FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID    Description
fd10aa77-fb5e-11e9-af7b-0800274e5f20    gitea -- information disclosure

The Gitea Team reports:

When a comment in an issue or PR mentions a user using @username, the mentioned user receives a mail notification even if they don't have permission to see the originating repository.


Discovery 2019-09-27
Entry 2019-10-30
gitea
< 1.9.5

https://github.com/go-gitea/gitea/releases/tag/v1.9.5
https://blog.gitea.io/2019/10/gitea-1.9.5-is-released/
8ba23a62-997d-11eb-9f0e-0800278d94f0    gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.13.7:

  • Update to bluemonday-1.0.6
  • Clusterfuzz found another way

Discovery 2021-04-07
Entry 2021-04-09
gitea
< 1.13.7

https://github.com/go-gitea/gitea/releases/tag/v1.13.7
ports/254930
3b2ee737-c12d-11e9-aabc-0800274e5f20    gitea -- multiple vulnerabilities

The Gitea Team reports:

This release contains two security fixes, so we highly recommend updating.


Discovery 2019-07-31
Entry 2019-07-31
gitea
< 1.9.1

https://blog.gitea.io/2019/08/gitea-1.9.1-is-released/
https://github.com/go-gitea/gitea/releases/tag/v1.9.1
df794e5d-3975-11ec-84e8-0800273f11ea    gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.15.5:

  • Upgrade Bluemonday to v1.0.16 (#17372) (#17374)
  • Ensure correct SSH permissions check for private and restricted users (#17370) (#17373)

Discovery 2021-10-21
Entry 2021-11-04
gitea
< 1.15.5

https://github.com/go-gitea/gitea/releases/tag/v1.15.5
ports/259548
d3180f02-031e-11ec-875f-0800273f11ea    gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.15.0:

  • Encrypt LDAP bind password in db with SECRET_KEY (#15547)
  • Remove random password in Dockerfiles (#15362)
  • Upgrade to the latest version of golang-jwt and increase minimum go to 1.15 (#16590) (#16606)
  • Correctly create of git-daemon-export-ok files (#16508) (#16514)
  • Don't show private user's repo in explore view (#16550) (#16554)
  • Update node tar dependency to 6.1.6 (#16622) (#16623)

Discovery 2021-04-29
Entry 2021-08-22
gitea
< 1.15.0

https://github.com/go-gitea/gitea/releases/tag/v1.15.0
ports/257994
094fb2ec-9aa3-11eb-83cb-0800278d94f0    gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.14.0:

  • Validate email in external authenticator registration form
  • Ensure validation occurs on clone addresses too

Discovery 2021-03-11
Entry 2021-04-11
gitea
< 1.14.0

https://github.com/go-gitea/gitea/releases/tag/v1.14.0
ports/254976
be088777-6085-11ea-8609-08002731610e    gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.11.0:

  • Never allow an empty password to validate (#9682) (#9683)
  • Prevent redirect to Host (#9678) (#9679)
  • Swagger hide search field (#9554)
  • Add "search" to reserved usernames (#9063)
  • Switch to fomantic-ui (#9374)
  • Only serve attachments when linked to issue/release and if accessible by user (#9340)

The Gitea Team reports for release 1.11.2:

  • Ensure only own addresses are updated (#10397) (#10399)
  • Logout POST action (#10582) (#10585)
  • Org action fixes and form cleanup (#10512) (#10514)
  • Change action GETs to POST (#10462) (#10464)
  • Fix admin notices (#10480) (#10483)
  • Change admin dashboard to POST (#10465) (#10466)
  • Update markbates/goth (#10444) (#10445)
  • Update crypto vendors (#10385) (#10398)

Discovery 2019-11-18
Entry 2020-03-07
gitea
< 1.11.2

https://blog.gitea.io/2020/02/gitea-1.11.0-is-released/
https://blog.gitea.io/2020/03/gitea-1.11.2-is-released/
ports/244025
c4d2f950-8c27-11eb-a3ae-0800278d94f0    gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.13.6:

  • Fix bug on avatar middleware
  • Fix another clusterfuzz identified issue

Discovery 2021-03-21
Entry 2021-03-23
gitea
< 1.13.6

https://github.com/go-gitea/gitea/releases/tag/v1.13.5
ports/254515
cdb10765-6879-11eb-a7d8-08002734b9ed    gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.13.2:

  • Prevent panic on fuzzer provided string
  • Add secure/httpOnly attributes to the lang cookie

Discovery 2021-01-07
Entry 2021-02-06
gitea
< 1.13.2

https://github.com/go-gitea/gitea/releases/tag/v1.13.2
ports/253295
1650cee2-a320-11ea-a090-08002734b9ed    gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.11.6:

  • Fix missing authorization check on pull for public repos of private/limited org (#11656) (#11683)
  • Use session for retrieving org teams (#11438) (#11439)

Discovery 2020-03-01
Entry 2020-05-31
gitea
< 1.11.6

https://github.com/go-gitea/gitea/releases/tag/v1.11.6
ports/246892
2739b88b-4b88-11eb-a4c0-08002734b9ed    gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.13.1:

  • Hide private participation in Orgs
  • Fix escaping issue in diff

Discovery 2020-12-15
Entry 2020-12-31
gitea
< 1.13.1

https://github.com/go-gitea/gitea/releases/tag/v1.13.1
ports/252310
733afd81-01cf-11ec-aec9-0800273f11ea    gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.14.6:

  • Bump github.com/markbates/goth from v1.67.1 to v1.68.0 (#16538) (#16540)
  • Switch to maintained JWT lib (#16532) (#16535)
  • Upgrade to latest version of golang-jwt (as forked for 1.14) (#16590) (#16607)

Discovery 2021-07-24
Entry 2021-08-20
gitea
< 1.14.6

https://github.com/go-gitea/gitea/releases/tag/v1.14.6
ports/257973
95ee401d-cc6a-11ec-9cfc-10c37b4ac2ea    gitea -- Escape git fetch remote

The Gitea team reports:

Escape git fetch remote in services/migrations/gitea_uploader.go


Discovery 2022-04-25
Entry 2022-05-05
gitea
< 1.16.7

https://github.com/go-gitea/gitea/pull/19487
83466f76-aefe-11ec-b4b6-d05099c0c059    gitea -- Open Redirect on login

Andrew Thornton reports:

When a location containing backslashes is presented, the existing protections against open redirect are bypassed, because browsers will convert adjacent forward and backslashes within the location to double forward slashes.


Discovery 2022-03-23
Entry 2022-03-29
gitea
< 1.16.5

CVE-2022-1058
https://huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d/
b12a341a-0932-11ea-bf09-080027e0baa0    gitea -- multiple vulnerabilities

The Gitea Team reports:

This release contains five security fixes, so we recommend updating:

  • Fix issue with user.fullname
  • Ignore mentions for users with no access
  • Be more strict with git arguments
  • Extract the username and password from the mirror url
  • Reserve .well-known username

Discovery 2019-11-17
Entry 2019-11-22
gitea
< 1.9.10

https://blog.gitea.io/2019/11/gitea-1.10.0-is-released/
ports/241981
55facdb0-2c24-11eb-9aac-08002734b9ed    gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.12.6:

  • Prevent git operations for inactive users
  • Disallow urlencoded new lines in git protocol paths if there is a port

Discovery 2020-11-16
Entry 2020-11-21
gitea
< 1.12.6

Disallow urlencoded new lines in git protocol paths if there is a port
ports/251296
a512a412-3a33-11ea-af63-0800274e5f20    gitea -- multiple vulnerabilities

The Gitea Team reports:

  • Hide credentials when submitting migration
  • Never allow an empty password to validate
  • Prevent redirect to Host
  • Hide public repos owned by private orgs

Discovery 2019-11-22
Entry 2020-01-18
gitea
< 1.10.3

https://github.com/go-gitea/gitea/releases/tag/v1.10.3
ports/243437
502ba001-7ffa-11eb-911c-0800278d94f0    gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.13.3:

  • Turn default hash password algorithm back to pbkdf2 from argon2 until we find a better one

The Gitea Team reports for release 1.13.4:

  • Fix issue popups

Discovery 2021-01-07
Entry 2021-02-06
gitea
< 1.13.4

https://github.com/go-gitea/gitea/releases/tag/v1.13.3
https://github.com/go-gitea/gitea/releases/tag/v1.13.4
ports/254130
b99492b2-362b-11eb-9f86-08002734b9ed    gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.13.0:

  • Add Allow-/Block-List for Migrate and Mirrors
  • Prevent git operations for inactive users
  • Disallow urlencoded new lines in git protocol paths if there is a port
  • Mitigate Security vulnerability in the git hook feature
  • Disable DSA ssh keys by default
  • Set TLS minimum version to 1.2
  • Use argon as default password hash algorithm
  • Escape failed highlighted files

Discovery 2020-12-01
Entry 2020-12-04
gitea
< 1.13.0

https://github.com/go-gitea/gitea/releases/tag/v1.13.0
ports/251577
943d23b6-e65e-11eb-ad30-0800273f11ea    gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.14.5:

  • Hide mirror passwords on repo settings page (#16022) (#16355)
  • Update bluemonday to v1.0.15 (#16379) (#16380)

Discovery 2021-05-16
Entry 2021-07-18
gitea
< 1.14.5

https://github.com/go-gitea/gitea/releases/tag/v1.14.5
ports/257221
1431a25c-8a70-11eb-bd16-0800278d94f0    gitea -- quoting in markdown text

The Gitea Team reports for release 1.13.5:

  • Update to goldmark 1.3.3

Discovery 2021-03-20
Entry 2021-03-21
gitea
< 1.13.5

https://github.com/go-gitea/gitea/releases/tag/v1.13.5
ports/254130
0ff80f41-aefe-11ec-b4b6-d05099c0c059    gitea -- Improper/incorrect authorization

Youssef Rebahi-Gilbert reports:

When Gitea is built and configured for PAM authentication it skips checking authorization completely. Therefore expired accounts and accounts with expired passwords can still login.


Discovery 2022-03-06
Entry 2022-03-29
gitea
< 1.16.4

CVE-2022-0905
https://huntr.dev/bounties/8d221f92-b2b1-4878-bc31-66ff272e5ceb
e7392840-c520-11e9-a4ef-0800274e5f20    gitea -- multiple vulnerabilities

The Gitea Team reports:

This release contains two security fixes, so we highly recommend updating.


Discovery 2019-08-22
Entry 2019-08-22
gitea
< 1.9.2

https://github.com/go-gitea/gitea/releases/tag/v1.9.2
https://blog.gitea.io/2019/08/gitea-1.9.2-is-released/
0e561c06-d13a-11eb-92be-0800273f11ea    gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.14.3:

  • Encrypt migration credentials at rest (#15895) (#16187)
  • Only check access tokens if they are likely to be tokens (#16164) (#16171)
  • Add missing SameSite settings for the i_like_gitea cookie (#16037) (#16039)
  • Fix setting of SameSite on cookies (#15989) (#15991)

Discovery 2021-05-16
Entry 2021-06-19
gitea
< 1.14.3

https://github.com/go-gitea/gitea/releases/tag/v1.14.3
ports/256720