Forgejo Security Release 1.21.2-1

Forgejo v1.21.2-1 was released 12 December 2023.

This release contains a security fix related to permissions enforcement of web endpoints.

We strongly recommend that all Forgejo installations are upgraded to the latest version as soon as possible.

The project page of private users is publicly visible

The project page of a private user was missing a permission check and was therefore visible publicly. The other pages of such a user (packages, repositories, etc.), and even the fact that the user exists, are not publicly visible.
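The bug described above is a single user-scoped page that skipped the visibility check the other user pages already applied. The following Go snippet is an added illustration, not Forgejo's own code: the types, the `canSeeUser` helper and the two hypothetical handlers are constructed here to contrast the unchecked page with one that shares the common check and answers 404, so the user's existence stays hidden.

```go
package main

import "net/http"

// Visibility models a per-user visibility setting (hypothetical; not Forgejo's types).
type Visibility int

const (
	VisibilityPublic  Visibility = iota // anyone may view
	VisibilityLimited                   // signed-in users only
	VisibilityPrivate                   // the owner and admins only
)

// User is a minimal stand-in for a user record (constructed for this example).
type User struct {
	Name       string
	Visibility Visibility
	IsAdmin    bool
}

// canSeeUser is the single check every user-scoped page should share.
// A nil viewer represents an anonymous request.
func canSeeUser(owner User, viewer *User) bool {
	switch owner.Visibility {
	case VisibilityPublic:
		return true
	case VisibilityLimited:
		return viewer != nil
	default: // private: only the owner or an instance admin
		return viewer != nil && (viewer.Name == owner.Name || viewer.IsAdmin)
	}
}

// projectsPageBefore mirrors the flaw: the handler renders without any check,
// so an anonymous viewer gets 200 for a private user's project page.
func projectsPageBefore(owner User, viewer *User) int {
	return http.StatusOK
}

// projectsPageAfter applies the shared check first. Returning 404 rather than
// 403 matches the other user pages and does not reveal that the user exists.
func projectsPageAfter(owner User, viewer *User) int {
	if !canSeeUser(owner, viewer) {
		return http.StatusNotFound
	}
	return http.StatusOK
}
```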

Reminder of responsible disclosure

On 11 December 2023 the project page vulnerability was revealed publicly, in contradiction of the Gitea and Forgejo security policies as well as the general principles of responsible disclosure.

This unfortunate incident forced the immediate preparation of this Forgejo patch release. With no advance warning, only limited testing was possible, and there is a non-negligible risk of a regression.

In such a situation the Forgejo admins and users suffer the consequences, either because they are left unnecessarily exposed to publicly known vulnerabilities or because their instance may run into regressions due to insufficient preparation time and testing.

If you discover a new vulnerability, you are urged to not reveal it publicly but to send an encrypted email to security@forgejo.org so this situation does not happen again.

Contribute to Forgejo

If you have any feedback or suggestions for Forgejo, we’d love to hear from you! Open an issue on our issue tracker for feature requests or bug reports. You can also find us on the Fediverse, or drop by our Matrix space (main chat room) to say hi!