Bug 230512 - www/gitea: Update to 1.5.0 (Fixes security vulnerabilities)
Summary: www/gitea: Update to 1.5.0 (Fixes security vulnerabilities)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Florian Smeets
URL: https://blog.gitea.io/2018/08/gitea-1...
Keywords: needs-patch, needs-qa, security
Depends on:
Blocks:
 
Reported: 2018-08-10 20:37 UTC by stb
Modified: 2018-08-12 08:03 UTC (History)
3 users (show)

See Also:


Attachments
update gitea port to 1.5.0 (14.72 KB, patch)
2018-08-10 20:37 UTC, stb
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description stb 2018-08-10 20:37:08 UTC
Created attachment 196065 [details]
update gitea port to 1.5.0

Update Gitea to 1.5.0

Release notes: https://blog.gitea.io/2018/08/gitea-1.5.0-is-released/

Three security fixes, general bugfixes, and new features.

This port update also contains a small fix for the start script, to properly pass the username of the git system account to Gitea.
Comment 1 stb 2018-08-10 20:38:00 UTC
Sorry, forgot:

Startup script fix hat tip to schmidt@ze.tum.de.
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2018-08-10 22:50:00 UTC
Pending a VuXML entry addition. @maintainer if you can provide that, that would be great.
Comment 3 stb 2018-08-10 22:51:43 UTC
How can I provide a VuXML entry?
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2018-08-10 23:03:06 UTC
(In reply to stb from comment #3)

One creates a new entry in the security/vuxml port then provides a diff of that change.

There's a special 'newentry' make target that adds an entry to the xml file with a new uuid for you. There's a 'validate' target to validate the resulting xml. One needs to have 'installed' the vuxml port to install the validation tools.

For details on the fields/content values, see:

https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/book.html#security-notify
Comment 5 stb 2018-08-10 23:04:44 UTC
More specifically, I have no knowledge of the claimed security fixes, and I have no knowledge of the vulnerabilities that these fixes try to avoid. The only information the Gitea project provides are in the release notes on Github: https://github.com/go-gitea/gitea/releases/tag/v1.5.0 which list four pull requests.

I do not feel competent to explain what the problems are, what consequences one might suffer, and how the fixes solve the problem. As far as I can tell, there are no advisories provided by the Gitea project containing such information.

I could go through the mechanics of creating an entry, but have no idea what to enter.
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2018-08-10 23:15:46 UTC
(In reply to stb from comment #5)

One may just relay what the project provides. In this case there are 3 security fixes, each with pull request/issue descriptions:

"""
The Gitea project documents 3 fixed security issues:

Check that repositories can only be migrated to own user or organizations (#4366) (#4370)
Limit uploaded avatar image-size to 4096px x 3072px by default (#4353)
Do not allow to reuse TOTP passcode (#3878)
"""

Add the pull-request/issue url's to <url></url> blocks
If there are CVE references, add those as <cvename></cvename> blocks
Comment 7 Florian Smeets freebsd_committer 2018-08-11 08:42:41 UTC
I will take care of this later today. If there is no vuxml diff by then, I will create the entry, not a problem.
Comment 8 commit-hook freebsd_committer 2018-08-12 07:55:51 UTC
A commit references this bug:

Author: flo
Date: Sun Aug 12 07:55:09 UTC 2018
New revision: 476973
URL: https://svnweb.freebsd.org/changeset/ports/476973

Log:
  Document www/gitea vulnerability, with the scarce details provided by Gitea

  PR:		230512

Changes:
  head/security/vuxml/vuln.xml
Comment 9 commit-hook freebsd_committer 2018-08-12 08:00:57 UTC
A commit references this bug:

Author: flo
Date: Sun Aug 12 08:00:31 UTC 2018
New revision: 476977
URL: https://svnweb.freebsd.org/changeset/ports/476977

Log:
  Update to 1.5.0

  PR:		230512
  Submitted by:	stb@lassitu.de (maintainer)
  Security:	bcf56a42-9df8-11e8-afb0-589cfc0f81b0

Changes:
  head/www/gitea/Makefile
  head/www/gitea/distinfo
  head/www/gitea/files/gitea.in
  head/www/gitea/pkg-plist
Comment 10 Florian Smeets freebsd_committer 2018-08-12 08:03:24 UTC
committed. thanks