author | Fernando Apesteguía <fernape@FreeBSD.org> | 2023-07-17 06:58:44 +0000 |
---|---|---|
committer | Fernando Apesteguía <fernape@FreeBSD.org> | 2023-07-17 13:07:12 +0000 |
commit | 878a79c79f8dadaa2f3b2fd38dd8fbaebe80a5f4 (patch) | |
tree | 70481f16484ae6728349e9330717b6e6950edbd7 | |
parent | 19f37018f591aaca4ff811263237dfa5150a0614 (diff) | |
download | ports-878a79c79f8dadaa2f3b2fd38dd8fbaebe80a5f4.tar.gz ports-878a79c79f8dadaa2f3b2fd38dd8fbaebe80a5f4.zip |
security/vuxml: record www/gitea vulnerabilities
* Test if container blob is accessible before mounting
* Set type="password" on all auth_token fields
PR: 272538
-rw-r--r-- | security/vuxml/vuln/2023.xml | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index aa6f016e3156..9933364b3f5f 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,3 +1,36 @@ + <vuln vid="b3f77aae-241c-11ee-9684-c11c23f7b0f9"> + <topic>gitea -- multiple issues</topic> + <affects> + <package> + <name>gitea</name> + <range><lt>1.20.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Gitea team reports:</p> + <blockquote cite="https://github.com/go-gitea/gitea/pull/22759"> + <p>Test if container blob is accessible before mounting.</p> + </blockquote> + <blockquote cite="https://github.com/go-gitea/gitea/pull/22175"> + <p>Set type="password" on all auth_token fields</p> + <p>Seen when migrating from other hosting platforms.</p> + <p>Prevents exposing the token to screen capture/cameras/eyeballs.</p> + <p>Prevents the browser from saving the value in its autocomplete + dictionary, which often is not secure.</p> + </blockquote> + </body> + </description> + <references> + <url>https://blog.gitea.com/release-of-1.20.0</url> + <url>https://github.com/go-gitea/gitea/releases/tag/v1.20.0</url> + </references> + <dates> + <discovery>2023-06-08</discovery> + <entry>2023-07-05</entry> + </dates> + </vuln> + <vuln vid="41c60e16-2405-11ee-a0d1-84a93843eb75"> <topic>OpenSSL -- AES-SIV implementation ignores empty associated data entries</topic> <affects> |
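Review bot: the `<entry>2023-07-05</entry>` date in the new `<dates>` block predates this commit (authored and committed 2023-07-17 per the header above); the vuxml entry date is meant to record when the entry was added to the database, so it should be updated to the commit date rather than carried over from the PR submission. A second, smaller point: the two fix PRs (https://github.com/go-gitea/gitea/pull/22759 and https://github.com/go-gitea/gitea/pull/22175) appear only as `cite` attributes on the `<blockquote>` elements, which renderers generally do not display; listing them as `<url>` entries under `<references>` next to the release notes would let readers reach the actual fixes directly.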