⬆️ Update codeberg.org/forgejo/forgejo Docker tag to v7.0.5 #397

Merged
mafyuh merged 2 commits from renovate/codeberg.org-forgejo-forgejo-7.x into main 2024-07-04 12:42:42 -04:00
Collaborator

This PR contains the following updates:

Package: codeberg.org/forgejo/forgejo (source: https://codeberg.org/forgejo/forgejo)
Update: patch
Change: 7.0.4 -> 7.0.5

Release Notes

forgejo/forgejo (codeberg.org/forgejo/forgejo)

v7.0.5

Compare Source: https://codeberg.org/forgejo/forgejo/compare/v7.0.4...v7.0.5

This is a security release. See the documentation for more information on the upgrade procedure.

In addition to the following notable bug fixes, you can browse the full list of pull requests included in this release.

  • regreSSHion

    Recommended action when running Forgejo from a:

    • binary - upgrade the OpenSSH server that was installed independently.
    • root OCI image - upgrade to Forgejo 7.0.5.
    • rootless OCI image - no upgrade is necessary.

    CVE-2024-6387 also known as regreSSHion is an Unauthenticated Remote Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) on glibc-based Linux systems. It is strongly recommended that an OpenSSH server installed independently of Forgejo is upgraded as soon as possible.

    All Forgejo OCI root images, including 7.0.5, contain an OpenSSH server. They are based on https://alpinelinux.org/, which relies on https://musl.libc.org/ and not https://en.wikipedia.org/wiki/Glibc. As a precaution, the Forgejo v7.0.5 root OCI image contains an updated OpenSSH server patched for CVE-2024-6387.

    The Forgejo OCI rootless images, including 7.0.5, do not contain an OpenSSH server; they rely on the internal Forgejo implementation of the SSH protocol.

  • Security:

    • Compiled with Go v1.22.5. Fixed: CVE-2024-24791 - GO-2024-2963: Denial of service due to improper 100-continue handling in net/http. The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

  • Bug fixes:

    • backport #4059 - PR #4194: Fixed: authentication Source Administration page wrongfully handles the "Custom URLs Instead of Default URLs" checkbox (missing checkbox, irrelevant fields).
    • backport #4151 - PR #4149: Fixed: git push to an adopted repository fails.
    • backport #4215 - PR #4213 - commit 4ed5044dea: Fixed: markdown doesn't render math within brackets.
    • backport #4219 - PR #4145 - commit 9aa3ae955f: Fixed: selecting the "No Project" filter in the issue/pull request list has no effect.
    • backport #4248 - PR #4241: Fixed: error 500 when processing crafted TIFF files.
    • backport #4261 - PR #4258: Fixed: wrong placeholder text in the form for adding repository collaborator.
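The regreSSHion item above gives three different recommendations depending on whether sshd is present and which libc it is linked against. The following Go program, added here as an example and not part of Forgejo, Renovate or this PR, turns that guidance into a small inventory check: it parses an OpenSSH version string (from `ssh -V`, which on most distributions ships from the same package as sshd, or from the server identification banner) and reports the action the release notes recommend. The affected range (8.5p1 up to, but not including, 9.8p1) is taken from the Qualys advisory the notes link to, not from this page; the sample banners are constructed, and the `Assess` function and its `Action` values are names chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"regexp"
	"strconv"
)

// sshRelease is an upstream OpenSSH release number, e.g. 9.7 for
// "OpenSSH_9.7p1". The portable "pN" suffix is ignored on purpose: both
// range boundaries below fall on the first portable release of a line.
type sshRelease struct{ major, minor int }

var bannerRe = regexp.MustCompile(`OpenSSH_(\d+)\.(\d+)`)

// parseBanner extracts the OpenSSH release from a version string as printed
// by "ssh -V" or sent on the wire ("SSH-2.0-OpenSSH_9.7").
func parseBanner(banner string) (sshRelease, error) {
	m := bannerRe.FindStringSubmatch(banner)
	if m == nil {
		return sshRelease{}, errors.New("no OpenSSH version string in banner")
	}
	major, _ := strconv.Atoi(m[1]) // digit-only groups cannot fail to parse
	minor, _ := strconv.Atoi(m[2])
	return sshRelease{major, minor}, nil
}

func (r sshRelease) less(o sshRelease) bool {
	if r.major != o.major {
		return r.major < o.major
	}
	return r.minor < o.minor
}

// Affected range per the Qualys advisory for CVE-2024-6387 (assumption taken
// from that advisory, not from the release notes): 8.5p1 <= v < 9.8p1.
var (
	firstAffected = sshRelease{8, 5}
	fixedIn       = sshRelease{9, 8}
)

// Action mirrors the three recommendations in the release notes.
type Action string

const (
	UpgradeNow          Action = "upgrade OpenSSH now (glibc host, affected release)"
	UpgradeAsPrecaution Action = "upgrade OpenSSH as a precaution (musl host, not known exploitable)"
	NoActionNeeded      Action = "no action needed"
)

// Assess classifies a host from its OpenSSH version string and libc.
// Caveat: distributions routinely backport the fix without bumping the
// version (Debian bookworm's 9.2p1 is one such case), so an "upgrade" verdict
// means "check the distribution's advisory", not "known exploitable".
func Assess(banner string, glibcBased bool) (Action, error) {
	rel, err := parseBanner(banner)
	if err != nil {
		return "", err
	}
	inRange := !rel.less(firstAffected) && rel.less(fixedIn)
	switch {
	case !inRange:
		return NoActionNeeded, nil
	case glibcBased:
		return UpgradeNow, nil
	default:
		return UpgradeAsPrecaution, nil
	}
}

func main() {
	// Constructed sample inputs; on a real host feed the output of "ssh -V"
	// and detect glibc with, for example, "ldd --version".
	samples := []struct {
		banner string
		glibc  bool
	}{
		{"OpenSSH_9.7p1, OpenSSL 3.2.1 30 Jan 2024", true},  // binary install on a glibc distro
		{"OpenSSH_9.6p1, OpenSSL 3.1.4 24 Oct 2023", false}, // Alpine-based root OCI image
		{"SSH-2.0-OpenSSH_9.8", true},                       // first fixed upstream release
		{"OpenSSH_8.4p1, OpenSSL 1.1.1n  15 Mar 2022", true}, // below the affected range
	}
	for _, s := range samples {
		a, err := Assess(s.banner, s.glibc)
		if err != nil {
			fmt.Fprintln(os.Stderr, "error:", err)
			continue
		}
		fmt.Printf("%-45s glibc=%-5v -> %s\n", s.banner, s.glibc, a)
	}
}
```

The rootless OCI image has no sshd at all, so `parseBanner` would return an error there; that is the "no upgrade is necessary" case and should be reported as such by any wrapper that feeds real hosts into `Assess`.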
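The Security item states that the fix for CVE-2024-24791 / GO-2024-2963 comes from compiling with Go v1.22.5, so the practical question for an operator is which toolchain a given `forgejo` binary was actually built with. The program below is an added example (not Forgejo's or Renovate's code): it reads the toolchain version stamped into any Go binary with the standard-library `debug/buildinfo` package and compares it against the first patched release. go1.22.5 comes from the release notes; go1.21.12 as the matching 1.21 patch release is taken from the Go security announcement, not from this page. The function names are chosen for this example.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"strconv"
)

// goToolchain is a parsed Go release such as go1.22.5.
type goToolchain struct{ major, minor, patch int }

var goVerRe = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?$`)

// parseGoVersion parses the form recorded by the linker and returned by
// runtime.Version() for release builds. Pre-release and development
// toolchains ("go1.23rc1", "devel ...") are rejected so they get a manual look.
func parseGoVersion(s string) (goToolchain, bool) {
	m := goVerRe.FindStringSubmatch(s)
	if m == nil {
		return goToolchain{}, false
	}
	var v goToolchain
	v.major, _ = strconv.Atoi(m[1]) // digit-only groups cannot fail to parse
	v.minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		v.patch, _ = strconv.Atoi(m[3])
	}
	return v, true
}

// First patched release per minor line. go1.22.5 is named in the Forgejo
// release notes; go1.21.12 is the corresponding 1.21 release from the same
// Go security announcement (added from that announcement, not this page).
var fixedPatch = map[int]int{21: 12, 22: 5}

// HasNetHTTPFix reports whether a toolchain includes the net/http
// 100-continue fix. Lines older than 1.21 were out of support when the fix
// shipped and received no release, so they are reported as unpatched.
func HasNetHTTPFix(v goToolchain) bool {
	if v.major != 1 {
		return v.major > 1
	}
	if v.minor > 22 {
		return true // 1.23 and later were released after the fix
	}
	minPatch, supported := fixedPatch[v.minor]
	return supported && v.patch >= minPatch
}

// BinaryToolchain reads the toolchain version stamped into a Go binary
// (any Go >= 1.18 build, including a downloaded forgejo release binary).
func BinaryToolchain(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: gocheck /path/to/forgejo")
		os.Exit(2)
	}
	ver, err := BinaryToolchain(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read build info:", err)
		os.Exit(2)
	}
	tc, ok := parseGoVersion(ver)
	if !ok {
		fmt.Printf("%s: built with %q, not a release toolchain; inspect manually\n", os.Args[1], ver)
		os.Exit(1)
	}
	if HasNetHTTPFix(tc) {
		fmt.Printf("%s: built with %s, includes the net/http 100-continue fix\n", os.Args[1], ver)
		return
	}
	fmt.Printf("%s: built with %s, lacks the fix (needs go1.22.5 or go1.21.12)\n", os.Args[1], ver)
	os.Exit(1)
}
```

Inside the OCI image the same check can be run against `/usr/local/bin/forgejo` (path assumed; adjust to where the image places the binary). The toolchain version is what matters for this advisory, since the vulnerable code lives in the standard library that is statically linked into the binary, not in a separately installable package.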

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

Did Renovate not find changelogs? No worries! Click here

renovatebot added 1 commit 2024-07-03 16:02:08 -04:00
⬆️ Update codeberg.org/forgejo/forgejo Docker tag to v7.0.5
All checks were successful
Lint on PR / Lint YAML files (pull_request) Successful in 9s
330b993e65
mafyuh added 1 commit 2024-07-04 12:42:27 -04:00
Merge branch 'main' into renovate/codeberg.org-forgejo-forgejo-7.x
All checks were successful
Lint on PR / Lint YAML files (pull_request) Successful in 10s
Deploy to Hosts / deploy (pull_request) Successful in 50s
ee86fbf537
mafyuh merged commit 7df4d522f9 into main 2024-07-04 12:42:42 -04:00
mafyuh deleted branch renovate/codeberg.org-forgejo-forgejo-7.x 2024-07-04 12:42:42 -04:00
This repo is archived. You cannot comment on pull requests.
Reference: mafyuh/Auto-Homelab#397