Forgejo Security Release 1.18.3-2

Today Forgejo v1.18.3-2 was released.

This release contains a security fix for Forgejo container images, as described below. When Forgejo runs from a binary, recommendations to upgrade the git version installed alongside it are also provided.

This release also contains bug fixes as detailed in the release notes.

We recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

  • When using a Forgejo binary: upgrade the git package to a version greater or equal to v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7 or v2.30.8
  • When using a Forgejo container image: docker pull codeberg.org/forgejo/forgejo:1.18.3-2

Security issues in Git

Git recently announced new versions to address two CVEs (CVE-2023-22490, CVE-2023-23946). On 14 February 2023, Git published the maintenance release v2.39.2, together with releases for older maintenance tracks v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8.

The Forgejo security team analyzed both CVE and concluded that they cannot be exploited via Forgejo. It is however recommended to upgrade git as a precaution.

Fixing Git when using a Forgejo binary

When installed as a binary downloaded from the Forjego releases repository, it is the responsibility of the Forgejo admin to install git independently. Upgrading to a patched git package (with a version greater or equal to v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7 or v2.30.8) is therefore enough to fix the problem, even if Forgejo is not upgraded.

Fixing Git when using a Forgejo container image

When installed as an image downloaded from the Forgejo registry, the container includes both the Forgejo binary and the git binary, as obtained from Alpine 3.16. Forgejo 1.18.3-1 contains a vulnerable git binary:

$ docker run --rm codeberg.org/forgejo/forgejo:1.18.3-1 git --version
git version 2.36.4

The Forgejo 1.18.3-2 images were built shortly after the patched git binary was upgraded in Alpine 3.16 and is not vulnerable:

$ docker run --rm codeberg.org/forgejo/forgejo:1.18.3-2 git --version
git version 2.36.5

In this case it is necessary to upgrade Forgejo to 1.18.3-2 to get the fixed git binary. The rootless variant of Forgejo also includes the git binary and can be upgraded in the same way.

Forgejo installation instructions

See the download page for instructions for installation instructions. If you are upgrading from Forgejo 1.18.3-1 (or Gitea 1.18) no manual action is required. If you’re on Gitea v1.17.x or older please read the release notes carefully, and in particular check out the breaking changes section of Gitea’s blog post.

The actual upgrade process is as simple as replacing the Gitea binary or container image with the corresponding Forgejo binary or container image. If you’re using the container images, you can use the 1.18 tag to stay up to date with the latest 1.18.x point release automatically.

Contribute to Forgejo

If you have any feedback or suggestions for Forgejo, we’d love to hear from you! Open an issue on our issue tracker for feature requests or bug reports. You can also find us on the Fediverse, or drop by our Matrix space (main chat room) to say hi!