www/gitea: Update version 1.21.0=>1.21.3

- Add relevant vuxml entry
- Move pkg-message to SUB_FILES as we are using PREFIX

Changelog: https://blog.gitea.com/release-of-1.21.3/

PR:		275742
Approved by:	submitter is maintainer

security/vuxml/vuln/2023.xml

@@ -1,3 +1,59 @@
+  <vuln vid="b2765c89-a052-11ee-bed2-596753f1a87c">
+    <topic>gitea -- Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin</topic>
+    <affects>
+      <package>
+	<name>gitea</name>
+	<range><lt>1.21.3</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Gitea team reports:</p>
+	<blockquote cite="https://github.com/go-gitea/gitea/pull/28519">
+	  <p>Update golang.org/x/crypto</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://github.com/go-gitea/gitea/releases/tag/v1.21.3</url>
+    </references>
+    <dates>
+      <discovery>2023-12-19</discovery>
+      <entry>2023-12-21</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="482bb980-99a3-11ee-b5f7-6bd56600d90c">
+    <topic>gitea -- missing permission checks</topic>
+    <affects>
+      <package>
+	<name>gitea</name>
+	<range><lt>1.21.2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Gitea team reports:</p>
+	<blockquote cite="https://github.com/go-gitea/gitea/pull/28406">
+	  <p>Fix missing check</p>
+	</blockquote>
+	<blockquote cite="https://github.com/go-gitea/gitea/pull/28423">
+	  <p>Do some missing checks</p>
+	</blockquote>
+        <p>By crafting an API request, attackers can access the contents of
+        issues even though the logged-in user does not have access rights to
+        these issues.</p>
+      </body>
+    </description>
+    <references>
+      <url>https://github.com/go-gitea/gitea/releases/tag/v1.21.2</url>
+    </references>
+    <dates>
+      <discovery>2023-08-30</discovery>
+      <entry>2023-09-10</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="0f7598cc-9fe2-11ee-b47f-901b0e9408dc">
     <topic>nebula -- security fix for terrapin vulnerability</topic>
     <affects>

www/gitea/Makefile

@@ -1,7 +1,6 @@
 PORTNAME=	gitea
 DISTVERSIONPREFIX=	v
-DISTVERSION=	1.21.0
-PORTREVISION=	1
+DISTVERSION=	1.21.3
 CATEGORIES=	www
 MASTER_SITES=	https://github.com/go-gitea/gitea/releases/download/${DISTVERSIONPREFIX}${DISTVERSION}/ \
 		https://dl.gitea.io/gitea/${DISTVERSION}/
@@ -20,7 +19,7 @@ USES=		cpe gmake go:1.21,no_targets
 USE_RC_SUBR=	gitea
 
 EXTRACT_AFTER_ARGS=	--strip-components 1 # since 1.17.0, archive includes gitea-src-VERSION directory
-SUB_FILES+=	app.ini.sample
+SUB_FILES+=	app.ini.sample pkg-message
 SUB_LIST+=	GITUSER=${USERS}
 
 NO_WRKSUBDIR=	yes

www/gitea/distinfo

@@ -1,3 +1,3 @@
-TIMESTAMP = 1699991932
-SHA256 (gitea-src-1.21.0.tar.gz) = 69b12778b3b5f24aecff08d8e5122e4edf784bda2e4335b77f2bbd0404a11a93
-SIZE (gitea-src-1.21.0.tar.gz) = 53744981
+TIMESTAMP = 1703201941
+SHA256 (gitea-src-1.21.3.tar.gz) = b490bda7bfbe95bde50f4c98478a80b4539344140ad9290d083e9393e83d33bf
+SIZE (gitea-src-1.21.3.tar.gz) = 53775315

www/gitea/files/pkg-message.in

@@ -1,4 +1,19 @@
 [
+{ type: upgrade
+  maximum_version: 1.20.0
+  message: <<EOM
+Please make sure to empty or maintain the contents of the
+%%PREFIX%%/share/gitea folder between your upgrades of gitea.
+Changes between versions can break the web UI due to residual
+files from earlier versions.
+
+1.21.0 has a breaking change regarding the public assets folder. In case
+you use a proxying webserver serving the files, you need to update your
+configuration:
+
+https://github.com/go-gitea/gitea/pull/25907
+EOM
+}
 { type: upgrade
   maximum_version: 1.7.6
   message: <<EOM