Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.1358 Gitea 1.7.6 fixes RCE vulnerability 18 April 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Gitea Publisher: Gitea Operating System: Windows UNIX variants (UNIX, Linux, OSX) BSD variants Impact/Access: Execute Arbitrary Code/Commands -- Unknown/Unspecified Resolution: Patch/Upgrade Original Bulletin: https://blog.gitea.io/2019/04/gitea-1.7.6-is-released/ - --------------------------BEGIN INCLUDED TEXT-------------------- Gitea 1.7.6 is released Sat Apr 13, 2019 by zeripath We proudly present the security release of Gitea version 1.7.6. This release contains a very important security fix so it is highly recommended to update to this version. Users running our version 1.8 release candidates should also update. We have merged 2 pull requests to release this version. You can download one of our pre-built binaries from our downloads page - make sure to select the correct platform! For further details on how to install, follow our installation guide. We would like to say special thanks to zeripath who reported and fixed the security issue fixed in this release, and mrsdizzie who confirmed and produced a minimal exploitable testcase for the security issue. We?d like to thank all of our supporters on Open Collective who are helping us with financial sustainment. Changelog * SECURITY + Prevent remote code execution vulnerability with mirror repo URL settings (#6593) (#6595) * BUGFIXES + Allow resend of confirmation email when logged in (#6482) (#6487) Copyright 2019 The Gitea Authors. All rights reserved. Made with and Hugo. Sponsored by INBlockchain, Packet, DigitalOcean, and all of our backers on Open Collective. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXLgAemaOgq3Tt24GAQgH2Q//QuOLWfIJunxzjIgG5VXOlcf4yIh0fAhi TSf2mb5YJIVk7ihK/PVjiqluldpYJZ/15/ibPIPvxgjwDHZDoNEHt0e0y2hXkq5I m4ZHEJR0qTLnvrM8C62u3m9WpgcWl3YGitgqgcbnbRVl+pXsn4fvPjSS4iVMwy6k fNl/4C9Jyj8Cr2C9lmmuk7wtI5G1XyK8H1BGbNcci+ihnt3V7ksnagC3QmzQvliD AMq8MlxRZEEcENBNd9GVxPFZHdoGn6QEeGqmZZtABsxe3kAbLZdQksGAxcXPY2XR 52B61wg0O2movEAbTIxKDr4Wx8dNilLhvBLaczJIgIjvdqz7Kjvg6jo12bppbcD4 alF72e6xFXmoeUuQ5xVtOpMODuJgLi/gJXQxkn9xO5eGFf+wlQYKjDtZ3NYopn2S J4M7WtxSxpSXk+l8eQrPNACWF960dxKuKNw43SbVMnO+EtFZjuZY5jK1yzrfOW+Z C/hhN31/ML7TClwjYaEU41kVeZqmeLA3HdLgionFZIjYGc/HOJMr8/0iqu6YN3TD MRD0aLYlGyG9DdvaoFFi7ztasNukRaKmuj1YUmdgfwaaS3pZwqGYrxcgWPYztZlZ TUKChuC7lZkS28zo5MdhDcym6JN9YPtJCCfeVnUvPPLLqGMk2ljVU2Kj9KmTGcvu tTzsurMqT2E= =2WK8 -----END PGP SIGNATURE-----