Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 809581 - www-apps/gitea: Multiple vulnerabilities
Summary: www-apps/gitea: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://github.com/go-gitea/gitea/rel...
Whiteboard: ~4 [noglsa]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2021-08-22 11:57 UTC by tastytea
Modified: 2021-09-25 13:34 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description tastytea 2021-08-22 11:57:39 UTC
These vulnerabilities were fixed in Gitea 1.15.0:

- The LDAP source bind password is stored in plaintext in the db.
  - https://github.com/go-gitea/gitea/pull/15547
- Bundled version of golang-jwt/jwt (3.2.1) is vulnerable
  - https://github.com/go-gitea/gitea/pull/16590
  - https://github.com/golang-jwt/jwt/releases/tag/v3.2.2
- Private repositories were exported (when using with dev-vcs/git?)
  - https://github.com/go-gitea/gitea/pull/16508
- Repositories of private users are shown in explore
  - https://github.com/go-gitea/gitea/pull/16550
- Security issues with nodejs tar module?
  - https://github.com/go-gitea/gitea/pull/16622

I'm working on a pull request for 1.15.0.

Reproducible: Always
Comment 1 John Helmert III gentoo-dev Security 2021-08-22 16:12:27 UTC
Thanks for reporting!
Comment 2 Larry the Git Cow gentoo-dev 2021-09-24 07:56:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=db88b1580e3c7c19afc9b0045d860665736d30a0

commit db88b1580e3c7c19afc9b0045d860665736d30a0
Author:     Ronny (tastytea) Gutbrod <gentoo@tastytea.de>
AuthorDate: 2021-08-22 12:03:26 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-09-24 07:51:14 +0000

    www-apps/gitea: Version bump 1.15.2.
    
    Remove build-client useflag, because it does not work with sandbox.
    
    Bug: https://bugs.gentoo.org/809581
    Signed-off-by: Ronny (tastytea) Gutbrod <gentoo@tastytea.de>
    Closes: https://github.com/gentoo/gentoo/pull/22073
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-apps/gitea/Manifest            |   1 +
 www-apps/gitea/gitea-1.15.2.ebuild | 123 +++++++++++++++++++++++++++++++++++++
 2 files changed, 124 insertions(+)
Comment 3 Tomáš Mózes 2021-09-24 09:42:18 UTC
We have 1.14.6 in tree which fixes the security issues, the newly added 1.15.2 is also fixed, tree clean.
Comment 4 John Helmert III gentoo-dev Security 2021-09-25 13:34:06 UTC
Thank you! All done.