From 3982bdbf674a48658a0b542e1bee1ac575451bc7829f9efe1821d5b48e68726c Mon Sep 17 00:00:00 2001 
From: Richard Rahl
Date: Sun, 16 Jun 2024 13:05:45 +0000
Subject: [PATCH] Accepting request 1181169 from home:rrahl0:upgrades

- update to 7.0.4:
  * Fixed: CVE-2024-24789: the archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create a zip file with contents that vary depending on the implementation reading the file.
  * the OAuth2 implementation does not always require authentication for public clients, a requirement of RFC 6749 Section 10.2
  * forgejo migrate-storage --type actions-artifacts always fails because it picks the wrong path.
  * avatar files can be found in storage while they do not exist in the database.
  * repository admins are always denied the right to force merge and instance admins are subject to restrictions to merge that must only apply to repository admins.
  * non-conformance with the Nix tarball fetcher immutable link protocol.
  * migrated activities (such as reviews) are mapped to the user who initiated the migration rather than the Ghost user, if the external user cannot be mapped to a local one. This mapping mismatch leads to internal server errors in some cases.
  * a v7.0.0 regression causes [admin].SEND_NOTIFICATION_EMAIL_ON_NEW_USER=true to always be ignored.
  * using a subquery for user deletion is a performance bottleneck when using mariadb 10 because only mariadb 11 takes advantage of the available index.
  * a v7.0.3 regression causes the expanding diffs in pull requests to fail with a 404 error.
  * SourceHut Builds webhook fails when the triggers field is used.
  * the label list rendering in the issue and pull request timeline is displayed on multiple lines instead of a single one.
  * "Git hooks of this repository seem to be broken." warning when pushing more than one branch at a time.
  * automerge does not happen when the approval count reaches the required threshold.
  * the FORCE_PRIVATE=true setting is not consistently enforced.
* CSRF validation errors when OAuth is not enabled. * headlines in rendered org-mode do not have a margin on the top OBS-URL: https://build.opensuse.org/request/show/1181169 OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=21 --- forgejo-src-7.0.3.tar.gz | 3 --- forgejo-src-7.0.3.tar.gz.asc | 7 ------- forgejo-src-7.0.4.tar.gz | 3 +++ forgejo-src-7.0.4.tar.gz.asc | 7 +++++++ forgejo.changes | 31 +++++++++++++++++++++++++++++++ forgejo.spec | 2 +- 6 files changed, 42 insertions(+), 11 deletions(-) delete mode 100644 forgejo-src-7.0.3.tar.gz delete mode 100644 forgejo-src-7.0.3.tar.gz.asc create mode 100644 forgejo-src-7.0.4.tar.gz create mode 100644 forgejo-src-7.0.4.tar.gz.asc diff --git a/forgejo-src-7.0.3.tar.gz b/forgejo-src-7.0.3.tar.gz deleted file mode 100644 index 08f621c..0000000 --- a/forgejo-src-7.0.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:c9e85222eb27508e74a284cb125df7c6d7cfc31f52c62f1e305d2aeb1bdb7abc -size 54895104 diff --git a/forgejo-src-7.0.3.tar.gz.asc b/forgejo-src-7.0.3.tar.gz.asc deleted file mode 100644 index 934fef4..0000000 --- a/forgejo-src-7.0.3.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZk4qfAAKCRCkthotxZI3 -EK/FAP9m98DUdSUB+5LZFmha2VGPm1BtfeC3IMctTI1mpH3ARAD/RovDuiALj+MO -XGkkM8twN732GTGN+QvpSStcbUJCyQk= -=YTAy ------END PGP SIGNATURE----- diff --git a/forgejo-src-7.0.4.tar.gz b/forgejo-src-7.0.4.tar.gz new file mode 100644 index 0000000..67a2e11 --- /dev/null +++ b/forgejo-src-7.0.4.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:881e55d92a4145238a8e7a39dd5c64d547c7629361005ded0393f33ec9e6bba4 +size 54935871 diff --git a/forgejo-src-7.0.4.tar.gz.asc b/forgejo-src-7.0.4.tar.gz.asc new file mode 100644 index 0000000..3a0de9c --- /dev/null +++ b/forgejo-src-7.0.4.tar.gz.asc 
@@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- + +iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZmsYGwAKCRCkthotxZI3 +EFMLAP0QcaXg/PGEw6IlE2gh2OxTl/iNK3vGUm2Rhi465noIzQEA7iwMYolVpLUB +EAz/8Fi3AbdynB+hLEqGBMS8bWw3hQA= +=XeV6 +-----END PGP SIGNATURE----- diff --git a/forgejo.changes b/forgejo.changes index 04e37bb..939b0bb 100644 --- a/forgejo.changes +++ b/forgejo.changes 
@@ -1,3 +1,34 @@ +------------------------------------------------------------------- +Sun Jun 16 12:52:27 UTC 2024 - Richard Rahl + +- update to 7.0.4: + * Fixed: CVE-2024-24789: the archive/zip package's handling of certain types + of invalid zip files differs from the behavior of most zip implementations. + This misalignment could be exploited to create an zip file with contents that + vary depending on the implementation reading the file. + * the OAuth2 implementation does not always require authentication for public + clients, a requirement of RFC 6749 Section 10.2 + * forgejo migrate-storage --type actions-artifacts always fails because it picks the wrong path. + * avatar files can be found in storage while they do not exist in the database. + * repository admins are always denied the right to force merge and instance admins + are subject to restrictions to merge that must only apply to repository admins. + * non conformance with the Nix tarball fetcher immutable link protocol. + * migrated activities (such as reviews) are mapped to the user who initiated the + migration rather than the Ghost user, if the external user cannot be mapped to a + local one. This mapping mismatch leads to internal server errors in some cases. + * a v7.0.0 regression causes [admin].SEND_NOTIFICATION_EMAIL_ON_NEW_USER=true to always be ignored. + * using a subquery for user deletion is a performance bottleneck when using mariadb 10 + because only mariadb 11 takes advantage of the available index. + * a v7.0.3 regression causes the expanding diffs in pull requests to fail with a 404 error. + * SourceHut Builds webhook fail when the triggers field is used. + * the label list rendering in the issue and pull request timeline is displayed on + multiple lines instead of a single one. + * Git hooks of this repository seem to be broken." warning when pushing more than one branch at a time. + * automerge does not happen when the approval count reaches the required threshold. 
+ * the FORCE_PRIVATE=true setting is not consistently enforced. + * CSRF validation errors when OAuth is not enabled. + * headlines in rendered org-mode do not have a margin on the top + ------------------------------------------------------------------- Wed May 22 20:41:58 UTC 2024 - Richard Rahl diff --git a/forgejo.spec b/forgejo.spec index f411a8b..50dca0a 100644 --- a/forgejo.spec +++ b/forgejo.spec @@ -30,7 +30,7 @@ %endif %endif Name: forgejo -Version: 7.0.3 +Version: 7.0.4 Release: 0 Summary: Self-hostable forge License: MIT
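Review bot: the new LFS pointer for forgejo-src-7.0.4.tar.gz records only `oid sha256:881e55d92a4145238a8e7a39dd5c64d547c7629361005ded0393f33ec9e6bba4` and `size 54935871`, and nothing in the patch ties that digest to what upstream published for the 7.0.4 release. Since the LFS oid is the sha256 of the file content, `sha256sum forgejo-src-7.0.4.tar.gz` on the tarball fetched from the upstream release must print exactly 881e55d9…bba4; please confirm that comparison was done against the upstream-published checksum, because on its own the pointer proves only that a 54,935,871-byte file was uploaded to the LFS store.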
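Review bot: the new detached signature is only worth shipping if the build verifies it, and the visible spec hunk changes nothing but Version, so whether the .asc is wired into the build as a Source with a pinned keyring cannot be seen here. What can be checked from the hunk itself is continuity of the signer: the base64 of the new signature shares its issuer-fingerprint subpacket bytes with the deleted 7.0.3 signature (`iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3` opens both), and those bytes decode to the v4 fingerprint EB11 4F5E 6C0D C2BC DD18 3550 A4B6 1A2D C592 3710, with the same issuer key ID A4B61A2DC5923710 in the unhashed subpackets. Please confirm that fingerprint matches the release key Forgejo publishes, that the key is tracked in the package rather than fetched at build time, and that `gpg --verify forgejo-src-7.0.4.tar.gz.asc forgejo-src-7.0.4.tar.gz` succeeds against that pinned key.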
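Review bot: the CVE-2024-24789 line in the new changelog entry describes a flaw in Go's archive/zip package rather than in Forgejo's own code, so bumping Version fixes it only if the Go toolchain OBS builds 7.0.4 with already carries the corrected archive/zip; a rebuild with an older toolchain would ship the same zip-parsing behaviour under a changelog that claims it fixed. Please note the Go version the build uses, or check that the BuildRequires enforces a patched one. Two wording slips were also copied into the entry: `an zip file` should read `a zip file`, and the line `* Git hooks of this repository seem to be broken." warning when pushing more than one branch at a time.` is missing its opening quotation mark.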
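Review bot: the spec change is only `-Version: 7.0.3` / `+Version: 7.0.4` with Release left at 0, which is the normal OBS convention, but because the 7.0.3 tarball and its .asc are deleted in the same commit, the spec's Source lines must derive the file names from %{version} (forgejo-src-%{version}.tar.gz and .asc) for the build to still find its inputs. Those lines sit outside this hunk, so please confirm they are version-derived rather than hard-coded, and, given the archive/zip fix the changelog claims, confirm whether the Go BuildRequires minimum needs to move in the same commit.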