git: 478a7fab1aa3 - main - www/gitea: Update version 1.21.0=>1.21.3
Date: Fri, 22 Dec 2023 01:24:49 UTC
The branch main has been updated by bofh: URL: https://cgit.FreeBSD.org/ports/commit/?id=478a7fab1aa36ee655d2840c7f282de684ca4d51 commit 478a7fab1aa36ee655d2840c7f282de684ca4d51 Author: Stefan Bethke <stb@lassitu.de> AuthorDate: 2023-12-21 23:19:59 +0000 Commit: Muhammad Moinur Rahman <bofh@FreeBSD.org> CommitDate: 2023-12-22 01:24:35 +0000 www/gitea: Update version 1.21.0=>1.21.3 - Add relevant vuxml entry - Move pkg-message to SUB_FILES as we are using PREFIX Changelog: https://blog.gitea.com/release-of-1.21.3/ PR: 275742 Approved by: submitter is maintainer
---
 security/vuxml/vuln/2023.xml | 56 +++++++++++++++++++++++++ www/gitea/Makefile | 5 +-- www/gitea/distinfo | 6 +-- www/gitea/{pkg-message => files/pkg-message.in} | 15 +++++++ 4 files changed, 76 insertions(+), 6 deletions(-)
diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
index d3972f612c23..7de965752d64 100644
--- a/security/vuxml/vuln/2023.xml
+++ b/security/vuxml/vuln/2023.xml
@@ -1,3 +1,59 @@
+ <vuln vid="b2765c89-a052-11ee-bed2-596753f1a87c">
+ <topic>gitea -- Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin</topic>
+ <affects>
+ <package>
+ <name>gitea</name>
+ <range><lt>1.21.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Gitea team reports:</p>
+ <blockquote cite="https://github.com/go-gitea/gitea/pull/28519">
+ <p>Update golang.org/x/crypto</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/go-gitea/gitea/releases/tag/v1.21.3</url>
+ </references>
+ <dates>
+ <discovery>2023-12-19</discovery>
+ <entry>2023-12-21</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="482bb980-99a3-11ee-b5f7-6bd56600d90c">
+ <topic>gitea -- missing permission checks</topic>
+ <affects>
+ <package>
+ <name>gitea</name>
+ <range><lt>1.21.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Gitea team reports:</p>
+ <blockquote cite="https://github.com/go-gitea/gitea/pull/28406">
+ <p>Fix missing check</p>
+ </blockquote>
+ <blockquote cite="https://github.com/go-gitea/gitea/pull/28423">
+ <p>Do some missing checks</p>
+ </blockquote>
+ <p>By crafting an API request, attackers can access the contents of
+ issues even though the logged-in user does not have access rights to
+ these issues.</p>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/go-gitea/gitea/releases/tag/v1.21.2</url>
+ </references>
+ <dates>
+ <discovery>2023-08-30</discovery>
+ <entry>2023-09-10</entry>
+ </dates>
+ </vuln>
+
 <vuln vid="0f7598cc-9fe2-11ee-b47f-901b0e9408dc">
 <topic>nebula -- security fix for terrapin vulnerability</topic>
 <affects>
diff --git a/www/gitea/Makefile b/www/gitea/Makefile
index 287dba7c6138..2d2837e6b440 100644
--- a/www/gitea/Makefile
+++ b/www/gitea/Makefile
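Review bot: The second added entry (vid 482bb980…, `gitea -- missing permission checks`, range `<lt>1.21.2</lt>`) carries `<discovery>2023-08-30</discovery>` and `<entry>2023-09-10</entry>`, months before this commit's date of 2023-12-21, while the entry above it uses `<entry>2023-12-21</entry>`. These dates, and possibly the API-request paragraph, look carried over from an older gitea entry, and a back-dated `<entry>` can hide the record from anyone who reviews VuXML by recent entry date. `<entry>` should be the day the record is added, e.g. `<entry>2023-12-21</entry>`, and `<discovery>` should be checked against the cited v1.21.2 release. The Terrapin entry's `<references>` holds only the release URL; adding `<cvename>CVE-YYYY-NNNNN</cvename>` (placeholder, take the id from the upstream advisory) would let consumers correlate it with other Terrapin records such as the nebula entry in the context lines.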
@@ -1,7 +1,6 @@
 PORTNAME= gitea
 DISTVERSIONPREFIX= v
-DISTVERSION= 1.21.0
-PORTREVISION= 1
+DISTVERSION= 1.21.3
 CATEGORIES= www
 MASTER_SITES= https://github.com/go-gitea/gitea/releases/download/${DISTVERSIONPREFIX}${DISTVERSION}/ \
 https://dl.gitea.io/gitea/${DISTVERSION}/
@@ -20,7 +19,7 @@ USES= cpe gmake go:1.21,no_targets
 USE_RC_SUBR= gitea
 EXTRACT_AFTER_ARGS= --strip-components 1 # since 1.17.0, archive includes gitea-src-VERSION directory
-SUB_FILES+= app.ini.sample
+SUB_FILES+= app.ini.sample pkg-message
 SUB_LIST+= GITUSER=${USERS}
 NO_WRKSUBDIR= yes
diff --git a/www/gitea/distinfo b/www/gitea/distinfo
index 011dfb106ba4..93f0353acb68 100644
--- a/www/gitea/distinfo
+++ b/www/gitea/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1699991932
-SHA256 (gitea-src-1.21.0.tar.gz) = 69b12778b3b5f24aecff08d8e5122e4edf784bda2e4335b77f2bbd0404a11a93
-SIZE (gitea-src-1.21.0.tar.gz) = 53744981
+TIMESTAMP = 1703201941
+SHA256 (gitea-src-1.21.3.tar.gz) = b490bda7bfbe95bde50f4c98478a80b4539344140ad9290d083e9393e83d33bf
+SIZE (gitea-src-1.21.3.tar.gz) = 53775315
diff --git a/www/gitea/pkg-message b/www/gitea/files/pkg-message.in
similarity index 68%
rename from www/gitea/pkg-message
rename to www/gitea/files/pkg-message.in
index e3393b659d24..f1b18026682e 100644
--- a/www/gitea/pkg-message
+++ b/www/gitea/files/pkg-message.in
@@ -1,4 +1,19 @@
 [
+{ type: upgrade
+ maximum_version: 1.20.0
+ message: <<EOM
+Please make sure to empty or maintain the contents of the
+%%PREFIX%%/share/gitea folder between your upgrades of gitea.
+Changes between versions can break the web UI due to residual
+files from earlier versions.
+
+1.21.0 has a breaking change regarding the public assets folder. In case
+you use a proxying webserver serving the files, you need to update your
+configuration:
+
+https://github.com/go-gitea/gitea/pull/25907
+EOM
+}
 { type: upgrade
 maximum_version: 1.7.6
 message: <<EOM
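Review bot: `maximum_version: 1.20.0` on the new upgrade block in files/pkg-message.in looks too low for the text it carries. The second paragraph warns about a breaking change in 1.21.0, but if pkg shows an upgrade message only when the installed version is strictly lower than `maximum_version` (worth confirming against the pkg documentation), anyone upgrading from a 1.20.x package never sees the notice about the public assets folder and the proxy configuration. `maximum_version: 1.21.0` would cover every upgrade that crosses the change. The existing block that follows continues outside the hunk.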