From 1.17.3 release notes:

SECURITY

Sanitize and Escape refs in git backend (#21464) (#21463)
Bump golang.org/x/text (#21412) (#21413)
Update bluemonday (#21281) (#21287)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e14361d484b8a44e6f399d8b7476373838f23cc

commit 3e14361d484b8a44e6f399d8b7476373838f23cc
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-16 23:28:08 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-16 23:28:08 +0000

    www-apps/gitea: add 1.17.3

    Bug: https://bugs.gentoo.org/877355
    Signed-off-by: Sam James <sam@gentoo.org>

 www-apps/gitea/Manifest            |   1 +
 www-apps/gitea/gitea-1.17.3.ebuild | 125 +++++++++++++++++++++++++++++++++++++
 2 files changed, 126 insertions(+)

(In reply to Sam James from comment #0)
> From 1.17.3 release notes:
>
> SECURITY
>
> Sanitize and Escape refs in git backend (#21464) (#21463)

This one's CVE-2022-42968.

> Bump golang.org/x/text (#21412) (#21413)

CVE-2022-32149.

> Update bluemonday (#21281) (#21287)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ad8a8d9d0e4116301239865429f04cc368c265d1

commit ad8a8d9d0e4116301239865429f04cc368c265d1
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-10-20 15:41:25 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-20 15:41:25 +0000

    www-apps/gitea: drop 1.17.2

    Bug: https://bugs.gentoo.org/877355
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 www-apps/gitea/Manifest            |   1 -
 www-apps/gitea/gitea-1.17.2.ebuild | 125 -------------------------------------
 2 files changed, 126 deletions(-)

GLSA request filed.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3f72d6f5794d0d3c914ffacdf4c915fd8aac8d89

commit 3f72d6f5794d0d3c914ffacdf4c915fd8aac8d89
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:10:13 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:14 +0000

    [ GLSA 202210-14 ] Gitea: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/848465
    Bug: https://bugs.gentoo.org/857819
    Bug: https://bugs.gentoo.org/868996
    Bug: https://bugs.gentoo.org/877355
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-14.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

GLSA released, all done!