These vulnerabilities were fixed in Gitea 1.15.0:
- The LDAP source bind password is stored in plaintext in the db.
- Bundled version of golang-jwt/jwt (3.2.1) is vulnerable
- Private repositories were exported (when using with dev-vcs/git?)
- Repositories of private users are shown in explore
- Security issues with nodejs tar module?
I'm working on a pull request for 1.15.0.
Thanks for reporting!
The bug has been referenced in the following commit(s):
Author: Ronny (tastytea) Gutbrod <email@example.com>
AuthorDate: 2021-08-22 12:03:26 +0000
Commit: Joonas Niilola <firstname.lastname@example.org>
CommitDate: 2021-09-24 07:51:14 +0000
www-apps/gitea: Version bump 1.15.2.
Remove build-client useflag, because it does not work with sandbox.
Signed-off-by: Ronny (tastytea) Gutbrod <email@example.com>
Signed-off-by: Joonas Niilola <firstname.lastname@example.org>
www-apps/gitea/Manifest | 1 +
www-apps/gitea/gitea-1.15.2.ebuild | 123 +++++++++++++++++++++++++++++++++++++
2 files changed, 124 insertions(+)
We have 1.14.6 in tree which fixes the security issues, the newly added 1.15.2 is also fixed, tree clean.
Thank you! All done.