mafyuh/Auto-Homelab
mafyuh/Auto-Homelab
Archived
1
1
Fork 0
Code Issues 5 Pull requests 10 Projects 1 Wiki Activity Actions

⬆️ Update codeberg.org/forgejo/forgejo Docker tag to v7.0.5 #397

Merged
mafyuh merged 2 commits from renovate/codeberg.org-forgejo-forgejo-7.x into main 2024-07-04 12:42:42 -04:00
Conversation 0 Commits 2 Files changed 1 +1 -1
renovatebot commented 2024-07-03 16:02:08 -04:00
Collaborator
Copy link

This PR contains the following updates:

Package Update Change
codeberg.org/forgejo/forgejo (source) patch 7.0.4 -> 7.0.5

Release Notes

forgejo/forgejo (codeberg.org/forgejo/forgejo)

v7.0.5

Compare Source

This is a security release. See the documentation for more information on the upgrade procedure.

In addition to the following notable bug fixes, you can browse the full list of pull requests included in this release.

  • regreSSHion

    Recommended action when running Forgejo from a:

    • binary - upgrade the OpenSSH server that was installed independently.
    • root OCI image - upgrade to Forgejo 7.0.5.
    • rootless OCI image - no upgrade is necessary.

    CVE-2024-6387 also known as regreSSHion is an Unauthenticated Remote Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) on glibc-based Linux systems. It is strongly recommended that an OpenSSH server installed independently of Forgejo is upgraded as soon as possible.

    All Forgejo OCI root images, including 7.0.5 contain an OpenSSH server. They are based on https://alpinelinux.org/ which relies on https://musl.libc.org/ and not https://en.wikipedia.org/wiki/Glibc. As a precaution the Forgejo v7.0.5 root OCI image contains an updated OpenSSH server patched for CVE-2024-6387.

    The Forgejo OCI rootless images, including 7.0.5, do not contain an OpenSSH server, they rely on the internal Forgejo implementation of the SSH protocol.

  • Security:

    • Compiled with Go v1.22.5. Fixed: CVE-2024-24791 - GO-2024-2963: Denial of service due to improper 100-continue handling in net/http. The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

  • Bug fixes:

    • backport - PR: Fixed: authentication Source Administration page wrongfully handles the "Custom URLs Instead of Default URLs" checkbox (missing checkbox, irrelevant fields).
    • backport - PR: Fixed: git push to an adopted repository fails.
    • backport - PR - commit: Fixed: markdown doesn't render math within brackets
    • backport - PR - commit: Fixed: selecting the "No Project" filter in the issue/pull request list has no effect
    • backport - PR: Fixed: error 500 when processing crafted TIFF files.
    • backport - PR: Fixed: wrong placeholder text in the form for adding repository collaborator.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

Did Renovate not find changelogs? No worries! Click here

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [codeberg.org/forgejo/forgejo](https://forgejo.org) ([source](https://codeberg.org/forgejo/forgejo)) | patch | `7.0.4` -> `7.0.5` | --- ### Release Notes <details> <summary>forgejo/forgejo (codeberg.org/forgejo/forgejo)</summary> ### [`v7.0.5`](https://codeberg.org/forgejo/forgejo/blob/HEAD/RELEASE-NOTES.md#705) [Compare Source](https://codeberg.org/forgejo/forgejo/compare/v7.0.4...v7.0.5) This is a security release. See the documentation for more information on the [upgrade procedure](https://forgejo.org/docs/v7.0/admin/upgrade/). In addition to the following notable bug fixes, you can browse the [full list of pull requests](https://codeberg.org/forgejo/forgejo/pulls?milestone=6654) included in this release. - **regreSSHion** Recommended action when running Forgejo from a: - binary - upgrade the OpenSSH server that was installed independently. - root OCI image - upgrade to [Forgejo 7.0.5](https://codeberg.org/forgejo/-/packages/container/forgejo/7.0.5). - rootless OCI image - no upgrade is necessary. [CVE-2024-6387](https://nvd.nist.gov/vuln/detail/CVE-2024-6387) also known as [regreSSHion](https://www.qualys.com/regresshion-cve-2024-6387/) is an Unauthenticated Remote Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) on glibc-based Linux systems. It is **strongly recommended** that an OpenSSH server installed independently of Forgejo is upgraded as soon as possible. All Forgejo OCI root images, including [7.0.5](https://codeberg.org/forgejo/-/packages/container/forgejo/7.0.5) contain an OpenSSH server. They are based on https://alpinelinux.org/ which relies on https://musl.libc.org/ and not https://en.wikipedia.org/wiki/Glibc. As a precaution the [Forgejo v7.0.5 root OCI image](https://codeberg.org/forgejo/-/packages/container/forgejo/7.0.5) contains an [updated OpenSSH server](https://pkgs.alpinelinux.org/packages?name=openssh\&branch=v3.19) patched for [CVE-2024-6387](https://nvd.nist.gov/vuln/detail/CVE-2024-6387). The Forgejo OCI rootless images, including [7.0.5](https://codeberg.org/forgejo/-/packages/container/forgejo/7.0.5-rootless), do not contain an OpenSSH server, they rely on the internal Forgejo implementation of the SSH protocol. - **Security:** - Compiled with Go v1.22.5. Fixed: [CVE-2024-24791](https://nvd.nist.gov/vuln/detail/CVE-2024-24791) - [GO-2024-2963](https://pkg.go.dev/vuln/GO-2024-2963): Denial of service due to improper 100-continue handling in net/http. The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. - **Bug fixes:** - [backport](https://codeberg.org/forgejo/forgejo/pulls/4059) - [PR](https://codeberg.org/forgejo/forgejo/pulls/4194): Fixed: authentication Source Administration page wrongfully handles the "Custom URLs Instead of Default URLs" checkbox (missing checkbox, irrelevant fields). - [backport](https://codeberg.org/forgejo/forgejo/pulls/4151) - [PR](https://codeberg.org/forgejo/forgejo/pulls/4149): Fixed: git push to an adopted repository fails. - [backport](https://codeberg.org/forgejo/forgejo/pulls/4215) - [PR](https://codeberg.org/forgejo/forgejo/pulls/4213) - [commit](https://codeberg.org/forgejo/forgejo/commit/4ed5044dea94872e025f585debf7a16e6bd6bbdb): Fixed: markdown doesn't render math within brackets - [backport](https://codeberg.org/forgejo/forgejo/pulls/4219) - [PR](https://codeberg.org/forgejo/forgejo/pulls/4145) - [commit](https://codeberg.org/forgejo/forgejo/commit/9aa3ae955ff506d883737e576dd62f674a3ee372): Fixed: selecting the "No Project" filter in the issue/pull request list has no effect - [backport](https://codeberg.org/forgejo/forgejo/pulls/4248) - [PR](https://codeberg.org/forgejo/forgejo/pulls/4241): Fixed: error 500 when processing crafted TIFF files. - [backport](https://codeberg.org/forgejo/forgejo/pulls/4261) - [PR](https://codeberg.org/forgejo/forgejo/pulls/4258): Fixed: wrong placeholder text in the form for adding repository collaborator. </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- Did Renovate not find changelogs? No worries! [Click here](https://git.mafyuh.dev/mafyuh/Auto-Homelab/src/branch/main/.github/changelogs.md) <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40MjAuMCIsInVwZGF0ZWRJblZlciI6IjM3LjQyMC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
renovatebot added 1 commit 2024-07-03 16:02:08 -04:00
⬆️ Update codeberg.org/forgejo/forgejo Docker tag to v7.0.5
All checks were successful
Lint on PR / Lint YAML files (pull_request) Successful in 9s
Details
330b993e65
mafyuh added 1 commit 2024-07-04 12:42:27 -04:00
Merge branch 'main' into renovate/codeberg.org-forgejo-forgejo-7.x
All checks were successful
Lint on PR / Lint YAML files (pull_request) Successful in 10s
Details
Deploy to Hosts / deploy (pull_request) Successful in 50s
Details
ee86fbf537
mafyuh merged commit 7df4d522f9 into main 2024-07-04 12:42:42 -04:00
mafyuh deleted branch renovate/codeberg.org-forgejo-forgejo-7.x 2024-07-04 12:42:42 -04:00
This repo is archived. You cannot comment on pull requests.
Reviewers
No reviewers
Labels
Clear labels   
addition

Adding new Docker container to Repo

  
deletion

Deleting something from the repo.

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
wontfix

This won't be fixed

No labels
addition
deletion
duplicate
enhancement
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: mafyuh/Auto-Homelab#397
No description provided.
Delete branch "renovate/codeberg.org-forgejo-forgejo-7.x"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?