Bug 240046

Summary: www/gitea: Update to 1.9.2 (fixes security vulnerabilities)
Product: Ports & Packages
Reporter: stb
Component: Individual Port(s)
Assignee: Kai Knoblich <kai>
Status: Closed FIXED
Severity: Affects Many People
CC: kai, ports-secteam
Priority: Normal
Keywords: security
Version: Latest
Flags: kai: merge-quarterly+
Hardware: Any
OS: Any
URL: https://blog.gitea.io/2019/08/gitea-1.9.2-is-released/
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240033
Attachments (Description; Flags):
patch to update gitea port to 1.9.2; none
vuxml entry for the two vulns fixed in gitea 1.9.2; none
patch to update gitea port to 1.9.2; none

Description stb 2019-08-22 21:03:36 UTC
Update port to Gitea 1.9.2.

Gitea 1.9.2 fixes two security issues and four bugs, and includes one enhancement and one build fix.

Release notes: https://blog.gitea.io/2019/08/gitea-1.9.2-is-released/
Comment 1 stb 2019-08-22 21:12:15 UTC
Created attachment 206801
patch to update gitea port to 1.9.2
Comment 2 stb 2019-08-22 21:12:55 UTC
Created attachment 206802
vuxml entry for the two vulns fixed in gitea 1.9.2
Comment 3 stb 2019-08-22 21:14:41 UTC
Forgot to mention:

As suggested in #240033, change the git dependency to git-lite, which provides all the functionality Gitea requires. Applying this patch should close #240033.
Comment 4 stb 2019-08-22 21:17:32 UTC
I've updated the patch to remove the change to git dependencies because git-lite conflicts with git (on the package level), and upgrading will force removing git and switching to git-lite. I think that violates POLA.
Comment 5 stb 2019-08-22 21:18:21 UTC
Created attachment 206803
patch to update gitea port to 1.9.2
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2019-08-23 02:26:21 UTC
Per comment 3, attachment 206803 no longer blocks/closes bug 240033
Comment 7 commit-hook freebsd_committer 2019-08-23 21:16:57 UTC
A commit references this bug:

Author: kai
Date: Fri Aug 23 21:16:53 UTC 2019
New revision: 509659
URL: https://svnweb.freebsd.org/changeset/ports/509659

Log:
  security/vuxml: Document www/gitea issues

  PR:		240046
  Submitted by:	stb@lassitu.de (maintainer)

Changes:
  head/security/vuxml/vuln.xml
Comment 8 commit-hook freebsd_committer 2019-08-24 07:37:10 UTC
A commit references this bug:

Author: kai
Date: Sat Aug 24 07:36:15 UTC 2019
New revision: 509712
URL: https://svnweb.freebsd.org/changeset/ports/509712

Log:
  www/gitea: Update to 1.9.2

  Changelog:

  https://blog.gitea.io/2019/08/gitea-1.9.2-is-released/

  PR:		240046
  Submitted by:	stb@lassitu.de (maintainer)
  MFH:		2019Q3
  Security:	e7392840-c520-11e9-a4ef-0800274e5f20

Changes:
  head/www/gitea/Makefile
  head/www/gitea/distinfo
Comment 9 Kai Knoblich freebsd_committer 2019-08-24 07:58:57 UTC
(In reply to stb from comment #0)

Committed to the head branch, thank you for the patch, Stefan! Still waiting for approval from the ports-secteam to commit the changes to the 2019Q3 branch.

One small note/question: 

The "# Created by:" line was removed in the attached diffs. I have restored that line because it wasn't mentioned in the bug description or any other comments of this PR. 

I can still remove that line with an additional commit, if it was really intended.
Comment 10 commit-hook freebsd_committer 2019-08-25 08:08:02 UTC
A commit references this bug:

Author: kai
Date: Sun Aug 25 08:07:18 UTC 2019
New revision: 509776
URL: https://svnweb.freebsd.org/changeset/ports/509776

Log:
  MFH: r509712

  www/gitea: Update to 1.9.2

  Changelog:

  https://blog.gitea.io/2019/08/gitea-1.9.2-is-released/

  PR:		240046
  Submitted by:	stb@lassitu.de (maintainer)
  Security:	e7392840-c520-11e9-a4ef-0800274e5f20
  Approved by:	ports-secteam (miwi)

Changes:
_U  branches/2019Q3/
  branches/2019Q3/www/gitea/Makefile
  branches/2019Q3/www/gitea/distinfo
Comment 11 Kai Knoblich freebsd_committer 2019-08-25 08:44:12 UTC
Committed to the 2019Q3 branch, all done!

P.S.: Stefan, in case you want me to remove the "# Created by" line as noted in comment #9, just leave short feedback in this PR.