Today Forgejo v1.18.1-0 was released.
This release contains an important security fix for Forgejo container images, as described below. When Forgejo runs from a binary, recommendations to upgrade the
git version installed alongside it are also provided.
This release also contains branding improvements (webhooks, headers, etc.) and includes a more robust release process, as detailed in the release notes.
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
- When using a Forgejo binary: upgrade the
gitpackage to a version greater or equal to v2.39.1, v2.38.3, v2.37.5, v2.36.4, v2.35.6, v2.34.6, v2.33.6, v2.32.5, v2.31.6, or v2.30.7
- When using a Forgejo container image:
docker pull codeberg.org/forgejo/forgejo:1.18.1-0
Git recently announced new versions to address two CVEs (CVE-2022-23521, CVE-2022-41903). On 17 January 2023, Git published the maintenance release v2.39.1, together with releases for older maintenance tracks v2.38.3, v2.37.5, v2.36.4, v2.35.6, v2.34.6, v2.33.6, v2.32.5, v2.31.6, and v2.30.7. All major GNU/Linux distributions also provide updated packages via their security update channels.
The Forgejo security team analyzed both CVE and confirmed that Forgejo can be used as an intermediary by an attacker to reach a vulnerable
git version. The Forgejo codebase itself is not at fault and has no way to mitigate the problem: the only solution is to upgrade the
When installed as a binary downloaded from the Forjego releases repository, it is the responsibility of the Forgejo admin to install
git independently. Upgrading to a patched
git package (with a version greater or equal to v2.39.1, v2.38.3, v2.37.5, v2.36.4, v2.35.6, v2.34.6, v2.33.6, v2.32.5, v2.31.6, and v2.30.7) is therefore enough to fix the problem, even if Forgejo is not upgraded. Note that some distributions (such as Ubuntu) may backport security fixes to older
git versions instead of upgrading, and it is worth looking at the changelog for confirmation. If a package is older than 17 January 2023, it will NOT contain the security fix because it was only made public on that date.
When installed as an image downloaded from the Forgejo registry, the container includes both the Forgejo binary and the
git binary, as obtained from Alpine 3.16.
Forgejo 1.18.0-1 contains a vulnerable
$ docker run --rm codeberg.org/forgejo/forgejo:1.18.0-1 git --version git version 2.36.3
The Forgejo 1.18.1-0 images were built shortly after the patched
git binary was upgraded in
Alpine 3.16 and is not vulnerable:
$ docker run --rm codeberg.org/forgejo/forgejo:1.18.1-0 git --version git version 2.36.4
In this case it is necessary to upgrade Forgejo to
1.18.1-0 to get the fixed
git binary. The rootless variant of Forgejo also includes the
git binary and can be upgraded in the same way.
See the download page
for instructions for installation instructions. If you are upgrading from
Forgejo 1.18.0-1 (or
Gitea 1.18) no manual action is required. If you’re on
Gitea v1.17.x or older please read the release notes
carefully, and in particular check out the breaking changes section of Gitea’s blog post.
The actual upgrade process is as simple as replacing the Gitea binary or container image
with the corresponding Forgejo binary
or container image.
If you’re using the container images, you can use the
to stay up to date with the latest
1.18.x point release automatically.
As soon as the Forgejo security team confirmed the vulnerability, the conclusions were communicated to the Gitea security team. Forgejo recommended a rebuild of the Gitea container images for
1.18.1, that were created shortly before the proper Alpine package version was available.
If you have any feedback or suggestions for Forgejo, we’d love to hear from you! Open an issue on our issue tracker for feature requests or bug reports. You can also find us on the Fediverse, or drop by our Matrix space (main chat room) to say hi!