Created attachment 177671 [details] update patch: update www/joomla3 to 3.6.4, modernize port, add pgsql, clean up permissions. The current maintainer hasn't touched the port in over a year, and it is 2 major versions out of date.
NOTE: There ARE security vulnerabilities in the previous version, https://developer.joomla.org/security-centre.html
Are both the mysqli and pgsql modules required? If not, they should be OPTIONS.
The code can pick, but you're probably right... I'll go make that change. (The original author only supported MySQL. I'm a PostgreSQL bigot.)
Created attachment 177672 [details] Add MYSQL/PGSQL options. Added MYSQL and PGSQL options to pick which DB (or both) you want.
Are you sure that everything needs to be owned by www? That doesn't seem right. www is supposed to be an unprivileged user. Shouldn't it only own the directories it needs to write to, and nothing else?
The auto-upgrade wants to replace stuff, and also adds extensions/etc. The original port had it all owned by www as well, AFAICT.
Does the auto-upgrade overwrite the files themselves installed by the port? I feel like www should only own the stuff it absolutely has to be able to write to. Sorry Larry, but I don't think that whether the port currently does it that way or not is relevant; you're asking to take maintainership, so you should make sure that it's using best practice.
Yes, it does update the files installed by the port. We could disable that functionality, but... with all the extensions, etc., that ADD stuff all over the tree, it really does need to have write access, and I don't want it to be 777. :)
That behaviour seems strange. What happens if the port gets reinstalled, PORTREVISION gets bumped, etc?
It would reinstall the base files, and then whine about needing an upgrade, but the releases are far between, and when a new release comes (March for 3.7) I'd update to the new GH tag. Also, there are thousands (literally) of extensions that can be web installed, and the server needs to add them all over its tree. Apache won't let a vhost run under a different UID :(
cache, logs, and tmp are the only directories that should be writable. It specifically notes in the Joomla setup guide to redirect anything writable out of the root of your joomla install. "Ensure that all configurable paths to writable or uploadable directories (document repositories, image galleries, caches) are outside of public_html. Check third party extensions such as DOCMan and Gallery2 for editable paths to writable directories." https://docs.joomla.org/Security_Checklist/Joomla!_Setup
Hrm. Then how are the auto-updater and the install-from-web option supposed to do their job? I'll go make the change, however. Thanks, Mark.
Oh, and since their installer needs to write to the root, at least temporarily, what's the right answer there?
I've sent a question to the Joomla! security folks. I'll wait to see what all they say.
I'm going to guess that the install-from-web and auto-updater are not expected to work if it is installed from an OS-provided package with file permissions locked down. I'm curious to hear what the Joomla folks have to say, though. In the WordPress world I know they added the ability to ftp/sftp to localhost to update the files so they don't have to be owned by the webserver user. Maybe they do something like that?
Response from the JSST:

[quote]
Hi Larry,

For extension installation and core updates to work, the web space does need to have appropriate write permissions. There are some files that can be locked to read only (such as configuration.php, which Joomla does when saving the global configuration) as they generally won't change once in place. For Joomla to run, files don't need to be writable except for the cache and logs directories (the tmp directory is mainly used during install/update, though some extensions may use it as well), but if someone were to take extra steps to lock down their filesystem, they would need to make the files writable long enough to perform any updates then switch it back.

-- Joomla! Security Strike Team security@joomla.org {#HS:287528464-29#}
[/quote]

So I am going to leave the www:www ownership.
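The JSST reply above describes a locked-down layout: the tree read-only to the server except cache, logs and tmp, with configuration.php read-only, and write access restored only for the duration of an update. The script below is an added example written for this PR discussion; it is not part of the joomla3 port or of Joomla itself. It assumes FreeBSD's www user/group, a document root passed as an argument, and the directory names listed in WRITABLE_DIRS (administrator/cache and administrator/logs are assumed to exist alongside the top-level ones). `lockdown_joomla` applies the layout and `audit_writable` reports anything outside the allowed directories that the server group or anyone else could write to.

```shell
#!/bin/sh
# Added example (not from the PR or the joomla3 port): lock a Joomla document
# root down the way the JSST reply describes, then audit the result.
# Assumptions: www:www is the web server identity (FreeBSD default), the
# directory names in WRITABLE_DIRS, and that lockdown runs as a user able
# to chown (normally root).
set -eu

# Directories the web server must be able to write to. The administrator/
# entries are assumed here; adjust to match the installed tree.
WRITABLE_DIRS="cache logs tmp administrator/cache administrator/logs"

# lockdown_joomla DOCROOT OWNER WEBGROUP
#   Files become OWNER:WEBGROUP 0644, directories 0755, configuration.php
#   0444. WRITABLE_DIRS get 2775 (setgid so new files inherit WEBGROUP)
#   with 0664 files, so only the server group can write there.
lockdown_joomla() {
    docroot="$1"; owner="$2"; webgroup="$3"
    chown -R "$owner:$webgroup" "$docroot"
    find "$docroot" -type d -exec chmod 0755 {} +
    find "$docroot" -type f -exec chmod 0644 {} +
    if [ -f "$docroot/configuration.php" ]; then
        chmod 0444 "$docroot/configuration.php"
    fi
    for d in $WRITABLE_DIRS; do
        [ -d "$docroot/$d" ] || continue
        find "$docroot/$d" -type d -exec chmod 2775 {} +
        find "$docroot/$d" -type f -exec chmod 0664 {} +
    done
}

# audit_writable DOCROOT
#   Lists (on stderr) every path outside WRITABLE_DIRS that is group- or
#   world-writable, and prints the count on stdout. 0 means the tree
#   matches the locked-down layout; run it after an update to confirm
#   write access was switched back.
audit_writable() {
    docroot="$1"
    prune=""
    for d in $WRITABLE_DIRS; do
        prune="$prune -path $docroot/$d -prune -o"
    done
    # -perm -020: group write bit set; -perm -002: other write bit set.
    # shellcheck disable=SC2086
    n=$(find "$docroot" $prune \( -perm -020 -o -perm -002 \) -print \
        | tee /dev/stderr | wc -l | tr -d ' ')
    echo "$n"
}

# Usage (no-op when sourced without arguments):
#   sh joomla-perms.sh lockdown /usr/local/www/joomla3
#   sh joomla-perms.sh audit    /usr/local/www/joomla3
case "${1:-}" in
    lockdown) lockdown_joomla "$2" root www ;;
    audit)    audit_writable "$2" ;;
esac
```

During an extension install or core update, the operator temporarily grants the server write access (for example `chown -R www:www` on the root), runs the update, then reruns `lockdown_joomla` and checks that `audit_writable` reports 0. The audit deliberately ignores ownership and only looks at mode bits, so it reports the same problems whether the stray files are owned by www or by root.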
Created attachment 178165 [details] 3.6.5 security update. 3.6.5/Security updates. https://developer.joomla.org/security-centre.html CVE-2016-9837, CVE-2016-9836, CVE-2016-9838, CVE-2016-9081, CVE-2016-8869, CVE-2016-8870
A commit references this bug:

Author: adamw
Date: Wed Dec 21 21:56:31 UTC 2016
New revision: 429131
URL: https://svnweb.freebsd.org/changeset/ports/429131

Log:
Update to 3.6.5, which resolves a number of CVEs. Add postgresql support via a knob, and pass maintainership to submitter.

Thanks to nivit for looking after this port for so long.

PR: 215058
Submitted by: Larry Rosenman
Approved by: maintainer timeout
MFH: 2016Q4
Security: CVE-2016-8869
Security: CVE-2016-8870
Security: CVE-2016-9081
Security: CVE-2016-9836
Security: CVE-2016-9837
Security: CVE-2016-9838

Changes:
head/www/joomla3/Makefile
head/www/joomla3/distinfo
head/www/joomla3/files/pkg-message.in
head/www/joomla3/pkg-plist
Committed with small modifications after timeout. Good work on this, Larry. I'm going to keep this PR open until it's merged to quarterly.
A commit references this bug:

Author: adamw
Date: Thu Dec 22 02:03:22 UTC 2016
New revision: 429136
URL: https://svnweb.freebsd.org/changeset/ports/429136

Log:
MFH: r429131

Update to 3.6.5, which addresses a number of CVEs. Add postgresql support via a knob, and pass maintainership to submitter.

Thanks to nivit for looking after this port for so long.

PR: 215058
Submitted by: Larry Rosenman
Approved by: maintainer timeout
Security: CVE-2016-8869
Security: CVE-2016-8870
Security: CVE-2016-9081
Security: CVE-2016-9836
Security: CVE-2016-9837
Security: CVE-2016-9838
Approved by: ports-secteam (junovitch)

Changes:
_U branches/2016Q4/
branches/2016Q4/www/joomla3/Makefile
branches/2016Q4/www/joomla3/distinfo
branches/2016Q4/www/joomla3/files/pkg-message.in
branches/2016Q4/www/joomla3/pkg-plist
Merge to quarterly is done.
A commit references this bug:

Author: junovitch
Date: Thu Dec 22 03:21:59 UTC 2016
New revision: 429139
URL: https://svnweb.freebsd.org/changeset/ports/429139

Log:
Document Joomla! security advisories since 3.4.6 was released. While here, update entry for 3.4.6 with final advisory information from JSST page.

A big thanks to Larry Rosenman for reporting the open issues and getting the port up to date.

PR: 215058
Reported by: Larry Rosenman <ler@lerctr.org>
Security: CVE-2016-8869
Security: CVE-2016-8870
Security: CVE-2016-9081
Security: CVE-2016-9836
Security: CVE-2016-9837
Security: CVE-2016-9838
Security: https://vuxml.FreeBSD.org/freebsd/624b45c0-c7f3-11e6-ae1b-002590263bf5.html
Security: https://vuxml.FreeBSD.org/freebsd/a27d234a-c7f2-11e6-ae1b-002590263bf5.html
Security: https://vuxml.FreeBSD.org/freebsd/c0ef061a-c7f0-11e6-ae1b-002590263bf5.html
Security: https://vuxml.FreeBSD.org/freebsd/f0806cad-c7f1-11e6-ae1b-002590263bf5.html

Changes:
head/security/vuxml/vuln.xml