Bug 251296 - www/gitea: Update to 1.12.6 (fixes security vulnerabilities)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Adam Weinberger
Reported: 2020-11-21 18:02 UTC by stb
Modified: 2020-11-22 16:03 UTC
stb: maintainer-feedback+


Attachments
patch to update gitea port to 1.12.6 (895 bytes, patch)
2020-11-21 18:10 UTC, stb
stb: maintainer-approval+
patch for vuxml for the two vulns (1.34 KB, patch)
2020-11-21 18:10 UTC, stb
no flags

Description stb 2020-11-21 18:02:53 UTC
This release fixes two security issues and 21 bugs.

Release notes: https://blog.gitea.io/2020/11/gitea-1.12.6-is-released/
Comment 1 stb 2020-11-21 18:10:12 UTC
Created attachment 219862
patch to update gitea port to 1.12.6
Comment 2 stb 2020-11-21 18:10:37 UTC
Created attachment 219863
patch for vuxml for the two vulns
Comment 3 commit-hook freebsd_committer 2020-11-22 15:49:12 UTC
A commit references this bug:

Author: adamw
Date: Sun Nov 22 15:48:14 UTC 2020
New revision: 556058
URL: https://svnweb.freebsd.org/changeset/ports/556058

Log:
  www/gitea: Update to 1.12.6

      SECURITY
          Prevent git operations for inactive users (#13527) (#13537)
          Disallow urlencoded new lines in git protocol paths if there is a port (#13521) (#13525)
      BUGFIXES
          API should only return Json (#13511) (#13564)
          Fix before and since query arguments at API (#13559) (#13560)
          Prevent panic on git blame by limiting lines to 4096 bytes at most (#13470) (#13492)
          Fix link detection in repository description with tailing '_' (#13407) (#13408)
          Remove obsolete change of email on profile page (#13341) (#13348)
          Fix permission check on get Reactions API endpoints (#13344) (#13346)
          Add migrated pulls to pull request task queue (#13331) (#13335)
          API deny wrong pull creation options (#13308) (#13327)
          Fix initial commit page & binary munching problem (#13249) (#13259)
          Fix diff parsing (#13157) (#13136) (#13139)
          Return error 404 not 500 from API if team does not exist (#13118) (#13119)
          Prohibit automatic downgrades (#13108) (#13111)
          Fix GitLab Migration Option AuthToken (#13101)
          GitLab Label Color Normalizer (#12793) (#13100)
          Log the underlying panic in runMigrateTask (#13096) (#13098)
          Fix attachments list in edit comment (#13036) (#13097)
          Fix deadlock when deleting team user (#13093)
          Fix error create comment on outdated file (#13041) (#13042)
          Fix repository create/delete event webhooks (#13008) (#13027)
          Fix internal server error on README in submodule (#13006) (#13016)

  PR:		251296
  Submitted by:	maintainer
  MFH:		2020Q4
  Security:	https://github.com/go-gitea/gitea/pull/13527
  		https://github.com/go-gitea/gitea/pull/13521

Changes:
  head/www/gitea/Makefile
  head/www/gitea/distinfo
Comment 4 commit-hook freebsd_committer 2020-11-22 15:51:14 UTC
A commit references this bug:

Author: adamw
Date: Sun Nov 22 15:51:09 UTC 2020
New revision: 556060
URL: https://svnweb.freebsd.org/changeset/ports/556060

Log:
  MFH: r552525 r556058
  Approved by:	portmgr (with hat)

  www/gitea: Update to 1.12.5

  Changes: https://github.com/go-gitea/gitea/releases/tag/v1.12.5

  PR:		250372
  Approved by:	maintainer

  www/gitea: Update to 1.12.6

      SECURITY
          Prevent git operations for inactive users (#13527) (#13537)
          Disallow urlencoded new lines in git protocol paths if there is a port (#13521) (#13525)
      BUGFIXES
          API should only return Json (#13511) (#13564)
          Fix before and since query arguments at API (#13559) (#13560)
          Prevent panic on git blame by limiting lines to 4096 bytes at most (#13470) (#13492)
          Fix link detection in repository description with tailing '_' (#13407) (#13408)
          Remove obsolete change of email on profile page (#13341) (#13348)
          Fix permission check on get Reactions API endpoints (#13344) (#13346)
          Add migrated pulls to pull request task queue (#13331) (#13335)
          API deny wrong pull creation options (#13308) (#13327)
          Fix initial commit page & binary munching problem (#13249) (#13259)
          Fix diff parsing (#13157) (#13136) (#13139)
          Return error 404 not 500 from API if team does not exist (#13118) (#13119)
          Prohibit automatic downgrades (#13108) (#13111)
          Fix GitLab Migration Option AuthToken (#13101)
          GitLab Label Color Normalizer (#12793) (#13100)
          Log the underlying panic in runMigrateTask (#13096) (#13098)
          Fix attachments list in edit comment (#13036) (#13097)
          Fix deadlock when deleting team user (#13093)
          Fix error create comment on outdated file (#13041) (#13042)
          Fix repository create/delete event webhooks (#13008) (#13027)
          Fix internal server error on README in submodule (#13006) (#13016)

  PR:		251296
  Submitted by:	maintainer
  Security:	https://github.com/go-gitea/gitea/pull/13527
  		https://github.com/go-gitea/gitea/pull/13521

Changes:
_U  branches/2020Q4/
  branches/2020Q4/www/gitea/Makefile
  branches/2020Q4/www/gitea/distinfo
Comment 5 Adam Weinberger freebsd_committer 2020-11-22 16:03:13 UTC
Update committed and merged to quarterly, and VuXML entry added. Thanks for your work on this!