Created attachment 242474
Kanboard update to 1.2.29

Changes: https://github.com/kanboard/kanboard/releases/tag/v1.2.29

This also includes a security patch: A low-privileged attacker with permission to attach a document on a vulnerable Kanboard instance can trick the victim into pasting malicious screenshot data and achieve cross-site scripting if CSP is improperly configured.

https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv
^Triage: If there is a changelog or release notes URL available for this version, please add it to the URL field.

Note to self: add CVE-2023-32685 entry to vuxml.

Thanks!
Looking at the diff it looks fine, but I have currently no way to test it.

With that said, I'd like to also give back the maintainer status for this port.

Thank you very much!
(In reply to Daniel Tihanyi from comment #2)

Thanks Daniel, I will reset the MAINTAINER field in a follow-up commit.

Thank you for maintaining the port!
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3234f61d53db881c9de6c55ff44a09fa9c37ec0f

commit 3234f61d53db881c9de6c55ff44a09fa9c37ec0f
Author:     Linus Sundqvist <linus.sundqvist@loopia.se>
AuthorDate: 2023-05-30 06:34:22 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-05-31 06:34:41 +0000

    www/kanboard: Update to 1.2.29

    ChangeLog: https://github.com/kanboard/kanboard/releases/tag/v1.2.29

    * Avoid potential clipboard based cross-site scripting (CVE-2023-32685)
    * Upgrade Docker image to PHP 8.2 and Alpine 3.18
    * Add themes support: dark, light and automatic mode
    * Fix broken "Hide this Column" feature
    * Do not close modals when clicking on the background if the form has changed
    * Fix incorrect route for "My Activity Stream"
    * Fix incorrect parameter encoding when using URLs rewriting
    * Add support for task links in Markdown headings
    * Handle 413 responses from Nginx when uploading files too large
    * Restore all previously loaded translations when sending user notifications
    * Regenerate session ID after successful authentication
    * Use SESSION_DURATION option to define the session lifetime stored in the database

      The option SESSION_DURATION is used to define the cookie lifetime. With this change,
      Kanboard will try to use first SESSION_DURATION instead of the default
      session.gc_maxlifetime value.

    * Bump phpunit/phpunit from 9.6.6 to 9.6.8

    PR:          271702
    Reported by: linus.sundqvist@loopia.se
    MFH:         2023Q2 (security fix)
    Security:    CVE-2023-32685

 www/kanboard/Makefile  | 2 +-
 www/kanboard/distinfo  | 6 +++---
 www/kanboard/pkg-plist | 5 ++++-
 3 files changed, 8 insertions(+), 5 deletions(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=439ce2af737fd7667d09a7ba8fb39d296392d807

commit 439ce2af737fd7667d09a7ba8fb39d296392d807
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-05-30 06:39:49 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-05-31 06:47:04 +0000

    security/vuxml: Add XSS php80-kanboard vulnerability

    CVE-2023-32685 with Base Score 7.1 (HIGH)

    PR: 271702

 security/vuxml/vuln/2023.xml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
A commit in branch 2023Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7fb636ec2c47a522cf522dd6874c167829c4a4ad

commit 7fb636ec2c47a522cf522dd6874c167829c4a4ad
Author:     Linus Sundqvist <linus.sundqvist@loopia.se>
AuthorDate: 2023-05-30 06:34:22 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-05-31 06:58:18 +0000

    www/kanboard: Update to 1.2.29

    ChangeLog: https://github.com/kanboard/kanboard/releases/tag/v1.2.29

    * Avoid potential clipboard based cross-site scripting (CVE-2023-32685)
    * Upgrade Docker image to PHP 8.2 and Alpine 3.18
    * Add themes support: dark, light and automatic mode
    * Fix broken "Hide this Column" feature
    * Do not close modals when clicking on the background if the form has changed
    * Fix incorrect route for "My Activity Stream"
    * Fix incorrect parameter encoding when using URLs rewriting
    * Add support for task links in Markdown headings
    * Handle 413 responses from Nginx when uploading files too large
    * Restore all previously loaded translations when sending user notifications
    * Regenerate session ID after successful authentication
    * Use SESSION_DURATION option to define the session lifetime stored in the database

      The option SESSION_DURATION is used to define the cookie lifetime. With this change,
      Kanboard will try to use first SESSION_DURATION instead of the default
      session.gc_maxlifetime value.

    * Bump phpunit/phpunit from 9.6.6 to 9.6.8

    PR:          271702
    Reported by: linus.sundqvist@loopia.se
    MFH:         2023Q2 (security fix)
    Security:    CVE-2023-32685

    (cherry picked from commit 3234f61d53db881c9de6c55ff44a09fa9c37ec0f)

 www/kanboard/Makefile  | 2 +-
 www/kanboard/distinfo  | 6 +++---
 www/kanboard/pkg-plist | 5 ++++-
 3 files changed, 8 insertions(+), 5 deletions(-)
Committed and merged to 2023Q2. Thanks!
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5fc5f6e57638650eb96f4067d3246d6517a22ab1

commit 5fc5f6e57638650eb96f4067d3246d6517a22ab1
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-05-31 08:38:50 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-05-31 12:49:42 +0000

    www/kanboard: back to the pool

    Maintainer relinquishes maintainership.

    PR: 271702

 www/kanboard/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
A commit in branch 2023Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0cc4cbc9335e242acdc5f358937e70152fe8cfac

commit 0cc4cbc9335e242acdc5f358937e70152fe8cfac
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-05-31 08:38:50 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-05-31 12:54:02 +0000

    www/kanboard: back to the pool

    Maintainer relinquishes maintainership.

    PR: 271702

    (cherry picked from commit 5fc5f6e57638650eb96f4067d3246d6517a22ab1)

 www/kanboard/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
Done. Thank you for maintaining the port!
Hi,

Thanks for committing the change. Unfortunately now it seems like 2023Q2 cannot be built correctly because the change from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270976 was never applied to Q2 (I guess?)

So www/kanboard can be built in the main branch at the moment, but not in 2023Q2, because the above bug's change was never applied. Specifically the changes in pkg-plist; I also see that the BUILD_DEPENDS in the Makefile is not in 2023Q2.

Sorry if I did something wrong in the patch file and getting it pushed into Quarterly, I'm still new at this!
(In reply to linus.sundqvist from comment #11)

Should be fixed now. Thanks for the heads up!