mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-05-12 22:10:25 +00:00
63ec90b0ef
**Backport:** #7025 Resolves #6266 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7025 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: Dmitrii Sharshakov <d3dx12.xx@gmail.com> Co-committed-by: Dmitrii Sharshakov <d3dx12.xx@gmail.com> Backported due to `make security-check` failing in `v11.0/forgejo` branch due to a new registered vulnerability in the github.com/nwaples/rardecode. ``` /home/forgejo/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.3.linux-amd64/bin/go run golang.org/x/vuln/cmd/govulncheck@v1 ./... === Symbol Results === Vulnerability #1: GO-2025-4020 DoS risk due to unrestricted RAR dictionary sizes in github.com/nwaples/rardecode More info: https://pkg.go.dev/vuln/GO-2025-4020 Module: github.com/nwaples/rardecode Found in: github.com/nwaples/rardecode@v1.1.3 Fixed in: N/A Example traces found: #1: modules/git/repo_commit.go:263:24: git.Repository.CommitsByFileAndRange calls io.ReadFull, which eventually calls rardecode.cipherBlockReader.Read #2: modules/packages/arch/metadata.go:22:2: arch.init calls archiver.init, which calls rardecode.init #3: modules/git/repo_language_stats.go:198:32: git.Repository.GetLanguageStats calls bytes.Buffer.ReadFrom, which calls rardecode.limitedReader.Read Your code is affected by 1 vulnerability from 1 module. This scan also found 1 vulnerability in packages you import and 0 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities. Use '-show verbose' for more details. exit status 3 make: *** [Makefile:526: security-check] Error 1 ``` Co-authored-by: Dmitrii Sharshakov <d3dx12.xx@gmail.com> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10043 Reviewed-by: Gusted <gusted@noreply.codeberg.org> |
||
|---|---|---|
| .. | ||
| forgejo | ||
| actions.go | ||
| admin.go | ||
| admin_auth.go | ||
| admin_auth_ldap.go | ||
| admin_auth_ldap_test.go | ||
| admin_auth_oauth.go | ||
| admin_auth_stmp.go | ||
| admin_regenerate.go | ||
| admin_user.go | ||
| admin_user_change_password.go | ||
| admin_user_create.go | ||
| admin_user_delete.go | ||
| admin_user_generate_access_token.go | ||
| admin_user_list.go | ||
| admin_user_must_change_password.go | ||
| cert.go | ||
| cmd.go | ||
| docs.go | ||
| doctor.go | ||
| doctor_convert.go | ||
| doctor_test.go | ||
| dump.go | ||
| dump_repo.go | ||
| dump_test.go | ||
| embedded.go | ||
| generate.go | ||
| hook.go | ||
| hook_test.go | ||
| keys.go | ||
| mailer.go | ||
| main.go | ||
| main_test.go | ||
| manager.go | ||
| manager_logging.go | ||
| migrate.go | ||
| migrate_storage.go | ||
| migrate_storage_test.go | ||
| restore_repo.go | ||
| serv.go | ||
| web.go | ||
| web_acme.go | ||
| web_graceful.go | ||
| web_https.go | ||