Bug 204016 - www/joomla31: update to 3.4.5 (multiple security advisories)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Jason Unovitch
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2015-10-25 15:28 UTC by Jason Unovitch
Modified: 2015-11-03 03:53 UTC

See Also:
junovitch: maintainer-feedback-
junovitch: merge-quarterly+


Attachments
joomla3-3.4.5.patch (538.00 KB, patch)
2015-10-27 02:04 UTC, Jason Unovitch

Comment 1 Jason Unovitch freebsd_committer freebsd_triage 2015-10-27 02:04:19 UTC
Created attachment 162489
joomla3-3.4.5.patch

www/joomla31: update 3.2.3 -> 3.4.5

- Update PORTVERSION, distinfo, and pkg-plist for 3.4.5
- Update SHEBANG_FILES for new release
- Add NO_ARCH

PR:		204016
Security:	CVE-2014-6631
Security:	CVE-2014-6632
Security:	CVE-2014-7228
Security:	CVE-2014-7229
Security:	CVE-2015-5397
Security:	CVE-2015-5608
Security:	CVE-2015-6939
Security:	CVE-2015-7297
Security:	CVE-2015-7857
Security:	CVE-2015-7858
Security:	CVE-2015-7859
Security:	CVE-2015-7899
Security:	https://vuxml.FreeBSD.org/freebsd/0ebc6e78-7ac6-11e5-b35a-002590263bf5.html
Security:	https://vuxml.FreeBSD.org/freebsd/03e54e42-7ac6-11e5-b35a-002590263bf5.html
Security:	https://vuxml.FreeBSD.org/freebsd/f8c37915-7ac5-11e5-b35a-002590263bf5.html
Security:	https://vuxml.FreeBSD.org/freebsd/ec2d1cfd-7ac5-11e5-b35a-002590263bf5.html
Security:	https://vuxml.FreeBSD.org/freebsd/deaba148-7ac5-11e5-b35a-002590263bf5.html
Security:	https://vuxml.FreeBSD.org/freebsd/cec4d01a-7ac5-11e5-b35a-002590263bf5.html
Security:	https://vuxml.FreeBSD.org/freebsd/beb3d5fc-7ac5-11e5-b35a-002590263bf5.html
Security:	https://vuxml.FreeBSD.org/freebsd/adbb32d9-7ac5-11e5-b35a-002590263bf5.html
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2015-10-27 02:08:38 UTC
(In reply to Jason Unovitch from comment #1)
Nicola,
The above is going through QA at the moment.  At the moment this preserves the current flaw that all files are owned by WWWOWN and WWWGRP.  This needs to get fixed ASAP but given how high priority the recent site takeover issue is we may want to work together to review this and get the port patched sooner than later.  We can follow up with permission hardening after further review and with a port PORTREVISION bump.
Comment 3 Mark Felder freebsd_committer freebsd_triage 2015-10-29 13:54:15 UTC
What is the status on this?
Comment 4 Jason Unovitch freebsd_committer freebsd_triage 2015-10-30 00:13:55 UTC
(In reply to Mark Felder from comment #3)
QA was fine and I was hoping the maintainer would have been able to review this.

% portlint -ac
looks fine.

Poudriere clean on the following:
9.3-RELEASE-p28      amd64
9.3-RELEASE-p28      i386
10.1-RELEASE-p22     amd64
10.1-RELEASE-p22     i386
10.2-RELEASE-p5      amd64
10.2-RELEASE-p5      i386
11.0-CURRENT r289912 amd64
11.0-CURRENT r289912 i386
Comment 5 Mark Felder freebsd_committer freebsd_triage 2015-10-30 16:54:36 UTC
(In reply to Jason Unovitch from comment #4)

Approved by: ports-secteam (feld)
Comment 6 commit-hook freebsd_committer freebsd_triage 2015-10-30 22:53:48 UTC
A commit references this bug:

Author: junovitch
Date: Fri Oct 30 22:52:51 UTC 2015
New revision: 400558
URL: https://svnweb.freebsd.org/changeset/ports/400558

Log:
  www/joomla31: update 3.2.3 -> 3.4.5

  - Update PORTVERSION, distinfo, and pkg-plist for 3.4.5
  - Update SHEBANG_FILES for new release
  - Add NO_ARCH
  - Change @dirrmtry to @dir in pkg-plist

  PR:		204016
  Approved by:	ports-secteam (feld)
  Security:	CVE-2014-6631
  Security:	CVE-2014-6632
  Security:	CVE-2014-7228
  Security:	CVE-2014-7229
  Security:	CVE-2015-5397
  Security:	CVE-2015-5608
  Security:	CVE-2015-6939
  Security:	CVE-2015-7297
  Security:	CVE-2015-7857
  Security:	CVE-2015-7858
  Security:	CVE-2015-7859
  Security:	CVE-2015-7899
  Security:	https://vuxml.FreeBSD.org/freebsd/0ebc6e78-7ac6-11e5-b35a-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/03e54e42-7ac6-11e5-b35a-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/f8c37915-7ac5-11e5-b35a-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/ec2d1cfd-7ac5-11e5-b35a-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/deaba148-7ac5-11e5-b35a-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/cec4d01a-7ac5-11e5-b35a-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/beb3d5fc-7ac5-11e5-b35a-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/adbb32d9-7ac5-11e5-b35a-002590263bf5.html
  MFH:		2015Q4

Changes:
  head/www/joomla31/Makefile
  head/www/joomla31/distinfo
  head/www/joomla31/pkg-plist
Comment 7 Jason Unovitch freebsd_committer freebsd_triage 2015-11-01 09:17:33 UTC
(In reply to Mark Felder from comment #5)
Can you give a second approval to match this port's naming to the upstream policy of only supporting one 3.x release for security updates at a time?

Just a 'svn mv joomla31 joomla3' with the www/Makefile fixup and MOVED entry.
Comment 8 Jason Unovitch freebsd_committer freebsd_triage 2015-11-01 09:20:07 UTC
I'm unsure of the practicality of the higher permissions given Joomla lets you install plugins from the web interface. Boneless the scope of permission hardening is outside the scope of the 3.2.3 -> 3.4.5 bump and should be a second PR.
Comment 9 Jason Unovitch freebsd_committer freebsd_triage 2015-11-01 09:21:45 UTC
(In reply to Jason Unovitch from comment #8)
Phone autocorrect...
Hardened permissions
Nonetheless the scope...
Comment 10 commit-hook freebsd_committer freebsd_triage 2015-11-02 23:21:45 UTC
A commit references this bug:

Author: junovitch
Date: Mon Nov  2 23:21:15 UTC 2015
New revision: 400677
URL: https://svnweb.freebsd.org/changeset/ports/400677

Log:
  MFH: r399684 (manual, www/joomla31 only), r400558

  www/joomla31: update 3.2.3 -> 3.4.5

  - Update PORTVERSION, distinfo, and pkg-plist for 3.4.5
  - Update SHEBANG_FILES for new release
  - Add NO_ARCH
  - Change @dirrmtry to @dir in pkg-plist
  - Manually merge shebangfix related fixes from r399684

  PR:		204016
  Approved by:	ports-secteam (feld)
  Security:	CVE-2014-6631
  Security:	CVE-2014-6632
  Security:	CVE-2014-7228
  Security:	CVE-2014-7229
  Security:	CVE-2015-5397
  Security:	CVE-2015-5608
  Security:	CVE-2015-6939
  Security:	CVE-2015-7297
  Security:	CVE-2015-7857
  Security:	CVE-2015-7858
  Security:	CVE-2015-7859
  Security:	CVE-2015-7899
  Security:	https://vuxml.FreeBSD.org/freebsd/0ebc6e78-7ac6-11e5-b35a-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/03e54e42-7ac6-11e5-b35a-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/f8c37915-7ac5-11e5-b35a-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/ec2d1cfd-7ac5-11e5-b35a-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/deaba148-7ac5-11e5-b35a-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/cec4d01a-7ac5-11e5-b35a-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/beb3d5fc-7ac5-11e5-b35a-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/adbb32d9-7ac5-11e5-b35a-002590263bf5.html

Changes:
_U  branches/2015Q4/
  branches/2015Q4/www/joomla31/Makefile
  branches/2015Q4/www/joomla31/distinfo
  branches/2015Q4/www/joomla31/pkg-plist
Comment 11 commit-hook freebsd_committer freebsd_triage 2015-11-03 03:20:01 UTC
A commit references this bug:

Author: junovitch
Date: Tue Nov  3 03:19:42 UTC 2015
New revision: 400682
URL: https://svnweb.freebsd.org/changeset/ports/400682

Log:
  www/joomla3: svn move joomla31 joomla3

  - Match origin to PKGNAME to align with the Joomla upstream only supporting
    the most recent 3.x release at any one time.

  www/Makefile, MOVED: Chase Joomla rename joomla31 -> joomla3 + spelling fix

  Reference:	https://docs.joomla.org/What_version_of_Joomla!_should_you_use

  PR:		204016
  Approved by:	ports-secteam (feld)
  MFH:		2015Q4

Changes:
  head/MOVED
  head/www/Makefile
  head/www/joomla3/
  head/www/joomla31/
Comment 12 commit-hook freebsd_committer freebsd_triage 2015-11-03 03:30:03 UTC
A commit references this bug:

Author: junovitch
Date: Tue Nov  3 03:29:48 UTC 2015
New revision: 400683
URL: https://svnweb.freebsd.org/changeset/ports/400683

Log:
  MFH: r400682

  www/joomla3: svn move joomla31 joomla3

  - Match origin to PKGNAME to align with the Joomla upstream only supporting
    the most recent 3.x release at any one time.

  www/Makefile, MOVED: Chase Joomla rename joomla31 -> joomla3

  Reference:	https://docs.joomla.org/What_version_of_Joomla!_should_you_use

  PR:		204016
  Approved by:	ports-secteam (feld)

Changes:
_U  branches/2015Q4/
  branches/2015Q4/MOVED
  branches/2015Q4/www/Makefile
  branches/2015Q4/www/joomla3/
  branches/2015Q4/www/joomla31/
Comment 13 Jason Unovitch freebsd_committer freebsd_triage 2015-11-03 03:53:49 UTC
- Set maintainer-feedback- -- commits approved by ports-secteam
- Set merge-quarterly+ -- MFH completed after approval by ports-secteam
- Remove needs-patch -- one was provided in comment 1
- Take assignment of and close PR

(In reply to Jason Unovitch from comment #2)
Nicola, bug 204241 was opened related to the insecure default permissions comment to document work related to improving that.  Otherwise everything related to this batch of secure updates and the fixup to the less than ideal port origin has been committed and MFH'd.
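
Comments 2 and 8 turn on which installed files the web server account (WWWOWN/WWWGRP) can modify. As an added example, not part of the port or of this PR, the function below lists paths under a web root that are owned by that account, group-writable by its group, or world-writable, while skipping subdirectories the operator has decided to leave writable. The `www` account, the install path and the `tmp`/`cache` names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not part of the port: audit a web root for paths the web
# server account could modify.
#
# web_writable ROOT OWNER GROUP [ALLOWED_SUBDIR ...]
#   ROOT     directory tree to audit
#   OWNER    web server user (name or numeric uid; WWWOWN in the ports tree)
#   GROUP    web server group (name or numeric gid; WWWGRP in the ports tree)
#   ALLOWED  subdirectories, relative to ROOT, that are meant to stay writable
# Prints one path per line; no output means nothing outside the allowed
# subdirectories is writable by that account.
web_writable() {
    root=${1%/}
    own=$2
    grp=$3
    shift 3
    # A path is modifiable by the web server when the account owns it (an
    # owner can always chmod its own files), when its group has write access,
    # or when it is world-writable. Symlink modes are meaningless, so skip them.
    find "$root" ! -type l \
        \( -user "$own" -o \( -group "$grp" -perm -0020 \) -o -perm -0002 \) \
        -print |
    while IFS= read -r path; do
        rel=${path#"$root"}
        rel=${rel#/}
        skip=0
        for allowed in "$@"; do
            case "$rel" in
                "$allowed" | "$allowed"/*) skip=1; break ;;
            esac
        done
        if [ "$skip" -eq 0 ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Usage (path and directory names are assumptions, adjust to the install):
#   web_writable /usr/local/www/joomla3 www www tmp cache
```

Any path it prints is code or content that a compromised web application could rewrite; an empty result with a short allowed list is the state that permission hardening aims for.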