pkgsrc-Changes archive


CVS commit: [pkgsrc-2024Q1] pkgsrc/www/php-concrete-cms



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Thu Apr 11 15:10:42 UTC 2024

Modified Files:
        pkgsrc/www/php-concrete-cms [pkgsrc-2024Q1]: Makefile PLIST distinfo

Log Message:
Pullup ticket #6845 - requested by taca
www/php-concrete-cms: security fix

Revisions pulled up:
- www/php-concrete-cms/Makefile                                 1.3
- www/php-concrete-cms/PLIST                                    1.2
- www/php-concrete-cms/distinfo                                 1.3

---
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Sun Apr  7 13:59:05 UTC 2024

   Modified Files:
        pkgsrc/www/php-concrete-cms: Makefile PLIST distinfo

   Log Message:
   www/php-concrete-cms: update to 9.2.8

   9.2.8 (2024-04-02)

   Bug Fixes

   * Fixed bug where c5:info console command would fail when run on a Concrete
     webroot if that webroot was not yet an installed Concrete site.

   * Fixed bug where logout link in toolbar would not work when user was logged
     in as an editor who could not view the Dashboard (thanks ounziw)

   Security Updates

   * Created CVE-2024-2753 Stored XSS on the calendar color settings screen and
     fixed it with commit 11988.  Prior to the fix, a rogue administrator could
     put malicious javascript on the Concrete CMS color setting screen which
     would have been triggered by and affected users who accessed the color
     settings screen.  The Concrete CMS security team gave this vulnerability
     a CVSS v3.1 score of 2.0 with a vector of
     AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N.

     Thank you Rikuto Tauchi for reporting HackerOne 2433383.

   * Created CVE-2024-3178 Cross-site Scripting (XSS) - Advanced File Search
     Filter and fixed it with commit 11988 for version 9 and commit 11989 for
     version 8.  Prior to the fix, a rogue administrator could add malicious
     code in the file manager because of insufficient validation of
     administrator-provided data.  All administrators have access to the File
     Manager and hence could create a search filter with the malicious code
     attached.  The Concrete CMS security team gave this vulnerability a CVSS
     v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L.

     Thank you Guram (javakhishvili) for reporting HackerOne 949443.

   * Created CVE-2024-3179 Stored XSS in the Custom Class page editing and
     fixed it with commit 11988 for version 9 and commit 11989 for version 8.
     Prior to the fix, a rogue administrator could insert malicious code in the
     custom class field due to insufficient validation of administrator-
     provided data.  Concrete CMS versions 9.2.8 and 8.5.13 no longer allow any
     non-alphanumeric characters in this CSS class.  The Concrete CMS security
     team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of
     AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L.  Thank you Alexey Solovyev for
     reporting HackerOne 918129.

   * Created and fixed [CVE-2024-3180](https://nvd.nist.gov/vuln/detail/CVE-2024-3180).
     Prior to the fix, stored XSS could be executed by a rogue administrator
     adding malicious code to the link-text field when creating a block of
     type file.  Fixed with commit 11988 for version 9 and commit 11989 for
     version 8.  The Concrete CMS security team gave this vulnerability a CVSS
     v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L.
     Thank you Alexey Solovyev for reporting HackerOne 903356.

   * Created CVE-2024-3181 Stored XSS in the Search Field.  Prior to the fix,
     stored XSS could be executed by an administrator changing a filter to
     which a rogue administrator had previously added malicious code.  The
     Concrete Team fixed this with commit 11988 for version 9 and commit 11989
     for version 8.  Thank you Alexey Solovyev for reporting HackerOne 918142.


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.2.2.1 pkgsrc/www/php-concrete-cms/Makefile \
    pkgsrc/www/php-concrete-cms/distinfo
cvs rdiff -u -r1.1 -r1.1.2.1 pkgsrc/www/php-concrete-cms/PLIST

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/php-concrete-cms/Makefile
diff -u pkgsrc/www/php-concrete-cms/Makefile:1.2 pkgsrc/www/php-concrete-cms/Makefile:1.2.2.1
--- pkgsrc/www/php-concrete-cms/Makefile:1.2    Sun Mar 10 14:40:26 2024
+++ pkgsrc/www/php-concrete-cms/Makefile        Thu Apr 11 15:10:42 2024
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.2 2024/03/10 14:40:26 taca Exp $
+# $NetBSD: Makefile,v 1.2.2.1 2024/04/11 15:10:42 bsiegert Exp $
 #
 
 DISTNAME=      concrete-cms-${GITHUB_RELEASE}
@@ -6,7 +6,7 @@ PKGNAME=        ${PHP_PKG_PREFIX}-${DISTNAME}
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=concretecms/}
 GITHUB_PROJECT=        concretecms
-GITHUB_RELEASE=        9.2.7
+GITHUB_RELEASE=        9.2.8
 EXTRACT_SUFX=  .zip
 
 MAINTAINER=    pkgsrc-users%NetBSD.org@localhost
Index: pkgsrc/www/php-concrete-cms/distinfo
diff -u pkgsrc/www/php-concrete-cms/distinfo:1.2 pkgsrc/www/php-concrete-cms/distinfo:1.2.2.1
--- pkgsrc/www/php-concrete-cms/distinfo:1.2    Sun Mar 10 14:40:26 2024
+++ pkgsrc/www/php-concrete-cms/distinfo        Thu Apr 11 15:10:42 2024
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.2 2024/03/10 14:40:26 taca Exp $
+$NetBSD: distinfo,v 1.2.2.1 2024/04/11 15:10:42 bsiegert Exp $
 
-BLAKE2s (concrete-cms-9.2.7.zip) = d2e4865a0655f5dc0db55a0d34d0992c19715f6cb65a745b03d3fb921e77ea87
-SHA512 (concrete-cms-9.2.7.zip) = 9300ae11119217e1b641004bf0536f785a0b0b3b5ec0787bfcfacab3165e125fb3032003092ecbc42cc344619d821aa2e28545ee3a0fc6f195173d856c3a961b
-Size (concrete-cms-9.2.7.zip) = 76117302 bytes
+BLAKE2s (concrete-cms-9.2.8.zip) = 413b77d973b4fe0fd85decc9fdf94ccc18aacef7fc691d86d7eb0a4d52011e05
+SHA512 (concrete-cms-9.2.8.zip) = 932df86c9ebdbcd1074a9cc87ab803eff91024d80861b953841629dd9ec0dcea0aeeaaba79d78f463e2f5680fa5a2744f1127a8a1b48173b501213ff52062a09
+Size (concrete-cms-9.2.8.zip) = 76118976 bytes
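Review bot: the three replaced distinfo entries are consistent with the new DISTNAME concrete-cms-9.2.8.zip from the Makefile hunk, and since these checksums are the only integrity check pkgsrc applies to the fetched distfile on the stable branch, they should come from a fresh `make distinfo` against the 9.2.8 release asset rather than be copied from another tree; the 1674-byte size difference against 9.2.7 is plausible for a point release.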

Index: pkgsrc/www/php-concrete-cms/PLIST
diff -u pkgsrc/www/php-concrete-cms/PLIST:1.1 pkgsrc/www/php-concrete-cms/PLIST:1.1.2.1
--- pkgsrc/www/php-concrete-cms/PLIST:1.1       Mon Feb 26 15:06:27 2024
+++ pkgsrc/www/php-concrete-cms/PLIST   Thu Apr 11 15:10:42 2024
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.1 2024/02/26 15:06:27 taca Exp $
+@comment $NetBSD: PLIST,v 1.1.2.1 2024/04/11 15:10:42 bsiegert Exp $
 ${CC_DOCDIR}/README
 ${CC_WEBDIR}/LICENSE.TXT
 ${CC_WEBDIR}/application/bootstrap/app.php
@@ -20421,6 +20421,7 @@ ${CC_WEBDIR}/concrete/vendor/zircote/swa
 ${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/AugmentParameters.php
 ${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/AugmentProperties.php
 ${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/AugmentRefs.php
+${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/AugmentRequestBody.php
 ${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/AugmentSchemas.php
 ${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/BuildPaths.php
 ${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/CleanUnmerged.php
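Review bot: the only PLIST change is a new file under concrete/vendor/zircote/swagger-php, so the bundled vendor tree moved in 9.2.8 as well as the CMS code; the log message lists only the CMS CVEs, and a one-line note that vendored dependencies changed would help anyone auditing what this security pullup actually ships.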


