head 1.19;
access;
symbols
pkgsrc-2026Q1:1.19.0.2
pkgsrc-2026Q1-base:1.19
pkgsrc-2025Q4:1.16.0.2
pkgsrc-2025Q4-base:1.16
pkgsrc-2025Q3:1.13.0.2
pkgsrc-2025Q3-base:1.13
pkgsrc-2025Q2:1.10.0.2
pkgsrc-2025Q2-base:1.10
pkgsrc-2025Q1:1.9.0.2
pkgsrc-2025Q1-base:1.9
pkgsrc-2024Q4:1.6.0.4
pkgsrc-2024Q4-base:1.6
pkgsrc-2024Q3:1.6.0.2
pkgsrc-2024Q3-base:1.6
pkgsrc-2024Q2:1.5.0.2
pkgsrc-2024Q2-base:1.5
pkgsrc-2024Q1:1.2.0.2
pkgsrc-2024Q1-base:1.2;
locks; strict;
comment @# @;
1.19
date 2026.03.08.13.24.26; author taca; state Exp;
branches;
next 1.18;
commitid lC2I4Qgx9jYBRaxG;
1.18
date 2026.02.23.15.51.32; author taca; state Exp;
branches;
next 1.17;
commitid gWy71HXrEry06wvG;
1.17
date 2026.01.08.14.17.49; author taca; state Exp;
branches;
next 1.16;
commitid qwDbt1vPaQtr3BpG;
1.16
date 2025.12.19.14.40.27; author taca; state Exp;
branches;
next 1.15;
commitid P8rBkOiSFMP8P1nG;
1.15
date 2025.11.11.13.46.55; author taca; state Exp;
branches;
next 1.14;
commitid NHCWfj369pCvK8iG;
1.14
date 2025.10.22.16.16.47; author taca; state Exp;
branches;
next 1.13;
commitid fQfHcVU0BEhCdAfG;
1.13
date 2025.09.15.14.43.34; author taca; state Exp;
branches;
next 1.12;
commitid 4yYvV9fnZKixTOaG;
1.12
date 2025.08.11.16.14.33; author taca; state Exp;
branches;
next 1.11;
commitid 8BJm8leRLlGuwk6G;
1.11
date 2025.07.26.06.53.53; author taca; state Exp;
branches;
next 1.10;
commitid JH2wCcyPRkB3Wd4G;
1.10
date 2025.06.05.13.54.35; author taca; state Exp;
branches;
next 1.9;
commitid z5CeChnSoGa1UHXF;
1.9
date 2025.02.08.04.04.40; author taca; state Exp;
branches;
next 1.8;
commitid T6VbuRYrMq2OoCIF;
1.8
date 2025.01.29.15.17.43; author taca; state Exp;
branches;
next 1.7;
commitid cyzVvWHOS34jroHF;
1.7
date 2025.01.19.14.10.02; author taca; state Exp;
branches;
next 1.6;
commitid IJzOTAYEfNrlo6GF;
1.6
date 2024.08.20.14.38.05; author taca; state Exp;
branches;
next 1.5;
commitid Nt5JFsQByEhQqzmF;
1.5
date 2024.06.05.16.17.03; author taca; state Exp;
branches;
next 1.4;
commitid rQxGMjLlW7LiqOcF;
1.4
date 2024.05.12.14.36.46; author taca; state Exp;
branches;
next 1.3;
commitid 9zWKC2lOmOXFDI9F;
1.3
date 2024.04.07.13.59.05; author taca; state Exp;
branches;
next 1.2;
commitid eCmyc9DBmouxyd5F;
1.2
date 2024.03.10.14.40.26; author taca; state Exp;
branches
1.2.2.1;
next 1.1;
commitid OqnAXrpgwwyvGC1F;
1.1
date 2024.02.26.15.06.27; author taca; state Exp;
branches;
next ;
commitid MiNmIvcCpfEVeXZE;
1.2.2.1
date 2024.04.11.15.10.42; author bsiegert; state Exp;
branches;
next ;
commitid rp4ke1xCCOAaPJ5F;
desc
@@
1.19
log
@www/php-concrete-cms: update to 9.4.8
9.4.8 (2026-03-03)
Behavioral Improvements
* Improved performance on sites with large amounts of permission
assignments.
Security Updates
* All security fixes below are for Concrete CMS version 9 only. There will
be no fixes for version 8.
* Fixed CVE-2026-3452 by making columns and filterFields start from empty
with commit 1286. Prior to the fix, an authenticated administrator could
store attacker-controlled serialized data in block configuration fields
that are later passed to unserialize() without class restrictions or
integrity checks making Concrete CMS vulnerable to remote code execution.
The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score
of 8.9 with vector
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks
YJK of ZUSO ART for reporting H1 3549050.
* Fixed CVE-2026-3244 with commit 12826 for H1 3542571. Prior to the fix, a
stored cross-site scripting (XSS) vulnerability existed in the search
block where page names and content were rendered without proper HTML
encoding in search results. Authenticated administrators were able to
inject malicious JavaScript through page names which executed when users
searched for and viewed those pages in search results. The Concrete CMS
security team gave this vulnerability a CVSS v.4.0 score of 4.8 with
vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N.
Thanks zolpak for reporting HackerOne 3542571.
* Fixed CVE-2026-3242 with commit 12826 for H1 3451125 to prevent
administrators from being able to add stored XSS via the Switch Language
block. The Concrete CMS security team gave this vulnerability a CVSS
v.4.0 score of 4.8 with vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks
M3dium for reporting HackerOne 3451125.
* Fixed CVE-2026-3241 with commit 12826 for H1 3456482 to prevent
administrators from being able to add cross-site scripting (XSS) into the
options of a multiple-choice question (Checkbox List, Radio Buttons, or
Select Box) in the "Legacy Form" block. The Concrete CMS security team
gave this vulnerability a CVSS v.4.0 score of 4.8 with vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks
M3dium for reporting H1 3456482.
* Fixed CVE-2026-3240 with commit 12826 for H1 3451114 to prevent an editor
from being able to use the Question field in the element Legacy form from
being able to inject stored XSS. The Concrete CMS security team gave this
vulnerability a CVSS v.4.0 score of 4.8 with vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks
minhnn42, namdi, and quanlna2 from VCSLab-Viettel Cyber Security for
reporting H1 3451114.
* Fixed CVE-2026-2994 with commit 12826 for H1 3437650 to ensure the CSRF
token is checked before changes to the group_id parameter are saved when
using the Anti-Spam Allowlist Group Configuration. The Concrete CMS
security team gave this vulnerability a CVSS v.4.0 score of 2.3 with
vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N.
Thanks z3rco for reporting H1 3437650.
@
text
@# $NetBSD: Makefile,v 1.18 2026/02/23 15:51:32 taca Exp $
#
DISTNAME= concrete-cms-${GITHUB_RELEASE}
PKGNAME= ${PHP_PKG_PREFIX}-${DISTNAME}
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_GITHUB:=concretecms/}
GITHUB_PROJECT= concretecms
GITHUB_RELEASE= 9.4.8
EXTRACT_SUFX= .zip
MAINTAINER= pkgsrc-users@@NetBSD.org
HOMEPAGE= https://www.concretecms.org/
COMMENT= Concrete CMS, Open source Content Management System
LICENSE= mit
DEPENDS+= ${PHP_PKG_PREFIX}-pdo_mysql>=${PHP_BASE_VERS}:../../databases/php-pdo_mysql
DEPENDS+= ${PHP_PKG_PREFIX}-gd>=${PHP_BASE_VERS}:../../graphics/php-gd
DEPENDS+= ${PHP_PKG_PREFIX}-curl>=${PHP_BASE_VERS}:../../www/php-curl
DEPENDS+= ${PHP_PKG_PREFIX}-zip>=${PHP_BASE_VERS}:../../archivers/php-zip
DEPENDS+= ${PHP_PKG_PREFIX}-iconv>=${PHP_BASE_VERS}:../../converters/php-iconv
DEPENDS+= ${PHP_PKG_PREFIX}-mbstring>=${PHP_BASE_VERS}:../../converters/php-mbstring
DEPENDS+= ${PHP_PKG_PREFIX}-pecl-mcrypt>=1.0.0:../../security/php-pecl-mcrypt
SUPERSEDES+= ${PHP_PKG_PREFIX}-concrete5-[0-9]*
PHP_VERSIONS_ACCEPTED= 82 83 84
# Avoid unzip's warning
EXTRACT_OPTS_ZIP= -qo
USE_LANGUAGES= # none
NO_BUILD= yes
USE_TOOLS+= pax
BUILD_DEFS+= APACHE_GROUP APACHE_USER
CC_DOCDIR?= share/doc/${PHP_PKG_PREFIX}/concrete-cms
CC_WEBDIR?= share/${PHP_PKG_PREFIX}/concrete-cms
INSTALLATION_DIRS= ${CC_WEBDIR} ${CC_DOCDIR}
OWN_DIRS_PERMS+= ${CC_WEBDIR}/application/config ${APACHE_USER} ${APACHE_GROUP} 0770
OWN_DIRS_PERMS+= ${CC_WEBDIR}/packages ${APACHE_USER} ${APACHE_GROUP} 0775
PKG_GROUPS= ${APACHE_GROUP}
PKG_USERS= ${APACHE_USER}:${APACHE_GROUP}
PKG_USERS_VARS= APACHE_USER
PKG_GROUPS_VARS= APACHE_GROUP
FILES_SUBST+= WWWGRP=${APACHE_GROUP} WWWOWN=${APACHE_USER} \
CC_WEBDIR=${CC_WEBDIR}
PLIST_SUBST+= CC_DOCDIR=${CC_DOCDIR} CC_WEBDIR=${CC_WEBDIR}
PRINT_PLIST_AWK+= /^${CC_DOCDIR:S|/|\\/|g}/ \
{ gsub(/${CC_DOCDIR:S|/|\\/|g}/, "$${CC_DOCDIR}") }
PRINT_PLIST_AWK+= /^${CC_WEBDIR:S|/|\\/|g}/ \
{ gsub(/${CC_WEBDIR:S|/|\\/|g}/, "$${CC_WEBDIR}") }
pre-install:
cd ${WRKSRC} && ${FIND} . -type f -exec ${CHMOD} -x {} \;
cd ${WRKSRC} && ${RMDIR} application/config packages || ${TRUE}
do-install:
cd ${WRKSRC} && ${FIND} . -type f \! -name '*.orig' -print | \
pax -rw ${DESTDIR}${PREFIX}/${CC_WEBDIR}
${INSTALL_DATA} ${FILESDIR}/README ${DESTDIR}${PREFIX}/${CC_DOCDIR}
.include "../../lang/php/phpversion.mk"
.include "../../mk/bsd.pkg.mk"
@
1.18
log
@www/php-concrete-cms: allow php84
Concrete CMS 9.4 already supports PHP 8.4.
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.17 2026/01/08 14:17:49 taca Exp $
d9 1
a9 1
GITHUB_RELEASE= 9.4.7
@
1.17
log
@Remove reference to php81.
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.16 2025/12/19 14:40:27 taca Exp $
d27 1
a27 1
PHP_VERSIONS_ACCEPTED= 82 83
@
1.16
log
@www/php-concrete-cms: update to 9.4.7
9.4.7 (2025-12-02)
Behavioral Improvements
* YouTube block view now contains iframe code to help YouTube render better
under certain stricter web server settings (thanks MarcoKuoni)
* We now define operation IDs for API endpoints (thanks hissy)
* On the Dashboard > Database Entities page we now show entities that are
defined using PHP attributes (not just entities) (thanks mlocati)
Bug Fixes
* Fixed: Conversations file attachment icons and file attachment area are
not formatted properly.
* Fixed: conversation loader shows properly.
* Fixed: The close "X" of Workflow pop-up only has Atomik css & doesn't show
up in other theme
* Fixed: Subscribe to Conversation "X" button does Unsubscribe/Subscribe
button action
* Fixed incorrect edit profile validation on username.
* Fixed inability to rename a form block's name through the block editing
dialog once it has been added to the page.
* Fixed bug when regional jQuery UI languages did not load in time (thanks
mlocati)
Developer Updates
* Updated dependencies to their latest minor versions.
Security Updates
* Patched Symfony Foundation libraries to resolve this security issue:
https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass
* Updated enshrined/svg-sanitized, which improves security scanning of SVG
files (see https://www.cve.org/CVERecord?id=CVE-2025-55166).
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.15 2025/11/11 13:46:55 taca Exp $
d27 1
a27 1
PHP_VERSIONS_ACCEPTED= 81 82 83
@
1.15
log
@www/php-concrete-cms: update to 9.4.6
9.4.6 (2025-11-04)
New Features
* We now check whether the web server appears to be properly configured to
support pretty URLs on the URLs and Redirection Dashboard page, and
present warnings to the user prior to allowing them to set this
configuration value if it appears that it will cause their site to cease
rendering (thanks mlocati)
Behavioral Improvements
* Added additional logging to pages, files, Express entries/objects, and
calendar events.
* The "Remove Old Page Versions" task is now more efficient and handles
larger data sets much more reliably (thanks biplobice)
* We now show seconds in the log entry timestamp.
* We now only redirect requests to URLs where trailing slash settings don’t
match when using GET requests, rather than all requests (thanks
JohnTheFish)
Bug Fixes
* Fixed bug that caused container instances in the database to be deleted
and recreated on each page load, potentially dramatically increasing DB
usage on pages where containers were used.
* Fixed bug where reordering Express entries on associations didn’t work
under certain conditions.
* Fixed: Can not go to pages on other sites from sitemap panel when using
multisite (thanks hissy)
* Fixed inability to retrieve group details over the REST API.
* Fixed: ClassNotFoundError on accessing open api spec (thanks hissy)
* Fixed: When using multisite, page drafts can be created within the wrong
site (thanks hissy)
* Fixed bug where Page List block pagination interface was buggy after
update to 9.4.5 under certain conditions.
* Fixed: When you hover over the tooltip icon near Image hover of Image
Block, the tooltip does not appear (thanks SashaMcr)
* Miscellaneous PHP8 fixes and code cleanup (thanks biplobice)
* Made some untranslatable strings translatable (thanks wtflm)
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.14 2025/10/22 16:16:47 taca Exp $
d9 1
a9 1
GITHUB_RELEASE= 9.4.6
@
1.14
log
@www/php-concrete-cms: update to 9.4.5
9.4.5 (2025-10-7)
Behavioral Improvements
* We now no longer wrap Grid Framework-based layouts in an extra row and
column class.
* Fixed some UI quirks when mousing over table-based list views in the
Dashboard.
Bug Fixes
* Fixed: pages with editing canonical URLs are not correctly marked as in trash.
* Fixed: Nesting "Free-Form Layout" type Areas/Layouts breaks honouring the
"Spacing" value
* Fixed: 5xx Server Error for calendar RSS feed.
* Fixed bug where privacy policy accept banner appeared strangely on the
Stacks Dashboard page.
* Fixed bug where adding blocks to areas in the Dashboard Welcome screen
would only allow you to add one block, and then you would be forced to
reload the page.
* Fixed bug where saving theme customizations could force custom CSS dialog
to render multiple times.
* Fixed notice error when configuring legacy themes.
Developer Updates
* $controller->buildRedirect(...) can now take a page object as its first
argument (thanks mnakalay)
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.13 2025/09/15 14:43:34 taca Exp $
d9 1
a9 1
GITHUB_RELEASE= 9.4.5
@
1.13
log
@www/php-concrete-cms: update to 9.4.4
9.4.4 (2025-09-02)
New Features
* Renamed "Automated Logout" Dashboard page to "Logout Options"; added
options to the Dashboard page to control whether users see an explicit
logout message when they log out.
* Added an option to log stack traces of uncaught exceptions, available in
the Logging Settings Dashboard page (thanks mlocati)
Behavioral Improvements
* We now do a better job of keeping the current page in edit mode while
you're actively making changes to the page without it timing out (thanks
mlocati)
* Improvements to Page List blocks when dealing with large data sets of
pages and not ignoring permissions (thanks hissy)
* Improvements to button display in composer form and page versions panel
when a page version has already been submitted to workflow (thanks hissy).
* Images placed in the Hero Image block will now preload with a tag
in the header, improving performance scores in webmaster tools (thanks
hissy)
Bug Fixes
* Fixed bug where a user encounters an error when attempting to add a Form
to a page via the Express Form block (thanks mlocati)
* Fixed: Express Entry Detail Block not returning results in version 9.4.3
(thanks mlocati)
* Fixed bug where certain web server configurations coupled with
non-standard web requests could result in pages rendering with incorrect
JS/CSS paths. Coupled with full page caching and a request could result
in a cached page with broken assets.
* Fixed: Default HTTP client options found in config/app.php were old and
mostly not properly honored. Now new proper config options and default
values are provided (thanks ArniPL)
* Fixed display bug in Chrome and possibly other browsers where the first
click on a block in a page would briefly highlight the block with an
opaque color, instead of the semi-transparent green it should.
* Fixed PHP warnings in Text encoding service (thanks mlocati)
* Fixed bug where filtering users by certain groups could return incorrect
users if the group names were similar (thanks mlocati)
* Fix the behavior of sitemap selector not working for level 3 and lower
when working with the selectFromSitemap or selectMultipleFromSitemap
methods in the PageSelector class (thanks parasek)
* Fixed: multiple instances of the Social Links attribute do not work on a
user profile page.
* Fixed: Folder Name is not sorted correctly in document library (thanks
SashaMcr)
* Fixed many bugs and inconsistencies when importing and export attributes
as CIF XML (thanks mlocati)
* Fixed JavaScript error in Express Search Form: $(...).datepicker is not a
function when using a date/time attribute with an Express List block
(thanks hissy)
* Fixed bug where "Display in browser" option was still forcing files to
download when using the Document Library (thanks hissy)
* Fixed: LinkAbstractor::export does not export concrete-picture element
correctly (thanks hissy)
* Avoid multiline comments in i18n comments (thanks mlocati)
* Fixed: "undefined" text shown in confirmation modal when removing
permissions in bulk via Page Search
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.12 2025/08/11 16:14:33 taca Exp $
d9 1
a9 1
GITHUB_RELEASE= 9.4.4
@
1.12
log
@www/php-concrete-cms: update to 9.4.3
9.4.3 (2025-08-05)
Behavioral Improvements
* Many block types that didn't properly report their file usage to the
Dashboard File Details page now do so (thanks mlocati)
* RSS Feeds created and listed in the Dashboard now include a convenience
link to view the contents of the feed (thanks Mesuva)
* Force download view_inline will no longer download a file if the file is
not viewable inline, instead it will just return (thanks Allan-macareux)
* When comparing page versions, we will now sort the version IDs to ensure
that you're always comparing old versions to new versions regardless of
the order of query string arguments, and we'll also order the version IDs
in the tab description more sensibly.
* You can now set the background of stack contents in the Dashboard to a
temporary white or black (does not affect content or how its rendered) in
order to assist when working on content that differs from the Dashboard
color scheme (thanks mlocati)
Bug Fixes
* Many bug fixes to the Concrete content import/export system (thanks
mlocati)
* Fixed bug where Concrete proxy settings were not sending URLs that were
https:// through the proxy (thanks hissy)
* Sites that registered a proxy server in the Dashboard will now use that
proxy server when connecting to the marketplace for add-on downloads and
updates (thanks hissy)
* When editing the frontend of a site on mobile, the pages icon in the
toolbar was positioned incorrectly. This is now fixed.
* Fixed error when assigning a new page attribute to multiple pages via Page
Search (thanks danklassen)
* Fixed bug where Option List attributes that were defined through CIF XML
on import or through custom code were not properly assigning to a page.
* Fixed error where leaving a comment larger than 255 characters on a page
version would trigger a database error (thanks SashaMcr)
Developer Updates
* Massive improvements to block import and export, including the ability to
import and export many block types that were not possible (Calendar,
etc…) (thanks mlocati)
* Minor translation improvements (thanks mlocati)
* Certain ancient functions now marked as deprecated since PHP provides
their functionality natively (thanks mlocati)
* We now dispatch the "on_add_canonical_page_path" when adding a canonical
path (thanks biplobice)
* Fixed bug running the c5:ide-symbols console command under certain
conditions (thanks mlocati)
Security Fixes
* Fixed CVE-2025-8571 Reflected XSS in Conversation Messages Dashboard Page
by adding more sanitization to the Url::setVariable method with commit
12643 for version 9 and commit 12646 for version 8. The Concrete CMS
security team gave this vulnerability a CVSS v.4.0 score of 4.8 with
vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N.
Unsanitized input could cause theft of session cookies or tokens,
defacement of web content, redirection to malicious sites, and (if victim
is an admin), the execution of unauthorized actions. Thanks Fortbridge
for performing a penetration test and vulnerability assessment on Concrete
CMS and reporting this issue.
* Fixed CVE-2025-8573 Stored XSS from Home Folder on Members Dashboard page
with commit 12643. The Concrete CMS security team gave this vulnerability
a CVSS v.4.0 score of 2.8 with vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. A rogue
admin could set up a malicious folder containing XSS to which users could
be directed upon login. Version 8 is not affected. Thanks sealldev for
reporting HackerOne 3145536.
* Fixed inconsistent behavior when using the rich text editor. Before the
fix, users pasting HTML into the "content" pane of the rich text editor
and saving the content resulted in HTML-escaped versions of the content.
Note that re-saving it would then save it as HTML.
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.11 2025/07/26 06:53:53 taca Exp $
d9 1
a9 1
GITHUB_RELEASE= 9.4.3
@
1.11
log
@www/php-concrete-cms: update to 9.4.2
9.4.2 (2025-07-01)
Behavioral Improvements
* File Chooser will now remember the last tab you had selected (in addition
to the current behavior of allowing site-wide setting of Recent Files or
File Manager as the default option.)
* Updated certain color values in Atomik theme skins to make them conform
better to accessibility guidelines.
* Updated certain Dashboard interfaces to look better in Dark mode.
* SVG thumbnails and detail images are now properly displayed in the File
Manager (thanks mnakalay)
* When a block that is exported has custom design properties, we now only
include the values that are set, rather than a potentially large amount of
empty XML nodes (thanks mlocati)
* Added the ability to disable automatic board regeneration using Board
Settings.
Bug Fixes
* Fixed errors that would occur when attempting to regenerate or schedule
custom board elements without new Board Instance Logging enabled.
* Fixed fatal error that would occur if OpenGraph support is enabled but
rendered on a view where no page is present (thanks mlocati)
* Searching file sets in the bulk add to file set dialog now works again.
* File Tracker feature now correctly notes when files are referenced in rich
text content (thanks mlocati)
* Fixed bug where stack menu in the Dashboard didn’t show up on mobile
(thanks SashaMcr)
* Fixed weird padding on add pages menu item on mobile in the Dashboard.
* Fixed appearance glitches in certain dialogs due to the way that jQuery UI
dialog changed appending CSS classes to HTML elements.
* Fixed error where a page without an active version appearing in the Top
Navigation Bar would cause a sitewide error.
* Fixed links not appearing properly in Concrete dialogs.
* Fixed error where files identified by a UUID would not be exported
properly when using the Migration Tool (thanks mlocati)
* Fixed: Express Form - admin can check off notifications and not enter an
email address (thanks danklassen)
* Fixed occasional, unexplained errors when saving the Tags block.
* Tags block now shows the tag selector again when applying tags to the
target page when choosing a specific page.
* Reverted page list performance improvement that actually degraded
performance under certain conditions.
* Fixed: Scheduled Publication of a page leads to an error in the Top
Navigation block controller
* Bug fixes to exported output of the Feature block type, Feature block type
now uses the standard Destination Picker component for selecting link
(thanks mlocati)
* Fixed Uncaught Exception: Could not convert database value to 'object' as
an error was triggered by the unserialization: 'Return type of
Concrete\Core\Entity\Board\InstanceLogEntry::jsonSerialize() should either
be compatible with JsonSerializable::jsonSerialize(): mixed, or the
#[\ReturnTypeWillChange] attribute should be used to temporarily suppress
the notice' under certain conditions (thanks ahukkanen)
Developer Updates
* Classmap symbols files used by IDEs for Concrete development are now
excluded from Composer (which will result in Composer reporting fewer
errors when running) (thanks mlocati)
* Allow defining custom parent dir for VolatileDirectory by passing
$parentDirectory (thanks mlocati)
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.10 2025/06/05 13:54:35 taca Exp $
d9 1
a9 1
GITHUB_RELEASE= 9.4.2
@
1.10
log
@www/php-concrete-cms: update to 9.4.1
9.4.0 (2025-05-06)
Changes from 9.3.9 are too many to write here, but I mention security
updates here.
Security Updates
* Fixed CVE-2025-0660 Stored XSS in Folder Function by adding sanitization to
the folder selector dropdown output with commit 11bef02 and by fixing
folder deletion issues with commit 7c134e9 for version 9. The "Add
Folder" functionality lacked input sanitization, allowing a rogue admin to
inject XSS payloads as foldernames. The Concrete CMS security team gave
this vulnerability a CVSS v4.0 score of 4.8 with vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. Versions
below 9 are not affected. Thanks, Alfin Joseph for reporting HackerOne
2941432.
* Fixed CVE-2025-3153 CSRF and XSS in the Concrete CMS Address attribute
with commit 12511 for version 9 and with commit 12511 for version 8.5.
Fixed unsanitized address custom attribute when rendering addresses
unattached to a particular country. Attackers are limited to individuals
whom a site administrator has granted the ability to fill in an address
attribute. It is possible for the attacker to glean limited information
from the site but amount and type is restricted by mitigating controls and
the level of access of the attacker. Limited data modification is
possible. The dashboard page itself could be rendered unavailable. The
fix only sanitizes new data uploaded post update to Concrete CMS 9.4.0RC2.
Existing database entries added before the update will still be “live”
if there were successful exploits added under previous versions; a
database search is recommended. The Concrete CMS security team gave this
vulnerability CVSS v.4.0 score of 5.1 with vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L Thanks Myq
Larson for repo...
Please refer
in detail.
9.4.1 (2025-05-12)
Behavioral Improvements
* Correctly initialize HTTP client in FeedService so that it is a singleton (thanks mlocati)
* We now forget pages from the page index when they are moved to the trash.
* Improved performance when using the core translation library to extract strings from templates into .po files (thanks mlocati)
Bug Fixes
* Fixed: User without stack editing permissions can add blocks to global
areas
* User without add stack permission can edit or delete blocks on global
areas
* Fixed: new 9.4 OpenGraph feature doesn't escape characters in page
name/descriptions (thanks mlocati)
* Concrete JS and CSS assets were not properly built in 9.4.0, leading to
some display issues (buttons appearing in a slightly different styling,
etc…) This has been fixed.
* The Gallery block displayed an error when being edited with the default
Atomik sample content under PHP 8.4 and possibly under other
conditions. This was due to an incompatible version of its JS dragging
library being included. This has been fixed.
* Fixed: New 9.4.0 OpenGraph feature not compatible with SVG files
* The Gallery sample content in Atomik displayed extra slides under PHP 8.4
and possibly other conditions. This has been fixed.
Developer Updates
* Add new method to the Seo class and make the class properties protected
from private (thanks biplobice)
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.9 2025/02/08 04:04:40 taca Exp $
d9 1
a9 1
GITHUB_RELEASE= 9.4.1
@
1.9
log
@multiple PHP support
* Use PHP_BASE_VERS in DEPENDS if required.
* Use REPLACE_PHP.
Bump PKGREVISION.
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.8 2025/01/29 15:17:43 taca Exp $
a5 1
PKGREVISION= 1
d9 1
a9 1
GITHUB_RELEASE= 9.3.9
@
1.8
log
@www/php-concrete-cms: allow PHP 8.3
Concrete Version 9 supports PHP 8.3: .
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.7 2025/01/19 14:10:02 taca Exp $
d6 1
@
1.7
log
@www/php-concrete-cms: update to 9.3.9
Changes are too many to write here, please refer release notes:
.
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.6 2024/08/20 14:38:05 taca Exp $
d27 1
a27 1
PHP_VERSIONS_ACCEPTED= 81 82
@
1.6
log
@www/php-concrete-cms: update to 9.3.3
9.3.3 (2024-08-06)
New Features
* There is now an Add Page button when editing a site in mobile view (thanks
hissy)
Behavioral Improvements
* Improved installation speed.
* Viewing a Dashboard user search preset and exporting will now properly
export just the users in those search results (thanks SashaMcr)
* Dialogs and panels do not burst out of small screens when editing on
mobile devices (thanks hissy)
* Allow using "secure" cookies automatically for HTTPS requests (thanks
mlocati)
* We now display the particular user that owns the writable directories on
installation when checking that those directories are writable fails
(thanks mlocati)
* The Express Form block now uses the email HTML input type for email
addresses, enabling better validation (thanks bikerdave)
* Changed the hardcoded "items per page" to a configurable setting in the
file chooser (thanks SashaMcr)
* Fixed: Indexes for text fields removed after refreshing entities (thanks
mlocati)
* Improved suggested nginx rule for enabling pretty URLs (thanks mlocati)
* Switch name of Concrete Monolog Cascade package (thanks bikerdave)
* Better output sanitization in Top Navigation Bar block (thanks hissy)
* Added additional explanation to the version scheduling interface (thanks
KnollElias)
Bug Fixes
* Fix: mobile editing menu hadn’t worked in version 9 (thanks hissy)
* Fixing error: The remote updater throws: "The directory %s already
exists. Perhaps this item has already been installed." when attempting to
run the remote updater.
* Updated verbiage on old featured theme and featured add-on Dashboard
notification blocks, in case they’re installed on some older upgraded
sites.
* Fixed error on some sites when accidentally including a malformed package
in the packages/ directory (thanks mlocati)
* Fixed: Custom topic of page list block doesn't get saved (thanks hissy)
* Fixed: Calendar Events with Versions created by Deleted Users Cannot be
Edited
* Fix type of "length" ORM annotation in SearchResult Health entity (thanks
mlocati)
* Fixed possible errors when using the Switch Language block to switch
languages (thanks biplobice)
* Fixed errors attempting to link over to the marketplace when the Concrete
site in question does not have a public and private marketplace key
(thanks pszostok)
* Fixed: Share this Page "Print" option does not work.
* Removed ID from X sharing service icon, because adding it to the page
multiple times could cause W3C validation to complain (thanks
quentinnorbert0)
* Fixed error where third party library zircote/swagger-php could block
installation of Concrete in Composer installations.
* Fixed error related to lingering version block entries in the database
persisting after they should be deleted under very specific circumstances
(thanks bleenders)
* Fixed: Error thrown when trying to save user attribute under very specific
circumstances (thanks mnakalay)
* Fixed: Foreign key constraint violation when deleting users associated
with Board InstanceSlotRules
Developer Updates
* Translation library parsers can now be customized and extended (thanks
mlocati)
Security Updates
* Fixed CVE-2024-4350 Stored XSS in RSS Displayer with commit 12166 for
version 9 and with commit c08d9671cec4e7afdabb547339c4bc0bed8eab06 for
version 8. Prior to the fix a rogue administrator could inject malicious
code into fields due to insufficient input validation. The Concrete CMS
security team gave this vulnerability a CVSS v3.1 score of 3.0 with a
vector of AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N and a CVSS v4 score of 2.1
with vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks
m3dium for reporting HackerOne 2479824.
* Fixed CVE-2024-4353 Stored XSS in Generate Board Name Input Field commit
12151. Prior to the fix, the name input field does not check the input
sufficiently letting a rogue administrator have the capability to inject
malicious JavaScript code. The Concrete CMS security team gave this
vulnerability a CVSS v3.1 score of 3.1 with a vector of
AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N and a CVSS v4 score of 1.8 with vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Concrete
versions below 9 are not affected by this vulnerability. Thanks fhAnso
for reporting HackerOne 2597394.
* Fixed CVE-2024-7394 Stored XSS in getAttributeSetName() by sanitizing
Board instance names on output with commit 12166 for version 9 and commit
c08d9671cec4e7afdabb547339c4bc0bed8eab06 for version 8. Prior to the fix,
a rogue administrator could inject malicious code. The Concrete CMS team
ranked this a CVSS v3.1 rank of 2 with vector
AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N and a CVSS v4.0 rank of 1.8 with
vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N.
Thanks m3dium for reporting HackerOne 2463288
* Fixed CVE-2024-7512 Stored XSS in Board instances by sanitizing instance
names with commit #12151. Prior to the fix a rogue administrator could
inject malicious code. The Concrete CMS security team gave this
vulnerability a CVSS 4.0 Score of 1.8 with vector:
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Versions
below 9 are not affected. Thanks m3dium for reporting HackerOne 2486344.
* Show a more generic error message in RSS Displayer block if curl is unable
to load posts. Thanks m3dium for recommending this in HackerOne 2479824
* Concrete v.9.3.3 now enforces the Secure Flag for the CONCRETE cookie if a
login request is using https by default. This is in line with industry
best practice. If a site is served over http:// and the guest uses
http:// to log in, the CONCRETE cookie will not have the Secure flag
applied so that the site is usable. Although the patch could not be
applied cleanly to version 8, the Secure Flag setting can be configured
via the dashboard. Since this is a configuration setting, no CVE is being
issued. Thanks Yusuke Uchida for reporting HackerOne 2399192.
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.5 2024/06/05 16:17:03 taca Exp $
d9 1
a9 1
GITHUB_RELEASE= 9.3.3
@
1.5
log
@www/php-concrete-cms: update to 9.3.2
9.3.0 (2024-05-16)
New Features
* Support for the brand-new marketplace found at market.concretecms.com,
featuring auto-connect, free trials on Concrete SAAS, Composer support for
packages, a modern website and much more.
* Added support for webp images as the default thumbnail type when Concrete
auto-generates thumbnails (thanks parasek)
* Added lazy loading as an option for the Image block (thanks parasek)
* Added an option to keep file manager folders at the top of the list of
contents (instead of intermingled with files) (thanks hissy)
* When deleting user groups, users are now presented with an option as to
what to do with child groups. (thanks mlocati)
* Make thumbnails generated by Image Helper SEO-friendly (thanks parasek)
* Atomik is now built on Bedrock 1.5 (Bootstrap 5.3)
* Dashboard theme is now built on Bedrock 1.5 (Bootstrap 5.3)
Behavioral Improvements
* Added a config value to toggle default behavior of "Keep Live Version
Approved"-Toggle-Button (thanks marcokuoni)
* Added a confirm dialog box when cancelling out of the in-page rich text
editor (thanks Mesuva)
* If users are prompted to save the username and password on install, the
proper credentials will be saved for the admin user (thanks mlocati)
* Add attribute key handle next to attribute key name in the page type
composer form add dialog (thanks parasek)
* Allow for setting/altering the User Logged by the Logging Service (Thanks
haeflimi)
* File manager detail page now reloads when the file is swapped (thanks
mlocati)
Bug Fixes
* Fixed: CKEditor Maximize plugin breaks editing when used in a dialog
(thanks mlocati)
* Bug fixes and improvements to Boards (thanks marcokuoni)
* Fixed blank screen that showed when adding blocks to the composer page
type form on first load (thanks parasek)
* Fixed bug where custom styles applied to a global area didn't work.
* Fixed: When a page is re-edited, topics in the child level of the topic
attribute disappear (thanks hissy)
Backward Compatibility Notes
* There has been some refactoring to the core class loaders and autoloaders.
If you work with the autoloader directly or have extended the built-in
Symfony autoloader classes, verify your changes work properly.
* The core themes now rely on Bootstrap 5.3 (Bedrock 1.5).
Developer Updates
* Significant improvements to the core autoloaders (thanks mlocati)
* The Dashboard and CMS are now using Bedrock 1.5 (built from Bootstrap 5.3)
as their basis. This should be minimally invasive, but if some third
party packages are not displaying properly, please verify that their
markup conforms to Bootstrap 5.3.
* Removing trailing / from HTML header elements (thanks marcokuoni)
* Developers can now specify CLI shortcuts for fields added to their tasks,
when they're run via the CLI (thanks KnollElias)
9.3.1 (2024-05-17)
Behavioral Improvements
* 9.3.0 automatically checked and configured a canonical URL on
installation, in order to improve marketplace connection reliability.
This is not actually necessary, as initial marketplace connections do not
require a canonical URL to function, so this behavior has been reverted to
pre-9.3.0.
* When encountering a problem downloading a package, we now report the error
in a nicer presentation.
* If the saving of remote data in a Concrete Site data object in the
marketplace fails, it will fail silently and log the error, instead of
outputting it.
Bug Fixes
* Fixed error when visiting the Dashboard Extend package under PHP 7.
* Fixed some minor marketplace connection errors when not running in UTC.
* Fixed bug where package showed up as ready to download from the
marketplace even when it was already installed
9.3.2 (2024-05-28)
Bug Fixes
* Fixed errors where copying a package after downloading it from the
marketplace would throw an error under certain conditions.
* Moving a stack from Orphan Blocks into the page 500 (thanks JohnTheFish)
* Fixed: Stacks, Containers and Scrapbook blocks makes longer block cache
than block cache setting (thanks hissy)
* Fixed bug where boolean page attributes that are checked by default show
up as checked even if they have previously been saved unchecked (thanks
hissy)
* Fixed error when using workflow under certain conditions in PHP 8+ (thanks
pszostok)
* Fixed: If you use advanced log configuration to set your own logger for
Channels::META_CHANNEL_ALL, this logger gets applied to all core channels.
Therefore you cannot set this at the same time as customising a specific
core channel (thanks bikerdave)
Developer Updates
* Updated scssphp/scssphp to a newer version, tweaking some output of the
theme customizer (thanks mlocati)
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.4 2024/05/12 14:36:46 taca Exp $
d9 1
a9 1
GITHUB_RELEASE= 9.3.2
@
1.4
log
@Drop support for php80 (PHP 8.0).
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.3 2024/04/07 13:59:05 taca Exp $
d9 1
a9 1
GITHUB_RELEASE= 9.2.9
@
1.3
log
@www/php-concrete-cms: update to 9.2.8
9.2.8 (2024-04-02)
Bug Fixes
* Fixed bug where c5:info console command would fail when run on a Concrete
webroot if that webroot was not yet an installed Concrete site.
* Fixed bug where logout link in toolbar would not work when user was logged
in as an editor who could not view the Dashboard (thanks ounziw)
Security Updates
* Created CVE-2024-2753 Stored XSS on the calendar color settings screen and
fixed it with commit 11988. Prior to the fix, a rogue administrator could
put malicious javascript on the Concrete CMS color setting screen which
would have been triggered by and affected users who accessed
the color settings screen. The Concrete CMS security team gave this
vulnerability a CVSS v3.1 score of 2.0 with a vector of
AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
Thank you Rikuto Tauchi for reporting HackerOne 2433383.
* Created CVE-2024-3178 Cross-site Scripting (XSS) - Advanced File Search
Filter and fixed it with commit 11988 for version 9 and commit 11989 for
version 8. Prior to the fix, a rogue administrator could add malicious
code in the file manager because of insufficient validation of
administrator provided data. All administrators have access to the File
Manager and hence could create a search filter with the malicious code
attached. The Concrete CMS security team gave this vulnerability a CVSS
v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L
Thank you Guram (javakhishvili) for reporting HackerOne 949443
* Created CVE-2024-3179 Stored XSS in the Custom Class page editing and
fixed it with commit 11988 for version 9 and commit 11989 for version 8.
Prior to the fix, a rogue administrator could insert malicious code in the
custom class field due to insufficient validation of administrator
provided data. Concrete CMS versions 9.2.8 and 8.5.13 no longer allow any
non-alphanumeric characters in this CSS class. The Concrete CMS security
team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of
AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L Thank you Alexey Solovyev for
reporting HackerOne 918129.
* Created and fixed [CVE-2024-3180]
(https://nvd.nist.gov/vuln/detail/CVE-2024-3180). Prior to the fix, stored XSS
could be executed by a rogue administrator adding malicious code to the
link-text field when creating a block of type file. Fixed with commit
11988 for version 9 and commit 11989 for version 8. The Concrete CMS
security team gave this vulnerability a CVSS v3.1 score of 3.1 with a
vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L Thank you Alexey Solovyev
for reporting HackerOne 903356
* Created CVE-2024-3181 Stored XSS in the Search Field. Prior to the fix,
stored XSS could be executed by an administrator changing a filter to
which a rogue administrator had previously added malicious code. The
Concrete Team fixed this with commit 11988 for version 9 and commit 11989
for version 8. Thank you Alexey Solovyev for reporting HackerOne 918142
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.2 2024/03/10 14:40:26 taca Exp $
d9 1
a9 1
GITHUB_RELEASE= 9.2.8
d27 1
a27 1
PHP_VERSIONS_ACCEPTED= 80 81 82
@
1.2
log
@www/php-concrete-cms: update to 9.2.7
* pkgsrc change: use PHP_BASE_VERS for dependency to PHP.
9.2.7 (2024-03-05)
Behavioral Improvements
* Improved display of certain UI elements when Concrete was used with
non-Bedrock/Bootstrap themes.
* Back to Website button in Dashboard now uses the vanity URL instead of the
cID URL (Thanks JohnTheFish)
* Add db charset and collation to environment report (thanks JohnTheFish)
Bug Fixes
* Fixed: Time selector in the calendar event dialog not showing all times.
* Fixed: Undefined array key "value"' in
/concrete/attributes/date_time/controller.php under PHP 8.
* Fixed: Undefined array key 0' in
/concrete/blocks/calendar_event/controller.php:224 under PHP 8.
* Fix pagination not working in clipboard side panel (thanks
quentinnorbert0)
* Fix double encoding when displaying page template name (thanks
quentinnorbert0)
* Fixed inability to clear date/time attributes using the built-in HTML
datepicker clear link.
* Fixed bug when attempting to do an advanced search by time in the Logs
(thanks Quentin-Gach)
* Fixed error where including an ampersand in your site name would cause it
to be displayed as & in your site browser title.
* Fixed: Undefined property: Concrete\Block\Survey\Controller::$cID' in
/concrete/blocks/survey/controller.php:206 under PHP 8.
* Fixed: Undefined variable $fID' in
/concrete/single_pages/download_file.php:23 under certain conditions in
PHP 8.
* Fixed error when attempting to log values that were non-scalar (thanks
JohnTheFish)
Security Updates
* Fixed CVE-2024-2179 Stored XSS in the Name field of a Group type with
commit 11965. A rogue administrator could inject malicious code into the
Name field of a Group type which might be executed when users visit the
affected page because of insufficient validation of administrator provided
data. The Concrete CMS Security team scored this 2.2 with CVSS v3 vector
AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N. Concrete versions below 9 do not
include group types so they are not affected by this vulnerability.
Thanks Luca Fuda for reporting HackerOne 2383192.
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.1 2024/02/26 15:06:27 taca Exp $
d9 1
a9 1
GITHUB_RELEASE= 9.2.7
@
1.2.2.1
log
@Pullup ticket #6845 - requested by taca
www/php-concrete-cms: security fix
Revisions pulled up:
- www/php-concrete-cms/Makefile 1.3
- www/php-concrete-cms/PLIST 1.2
- www/php-concrete-cms/distinfo 1.3
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Apr 7 13:59:05 UTC 2024
Modified Files:
pkgsrc/www/php-concrete-cms: Makefile PLIST distinfo
Log Message:
www/php-concrete-cms: update to 9.2.8
9.2.8 (2024-04-02)
Bug Fixes
* Fixed bug where c5:info console command would fail when run on a Concrete
webroot if that webroot was not yet an installed Concrete site.
* Fixed bug where logout link in toolbar would not work when user was logged
in as an editor who could not view the Dashboard (thanks ounziw)
Security Updates
* Created CVE-2024-2753 Stored XSS on the calendar color settings screen and
fixed it with commit 11988. Prior to the fix, a rogue administrator could
put malicious javascript on the Concrete CMS color setting screen which
would have been triggered by and affected users who accessed
the color settings screen. The Concrete CMS security team gave this
vulnerability a CVSS v3.1 score of 2.0 with a vector of
AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
Thank you Rikuto Tauchi for reporting HackerOne 2433383.
* Created CVE-2024-3178 Cross-site Scripting (XSS) - Advanced File Search
Filter and fixed it with commit 11988 for version 9 and commit 11989 for
version 8. Prior to the fix, a rogue administrator could add malicious
code in the file manager because of insufficient validation of
administrator provided data. All administrators have access to the File
Manager and hence could create a search filter with the malicious code
attached. The Concrete CMS security team gave this vulnerability a CVSS
v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L
Thank you Guram (javakhishvili) for reporting HackerOne 949443
* Created CVE-2024-3179 Stored XSS in the Custom Class page editing and
fixed it with commit 11988 for version 9 and commit 11989 for version 8.
Prior to the fix, a rogue administrator could insert malicious code in the
custom class field due to insufficient validation of administrator
provided data. Concrete CMS versions 9.2.8 and 8.5.13 no longer allow any
non-alphanumeric characters in this CSS class. The Concrete CMS security
team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of
AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L Thank you Alexey Solovyev for
reporting HackerOne 918129.
* Created and fixed [CVE-2024-3180]
(https://nvd.nist.gov/vuln/detail/CVE-2024-3180). Prior to the fix, stored XSS
could be executed by a rogue administrator adding malicious code to the
link-text field when creating a block of type file. Fixed with commit
11988 for version 9 and commit 11989 for version 8. The Concrete CMS
security team gave this vulnerability a CVSS v3.1 score of 3.1 with a
vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L Thank you Alexey Solovyev
for reporting HackerOne 903356
* Created CVE-2024-3181 Stored XSS in the Search Field. Prior to the fix,
stored XSS could be executed by an administrator changing a filter to
which a rogue administrator had previously added malicious code. The
Concrete Team fixed this with commit 11988 for version 9 and commit 11989
for version 8. Thank you Alexey Solovyev for reporting HackerOne 918142
@
text
@d1 1
a1 1
# $NetBSD$
d9 1
a9 1
GITHUB_RELEASE= 9.2.8
@
1.1
log
@www/php-concrete-cms: add package version 9.2.6
Concrete CMS is the successor of www/php-concrete5.
Concrete CMS
Concrete CMS is a web content management system designed for creating and
managing websites. Its interface is user-friendly, catering to both novices
and experts.
Concrete is written in PHP and JavaScript and it pulls data from a MySQL
database.
In Concrete CMS, your website is structured as a hierarchy of pages
organized within a sitemap. Each page adheres to a specific Page Type and
utilizes one of its associated Templates. These Templates are PHP files
that combine standard HTML/CSS with dynamic Block Areas. Within Block
Areas, you can insert Blocks, which range from basic HTML Text to advanced
interactive features like forms. Block Areas can be further refined using
Layouts or Containers. While Layouts simply split a block area into
columns, Containers are code-defined and can encompass additional markup and
styling.
* Files
* Users, Groups & Authentication
* Permissions & Workflow
* Attributes
* Packages
@
text
@d1 1
a1 1
# $NetBSD$
d9 1
a9 1
GITHUB_RELEASE= 9.2.6
d17 6
a22 6
DEPENDS+= ${PHP_PKG_PREFIX}-pdo_mysql>=5.3.3:../../databases/php-pdo_mysql
DEPENDS+= ${PHP_PKG_PREFIX}-gd>=5.3.3:../../graphics/php-gd
DEPENDS+= ${PHP_PKG_PREFIX}-curl>=5.3.3:../../www/php-curl
DEPENDS+= ${PHP_PKG_PREFIX}-zip>=5.3.3:../../archivers/php-zip
DEPENDS+= ${PHP_PKG_PREFIX}-iconv>=5.3.3:../../converters/php-iconv
DEPENDS+= ${PHP_PKG_PREFIX}-mbstring>=5.3.3:../../converters/php-mbstring
@