Thu Apr 11 15:10:42 2024 UTC
Pullup ticket #6845 - requested by taca
www/php-concrete-cms: security fix

Revisions pulled up:
- www/php-concrete-cms/Makefile                                 1.3
- www/php-concrete-cms/PLIST                                    1.2
- www/php-concrete-cms/distinfo                                 1.3

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Sun Apr  7 13:59:05 UTC 2024

   Modified Files:
   	pkgsrc/www/php-concrete-cms: Makefile PLIST distinfo

   Log Message:
   www/php-concrete-cms: update to 9.2.8

   9.2.8 (2024-04-02)

   Bug Fixes

   * Fixed bug where c5:info console command would fail when run on a Concrete
     webroot if that webroot was not yet an installed Concrete site.

   * Fixed bug where logout link in toolbar would not work when user was logged
     in as an editor who could not view the Dashboard (thanks ounziw)

   Security Updates

   * Created CVE-2024-2753 Stored XSS on the calendar color settings screen and
     fixed it with commit 11988.  Prior to the fix, a rogue administrator could
     put malicious javascript on the Concrete CMS color setting screen which
     would have been triggered by and affected users who accessed the color
     settings screen.  The Concrete CMS security team gave this vulnerability
     a CVSS v3.1 score of 2.0 with a vector of
     AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

     Thank you Rikuto Tauchi for reporting HackerOne 2433383.

   * Created CVE-2024-3178 Cross-site Scripting (XSS) - Advanced File Search
     Filter and fixed it with commit 11988 for version 9 and commit 11989 for
     version 8.  Prior to the fix, a rogue administrator could add malicious
     code in the file manager because of insufficient validation of
     administrator provided data.  All administrators have access to the File
     Manager and hence could create a search filter with the malicious code
     attached.  The Concrete CMS security team gave this vulnerability a CVSS
     v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L

     Thank you Guram (javakhishvili) for reporting HackerOne 949443.

   * Created CVE-2024-3179 Stored XSS in the Custom Class page editing and
     fixed it with commit 11988 for version 9 and commit 11989 for version 8.
     Prior to the fix, a rogue administrator could insert malicious code in the
     custom class field due to insufficient validation of administrator
     provided data.  Concrete CMS version 9.2.8 and 8.5.13 no longer allow any
     non alphanumeric characters in this CSS class.  The Concrete CMS security
     team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of
     AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L Thank you Alexey Solovyev for
     reporting HackerOne 918129.

   * Created and fixed [CVE-2024-3180](https://nvd.nist.gov/vuln/detail/CVE-2024-3180).
     Prior to fix, stored XSS could be executed by a rogue administrator adding
     malicious code to the link-text field when creating a block of type file.
     Fixed with commit 11988 for version 9 and commit 11989 for version 8.  The
     Concrete CMS security team gave this vulnerability a CVSS v3.1 score of
     3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L Thank you Alexey
     Solovyev for reporting HackerOne 903356.

   * Created CVE-2024-3181 Stored XSS in the Search Field.  Prior to the fix,
     stored XSS could be executed by an administrator changing a filter to
     which a rogue administrator had previously added malicious code.  The
     Concrete Team fixed this with commit 11988 for version 9 and commit 11989
     for version 8.  Thank you Alexey Solovyev for reporting HackerOne 918142.

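The release notes above describe two defensive patterns: an allow-list that accepts only alphanumeric characters for the stored CSS class, and escaping of administrator-supplied free text (such as a file block's link text) at render time. The PHP below is an added illustration of those two patterns, not Concrete CMS's own code and not the content of commits 11988 or 11989; the function names and the sample inputs are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not Concrete CMS code.
// Allow-list validation for a CSS class name coming from an
// administrator-editable field: only [A-Za-z0-9] is accepted, mirroring the
// rule the 9.2.8 release notes describe for the custom class field.
function isAllowedCssClass(string $value): bool
{
    // ctype_alnum() is false for the empty string and for any byte outside
    // [A-Za-z0-9], so quotes, angle brackets and spaces are all rejected.
    return ctype_alnum($value);
}

// Persist the value only if it passes the allow-list. Rejecting is safer
// than attempting to strip "bad" characters, which tends to leave bypasses.
function storeCustomClass(string $submitted, array &$storage): bool
{
    if (!isAllowedCssClass($submitted)) {
        return false;
    }
    $storage['customClass'] = $submitted;
    return true;
}

// Free-text fields such as link text cannot be limited to alphanumerics, so
// the stored value is escaped for the HTML body context when rendered.
// This addresses HTML/attribute injection only; a URL in href would still
// need separate scheme validation, which is out of scope here.
function renderFileLink(string $href, string $linkText): string
{
    $flags = ENT_QUOTES | ENT_HTML5;
    $safeHref = htmlspecialchars($href, $flags, 'UTF-8');
    $safeText = htmlspecialchars($linkText, $flags, 'UTF-8');
    return '<a href="' . $safeHref . '">' . $safeText . '</a>';
}

// Constructed sample inputs: a benign class name, a class name carrying an
// attribute-injection attempt, and link text carrying a script tag.
$storage = [];
var_dump(storeCustomClass('highlightBox', $storage));
var_dump(storeCustomClass('box" onmouseover="x()', $storage));
echo renderFileLink('/files/report.pdf', 'Report <script>x</script>'), PHP_EOL;
```

Both checks are deliberately independent: the allow-list stops the hostile value from ever being stored, while the escaping protects every reader of a page even when a field must accept arbitrary text.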

(bsiegert)
diff -r1.2 -r1.2.2.1 pkgsrc/www/php-concrete-cms/Makefile
diff -r1.2 -r1.2.2.1 pkgsrc/www/php-concrete-cms/distinfo
diff -r1.1 -r1.1.2.1 pkgsrc/www/php-concrete-cms/PLIST

cvs diff -r1.2 -r1.2.2.1 pkgsrc/www/php-concrete-cms/Makefile

--- pkgsrc/www/php-concrete-cms/Makefile 2024/03/10 14:40:26 1.2
+++ pkgsrc/www/php-concrete-cms/Makefile 2024/04/11 15:10:42 1.2.2.1
@@ -1,22 +1,22 @@ @@ -1,22 +1,22 @@
1# $NetBSD: Makefile,v 1.2 2024/03/10 14:40:26 taca Exp $ 1# $NetBSD: Makefile,v 1.2.2.1 2024/04/11 15:10:42 bsiegert Exp $
2# 2#
3 3
4DISTNAME= concrete-cms-${GITHUB_RELEASE} 4DISTNAME= concrete-cms-${GITHUB_RELEASE}
5PKGNAME= ${PHP_PKG_PREFIX}-${DISTNAME} 5PKGNAME= ${PHP_PKG_PREFIX}-${DISTNAME}
6CATEGORIES= www 6CATEGORIES= www
7MASTER_SITES= ${MASTER_SITE_GITHUB:=concretecms/} 7MASTER_SITES= ${MASTER_SITE_GITHUB:=concretecms/}
8GITHUB_PROJECT= concretecms 8GITHUB_PROJECT= concretecms
9GITHUB_RELEASE= 9.2.7 9GITHUB_RELEASE= 9.2.8
10EXTRACT_SUFX= .zip 10EXTRACT_SUFX= .zip
11 11
12MAINTAINER= pkgsrc-users@NetBSD.org 12MAINTAINER= pkgsrc-users@NetBSD.org
13HOMEPAGE= https://www.concretecms.org/ 13HOMEPAGE= https://www.concretecms.org/
14COMMENT= Concrete CMS, Open sourece Content Management System 14COMMENT= Concrete CMS, Open sourece Content Management System
15LICENSE= mit 15LICENSE= mit
16 16
17DEPENDS+= ${PHP_PKG_PREFIX}-pdo_mysql>=${PHP_BASE_VERS}:../../databases/php-pdo_mysql 17DEPENDS+= ${PHP_PKG_PREFIX}-pdo_mysql>=${PHP_BASE_VERS}:../../databases/php-pdo_mysql
18DEPENDS+= ${PHP_PKG_PREFIX}-gd>=${PHP_BASE_VERS}:../../graphics/php-gd 18DEPENDS+= ${PHP_PKG_PREFIX}-gd>=${PHP_BASE_VERS}:../../graphics/php-gd
19DEPENDS+= ${PHP_PKG_PREFIX}-curl>=${PHP_BASE_VERS}:../../www/php-curl 19DEPENDS+= ${PHP_PKG_PREFIX}-curl>=${PHP_BASE_VERS}:../../www/php-curl
20DEPENDS+= ${PHP_PKG_PREFIX}-zip>=${PHP_BASE_VERS}:../../archivers/php-zip 20DEPENDS+= ${PHP_PKG_PREFIX}-zip>=${PHP_BASE_VERS}:../../archivers/php-zip
21DEPENDS+= ${PHP_PKG_PREFIX}-iconv>=${PHP_BASE_VERS}:../../converters/php-iconv 21DEPENDS+= ${PHP_PKG_PREFIX}-iconv>=${PHP_BASE_VERS}:../../converters/php-iconv
22DEPENDS+= ${PHP_PKG_PREFIX}-mbstring>=${PHP_BASE_VERS}:../../converters/php-mbstring 22DEPENDS+= ${PHP_PKG_PREFIX}-mbstring>=${PHP_BASE_VERS}:../../converters/php-mbstring
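Review bot: the only substantive change in this hunk is GITHUB_RELEASE moving from 9.2.7 to 9.2.8 (line 9), which is the correct minimal pullup for a security fix with no PKGREVISION to reset; the COMMENT line (line 14) still carries the pre-existing typo "Open sourece" on both sides, which should be corrected in HEAD as a separate commit rather than folded into this pullup.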

cvs diff -r1.2 -r1.2.2.1 pkgsrc/www/php-concrete-cms/distinfo

--- pkgsrc/www/php-concrete-cms/distinfo 2024/03/10 14:40:26 1.2
+++ pkgsrc/www/php-concrete-cms/distinfo 2024/04/11 15:10:42 1.2.2.1
@@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
1$NetBSD: distinfo,v 1.2 2024/03/10 14:40:26 taca Exp $ 1$NetBSD: distinfo,v 1.2.2.1 2024/04/11 15:10:42 bsiegert Exp $
2 2
3BLAKE2s (concrete-cms-9.2.7.zip) = d2e4865a0655f5dc0db55a0d34d0992c19715f6cb65a745b03d3fb921e77ea87 3BLAKE2s (concrete-cms-9.2.8.zip) = 413b77d973b4fe0fd85decc9fdf94ccc18aacef7fc691d86d7eb0a4d52011e05
4SHA512 (concrete-cms-9.2.7.zip) = 9300ae11119217e1b641004bf0536f785a0b0b3b5ec0787bfcfacab3165e125fb3032003092ecbc42cc344619d821aa2e28545ee3a0fc6f195173d856c3a961b 4SHA512 (concrete-cms-9.2.8.zip) = 932df86c9ebdbcd1074a9cc87ab803eff91024d80861b953841629dd9ec0dcea0aeeaaba79d78f463e2f5680fa5a2744f1127a8a1b48173b501213ff52062a09
5Size (concrete-cms-9.2.7.zip) = 76117302 bytes 5Size (concrete-cms-9.2.8.zip) = 76118976 bytes
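Review bot: the BLAKE2s, SHA512 and Size entries all move together to concrete-cms-9.2.8.zip, so confirm they were regenerated with `make distinfo` from the fetched archive rather than copied in; a security pullup is exactly where a hash that does not match the intended distfile would silently undo the fix. The 1674-byte growth (76117302 to 76118976) is consistent with a small point release, and there are no patch checksums to update.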

cvs diff -r1.1 -r1.1.2.1 pkgsrc/www/php-concrete-cms/PLIST

--- pkgsrc/www/php-concrete-cms/PLIST 2024/02/26 15:06:27 1.1
+++ pkgsrc/www/php-concrete-cms/PLIST 2024/04/11 15:10:42 1.1.2.1
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1@comment $NetBSD: PLIST,v 1.1 2024/02/26 15:06:27 taca Exp $ 1@comment $NetBSD: PLIST,v 1.1.2.1 2024/04/11 15:10:42 bsiegert Exp $
2${CC_DOCDIR}/README 2${CC_DOCDIR}/README
3${CC_WEBDIR}/LICENSE.TXT 3${CC_WEBDIR}/LICENSE.TXT
4${CC_WEBDIR}/application/bootstrap/app.php 4${CC_WEBDIR}/application/bootstrap/app.php
5${CC_WEBDIR}/application/bootstrap/autoload.php 5${CC_WEBDIR}/application/bootstrap/autoload.php
6${CC_WEBDIR}/application/bootstrap/start.php 6${CC_WEBDIR}/application/bootstrap/start.php
7${CC_WEBDIR}/application/files/index.html 7${CC_WEBDIR}/application/files/index.html
8${CC_WEBDIR}/application/index.html 8${CC_WEBDIR}/application/index.html
9${CC_WEBDIR}/composer.json 9${CC_WEBDIR}/composer.json
10${CC_WEBDIR}/composer.lock 10${CC_WEBDIR}/composer.lock
11${CC_WEBDIR}/concrete/api/swagger/index.css 11${CC_WEBDIR}/concrete/api/swagger/index.css
12${CC_WEBDIR}/concrete/api/swagger/swagger-ui-bundle.js 12${CC_WEBDIR}/concrete/api/swagger/swagger-ui-bundle.js
13${CC_WEBDIR}/concrete/api/swagger/swagger-ui-es-bundle-core.js 13${CC_WEBDIR}/concrete/api/swagger/swagger-ui-es-bundle-core.js
14${CC_WEBDIR}/concrete/api/swagger/swagger-ui-es-bundle.js 14${CC_WEBDIR}/concrete/api/swagger/swagger-ui-es-bundle.js
@@ -20411,26 +20411,27 @@ ${CC_WEBDIR}/concrete/vendor/zircote/swa @@ -20411,26 +20411,27 @@ ${CC_WEBDIR}/concrete/vendor/zircote/swa
20411${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Attributes/ServerVariable.php 20411${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Attributes/ServerVariable.php
20412${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Attributes/Tag.php 20412${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Attributes/Tag.php
20413${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Attributes/Trace.php 20413${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Attributes/Trace.php
20414${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Attributes/Webhook.php 20414${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Attributes/Webhook.php
20415${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Attributes/Xml.php 20415${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Attributes/Xml.php
20416${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Attributes/XmlContent.php 20416${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Attributes/XmlContent.php
20417${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Context.php 20417${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Context.php
20418${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Generator.php 20418${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Generator.php
20419${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Loggers/ConsoleLogger.php 20419${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Loggers/ConsoleLogger.php
20420${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Loggers/DefaultLogger.php 20420${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Loggers/DefaultLogger.php
20421${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/AugmentParameters.php 20421${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/AugmentParameters.php
20422${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/AugmentProperties.php 20422${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/AugmentProperties.php
20423${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/AugmentRefs.php 20423${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/AugmentRefs.php
 20424${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/AugmentRequestBody.php
20424${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/AugmentSchemas.php 20425${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/AugmentSchemas.php
20425${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/BuildPaths.php 20426${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/BuildPaths.php
20426${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/CleanUnmerged.php 20427${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/CleanUnmerged.php
20427${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/CleanUnusedComponents.php 20428${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/CleanUnusedComponents.php
20428${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/Concerns/CollectorTrait.php 20429${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/Concerns/CollectorTrait.php
20429${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/Concerns/DocblockTrait.php 20430${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/Concerns/DocblockTrait.php
20430${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/Concerns/MergePropertiesTrait.php 20431${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/Concerns/MergePropertiesTrait.php
20431${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/Concerns/RefTrait.php 20432${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/Concerns/RefTrait.php
20432${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/Concerns/TypesTrait.php 20433${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/Concerns/TypesTrait.php
20433${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/DocBlockDescriptions.php 20434${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/DocBlockDescriptions.php
20434${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/ExpandClasses.php 20435${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/ExpandClasses.php
20435${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/ExpandEnums.php 20436${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/ExpandEnums.php
20436${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/ExpandInterfaces.php 20437${CC_WEBDIR}/concrete/vendor/zircote/swagger-php/src/Processors/ExpandInterfaces.php
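Review bot: the single added entry, concrete/vendor/zircote/swagger-php/src/Processors/AugmentRequestBody.php, is in sorted position, but a new file under the vendored swagger-php tree means the bundled composer dependency changed as well, which the log message does not mention; the pullup ticket should note the vendor bump, and since this PLIST is over 20,000 lines and only two hunks are shown, the full file should be confirmed against `make print-PLIST` for the 9.2.8 archive.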