security/vuxml: add records for www/gitea < 1.22.6

stblassitude · VVD · commit 44f68d063324 · 2024-12-18T03:04:58.000+03:00
go-gitea/gitea#32810 GHSA-v778-237x-gjrc go-gitea/gitea#32791 go-gitea/gitea#32654 go-gitea/gitea#32531 go-gitea/gitea#32473 PR: 283389
diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml
@@ -1,3 +1,84 @@
+  <vuln vid="38e6f778-bca3-11ef-8926-9b4f2d14eb53">
+    <topic>gitea -- Fix misuse of PublicKeyCallback</topic>
+    <affects>
+      <package>
+	<name>gitea</name>
+	<range><lt>1.22.6</lt></range>
+      </package>
+    </affects>
+    <description>
+       <body xmlns="http://www.w3.org/1999/xhtml">
+       <h1>Problem Description:</h1>
+       <ul>
+       <li>Misuse of ServerConfig.PublicKeyCallback may cause authorization
+       bypass in golang.org/x/crypto</li>
+       </ul>
+      </body>
+    </description>
+    <references>
+      <url>https://github.com/go-gitea/gitea/pull/32810</url>
+      <url>https://github.com/advisories/GHSA-v778-237x-gjrc</url>
+    </references>
+    <dates>
+      <discovery>2024-12-12</discovery>
+      <entry>2024-12-17</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="453cd84e-bca4-11ef-8926-9b4f2d14eb53">
+    <topic>gitea -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>gitea</name>
+	<range><lt>1.22.5</lt></range>
+      </package>
+    </affects>
+    <description>
+       <body xmlns="http://www.w3.org/1999/xhtml">
+       <h1>Problem Description:</h1>
+       <ul>
+       <li>Fix delete branch perm checking</li>
+       <li>Upgrade crypto library</li>
+       </ul>
+      </body>
+    </description>
+    <references>
+      <url>https://github.com/go-gitea/gitea/pull/32791</url>
+      <url>https://github.com/go-gitea/gitea/pull/32654</url>
+    </references>
+    <dates>
+      <discovery>2024-11-27</discovery>
+      <entry>2024-12-17</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="6ea20f0c-bca3-11ef-8926-9b4f2d14eb53">
+    <topic>gitea -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>gitea</name>
+	<range><lt>1.22.4</lt></range>
+      </package>
+    </affects>
+    <description>
+       <body xmlns="http://www.w3.org/1999/xhtml">
+       <h1>Problem Description:</h1>
+       <ul>
+       <li>Fix basic auth with webauthn</li>
+       <li>Refactor internal routers (partial backport, auth token const time comparing)</li>
+       </ul>
+      </body>
+    </description>
+    <references>
+      <url>https://github.com/go-gitea/gitea/pull/32531</url>
+      <url>https://github.com/go-gitea/gitea/pull/32473</url>
+    </references>
+    <dates>
+      <discovery>2024-11-16</discovery>
+      <entry>2024-12-17</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="5ca064a6-bca1-11ef-8926-9b4f2d14eb53">
     <topic>forgejo -- multiple vulnerabilities</topic>
     <affects>
