FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-12-24 11:27:39 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
f07c8f87-8e65-11ef-81b8-659bf0027d16	forgejo -- multiple vulnerabilities Problem Description: Forgejo generates a token which is used to authenticate web endpoints that are only meant to be used internally, for instance when the SSH daemon is used to push a commit with Git. The verification of this token was not done in constant time and was susceptible to timing attacks. A pre-condition for such an attack is the precise measurements of the time for each operation. Since it requires observing the timing of network operations, the issue is mitigated when a Forgejo instance is accessed over the internet because the ISP introduce unpredictable random delays. Because of a missing permission check, the branch used to propose a pull request to a repository can always be deleted by the user performing the merge. It was fixed so that such a deletion is only allowed if the user performing the merge has write permission to the repository from which the pull request was made. Discovery 2024-10-28 Entry 2024-10-29 forgejo < 9.0.1 forgejo7 < 7.0.10 https://codeberg.org/forgejo/forgejo/milestone/8544 https://codeberg.org/forgejo/forgejo/pulls/5719 https://codeberg.org/forgejo/forgejo/pulls/5718
a5e13973-6c75-11ef-858b-23eeba13701a	forgejo -- multiple vulnerabilities Problem Description: Replace v-html with v-text in search inputbox Upgrade webpack to v5.94.0 as a precaution to mitigate CVE-2024-43788, although we were not yet able to confirm that this can be exploited in Forgejo. Discovery 2024-09-03 Entry 2024-09-06 forgejo < 8.0.3 forgejo7 < 7.0.9 CVE-2024-43788 https://codeberg.org/forgejo/forgejo/milestone/8231

VuXML ID

Description

f07c8f87-8e65-11ef-81b8-659bf0027d16

forgejo -- multiple vulnerabilities

Problem Description:

Forgejo generates a token which is used to authenticate web endpoints that are only meant to be used internally, for instance when the SSH daemon is used to push a commit with Git. The verification of this token was not done in constant time and was susceptible to timing attacks. A pre-condition for such an attack is the precise measurements of the time for each operation. Since it requires observing the timing of network operations, the issue is mitigated when a Forgejo instance is accessed over the internet because the ISP introduce unpredictable random delays.
Because of a missing permission check, the branch used to propose a pull request to a repository can always be deleted by the user performing the merge. It was fixed so that such a deletion is only allowed if the user performing the merge has write permission to the repository from which the pull request was made.

Discovery 2024-10-28
Entry 2024-10-29
forgejo

< 9.0.1

forgejo7

< 7.0.10

https://codeberg.org/forgejo/forgejo/milestone/8544
https://codeberg.org/forgejo/forgejo/pulls/5719
https://codeberg.org/forgejo/forgejo/pulls/5718

a5e13973-6c75-11ef-858b-23eeba13701a

forgejo -- multiple vulnerabilities

Problem Description:

Replace v-html with v-text in search inputbox
Upgrade webpack to v5.94.0 as a precaution to mitigate CVE-2024-43788, although we were not yet able to confirm that this can be exploited in Forgejo.

Discovery 2024-09-03
Entry 2024-09-06
forgejo

< 8.0.3

forgejo7

< 7.0.9

CVE-2024-43788
https://codeberg.org/forgejo/forgejo/milestone/8231