FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-12-24 11:27:39 UTC

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
f07c8f87-8e65-11ef-81b8-659bf0027d16	forgejo -- multiple vulnerabilities Problem Description: Forgejo generates a token which is used to authenticate web endpoints that are only meant to be used internally, for instance when the SSH daemon is used to push a commit with Git. The verification of this token was not done in constant time and was susceptible to timing attacks. A pre-condition for such an attack is the precise measurements of the time for each operation. Since it requires observing the timing of network operations, the issue is mitigated when a Forgejo instance is accessed over the internet because the ISP introduce unpredictable random delays. Because of a missing permission check, the branch used to propose a pull request to a repository can always be deleted by the user performing the merge. It was fixed so that such a deletion is only allowed if the user performing the merge has write permission to the repository from which the pull request was made. Discovery 2024-10-28 Entry 2024-10-29 forgejo < 9.0.1 forgejo7 < 7.0.10 https://codeberg.org/forgejo/forgejo/milestone/8544 https://codeberg.org/forgejo/forgejo/pulls/5719 https://codeberg.org/forgejo/forgejo/pulls/5718

VuXML ID

Description

f07c8f87-8e65-11ef-81b8-659bf0027d16

forgejo -- multiple vulnerabilities

Problem Description:

Forgejo generates a token which is used to authenticate web endpoints that are only meant to be used internally, for instance when the SSH daemon is used to push a commit with Git. The verification of this token was not done in constant time and was susceptible to timing attacks. A pre-condition for such an attack is the precise measurements of the time for each operation. Since it requires observing the timing of network operations, the issue is mitigated when a Forgejo instance is accessed over the internet because the ISP introduce unpredictable random delays.
Because of a missing permission check, the branch used to propose a pull request to a repository can always be deleted by the user performing the merge. It was fixed so that such a deletion is only allowed if the user performing the merge has write permission to the repository from which the pull request was made.

Discovery 2024-10-28
Entry 2024-10-29
forgejo

< 9.0.1

< 7.0.10

https://codeberg.org/forgejo/forgejo/milestone/8544
https://codeberg.org/forgejo/forgejo/pulls/5719
https://codeberg.org/forgejo/forgejo/pulls/5718