FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC


These are the vulnerabilities relating to the commit you have selected:

VuXML ID  Description
63e36475-119f-11e9-aba7-080027fee39c  gitea -- insufficient privilege check

The Gitea project reports:

Security

  • Prevent DeleteFilePost doing arbitrary deletion

Discovery 2019-01-04
Entry 2019-01-06
gitea
< 1.6.3

https://github.com/go-gitea/gitea/issues/5631
0ff80f41-aefe-11ec-b4b6-d05099c0c059  gitea -- Improper/incorrect authorization

Youssef Rebahi-Gilbert reports:

When Gitea is built and configured for PAM authentication it skips checking authorization completely. Therefore expired accounts and accounts with expired passwords can still login.


Discovery 2022-03-06
Entry 2022-03-29
gitea
< 1.16.4

CVE-2022-0905
https://huntr.dev/bounties/8d221f92-b2b1-4878-bc31-66ff272e5ceb
cdb10765-6879-11eb-a7d8-08002734b9ed  gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.13.2:

  • Prevent panic on fuzzer provided string
  • Add secure/httpOnly attributes to the lang cookie

Discovery 2021-01-07
Entry 2021-02-06
gitea
< 1.13.2

https://github.com/go-gitea/gitea/releases/tag/v1.13.2
ports/253295
d3180f02-031e-11ec-875f-0800273f11ea  gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.15.0:

  • Encrypt LDAP bind password in db with SECRET_KEY (#15547)
  • Remove random password in Dockerfiles (#15362)
  • Upgrade to the latest version of golang-jwt and increase minimum go to 1.15 (#16590) (#16606)
  • Correctly create of git-daemon-export-ok files (#16508) (#16514)
  • Don't show private user's repo in explore view (#16550) (#16554)
  • Update node tar dependency to 6.1.6 (#16622) (#16623)

Discovery 2021-04-29
Entry 2021-08-22
gitea
< 1.15.0

https://github.com/go-gitea/gitea/releases/tag/v1.15.0
ports/257994
bcf56a42-9df8-11e8-afb0-589cfc0f81b0  gitea -- TOTP passcode reuse

The Gitea project reports:

TOTP passcodes can be reused.


Discovery 2018-05-01
Entry 2018-08-12
gitea
< 1.5.0

https://github.com/go-gitea/gitea/pull/3878
3b2ee737-c12d-11e9-aabc-0800274e5f20  gitea -- multiple vulnerabilities

The Gitea Team reports:

This release contains two security fixes, so we highly recommend updating.


Discovery 2019-07-31
Entry 2019-07-31
gitea
< 1.9.1

https://blog.gitea.io/2019/08/gitea-1.9.1-is-released/
https://github.com/go-gitea/gitea/releases/tag/v1.9.1
8ba23a62-997d-11eb-9f0e-0800278d94f0  gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.13.7:

  • Update to bluemonday-1.0.6
  • Clusterfuzz found another way

Discovery 2021-04-07
Entry 2021-04-09
gitea
< 1.13.7

https://github.com/go-gitea/gitea/releases/tag/v1.13.7
ports/254930
943d23b6-e65e-11eb-ad30-0800273f11ea  gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.14.5:

  • Hide mirror passwords on repo settings page (#16022) (#16355)
  • Update bluemonday to v1.0.15 (#16379) (#16380)

Discovery 2021-05-16
Entry 2021-07-18
gitea
< 1.14.5

https://github.com/go-gitea/gitea/releases/tag/v1.14.5
ports/257221
502ba001-7ffa-11eb-911c-0800278d94f0  gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.13.3:

  • Turn default hash password algorithm back to pbkdf2 from argon2 until we find a better one

The Gitea Team reports for release 1.13.4:

  • Fix issue popups

Discovery 2021-01-07
Entry 2021-02-06
gitea
< 1.13.4

https://github.com/go-gitea/gitea/releases/tag/v1.13.3
https://github.com/go-gitea/gitea/releases/tag/v1.13.4
ports/254130
a8ba7358-4b02-11e9-9ba0-4c72b94353b5  gitea -- XSS vulnerability

Gitea Team reports:

Fix potential XSS vulnerability in repository description.


Discovery 2019-03-12
Entry 2019-03-20
gitea
< 1.7.4

https://blog.gitea.io/2019/03/gitea-1.7.4-is-released/
cb539d4e-cd68-11e8-8819-00e04c1ea73d  gitea -- multiple vulnerabilities

Gitea project reports:

CSRF Vulnerability on API.

Enforce token on api routes.


Discovery 2018-10-01
Entry 2018-10-11
gitea
< 1.5.2

https://github.com/go-gitea/gitea/issues/4357
https://github.com/go-gitea/gitea/pull/4840
deb4f633-de1d-11e8-a9fb-080027f43a02  gitea -- remote code execution

The Gitea project reports:

[This release] contains crit[i]cal security fix for vulnerability that could potentially allow for authorized users to do remote code ex[e]cution.


Discovery 2018-10-25
Entry 2018-11-01
gitea
< 1.5.3

https://github.com/go-gitea/gitea/pull/5177
https://github.com/go-gitea/gitea/pull/5196
https://github.com/go-macaron/session/commit/084f1e5c1071f585902a7552b483cee04bc00a14
a1de4ae9-6fda-11e9-9ba0-4c72b94353b5  gitea -- multiple vulnerabilities

Gitea Team reports:

This release contains two new security fixes which cannot be backported to the 1.7.0 branch, so it is recommended to update to this version.


Discovery 2019-04-21
Entry 2019-05-06
gitea
< 1.8.0

https://blog.gitea.io/2019/04/gitea-1.8.0-is-released/
1650cee2-a320-11ea-a090-08002734b9ed  gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.11.6:

  • Fix missing authorization check on pull for public repos of private/limited org (#11656) (#11683)
  • Use session for retrieving org teams (#11438) (#11439)

Discovery 2020-03-01
Entry 2020-05-31
gitea
< 1.11.6

https://github.com/go-gitea/gitea/releases/tag/v1.11.6
ports/246892
e7b69694-b3b5-11e9-9bb6-0800274e5f20  gitea -- multiple vulnerabilities

The Gitea Team reports:

This version of Gitea contains security fixes that could not be backported to 1.8. For this reason, we strongly recommend updating.


Discovery 2019-07-31
Entry 2019-07-31
gitea
< 1.9.0

https://blog.gitea.io/2019/07/gitea-1.9.0-is-released/
https://github.com/go-gitea/gitea/releases/tag/v1.9.0
be088777-6085-11ea-8609-08002731610e  gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.11.0:

  • Never allow an empty password to validate (#9682) (#9683)
  • Prevent redirect to Host (#9678) (#9679)
  • Swagger hide search field (#9554)
  • Add "search" to reserved usernames (#9063)
  • Switch to fomantic-ui (#9374)
  • Only serve attachments when linked to issue/release and if accessible by user (#9340)

The Gitea Team reports for release 1.11.2:

  • Ensure only own addresses are updated (#10397) (#10399)
  • Logout POST action (#10582) (#10585)
  • Org action fixes and form cleanup (#10512) (#10514)
  • Change action GETs to POST (#10462) (#10464)
  • Fix admin notices (#10480) (#10483)
  • Change admin dashboard to POST (#10465) (#10466)
  • Update markbates/goth (#10444) (#10445)
  • Update crypto vendors (#10385) (#10398)

Discovery 2019-11-18
Entry 2020-03-07
gitea
< 1.11.2

https://blog.gitea.io/2020/02/gitea-1.11.0-is-released/
https://blog.gitea.io/2020/03/gitea-1.11.2-is-released/
ports/244025
b12a341a-0932-11ea-bf09-080027e0baa0  gitea -- multiple vulnerabilities

The Gitea Team reports:

This release contains five security fixes, so we recommend updating:

  • Fix issue with user.fullname
  • Ignore mentions for users with no access
  • Be more strict with git arguments
  • Extract the username and password from the mirror url
  • Reserve .well-known username

Discovery 2019-11-17
Entry 2019-11-22
gitea
< 1.9.10

https://blog.gitea.io/2019/11/gitea-1.10.0-is-released/
ports/241981
55facdb0-2c24-11eb-9aac-08002734b9ed  gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.12.6:

  • Prevent git operations for inactive users
  • Disallow urlencoded new lines in git protocol paths if there is a port

Discovery 2020-11-16
Entry 2020-11-21
gitea
< 1.12.6

Disallow urlencoded new lines in git protocol paths if there is a port
ports/251296
95ee401d-cc6a-11ec-9cfc-10c37b4ac2ea  gitea -- Escape git fetch remote

The Gitea team reports:

Escape git fetch remote in services/migrations/gitea_uploader.go


Discovery 2022-04-25
Entry 2022-05-05
gitea
< 1.16.7

https://github.com/go-gitea/gitea/pull/19487
83466f76-aefe-11ec-b4b6-d05099c0c059  gitea -- Open Redirect on login

Andrew Thornton reports:

When a location containing backslashes is presented, the existing protections against open redirect are bypassed, because browsers will convert adjacent forward and backslashes within the location to double forward slashes.


Discovery 2022-03-23
Entry 2022-03-29
gitea
< 1.16.5

CVE-2022-1058
https://huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d/
2739b88b-4b88-11eb-a4c0-08002734b9ed  gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.13.1:

  • Hide private participation in Orgs
  • Fix escaping issue in diff

Discovery 2020-12-15
Entry 2020-12-31
gitea
< 1.13.1

https://github.com/go-gitea/gitea/releases/tag/v1.13.1
ports/252310
733afd81-01cf-11ec-aec9-0800273f11ea  gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.14.6:

  • Bump github.com/markbates/goth from v1.67.1 to v1.68.0 (#16538) (#16540)
  • Switch to maintained JWT lib (#16532) (#16535)
  • Upgrade to latest version of golang-jwt (as forked for 1.14) (#16590) (#16607)

Discovery 2021-07-24
Entry 2021-08-20
gitea
< 1.14.6

https://github.com/go-gitea/gitea/releases/tag/v1.14.6
ports/257973
0e561c06-d13a-11eb-92be-0800273f11ea  gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.14.3:

  • Encrypt migration credentials at rest (#15895) (#16187)
  • Only check access tokens if they are likely to be tokens (#16164) (#16171)
  • Add missing SameSite settings for the i_like_gitea cookie (#16037) (#16039)
  • Fix setting of SameSite on cookies (#15989) (#15991)

Discovery 2021-05-16
Entry 2021-06-19
gitea
< 1.14.3

https://github.com/go-gitea/gitea/releases/tag/v1.14.3
ports/256720
b747783f-5fb6-11e9-b2ac-08002705f877  gitea -- remote code execution

The Gitea team reports:

Prevent remote code execution vulnerability with mirror repo URL settings.


Discovery 2019-04-13
Entry 2019-04-17
gitea
< 1.7.5

https://blog.gitea.io/2019/04/gitea-1.7.6-is-released/
1431a25c-8a70-11eb-bd16-0800278d94f0  gitea -- quoting in markdown text

The Gitea Team reports for release 1.13.5:

  • Update to goldmark 1.3.3

Discovery 2021-03-20
Entry 2021-03-21
gitea
< 1.13.5

https://github.com/go-gitea/gitea/releases/tag/v1.13.5
ports/254130
e7392840-c520-11e9-a4ef-0800274e5f20  gitea -- multiple vulnerabilities

The Gitea Team reports:

This release contains two security fixes, so we highly recommend updating.


Discovery 2019-08-22
Entry 2019-08-22
gitea
< 1.9.2

https://github.com/go-gitea/gitea/releases/tag/v1.9.2
https://blog.gitea.io/2019/08/gitea-1.9.2-is-released/
29d34524-0542-11e9-a444-080027fee39c  gitea -- privilege escalation, XSS

The Gitea project reports:

Security

  • Sanitize uploaded file names
  • HTMLEncode user added text

Discovery 2018-12-19
Entry 2018-12-21
gitea
< 1.6.2

https://github.com/go-gitea/gitea/issues/5569
https://github.com/go-gitea/gitea/issues/5565
41c1cd6f-2645-11e9-b5f1-080027fee39c  gitea -- multiple vulnerabilities

Gitea Team reports:

Disable redirect for i18n

Only allow local login if password is non-empty

Fix go-get URL generation


Discovery 2019-01-31
Entry 2019-02-01
gitea
< 1.7.1

https://github.com/go-gitea/gitea/releases/tag/v1.7.1
df794e5d-3975-11ec-84e8-0800273f11ea  gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.15.5:

  • Upgrade Bluemonday to v1.0.16 (#17372) (#17374)
  • Ensure correct SSH permissions check for private and restricted users (#17370) (#17373)

Discovery 2021-10-21
Entry 2021-11-04
gitea
< 1.15.5

https://github.com/go-gitea/gitea/releases/tag/v1.15.5
ports/259548
094fb2ec-9aa3-11eb-83cb-0800278d94f0  gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.14.0:

  • Validate email in external authenticator registration form
  • Ensure validation occurs on clone addresses too

Discovery 2021-03-11
Entry 2021-04-11
gitea
< 1.14.0

https://github.com/go-gitea/gitea/releases/tag/v1.14.0
ports/254976
a512a412-3a33-11ea-af63-0800274e5f20  gitea -- multiple vulnerabilities

The Gitea Team reports:

  • Hide credentials when submitting migration
  • Never allow an empty password to validate
  • Prevent redirect to Host
  • Hide public repos owned by private orgs

Discovery 2019-11-22
Entry 2020-01-18
gitea
< 1.10.3

https://github.com/go-gitea/gitea/releases/tag/v1.10.3
ports/243437
7f6146aa-2157-11e9-9ba0-4c72b94353b5  gitea -- multiple vulnerabilities

Gitea Team reports:

Do not display the raw OpenID error in the UI

When redirecting clean the path to avoid redirecting to external site

Prevent DeleteFilePost doing arbitrary deletion


Discovery 2019-01-22
Entry 2019-01-26
gitea
< 1.7.0

https://github.com/go-gitea/gitea/releases/tag/v1.7.0
7c750960-b129-11e8-9fcd-080027f43a02  Information disclosure - Gitea leaks email addresses

The Gitea project reports:

[Privacy] Gitea leaks hidden email addresses #4417

A fix has been implemented in Gitea 1.5.1.


Discovery 2018-07-10
Entry 2018-09-05
gitea
< 1.5.1

https://github.com/go-gitea/gitea/issues/4417
https://github.com/go-gitea/gitea/pull/4784
c4d2f950-8c27-11eb-a3ae-0800278d94f0  gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.13.6:

  • Fix bug on avatar middleware
  • Fix another clusterfuzz identified issue

Discovery 2021-03-21
Entry 2021-03-23
gitea
< 1.13.6

https://github.com/go-gitea/gitea/releases/tag/v1.13.5
ports/254515
b99492b2-362b-11eb-9f86-08002734b9ed  gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.13.0:

  • Add Allow-/Block-List for Migrate and Mirrors
  • Prevent git operations for inactive users
  • Disallow urlencoded new lines in git protocol paths if there is a port
  • Mitigate Security vulnerability in the git hook feature
  • Disable DSA ssh keys by default
  • Set TLS minimum version to 1.2
  • Use argon as default password hash algorithm
  • Escape failed highlighted files

Discovery 2020-12-01
Entry 2020-12-04
gitea
< 1.13.0

https://github.com/go-gitea/gitea/releases/tag/v1.13.0
ports/251577
fd10aa77-fb5e-11e9-af7b-0800274e5f20  gitea -- information disclosure

The Gitea Team reports:

When a comment in an issue or PR mentions a user using @username, the mentioned user receives a mail notification even if they don't have permission to see the originating repository.


Discovery 2019-09-27
Entry 2019-10-30
gitea
< 1.9.5

https://github.com/go-gitea/gitea/releases/tag/v1.9.5
https://blog.gitea.io/2019/10/gitea-1.9.5-is-released/