Merge pull request NixOS#271553 from LeSuisse/gitea-vuln-23.05

[23.05] gitea: mark as insecure
Ma27 · Dec 2, 2023 · ecb27ed · ecb27ed
2 parents c72d4d8 + 393e70a
commit ecb27ed
Showing 1 changed file with 23 additions and 0 deletions.
diff --git a/pkgs/applications/version-management/gitea/default.nix b/pkgs/applications/version-management/gitea/default.nix
@@ -88,5 +88,28 @@ buildGoModule rec {
     license = licenses.mit;
     maintainers = with maintainers; [ disassembler kolaente ma27 techknowlogick ];
     broken = stdenv.isDarwin;
+    knownVulnerabilities = [
+      ''
+        Gitea's API and web endpoints before version 1.20.5 are affected by multiple
+        critical security vulnerabilities.
+
+        Non-exhaustive list:
+         - reveal comments from issues and pull-requests from private repositories
+         - delete comments from issues and pull-requests
+         - get private release attachments
+         - delete releases and tags
+         - get ssh deployment keys (public key)
+         - get OAuth2 applications (except for the secret)
+         - 2FA not being enforced for the container registry login (docker login)
+
+        There isn't a clear way how to backport and validate all those fixes to the now EOL
+        Gitea 1.19.x and bumping the release from 1.19.x to 1.20.x is not possible due to
+        its breaking nature.
+        Given nixpkgs 23.11 has been released by now and nixpkgs 23.05 will reach EOL very
+        soon (2023-12-31), please update to nixpkgs 23.11 instead.
+
+        forgejo's blogpost on these issues: https://forgejo.org/2023-11-release-v1-20-5-1/#responsible-disclosure-to-gitea
+      ''
+    ];
   };
 }