Gogs - Package Updates

girish

[1.16.0]

• Update base image to 3.2.0

nebulon

[1.16.1]

• Update Gogs to 0.12.4
• Security: Potential SSRF attack by CRLF injection via repository migration. #6413 by @stypr
• Regression: Fixed smart links for issues stops rendering. #6506 by @unknwon
• Added X-Frame-Options header to prevent Clickjacking. #6409 by @matheusmosca

girish

[1.17.0]

• Update Gogs to 0.12.5
• Security: Potential SSRF in repository migration. #6754 by @michaellrowley
• Security: Improper PAM authorization handling. #6810 by @ysf

girish

[1.17.1]

• Update Gogs to 0.12.6
• Full changelog
• Security: Remote command execution in file uploading. #6833 by @unknwon
• Regression: Unable to migrate repository from other local Git hosting. Added a new configuration option [security] LOCAL_NETWORK_ALLOWLIST, which is a comma separated list of hostnames that are explicitly allowed to be accessed within the local network. #6841 by @unknwon

girish

[1.17.2]

• Update Gogs to 0.12.7
• Full changelog
• Security: Stored XSS in issues. #6919 by @unknwon
• Invalid character in Access-Control-Allow-Credentials response header. #4983 by @wuhan005
• Mysterious ssh: overflow reading version string errors from builtin SSH server. #6882 by @unknwon

nebulon

[1.17.3]

• Update Gogs to 0.12.8
• Full changelog
• Security: SSRF in webhook. #6901
• Security: XSS in cookies. #6953
• Security: OS Command Injection in file uploading. #6968
• Security: Remote Command Execution in file editing. #6555

girish

[1.17.4]

• Update Gogs to 0.12.9
• Full changelog
• Security: OS Command Injection in file editor. #7000
• Security: Sanitize DisplayName in repository issue list. #7009
• Security: Path Traversal in file editor on Windows. #7001
• Security: Path Traversal in Git HTTP endpoints. #7002
• Unable to init repository during creation on Windows. #6967

nebulon

[1.17.5]

• Update Gogs to 0.12.10
• Full changelog
• Support using [security] LOCAL_NETWORK_ALLOWLIST = * to allow all hostnames. #7111
• Unable to send webhooks to local network addresses after configured [security] LOCAL_NETWORK_ALLOWLIST. #7074

girish

[1.17.6]

• Add support for email display name

girish

[1.18.0]

• Update base image to 4.0.0

nebulon

[1.18.1]

• Update Gogs to 0.12.11
• Full changelog
• Security: Stored XSS for issue assignees. #7145
• Security: OS Command Injection in repo editor on case-insensitive file systems. #7030
• Unable to render repository pages with implicit submodules (e.g. get submodule "REDACTED": revision does not exist). #6436

girish

[1.19.0]

• Update Gogs to 0.13.0
• Full changelog
• Support using personal access token in the password field. #3866
• An unlisted option is added when create or migrate a repository. Unlisted repositories are public but not being listed for users without direct access in the UI. #5733
• New API endpoint PUT /repos/:owner/:repo/contents/:path for creating and update repository contents. #5967
• New configuration option [git.timeout] DIFF for customizing operation timeout of git diff. #6315
• New configuration option [server] SSH_SERVER_MACS for setting list of accepted MACs for connections to builtin SSH server. #6434
• New configuration option [repository] DEFAULT_BRANCH for setting default branch name for new repositories. #7291
• New configuration option [server] SSH_SERVER_ALGORITHMS for specifying the list of accepted key exchange algorithms for connections to builtin SSH server. #7345
• Support specifying custom schema for PostgreSQL. #6695
• Support rendering Mermaid diagrams in Markdown. #6776
• Docker: Allow passing extra arguments to the backup command. #7060
• New languages support: Mongolian, Romanian. #6510 #7082
• The required Go version to compile source code changed to 1.18.
• Access tokens are now stored using their SHA256 hashes instead of raw values. #7008
• Unable to use LDAP authentication on ARM machines. #6761
• Unable to choose "Lookup Avatar by mail" in user settings without deleting custom avatar. #7267
• Mistakenly include the "data" directory under the custom directory in the Docker setup. #7343
• Unable to start after data recovery with an outdated migration version. #7125

girish

[1.20.0]

• Update base image to 4.2.0

girish

[1.20.1]

• Set GOGS_CUSTOM env var

Package Updates

[1.20.2]

• Update gogs to 0.13.2
• Full Changelog
• Security: Path Traversal in file editing UI. GHSA-r7j8-5h9c-f6fx
• Security: Path Traversal in file update API. GHSA-qf5v-rp47-55gg
• Security: Argument Injection in the built-in SSH server. GHSA-vm62-9jw3-c8w3
• Security: Deletion of internal files. GHSA-ccqv-43vm-4f3w
• Security: Argument Injection during changes preview. GHSA-9pp6-wq8c-3w2c
• Security: Argument Injection when tagging new releases. GHSA-m27m-h5gj-wwmg
• Use the non-deprecated section name [email] during installation for email settings. #​7704
• Use the non-deprecated section name [email] PASSWORD during installation for email password. #​7807
• Make purple template label color to actually use the hexcode of purple. #​7722

Package Updates

[1.21.0]

• Update base image to 5.0.0

Package Updates

[1.22.0]

• checklist added to manifest

Package Updates

[1.22.1]

• Update gogs to 0.13.3
• Full Changelog
• Security: Stored XSS in PDF renderer. GHSA-xh32-cx6c-cp4v
• Security: Path Traversal in file editing UI. GHSA-wj44-9vcg-wjq7
• Randomly timeout on repository file uploads. #​7890
• Unable to override email templates in custom directory. #​7905

Package Updates

[1.23.0]

• Update gogs to 0.14.1
• Full Changelog
• Support comparing tags in addition to branches. #6141
• Show file name in browser tab title when viewing files. #5896
• Support using TLS for Redis session provider using [session] PROVIDER_CONFIG = ...,tls=true. #7860
• Support expanading values in app.ini from environment variables, e.g. [database] PASSWORD = ${DATABASE_PASSWORD}. #8057
• Support custom logout URL that users get redirected to after sign out using [auth] CUSTOM_LOGOUT_URL. #8089
• The required Go version to compile source code changed to 1.25.
• The build tag cert has been removed, and the gogs cert subcommand is now always available. #7883
• Switched to pure-Go SQLite driver, CGO is no longer required to compile Gogs. #7882
• Security: Unauthenticated file upload. #8128 - GHSA-fc3h-92p8-h36f
• Security: Protected branch bypass in web UI. #8124 - GHSA-2c6v-8r3v-gh6p

Package Updates

[1.23.1]

• Update gogs to 0.14.2
• Full Changelog
• Security: Cross-repository LFS object overwrite via missing content hash verification. #​8166 - GHSA-gmf8-978x-2fg2
• Security: Stored XSS via data URI in issue comments. #​8174 - GHSA-xrcr-gmf5-2r8j
• Security: Release tag option injection in release deletion. #​8175 - GHSA-v9vm-r24h-6rqm
• Security: Stored XSS in branch and wiki views through author and committer names. #​8176 - GHSA-vgvf-m4fw-938j
• Security: DOM-based XSS via issue meta selection on the issue page. #​8178 - GHSA-vgjm-2cpf-4g7c
• Unable to update files via web editor and API. #​8184