CVE-2021-32546: Releases · gogs/gogs

Missing input validation in internal/db/repo_editor.go in Gogs before 0.12.8 allows an attacker to execute code remotely. An unprivileged attacker (registered user) can overwrite the Git configuration in his repository. This leads to Remote Command Execution, because that configuration can contain an option such as sshCommand, which is executed when a master branch is a remote branch (using an ssh:// URI). The remote branch can also be configured by editing the Git configuration file. One can create a new file in a new repository, using the GUI, with “” as its name, and then rename this file to .git/config with the custom configuration content (and then save it).
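
The precondition for the issue described above is that a path supplied through the web editor is written into the repository without checking where it lands. As an added example, not code from Gogs or from the CVE report, here is a Go check of the kind a server should run on every create and rename target before touching the working tree; the function name ValidateRepoFilePath, the helper isGitDirName and the sample inputs are this example's own:

```go
// Added example (not Gogs' own code): server-side validation of a
// user-supplied path before a web editor writes it into a repository
// working tree. It rejects empty names, traversal, absolute paths and
// any component that would land inside the .git directory, which is the
// precondition for the .git/config overwrite described above.
package main

import (
	"fmt"
	"strings"
)

// ValidateRepoFilePath returns nil when p is safe to create or rename to
// inside a repository, or an error describing why it is refused.
// Hypothetical helper name; the checks are the example's own.
func ValidateRepoFilePath(p string) error {
	if strings.TrimSpace(p) == "" {
		return fmt.Errorf("empty file name")
	}
	if strings.ContainsRune(p, 0) {
		return fmt.Errorf("NUL byte in path")
	}
	// Treat backslashes as separators too: a Windows host would.
	norm := strings.ReplaceAll(p, "\\", "/")
	if strings.HasPrefix(norm, "/") {
		return fmt.Errorf("absolute path not allowed: %q", p)
	}
	for _, part := range strings.Split(norm, "/") {
		switch {
		case part == "" || part == ".":
			// Reject rather than normalize: no clean-then-check mismatch.
			return fmt.Errorf("empty or '.' path component in %q", p)
		case part == "..":
			return fmt.Errorf("path traversal in %q", p)
		case isGitDirName(part):
			return fmt.Errorf("component %q of %q would write inside .git", part, p)
		}
	}
	return nil
}

// isGitDirName matches ".git" the way a case-insensitive filesystem
// would, and also the trailing dot/space variants Windows collapses.
func isGitDirName(component string) bool {
	c := strings.TrimRight(component, ". ")
	return strings.EqualFold(c, ".git")
}

func main() {
	// Constructed sample inputs: ordinary files plus the shapes the check refuses.
	for _, p := range []string{
		"README.md",
		"docs/.gitignore",
		"",
		".git/config",
		"sub/.GIT/hooks/post-update",
		"../other/file",
		"a//b",
	} {
		if err := ValidateRepoFilePath(p); err != nil {
			fmt.Printf("reject %-28q %v\n", p, err)
		} else {
			fmt.Printf("accept %q\n", p)
		}
	}
}
```

The check has to run on the rename target as well as on the original name, because the description above reaches .git/config through a rename of an empty-named file. Odd components (empty, `.`, doubled slashes) are rejected instead of normalized so that the string checked is the string written, and `.git` is compared case-insensitively because the repository may live on a case-insensitive filesystem.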

Changed

  • All users (including admins) must now set the configuration option [security] LOCAL_NETWORK_ALLOWLIST, a comma separated list of hostnames, for repository migration and webhooks to be allowed to access local network addresses. #6988
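
To show what an allowlist like [security] LOCAL_NETWORK_ALLOWLIST has to do, here is an added Go example (not Gogs' implementation): it parses the comma separated hostnames and refuses an outbound webhook or migration target that resolves to a local network address unless the hostname is on the list. The function names, the address ranges chosen and the resolved addresses passed in are constructed for the example:

```go
// Added example, not Gogs' own code: an outbound-request gate in the
// spirit of [security] LOCAL_NETWORK_ALLOWLIST. Requests the server
// makes on a user's behalf (webhooks, repository migration) are refused
// when the destination resolves to a local network address, unless an
// administrator allowlisted that hostname.
package main

import (
	"fmt"
	"net"
	"strings"
)

// localNets lists ranges a server-side request should not reach by
// default: loopback, RFC 1918 and ULA private space, link-local (which
// includes cloud metadata endpoints), "this network" and CGNAT space.
var localNets = mustParseCIDRs(
	"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "0.0.0.0/8", "100.64.0.0/10",
	"::1/128", "fc00::/7", "fe80::/10", "::/128",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err) // the list above is constant; a typo should fail at startup
		}
		nets = append(nets, n)
	}
	return nets
}

// normalizeHost lowercases a hostname and drops surrounding space and a
// trailing dot so "NAS.local." and "nas.local" compare equal.
func normalizeHost(h string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(h), "."))
}

// ParseAllowlist turns the comma separated option value into a set of
// normalized hostnames; blank entries are ignored.
func ParseAllowlist(value string) map[string]bool {
	set := make(map[string]bool)
	for _, h := range strings.Split(value, ",") {
		if h = normalizeHost(h); h != "" {
			set[h] = true
		}
	}
	return set
}

// IsLocalAddress reports whether ip falls in one of localNets. IPv4-mapped
// IPv6 addresses (::ffff:a.b.c.d) match the IPv4 ranges because
// net.IPNet.Contains converts them with To4 first.
func IsLocalAddress(ip net.IP) bool {
	for _, n := range localNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// CheckOutboundHost decides whether a request to host may proceed. The
// addresses it resolved to are passed in so the policy can run without
// DNS; production code resolves with net.LookupIP and then dials the
// checked address itself instead of re-resolving the name.
func CheckOutboundHost(host string, resolved []net.IP, allow map[string]bool) error {
	if len(resolved) == 0 {
		return fmt.Errorf("%s: no addresses resolved", host)
	}
	h := normalizeHost(host)
	for _, ip := range resolved {
		if IsLocalAddress(ip) && !allow[h] {
			return fmt.Errorf("%s resolves to local address %s and is not in LOCAL_NETWORK_ALLOWLIST", host, ip)
		}
	}
	return nil
}

func main() {
	allow := ParseAllowlist("git.internal, nas.local")
	// Constructed resolutions; a real server would call net.LookupIP.
	cases := []struct {
		host string
		ips  []net.IP
	}{
		{"example.org", []net.IP{net.ParseIP("203.0.113.10")}},
		{"nas.local", []net.IP{net.ParseIP("192.168.1.20")}},
		{"intranet", []net.IP{net.ParseIP("10.1.2.3")}},
		{"mixed", []net.IP{net.ParseIP("203.0.113.10"), net.ParseIP("127.0.0.1")}},
	}
	for _, c := range cases {
		if err := CheckOutboundHost(c.host, c.ips, allow); err != nil {
			fmt.Println("refuse:", err)
		} else {
			fmt.Println("allow:", c.host)
		}
	}
}
```

A name that resolves to several addresses is refused if any one of them is local, and the caller is expected to connect to the address it checked rather than resolve again, otherwise the answer can change between the check and the connection.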

Fixed

  • Security: SSRF in webhook. #6901
  • Security: XSS in cookies. #6953
  • Security: OS Command Injection in file uploading. #6968
  • Security: Remote Command Execution in file editing. #6555

0.12.7

Fixed

  • Security: Stored XSS in issues. #6919
  • Invalid character in Access-Control-Allow-Credentials response header. #4983
  • Mysterious ssh: overflow reading version string errors from builtin SSH server. #6882

0.12.6

Fixed

  • Security: Remote command execution in file uploading. #6833
  • Regression: Unable to migrate repository from other local Git hosting. Added a new configuration option [security] LOCAL_NETWORK_ALLOWLIST, which is a comma separated list of hostnames that are explicitly allowed to be accessed within the local network. #6841
  • Slow start of Docker containers using NAS devices. #6554

0.12.5

Fixed

  • Security: Potential SSRF in repository migration. #6754
  • Security: Improper PAM authorization handling. #6810

0.12.4

Fixed

  • Security: Potential SSRF attack by CRLF injection via repository migration. #6413
  • Regression: smart links for issues stopped rendering. #6506
  • Added X-Frame-Options header to prevent Clickjacking. #6409

0.12.3

Fixed

  • Regression: When running Gogs on Windows, push commits no longer fail on a daily basis with the error "pre-receive hook declined". #6316
  • Auto-linked commit SHAs now have correct links. #6300
  • Git LFS clients (version >= 2.5.0) were unable to upload files in known formats (e.g. PNG, JPEG) because the server expected the HTTP Content-Type header to be application/octet-stream. The server now tells the LFS client to always use Content-Type: application/octet-stream when uploading files.

0.12.2

Fixed

  • Regression: Pages are correctly rendered when requesting ?go-get=1 for subdirectories. #6314
  • Regression: Submodule with a relative path is linked correctly. #6319
  • Backup can be processed when --target is specified on Windows. #6339
  • A commit message containing keywords that look like an issue reference no longer fails the push entirely. #6289

0.12.1

Fixed

  • The updated_at field is now correctly updated when an issue is updated. #6209
  • Fixed a regression which created login_source.cfg column to have VARCHAR(255) instead of TEXT in MySQL. #6280

0.12.0

Added

  • Support for Git LFS; documentation is available for both users and admins. #1322
  • Allow admin to remove observers from the repository. #5803
  • Use Last-Modified HTTP header for raw files. #5811
  • Support syntax highlighting for SAS code files (i.e. .r, .sas, .tex, .yaml). #5856
  • Able to fill in pull request title with a template. #5901
  • Able to override static files under public/ directory, please refer to documentation for usage. #5920
  • New API endpoint GET /admin/teams/:teamid/members to list members of a team. #5877
  • Support backup with retention policy for Docker deployments. #6140

Changed

  • The organization profile page has changed to display at most 12 members. #5506
  • The required Go version to compile source code changed to 1.14.
  • All assets are now embedded into binary and served from memory by default. Set [server] LOAD_ASSETS_FROM_DISK = true to load them from disk. #5920
  • Application and Go versions are removed from page footer and only show in the admin dashboard.
  • Build tag for running as Windows Service has been changed from miniwinsvc to minwinsvc.
  • Configuration option APP_NAME is deprecated and will end support in 0.13.0, please start using BRAND_NAME.
  • Configuration option [server] ROOT_URL is deprecated and will end support in 0.13.0, please start using [server] EXTERNAL_URL.
  • Configuration option [server] LANDING_PAGE is deprecated and will end support in 0.13.0, please start using [server] LANDING_URL.
  • Configuration option [database] DB_TYPE is deprecated and will end support in 0.13.0, please start using [database] TYPE.
  • Configuration option [database] PASSWD is deprecated and will end support in 0.13.0, please start using [database] PASSWORD.
  • Configuration option [security] REVERSE_PROXY_AUTHENTICATION_USER is deprecated and will end support in 0.13.0, please start using [auth] REVERSE_PROXY_AUTHENTICATION_HEADER.
  • Configuration section [mailer] is deprecated and will end support in 0.13.0, please start using [email].
  • Configuration section [service] is deprecated and will end support in 0.13.0, please start using [auth].
  • Configuration option [auth] ACTIVE_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] ACTIVATE_CODE_LIVES.
  • Configuration option [auth] RESET_PASSWD_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] RESET_PASSWORD_CODE_LIVES.
  • Configuration option [auth] ENABLE_CAPTCHA is deprecated and will end support in 0.13.0, please start using [auth] ENABLE_REGISTRATION_CAPTCHA.
  • Configuration option [auth] ENABLE_NOTIFY_MAIL is deprecated and will end support in 0.13.0, please start using [user] ENABLE_EMAIL_NOTIFICATION.
  • Configuration option [session] GC_INTERVAL_TIME is deprecated and will end support in 0.13.0, please start using [session] GC_INTERVAL.
  • Configuration option [session] SESSION_LIFE_TIME is deprecated and will end support in 0.13.0, please start using [session] MAX_LIFE_TIME.
  • The name - is reserved and cannot be used for users or organizations.

Fixed

  • [Security] Potential open redirection with i18n.
  • [Security] Potential ability to delete files outside a repository.
  • [Security] Potential ability to set primary email on others’ behalf from their verified emails.
  • [Security] Potential XSS attack via .ipynb. #5170
  • [Security] Potential SSRF attack via webhooks. #5366
  • [Security] Potential CSRF attack in admin panel. #5367
  • [Security] Potential stored XSS attack in some browsers. #5397
  • [Security] Potential RCE on mirror repositories. #5767
  • [Security] Potential XSS attack with raw markdown API. #5907
  • File both modified and renamed within a commit treated as separate files. #5056
  • Unable to restore the database backup to MySQL 8.0 with syntax error. #5602
  • Open/close milestone redirects to a 404 page. #5677
  • Disallow multiple tokens with same name. #5587 #5820
  • Enabling Federated Avatar Lookup could cause the server to crash. #5848
  • Private repositories are hidden in the organization’s view. #5869
  • Users with access to the base repository could not view commits in forks. #5878
  • Server error when changing email address in user settings page. #5899
  • Fall back to RFC 3339 as the time layout when it is misconfigured. #6098
  • Unable to update team with server error. #6185
  • Webhooks are not fired after push when [service] REQUIRE_SIGNIN_VIEW = true.
  • Of several files with identical content, only one was displayed, chosen at random.

Removed

  • Configuration option [other] SHOW_FOOTER_VERSION
  • Configuration option [server] STATIC_ROOT_PATH
  • Configuration option [repository] MIRROR_QUEUE_LENGTH
  • Configuration option [repository] PULL_REQUEST_QUEUE_LENGTH
  • Configuration option [session] ENABLE_SET_COOKIE
  • Configuration option [release.attachment] PATH
  • Configuration option [webhook] QUEUE_LENGTH
  • Build tag sqlite, which means CGO is now required.

This is a release candidate for the 0.12.8 patch release.

ℹ️ Heads up! There is a new patch release 0.12.8 available; we recommend installing or upgrading directly to that version.

Fixed

  • Security: Stored XSS in issues. #6919 by @unknwon
  • Invalid character in Access-Control-Allow-Credentials response header. #4983 by @wuhan005
  • Mysterious ssh: overflow reading version string errors from builtin SSH server. #6882 by @unknwon

This is a release candidate for the 0.12.7 patch release.

ℹ️ Heads up! There is a new patch release 0.12.8 available; we recommend installing or upgrading directly to that version.

Fixed

  • Security: Remote command execution in file uploading. #6833 by @unknwon
  • Regression: Unable to migrate repository from other local Git hosting. Added a new configuration option [security] LOCAL_NETWORK_ALLOWLIST, which is a comma separated list of hostnames that are explicitly allowed to be accessed within the local network. #6841 by @unknwon
  • Slow start of Docker containers using NAS devices. #6554 by @druppy

This is a release candidate for the 0.12.6 patch release.

ℹ️ Heads up! There is a new patch release 0.12.8 available; we recommend installing or upgrading directly to that version.

Fixed

  • Security: Potential SSRF in repository migration. #6754 by @michaellrowley
  • Security: Improper PAM authorization handling. #6810 by @ysf

This is a release candidate for the 0.12.5 patch release.

ℹ️ Heads up! There is a new patch release 0.12.8 available; we recommend installing or upgrading directly to that version.

Fixed

  • Security: Potential SSRF attack by CRLF injection via repository migration. #6413 by @stypr
  • Regression: smart links for issues stopped rendering. #6506 by @unknwon
  • Added X-Frame-Options header to prevent Clickjacking. #6409 by @matheusmosca

  • The name - is reserved and cannot be used for users or organizations.

Fixed

  • [Security] Potential open redirection with i18n.
  • [Security] Potential ability to delete files outside a repository.
  • [Security] Potential ability to set primary email on others’ behalf from their verified emails.
  • [Security] Potential XSS attack via .ipynb. #5170
  • [Security] Potential SSRF attack via webhooks. #5366
  • [Security] Potential CSRF attack in admin panel. #5367
  • [Security] Potential stored XSS attack in some browsers. #5397
  • [Security] Potential RCE on mirror repositories. #5767
  • [Security] Potential XSS attack with raw markdown API. #5907
  • File both modified and renamed within a commit treated as separate files. #5056
  • Unable to restore the database backup to MySQL 8.0 with syntax error. #5602
  • Open/close milestone redirects to a 404 page. #5677
  • Disallow multiple tokens with same name. #5587 #5820
  • Enabling Federated Avatar Lookup could cause the server to crash. #5848
  • Private repositories are hidden in the organization’s view. #5869
  • Users who have access to the base repository cannot view commits in forks. #5878
  • Server error when changing email address in user settings page. #5899
  • Fall back to use RFC 3339 as time layout when misconfigured. #6098
  • Unable to update team with server error. #6185
  • Webhooks are not fired after push when [service] REQUIRE_SIGNIN_VIEW = true.
  • When several files have identical content, only one of them is displayed, chosen at random.

Removed

  • Configuration option [other] SHOW_FOOTER_VERSION
  • Configuration option [server] STATIC_ROOT_PATH
  • Configuration option [repository] MIRROR_QUEUE_LENGTH
  • Configuration option [repository] PULL_REQUEST_QUEUE_LENGTH
  • Configuration option [session] ENABLE_SET_COOKIE
  • Configuration option [release.attachment] PATH
  • Configuration option [webhook] QUEUE_LENGTH
  • Build tag sqlite, which means CGO is now required.

This is a release candidate for the 0.12.4 patch release.

Related news

GHSA-56j7-2pm8-rgmx: OS Command Injection in gogs

### Impact

A malicious user is able to upload a crafted `config` file into the repository's `.git` directory to gain SSH access to the server. All installations with [repository upload enabled (default)](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129) are affected.

### Patches

Repository file updates to its `.git` directory are now prohibited. Users should upgrade to 0.12.8 or the latest 0.13.0+dev.

### Workarounds

N/A

### References

N/A

### For more information

If you have any questions or comments about this advisory, please post on #6555.
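The advisory above states that the fix prohibits file updates to the repository's `.git` directory. A `.git/config` that an unprivileged user can write is dangerous because it controls how Git invokes helpers (for example `core.sshCommand`), so the editor and uploader must refuse the path whatever form it arrives in. The following is an added example, not Gogs's own code from `internal/db/repo_editor.go`, of such a check written in Go because Gogs is a Go project. It normalizes the user-supplied path first, so `sub/../.git/config`, backslash-separated paths and case variants are all caught, and it also rejects traversal out of the working tree, the failure mode behind the "delete files outside a repository" item in 0.12.0. Treating trailing dots and spaces and the `GIT~1` short name as equivalent to `.git` follows the variants Git itself refuses in tree paths; the names `CleanRepoPath` and `ErrUnsafePath` are chosen here and are not project identifiers.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrUnsafePath is returned for any path a repository editor or uploader
// must not write to (hypothetical name, not a Gogs identifier).
var ErrUnsafePath = errors.New("unsafe repository path")

// CleanRepoPath normalises a user-supplied path relative to the repository
// root and rejects anything that escapes the working tree or names the
// ".git" directory. It returns the cleaned, slash-separated path. The same
// function must guard create, edit, upload and rename, since the advisory
// describes creating a file under one name and renaming it to .git/config.
func CleanRepoPath(userPath string) (string, error) {
	// Treat backslashes as separators so "docs\..\.git\config" cannot slip
	// past a forward-slash-only component check on Windows hosts.
	p := strings.ReplaceAll(userPath, "\\", "/")
	p = strings.TrimSpace(p)
	if p == "" {
		return "", ErrUnsafePath
	}
	// Naive code joins the path onto the repo root; an absolute path would
	// then point anywhere on the host. Reject rather than silently relativise.
	if strings.HasPrefix(p, "/") {
		return "", ErrUnsafePath
	}
	// path.Clean resolves "." and ".." so the component check below sees the
	// directory that would actually be written.
	cleaned := path.Clean(p)
	if cleaned == "." || cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return "", ErrUnsafePath
	}
	for _, comp := range strings.Split(cleaned, "/") {
		if isGitDirComponent(comp) {
			return "", ErrUnsafePath
		}
	}
	return cleaned, nil
}

// isGitDirComponent reports whether one path component names the Git
// metadata directory. The comparison is case-insensitive, ignores trailing
// dots and spaces (which Windows strips when resolving names), and also
// catches the NTFS 8.3 short name "GIT~1", mirroring the variants Git's own
// path verification rejects.
func isGitDirComponent(comp string) bool {
	c := strings.TrimRight(comp, ". ")
	return strings.EqualFold(c, ".git") || strings.EqualFold(c, "git~1")
}

func main() {
	// Constructed inputs: the shapes an attacker would try against the
	// editor, the uploader and the rename form, plus ordinary paths.
	inputs := []string{
		".git/config",
		"sub/../.git/config",
		"docs\\..\\.git\\config",
		".GIT./hooks/pre-receive",
		"GIT~1/config",
		"../../etc/passwd",
		"README.md",
		".github/workflows/ci.yml",
	}
	for _, in := range inputs {
		out, err := CleanRepoPath(in)
		if err != nil {
			fmt.Printf("%-28q rejected\n", in)
			continue
		}
		fmt.Printf("%-28q accepted as %q\n", in, out)
	}
}
```

Apply the check to the final path of every write, including the destination of a rename; validating only the original filename, as the advisory's create-then-rename sequence shows, is not enough.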
