Bug 230800

Summary: devel/gogs: Fix open redirect vulnerability
Product: Ports & Packages
Reporter: Dmitri Goutnik <dmgk>
Component: Individual Port(s)
Assignee: Steve Wills <swills>
Status: Closed FIXED
Severity: Affects Some People
Flags: dmgk: merge-quarterly?
Priority: ---
Version: Latest
Hardware: Any
OS: Any
URL: https://github.com/gogs/gogs/issues/5364
Attachments:
  Description: patch file; Flags: dmgk: maintainer-approval+
  Description: vuln.patch; Flags: none

Description Dmitri Goutnik freebsd_committer freebsd_triage 2018-08-21 13:57:41 UTC
Created attachment 196418
patch file

- Fix open redirect vulnerability in login action.

Upstream report: https://github.com/gogs/gogs/issues/5364
Upstream patch: https://github.com/gogs/gogs/commit/1f247cf8139cb483276cd8dd06385a800ce9d4b2

QA:
  poudriere testport: OK (112a, 111a, 104i)

Comment 1 Steve Wills freebsd_committer freebsd_triage 2018-08-22 18:24:21 UTC
Would like to get a comment from upstream before committing and merging this. Can you also create a VuXML entry for this, and add the CVE reference if there is one?

Thanks,
Steve

Comment 2 Dmitri Goutnik freebsd_committer freebsd_triage 2018-08-22 20:26:39 UTC
Created attachment 196447
vuln.patch

Hi Steve,

VuXML entry attached; there's no CVE. According to the gogs GitHub issue tracker, this issue belongs to the 0.12 milestone, which has no ETA; I thought it would make sense to get it in early instead of waiting for upstream.

Comment 3 commit-hook freebsd_committer freebsd_triage 2018-08-22 21:03:41 UTC
A commit references this bug:

Author: swills
Date: Wed Aug 22 21:03:22 UTC 2018
New revision: 477824
URL: https://svnweb.freebsd.org/changeset/ports/477824

Log:
  Document gogs open redirect issue

  PR:		230800
  Submitted by:	Dmitri Goutnik <dg@syrec.org>

Changes:
  head/security/vuxml/vuln.xml

Comment 4 commit-hook freebsd_committer freebsd_triage 2018-08-22 21:16:53 UTC
A commit references this bug:

Author: swills
Date: Wed Aug 22 21:16:16 UTC 2018
New revision: 477825
URL: https://svnweb.freebsd.org/changeset/ports/477825

Log:
  devel/gogs: Fix open redirect vulnerability

  PR:		230800
  Submitted by:	Dmitri Goutnik <dg@syrec.org> (maintainer)
  MFH:		2018Q3
  Security:	e53a908d-a645-11e8-8acd-10c37b4ac2ea

Changes:
  head/devel/gogs/Makefile
  head/devel/gogs/distinfo

Comment 5 commit-hook freebsd_committer freebsd_triage 2018-08-22 21:17:56 UTC
A commit references this bug:

Author: swills
Date: Wed Aug 22 21:17:29 UTC 2018
New revision: 477826
URL: https://svnweb.freebsd.org/changeset/ports/477826

Log:
  MFH: r477825

  devel/gogs: Fix open redirect vulnerability

  PR:		230800
  Submitted by:	Dmitri Goutnik <dg@syrec.org> (maintainer)
  Security:	e53a908d-a645-11e8-8acd-10c37b4ac2ea

  Approved by:	ports-secteam (implicit)

Changes:
_U  branches/2018Q3/
  branches/2018Q3/devel/gogs/Makefile
  branches/2018Q3/devel/gogs/distinfo

Comment 6 Steve Wills freebsd_committer freebsd_triage 2018-08-22 21:18:35 UTC
Committed, thanks especially for the VuXML entry!