Bug 925023

Summary:	<www-apps/gitea-1.21.5: allows anonymous container access if RequireSignInView is enabled
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	CONFIRMED ---
Severity:	minor	CC:	ajak, dlan, i, proxy-maint
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/go-gitea/gitea/releases/tag/v1.21.5
Whiteboard:	B4 [glsa?]
Package list:		Runtime testing required:	---
Bug Depends on:	925025
Bug Blocks:

Description John Helmert III archtester

2024-02-19 23:55:02 UTC

Changelog has:

"Prevent anonymous container access if RequireSignInView is enabled (#28877) (#28882)
Update go dependencies and fix go-git (#28893) (#28934)"

The security impact of the second line isn't obvious to me. Please
stabilize 1.21.5.

Comment 1 Larry the Git Cow gentoo-dev

2024-02-20 02:53:02 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=daa685f289d8d96c94a31fb8f6ab7be067dc76ec

commit daa685f289d8d96c94a31fb8f6ab7be067dc76ec
Author:     Yixun Lan <dlan@gentoo.org>
AuthorDate: 2024-02-20 02:51:08 +0000
Commit:     Yixun Lan <dlan@gentoo.org>
CommitDate: 2024-02-20 02:52:24 +0000

    www-apps/gitea: drop vulnerable version 1.21.4
    
    Bug: https://bugs.gentoo.org/925023
    Signed-off-by: Yixun Lan <dlan@gentoo.org>

 www-apps/gitea/Manifest            |   1 -
 www-apps/gitea/gitea-1.21.4.ebuild | 147 -------------------------------------
 2 files changed, 148 deletions(-)