
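--- a/security/vuxml/vuln/2023.xml
+++ b/security/vuxml/vuln/2023.xml
@@ -1,3 +1,59 @@
+  <vuln vid="b2765c89-a052-11ee-bed2-596753f1a87c">
+    <topic>gitea -- Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin</topic>
+    <affects>
+      <package>
+	<name>gitea</name>
+	<range><lt>1.21.3</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Gitea team reports:</p>
+	<blockquote cite="https://github.com/go-gitea/gitea/pull/28519">
+	  <p>Update golang.org/x/crypto</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://github.com/go-gitea/gitea/releases/tag/v1.21.3</url>
+    </references>
+    <dates>
+      <discovery>2023-12-19</discovery>
+      <entry>2023-12-21</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="482bb980-99a3-11ee-b5f7-6bd56600d90c">
+    <topic>gitea -- missing permission checks</topic>
+    <affects>
+      <package>
+	<name>gitea</name>
+	<range><lt>1.21.2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Gitea team reports:</p>
+	<blockquote cite="https://github.com/go-gitea/gitea/pull/28406">
+	  <p>Fix missing check</p>
+	</blockquote>
+	<blockquote cite="https://github.com/go-gitea/gitea/pull/28423">
+	  <p>Do some missing checks</p>
+	</blockquote>
+        <p>By crafting an API request, attackers can access the contents of
+        issues even though the logged-in user does not have access rights to
+        these issues.</p>
+      </body>
+    </description>
+    <references>
+      <url>https://github.com/go-gitea/gitea/releases/tag/v1.21.2</url>
+    </references>
+    <dates>
+      <discovery>2023-12-12</discovery>
+      <entry>2023-12-13</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="0f7598cc-9fe2-11ee-b47f-901b0e9408dc">
     <topic>nebula -- security fix for terrapin vulnerability</topic>
     <affects>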
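Review bot: The Terrapin entry's `<references>` block holds only the release URL and no `<cvename>`, so anyone tracking by CVE cannot tie this entry to the upstream advisory or to the nebula entry that follows it for the same issue. Add `<cvename>CVE-YYYY-NNNNN</cvename>` inside `<references>` (placeholder: the id assigned to Terrapin, which this page does not show). The quoted description, `Update golang.org/x/crypto`, also says nothing about exposure. A sentence noting that the fix is in the SSH library dependency, and so presumably concerns Gitea's SSH transport rather than its web UI, would let an operator judge whether an instance is affected. The second entry likewise carries no identifier beyond the two pull-request links.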
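--- a/www/gitea/Makefile
+++ b/www/gitea/Makefile
@@ -1,7 +1,6 @@
 PORTNAME=	gitea
 DISTVERSIONPREFIX=	v
-DISTVERSION=	1.21.0
-PORTREVISION=	1
+DISTVERSION=	1.21.3
 CATEGORIES=	www
 MASTER_SITES=	https://github.com/go-gitea/gitea/releases/download/${DISTVERSIONPREFIX}${DISTVERSION}/ \
 		https://dl.gitea.io/gitea/${DISTVERSION}/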
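--- a/www/gitea/distinfo
+++ b/www/gitea/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1699991932
-SHA256 (gitea-src-1.21.0.tar.gz) = 69b12778b3b5f24aecff08d8e5122e4edf784bda2e4335b77f2bbd0404a11a93
-SIZE (gitea-src-1.21.0.tar.gz) = 53744981
+TIMESTAMP = 1703198078
+SHA256 (gitea-src-1.21.3.tar.gz) = b490bda7bfbe95bde50f4c98478a80b4539344140ad9290d083e9393e83d33bf
+SIZE (gitea-src-1.21.3.tar.gz) = 53775315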
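--- a/www/gitea/pkg-message
+++ b/www/gitea/pkg-message
@@ -1,4 +1,19 @@
 [
+{ type: upgrade
+  maximum_version: 1.20.0
+  message: <<EOM
+Please make sure to empty or maintain the contents of the
+/usr/local/share/gitea folder between your upgrades of gitea.
+Changes between versions can break the web UI due to residual
+files from earlier versions.
+
+1.21.0 has a breaking change regarding the public assets folder. In case
+you use a proxying webserver serving the files, you need to update your
+configuration:
+
+https://github.com/go-gitea/gitea/pull/25907
+EOM
+}
 { type: upgrade
   maximum_version: 1.7.6
   message: <<EOM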
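Review bot: The new upgrade message is gated on `maximum_version: 1.20.0`, yet its second paragraph warns about a change introduced in 1.21.0. As I read the pkg-message version gate, a host upgrading from a 1.20.x release above that bound would never see the notice about the public assets folder. If the intent is to reach everyone crossing into 1.21, the bound should be `maximum_version: 1.21.0`. The first paragraph, about emptying /usr/local/share/gitea, applies to upgrades in general and may belong in an entry without a version bound; that is for the maintainer to confirm.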
