Why were the patch versions for CVE-2019-11576, CVE-2022-0905, CVE-2018-15192, CVE-2021-29134, CVE-2021-3382 released so late?

We are a research team dedicated to Golang and have discovered that CVE-2019-11576, CVE-2022-0905, CVE-2018-15192, CVE-2021-29134, CVE-2021-3382 were addressed in commits 19ec2606e91610421a3e9cd87c94748ef07ca468, 1314f38b59748397b3429fb9bc9f9d6bac85d2f2, 599ff1c054e436daa4dc3f049aa8661d9c2395f9, f4e677edb1f236cd802f5dd2f0759252c9235bd6, b59ed41e81270660e08a18ade5ad09ecd033f905. However, upon analyzing the commits, we observed that the patch versions (v1.9.0-rc1, v1.18.0-dev, v1.16.0-rc1, v1.15.0-rc1, v1.15.0-dev) were released after a lapse of over one month. We are interested in understanding the reasons behind this delay in releasing the patch version, as it could potentially impede the prompt dissemination of patches to downstream users. We seek clarification on whether the delay might be attributed to:

  1. Issues with testing and CI checking.
  2. Other commits requiring inclusion in a single release.
  3. By convention, infrequent release of versions.
  4. Other reasons.

We appreciate your attention to this matter and eagerly await your response. Thank you.

At least for CVE-2021-3382, it was patched on Jan 18 (Use path not filepath in routers/editor by zeripath · Pull Request #14390 · go-gitea/gitea · GitHub) on the main development branch. On Jan 19, it was backported to the v1.13 release branch (Use path not filepath in routers/editor (#14390) by 6543 · Pull Request #14396 · go-gitea/gitea · GitHub) and released 12 days later with v1.13.2. I did not look into the others.

I am also curious about this question. I recently noticed a security announcement in Forgejo (on Mastodon), which was released on November 25. v1.20.5-1 - forgejo/forgejo - Codeberg.org

I read the blog post and understand that Gitea was also affected, and tried to check their process. And although the patches were published shortly after, it looks like it took them three days to address the issue. Release v1.20.6 · go-gitea/gitea · GitHub was released on November 28.

It’s much shorter, but I cannot see an obvious reason for the delay. And as far as I understand, it was a very critical security issue (it allows reading private content and modifying others’ content, even in private repos it seems).

I wonder why there is no response in this thread?

@Silence-worker-02 Digging a little bit in the Forgejo spaces, it looks like you are not the only team wondering about Gitea’s security practice: #86 - Security collaboration with upstream projects - forgejo/discussions - Codeberg.org (a discussion about how to proceed with projects like Gitea when there is no response to emails and other things)

We have focused on security for many years, since Gitea started. I can only say that something here is not the truth. I think the delay is because the reporter had a special embargo for us. And before the day the embargo ended, they changed the patch and sent an email to us. They released before we had time to read the email. After we found the patch had changed, we had to check all other possible places with the same security issue, and we found more problems.

For the response:
1. They never followed our security policy.
2. We replied to them and provided the first version of the patch, and they never mentioned our contribution to the patch.


All the versions you point out are dev branches or tags. All security patches will be released in a stable minor version.


Can you elaborate on this? Your security policy basically states to send you an email, and they did. How didn’t they follow your policy?

There are credits for you here: Forgejo Security Release 1.20.5-1 — Forgejo

Further research from both Gitea and Forgejo teams in the following days revealed more vulnerabilities. Initial fixes and tests verifying they are effective were exchanged

However, I acknowledge this response. You mean the security fixes were released sooner, but on the release branches, and the security team didn’t check the release versions but only compared the time between security fix on the dev branch and when the stable release was made? Thank you for clarifying this.

Yeah, these are not the security releases, but the next stable releases. The security fixes went into Gitea much earlier.