Created attachment 159004 [details] Patch to update to 1.9.2.0

Long overdue, update to 1.9.2.0:

This fixes a number of important security issues, contained in:
- SUPEE-6285
- SUPEE-5994
- SUPEE-5344
- SUPEE-1533
- SUPEE-3941
- APPSEC-212

New in version 1.9.x:
- Responsive Web Design (rwd) theme
- New way to extend themes through theme.xml (See: http://alanstorm.com/magento_parent_child_themes for a good introduction)
- Various security enhancements involving hardening of controllers.
- WARNING: Admin controllers that do NOT extend Mage_Adminhtml_Controller_Action do NOT gain these enhancements and are susceptible to exposing the admin login form on carefully crafted URLs. This makes brute-force password attacks harder to detect as there is a broader range of URLs to monitor. Please check your local and 3rd party extensions.
- Email is now sent through cron, including transactional emails in batches of maximum 100 (by default). This means if Magento cron is run at */15, delays are 1-15 minutes minimum and upwards of 15 minutes if the queue is filling up. Adjust your cron invocation accordingly.
- CAUTION: All template files patched in SUPEE-6285 need the same fix in overridden (store specific) templates.

Further reading: <http://merch.docs.magento.com/ce/user_guide/Magento_Community_Edition_User_Guide.html#magento/release-notes-ce-1.9.2.html>

Port changes:
- Port will contain a release suffix designating the latest patch that is included.
- Framework added to apply patches the official way so it'll be easier to maintain.
- Work in progress to get rid of the 2 bash-isms that would introduce bash as PATCH_DEPENDS (to upstream).
- Changed MASTER_SITE to my server, since Magento broke it: <https://twitter.com/daniel_sloof/status/618512496668876801>
- Added option to install the test suite (NOTE: Work in Progress upstream, there be dragons)
- Added snappy support now that port is in
- Install some files as samples as preparation for sample data port
- Make use of new OPTIONS syntax
- Make my life easier
There are plist issues and portlint -ca reveals quite some points. Could you take a look?
Created attachment 161558 [details] Revision of patch to address some QA

We really need to get this patch in. This is a security release and I notice none of the past security releases have been properly documented in VuXML. I've addressed a handful of the QA items. Can you please fix these last few as soon as possible? I'll look into the VuXML documentation in the next few days.

WARN: Makefile: [101]: possible direct use of command "patch" found. use ${PATCH} instead.
WARN: Makefile: possible use of absolute pathname "/var/tmp".
FATAL: Makefile: either PORTVERSION or DISTVERSION must be specified, not both.
WARN: Makefile: Consider defining LICENSE.
WARN: Makefile: no port directory /usr/ports/databases/php${PHP_VER}-redis found, even though it is listed in RUN_DEPENDS.
(In reply to Jason Unovitch from comment #2)

There is already a new version 1.9.2.1 which includes the latest security patches. The patch should directly update to this version! If you need help with the upgrade, I could help you, but this week I'm short on time.
(In reply to Torsten Zühlsdorff from comment #3) Thanks for pointing this out! Melvyn, Can you factor this in with the QA corrections noted above?
A commit references this bug:

Author: junovitch
Date: Wed Oct 14 23:59:02 UTC 2015
New revision: 399322
URL: https://svnweb.freebsd.org/changeset/ports/399322

Log:
  Document multiple vulnerabilities in the Magento platform

  While here, update an older entry to reflect Magento was vulnerable

  PR:        201709
  Security:  https://vuxml.FreeBSD.org/freebsd/ea1d2530-72ce-11e5-a2a1-002590263bf5.html
  Security:  https://vuxml.FreeBSD.org/freebsd/ec34d0c2-1799-11e2-b4ab-000c29033c32.html
  Security:  CVE-2012-3363

Changes:
  head/security/vuxml/vuln.xml
Melvyn, Any update on the QA issues noted above as well as version 1.9.2.1 noted by Torsten?
"Severe" QA issues are mostly false positives, not fixing them to please a broken tool. Remains:
- PORTVERSION/DISTVERSION: Since I'm hosting myself (also for the 1.9.2.1 release), I'll match the distfile to the port version. And I'm wondering if this is a relic, since nothing got broken.
- snappy: even when fixed, portlint will still complain: the current default PHP_VER is 5 and that one is in the tree. The 55/56 ones didn't need a single change last time, so I was wondering what to do about that.
- LICENSE, can do.

Version 1.9.2.1 needs a bit of work as an undefined number of custom templates may need to be altered. I'll provide a script for it and an entry to run it in pkg-message, but I'm not confident the latter is read, so I'm leaning to do this in UPDATING.
(In reply to melvyn from comment #7)
> "Severe" QA issues are mostly false positives,
> not fixing them to please a broken tool.

If you name them I will have a look at it. I also have some work to do on portlint, because of false positives in another port.
Please notice that there was a new release. The new version 1.9.2.2 fixed 10 more security issues: http://magento.com/security/patches/supee-6788
By the way: today Magento 2.0 was released. Should we update to this directly?
Hi, Any progress here?
(In reply to melvyn from comment #7)
> "Severe" QA issues are mostly false positives, not fixing them to please a broken tool.
> PORTVERSION/DISTVERSION: Since I'm hosting myself (also for the 1.9.2.1 release), I'll match the distfile to the port version. And I'm wondering if this is a relic, since nothing got broken.

It is broken as the PATCH_LEVEL release is treated as an older release. If we need to add patches and stay with the same major release then we can add and bump PORTREVISION.

pkg version -t 1.9.2.0 1.9.2.0.P6285
>

I notice the latest releases are on your mirror. Can we at least get a new patch with at least the PORTVERSION/DISTVERSION fixed that has the latest SUPEE patches?

fetch: http://magemana.nl/ports/dist/magento-1.9.2.1.tar.bz2: Not Found
fetch: http://magemana.nl/ports/dist/magento-1.9.2.2.tar.bz2: Not Found
(In reply to Jason Unovitch from comment #12) Correction: I notice the latest releases are *NOT* on your mirror.
I suggest updating the optional REDIS dependency to databases/php56-redis, as databases/php5-redis is for PHP 5.4 which expired this month. I will leave the rest of the port untouched.
It looks like selecting the REDIS option does *not* pull in the redis port as a dependency?
The REDIS option is not effective, as seen here: [rene@acer] ~/freebsd/ports/head/www/magento% make showconfig ===> The following configuration options are available for magento-1.8.1.0: EXAMPLES=on: Build and/or install examples OAUTH=off: Depend on pecl-oauth for REST API REDIS=on: Depend on php56-redis for faster redis backend SESSIONS=off: Mark Cm/RedisSession module active ===> Use 'make config' to modify these settings [rene@acer] ~/freebsd/ports/head/www/magento% make run-depends-list /usr/home/rene/freebsd/ports/head/archivers/php56-zlib /usr/home/rene/freebsd/ports/head/converters/php56-iconv /usr/home/rene/freebsd/ports/head/databases/php56-mysql /usr/home/rene/freebsd/ports/head/databases/php56-pdo_mysql /usr/home/rene/freebsd/ports/head/devel/php56-json /usr/home/rene/freebsd/ports/head/ftp/php56-curl /usr/home/rene/freebsd/ports/head/graphics/php56-gd /usr/home/rene/freebsd/ports/head/lang/php56 /usr/home/rene/freebsd/ports/head/net/php56-soap /usr/home/rene/freebsd/ports/head/security/php56-hash /usr/home/rene/freebsd/ports/head/security/php56-mcrypt /usr/home/rene/freebsd/ports/head/textproc/php56-ctype /usr/home/rene/freebsd/ports/head/textproc/php56-dom /usr/home/rene/freebsd/ports/head/textproc/php56-simplexml [rene@acer] ~/freebsd/ports/head/www/magento% [rene@acer] ~/freebsd/ports/head/www/magento% svn diff Index: Makefile =================================================================== --- Makefile (revision 407342) +++ Makefile (working copy) @@ -18,7 +18,7 @@ OPTIONS_DEFINE= OAUTH SESSIONS REDIS EXAMPLES OAUTH_DESC= Depend on pecl-oauth for REST API SESSIONS_DESC= Mark Cm/RedisSession module active -REDIS_DESC= Depend on php5-redis for faster redis backend +REDIS_DESC= Depend on php56-redis for faster redis backend #SNAPPY_DESC= Use google snappy for Redis Cache compression NO_BUILD= yes 
@@ -29,7 +29,7 @@ RUN_DEPENDS+= pecl-oauth>=1.2.3:${PORTSDIR}/net/pecl-oauth .endif .if !empty(${PORT_OPTIONS:MREDIS}) -RUN_DEPENDS+= php5-redis>=2.2.0:${PORTSDIR}/databases/php5-redis +RUN_DEPENDS+= php56-redis>=2.2.0:${PORTSDIR}/databases/php56-redis .endif # First need to submit the port #.if ${PORT_OPTIONS:MSNAPPY} [rene@acer] ~/freebsd/ports/head/www/magento%
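Review bot: in the first hunk, REDIS_DESC now hardcodes "php56", so the description will go stale the next time the default PHP version moves, exactly as the "php5-redis" wording did; a version-neutral string such as `REDIS_DESC= Depend on php-redis for faster redis backend` avoids repeating this edit.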
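Review bot: in the second hunk, the condition that guards this dependency, `.if !empty(${PORT_OPTIONS:MREDIS})`, expands the variable before empty() sees it, so with REDIS selected make evaluates `empty(REDIS)` against an undefined variable and the RUN_DEPENDS line is never reached; this is consistent with the `make run-depends-list` output above, where no redis port appears despite REDIS=on. Renaming the dependency alone does not make the option effective; the test should read `.if ${PORT_OPTIONS:MREDIS}` (the OPTIONS framework idiom). While here, `${PHP_PKGNAMEPREFIX}redis` instead of the literal php56-redis would let the dependency follow the selected PHP version.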
A commit references this bug:

Author: rene
Date: Sat Jan 30 16:32:16 UTC 2016
New revision: 407533
URL: https://svnweb.freebsd.org/changeset/ports/407533

Log:
  www/magento: use databases/php56-redis instead of expired databases/php5-redis for REDIS

  Both ports are at the same version of redis, and the option is off by default.

  PR:           201709 (comment #14 to #16)
  Approved by:  portmgr (miwi)

Changes:
  head/www/magento/Makefile
No longer work with Magento. Maintainership already removed.