FreeBSD Bugzilla – Attachment 254597 Details for Bug 282387
www/forgejo: Update 9.0.0 → 9.0.1 (fixes security vulnerabilities)
update port to 9.0.1 including vuxml entry
forgejo-9.0.1.patch (text/plain), 3.03 KB, created by Stefan Bethke on 2024-10-28 16:23:41 UTC
Flags: patch, obsolete
>diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml >index 8843fc4150ea..9b5facf921c7 100644 >--- a/security/vuxml/vuln/2024.xml >+++ b/security/vuxml/vuln/2024.xml 
>@@ -1,3 +1,47 @@ >+ <vuln vid="f07c8f87-8e65-11ef-81b8-659bf0027d16"> >+ <topic>forgejo -- multiple vulnerabilities</topic> >+ <affects> >+ <package> >+ <name>forgejo</name> >+ <range><lt>9.0.1</lt></range> >+ </package> >+ <package> >+ <name>forgejo7</name> >+ <range><lt>7.0.10</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <h1>Problem Description:</h1> >+ <ul> >+ <li>Forgejo generates a token which is used to authenticate web >+ endpoints that are only meant to be used internally, for instance >+ when the SSH daemon is used to push a commit with Git. The >+ verification of this token was not done in constant time and was >+ susceptible to timing attacks. A pre-condition for such an attack is >+ the precise measurements of the time for each operation. Since it >+ requires observing the timing of network operations, the issue is >+ mitigated when a Forgejo instance is accessed over the internet >+ because the ISP introduce unpredictable random delays.</li> >+ <li>Because of a missing permission check, the branch used to propose >+ a pull request to a repository can always be deleted by the user >+ performing the merge. It was fixed so that such a deletion is only >+ allowed if the user performing the merge has write permission to the >+ repository from which the pull request was made.</li> >+ </ul> >+ </body> >+ </description> >+ <references> >+ <url>https://codeberg.org/forgejo/forgejo/milestone/8544</url> >+ <url>https://codeberg.org/forgejo/forgejo/pulls/5719</url> >+ <url>https://codeberg.org/forgejo/forgejo/pulls/5718</url> >+ </references> >+ <dates> >+ <discovery>2024-10-28</discovery> >+ <entry>2024-10-28</entry> >+ </dates> >+ </vuln> >+ > <vuln vid="fafaef4d-f364-4a07-bbdd-bf53448c593c"> > <topic>chromium -- multiple security fixes</topic> > <affects> >diff --git a/www/forgejo/Makefile b/www/forgejo/Makefile >index 9808a26e3bb1..c3832f6ec907 100644 >--- a/www/forgejo/Makefile 
>+++ b/www/forgejo/Makefile >@@ -1,6 +1,6 @@ > PORTNAME= forgejo > DISTVERSIONPREFIX= v >-DISTVERSION= 9.0.0 >+DISTVERSION= 9.0.1 > CATEGORIES= www > MASTER_SITES= https://codeberg.org/forgejo/forgejo/releases/download/${DISTVERSIONPREFIX}${DISTVERSION}/ > DISTNAME= forgejo-src-${DISTVERSION} >diff --git a/www/forgejo/distinfo b/www/forgejo/distinfo >index eb07c7960509..65fd7c1fd821 100644 >--- a/www/forgejo/distinfo >+++ b/www/forgejo/distinfo >@@ -1,3 +1,3 @@ >-TIMESTAMP = 1729146681 >-SHA256 (forgejo-src-9.0.0.tar.gz) = 21364d6c1635711189f25da5dc343b3b28e8ade20a5f00202301ccc364adc1d2 >-SIZE (forgejo-src-9.0.0.tar.gz) = 53905348 >+TIMESTAMP = 1729375226 >+SHA256 (forgejo-src-9.0.1.tar.gz) = 6748c49677374947eb619b13f9ede983682ae117b8c0405442cc9afc847c4040 >+SIZE (forgejo-src-9.0.1.tar.gz) = 53961959
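Review bot: the vuxml hunk's `<affects>` block marks `forgejo7` below 7.0.10 as vulnerable, but the patch only bumps `www/forgejo` to 9.0.1; if the tree carries a forgejo7 port, it needs its own update to 7.0.10 (or the commit message should say it is handled separately), otherwise pkg-audit will flag an installed forgejo7 with no fixed version available from the tree. Minor wording in the first `<li>`: "because the ISP introduce unpredictable random delays" should read "because ISPs introduce unpredictable random delays". Please run `make validate` in security/vuxml before committing so the XML is confirmed well formed and the new entry matches the schema.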
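Review bot: nothing blocking in the Makefile hunk. DISTVERSION moves from 9.0.0 to 9.0.1 and, since the context shows no PORTREVISION line, there is none to reset. Because MASTER_SITES derives the download path from `${DISTVERSIONPREFIX}${DISTVERSION}`, the distinfo must have been regenerated (`make makesum`) from this updated Makefile; the changed TIMESTAMP in the distinfo hunk indicates that was done.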
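Review bot: the distinfo hunk is the supply-chain anchor for this update, so the new SHA256 (6748c496...c4040) and SIZE (53961959) should be cross-checked against the checksum or signature upstream publishes for forgejo-src-9.0.1.tar.gz, not only against whatever `make makesum` fetched; a ~56 KB growth over 9.0.0 is plausible for a patch release. Note also that the new TIMESTAMP 1729375226 corresponds to 2024-10-19 UTC while the vuxml entry records `<discovery>2024-10-28</discovery>`; if upstream disclosed the issues earlier, `<discovery>` should carry that date rather than the date the entry was written.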