Bug 230800 - devel/gogs: Fix open redirect vulnerability
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Steve Wills
URL: https://github.com/gogs/gogs/issues/5364
Reported: 2018-08-21 13:57 UTC by Dmitri Goutnik
Modified: 2018-08-22 21:18 UTC (History)

Flags: dmgk: merge-quarterly?


Attachments
patch file (1.06 KB, patch)
2018-08-21 13:57 UTC, Dmitri Goutnik
dmgk: maintainer-approval+
vuln.patch (1.48 KB, patch)
2018-08-22 20:26 UTC, Dmitri Goutnik
no flags

Description Dmitri Goutnik freebsd_committer 2018-08-21 13:57:41 UTC
Created attachment 196418
patch file

- Fix open redirect vulnerability in login action.

Upstream report: https://github.com/gogs/gogs/issues/5364
Upstream patch: https://github.com/gogs/gogs/commit/1f247cf8139cb483276cd8dd06385a800ce9d4b2

QA:
  poudriere testport: OK (112a, 111a, 104i)
Comment 1 Steve Wills freebsd_committer 2018-08-22 18:24:21 UTC
Would like to get a comment from upstream before committing and merging this. Can you also create a VuXML entry for this, and add the CVE reference if there is one?

Thanks,
Steve
Comment 2 Dmitri Goutnik freebsd_committer 2018-08-22 20:26:39 UTC
Created attachment 196447
vuln.patch

Hi Steve,

VuXML entry attached; there's no CVE. According to the gogs GitHub issue tracker, this issue belongs to the 0.12 milestone, which has no ETA; I thought it would make sense to get it in early instead of waiting for upstream.
Comment 3 commit-hook freebsd_committer 2018-08-22 21:03:41 UTC
A commit references this bug:

Author: swills
Date: Wed Aug 22 21:03:22 UTC 2018
New revision: 477824
URL: https://svnweb.freebsd.org/changeset/ports/477824

Log:
  Document gogs open redirect issue

  PR:		230800
  Submitted by:	Dmitri Goutnik <dg@syrec.org>

Changes:
  head/security/vuxml/vuln.xml
Comment 4 commit-hook freebsd_committer 2018-08-22 21:16:53 UTC
A commit references this bug:

Author: swills
Date: Wed Aug 22 21:16:16 UTC 2018
New revision: 477825
URL: https://svnweb.freebsd.org/changeset/ports/477825

Log:
  devel/gogs: Fix open redirect vulnerability

  PR:		230800
  Submitted by:	Dmitri Goutnik <dg@syrec.org> (maintainer)
  MFH:		2018Q3
  Security:	e53a908d-a645-11e8-8acd-10c37b4ac2ea

Changes:
  head/devel/gogs/Makefile
  head/devel/gogs/distinfo
Comment 5 commit-hook freebsd_committer 2018-08-22 21:17:56 UTC
A commit references this bug:

Author: swills
Date: Wed Aug 22 21:17:29 UTC 2018
New revision: 477826
URL: https://svnweb.freebsd.org/changeset/ports/477826

Log:
  MFH: r477825

  devel/gogs: Fix open redirect vulnerability

  PR:		230800
  Submitted by:	Dmitri Goutnik <dg@syrec.org> (maintainer)
  Security:	e53a908d-a645-11e8-8acd-10c37b4ac2ea

  Approved by:	ports-secteam (implicit)

Changes:
_U  branches/2018Q3/
  branches/2018Q3/devel/gogs/Makefile
  branches/2018Q3/devel/gogs/distinfo
Comment 6 Steve Wills freebsd_committer 2018-08-22 21:18:35 UTC
Committed, thanks especially for the VuXML entry!