Mirror of https://codeberg.org/forgejo/forgejo.git, synced 2026-01-16 23:12:07 +00:00
**Backport:** #7025

Resolves #6266

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7025
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Dmitrii Sharshakov <d3dx12.xx@gmail.com>
Co-committed-by: Dmitrii Sharshakov <d3dx12.xx@gmail.com>

Backported due to `make security-check` failing in the `v11.0/forgejo` branch due to a newly registered vulnerability in github.com/nwaples/rardecode.

```
/home/forgejo/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.3.linux-amd64/bin/go run golang.org/x/vuln/cmd/govulncheck@v1 ./...
=== Symbol Results ===

Vulnerability #1: GO-2025-4020
    DoS risk due to unrestricted RAR dictionary sizes in
    github.com/nwaples/rardecode
  More info: https://pkg.go.dev/vuln/GO-2025-4020
  Module: github.com/nwaples/rardecode
    Found in: github.com/nwaples/rardecode@v1.1.3
    Fixed in: N/A
    Example traces found:
      #1: modules/git/repo_commit.go:263:24: git.Repository.CommitsByFileAndRange calls io.ReadFull, which eventually calls rardecode.cipherBlockReader.Read
      #2: modules/packages/arch/metadata.go:22:2: arch.init calls archiver.init, which calls rardecode.init
      #3: modules/git/repo_language_stats.go:198:32: git.Repository.GetLanguageStats calls bytes.Buffer.ReadFrom, which calls rardecode.limitedReader.Read

Your code is affected by 1 vulnerability from 1 module.
This scan also found 1 vulnerability in packages you import and 0
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
exit status 3
make: *** [Makefile:526: security-check] Error 1
```

Co-authored-by: Dmitrii Sharshakov <d3dx12.xx@gmail.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10043
Reviewed-by: Gusted <gusted@noreply.codeberg.org>