mafyuh/iac
1
0
Fork 0
Code Issues 6 Pull requests 7 Projects 1 Wiki Activity Actions

⬆️ Update codeberg.org/forgejo/forgejo Docker tag to v7.0.5 - autoclosed #18

Closed
renovatebot wants to merge 1 commit from renovate/codeberg.org-forgejo-forgejo-7.x into main
pull from: renovate/codeberg.org-forgejo-forgejo-7.x
merge into: mafyuh:main
Conversation 0 Commits 1 Files changed 1 +1 -1
renovatebot commented 2024-07-20 11:34:28 -04:00
Collaborator
Copy link

This PR contains the following updates:

Package Update Change
codeberg.org/forgejo/forgejo (source) patch 7.0.4 -> 7.0.5

Release Notes

forgejo/forgejo (codeberg.org/forgejo/forgejo)

v7.0.5

Compare Source

This is a security release. See the documentation for more information on the upgrade procedure.

In addition to the following notable bug fixes, you can browse the full list of pull requests included in this release.

  • regreSSHion

    Recommended action when running Forgejo from a:

    • binary - upgrade the OpenSSH server that was installed independently.
    • root OCI image - upgrade to Forgejo 7.0.5.
    • rootless OCI image - no upgrade is necessary.

    CVE-2024-6387 also known as regreSSHion is an Unauthenticated Remote Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) on glibc-based Linux systems. It is strongly recommended that an OpenSSH server installed independently of Forgejo is upgraded as soon as possible.

    All Forgejo OCI root images, including 7.0.5 contain an OpenSSH server. They are based on https://alpinelinux.org/ which relies on https://musl.libc.org/ and not https://en.wikipedia.org/wiki/Glibc. As a precaution the Forgejo v7.0.5 root OCI image contains an updated OpenSSH server patched for CVE-2024-6387.

    The Forgejo OCI rootless images, including 7.0.5, do not contain an OpenSSH server, they rely on the internal Forgejo implementation of the SSH protocol.

  • Security:

    • Compiled with Go v1.22.5. Fixed: CVE-2024-24791 - GO-2024-2963: Denial of service due to improper 100-continue handling in net/http. The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

  • Bug fixes:

    • backport - PR: Fixed: authentication Source Administration page wrongfully handles the "Custom URLs Instead of Default URLs" checkbox (missing checkbox, irrelevant fields).
    • backport - PR: Fixed: git push to an adopted repository fails.
    • backport - PR - commit: Fixed: markdown doesn't render math within brackets
    • backport - PR - commit: Fixed: selecting the "No Project" filter in the issue/pull request list has no effect
    • backport - PR: Fixed: error 500 when processing crafted TIFF files.
    • backport - PR: Fixed: wrong placeholder text in the form for adding repository collaborator.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

Did Renovate not find changelogs? No worries! Click here

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [codeberg.org/forgejo/forgejo](https://forgejo.org) ([source](https://codeberg.org/forgejo/forgejo)) | patch | `7.0.4` -> `7.0.5` | --- ### Release Notes <details> <summary>forgejo/forgejo (codeberg.org/forgejo/forgejo)</summary> ### [`v7.0.5`](https://codeberg.org/forgejo/forgejo/blob/HEAD/RELEASE-NOTES.md#705) [Compare Source](https://codeberg.org/forgejo/forgejo/compare/v7.0.4...v7.0.5) This is a security release. See the documentation for more information on the [upgrade procedure](https://forgejo.org/docs/v7.0/admin/upgrade/). In addition to the following notable bug fixes, you can browse the [full list of pull requests](https://codeberg.org/forgejo/forgejo/pulls?milestone=6654) included in this release. - **regreSSHion** Recommended action when running Forgejo from a: - binary - upgrade the OpenSSH server that was installed independently. - root OCI image - upgrade to [Forgejo 7.0.5](https://codeberg.org/forgejo/-/packages/container/forgejo/7.0.5). - rootless OCI image - no upgrade is necessary. [CVE-2024-6387](https://nvd.nist.gov/vuln/detail/CVE-2024-6387) also known as [regreSSHion](https://www.qualys.com/regresshion-cve-2024-6387/) is an Unauthenticated Remote Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) on glibc-based Linux systems. It is **strongly recommended** that an OpenSSH server installed independently of Forgejo is upgraded as soon as possible. All Forgejo OCI root images, including [7.0.5](https://codeberg.org/forgejo/-/packages/container/forgejo/7.0.5) contain an OpenSSH server. They are based on https://alpinelinux.org/ which relies on https://musl.libc.org/ and not https://en.wikipedia.org/wiki/Glibc. As a precaution the [Forgejo v7.0.5 root OCI image](https://codeberg.org/forgejo/-/packages/container/forgejo/7.0.5) contains an [updated OpenSSH server](https://pkgs.alpinelinux.org/packages?name=openssh\&branch=v3.19) patched for [CVE-2024-6387](https://nvd.nist.gov/vuln/detail/CVE-2024-6387). The Forgejo OCI rootless images, including [7.0.5](https://codeberg.org/forgejo/-/packages/container/forgejo/7.0.5-rootless), do not contain an OpenSSH server, they rely on the internal Forgejo implementation of the SSH protocol. - **Security:** - Compiled with Go v1.22.5. Fixed: [CVE-2024-24791](https://nvd.nist.gov/vuln/detail/CVE-2024-24791) - [GO-2024-2963](https://pkg.go.dev/vuln/GO-2024-2963): Denial of service due to improper 100-continue handling in net/http. The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. - **Bug fixes:** - [backport](https://codeberg.org/forgejo/forgejo/pulls/4059) - [PR](https://codeberg.org/forgejo/forgejo/pulls/4194): Fixed: authentication Source Administration page wrongfully handles the "Custom URLs Instead of Default URLs" checkbox (missing checkbox, irrelevant fields). - [backport](https://codeberg.org/forgejo/forgejo/pulls/4151) - [PR](https://codeberg.org/forgejo/forgejo/pulls/4149): Fixed: git push to an adopted repository fails. - [backport](https://codeberg.org/forgejo/forgejo/pulls/4215) - [PR](https://codeberg.org/forgejo/forgejo/pulls/4213) - [commit](https://codeberg.org/forgejo/forgejo/commit/4ed5044dea94872e025f585debf7a16e6bd6bbdb): Fixed: markdown doesn't render math within brackets - [backport](https://codeberg.org/forgejo/forgejo/pulls/4219) - [PR](https://codeberg.org/forgejo/forgejo/pulls/4145) - [commit](https://codeberg.org/forgejo/forgejo/commit/9aa3ae955ff506d883737e576dd62f674a3ee372): Fixed: selecting the "No Project" filter in the issue/pull request list has no effect - [backport](https://codeberg.org/forgejo/forgejo/pulls/4248) - [PR](https://codeberg.org/forgejo/forgejo/pulls/4241): Fixed: error 500 when processing crafted TIFF files. - [backport](https://codeberg.org/forgejo/forgejo/pulls/4261) - [PR](https://codeberg.org/forgejo/forgejo/pulls/4258): Fixed: wrong placeholder text in the form for adding repository collaborator. </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- Did Renovate not find changelogs? No worries! [Click here](https://git.mafyuh.dev/mafyuh/Auto-Homelab/src/branch/main/.github/changelogs.md) <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40MjMuMSIsInVwZGF0ZWRJblZlciI6IjM3LjQyMy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
renovatebot added 1 commit 2024-07-20 11:34:29 -04:00
⬆️ Update codeberg.org/forgejo/forgejo Docker tag to v7.0.5
Some checks failed
Lint on PR / Lint YAML files (pull_request) Successful in 9s
Details
Deploy to Hosts / deploy (pull_request) Has been cancelled
Details
6dca4e1242
renovatebot changed title from ⬆️ Update codeberg.org/forgejo/forgejo Docker tag to v7.0.5 to ⬆️ Update codeberg.org/forgejo/forgejo Docker tag to v7.0.5 - autoclosed 2024-07-20 12:00:55 -04:00
renovatebot closed this pull request 2024-07-20 12:00:55 -04:00
Some checks failed
Lint on PR / Lint YAML files (pull_request) Successful in 9s
Details
Deploy to Hosts / deploy (pull_request) Has been cancelled
Details

Pull request closed

This pull request cannot be reopened because the branch was deleted.
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
ansible

   
bug

Something is not working

  
docker

   
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
kubernetes

   
opentofu

   
packer

   
question

More information is needed

  
renovate

   
wontfix

This won't be fixed

No labels
ansible
bug
docker
duplicate
enhancement
help wanted
invalid
kubernetes
opentofu
packer
question
renovate
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: mafyuh/iac#18
No description provided.
Delete branch "renovate/codeberg.org-forgejo-forgejo-7.x"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?