FreeBSD Bugzilla – Attachment 247191 Details for Bug 275742
www/gitea: update to 1.21.3 (fixes security vulnerabilities)
[patch] Update port to 1.21.3 plus vuxml entries
gitea-1.21.3.patch (text/plain), 3.67 KB, created by Stefan Bethke on 2023-12-21 22:52:19 UTC
>diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml >index d3972f612c23..60ae70cba0b7 100644 >--- a/security/vuxml/vuln/2023.xml >+++ b/security/vuxml/vuln/2023.xml 
>@@ -1,3 +1,59 @@ >+ <vuln vid="b2765c89-a052-11ee-bed2-596753f1a87c"> >+ <topic>gitea -- Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin</topic> >+ <affects> >+ <package> >+ <name>gitea</name> >+ <range><lt>1.21.3</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <p>The Gitea team reports:</p> >+ <blockquote cite="https://github.com/go-gitea/gitea/pull/28519"> >+ <p>Update golang.org/x/crypto</p> >+ </blockquote> >+ </body> >+ </description> >+ <references> >+ <url>https://github.com/go-gitea/gitea/releases/tag/v1.21.3</url> >+ </references> >+ <dates> >+ <discovery>2023-12-19</discovery> >+ <entry>2023-12-21</entry> >+ </dates> >+ </vuln> >+ >+ <vuln vid="482bb980-99a3-11ee-b5f7-6bd56600d90c"> >+ <topic>gitea -- missing permission checks</topic> >+ <affects> >+ <package> >+ <name>gitea</name> >+ <range><lt>1.21.2</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <p>The Gitea team reports:</p> >+ <blockquote cite="https://github.com/go-gitea/gitea/pull/28406"> >+ <p>Fix missing check</p> >+ </blockquote> >+ <blockquote cite="https://github.com/go-gitea/gitea/pull/28423"> >+ <p>Do some missing checks</p> >+ </blockquote> >+ <p>By crafting an API request, attackers can access the contents of >+ issues even though the logged-in user does not have access rights to >+ these issues.</p> >+ </body> >+ </description> >+ <references> >+ <url>https://github.com/go-gitea/gitea/releases/tag/v1.21.2</url> >+ </references> >+ <dates> >+ <discovery>2023-12-12</discovery> >+ <entry>2023-12-13</entry> >+ </dates> >+ </vuln> >+ > <vuln vid="0f7598cc-9fe2-11ee-b47f-901b0e9408dc"> > <topic>nebula -- security fix for terrapin vulnerability</topic> > <affects> >diff --git a/www/gitea/Makefile b/www/gitea/Makefile >index 287dba7c6138..29de243a37d7 100644 >--- a/www/gitea/Makefile >+++ b/www/gitea/Makefile 
>@@ -1,7 +1,6 @@ > PORTNAME= gitea > DISTVERSIONPREFIX= v >-DISTVERSION= 1.21.0 >-PORTREVISION= 1 >+DISTVERSION= 1.21.3 > CATEGORIES= www > MASTER_SITES= https://github.com/go-gitea/gitea/releases/download/${DISTVERSIONPREFIX}${DISTVERSION}/ \ > https://dl.gitea.io/gitea/${DISTVERSION}/ >diff --git a/www/gitea/distinfo b/www/gitea/distinfo >index 011dfb106ba4..6d7cd1c1dda7 100644 >--- a/www/gitea/distinfo >+++ b/www/gitea/distinfo >@@ -1,3 +1,3 @@ >-TIMESTAMP = 1699991932 >-SHA256 (gitea-src-1.21.0.tar.gz) = 69b12778b3b5f24aecff08d8e5122e4edf784bda2e4335b77f2bbd0404a11a93 >-SIZE (gitea-src-1.21.0.tar.gz) = 53744981 >+TIMESTAMP = 1703198078 >+SHA256 (gitea-src-1.21.3.tar.gz) = b490bda7bfbe95bde50f4c98478a80b4539344140ad9290d083e9393e83d33bf >+SIZE (gitea-src-1.21.3.tar.gz) = 53775315 >diff --git a/www/gitea/pkg-message b/www/gitea/pkg-message >index e3393b659d24..2bbd58784bc0 100644 >--- a/www/gitea/pkg-message >+++ b/www/gitea/pkg-message >@@ -1,4 +1,19 @@ > [ >+{ type: upgrade >+ maximum_version: 1.20.0 >+ message: <<EOM >+Please make sure to empty or maintain the contents of the >+/usr/local/share/gitea folder between your upgrades of gitea. >+Changes between versions can break the web UI due to residual >+files from earlier versions. >+ >+1.21.0 has a breaking change regarding the public assets folder. In case >+you use a proxying webserver serving the files, you need to update your >+configuration: >+ >+https://github.com/go-gitea/gitea/pull/25907 >+EOM >+} > { type: upgrade > maximum_version: 1.7.6 > message: <<EOM
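Review bot: In the security/vuxml/vuln/2023.xml hunk, the second entry (vid 482bb980-99a3-11ee-b5f7-6bd56600d90c, gitea < 1.21.2) carries <entry>2023-12-13</entry> even though this patch, created 2023-12-21, is what adds it, and the Terrapin entry next to it is dated 2023-12-21. The <entry> date records when the item was added to VuXML, so it should be set to the commit date. Separately, the Terrapin entry's description quotes only "Update golang.org/x/crypto", which tells a reader nothing about impact; a sentence on what the prefix truncation attack affects in gitea, plus a reference beyond the release URL, would let the entry stand on its own.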
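Review bot: In the www/gitea/pkg-message hunk, the new upgrade block sets maximum_version: 1.20.0 while its text warns about the 1.21.0 breaking change to the public assets folder, so users upgrading from a later 1.20.x release cross into 1.21 without seeing the notice. Consider raising the bound to 1.21.0 so that every upgrade from a pre-1.21 version gets the message.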
Flags: stb: maintainer-approval+