Forgejo Security Release 1.18.2-1

Today Forgejo v1.18.2-1 was released.

This stable release includes a security fix. It was possible to reveal a user’s email address, which is problematic because users can choose to hide their email address from everyone. This was possible because the notification email for a repository transfer request to an organization was addressed to every member of the owner team at once, so each recipient could see the other members’ email addresses. This has been fixed by sending individual emails instead, and the code was refactored to prevent it from happening again.
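As an added illustration (example code, not Forgejo’s own), the pattern behind the fix in Go: the leaky variant puts the whole owner team into one message’s recipient list, the fixed variant sends one message per member, and a small check a mailer test could use flags any private address that another recipient would see. The `Message` and `Member` types and the sample addresses are constructed for this example.

```go
package main

import "fmt"
// Message is a minimal envelope: every address in To is visible to every recipient.
type Message struct{ To []string }

// Member is a constructed stand-in for an owner-team member.
type Member struct {
	Email            string
	KeepEmailPrivate bool // the "hide my email address" user setting
}

// transferNoticeLeaky shows the flawed pattern: one message to the whole owner team, so every recipient learns every address.
func transferNoticeLeaky(owners []Member) []Message {
	var to []string
	for _, m := range owners {
		to = append(to, m.Email)
	}
	return []Message{{To: to}}
}

// transferNoticeFixed sends one message per owner, so no address appears in a header another owner can read.
func transferNoticeFixed(owners []Member) []Message {
	var msgs []Message
	for _, m := range owners {
		msgs = append(msgs, Message{To: []string{m.Email}})
	}
	return msgs
}

// leakedAddresses returns private addresses that share a To header with another recipient; a mailer test can assert it is empty.
func leakedAddresses(msgs []Message, owners []Member) []string {
	var leaked []string
	for _, msg := range msgs {
		for _, addr := range msg.To {
			for _, m := range owners {
				if len(msg.To) > 1 && m.KeepEmailPrivate && m.Email == addr {
					leaked = append(leaked, addr)
				}
			}
		}
	}
	return leaked
}

func main() {
	owners := []Member{{Email: "alice@example.invalid", KeepEmailPrivate: true}, {Email: "bob@example.invalid"}}
	fmt.Println(leakedAddresses(transferNoticeLeaky(owners), owners)) // [alice@example.invalid]
	fmt.Println(leakedAddresses(transferNoticeFixed(owners), owners)) // []
}
```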

We strongly recommend that all installations are upgraded to the latest version as soon as possible.

Forgejo installation instructions

See the download page for installation instructions. If you are upgrading from Forgejo 1.18.X-N (or Gitea 1.18) no manual action is required. If you’re on Gitea v1.17.X or older, please read the release notes carefully, and in particular check out the breaking changes section of Gitea’s blog post.

The actual upgrade process is as simple as replacing the Gitea binary or container image with the corresponding Forgejo binary or container image. If you’re using the container images, you can use the 1.18 tag to stay up to date with the latest 1.18.x point release automatically.

Codeberg is not vulnerable

The Forgejo security team is a joint effort with Codeberg which already runs a Forgejo version that includes the security fix.

Responsible disclosure to Gitea

On 21 January 2023, as soon as the Forgejo security team confirmed the vulnerability, the detailed conclusions were communicated to the Gitea security team. The corresponding bug fix was published 22 January 2023.

Contribute to Forgejo

If you have any feedback or suggestions for Forgejo, we’d love to hear from you! Open an issue on our issue tracker for feature requests or bug reports. You can also find us on the Fediverse, or drop by our Matrix space (main chat room) to say hi!