Forgejo Critical Security Release 1.18.1-0

Today Forgejo v1.18.1-0 was released.

This release contains an important security fix for Forgejo container images, as described below. When Forgejo runs from a binary, recommendations to upgrade the git version installed alongside it are also provided.

This release also contains branding improvements (webhooks, headers, etc.) and includes a more robust release process, as detailed in the release notes.

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

  • When using a Forgejo binary: upgrade the git package to a version greater or equal to v2.39.1, v2.38.3, v2.37.5, v2.36.4, v2.35.6, v2.34.6, v2.33.6, v2.32.5, v2.31.6, or v2.30.7
  • When using a Forgejo container image: docker pull codeberg.org/forgejo/forgejo:1.18.1-0

Critical security issues in Git

Git recently announced new versions to address two CVEs (CVE-2022-23521, CVE-2022-41903). On 17 January 2023, Git published the maintenance release v2.39.1, together with releases for older maintenance tracks v2.38.3, v2.37.5, v2.36.4, v2.35.6, v2.34.6, v2.33.6, v2.32.5, v2.31.6, and v2.30.7. All major GNU/Linux distributions also provide updated packages via their security update channels.

The Forgejo security team analyzed both CVEs and confirmed that Forgejo can be used as an intermediary by an attacker to reach a vulnerable git version. The Forgejo codebase itself is not at fault and has no way to mitigate the problem: the only solution is to upgrade the git binary.

Fixing Git when using a Forgejo binary

When installed as a binary downloaded from the Forgejo releases repository, it is the responsibility of the Forgejo admin to install git independently. Upgrading to a patched git package (with a version greater or equal to v2.39.1, v2.38.3, v2.37.5, v2.36.4, v2.35.6, v2.34.6, v2.33.6, v2.32.5, v2.31.6, or v2.30.7) is therefore enough to fix the problem, even if Forgejo is not upgraded. Note that some distributions (such as Ubuntu) may backport security fixes to older git versions instead of upgrading, so the version string alone is not conclusive; check the package changelog for confirmation. If a package is older than 17 January 2023, it will NOT contain the security fix because the fix was only made public on that date.

Fixing Git when using a Forgejo container image

When installed as an image downloaded from the Forgejo registry, the container includes both the Forgejo binary and the git binary, as obtained from Alpine 3.16. Forgejo 1.18.0-1 contains a vulnerable git binary:

$ docker run --rm codeberg.org/forgejo/forgejo:1.18.0-1 git --version
git version 2.36.3

The Forgejo 1.18.1-0 images were built shortly after the patched git binary was upgraded in Alpine 3.16 and are not vulnerable:

$ docker run --rm codeberg.org/forgejo/forgejo:1.18.1-0 git --version
git version 2.36.4

In this case it is necessary to upgrade Forgejo to 1.18.1-0 to get the fixed git binary. The rootless variant of Forgejo also includes the git binary and can be upgraded in the same way.
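Both the binary case (check the host's git --version) and the container case (check the git inside the image with docker run ... git --version) come down to comparing a version string against the fixed release of its maintenance track. As an added example, not part of this release or of Forgejo's own tooling, the following POSIX shell script encodes the version list from this advisory and gives a verdict for a version string; the function names are mine. It also implements the backport caveat from above in the only way a version check can: a distribution build that backports the fix keeps its old version string and is reported as vulnerable, so the package changelog remains the authority in that case.

```shell
#!/bin/sh
# Added example (not Forgejo's own tooling): decide whether a git version string is at
# or above the fixed release of its maintenance track, using the version list from
# this advisory. Caveat: a distribution that backports the fix keeps the old version
# string, so such a build is reported as VULNERABLE here; confirm with its changelog.

# Fixed patch level for each 2.Y maintenance track named in the advisory.
fixed_patch_for_track() {
    case "$1" in
        30) echo 7 ;;  31) echo 6 ;;  32) echo 5 ;;  33) echo 6 ;;  34) echo 6 ;;
        35) echo 6 ;;  36) echo 4 ;;  37) echo 5 ;;  38) echo 3 ;;  39) echo 1 ;;
        *)  echo "" ;;   # no fixed release exists for this track
    esac
}

# git_is_patched "git version 2.36.3"   (a bare "2.36.3" is accepted too)
# Exit status 0 = at or above the fixed release, 1 = vulnerable or unparseable.
git_is_patched() {
    v=${1#"git version "}        # drop the "git version " prefix if present
    v=${v%% *}                   # keep only the leading version token
    case "$v" in
        [0-9]*.[0-9]*) ;;        # must look like X.Y or X.Y.Z
        *) return 1 ;;
    esac
    major=${v%%.*}
    rest=${v#*.}
    case "$rest" in
        *.*) minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   minor=$rest; patch=0 ;;          # "2.40" without a patch component
    esac
    for n in "$major" "$minor" "$patch"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac   # reject non-numeric components
    done
    [ "$major" -gt 2 ] && return 0       # any future major version postdates the fix
    [ "$major" -lt 2 ] && return 1
    [ "$minor" -gt 39 ] && return 0      # 2.40 and later all postdate the fix
    fixed=$(fixed_patch_for_track "$minor")
    [ -n "$fixed" ] || return 1          # 2.29 and older never received a fix
    [ "$patch" -ge "$fixed" ]
}

# Human-readable verdict for one version string (written to stdout).
report() {
    if git_is_patched "$1"; then echo "OK $1"; else echo "VULNERABLE $1"; fi
}

# Binary installation: check the git found on the host.
check_host_git() { report "$(git --version 2>/dev/null || echo unknown)"; }

# Container installation: check the git shipped inside an image (image reference as argument).
check_image_git() { report "$(docker run --rm "$1" git --version 2>/dev/null || echo unknown)"; }

# Example invocations (uncomment to run against a real host or image):
# check_host_git
# check_image_git codeberg.org/forgejo/forgejo:1.18.0-1   # reports VULNERABLE (2.36.3)
# check_image_git codeberg.org/forgejo/forgejo:1.18.1-0   # reports OK (2.36.4)
```

The track table is deliberately closed: a version on a track older than 2.30 has no fixed release and is always reported as vulnerable, while anything at 2.40 or later is accepted because it was released after the fix.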

Forgejo installation instructions

See the download page for installation instructions. If you are upgrading from Forgejo 1.18.0-1 (or Gitea 1.18), no manual action is required. If you’re on Gitea v1.17.x or older, please read the release notes carefully, and in particular check out the breaking changes section of Gitea’s blog post.

The actual upgrade process is as simple as replacing the Gitea binary or container image with the corresponding Forgejo binary or container image. If you’re using the container images, you can use the 1.18 tag to stay up to date with the latest 1.18.x point release automatically.

Codeberg is not vulnerable

The Forgejo security team is a joint effort with Codeberg which already runs a git version that is not vulnerable.

Responsible disclosure to Gitea

As soon as the Forgejo security team confirmed the vulnerability, the conclusions were communicated to the Gitea security team. Forgejo recommended a rebuild of the Gitea container images for 1.18.1, which had been created shortly before the proper Alpine package version was available.

Contribute to Forgejo

If you have any feedback or suggestions for Forgejo, we’d love to hear from you! Open an issue on our issue tracker for feature requests or bug reports. You can also find us on the Fediverse, or drop by our Matrix space (main chat room) to say hi!