FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-25 21:13:12 UTC


These are the vulnerabilities relating to the commit you have selected:

VuXML ID | Description
8bec3994-104d-11ed-a7ac-0800273f11ea | gitea -- multiple issues

The Gitea team reports:

Use git.HOME_PATH for Git HOME directory

Add write check for creating Commit status

Remove deprecated SSH ciphers from default


Discovery 2022-07-12
Entry 2022-08-05
gitea
< 1.17.0

https://github.com/go-gitea/gitea/releases/tag/v1.17.0
502ba001-7ffa-11eb-911c-0800278d94f0 | gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.13.3:

  • Turn default hash password algorithm back to pbkdf2 from argon2 until we find a better one

The Gitea Team reports for release 1.13.4:

  • Fix issue popups

Discovery 2021-01-07
Entry 2021-02-06
gitea
< 1.13.4

https://github.com/go-gitea/gitea/releases/tag/v1.13.3
https://github.com/go-gitea/gitea/releases/tag/v1.13.4
ports/254130
5048ed45-b0f1-11ed-ab04-9106b1b896dd | gitea -- password hash quality

The Gitea team reports:

This PR refactors and improves the password hashing code within gitea and makes it possible for server administrators to set the password hashing parameters.

In addition it takes the opportunity to adjust the settings for pbkdf2 in order to make the hashing a little stronger.

Add command to bulk set must-change-password

As part of administration sometimes it is appropriate to forcibly tell users to update their passwords.

This PR creates a new command gitea admin user must-change-password which will set the MustChangePassword flag on the provided users.


Discovery 2022-02-14
Entry 2023-02-20
gitea
< 1.18.4

https://blog.gitea.io/2023/02/gitea-1.18.4-is-released/
https://github.com/go-gitea/gitea/releases/tag/v1.18.4
1431a25c-8a70-11eb-bd16-0800278d94f0 | gitea -- quoting in markdown text

The Gitea Team reports for release 1.13.5:

  • Update to goldmark 1.3.3

Discovery 2021-03-20
Entry 2021-03-21
gitea
< 1.13.5

https://github.com/go-gitea/gitea/releases/tag/v1.13.5
ports/254130
2739b88b-4b88-11eb-a4c0-08002734b9ed | gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.13.1:

  • Hide private participation in Orgs
  • Fix escaping issue in diff

Discovery 2020-12-15
Entry 2020-12-31
gitea
< 1.13.1

https://github.com/go-gitea/gitea/releases/tag/v1.13.1
ports/252310
be088777-6085-11ea-8609-08002731610e | gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.11.0:

  • Never allow an empty password to validate (#9682) (#9683)
  • Prevent redirect to Host (#9678) (#9679)
  • Swagger hide search field (#9554)
  • Add "search" to reserved usernames (#9063)
  • Switch to fomantic-ui (#9374)
  • Only serve attachments when linked to issue/release and if accessible by user (#9340)

The Gitea Team reports for release 1.11.2:

  • Ensure only own addresses are updated (#10397) (#10399)
  • Logout POST action (#10582) (#10585)
  • Org action fixes and form cleanup (#10512) (#10514)
  • Change action GETs to POST (#10462) (#10464)
  • Fix admin notices (#10480) (#10483)
  • Change admin dashboard to POST (#10465) (#10466)
  • Update markbates/goth (#10444) (#10445)
  • Update crypto vendors (#10385) (#10398)

Discovery 2019-11-18
Entry 2020-03-07
gitea
< 1.11.2

https://blog.gitea.io/2020/02/gitea-1.11.0-is-released/
https://blog.gitea.io/2020/03/gitea-1.11.2-is-released/
ports/244025
943d23b6-e65e-11eb-ad30-0800273f11ea | gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.14.5:

  • Hide mirror passwords on repo settings page (#16022) (#16355)
  • Update bluemonday to v1.0.15 (#16379) (#16380)

Discovery 2021-05-16
Entry 2021-07-18
gitea
< 1.14.5

https://github.com/go-gitea/gitea/releases/tag/v1.14.5
ports/257221
a512a412-3a33-11ea-af63-0800274e5f20 | gitea -- multiple vulnerabilities

The Gitea Team reports:

  • Hide credentials when submitting migration
  • Never allow an empty password to validate
  • Prevent redirect to Host
  • Hide public repos owned by private orgs

Discovery 2019-11-22
Entry 2020-01-18
gitea
< 1.10.3

https://github.com/go-gitea/gitea/releases/tag/v1.10.3
ports/243437
c4d2f950-8c27-11eb-a3ae-0800278d94f0 | gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.13.6:

  • Fix bug on avatar middleware
  • Fix another clusterfuzz identified issue

Discovery 2021-03-21
Entry 2021-03-23
gitea
< 1.13.6

https://github.com/go-gitea/gitea/releases/tag/v1.13.5
ports/254515
83466f76-aefe-11ec-b4b6-d05099c0c059 | gitea -- Open Redirect on login

Andrew Thornton reports:

When a location containing backslashes is presented, the existing protections against open redirect are bypassed, because browsers will convert adjacent forward and backslashes within the location to double forward slashes.


Discovery 2022-03-23
Entry 2022-03-29
gitea
< 1.16.5

CVE-2022-1058
https://huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d/
d713d709-4cc9-11ed-a621-0800277bb8a8 | gitea -- multiple issues

The Gitea team reports:

Sanitize and Escape refs in git backend

Bump golang.org/x/text

Update bluemonday


Discovery 2022-09-27
Entry 2022-10-15
gitea
< 1.17.3

https://github.com/go-gitea/gitea/releases/tag/v1.17.3
0e561c06-d13a-11eb-92be-0800273f11ea | gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.14.3:

  • Encrypt migration credentials at rest (#15895) (#16187)
  • Only check access tokens if they are likely to be tokens (#16164) (#16171)
  • Add missing SameSite settings for the i_like_gitea cookie (#16037) (#16039)
  • Fix setting of SameSite on cookies (#15989) (#15991)

Discovery 2021-05-16
Entry 2021-06-19
gitea
< 1.14.3

https://github.com/go-gitea/gitea/releases/tag/v1.14.3
ports/256720
55facdb0-2c24-11eb-9aac-08002734b9ed | gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.12.6:

  • Prevent git operations for inactive users
  • Disallow urlencoded new lines in git protocol paths if there is a port

Discovery 2020-11-16
Entry 2020-11-21
gitea
< 1.12.6

Disallow urlencoded new lines in git protocol paths if there is a port
ports/251296
1650cee2-a320-11ea-a090-08002734b9ed | gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.11.6:

  • Fix missing authorization check on pull for public repos of private/limited org (#11656) (#11683)
  • Use session for retrieving org teams (#11438) (#11439)

Discovery 2020-03-01
Entry 2020-05-31
gitea
< 1.11.6

https://github.com/go-gitea/gitea/releases/tag/v1.11.6
ports/246892
0ff80f41-aefe-11ec-b4b6-d05099c0c059 | gitea -- Improper/incorrect authorization

Youssef Rebahi-Gilbert reports:

When Gitea is built and configured for PAM authentication, it skips checking authorization completely. Therefore expired accounts and accounts with expired passwords can still log in.


Discovery 2022-03-06
Entry 2022-03-29
gitea
< 1.16.4

CVE-2022-0905
https://huntr.dev/bounties/8d221f92-b2b1-4878-bc31-66ff272e5ceb
d3180f02-031e-11ec-875f-0800273f11ea | gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.15.0:

  • Encrypt LDAP bind password in db with SECRET_KEY (#15547)
  • Remove random password in Dockerfiles (#15362)
  • Upgrade to the latest version of golang-jwt and increase minimum go to 1.15 (#16590) (#16606)
  • Correctly create git-daemon-export-ok files (#16508) (#16514)
  • Don't show private user's repo in explore view (#16550) (#16554)
  • Update node tar dependency to 6.1.6 (#16622) (#16623)

Discovery 2021-04-29
Entry 2021-08-22
gitea
< 1.15.0

https://github.com/go-gitea/gitea/releases/tag/v1.15.0
ports/257994
df794e5d-3975-11ec-84e8-0800273f11ea | gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.15.5:

  • Upgrade Bluemonday to v1.0.16 (#17372) (#17374)
  • Ensure correct SSH permissions check for private and restricted users (#17370) (#17373)

Discovery 2021-10-21
Entry 2021-11-04
gitea
< 1.15.5

https://github.com/go-gitea/gitea/releases/tag/v1.15.5
ports/259548
733afd81-01cf-11ec-aec9-0800273f11ea | gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.14.6:

  • Bump github.com/markbates/goth from v1.67.1 to v1.68.0 (#16538) (#16540)
  • Switch to maintained JWT lib (#16532) (#16535)
  • Upgrade to latest version of golang-jwt (as forked for 1.14) (#16590) (#16607)

Discovery 2021-07-24
Entry 2021-08-20
gitea
< 1.14.6

https://github.com/go-gitea/gitea/releases/tag/v1.14.6
ports/257973
8ba23a62-997d-11eb-9f0e-0800278d94f0 | gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.13.7:

  • Update to bluemonday-1.0.6
  • Clusterfuzz found another way

Discovery 2021-04-07
Entry 2021-04-09
gitea
< 1.13.7

https://github.com/go-gitea/gitea/releases/tag/v1.13.7
ports/254930
b2765c89-a052-11ee-bed2-596753f1a87c | gitea -- Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin

The Gitea team reports:

Update golang.org/x/crypto


Discovery 2023-12-19
Entry 2023-12-21
gitea
< 1.21.3

https://github.com/go-gitea/gitea/releases/tag/v1.21.3
f75722ce-31b0-11ed-8b56-0800277bb8a8 | gitea -- multiple issues

The Gitea team reports:

Double check CloneURL is acceptable

Add more checks in migration code


Discovery 2022-08-19
Entry 2022-09-11
gitea
< 1.17.2

https://blog.gitea.io/2022/09/gitea-1.17.2-is-released/
482bb980-99a3-11ee-b5f7-6bd56600d90c | gitea -- missing permission checks

The Gitea team reports:

Fix missing check

Do some missing checks

By crafting an API request, attackers can access the contents of issues even though the logged-in user does not have access rights to these issues.


Discovery 2023-08-30
Entry 2023-09-10
gitea
< 1.21.2

https://github.com/go-gitea/gitea/releases/tag/v1.21.2
bd7592a1-cbfd-11ee-a42a-5404a6f3ca32 | gitea -- Prevent anonymous container access

Problem Description:

Even with RequireSignInView enabled, anonymous users can use docker pull to fetch public images.


Discovery 2024-01-24
Entry 2024-02-15
gitea
< 1.21.5

https://blog.gitea.com/release-of-1.21.5/
95ee401d-cc6a-11ec-9cfc-10c37b4ac2ea | gitea -- Escape git fetch remote

The Gitea team reports:

Escape git fetch remote in services/migrations/gitea_uploader.go


Discovery 2022-04-25
Entry 2022-05-05
gitea
< 1.16.7

https://github.com/go-gitea/gitea/pull/19487
b8a0fea2-9be9-11ed-8acf-0800277bb8a8 | gitea -- information disclosure

The Gitea team reports:

Prevent multiple To recipients: Change the mailer interface to prevent leaking of possible hidden email addresses when sending to multiple recipients.


Discovery 2022-01-22
Entry 2023-01-24
gitea
< 1.18.3

https://blog.gitea.io/2023/01/gitea-1.18.3-is-released/
8ea24413-1b15-11ee-9331-570525adb7f1 | gitea -- avoid open HTTP redirects

The Gitea team reports:

If the redirect_to parameter is set to a value starting with \\example.com, a redirect will be created with the header Location: /\\example.com, which will redirect to the example.com domain.


Discovery 2023-06-08
Entry 2023-07-05
gitea
< 1.19.4

https://blog.gitea.io/2023/07/gitea-1.19.4-is-released/
https://github.com/go-gitea/gitea/releases/tag/v1.19.4
5ecfb588-d2f4-11ee-ad82-dbdfaa8acfc2 | gitea -- Fix XSS vulnerabilities

Problem Description:

  • The Wiki page did not sanitize author name
  • the reviewer name on a "dismiss review" comment is also affected
  • the migration page has some spots

Discovery 2024-02-23
Entry 2024-02-24
gitea
< 1.21.6

https://blog.gitea.com/release-of-1.21.6/
86c330fe-bbae-4ca7-85f7-5321e627a4eb | gitea -- multiple issues

The Gitea team reports:

Remove ReverseProxy authentication from the API

Support Go Vulnerability Management

Forbid HTML string tooltips


Discovery 2022-08-23
Entry 2023-01-02
gitea
< 1.18.0

https://blog.gitea.io/2022/12/gitea-1.18.0-is-released/
https://github.com/go-gitea/gitea/releases/tag/v1.18.0
b3f77aae-241c-11ee-9684-c11c23f7b0f9 | gitea -- multiple issues

The Gitea team reports:

Test if container blob is accessible before mounting.

Set type="password" on all auth_token fields

Seen when migrating from other hosting platforms.

Prevents exposing the token to screen capture/cameras/eyeballs.

Prevents the browser from saving the value in its autocomplete dictionary, which often is not secure.


Discovery 2023-06-08
Entry 2023-07-05
gitea
< 1.20.0

https://blog.gitea.com/release-of-1.20.0
https://github.com/go-gitea/gitea/releases/tag/v1.20.0
4061a4b2-4fb1-11ee-acc7-0151f07bc899 | gitea -- block user account creation from blocked email domains

The Gitea team reports:

check blocklist for emails when adding them to account


Discovery 2023-08-30
Entry 2023-09-10
gitea
< 1.20.3

https://blog.gitea.com/release-of-1.20.4
https://github.com/go-gitea/gitea/releases/tag/v1.20.4
d0da046a-81e6-11ed-96ca-0800277bb8a8 | gitea -- multiple issues

The Gitea team reports:

Do not allow Ghost access to limited visible user/org

Fix package access for admins and inactive users


Discovery 2022-10-24
Entry 2022-12-22
gitea
< 1.17.4

https://github.com/go-gitea/gitea/releases/tag/v1.17.4
cdb10765-6879-11eb-a7d8-08002734b9ed | gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.13.2:

  • Prevent panic on fuzzer provided string
  • Add secure/httpOnly attributes to the lang cookie

Discovery 2021-01-07
Entry 2021-02-06
gitea
< 1.13.2

https://github.com/go-gitea/gitea/releases/tag/v1.13.2
ports/253295
df29c391-1046-11ed-a7ac-0800273f11ea | gitea -- multiple issues

The Gitea team reports:

Add write check for creating Commit status

Check for permission when fetching user controlled issues


Discovery 2022-07-12
Entry 2022-08-05
gitea
< 1.16.9

https://github.com/go-gitea/gitea/releases/tag/v1.16.9
b99492b2-362b-11eb-9f86-08002734b9ed | gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.13.0:

  • Add Allow-/Block-List for Migrate and Mirrors
  • Prevent git operations for inactive users
  • Disallow urlencoded new lines in git protocol paths if there is a port
  • Mitigate Security vulnerability in the git hook feature
  • Disable DSA ssh keys by default
  • Set TLS minimum version to 1.2
  • Use argon as default password hash algorithm
  • Escape failed highlighted files

Discovery 2020-12-01
Entry 2020-12-04
gitea
< 1.13.0

https://github.com/go-gitea/gitea/releases/tag/v1.13.0
ports/251577
094fb2ec-9aa3-11eb-83cb-0800278d94f0 | gitea -- multiple vulnerabilities

The Gitea Team reports for release 1.14.0:

  • Validate email in external authenticator registration form
  • Ensure validation occurs on clone addresses too

Discovery 2021-03-11
Entry 2021-04-11
gitea
< 1.14.0

https://github.com/go-gitea/gitea/releases/tag/v1.14.0
ports/254976
36a37c92-44b1-11ee-b091-6162c1274384 | gitea -- information disclosure

The Gitea team reports:

Fix API leaking Usermail if not logged in

The API should only return the real mail of a user if the caller is logged in. The check to do this doesn't work. This PR fixes this. This is not really a security issue, but can lead to spam.


Discovery 2023-06-06
Entry 2023-08-27
gitea
< 1.20.3

https://blog.gitea.com/release-of-1.20.3
https://github.com/go-gitea/gitea/releases/tag/v1.20.3
ab0bab3c-2927-11ee-8608-07b8d3947721 | gitea -- Disallow dangerous URL schemes

The Gitea team reports:

Disallow javascript, vbscript and data (data uri images still work) url schemes even if all other schemes are allowed


Discovery 2023-06-18
Entry 2023-07-23
gitea
< 1.20.1

https://blog.gitea.com/release-of-1.20.1
https://github.com/go-gitea/gitea/releases/tag/v1.20.1