Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 868996 - <www-apps/gitea-1.17.2: multiple vulnerabilities
Summary: <www-apps/gitea-1.17.2: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://github.com/go-gitea/gitea/rel...
Whiteboard: B4 [glsa+]
Keywords: PullRequest
Depends on: 873373
Blocks:
  Show dependency tree
 
Reported: 2022-09-06 23:31 UTC by John Helmert III
Modified: 2022-10-31 02:18 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-06 23:31:48 UTC
"SECURITY

Double check CloneURL is acceptable (#20869) (#20892)
Add more checks in migration code (#21011) (#21050)"

Not sure if these are actually vulnerability fixes or just hardening,
but in any case we need a bump to 1.17.2.
Comment 1 Tomáš Mózes 2022-09-24 06:35:36 UTC
cp gitea-1.17.1.ebuild gitea-1.17.2.ebuild works for me.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-24 20:04:36 UTC
(In reply to Tomáš Mózes from comment #1)
> cp gitea-1.17.1.ebuild gitea-1.17.2.ebuild works for me.

Make a PR? :)
Comment 3 Larry the Git Cow gentoo-dev 2022-09-29 02:16:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e172bd677fe11bb073517ac058b154c80b3abecf

commit e172bd677fe11bb073517ac058b154c80b3abecf
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-09-28 08:49:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-09-29 02:16:02 +0000

    www-apps/gitea: security bump to 1.17.2
    
    Bug: https://bugs.gentoo.org/868996
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/27506
    Signed-off-by: Sam James <sam@gentoo.org>

 www-apps/gitea/Manifest            |   1 +
 www-apps/gitea/gitea-1.17.2.ebuild | 125 +++++++++++++++++++++++++++++++++++++
 2 files changed, 126 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2022-09-29 13:53:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be1363f08f70bea68c6a6d0129b6097e70d2be40

commit be1363f08f70bea68c6a6d0129b6097e70d2be40
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-09-29 09:23:53 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-09-29 13:52:52 +0000

    www-apps/gitea: drop vulnerable
    
    Bug: https://bugs.gentoo.org/868996
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/27524
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-apps/gitea/Manifest            |   3 -
 www-apps/gitea/gitea-1.16.7.ebuild | 118 ----------------------------------
 www-apps/gitea/gitea-1.16.9.ebuild | 125 -------------------------------------
 www-apps/gitea/gitea-1.17.1.ebuild | 125 -------------------------------------
 4 files changed, 371 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-30 14:22:07 UTC
Thanks!
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-21 17:27:22 UTC
GLSA request filed.
Comment 7 Larry the Git Cow gentoo-dev 2022-10-31 01:41:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3f72d6f5794d0d3c914ffacdf4c915fd8aac8d89

commit 3f72d6f5794d0d3c914ffacdf4c915fd8aac8d89
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:10:13 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:14 +0000

    [ GLSA 202210-14 ] Gitea: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/848465
    Bug: https://bugs.gentoo.org/857819
    Bug: https://bugs.gentoo.org/868996
    Bug: https://bugs.gentoo.org/877355
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-14.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 02:18:59 UTC
GLSA released, all done!