These vulnerabilities were fixed in Gitea 1.15.0:

- The LDAP source bind password is stored in plaintext in the db.
  - https://github.com/go-gitea/gitea/pull/15547
- Bundled version of golang-jwt/jwt (3.2.1) is vulnerable
  - https://github.com/go-gitea/gitea/pull/16590
  - https://github.com/golang-jwt/jwt/releases/tag/v3.2.2
- Private repositories were exported (when using with dev-vcs/git?)
  - https://github.com/go-gitea/gitea/pull/16508
- Repositories of private users are shown in explore
  - https://github.com/go-gitea/gitea/pull/16550
- Security issues with nodejs tar module?
  - https://github.com/go-gitea/gitea/pull/16622

I'm working on a pull request for 1.15.0.

Reproducible: Always
Thanks for reporting!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=db88b1580e3c7c19afc9b0045d860665736d30a0

commit db88b1580e3c7c19afc9b0045d860665736d30a0
Author:     Ronny (tastytea) Gutbrod <gentoo@tastytea.de>
AuthorDate: 2021-08-22 12:03:26 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-09-24 07:51:14 +0000

    www-apps/gitea: Version bump 1.15.2.

    Remove build-client useflag, because it does not work with sandbox.

    Bug: https://bugs.gentoo.org/809581
    Signed-off-by: Ronny (tastytea) Gutbrod <gentoo@tastytea.de>
    Closes: https://github.com/gentoo/gentoo/pull/22073
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-apps/gitea/Manifest            |   1 +
 www-apps/gitea/gitea-1.15.2.ebuild | 123 +++++++++++++++++++++++++++++++++++++
 2 files changed, 124 insertions(+)
We have 1.14.6 in tree, which fixes the security issues; the newly added 1.15.2 is also fixed. Tree clean.
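As an added example that is not part of this bug report and not tooling from the Gitea or Gentoo projects: a POSIX shell script for an administrator who wants to verify a host against the versions named in this thread. It checks an installed Gitea version against the releases the thread calls fixed (1.15.0 per the report, 1.14.6 per the comment above), and, for the golang-jwt/jwt item, reads the module list that `go version -m <binary>` prints for any Go binary to see whether the bundled jwt module is still below the v3.2.2 release the report links. The `go version -m` output and the `gitea --version` banner embedded in the script are constructed samples (the module hash column is invented), and all function names are my own.

```shell
#!/bin/sh
# Added example, not from the bug report or from Gitea/Gentoo itself.
# Two checks for the items in this bug:
#   1. is the installed Gitea at or above a release the thread calls fixed
#      (1.15.0, or 1.14.6 on the 1.14 branch)?
#   2. does the Gitea binary still bundle golang-jwt/jwt older than 3.2.2?
# Check 2 reads `go version -m <binary>`, which prints the module versions
# compiled into a Go binary, so it needs no source tree on the host.

# Return 0 when dotted version $1 is at least $2. A leading "v" and any
# "+..." or "-..." suffix are dropped, so "v3.2.1+incompatible" compares as
# 3.2.1 and "1.15.0-rc1" compares as 1.15.0 (pre-releases are NOT treated as
# older; tighten this if you run release candidates).
version_ge() {
    a=$(printf '%s' "$1" | sed -e 's/^v//' -e 's/[+-].*$//').0.0
    b=$(printf '%s' "$2" | sed -e 's/^v//' -e 's/[+-].*$//').0.0
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Extract the version number from the banner `gitea --version` prints,
# e.g. "Gitea version 1.14.5 built with GNU Make 4.3, go1.16.5 : bindata".
gitea_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Gitea version \([0-9][0-9.]*\).*$/\1/p'
}

# Return 0 when Gitea version $1 is one the thread lists as carrying the
# fixes: 1.15.0 and later, or 1.14.6 and later on the 1.14 branch.
gitea_version_fixed() {
    case "$(printf '%s' "$1" | cut -d. -f1,2)" in
        1.14) version_ge "$1" 1.14.6 ;;
        *)    version_ge "$1" 1.15.0 ;;
    esac
}

JWT_FIXED=v3.2.2   # golang-jwt/jwt release the report links as the fix

# Print the golang-jwt/jwt version from `go version -m` output on stdin.
# Real output is tab separated; awk splits on any whitespace, so the
# space-separated samples below parse the same way. Lines look like:
#   dep  github.com/golang-jwt/jwt  v3.2.1+incompatible  h1:...
jwt_dep_version() {
    awk '$1 == "dep" && $2 == "github.com/golang-jwt/jwt" { print $3; exit }'
}

# Classify `go version -m` output passed as $1: prints "absent" (module not
# linked at all), "vulnerable" (older than JWT_FIXED) or "fixed".
jwt_status() {
    v=$(printf '%s\n' "$1" | jwt_dep_version)
    if [ -z "$v" ]; then
        echo absent
    elif version_ge "$v" "$JWT_FIXED"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Constructed sample of `go version -m /usr/bin/gitea` output; the hashes
# are invented and the binary was never inspected.
SAMPLE_OLD='/usr/bin/gitea: go1.16.7
    path    code.gitea.io/gitea
    mod     code.gitea.io/gitea    (devel)
    dep     github.com/golang-jwt/jwt    v3.2.1+incompatible    h1:EXAMPLEHASH0000000000000000000000000000000=
    dep     golang.org/x/crypto    v0.0.0-20210711020723-a769d52b0f97    h1:EXAMPLEHASH1111111111111111111111111111111='
SAMPLE_NEW=$(printf '%s\n' "$SAMPLE_OLD" | sed 's/v3\.2\.1+incompatible/v3.2.2+incompatible/')
SAMPLE_NONE=$(printf '%s\n' "$SAMPLE_OLD" | grep -v golang-jwt)
SAMPLE_BANNER='Gitea version 1.14.5 built with GNU Make 4.3, go1.16.5 : bindata, sqlite, sqlite_unlock_notify'

# Demonstration on the samples. On a real host run instead:
#   gitea_version_fixed "$(gitea_version_from_banner "$(gitea --version)")"
#   go version -m "$(command -v gitea)" | jwt_dep_version
for s in "$SAMPLE_OLD" "$SAMPLE_NEW" "$SAMPLE_NONE"; do
    echo "golang-jwt/jwt: $(jwt_status "$s")"
done
for v in "$(gitea_version_from_banner "$SAMPLE_BANNER")" 1.14.6 1.15.0 1.15.2; do
    if gitea_version_fixed "$v"; then
        echo "gitea $v: fixed"
    else
        echo "gitea $v: affected"
    fi
done
```

Note that "absent" only means the binary does not link the module path `github.com/golang-jwt/jwt`; a Gitea built before the switch to that fork links a different JWT module and needs its own check, and the version comparison ignores pre-release suffixes, so a `-rc` build is reported as if it were the final release.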
Thank you! All done.