Date: Tue, 17 Dec 2024 23:57:57 GMT Message-Id: <202412172357.4BHNvvRN073028@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org 
From: Vladimir Druzenko Subject: git: 96ddbb42b98f - main - security/vuxml: add records for www/forgejo < 9.0.3 and www/forgejo7 < 7.0.12 List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-ports-main@freebsd.org Sender: owner-dev-commits-ports-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: vvd X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 96ddbb42b98fcb6022729ea28cd6725fcfdc4597 Auto-Submitted: auto-generated The branch main has been updated by vvd: URL: https://cgit.FreeBSD.org/ports/commit/?id=96ddbb42b98fcb6022729ea28cd6725fcfdc4597 commit 96ddbb42b98fcb6022729ea28cd6725fcfdc4597 Author: Stefan Bethke AuthorDate: 2024-12-17 23:52:04 +0000 Commit: Vladimir Druzenko CommitDate: 2024-12-17 23:52:04 +0000 security/vuxml: add records for www/forgejo < 9.0.3 and www/forgejo7 < 7.0.12 https://codeberg.org/forgejo/forgejo/pulls/5974 https://codeberg.org/forgejo/forgejo/pulls/6248 https://codeberg.org/forgejo/forgejo/pulls/6249 PR: 283388 --- security/vuxml/vuln/2024.xml | 112 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index 8e9741134971..96c33141d418 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,3 +1,115 @@ + + forgejo -- multiple vulnerabilities + + + forgejo + 9.0.2 + + forgejo + 7.0.11 + + + + + +

Problem Description:

+
    +
  • It was possible to use a token sent via email for secondary email validation to reset the password instead. In other words, a token sent for a given action (registration, password reset or secondary email validation) could be used to perform a different action. It is no longer possible to use a token for an action that is different from its original purpose.
  • +
  • A fork of a public repository would show in the list of forks, even if its owner was not a public user or organization. Such a fork is now hidden from the list of forks of the public repository.
  • +
  • The members of an organization team with read access to a repository (e.g. to read issues) but no read access to the code could read the RSS or atom feeds which include the commit activity. Reading the RSS or atom feeds is now denied unless the team has read permissions on the code.
  • +
  • The tokens used when replying by email to issues or pull requests were weaker than the rfc2104 recommendations. The tokens are now truncated to 128 bits instead of 80 bits. It is no longer possible to reply to emails sent before the upgrade because the weaker tokens are invalid.
  • +
  • A registered user could modify the update frequency of any push mirror (e.g. every 4h instead of every 8h). They are now only able to do that if they have administrative permissions on the repository.
  • +
  • It was possible to use basic authorization (i.e. user:password) for requests to the API even when security keys were enrolled for a user. It is no longer possible, an application token must be used instead.
  • +
  • Some markup sanitation rules were not as strong as they could be (e.g. allowing emoji somethingelse as well as emoji). The rules are now stricter and do not allow for such cases.
  • +
  • When Forgejo is configured to enable instance wide search (e.g. with bleve), results found in the repositories of private or limited users were displayed to anonymous visitors. The results found in private or limited organizations were not displayed. The search results found in the repositories of private or limited user are no longer displayed to anonymous visitors.
  • +
+ +
+ + https://codeberg.org/forgejo/forgejo/pulls/5974 + https://codeberg.org/forgejo/forgejo/pulls/5974 + https://codeberg.org/forgejo/forgejo/pulls/5974 + https://codeberg.org/forgejo/forgejo/pulls/5974 + https://codeberg.org/forgejo/forgejo/pulls/5974 + https://codeberg.org/forgejo/forgejo/pulls/5974 + https://codeberg.org/forgejo/forgejo/pulls/5974 + https://codeberg.org/forgejo/forgejo/pulls/5974 + + + 2024-12-12 + 2024-12-17 + +
+ + + forgejo -- unauthorized user impersonation + + + forgejo + 7.0.12 + + + + +

Problem Description:

+
    +
  • When Forgejo is configured to run the internal ssh server with + [server].START_SSH_SERVER=true, it was possible for a registered user + to impersonate another user. The rootless container image uses the + internal ssh server by default and was vulnerable. A Forgejo + instance running from a binary or from a root container image does + not use the internal ssh server by default and was not vulnerable. + The incorrect use of the crypto package is the root cause of the + vulnerability and was fixed for the internal ssh server.
  • +
  • Revert "allow synchronizing user status from OAuth2 login + providers"
  • +
+ +
+ + https://codeberg.org/forgejo/forgejo/pulls/6248 + + + 2024-12-12 + 2024-12-17 + +
+ + + forgejo -- multiple vulnerabilities + + + forgejo + 9.0.3 + + + + +

Problem Description:

+
    +
  • When Forgejo is configured to run the internal ssh server with + [server].START_SSH_SERVER=true, it was possible for a registered user + to impersonate another user. The rootless container image uses the + internal ssh server by default and was vulnerable. A Forgejo + instance running from a binary or from a root container image does + not use the internal ssh server by default and was not vulnerable. + The incorrect use of the crypto package is the root cause of the + vulnerability and was fixed for the internal ssh server.
  • +
  • Revert "allow synchronizing user status from OAuth2 login + providers"
  • +
+ +
+ + https://codeberg.org/forgejo/forgejo/pulls/6248 + https://codeberg.org/forgejo/forgejo/pulls/6249 + + + 2024-12-12 + 2024-12-17 + +
+ py-matrix-synapse -- multiple vulnerabilities in versions prior to 1.120.1
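Review bot: The references block of the first new entry (forgejo -- multiple vulnerabilities, ranges 9.0.2 and 7.0.11) lists https://codeberg.org/forgejo/forgejo/pulls/5974 eight times, once per bullet; VuXML entries list each reference once, so collapse those to a single URL element. In the same entry, and in the 7.0.12 entry, both affected ranges appear under the package name forgejo, while the commit subject targets www/forgejo7 as well; confirm that the name used for the 7.x range is the package name www/forgejo7 actually produces, since pkg audit matches on the installed package name and an entry under the wrong name will not flag installed forgejo7 packages. Finally, the commit subject mentions only the < 9.0.3 and < 7.0.12 records, but the hunk also adds the earlier < 9.0.2 / < 7.0.11 record (pull 5974); the subject should mention that record too so the log reflects all three additions.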