Bug 260675 - www/matomo: Update to 4.6.2
Summary: www/matomo: Update to 4.6.2
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Jochen Neumeister
URL: https://matomo.org/changelog/matomo-4...
Keywords: needs-qa, security
Depends on:
Blocks:
 
Reported: 2021-12-25 09:51 UTC by Andrej Ebert
Modified: 2021-12-31 06:51 UTC

See Also:
bugzilla: maintainer-feedback? (joneum)
koobs: merge-quarterly?


Attachments
git diff (42.25 KB, patch)
2021-12-25 09:51 UTC, Andrej Ebert
poudriere-testport log (38.15 KB, text/plain)
2021-12-25 09:52 UTC, Andrej Ebert
poudriere-portlint (90 bytes, text/plain)
2021-12-25 09:53 UTC, Andrej Ebert
git diff without maintainer change (42.08 KB, patch)
2021-12-25 22:24 UTC, Andrej Ebert
andrej: maintainer-approval? (joneum)

Description Andrej Ebert 2021-12-25 09:51:09 UTC
Created attachment 230383
git diff

Changes:

https://matomo.org/changelog/matomo-4-6-0/

https://matomo.org/changelog/matomo-4-6-2/

There is a security relevant bug fixed, but I didn't find a CVE for it and the description in the changelog is rather... superficial:

[snip]
Security release

This is a major security release.

We fixed an issue where it was possible to gain access to any Matomo user account on a server running Nginx, where the Matomo user login is known and two-factor authentication is disabled and if the Matomo user could be tricked into doing some specific action. It is strongly recommended to use two-factor authentication for the safety of your account.

This issue was responsibly disclosed to our Security team. 
[/snip]

Also changed maintainer to myself, as suggested by current maintainer here: bug #254157, comment #4

And now the patch to suppress the file integrity warning caused by the shebangfix to misc/log-analytics/import_logs.py actually made it to the diff :)
Comment 1 Andrej Ebert 2021-12-25 09:52:58 UTC
Created attachment 230384
poudriere-testport log
Comment 2 Andrej Ebert 2021-12-25 09:53:45 UTC
Created attachment 230385
poudriere-portlint
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2021-12-25 10:05:41 UTC
^Triage: Pending VuXML entry
Comment 4 Jochen Neumeister freebsd_committer freebsd_triage 2021-12-25 21:41:11 UTC
Maintainer change not approved
Comment 5 Andrej Ebert 2021-12-25 22:24:53 UTC
Created attachment 230410
git diff without maintainer change

Removed the maintainer change, everything else is the same as before
Comment 6 Andrej Ebert 2021-12-25 22:38:29 UTC
Also upgraded to this version on my one running instance of matomo, went without any problems.
Comment 7 commit-hook freebsd_committer freebsd_triage 2021-12-31 06:50:22 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7bc5b0d6ab019927d30e646a940471d6d291fd69

commit 7bc5b0d6ab019927d30e646a940471d6d291fd69
Author:     Jochen Neumeister <joneum@FreeBSD.org>
AuthorDate: 2021-12-31 06:48:19 +0000
Commit:     Jochen Neumeister <joneum@FreeBSD.org>
CommitDate: 2021-12-31 06:48:19 +0000

    www/matomo: Update to 4.6.2

    PR:     260675
    Sponsored by:   Netzkommune GmbH

 www/matomo/Makefile                                |   2 +-
 www/matomo/distinfo                                |   6 +-
 .../files/patch-config_manifest.inc.php (new)      |  11 +
 www/matomo/files/pkg-message.in                    |   2 +-
 www/matomo/pkg-plist                               | 445 ++++++++-------------
 5 files changed, 178 insertions(+), 288 deletions(-)