Bug 201709 - [MAINTAINER-UPDATE]: www/magento: Update to
Summary: [MAINTAINER-UPDATE]: www/magento: Update to
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Jason Unovitch
Keywords: needs-qa, patch, security
Depends on:
Reported: 2015-07-20 04:40 UTC by Melvyn Sopacua
Modified: 2016-10-14 10:55 UTC (History)

See Also:

Patch to update to (335.60 KB, patch)
2015-07-20 04:40 UTC, Melvyn Sopacua
Revision of patch to address some QA (335.84 KB, patch)
2015-09-30 01:54 UTC, Jason Unovitch

Description Melvyn Sopacua 2015-07-20 04:40:27 UTC
Created attachment 159004 [details]
Patch to update to

Long overdue, update to

This fixes a number of important security issues, contained in:
- SUPEE-6285
- SUPEE-5994
- SUPEE-5344
- SUPEE-1533
- SUPEE-3941
- APPSEC-212

New in version 1.9.x:

- Responsive Web Design (rwd) theme
- New way to extend themes through theme.xml (See:
  http://alanstorm.com/magento_parent_child_themes for a good introduction)
- Various security enhancements involving hardening of controllers.
- WARNING: Admin controllers that do NOT extend Mage_Adminhtml_Controller_Action do NOT gain these enhancements and are susceptible to exposing the admin login form on carefully crafted URLs.  This makes brute-force password attacks harder to detect as there is a broader range of URLs to monitor.  Please check your local and 3rd party extensions.
- Email is now sent through cron, including transactional emails in batches of maximum 100 (by default). This means if Magento cron is run at */15, delays are 1-15 minutes minimum and upwards of 15 minutes if the queue is filling up. Adjust your cron invocation accordingly.
- CAUTION: All templates files patched in SUPEE-6285 need the same fix in overridden (store specific) templates.

Further reading:

Port changes:
- Port will contain a release suffix designating the latest patch that is
- Framework added to apply patches the official way so it'll be easier to
- Work in progress to get rid of the 2 bash-isms that would introduce bash as PATCH_DEPENDS (to upstream).
- Changed MASTER_SITE to my server, since Magento broke it:
- Added option to install the test suite (NOTE: Work in Progress upstream, there be dragons)
- Added snappy support now that port is in
- Install some files as samples as preparation for sample data port
- Make use of new OPTIONS syntax
- Make my life easier
Comment 1 Thomas Zander freebsd_committer 2015-08-02 12:30:59 UTC
There are plist issues and portlint -ca reveals quite some points. Could you take a look?
Comment 2 Jason Unovitch freebsd_committer 2015-09-30 01:54:24 UTC
Created attachment 161558 [details]
Revision of patch to address some QA

We really need to get this patch in.  This is a security release and I notice none of the past security releases have been properly documented in VuXML.

I've addressed a handful of the QA items.  Can you please fix these last few as soon as possible?  I'll look into the VuXML documentation in the next few days.

WARN: Makefile: [101]: possible direct use of command "patch" found. use ${PATCH} instead.
WARN: Makefile: possible use of absolute pathname "/var/tmp".
FATAL: Makefile: either PORTVERSION or DISTVERSION must be specified, not both.
WARN: Makefile: Consider defining LICENSE.
WARN: Makefile: no port directory /usr/ports/databases/php${PHP_VER}-redis found, even though it is listed in RUN_DEPENDS.
Comment 3 Torsten Zühlsdorff 2015-09-30 07:46:24 UTC
(In reply to Jason Unovitch from comment #2)

There is already a new version which includes the latest security patches. The patch should directly update to this version!

If you need help with the upgrade, I could help you. But this week I'm short on time.
Comment 4 Jason Unovitch freebsd_committer 2015-10-01 02:43:11 UTC
(In reply to Torsten Zühlsdorff from comment #3)
Thanks for pointing this out!

Can you factor this in with the QA corrections noted above?
Comment 5 commit-hook freebsd_committer 2015-10-14 23:59:10 UTC
A commit references this bug:

Author: junovitch
Date: Wed Oct 14 23:59:02 UTC 2015
New revision: 399322
URL: https://svnweb.freebsd.org/changeset/ports/399322

  Document multiple vulnerabilities in the Magento platform
  While here, update an older entry to reflect Magento was vulnerable

  PR:		201709
  Security:	https://vuxml.FreeBSD.org/freebsd/ea1d2530-72ce-11e5-a2a1-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/ec34d0c2-1799-11e2-b4ab-000c29033c32.html
  Security:	CVE-2012-3363

Comment 6 Jason Unovitch freebsd_committer 2015-10-15 00:31:37 UTC
Any update on the QA issues noted above as well as version noted by Torsten?
Comment 7 Melvyn Sopacua 2015-10-17 15:36:22 UTC
"Severe" QA issues are mostly false positives, not fixing them to please a broken tool.
- PORTVERSION/DISTVERSION: Since I'm hosting myself (also for the release), I'll match the distfile to the port version. And I'm wondering if this is a relic, since nothing got broken.
- snappy: even when fixed, portlint will still complain: the current default PHP_VER is 5 and that one is in the tree. The 55/56 ones didn't need a single change last time, so I was wondering what to do about that.
- LICENSE, can do.

Version needs a bit of work as an undefined number of custom templates may need to be altered. I'll provide a script for it and an entry to run it in pkg-message, but I'm not confident the latter is read, so I'm leaning to do this in UPDATING.
Comment 8 Torsten Zühlsdorff 2015-10-19 08:14:01 UTC
(In reply to melvyn from comment #7)

> "Severe" QA issues are mostly false positives, 
> not fixing them to please a broken tool.

If you name them I will have a look at it. I also have some work on portlint to do, because of false positives in another port.
Comment 9 Torsten Zühlsdorff 2015-10-28 13:14:36 UTC
Please notice that there was a new release. The new version fixed 10 more security issues:
Comment 10 Torsten Zühlsdorff 2015-11-17 21:46:41 UTC
By the way: today magento 2.0 was released. Should we update to this directly?
Comment 11 Martin Wilke freebsd_committer 2016-01-18 06:53:40 UTC

Any progress here?
Comment 12 Jason Unovitch freebsd_committer 2016-01-18 13:22:42 UTC
(In reply to melvyn from comment #7)
> "Severe" QA issues are mostly false positives, not fixing them to please a broken tool.
> PORTVERSION/DISTVERSION: Since I'm hosting myself (also for the release), I'll match the distfile to the port version. And I'm wondering if this is a relic, since nothing got broken.

It is broken as the PATCH_LEVEL release is treated as an older release.  If we need to add patches and stay with the same major release then we can add and bump PORTREVISION.

pkg version -t

I notice the latest releases are on your mirror.  Can we at least get a new patch with at least the PORTVERSION/DISTVERSION fixed that has the latest SUPEE patches?

fetch: http://magemana.nl/ports/dist/magento- Not Found
fetch: http://magemana.nl/ports/dist/magento- Not Found
Comment 13 Jason Unovitch freebsd_committer 2016-01-18 13:23:16 UTC
(In reply to Jason Unovitch from comment #12)
Correction: I notice the latest releases are *NOT* on your mirror.
Comment 14 Rene Ladan freebsd_committer 2016-01-27 08:21:45 UTC
I suggest updating the optional REDIS dependency to databases/php56-redis, as databases/php5-redis is for PHP 5.4 which expired this month.

I will leave the rest of the port untouched.
Comment 15 Rene Ladan freebsd_committer 2016-01-27 12:23:52 UTC
It looks like selecting the REDIS option does *not* pull in the redis port as a dependency?
Comment 16 Rene Ladan freebsd_committer 2016-01-27 14:56:58 UTC
The REDIS option is not effective, as seen here:

[rene@acer] ~/freebsd/ports/head/www/magento% make showconfig
===> The following configuration options are available for magento-
     EXAMPLES=on: Build and/or install examples
     OAUTH=off: Depend on pecl-oauth for REST API
     REDIS=on: Depend on php56-redis for faster redis backend
     SESSIONS=off: Mark Cm/RedisSession module active
===> Use 'make config' to modify these settings
[rene@acer] ~/freebsd/ports/head/www/magento% make run-depends-list
[rene@acer] ~/freebsd/ports/head/www/magento%

[rene@acer] ~/freebsd/ports/head/www/magento% svn diff
Index: Makefile
--- Makefile    (revision 407342)
+++ Makefile    (working copy)
@@ -18,7 +18,7 @@
 OAUTH_DESC=    Depend on pecl-oauth for REST API
 SESSIONS_DESC= Mark Cm/RedisSession module active
-REDIS_DESC=    Depend on php5-redis for faster redis backend
+REDIS_DESC=    Depend on php56-redis for faster redis backend
 #SNAPPY_DESC=  Use google snappy for Redis Cache compression

 NO_BUILD=      yes
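Review bot: REDIS_DESC in this hunk bakes a specific PHP flavour ("php56-redis") into user-facing option text, so the description will go stale again as soon as the default PHP version moves and the dependency is switched, exactly as happened with the expired php5-redis on the removed line. Suggest wording it without the version, e.g. `REDIS_DESC=    Depend on php-redis for faster redis backend`, and keeping the flavour choice only on the RUN_DEPENDS line.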
@@ -29,7 +29,7 @@
 RUN_DEPENDS+=  pecl-oauth>=1.2.3:${PORTSDIR}/net/pecl-oauth
 .if !empty(${PORT_OPTIONS:MREDIS})
-RUN_DEPENDS+=  php5-redis>=2.2.0:${PORTSDIR}/databases/php5-redis
+RUN_DEPENDS+=  php56-redis>=2.2.0:${PORTSDIR}/databases/php56-redis
 # First need to submit the port
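Review bot: the guard around the changed line, `.if !empty(${PORT_OPTIONS:MREDIS})`, is why `make run-depends-list` above prints nothing even with REDIS=on: `empty()` takes a variable name, so `${PORT_OPTIONS:MREDIS}` is expanded first (to `REDIS` when the option is set, to nothing otherwise) and make then tests the unrelated, undefined variable `REDIS`, which is always empty, so the RUN_DEPENDS line is never reached. Swapping the origin from php5-redis to php56-redis therefore does not make the option effective; the guard should read `.if ${PORT_OPTIONS:MREDIS}`, or the whole block should be replaced by the options helper `REDIS_RUN_DEPENDS=  php56-redis>=2.2.0:${PORTSDIR}/databases/php56-redis`, which is also what "Make use of new OPTIONS syntax" in the original submission was aiming for.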
[rene@acer] ~/freebsd/ports/head/www/magento%
Comment 17 commit-hook freebsd_committer 2016-01-30 16:32:46 UTC
A commit references this bug:

Author: rene
Date: Sat Jan 30 16:32:16 UTC 2016
New revision: 407533
URL: https://svnweb.freebsd.org/changeset/ports/407533

  www/magento: use databases/php56-redis instead of expired databases/php5-redis for REDIS

  Both ports are at the same version of redis, and the option is off by default.

  PR:		201709 (comment #14 to #16)
  Approved by:	portmgr (miwi)

Comment 18 Melvyn Sopacua 2016-09-09 13:04:58 UTC
No longer work with Magento. Maintainership already removed.