FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-25 21:13:12 UTC


k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID / Description

VuXML ID: b3f77aae-241c-11ee-9684-c11c23f7b0f9
Description: gitea -- multiple issues

The Gitea team reports:

Test if container blob is accessible before mounting.

Set type="password" on all auth_token fields

Seen when migrating from other hosting platforms.

Prevents exposing the token to screen capture/cameras/eyeballs.

Prevents the browser from saving the value in its autocomplete dictionary, which often is not secure.


Discovery: 2023-06-08
Entry: 2023-07-05
Affected: gitea < 1.20.0

https://blog.gitea.com/release-of-1.20.0
https://github.com/go-gitea/gitea/releases/tag/v1.20.0
VuXML ID: 482bb980-99a3-11ee-b5f7-6bd56600d90c
Description: gitea -- missing permission checks

The Gitea team reports:

Fix missing check

Do some missing checks

By crafting an API request, attackers can access the contents of issues even though the logged-in user does not have access rights to these issues.


Discovery: 2023-08-30
Entry: 2023-09-10
Affected: gitea < 1.21.2

https://github.com/go-gitea/gitea/releases/tag/v1.21.2
VuXML ID: 8ea24413-1b15-11ee-9331-570525adb7f1
Description: gitea -- avoid open HTTP redirects

The Gitea team reports:

If the redirect_to parameter has a value starting with \\example.com, a redirect will be created with the header Location: /\\example.com, which will redirect to the example.com domain.


Discovery: 2023-06-08
Entry: 2023-07-05
Affected: gitea < 1.19.4

https://blog.gitea.io/2023/07/gitea-1.19.4-is-released/
https://github.com/go-gitea/gitea/releases/tag/v1.19.4
VuXML ID: 5048ed45-b0f1-11ed-ab04-9106b1b896dd
Description: gitea -- password hash quality

The Gitea team reports:

This PR refactors and improves the password hashing code within gitea and makes it possible for server administrators to set the password hashing parameters.

In addition it takes the opportunity to adjust the settings for pbkdf2 in order to make the hashing a little stronger.

Add command to bulk set must-change-password

As part of administration sometimes it is appropriate to forcibly tell users to update their passwords.

This PR creates a new command gitea admin user must-change-password which will set the MustChangePassword flag on the provided users.


Discovery: 2022-02-14
Entry: 2023-02-20
Affected: gitea < 1.18.4

https://blog.gitea.io/2023/02/gitea-1.18.4-is-released/
https://github.com/go-gitea/gitea/releases/tag/v1.18.4
VuXML ID: 36a37c92-44b1-11ee-b091-6162c1274384
Description: gitea -- information disclosure

The Gitea team reports:

Fix API leaking Usermail if not logged in

The API should only return the real mail of a user if the caller is logged in. The check to do this doesn't work. This PR fixes this. This is not really a security issue, but can lead to spam.


Discovery: 2023-06-06
Entry: 2023-08-27
Affected: gitea < 1.20.3

https://blog.gitea.com/release-of-1.20.3
https://github.com/go-gitea/gitea/releases/tag/v1.20.3
VuXML ID: d0da046a-81e6-11ed-96ca-0800277bb8a8
Description: gitea -- multiple issues

The Gitea team reports:

Do not allow Ghost access to limited visible user/org

Fix package access for admins and inactive users


Discovery: 2022-10-24
Entry: 2022-12-22
Affected: gitea < 1.17.4

https://github.com/go-gitea/gitea/releases/tag/v1.17.4
VuXML ID: 86c330fe-bbae-4ca7-85f7-5321e627a4eb
Description: gitea -- multiple issues

The Gitea team reports:

Remove ReverseProxy authentication from the API

Support Go Vulnerability Management

Forbid HTML string tooltips


Discovery: 2022-08-23
Entry: 2023-01-02
Affected: gitea < 1.18.0

https://blog.gitea.io/2022/12/gitea-1.18.0-is-released/
https://github.com/go-gitea/gitea/releases/tag/v1.18.0
VuXML ID: b8a0fea2-9be9-11ed-8acf-0800277bb8a8
Description: gitea -- information disclosure

The Gitea team reports:

Prevent multiple To recipients: Change the mailer interface to prevent leaking of possible hidden email addresses when sending to multiple recipients.


Discovery: 2022-01-22
Entry: 2023-01-24
Affected: gitea < 1.18.3

https://blog.gitea.io/2023/01/gitea-1.18.3-is-released/
VuXML ID: 4061a4b2-4fb1-11ee-acc7-0151f07bc899
Description: gitea -- block user account creation from blocked email domains

The Gitea team reports:

Check blocklist for emails when adding them to an account.


Discovery: 2023-08-30
Entry: 2023-09-10
Affected: gitea < 1.20.3

https://blog.gitea.com/release-of-1.20.4
https://github.com/go-gitea/gitea/releases/tag/v1.20.4
VuXML ID: b2765c89-a052-11ee-bed2-596753f1a87c
Description: gitea -- Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin

The Gitea team reports:

Update golang.org/x/crypto


Discovery: 2023-12-19
Entry: 2023-12-21
Affected: gitea < 1.21.3

https://github.com/go-gitea/gitea/releases/tag/v1.21.3
VuXML ID: 5ecfb588-d2f4-11ee-ad82-dbdfaa8acfc2
Description: gitea -- Fix XSS vulnerabilities

Problem Description:

  • The Wiki page did not sanitize the author name.
  • The reviewer name on a "dismiss review" comment is also affected.
  • The migration page has some affected spots.

Discovery: 2024-02-23
Entry: 2024-02-24
Affected: gitea < 1.21.6

https://blog.gitea.com/release-of-1.21.6/
VuXML ID: ab0bab3c-2927-11ee-8608-07b8d3947721
Description: gitea -- Disallow dangerous URL schemes

The Gitea team reports:

Disallow javascript, vbscript and data (data URI images still work) URL schemes even if all other schemes are allowed.


Discovery: 2023-06-18
Entry: 2023-07-23
Affected: gitea < 1.20.1

https://blog.gitea.com/release-of-1.20.1
https://github.com/go-gitea/gitea/releases/tag/v1.20.1
VuXML ID: bd7592a1-cbfd-11ee-a42a-5404a6f3ca32
Description: gitea -- Prevent anonymous container access

Problem Description:

Even with RequireSignInView enabled, anonymous users can use docker pull to fetch public images.


Discovery: 2024-01-24
Entry: 2024-02-15
Affected: gitea < 1.21.5

https://blog.gitea.com/release-of-1.21.5/