Date: Sun, 7 Apr 2024 13:59:06 +0000
From: "Takahiro Kambe"
Subject: CVS commit: pkgsrc/www/php-concrete-cms
To: pkgsrc-changes@NetBSD.org
Reply-To: taca@netbsd.org
Message-Id: <20240407135906.0A1A3FA2C@cvs.NetBSD.org>

Module Name:    pkgsrc
Committed By:   taca
Date:           Sun Apr  7 13:59:05 UTC 2024

Modified Files:
        pkgsrc/www/php-concrete-cms: Makefile PLIST distinfo

Log Message:
www/php-concrete-cms: update to 9.2.8

9.2.8 (2024-04-02)

Bug Fixes

* Fixed bug where c5:info console command would fail when run on a Concrete webroot if that webroot was not yet an installed Concrete site.
* Fixed bug where logout link in toolbar would not work when user was logged in as an editor who could not view the Dashboard (thanks ounziw).

Security Updates

* Created CVE-2024-2753 Stored XSS on the calendar color settings screen and fixed it with commit 11988. Prior to the fix, a rogue administrator could put malicious javascript on the Concrete CMS color setting screen which would have been triggered by and affected users who accessed the color settings screen. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 2.0 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N. Thank you Rikuto Tauchi for reporting HackerOne 2433383.
* Created CVE-2024-3178 Cross-site Scripting (XSS) - Advanced File Search Filter and fixed it with commit 11988 for version 9 and commit 11989 for version 8. Prior to the fix, a rogue administrator could add malicious code in the file manager because of insufficient validation of administrator provided data. All administrators have access to the File Manager and hence could create a search filter with the malicious code attached. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L. Thank you Guram (javakhishvili) for reporting HackerOne 949443.
* Created CVE-2024-3179 Stored XSS in the Custom Class page editing and fixed it with commit 11988 for version 9 and commit 11989 for version 8. Prior to the fix, a rogue administrator could insert malicious code in the custom class field due to insufficient validation of administrator provided data. Concrete CMS version 9.2.8 and 8.5.13 no longer allow any non-alphanumeric characters in this CSS class. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L. Thank you Alexey Solovyev for reporting HackerOne 918129.
* Created and fixed CVE-2024-3180 (https://nvd.nist.gov/vuln/detail/CVE-2024-3180). Prior to the fix, stored XSS could be executed by a rogue administrator adding malicious code to the link-text field when creating a block of type file. Fixed with commit 11988 for version 9 and commit 11989 for version 8. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L. Thank you Alexey Solovyev for reporting HackerOne 903356.
* Created CVE-2024-3181 Stored XSS in the Search Field. Prior to the fix, stored XSS could be executed by an administrator changing a filter to which a rogue administrator had previously added malicious code. The Concrete Team fixed this with commit 11988 for version 9 and commit 11989 for version 8. Thank you Alexey Solovyev for reporting HackerOne 918142.

To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 pkgsrc/www/php-concrete-cms/Makefile \
    pkgsrc/www/php-concrete-cms/distinfo
cvs rdiff -u -r1.1 -r1.2 pkgsrc/www/php-concrete-cms/PLIST

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
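The custom class hardening described in the CVE-2024-3179 entry, as an added example in PHP that is not Concrete CMS code and not the change in commit 11988: it applies the alphanumeric-only allowlist the changelog states and keeps output escaping around the value as a second layer. The class name, the method names and that defense-in-depth escaping are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example, not Concrete CMS code: models the 9.2.8/8.5.13 rule that a
// block's custom CSS class may contain only alphanumeric characters.
final class CustomClassValidator
{
    // Allowlist exactly as the changelog states: letters and digits, nothing else.
    private const PATTERN = '/^[A-Za-z0-9]+$/';

    /** Returns the value when it passes the allowlist, null when it is rejected. */
    public static function validate(string $value): ?string
    {
        return preg_match(self::PATTERN, $value) === 1 ? $value : null;
    }

    /**
     * Builds the class attribute for the block wrapper. The allowlisted value
     * is still HTML-escaped on output; that second layer is an assumption of
     * this example, not something the changelog describes.
     */
    public static function attribute(string $value): string
    {
        $class = self::validate($value);
        if ($class === null) {
            throw new InvalidArgumentException('custom class must be alphanumeric');
        }
        return 'class="' . htmlspecialchars($class, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
    }
}

// Constructed inputs: what the hardened field accepts versus what it rejects.
$cases = [
    'featuredBlock' => true,
    'col2'          => true,
    'my-class'      => false, // a hyphen is non-alphanumeric, so it is rejected too
    'foo"bar'       => false, // attribute-breaking characters never reach the page
    'a b'           => false, // no multi-class lists under the alphanumeric-only rule
    ''              => false,
];
foreach ($cases as $input => $expected) {
    if ((CustomClassValidator::validate($input) !== null) !== $expected) {
        throw new RuntimeException("unexpected verdict for '{$input}'");
    }
}
echo CustomClassValidator::attribute('featuredBlock'), PHP_EOL;
```

Note the hyphen case: under the rule as stated, conventional hyphenated class names are rejected along with hostile input, which is the trade-off a site administrator will notice first after upgrading.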
--_----------=_171249834676010 Content-Disposition: inline Content-Length: 2892 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/www/php-concrete-cms/Makefile diff -u pkgsrc/www/php-concrete-cms/Makefile:1.2 pkgsrc/www/php-concrete-cms/Makefile:1.3 --- pkgsrc/www/php-concrete-cms/Makefile:1.2 Sun Mar 10 14:40:26 2024 +++ pkgsrc/www/php-concrete-cms/Makefile Sun Apr 7 13:59:05 2024 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.2 2024/03/10 14:40:26 taca Exp $ +# $NetBSD: Makefile,v 1.3 2024/04/07 13:59:05 taca Exp $ # DISTNAME= concrete-cms-${GITHUB_RELEASE} @@ -6,7 +6,7 @@ PKGNAME= ${PHP_PKG_PREFIX}-${DISTNAME} CATEGORIES= www MASTER_SITES= ${MASTER_SITE_GITHUB:=concretecms/} GITHUB_PROJECT= concretecms -GITHUB_RELEASE= 9.2.7 +GITHUB_RELEASE= 9.2.8 EXTRACT_SUFX= .zip MAINTAINER= pkgsrc-users@NetBSD.org Index: pkgsrc/www/php-concrete-cms/distinfo diff -u pkgsrc/www/php-concrete-cms/distinfo:1.2 pkgsrc/www/php-concrete-cms/distinfo:1.3 --- pkgsrc/www/php-concrete-cms/distinfo:1.2 Sun Mar 10 14:40:26 2024 +++ pkgsrc/www/php-concrete-cms/distinfo Sun Apr 7 13:59:05 2024 
@@ -1,5 +1,5 @@ -$NetBSD: distinfo,v 1.2 2024/03/10 14:40:26 taca Exp $ +$NetBSD: distinfo,v 1.3 2024/04/07 13:59:05 taca Exp $ -BLAKE2s (concrete-cms-9.2.7.zip) = d2e4865a0655f5dc0db55a0d34d0992c19715f6cb65a745b03d3fb921e77ea87 -SHA512 (concrete-cms-9.2.7.zip) = 9300ae11119217e1b641004bf0536f785a0b0b3b5ec0787bfcfacab3165e125fb3032003092ecbc42cc344619d821aa2e28545ee3a0fc6f195173d856c3a961b -Size (concrete-cms-9.2.7.zip) = 76117302 bytes +BLAKE2s (concrete-cms-9.2.8.zip) = 413b77d973b4fe0fd85decc9fdf94ccc18aacef7fc691d86d7eb0a4d52011e05 +SHA512 (concrete-cms-9.2.8.zip) = 932df86c9ebdbcd1074a9cc87ab803eff91024d80861b953841629dd9ec0dcea0aeeaaba79d78f463e2f5680fa5a2744f1127a8a1b48173b501213ff52062a09 +Size (concrete-cms-9.2.8.zip) = 76118976 bytes Index: pkgsrc/www/php-concrete-cms/PLIST diff -u pkgsrc/www/php-concrete-cms/PLIST:1.1 pkgsrc/www/php-concrete-cms/PLIST:1.2 --- pkgsrc/www/php-concrete-cms/PLIST:1.1 Mon Feb 26 15:06:27 2024 +++ pkgsrc/www/php-concrete-cms/PLIST Sun Apr 7 13:59:05 2024 @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.1 2024/02/26 15:06:27 taca Exp $ +@comment $NetBSD: PLIST,v 1.2 2024/04/07 13:59:05 taca Exp $ ${CC_DOCDIR}/README ${CC_WEBDIR}/LICENSE.TXT ${CC_WEBDIR}/application/bootstrap/app.php @@ -20421,6 +20421,7 @@ ${CC_WEBDIR}/concrete/vendor/zircote/swa ${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/AugmentParameters.php ${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/AugmentProperties.php ${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/AugmentRefs.php +${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/AugmentRequestBody.php ${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/AugmentSchemas.php ${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/BuildPaths.php ${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/CleanUnmerged.php --_----------=_171249834676010--
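Review bot: in the distinfo hunk, the BLAKE2s, SHA512 and Size lines for concrete-cms-9.2.8.zip replace the 9.2.7 ones, but the log message does not say how they were produced; for an update that closes five CVEs it would help reviewers if the log stated that the checksums were regenerated from a freshly fetched distfile (make distinfo) and that the archive is the upstream 9.2.8 release asset, so that the 1674-byte size change (76117302 to 76118976 bytes) can be read as a genuine upstream delta.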
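Review bot: the PLIST hunk adds a single file, ${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/AugmentRequestBody.php, which indicates the bundled swagger-php dependency moved between 9.2.7 and 9.2.8; since the log message reproduces only the Concrete CMS changelog, a line naming the vendored dependency change would make it easier to audit what else changed in the shipped vendor tree.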