CVE-2023-3515: Open Redirect in GitHub repository go-gitea/gitea prior to 1.19.4. The fix is actually in 1.21.0. Please stabilize.
See also: https://bugs.gentoo.org/918603
The commit has been backported to 1.20.0 and 1.19.4, actually:
1.20.0: https://github.com/go-gitea/gitea/pull/25154
1.19.4: https://github.com/go-gitea/gitea/pull/25155
So this shouldn't be a problem.
Ah, you're right, it's just that the fixes for those branches aren't easily tracked down via the references in the CVE. Even when you do find the right commits, GitHub isn't showing the tags they're a part of (for me). Seems the first fixed version for us for the open redirect is 1.20.4: https://github.com/go-gitea/gitea/commit/7679f4d51a637ae47880e09dbb185651cb7163c7

~/git/gitea $ git tag --contains 7679f4d51a637ae47880e09dbb185651cb7163c7
v1.20.0
v1.20.0-rc1
v1.20.0-rc2
v1.20.1
v1.20.2
v1.20.3
v1.20.4
v1.20.5
v1.20.6

But then there are other vulnerabilities that are now fixed in 1.20.6, so we need a bump to 1.20.6. We can just merge the other bug into this one.
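The comment above answers "which release first contains this backport?" by hand with `git tag --contains`. The script below is an added example, not code from this bug thread, from Gitea or from Gentoo: it wraps that check in two helpers and runs them against a throwaway repository that is constructed inline (its branch layout, tags and commit messages are made up for the demo and do not reflect real Gitea history). It assumes `git` and GNU `sort -V` are installed.

```shell
#!/bin/sh
# Added example: find the first release tag that contains a fix commit, and
# check whether a given tag is fixed. Not code from the bug thread, Gitea or
# Gentoo. Assumes git and GNU sort -V. The demo repository is constructed
# below; its history is invented for illustration only.

# Print the lowest final release tag (vX.Y.Z) that contains the commit.
# Pre-release tags such as v1.20.0-rc1 are filtered out because sort -V
# orders "v1.20.0" before "v1.20.0-rc1", which would mislabel the first
# fixed release.
first_fixed_tag() {
    repo=$1; sha=$2
    git -C "$repo" tag --contains "$sha" \
        | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \
        | sort -V \
        | head -n 1
}

# Exit 0 if the commit is an ancestor of the tag, i.e. the tag carries the fix.
is_fixed_in() {
    repo=$1; sha=$2; tag=$3
    git -C "$repo" merge-base --is-ancestor "$sha" "$tag"
}

# Build a constructed repository: a main line with a 1.19 release, then a
# release branch where the backport lands after rc1 but before the final
# 1.20.0 tag. Sets DEMO_REPO and FIX_SHA for callers.
make_demo_repo() {
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    DEMO_REPO=$(mktemp -d)
    git -C "$DEMO_REPO" init -q
    git -C "$DEMO_REPO" commit -q --allow-empty -m "base"
    git -C "$DEMO_REPO" tag v1.19.3
    git -C "$DEMO_REPO" checkout -q -b release-1.20
    git -C "$DEMO_REPO" commit -q --allow-empty -m "prepare 1.20"
    git -C "$DEMO_REPO" tag v1.20.0-rc1
    git -C "$DEMO_REPO" commit -q --allow-empty -m "backport open redirect fix"
    FIX_SHA=$(git -C "$DEMO_REPO" rev-parse HEAD)
    git -C "$DEMO_REPO" tag v1.20.0-rc2
    git -C "$DEMO_REPO" commit -q --allow-empty -m "release 1.20.0"
    git -C "$DEMO_REPO" tag v1.20.0
    git -C "$DEMO_REPO" commit -q --allow-empty -m "release 1.20.1"
    git -C "$DEMO_REPO" tag v1.20.1
}

make_demo_repo
echo "fix commit: $FIX_SHA"
echo "first fixed release: $(first_fixed_tag "$DEMO_REPO" "$FIX_SHA")"
for t in v1.19.3 v1.20.0-rc1 v1.20.0-rc2 v1.20.0 v1.20.1; do
    if is_fixed_in "$DEMO_REPO" "$FIX_SHA" "$t"; then
        echo "$t: fixed"
    else
        echo "$t: vulnerable"
    fi
done
```

On a real checkout, replace the demo repository with the path to the clone and pass the backport commit's SHA; `is_fixed_in` is the cheaper check when you only need to know whether the version already in the tree carries the fix.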
*** Bug 918603 has been marked as a duplicate of this bug. ***
Yes, a PR of bumping to 1.20.6 and 1.21.1 has been opened. See https://github.com/gentoo/gentoo/pull/34015
Please advise and stabilize a new version; would 1.20.6 be a good candidate?
(In reply to Yixun Lan from comment #6)
> Please advise and stabilize a new version; would 1.20.6 be a good candidate?

I'm using 1.21.1, works fine on amd64.
Due to the fact that 1.21 has some breaking changes compared to 1.20, I tend to stabilize 1.20.6 first.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b1b2cdd2052d7dd35f144db548ce879fa041c99d

commit b1b2cdd2052d7dd35f144db548ce879fa041c99d
Author:     Yixun Lan <dlan@gentoo.org>
AuthorDate: 2023-11-29 23:44:17 +0000
Commit:     Yixun Lan <dlan@gentoo.org>
CommitDate: 2023-11-29 23:51:38 +0000

    www-apps/gitea: drop vulnerable version 1.20.4

    Bug: https://bugs.gentoo.org/918674
    Signed-off-by: Yixun Lan <dlan@gentoo.org>

 www-apps/gitea/Manifest            |   1 -
 www-apps/gitea/gitea-1.20.4.ebuild | 131 -------------------------------------
 2 files changed, 132 deletions(-)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=78c91985a976aea4687d6ddfc98944f32f41ef48

commit 78c91985a976aea4687d6ddfc98944f32f41ef48
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-12-23 09:39:06 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-12-23 09:39:49 +0000

    [ GLSA 202312-13 ] Gitea: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/887825
    Bug: https://bugs.gentoo.org/891983
    Bug: https://bugs.gentoo.org/905886
    Bug: https://bugs.gentoo.org/918674
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202312-13.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)