925023 – <www-apps/gitea-1.21.5: allows anonymous container access if RequireSignInView is enabled

Bug 925023 - <www-apps/gitea-1.21.5: allows anonymous container access if RequireSignInView is enabled

Summary: <www-apps/gitea-1.21.5: allows anonymous container access if RequireSignInVie...

Status:	CONFIRMED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://github.com/go-gitea/gitea/rel...
Whiteboard:	B4 [glsa?]
Keywords:

Depends on:	925025
Blocks:
	Show dependency tree

Reported:	2024-02-19 23:55 UTC by John Helmert III
Modified:	2024-02-20 05:53 UTC (History)
CC List:	4 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2024-02-19 23:55:02 UTC

Changelog has:

"Prevent anonymous container access if RequireSignInView is enabled (#28877) (#28882)
Update go dependencies and fix go-git (#28893) (#28934)"

The security impact of the second line isn't obvious to me. Please
stabilize 1.21.5.

Comment 1 Larry the Git Cow gentoo-dev

2024-02-20 02:53:02 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=daa685f289d8d96c94a31fb8f6ab7be067dc76ec

commit daa685f289d8d96c94a31fb8f6ab7be067dc76ec
Author:     Yixun Lan <dlan@gentoo.org>
AuthorDate: 2024-02-20 02:51:08 +0000
Commit:     Yixun Lan <dlan@gentoo.org>
CommitDate: 2024-02-20 02:52:24 +0000

    www-apps/gitea: drop vulnerable version 1.21.4
    
    Bug: https://bugs.gentoo.org/925023
    Signed-off-by: Yixun Lan <dlan@gentoo.org>

 www-apps/gitea/Manifest            |   1 -
 www-apps/gitea/gitea-1.21.4.ebuild | 147 -------------------------------------
 2 files changed, 148 deletions(-)