| Field | Value |
|---|---|
| Summary | www/joomla31: update to 3.4.5 (multiple security advisories) |
| Product | Ports & Packages |
| Component | Individual Port(s) |
| Status | Closed FIXED |
| Severity | Affects Many People |
| Priority | Normal |
| Version | Latest |
| Hardware | Any |
| OS | Any |
| Reporter | Jason Unovitch <junovitch> |
| Assignee | Jason Unovitch <junovitch> |
| CC | feld, ports-secteam, ports |
| Keywords | security |
| Flags | junovitch: maintainer-feedback-, junovitch: merge-quarterly+ |
| Attachments | joomla3-3.4.5.patch (attachment 162489) |
Description

Jason Unovitch, 2015-10-25 15:28:41 UTC

Created attachment 162489 [details] joomla3-3.4.5.patch

  www/joomla31: update 3.2.3 -> 3.4.5

  - Update PORTVERSION, distinfo, and pkg-plist for 3.4.5
  - Update SHEBANG_FILES for new release
  - Add NO_ARCH

  PR:        204016
  Security:  CVE-2014-6631
  Security:  CVE-2014-6632
  Security:  CVE-2014-7228
  Security:  CVE-2014-7229
  Security:  CVE-2015-5397
  Security:  CVE-2015-5608
  Security:  CVE-2015-6939
  Security:  CVE-2015-7297
  Security:  CVE-2015-7857
  Security:  CVE-2015-7858
  Security:  CVE-2015-7859
  Security:  CVE-2015-7899
  Security:  https://vuxml.FreeBSD.org/freebsd/0ebc6e78-7ac6-11e5-b35a-002590263bf5.html
  Security:  https://vuxml.FreeBSD.org/freebsd/03e54e42-7ac6-11e5-b35a-002590263bf5.html
  Security:  https://vuxml.FreeBSD.org/freebsd/f8c37915-7ac5-11e5-b35a-002590263bf5.html
  Security:  https://vuxml.FreeBSD.org/freebsd/ec2d1cfd-7ac5-11e5-b35a-002590263bf5.html
  Security:  https://vuxml.FreeBSD.org/freebsd/deaba148-7ac5-11e5-b35a-002590263bf5.html
  Security:  https://vuxml.FreeBSD.org/freebsd/cec4d01a-7ac5-11e5-b35a-002590263bf5.html
  Security:  https://vuxml.FreeBSD.org/freebsd/beb3d5fc-7ac5-11e5-b35a-002590263bf5.html
  Security:  https://vuxml.FreeBSD.org/freebsd/adbb32d9-7ac5-11e5-b35a-002590263bf5.html

(In reply to Jason Unovitch from comment #1)

Nicola,

The above is going through QA at the moment. At the moment this preserves the current flaw that all files are owned by WWWOWN and WWWGRP. This needs to get fixed ASAP but given how high priority the recent site takeover issue is we may want to work together to review this and get the port patched sooner than later. We can follow up with permission hardening after further review and with a port PORTREVISION bump.

What is the status on this?

(In reply to Mark Felder from comment #3)

QA was fine and I was hoping the maintainer would have been able to review this.

% portlint -ac looks fine.

Poudriere clean on the following:

  9.3-RELEASE-p28 amd64
  9.3-RELEASE-p28 i386
  10.1-RELEASE-p22 amd64
  10.1-RELEASE-p22 i386
  10.2-RELEASE-p5 amd64
  10.2-RELEASE-p5 i386
  11.0-CURRENT r289912 amd64
  11.0-CURRENT r289912 i386

(In reply to Jason Unovitch from comment #4)

Approved by: ports-secteam (feld)

A commit references this bug:

Author: junovitch
Date: Fri Oct 30 22:52:51 UTC 2015
New revision: 400558
URL: https://svnweb.freebsd.org/changeset/ports/400558

Log:
  www/joomla31: update 3.2.3 -> 3.4.5

  - Update PORTVERSION, distinfo, and pkg-plist for 3.4.5
  - Update SHEBANG_FILES for new release
  - Add NO_ARCH
  - Change @dirrmtry to @dir in pkg-plist

  PR:           204016
  Approved by:  ports-secteam (feld)
  Security:     CVE-2014-6631
  Security:     CVE-2014-6632
  Security:     CVE-2014-7228
  Security:     CVE-2014-7229
  Security:     CVE-2015-5397
  Security:     CVE-2015-5608
  Security:     CVE-2015-6939
  Security:     CVE-2015-7297
  Security:     CVE-2015-7857
  Security:     CVE-2015-7858
  Security:     CVE-2015-7859
  Security:     CVE-2015-7899
  Security:     https://vuxml.FreeBSD.org/freebsd/0ebc6e78-7ac6-11e5-b35a-002590263bf5.html
  Security:     https://vuxml.FreeBSD.org/freebsd/03e54e42-7ac6-11e5-b35a-002590263bf5.html
  Security:     https://vuxml.FreeBSD.org/freebsd/f8c37915-7ac5-11e5-b35a-002590263bf5.html
  Security:     https://vuxml.FreeBSD.org/freebsd/ec2d1cfd-7ac5-11e5-b35a-002590263bf5.html
  Security:     https://vuxml.FreeBSD.org/freebsd/deaba148-7ac5-11e5-b35a-002590263bf5.html
  Security:     https://vuxml.FreeBSD.org/freebsd/cec4d01a-7ac5-11e5-b35a-002590263bf5.html
  Security:     https://vuxml.FreeBSD.org/freebsd/beb3d5fc-7ac5-11e5-b35a-002590263bf5.html
  Security:     https://vuxml.FreeBSD.org/freebsd/adbb32d9-7ac5-11e5-b35a-002590263bf5.html
  MFH:          2015Q4

Changes:
  head/www/joomla31/Makefile
  head/www/joomla31/distinfo
  head/www/joomla31/pkg-plist

(In reply to Mark Felder from comment #5)

Can you give a second approval to match this port's naming to the upstream policy of only supporting one 3.x release for security updates at a time? Just a 'svn mv joomla31 joomla3' with the www/Makefile fixup and MOVED entry.

I'm unsure of the practicality of the higher permissions given Joomla lets you install plugins from the web interface. Boneless the scope of permission hardening is outside the scope of the 3.2.3 -> 3.4.5 bump and should be a second PR.

(In reply to Jason Unovitch from comment #8)

Phone autocorrect...

Hardened permissions
Nonetheless the scope...

A commit references this bug:

Author: junovitch
Date: Mon Nov 2 23:21:15 UTC 2015
New revision: 400677
URL: https://svnweb.freebsd.org/changeset/ports/400677

Log:
  MFH: r399684 (manual, www/joomla31 only), r400558

  www/joomla31: update 3.2.3 -> 3.4.5

  - Update PORTVERSION, distinfo, and pkg-plist for 3.4.5
  - Update SHEBANG_FILES for new release
  - Add NO_ARCH
  - Change @dirrmtry to @dir in pkg-plist
  - Manually merge shebangfix related fixes from r399684

  PR:           204016
  Approved by:  ports-secteam (feld)
  Security:     CVE-2014-6631
  Security:     CVE-2014-6632
  Security:     CVE-2014-7228
  Security:     CVE-2014-7229
  Security:     CVE-2015-5397
  Security:     CVE-2015-5608
  Security:     CVE-2015-6939
  Security:     CVE-2015-7297
  Security:     CVE-2015-7857
  Security:     CVE-2015-7858
  Security:     CVE-2015-7859
  Security:     CVE-2015-7899
  Security:     https://vuxml.FreeBSD.org/freebsd/0ebc6e78-7ac6-11e5-b35a-002590263bf5.html
  Security:     https://vuxml.FreeBSD.org/freebsd/03e54e42-7ac6-11e5-b35a-002590263bf5.html
  Security:     https://vuxml.FreeBSD.org/freebsd/f8c37915-7ac5-11e5-b35a-002590263bf5.html
  Security:     https://vuxml.FreeBSD.org/freebsd/ec2d1cfd-7ac5-11e5-b35a-002590263bf5.html
  Security:     https://vuxml.FreeBSD.org/freebsd/deaba148-7ac5-11e5-b35a-002590263bf5.html
  Security:     https://vuxml.FreeBSD.org/freebsd/cec4d01a-7ac5-11e5-b35a-002590263bf5.html
  Security:     https://vuxml.FreeBSD.org/freebsd/beb3d5fc-7ac5-11e5-b35a-002590263bf5.html
  Security:     https://vuxml.FreeBSD.org/freebsd/adbb32d9-7ac5-11e5-b35a-002590263bf5.html

Changes:
  _U  branches/2015Q4/
  branches/2015Q4/www/joomla31/Makefile
  branches/2015Q4/www/joomla31/distinfo
  branches/2015Q4/www/joomla31/pkg-plist

A commit references this bug:

Author: junovitch
Date: Tue Nov 3 03:19:42 UTC 2015
New revision: 400682
URL: https://svnweb.freebsd.org/changeset/ports/400682

Log:
  www/joomla3: svn move joomla31 joomla3

  - Match origin to PKGNAME to align with the Joomla upstream only supporting
    the most recent 3.x release at any one time.

  www/Makefile, MOVED: Chase Joomla rename joomla31 -> joomla3 + spelling fix

  Reference:    https://docs.joomla.org/What_version_of_Joomla!_should_you_use
  PR:           204016
  Approved by:  ports-secteam (feld)
  MFH:          2015Q4

Changes:
  head/MOVED
  head/www/Makefile
  head/www/joomla3/
  head/www/joomla31/

A commit references this bug:

Author: junovitch
Date: Tue Nov 3 03:29:48 UTC 2015
New revision: 400683
URL: https://svnweb.freebsd.org/changeset/ports/400683

Log:
  MFH: r400682

  www/joomla3: svn move joomla31 joomla3

  - Match origin to PKGNAME to align with the Joomla upstream only supporting
    the most recent 3.x release at any one time.

  www/Makefile, MOVED: Chase Joomla rename joomla31 -> joomla3

  Reference:    https://docs.joomla.org/What_version_of_Joomla!_should_you_use
  PR:           204016
  Approved by:  ports-secteam (feld)

Changes:
  _U  branches/2015Q4/
  branches/2015Q4/MOVED
  branches/2015Q4/www/Makefile
  branches/2015Q4/www/joomla3/
  branches/2015Q4/www/joomla31/

- Set maintainer-feedback- -- commits approved by ports-secteam
- Set merge-quarterly+ -- MFH completed after approval by ports-secteam
- Remove needs-patch -- one was provided in comment 1
- Take assignment of and close PR

(In reply to Jason Unovitch from comment #2)

Nicola, bug 204241 was opened related to the insecure default permissions comment to document work related to improving that. Otherwise everything related to this batch of secure updates and the fixup to the less than ideal port origin has been committed and MFH'd.
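The thread above flags that the port installs every file owned by WWWOWN and WWWGRP and defers the hardening to bug 204241. The script below is an added example, not code from the PR, the port or any of the commits: it reports which regular files under a web root are owned by the web server account, and separately which are world-writable, which is the check an administrator would run before and after such a hardening to see how much of the tree the PHP process could rewrite. The web root path and the account name are assumptions passed on the command line (FreeBSD's WWWOWN default is `www`, but nothing here depends on it).

```shell
#!/bin/sh
# Added example, not from the PR or the joomla3 port. Reports the files under
# a web root that the web server account could modify: anything it owns, plus
# anything world-writable. Both the directory and the account name are
# assumptions supplied as arguments.

# list_www_owned DIR OWNER: print every regular file under DIR owned by OWNER.
# Returns 2 for an unknown account instead of letting find abort mid-run.
list_www_owned() {
    dir=$1
    owner=$2
    id "$owner" >/dev/null 2>&1 || { echo "unknown user: $owner" >&2; return 2; }
    find "$dir" -type f -user "$owner"
}

# count_www_owned DIR OWNER: the same set as a bare integer on stdout.
count_www_owned() {
    id "$2" >/dev/null 2>&1 || return 2
    find "$1" -type f -user "$2" | wc -l | tr -d ' '
}

# count_world_writable DIR: regular files with the other-write bit (mode o+w),
# writable by any local account regardless of ownership.
count_world_writable() {
    find "$1" -type f -perm -002 | wc -l | tr -d ' '
}

# count_all_files DIR: denominator for the summary.
count_all_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# report DIR OWNER: one-screen summary an admin can compare across a hardening.
report() {
    dir=$1
    owner=$2
    total=$(count_all_files "$dir")
    owned=$(count_www_owned "$dir" "$owner") || return $?
    ww=$(count_world_writable "$dir")
    echo "$dir: $total files, $owned owned by $owner, $ww world-writable"
    if [ "$owned" -gt 0 ]; then
        echo "files owned by $owner (writable by any code running as $owner):"
        list_www_owned "$dir" "$owner" | sed 's/^/  /'
    fi
}

# Only run the report when invoked with arguments, e.g.
#   sh audit_www_owned.sh /usr/local/www/joomla3 www    (paths are placeholders)
if [ "$#" -ge 1 ]; then
    report "$1" "${2:-www}"
fi
```

The trade-off raised in the thread applies to reading the output: Joomla installs extensions through its web interface, so some directories must remain writable by the web server account. The point of the report is to make that set explicit and small rather than the entire tree, and to catch regressions when a later upgrade reinstalls files with the old ownership.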