From 393e70a0b959b77086e57e04e3c4d3df72b0ea8f Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Sat, 2 Dec 2023 00:41:30 +0100
Subject: [PATCH] gitea: mark as insecure
---
 .../version-management/gitea/default.nix | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/pkgs/applications/version-management/gitea/default.nix b/pkgs/applications/version-management/gitea/default.nix
index 0b9e1a9d93ab1..e4f987c65154f 100644
--- a/pkgs/applications/version-management/gitea/default.nix
+++ b/pkgs/applications/version-management/gitea/default.nix
@@ -88,5 +88,28 @@ buildGoModule rec {
 license = licenses.mit;
 maintainers = with maintainers; [ disassembler kolaente ma27 techknowlogick ];
 broken = stdenv.isDarwin;
+ knownVulnerabilities = [
+ ''
+ Gitea's API and web endpoints before version 1.20.5 are affected by multiple
+ critical security vulnerabilities.
+
+ Non-exhaustive list:
+ - reveal comments from issues and pull-requests from private repositories
+ - delete comments from issues and pull-requests
+ - get private release attachments
+ - delete releases and tags
+ - get ssh deployment keys (public key)
+ - get OAuth2 applications (except for the secret)
+ - 2FA not being enforced for the container registry login (docker login)
+
+ There isn't a clear way how to backport and validate all those fixes to the now EOL
+ Gitea 1.19.x and bumping the release from 1.19.x to 1.20.x is not possible due to
+ its breaking nature.
+ Given nixpkgs 23.11 has been released by now and nixpkgs 23.05 will reach EOL very
+ soon (2023-12-31), please update to nixpkgs 23.11 instead.
+
+ forgejo's blogpost on these issues: https://forgejo.org/2023-11-release-v1-20-5-1/#responsible-disclosure-to-gitea
+ ''
+ ];
 };
 }
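Review bot: The added `knownVulnerabilities` entry is unconditional, so it keeps flagging the package even if `version` is later bumped to 1.20.5 or newer on this branch without someone remembering to delete the block; tying it to the affected range with `knownVulnerabilities = lib.optionals (lib.versionOlder version "1.20.5") [ ... ];` makes the warning self-retiring (this assumes `version` is an attribute of the `rec` set shown in the hunk header and that `lib` is in scope, which the hunk does not show). The advisory text also describes the issues only in prose; other `knownVulnerabilities` entries in nixpkgs carry the CVE identifiers so that scanners keying on this attribute can correlate them, so if the upstream advisory assigns any, add them as their own lines such as `- <CVE id from the Gitea 1.20.5 advisory>` next to the blog link. The enclosing `meta` set starts outside the hunk.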