Escape git fetch remote #19487

Merged
merged 1 commit into from
Apr 25, 2022

@6543 6543 commented Apr 25, 2022

as title

@GiteaBot GiteaBot added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Apr 25, 2022
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Apr 25, 2022
@6543 6543 merged commit fe274c1 into go-gitea:main Apr 25, 2022
@6543 6543 deleted the nit branch April 25, 2022 13:07
6543 added a commit to 6543-forks/gitea that referenced this pull request Apr 25, 2022
@6543 6543 added this to the 1.17.0 milestone Apr 25, 2022
@6543 6543 added the backport/done All backports for this PR have been created label Apr 25, 2022
@6543
Member Author

6543 commented Apr 25, 2022

-> #19490

@6543 6543 changed the title change nit Add notags to fetch Apr 25, 2022
zjjhot added a commit to zjjhot/gitea that referenced this pull request Apr 25, 2022
* giteaofficial/main:
  User specific repoID or xorm builder conditions for issue search (go-gitea#19475)
  Add notags to fetch (go-gitea#19487)
6543 added a commit that referenced this pull request Apr 25, 2022
* Add notags to fetch (#19487)

* gofumpt
@6543 6543 added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label May 1, 2022
@6543 6543 changed the title Add notags to fetch Escape git fetch remote May 2, 2022
@mweinelt

Was a CVE requested for this issue? Because this looks exploitable.

@techknowlogick
Member

@mweinelt one was requested, pending assignment

@Li4n0

Li4n0 commented May 16, 2022

> @mweinelt one was requested, pending assignment

It looks like there is an error in the CVE description, 1.6.7 should be 1.16.7.

@6543
Member Author

6543 commented May 16, 2022

already reported

@mweinelt

Will there be a patch for 1.15.11? And do you have an EOL policy somewhere?

@wxiaoguang
Contributor

https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md#release-cycle

> During a development cycle, we may also publish any necessary minor releases for the previous version. For example, if the latest, published release is v1.2, then minor changes for the previous release — e.g., v1.1.0 -> v1.1.1—are still possible.

Although it's not very obvious, it means that the latest stable releases would get updates implicitly. At the moment, the latest stable release is 1.16

6543 added a commit to 6543-forks/gitea that referenced this pull request May 16, 2022
@6543
Member Author

6543 commented May 16, 2022

well here is the backport: #19728 - but we will not make a new release for v1.15.x

@6543
Member Author

6543 commented May 16, 2022

feel free to cherry-pick the commit if you rely on 1.15 ... but you should really upgrade anyway

the build fails at #19728 ... so well it's EOL for sure!!!

@go-gitea go-gitea locked as resolved and limited conversation to collaborators May 16, 2022
Labels
backport/done All backports for this PR have been created lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/bug