The entire attitude is shit. Could just contact the developers as outlined, instead of being a prude about it for some clout.
I understand what you're saying, but Forgejo has an outdated and made-up-from-thin-air policy. From their security.md:
And it just goes on, like someone from 2003 wrote that policy.
Now, I'm going to agree with you that it's a bit of a dick move to do the carrot dangle thing, but some vendors/devs just don't respond without the pressure. And Forgejo has been forced by GitHub supporters to implement a security policy after trying to ignore it.
It seems that the author has some ongoing interactions with Forgejo, and it would be great if these were disclosed in the article, but Forgejo seems to need a kick in the pants, especially over an RCE, the forbidden sev 10 of vulns.
PGP/GPG has existed for decades as a way to encrypt email.
Sure, but with some key management. You can't just send an encrypted email unannounced.
If you replaced Forgejo with GitHub then I would understand, but Forgejo isn't a massive organization with hundreds of hired employees, it's run by people in their spare time with the option of donations.
Anyone can help contribute. Instead of doing that, this guy decided to try and get some clout by being an asshole because he is butthurt about some other interaction. If this guy went about it the proper way and then still got no answer or fix after months, then I would understand more, but he didn't.