Date: Mon, 17 Jun 2024 17:34:27 GMT From: Fernando =?utf-8?Q?Apestegu=C3=ADa?= <fernape@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 46213c50d8ac - main - security/vuxml: Add www/forgejo vulnerability Message-ID: <202406171734.45HHYRJt007352@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by fernape: URL: https://cgit.FreeBSD.org/ports/commit/?id=46213c50d8ac9a2b3dc090e470ee0dde70127b48 commit 46213c50d8ac9a2b3dc090e470ee0dde70127b48 Author: Stefan Bethke <stb@lassitu.de> AuthorDate: 2024-06-17 17:18:47 +0000 Commit: Fernando ApesteguĂa <fernape@FreeBSD.org> CommitDate: 2024-06-17 17:18:47 +0000 security/vuxml: Add www/forgejo vulnerability CVE-2024-24789 NVD assessment not yet provided PR: 299781 --- security/vuxml/vuln/2024.xml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index 9625555b8194..52ab5c647d4c 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,3 +1,39 @@ + <vuln vid="f0ba7008-2bbd-11ef-b4ca-814a3d504243"> + <topic>forgejo -- multiple issues</topic> + <affects> + <package> + <name>forgejo</name> + <range><lt>7.0.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>The forgejo team reports:</p> + <blockquote cite="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-4">; + <p><a href="https://pkg.go.dev/vuln/GO-2024-2888">CVE-2024-24789</a>: + The archive/zip package's handling of certain types of invalid + zip files differs from the behavior of most zip implementations. + This misalignment could be exploited to create an zip file with + contents that vary depending on the implementation reading the + file.</p> + <p>The OAuth2 implementation does not always require authentication + for public clients, a requirement of RFC 6749 Section 10.2. A + malicious client can impersonate another client and obtain access + to protected resources if the impersonated client fails to, or is + unable to, keep its client credentials confidential.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2024-24789</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2024-24789</url>; + </references> + <dates> + <discovery>2024-04-04</discovery> + <entry>2024-04-11</entry> + </dates> + </vuln> + <vuln vid="219aaa1e-2aff-11ef-ab37-5404a68ad561"> <topic>traefik -- Unexpected behavior with IPv4-mapped IPv6 addresses</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202406171734.45HHYRJt007352>