pkgsrc.se | The NetBSD package collection

Subject: CVS commit: pkgsrc/www/php-concrete-cms
From: Takahiro Kambe
Date: 2024-03-10 15:40:26
Message id: 20240310144026.8EA92FA2A@cvs.NetBSD.org

Log Message:
www/php-concrete-cms: update to 9.2.7

* pkgsrc change: use PHP_BASE_VERS for dependency to PHP.

9.2.7 (2024-03-05)

Behavioral Improvements

* Improved display of certain UI elements when Concrete was used with
  non-Bedrock/Bootstrap themes.

* Back to Website button in Dashboard now uses the vanity URL instead of the
  cID URL (Thanks JohnTheFish)

* Add db charset and collation to environment report (thanks JohnTheFish)

Bug Fixes

* Fixed: Time selector in the calendar event dialog not showing all times.

* Fixed: Undefined array key "value"' in
  /concrete/attributes/date_time/controller.php under PHP 8.

* Fixed: Undefined array key 0' in
  /concrete/blocks/calendar_event/controller.php:224 under PHP 8.

* Fix pagination not working in clipboard side panel (thanks
  quentinnorbert0)

* Fix double encoding when displaying page template name (thanks
  quentinnorbert0)

* Fixed inability to clear date/time attributes using the built-in HTML
  datepicker clear link.

* Fixed bug when attempting to do an advanced search by time in the Logs
  (thanks Quentin-Gach)

* Fixed error where including an ampersand in your site name would cause it
  to be displayed as &amp; in your site browser title.

* Fixed: Undefined property: Concrete\Block\Survey\Controller::$cID' in
  /concrete/blocks/survey/controller.php:206 under PHP 8.

* Fixed: Undefined variable $fID' in
  /concrete/single_pages/download_file.php:23 under certain conditions in
  PHP 8.

* Fixed error when attempting to log values that were non-scalar (thanks
  JohnTheFish)

Security Updates

* Fixed CVE-2024-2179 Stored XSS in the Name field of a Group type with
  commit 11965.  A rogue administrator could inject malicious code into the
  Name field of a Group type which might be executed when users visit the
  affected page because of insufficient validation of administrator provided
  data.  The Concrete CMS Security team scored this 2.2 with CVSS v3 vector
  AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N.  Concrete versions below 9 do not
  include group types so they are not affected by this vulnerability.
  Thanks Luca Fuda for reporting HackerOne 2383192.

Files:

Revision	Action	file
1.2	modify	pkgsrc/www/php-concrete-cms/Makefile
1.2	modify	pkgsrc/www/php-concrete-cms/distinfo