Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package forgejo for openSUSE:Factory checked in at 2024-08-10 19:07:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/forgejo (Old) and /work/SRC/openSUSE:Factory/.forgejo.new.7232 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "forgejo" Sat Aug 10 19:07:58 2024 rev:12 rq:1193061 version:7.0.7 Changes: -------- --- /work/SRC/openSUSE:Factory/forgejo/forgejo.changes 2024-08-01 22:07:01.662897661 +0200 +++ /work/SRC/openSUSE:Factory/.forgejo.new.7232/forgejo.changes 2024-08-10 19:13:52.268908088 +0200 
@@ -1,0 +2,24 @@ +Fri Aug 9 18:13:59 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de> + +- update to 7.0.7: + This is a security release. See the documentation for more + information on the upgrade procedure. + * Security + - A change introduced in Forgejo v1.21 allows a Forgejo user + with write permission on a repository description to inject a + client-side script into the web page viewed by the visitor. + This XSS allows for href in anchor elements to be set to a + javascript: URI in the repository description, which will + execute the specified script upon clicking (and not upon + loading). AllowStandardURLs is now called for the repository + description policy, which ensures that URIs in anchor + elements are mailto:, http:// or https:// and thereby + disallowing the javascript: URI. + * Bug fixes + - PR (backported): disallow javascript: URI in the repository + description + * Localization + - PR (backported): i18n: backport of #4568 #4668 and #4783 to + v7 + +------------------------------------------------------------------- Old: ---- forgejo-src-7.0.6.tar.gz forgejo-src-7.0.6.tar.gz.asc New: ---- forgejo-src-7.0.7.tar.gz forgejo-src-7.0.7.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ forgejo.spec ++++++ --- /var/tmp/diff_new_pack.o2RajP/_old 2024-08-10 19:13:53.816972377 +0200 +++ /var/tmp/diff_new_pack.o2RajP/_new 2024-08-10 19:13:53.820972543 +0200 @@ -30,7 +30,7 @@ %endif %endif Name: forgejo -Version: 7.0.6 +Version: 7.0.7 Release: 0 Summary: Self-hostable forge License: MIT ++++++ forgejo-src-7.0.6.tar.gz -> forgejo-src-7.0.7.tar.gz ++++++ /work/SRC/openSUSE:Factory/forgejo/forgejo-src-7.0.6.tar.gz /work/SRC/openSUSE:Factory/.forgejo.new.7232/forgejo-src-7.0.7.tar.gz differ: char 16, line 1
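Review bot: the forgejo.changes hunk leaves the security fix untraceable: the "Bug fixes" bullet reads "PR (backported): disallow javascript: URI in the repository description" with no PR number, and the "Security" bullet names neither an advisory nor a CVE identifier, whereas the "Localization" bullet in the same entry does cite "#4568 #4668 and #4783". Add the backport PR number and the advisory reference next to the Security bullet so anyone auditing the 7.0.6 -> 7.0.7 bump can verify which upstream change closes the XSS. The opening line "See the documentation for more information on the upgrade procedure" likewise points nowhere; a URL to the upgrade notes would make the entry self-contained.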
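Review bot: the forgejo.spec hunk changes only "-Version: 7.0.6" / "+Version: 7.0.7" while the Old/New lists show that both forgejo-src-7.0.7.tar.gz and its detached signature forgejo-src-7.0.7.tar.gz.asc replaced the 7.0.6 pair. Since this is a security release, confirm that the build actually checks the new .asc against the packaged keyring rather than merely shipping it alongside the tarball; nothing in the visible spec diff shows the verification step being exercised for the new source. Leaving "Release: 0" unchanged is correct for OBS, which assigns the release number at build time.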