pkgsrc-Changes archive
CVS commit: pkgsrc/www/php-concrete-cms
Module Name: pkgsrc
Committed By: taca
Date: Sun Mar 8 13:24:26 UTC 2026
Modified Files:
pkgsrc/www/php-concrete-cms: Makefile PLIST distinfo
Log Message:
www/php-concrete-cms: update to 9.4.8
9.4.8 (2026-03-03)
Behavioral Improvements
* Improved performance on sites with large amounts of permission
assignments.
Security Updates
* All security fixes below are for Concrete CMS version 9 only. There will
be no fixes for version 8.
* Fixed CVE-2026-3452 by making columns and filterFields start from empty
with commit 1286. Prior to the fix, an authenticated administrator could
store attacker-controlled serialized data in block configuration fields
that are later passed to unserialize() without class restrictions or
integrity checks making Concrete CMS vulnerable to remote code execution.
The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score
of 8.9 with vector
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks
YJK of ZUSO ART for reporting H1 3549050.
* Fixed CVE-2026-3244 with commit 12826 for H1 3542571. Prior to the fix, a
stored cross-site scripting (XSS) vulnerability existed in the search
block where page names and content were rendered without proper HTML
encoding in search results. Authenticated administrators were able to
inject malicious JavaScript through page names which executed when users
searched for and viewed those pages in search results. The Concrete CMS
security team gave this vulnerability a CVSS v.4.0 score of 4.8 with
vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N.
Thanks zolpak for reporting HackerOne 3542571.
* Fixed CVE-2026-3242 with commit 12826 for H1 3451125 to prevent
administrators from being able to add stored XSS via the Switch Language
block. The Concrete CMS security team gave this vulnerability a CVSS
v.4.0 score of 4.8 with vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks
M3dium for reporting HackerOne 3451125.
* Fixed CVE-2026-3241 with commit 12826 for H1 3456482 to prevent
administrators from being able to add cross-site scripting (XSS) into the
options of a multiple-choice question (Checkbox List, Radio Buttons, or
Select Box) in the "Legacy Form" block. The Concrete CMS security team
gave this vulnerability a CVSS v.4.0 score of 4.8 with vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks
M3dium for reporting H1 3456482.
* Fixed CVE-2026-3240 with commit 12826 for H1 3451114 to prevent an editor
from being able to use the Question field in the element Legacy form from
being able to inject stored XSS. The Concrete CMS security team gave this
vulnerability a CVSS v.4.0 score of 4.8 with vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks
minhnn42, namdi, and quanlna2 from VCSLab-Viettel Cyber Security for
reporting H1 3451114.
* Fixed CVE-2026-2994 with commit 12826 for H1 3437650 to ensure the CSRF
token is checked before changes to the group_id parameter are saved when
using the Anti-Spam Allowlist Group Configuration. The Concrete CMS
security team gave this vulnerability a CVSS v.4.0 score of 2.3 with
vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N.
Thanks z3rco for reporting H1 3437650.
To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.19 pkgsrc/www/php-concrete-cms/Makefile
cvs rdiff -u -r1.12 -r1.13 pkgsrc/www/php-concrete-cms/PLIST
cvs rdiff -u -r1.14 -r1.15 pkgsrc/www/php-concrete-cms/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/www/php-concrete-cms/Makefile
diff -u pkgsrc/www/php-concrete-cms/Makefile:1.18 pkgsrc/www/php-concrete-cms/Makefile:1.19
--- pkgsrc/www/php-concrete-cms/Makefile:1.18 Mon Feb 23 15:51:32 2026
+++ pkgsrc/www/php-concrete-cms/Makefile Sun Mar 8 13:24:26 2026
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.18 2026/02/23 15:51:32 taca Exp $
+# $NetBSD: Makefile,v 1.19 2026/03/08 13:24:26 taca Exp $
#
DISTNAME= concrete-cms-${GITHUB_RELEASE}
@@ -6,7 +6,7 @@ PKGNAME= ${PHP_PKG_PREFIX}-${DISTNAME}
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_GITHUB:=concretecms/}
GITHUB_PROJECT= concretecms
-GITHUB_RELEASE= 9.4.7
+GITHUB_RELEASE= 9.4.8
EXTRACT_SUFX= .zip
MAINTAINER= pkgsrc-users%NetBSD.org@localhost
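Review bot: GITHUB_RELEASE is the only functional change in this Makefile hunk, yet the log message lists six CVE fixes for 9.4.8, one of them scored 8.9. If a stable pkgsrc branch still ships 9.4.7, a pullup request should follow this commit, and the pkg-vulnerabilities entries for these CVEs should name versions below 9.4.8 as affected.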
Index: pkgsrc/www/php-concrete-cms/PLIST
diff -u pkgsrc/www/php-concrete-cms/PLIST:1.12 pkgsrc/www/php-concrete-cms/PLIST:1.13
--- pkgsrc/www/php-concrete-cms/PLIST:1.12 Fri Dec 19 14:40:27 2025
+++ pkgsrc/www/php-concrete-cms/PLIST Sun Mar 8 13:24:26 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.12 2025/12/19 14:40:27 taca Exp $
+@comment $NetBSD: PLIST,v 1.13 2026/03/08 13:24:26 taca Exp $
${CC_DOCDIR}/README
${CC_WEBDIR}/LICENSE.TXT
${CC_WEBDIR}/application/bootstrap/app.php
@@ -950,7 +950,6 @@ ${CC_WEBDIR}/concrete/config/api/site.ph
${CC_WEBDIR}/concrete/config/api/system.php
${CC_WEBDIR}/concrete/config/app.php
${CC_WEBDIR}/concrete/config/captcha.php
-${CC_WEBDIR}/concrete/config/coding_style.php
${CC_WEBDIR}/concrete/config/concrete.php
${CC_WEBDIR}/concrete/config/conversations.php
${CC_WEBDIR}/concrete/config/database.php
@@ -10341,12 +10340,16 @@ ${CC_WEBDIR}/concrete/src/Summary/Templa
${CC_WEBDIR}/concrete/src/Summary/Template/Renderer.php
${CC_WEBDIR}/concrete/src/Summary/Template/RendererFilterer.php
${CC_WEBDIR}/concrete/src/Summary/Template/TemplateLocator.php
-${CC_WEBDIR}/concrete/src/Support/CodingStyle/Differ.php
+${CC_WEBDIR}/concrete/src/Support/CodingStyle/FileFlag.php
+${CC_WEBDIR}/concrete/src/Support/CodingStyle/Fixer/EnsureDefinedOrDieFixer.php
${CC_WEBDIR}/concrete/src/Support/CodingStyle/Fixer/InlineTagFixer.php
-${CC_WEBDIR}/concrete/src/Support/CodingStyle/PhpFixer.php
-${CC_WEBDIR}/concrete/src/Support/CodingStyle/PhpFixerOptions.php
-${CC_WEBDIR}/concrete/src/Support/CodingStyle/PhpFixerRuleResolver.php
-${CC_WEBDIR}/concrete/src/Support/CodingStyle/PhpFixerRunner.php
+${CC_WEBDIR}/concrete/src/Support/CodingStyle/Fixer/LogicalOperatorsFixer.php
+${CC_WEBDIR}/concrete/src/Support/CodingStyle/Fixer/NoAliasLanguageConstructCallFixer.php
+${CC_WEBDIR}/concrete/src/Support/CodingStyle/Fixer/Traits/DefinedOrDie.php
+${CC_WEBDIR}/concrete/src/Support/CodingStyle/FixerRegistry.php
+${CC_WEBDIR}/concrete/src/Support/CodingStyle/PHPCSFixerConfigurator.php
+${CC_WEBDIR}/concrete/src/Support/CodingStyle/RuleCustomisationPolicy.php
+${CC_WEBDIR}/concrete/src/Support/CodingStyle/autoload.php
${CC_WEBDIR}/concrete/src/Support/Facade/Application.php
${CC_WEBDIR}/concrete/src/Support/Facade/Config.php
${CC_WEBDIR}/concrete/src/Support/Facade/Cookie.php
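Review bot: the files added under concrete/src/Support/CodingStyle/ (the Fixer/ classes, PHPCSFixerConfigurator.php, autoload.php) are coding-style tooling by their names, and this hunk installs them below ${CC_WEBDIR} next to the runtime code. If nothing loads them at runtime, consider leaving them out of the installed tree, or confirm that the web server configuration does not serve concrete/src/ directly, so that developer tooling does not add to what is reachable from the web root.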
@@ -10719,6 +10722,7 @@ ${CC_WEBDIR}/concrete/src/Updater/Migrat
${CC_WEBDIR}/concrete/src/Updater/Migrations/Migrations/Version20241210181033.php
${CC_WEBDIR}/concrete/src/Updater/Migrations/Migrations/Version20241217194138.php
${CC_WEBDIR}/concrete/src/Updater/Migrations/Migrations/Version20250227155410.php
+${CC_WEBDIR}/concrete/src/Updater/Migrations/Migrations/Version20250302004500.php
${CC_WEBDIR}/concrete/src/Updater/Migrations/Migrations/Version20250827152432.php
${CC_WEBDIR}/concrete/src/Updater/Migrations/RepeatableMigrationInterface.php
${CC_WEBDIR}/concrete/src/Updater/Migrations/Routine/AddPageDraftsBooleanTrait.php
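Review bot: the added Version20250302004500.php under Updater/Migrations/Migrations/ means 9.4.8 carries a database migration, so installing the package does not by itself complete the upgrade. If the package's MESSAGE or documentation does not already tell administrators to run the Concrete CMS upgrade step after updating, this is the release to add that note.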
@@ -15750,8 +15754,10 @@ ${CC_WEBDIR}/concrete/vendor/mlocati/con
${CC_WEBDIR}/concrete/vendor/mlocati/concrete5-translation-library/src/Parser/DynamicItem/PermissionKeyCategory.php
${CC_WEBDIR}/concrete/vendor/mlocati/concrete5-translation-library/src/Parser/DynamicItem/SelectAttributeValue.php
${CC_WEBDIR}/concrete/vendor/mlocati/concrete5-translation-library/src/Parser/DynamicItem/Tree.php
+${CC_WEBDIR}/concrete/vendor/mlocati/concrete5-translation-library/src/Parser/InstalledPackage.php
${CC_WEBDIR}/concrete/vendor/mlocati/concrete5-translation-library/src/Parser/Php.php
${CC_WEBDIR}/concrete/vendor/mlocati/concrete5-translation-library/src/Parser/ThemePresets.php
+${CC_WEBDIR}/concrete/vendor/mlocati/concrete5-translation-library/src/Parser/Twig.php
${CC_WEBDIR}/concrete/vendor/mlocati/concrete5-translation-library/src/ParserFactory.php
${CC_WEBDIR}/concrete/vendor/mlocati/concrete5-translation-library/src/Util/ConfigFile.php
${CC_WEBDIR}/concrete/vendor/mlocati/concrete5-translation-library/src/Util/ConfigFileFakeClass.php
@@ -17354,6 +17360,7 @@ ${CC_WEBDIR}/concrete/vendor/phpseclib/p
${CC_WEBDIR}/concrete/vendor/phpseclib/phpseclib/phpseclib/Math/Common/FiniteField/Integer.php
${CC_WEBDIR}/concrete/vendor/phpseclib/phpseclib/phpseclib/Math/PrimeField.php
${CC_WEBDIR}/concrete/vendor/phpseclib/phpseclib/phpseclib/Math/PrimeField/Integer.php
+${CC_WEBDIR}/concrete/vendor/phpseclib/phpseclib/phpseclib/Net/SCP.php
${CC_WEBDIR}/concrete/vendor/phpseclib/phpseclib/phpseclib/Net/SFTP.php
${CC_WEBDIR}/concrete/vendor/phpseclib/phpseclib/phpseclib/Net/SFTP/Stream.php
${CC_WEBDIR}/concrete/vendor/phpseclib/phpseclib/phpseclib/Net/SSH2.php
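Review bot: Net/SCP.php appearing under concrete/vendor/phpseclib/ shows that the bundled phpseclib copy changed with this release, as did mlocati/concrete5-translation-library in the previous hunk. Because these libraries ship inside the distfile rather than as pkgsrc dependencies, advisories against them have to be tracked against php-concrete-cms itself; recording the bundled library versions in the commit log would make that tracking easier.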
Index: pkgsrc/www/php-concrete-cms/distinfo
diff -u pkgsrc/www/php-concrete-cms/distinfo:1.14 pkgsrc/www/php-concrete-cms/distinfo:1.15
--- pkgsrc/www/php-concrete-cms/distinfo:1.14 Fri Dec 19 14:40:27 2025
+++ pkgsrc/www/php-concrete-cms/distinfo Sun Mar 8 13:24:26 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.14 2025/12/19 14:40:27 taca Exp $
+$NetBSD: distinfo,v 1.15 2026/03/08 13:24:26 taca Exp $
-BLAKE2s (concrete-cms-9.4.7.zip) = 0434637a9cc112ef1b77e940c300d57fdc88a72ee21dbf18669a23bb48655553
-SHA512 (concrete-cms-9.4.7.zip) = a2df4eca4e00ba1d04ba3d917800f8d9fa0ad797e9f7ccf2fe27a6b5850bab058cebebcf77fc505628add93fa737b5b3d280a109d66a4f24be7c0db3a5cc7e26
-Size (concrete-cms-9.4.7.zip) = 76788547 bytes
+BLAKE2s (concrete-cms-9.4.8.zip) = 40a1b35e4bf99b19c3f0af344654c12aa4488d277f7f7fb497a14977e9aceca8
+SHA512 (concrete-cms-9.4.8.zip) = 663c1d8ce2eca371e08a9e1cc0422cb7575b8ef5749874d94fdbd0498598f825caff1810e7c7a43924e8c26852a8ff070b2287bb1b7ee99f22387365561ee698
+Size (concrete-cms-9.4.8.zip) = 76801242 bytes
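
The CVE-2026-3452 entry in the log message above names two controls that were missing when stored block configuration reached unserialize(): class restrictions and integrity checks. The PHP below is an added example showing both controls together; it is not code from this commit or from Concrete CMS. The function names and key handling are hypothetical, and only the field names columns and filterFields come from the log.

```php
<?php
declare(strict_types=1);
// Hypothetical helper names and key handling; not Concrete CMS functions. The pattern
// the changelog describes is a bare unserialize($stored) on a stored field.

// Write side: serialize plain arrays only and bind them to a server-side key.
function sealConfig(array $config, string $key): string
{
    $payload = serialize($config);
    return hash_hmac('sha256', $payload, $key) . ':' . $payload;
}

// True if any object survives decoding. With allowed_classes=false objects
// decode to __PHP_Incomplete_Class, which is_object() reports on PHP >= 7.2.
function containsObject($value): bool
{
    if (is_object($value)) {
        return true;
    }
    foreach (is_array($value) ? $value : [] as $item) {
        if (containsObject($item)) {
            return true;
        }
    }
    return false;
}

// Read side: integrity check, then class restriction, then a shape check.
function loadConfig(string $stored, string $key): array
{
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2 || !hash_equals(hash_hmac('sha256', $parts[1], $key), $parts[0])) {
        throw new UnexpectedValueException('integrity check failed');
    }
    $value = unserialize($parts[1], ['allowed_classes' => false]);
    if (!is_array($value) || containsObject($value)) {
        throw new UnexpectedValueException('stored value is not a plain array');
    }
    return $value;
}

// Constructed sample data.
$key = random_bytes(32);
$sealed = sealConfig(['columns' => ['name', 'date'], 'filterFields' => []], $key);
var_dump(loadConfig($sealed, $key)['columns']);
try {
    loadConfig(str_replace('name', 'nam3', $sealed), $key); // edited after sealing
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Where the stored value only ever holds arrays and scalars, storing it with json_encode() and reading it with json_decode() removes the object-instantiation surface altogether.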