Bug 260675

Summary: www/matomo: Update to 4.6.2
Product: Ports & Packages
Reporter: Andrej Ebert <andrej>
Component: Individual Port(s)
Assignee: Jochen Neumeister <joneum>
Status: Closed FIXED
Severity: Affects Many People
CC: joneum, mfechner, ports-secteam
Priority: Normal
Keywords: needs-qa, security
Version: Latest
Flags: bugzilla: maintainer-feedback? (joneum); koobs: merge-quarterly?
Hardware: Any
OS: Any
URL: https://matomo.org/changelog/matomo-4-6-0/
Attachments (description, flags):
git diff (flags: none)
poudriere-testport log (flags: none)
poudriere-portlint (flags: none)
git diff without maintainer change (flags: andrej: maintainer-approval? (joneum))

Description Andrej Ebert 2021-12-25 09:51:09 UTC
Created attachment 230383
git diff

Changes:

https://matomo.org/changelog/matomo-4-6-0/

https://matomo.org/changelog/matomo-4-6-2/

There is a security-relevant bug fixed, but I didn't find a CVE for it and the description in the changelog is rather... superficial:

[snip]
Security release

This is a major security release.

We fixed an issue where it was possible to gain access to any Matomo user account on a server running Nginx, where the Matomo user login is known and two-factor authentication is disabled and if the Matomo user could be tricked into doing some specific action. It is strongly recommended to use two-factor authentication for the safety of your account.

This issue was responsibly disclosed to our Security team. 
[/snip]

Also changed maintainer to myself, as suggested by current maintainer here: bug #254157, comment #4

And now the patch to suppress the file integrity warning caused by the shebangfix to misc/log-analytics/import_logs.py actually made it to the diff :)
Comment 1 Andrej Ebert 2021-12-25 09:52:58 UTC
Created attachment 230384
poudriere-testport log
Comment 2 Andrej Ebert 2021-12-25 09:53:45 UTC
Created attachment 230385
poudriere-portlint
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2021-12-25 10:05:41 UTC
^Triage: Pending VuXML entry
Comment 4 Jochen Neumeister freebsd_committer freebsd_triage 2021-12-25 21:41:11 UTC
Maintainer change not approved
Comment 5 Andrej Ebert 2021-12-25 22:24:53 UTC
Created attachment 230410
git diff without maintainer change

Removed the maintainer change, everything else is the same as before
Comment 6 Andrej Ebert 2021-12-25 22:38:29 UTC
Also upgraded to this version on my one running instance of matomo, went without any problems.
Comment 7 commit-hook freebsd_committer freebsd_triage 2021-12-31 06:50:22 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7bc5b0d6ab019927d30e646a940471d6d291fd69

commit 7bc5b0d6ab019927d30e646a940471d6d291fd69
Author:     Jochen Neumeister <joneum@FreeBSD.org>
AuthorDate: 2021-12-31 06:48:19 +0000
Commit:     Jochen Neumeister <joneum@FreeBSD.org>
CommitDate: 2021-12-31 06:48:19 +0000

    www/matomo: Update to 4.6.2

    PR:     260675
    Sponsored by:   Netzkommune GmbH

 www/matomo/Makefile                                |   2 +-
 www/matomo/distinfo                                |   6 +-
 .../files/patch-config_manifest.inc.php (new)      |  11 +
 www/matomo/files/pkg-message.in                    |   2 +-
 www/matomo/pkg-plist                               | 445 ++++++++-------------
 5 files changed, 178 insertions(+), 288 deletions(-)