FreeBSD Bugzilla – Attachment 257002 Details for Bug 284360: www/gitea: update to 1.23.1 (fixes security vulnerability)
[patch] port and vuxml
gitea-1.23.1.patch (text/plain), 5.16 KB, created by Stefan Bethke on 2025-01-26 11:06:07 UTC
>diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml >index f21059cf40cf..c26d5ba3b4a8 100644 >--- a/security/vuxml/vuln/2025.xml >+++ b/security/vuxml/vuln/2025.xml >@@ -1,3 +1,31 @@ >+ <vuln vid="752a81cb-dbd4-11ef-a489-a78527073c14"> >+ <topic>gitea -- enforce attachment file type restrictions</topic> >+ <affects> >+ <package> >+ <name>gitea</name> >+ <range><lt>1.23.0</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <p>The Gitea project reports:</p> >+ <blockquote cite="https://github.com/go-gitea/gitea/releases/tag/v1.23.0"> >+ <p>Issue posters and users with repository write access are able to >+ edit attachment names in a way that circumvents the instance-level >+ file extension restrictions using the edit attachment APIs. [...] >+ Add checks for these endpoints.</p> >+ </blockquote> >+ </body> >+ </description> >+ <references> >+ <url>https://github.com/go-gitea/gitea/pull/32151</url> >+ </references> >+ <dates> >+ <discovery>2024-11-06</discovery> >+ <entry>2024-01-26</entry> >+ </dates> >+ </vuln> >+ > <vuln vid="41711c0d-db27-11ef-873e-8447094a420f"> > <topic>Vaultwarden -- Muiltiple vulnerabilities</topic> > <affects> >diff --git a/www/gitea/Makefile b/www/gitea/Makefile >index b35eef040c15..f64f166e2fa4 100644 >--- a/www/gitea/Makefile >+++ b/www/gitea/Makefile >@@ -1,7 +1,6 @@ > PORTNAME= gitea > DISTVERSIONPREFIX= v >-DISTVERSION= 1.22.6 >-PORTREVISION= 1 >+DISTVERSION= 1.23.1 > CATEGORIES= www > MASTER_SITES= https://github.com/go-gitea/gitea/releases/download/${DISTVERSIONPREFIX}${DISTVERSION}/ \ > https://dl.gitea.io/gitea/${DISTVERSION}/ >@@ -16,7 +15,7 @@ LICENSE_FILE= ${WRKSRC}/LICENSE > > RUN_DEPENDS= git:devel/git > >-USES= cpe gmake go:1.22,no_targets >+USES= cpe gmake go:1.23,no_targets > USE_RC_SUBR= gitea > > EXTRACT_AFTER_ARGS= --strip-components 1 # since 1.17.0, archive includes gitea-src-VERSION directory 
>@@ -71,6 +70,10 @@ do-install: > @${MKDIR} ${STAGEDIR}${ETCDIR}/conf > ${INSTALL_DATA} ${WRKDIR}/app.ini.sample ${STAGEDIR}${ETCDIR}/conf/app.ini.sample > ${INSTALL_DATA} ${WRKSRC}/custom/conf/app.example.ini ${STAGEDIR}${ETCDIR}/conf/app.ini.defaults >+ ${MKDIR} ${STAGEDIR}${DATADIR} >+ ${MKDIR} ${STAGEDIR}/var/db/gitea >+ ${MKDIR} ${STAGEDIR}/var/db/gitea/gitea-repositories >+ ${MKDIR} ${STAGEDIR}/var/log/gitea > > do-install-BINDATA-off: > cd ${WRKSRC} && ${COPYTREE_SHARE} "options public templates" ${STAGEDIR}${DATADIR} >diff --git a/www/gitea/distinfo b/www/gitea/distinfo >index 9260354fa231..4781f67ed8c4 100644 >--- a/www/gitea/distinfo >+++ b/www/gitea/distinfo >@@ -1,3 +1,3 @@ >-TIMESTAMP = 1734459279 >-SHA256 (gitea-src-1.22.6.tar.gz) = 251a3ee97e11f288764f9e15d0163116a04f2811b9d0d3c32f46a04f90f0756e >-SIZE (gitea-src-1.22.6.tar.gz) = 54465618 >+TIMESTAMP = 1737883673 >+SHA256 (gitea-src-1.23.1.tar.gz) = da4d36c4c9fe3980b4ba130526cf030ba7dba51d3a6844c6723a6eaef34b6df9 >+SIZE (gitea-src-1.23.1.tar.gz) = 55539987 >diff --git a/www/gitea/files/app.ini.sample.in b/www/gitea/files/app.ini.sample.in >index 71cccbf31650..0080ed412ca4 100644 >--- a/www/gitea/files/app.ini.sample.in >+++ b/www/gitea/files/app.ini.sample.in 
>@@ -7,15 +7,17 @@ > # > # This sample configuration runs Gitea with a local database. Before > # running this configuration, make sure to change the INTERNAL_TOKEN, >-# JWT_SECRET, and SECRET_KEY variables. SECRET_KEY is a password of your >-# choosing, INTERNAL_TOKEN is a 64-byte random number in BASE64 encoding, >-# JWT_SECRET is a 32-byte random number in BASE64 encoding. >+# JWT_SECRET, LFS_JWT_SECRET, and SECRET_KEY variables. SECRET_KEY is >+# a password of your choosing, INTERNAL_TOKEN is a 64-byte random >+# number in BASE64 encoding, JWT_SECRET is a 32-byte random number in >+# BASE64 encoding. > # >-# You can generate the token using for example: >-# openssl rand -base64 64 >+# You can generate appropriate values using: >+# gitea generate secret [INTERNAL_TOKEN|JWT_SECRET|LFS_JWT_SECRET|SECRET_KEY] >+# and then copy that output to the appropriate place in this file. > # >-# You can let Gitea add these to the config for you; you need to make >-# app.ini writeable by the git user. >+# Alternatively, you can let Gitea add these to the config for you; you >+# need to make app.ini writeable by the git user. > # > # There are no pre-configured users; the first user to register becomes an > # admin. In this sample configuration, the HTTP server only listens on >diff --git a/www/gitea/files/gitea.in b/www/gitea/files/gitea.in >index 566a4b46ef93..affda78defa1 100644 >--- a/www/gitea/files/gitea.in >+++ b/www/gitea/files/gitea.in >@@ -41,6 +41,7 @@ gitea_start() { > done > /usr/sbin/daemon %%DAEMONARGS%% \ > -u ${gitea_user} -p ${pidfile} \ >+ -l daemon -s warning \ > /usr/bin/env -i \ > "GITEA_WORK_DIR=${gitea_shared}" \ > "GITEA_CUSTOM=${gitea_custom}" \ >diff --git a/www/gitea/pkg-plist b/www/gitea/pkg-plist >index 209e1c8e372c..acab89e7b63f 100644 >--- a/www/gitea/pkg-plist >+++ b/www/gitea/pkg-plist 
>@@ -1,3 +1,6 @@ > @sample %%ETCDIR%%/conf/app.ini.sample > %%ETCDIR%%/conf/app.ini.defaults > sbin/gitea >+@dir(git,git,755) /var/db/gitea >+@dir(git,git,755) /var/db/gitea/gitea-repositories >+@dir(git,git,755) /var/log/gitea
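Review bot: In the security/vuxml/vuln/2025.xml hunk, `<entry>2024-01-26</entry>` predates `<discovery>2024-11-06</discovery>` and does not fit the 2025.xml file the entry is added to. This looks like a year typo; it should read `<entry>2025-01-26</entry>`, matching the date this patch was created.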
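Review bot: In the do-install hunk of www/gitea/Makefile, the new `${MKDIR} ${STAGEDIR}${DATADIR}` has no matching `@dir` entry in the pkg-plist hunk, which adds only /var/db/gitea, /var/db/gitea/gitea-repositories and /var/log/gitea. Unless the rest of the Makefile already accounts for it, a build where do-install-BINDATA-off does not populate that directory would stage an empty directory that the plist does not list; please confirm with a plist check for both option settings. As a style point, the four new lines drop the `@` prefix that the existing `@${MKDIR} ${STAGEDIR}${ETCDIR}/conf` line uses.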
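Review bot: The rewritten comment in www/gitea/files/app.ini.sample.in adds LFS_JWT_SECRET to the list of values that must be changed, but the sentences that follow still describe only SECRET_KEY, INTERNAL_TOKEN and JWT_SECRET, so the reader is not told what LFS_JWT_SECRET should contain. The usage line `gitea generate secret [INTERNAL_TOKEN|JWT_SECRET|LFS_JWT_SECRET|SECRET_KEY]` also puts a required argument in square brackets, which conventionally marks it as optional. The "Alternatively" paragraph would be safer if it told the administrator to make app.ini non-writable by the git user again once the secrets have been written.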
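Review bot: In the gitea_start() hunk of www/gitea/files/gitea.in, `-l daemon -s warning` is added without a comment, and it tags everything the process writes to stdout and stderr with syslog priority warning regardless of the real severity of the message. Anyone filtering or alerting on daemon.warning will see routine output there. Please add a comment stating the intent, and say how this syslog stream relates to the /var/log/gitea directory that the Makefile and pkg-plist hunks of this patch create.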
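Review bot: The three `@dir(git,git,755)` entries in the www/gitea/pkg-plist hunk make /var/db/gitea, /var/db/gitea/gitea-repositories and /var/log/gitea readable and traversable by every local account. For repository data and service logs, mode 750 would restrict them to the git user and group; if something outside that group needs read access, state that in the commit message.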