Bug 279781 - www/forgejo: update to 7.0.4 (fixes security vulnerabilities)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: freebsd-ports-bugs (Nobody)
URL: https://codeberg.org/forgejo/forgejo/...
Reported: 2024-06-16 09:03 UTC by Stefan Bethke
Modified: 2024-06-24 03:19 UTC
fernape: merge-quarterly+


Attachments
patch for port and vuxml (2.62 KB, patch)
2024-06-16 09:03 UTC, Stefan Bethke
stb: maintainer-approval+

Description Stefan Bethke 2024-06-16 09:03:49 UTC
Created attachment 251495
patch for port and vuxml

Release notes: https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-4
Comment 1 Fernando Apesteguía freebsd_committer freebsd_triage 2024-06-17 17:19:45 UTC
^Triage: If there is a changelog or release notes URL available for this version, please add it to the URL field.


Thanks!
Comment 2 commit-hook freebsd_committer freebsd_triage 2024-06-19 06:37:45 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=be43fb2830c94e23e0d9aa49ef9b982b0ab31e2c

commit be43fb2830c94e23e0d9aa49ef9b982b0ab31e2c
Author:     Stefan Bethke <stb@lassitu.de>
AuthorDate: 2024-06-17 17:16:10 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2024-06-19 06:37:17 +0000

    www/forgejo: update to 7.0.4 (fixes security vulnerabilities)

    CVE-2024-24789: the archive/zip package's handling of certain types of invalid
    zip files differs from the behavior of most zip implementations. This
    misalignment could be exploited to create a zip file with contents that vary
    depending on the implementation reading the file.

    PR:             279781
    Reported by:    stb@lassitu.de (maintainer)
    MFH:            2024Q2
    Security:       CVE-2024-24789

 www/forgejo/Makefile | 3 +--
 www/forgejo/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 5 deletions(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2024-06-19 06:43:47 UTC
A commit in branch 2024Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=d18807bcfba5dd79b8d8fdce2c6baf9f962fa69f

commit d18807bcfba5dd79b8d8fdce2c6baf9f962fa69f
Author:     Stefan Bethke <stb@lassitu.de>
AuthorDate: 2024-06-17 17:16:10 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2024-06-19 06:42:50 +0000

    www/forgejo: update to 7.0.4 (fixes security vulnerabilities)

    CVE-2024-24789: the archive/zip package's handling of certain types of invalid
    zip files differs from the behavior of most zip implementations. This
    misalignment could be exploited to create a zip file with contents that vary
    depending on the implementation reading the file.

    PR:             279781
    Reported by:    stb@lassitu.de (maintainer)
    MFH:            2024Q2
    Security:       CVE-2024-24789

    (cherry picked from commit be43fb2830c94e23e0d9aa49ef9b982b0ab31e2c)

 www/forgejo/Makefile | 3 +--
 www/forgejo/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 5 deletions(-)
Comment 4 Fernando Apesteguía freebsd_committer freebsd_triage 2024-06-19 06:43:54 UTC
Committed,

Thanks!