CVE-2022-30781: Gitea 1.16.7 is released - Blog

Gitea before 1.16.7 does not escape git fetch remote.


Mon May 2, 2022 by jolheiser

We are proud to present the release of Gitea version 1.16.7.

We highly encourage users to update to this version for some important bug-fixes.

We have merged 20 pull requests to release this version.

We would like to give a special thanks to E99p1ant and Li4n0 from Vidar-Team and thanks to @6543 for submitting the security patch for this release.

You can download one of our pre-built binaries from our downloads page - make sure to select the correct platform! For further details on how to install, follow our installation guide.

We would also like to thank all of our supporters on Open Collective who are helping to sustain us financially.

Have you heard? We now have a swag shop! 👕 🍵

Changelog

1.16.7 - 2022-05-02

  • SECURITY
    • Escape git fetch remote (#19487) (#19490)
  • BUGFIXES
    • Don’t overwrite err with nil (#19572) (#19574)
    • On Migrations, only write commit-graph if wiki clone was successful (#19563) (#19568)
    • Respect DefaultUserIsRestricted system default when creating new user (#19310) (#19560)
    • Don’t error when branch’s commit doesn’t exist (#19547) (#19548)
    • Support hostname:port to pass host matcher’s check (#19543) (#19544)
    • Prevent intermittent race in attribute reader close (#19537) (#19539)
    • Fix 64-bit atomic operations on 32-bit machines (#19531) (#19532)
    • Prevent dangling archiver goroutine (#19516) (#19526)
    • Fix migrate release from github (#19510) (#19523)
    • When view _Sidebar or _Footer, just display once (#19501) (#19522)
    • Fix blame page select range error and some typos (#19503)
    • Fix name of doctor fix “authorized-keys” in hints (#19464) (#19484)
    • Use specific repoID or xorm builder conditions for issue search (#19475) (#19476)
    • Prevent dangling cat-file calls (goroutine alternative) (#19454) (#19466)
    • RepoAssignment ensure to close before overwrite (#19449) (#19460)
    • Set correct PR status on 3way on conflict checking (#19457) (#19458)
    • Mark TemplateLoading error as “UnprocessableEntity” (#19445) (#19446)

Related news

Gitea 1.16.6 Remote Code Execution

This Metasploit module exploits the git fetch command used in Gitea's repository migration process, leading to remote command execution on the system. This vulnerability affects Gitea versions prior to 1.16.7.
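The root cause named above and in the CVE description is that a user-supplied migration remote reached `git fetch` without being escaped, so a string that git reads as an option rather than a URL changes what the command does. The following Go snippet is an added example, not Gitea's code and not the actual #19487 patch: it shows the defensive pattern a migration endpoint should apply before shelling out, namely rejecting option-like and non-network remotes and placing git's `--` separator in front of the operand so that option parsing stops. The function names, the allowed-scheme list and the sample addresses are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed example (not Gitea's own code): a defensive pre-check for a
// user-supplied migration remote before it is handed to `git fetch`.

// allowedSchemes is an assumption for this example; a real service would
// derive it from its migration policy.
var allowedSchemes = map[string]bool{"http": true, "https": true, "git": true}

// ValidateRemoteAddr rejects remote strings that git could read as an
// option instead of a URL, and restricts the scheme to network protocols
// so local paths cannot be fetched through the migration feature.
func ValidateRemoteAddr(addr string) error {
	addr = strings.TrimSpace(addr)
	if addr == "" {
		return errors.New("remote address is empty")
	}
	// Anything starting with '-' would be parsed by git as an option.
	if strings.HasPrefix(addr, "-") {
		return fmt.Errorf("remote address %q looks like an option", addr)
	}
	u, err := url.Parse(addr)
	if err != nil {
		return fmt.Errorf("remote address is not a valid URL: %w", err)
	}
	if !allowedSchemes[strings.ToLower(u.Scheme)] {
		return fmt.Errorf("scheme %q is not allowed for migration", u.Scheme)
	}
	if u.Host == "" {
		return errors.New("remote address has no host")
	}
	return nil
}

// BuildFetchArgs returns the argv (without the leading "git") for fetching
// the validated remote. The "--" separator tells git that everything after
// it is an operand, so even a remote that slipped past validation cannot
// be interpreted as an option.
func BuildFetchArgs(addr string) ([]string, error) {
	if err := ValidateRemoteAddr(addr); err != nil {
		return nil, err
	}
	return []string{"fetch", "--", strings.TrimSpace(addr)}, nil
}

func main() {
	// Constructed sample inputs: one accepted, two rejected.
	for _, addr := range []string{
		"https://example.com/org/repo.git",
		"--option-like-remote",
		"file:///tmp/local-repo",
	} {
		args, err := BuildFetchArgs(addr)
		if err != nil {
			fmt.Printf("reject %q: %v\n", addr, err)
			continue
		}
		fmt.Printf("git %s\n", strings.Join(args, " "))
	}
}
```

The two layers are deliberate: the validator gives a clear error to the user and a log line for detection, while the `--` separator is the backstop that holds even if a later change to the validator lets an odd string through. Passing the remote as a separate argv element (never through a shell) is assumed throughout.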
