As in summary: this version is compatible with php-7. Reproducible: Always
Created attachment 464878: ebuild
Also CC'ing security team as this release fixes several security issues.
Thanks for the report.

CVE-2016-9838: Incorrect use of unfiltered data stored to the session on a form validation failure allows for existing user accounts to be modified; to include resetting their username, password, and user group assignments.
https://developer.joomla.org/security-centre/664-20161201-core-elevated-privileges.html

CVE-2016-9836: Inadequate filesystem checks allowed files with alternative PHP file extensions to be uploaded.
https://developer.joomla.org/security-centre/665-20161202-core-shell-upload.html

CVE-2016-9837: Inadequate ACL checks in the Beez3 com_content article layout override enables a user to view restricted content.
https://developer.joomla.org/security-centre/666-20161203-core-information-disclosure.html
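The second advisory above concerns uploads that slip past an extension check because they carry an alternative PHP extension. As an added illustration of the defensive pattern for that class of issue (this is not Joomla's code and not the fix for CVE-2016-9836; the function names and the allowlist are assumptions for the example), an allowlist check that validates every extension segment of the name and then confirms the file's detected MIME type:

```php
<?php
// Added example: allowlist-based upload validation. Not Joomla code and not the
// CVE-2016-9836 patch; names and the allowlist below are assumptions.

// Only these extensions may be stored. A denylist of PHP extensions is
// deliberately avoided: which extensions a server hands to the PHP interpreter
// (.php, .phtml, .php5, ...) differs between installations, so a denylist is
// never complete. Anything not listed here is rejected.
const ALLOWED_UPLOAD_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
const ALLOWED_UPLOAD_MIME       = ['image/jpeg', 'image/png', 'image/gif', 'application/pdf'];

/**
 * Name check: every dot-separated segment after the base name must be in the
 * allowlist, so "image.php.jpg" and "image.phtml" are both rejected. Dotfiles
 * (e.g. ".htaccess") and names without any extension are rejected too.
 */
function isAllowedUploadName(string $filename): bool
{
    $base = basename($filename);            // strip any directory component
    if ($base === '' || $base[0] === '.') {
        return false;                       // empty or hidden file name
    }
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2) {
        return false;                       // no extension at all
    }
    array_shift($parts);                    // drop the base name, keep extensions
    foreach ($parts as $ext) {
        if (!in_array($ext, ALLOWED_UPLOAD_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

/**
 * Content check: the MIME type is detected from the bytes on disk (the
 * temporary upload path), never from the client-supplied Content-Type header.
 */
function isAllowedUploadContent(string $tmpPath): bool
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    return $mime !== false && in_array($mime, ALLOWED_UPLOAD_MIME, true);
}

/**
 * Combined gate for a single $_FILES entry; both checks must pass.
 */
function isAcceptableUpload(array $file): bool
{
    return isset($file['name'], $file['tmp_name'])
        && is_uploaded_file($file['tmp_name'])
        && isAllowedUploadName($file['name'])
        && isAllowedUploadContent($file['tmp_name']);
}

// Usage with constructed names (no files are read for the name check):
var_dump(isAllowedUploadName('photo.jpg'));
var_dump(isAllowedUploadName('page.phtml'));
var_dump(isAllowedUploadName('photo.php.jpg'));
var_dump(isAllowedUploadName('.htaccess'));
```

Whatever the check returns, uploaded files should also be written to a directory that the web server does not map to any script handler, and served back under a server-generated name rather than the name the client supplied; the name check alone is not a substitute for that.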
Changing rating, package has no stable ebuild.
# Thomas Deutschmann <whissi@gentoo.org> (17 May 2017)
# Multiple unpatched security vulnerabilities (see bug #603756, #610696, #612650 ...)
# Removal in 30 days.
www-apps/joomla
May I ask why you are totally masking ALL versions of Joomla and seeking to remove Joomla completely from the portage tree when the aforementioned CVE issues are resolved in a version that Gentoo has chosen not to release in their ebuild (for any/no reason)? My overlay contains the latest version of Joomla and is being masked by your total mask. At the very least, shouldn't your mask be a < 3.6.5 mask since that version is the one that resolved the CVE issue? Thanks for your time and consideration.
All vulnerabilities from this bug are affecting the current Joomla version available within Gentoo repository (www-apps/joomla-3.4.8):

CVE-2016-9838
=============

Affected Installs
-----------------
Joomla! CMS versions 1.6.0 through 3.6.4

Solution
--------
Upgrade to version 3.6.5

CVE-2016-9836
=============

Affected Installs
-----------------
Joomla! CMS versions 3.0.0 through 3.6.4

Solution
--------
Upgrade to version 3.6.5

CVE-2016-9837
=============

Affected Installs
-----------------
Joomla! CMS versions 3.0.0 through 3.6.4

Solution
--------
Upgrade to version 3.6.5

We remove unmaintained packages from time to time, especially when they are vulnerable. So this mask was applied to prepare for package removal and is our last attempt to get some attention from someone actually using the package...

If you are interested in maintaining the package for Gentoo through proxy maintainers project please see https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers#Getting_Started
Thank you Thomas. I fully understand and agree to wanting to remove vulnerable Joomla versions from the official portage tree, and why you'd want to mask the same; I follow why the mask would be set to ALL versions instead of just masking the known vulnerable versions. As a result of the current mask, my overlay is negatively affected even though my overlay does not contain a known vulnerable version of Joomla. Once Joomla is removed from the official portage tree, does the mask remain? If so, would you please consider changing it to only mask versions prior to the release fixing the known vulnerabilities (i.e. <web-apps/joomla-3.6.5) or explain why you can't? Thank you also for the information on being a proxy maintainer. Unfortunately, I do not feel qualified to be an official maintainer of the package for the Gentoo tree. I appreciate your help, your time, and your consideration. --Vance M. Allen
Correction to my first paragraph -- I ^don't^ follow why the mask would be set to ALL versions instead of just masking the known vulnerable versions.
(In reply to Vance M. Allen from comment #9)
> Correction to my first paragraph -- I ^don't^ follow why the mask would be
> set to ALL versions instead of just masking the known vulnerable versions.

We are going to remove the entire package from official Gentoo repository. I understand that this will temporarily affect your repository (because your repository's parent is the Gentoo repository) but this is the default procedure, see https://devmanual.gentoo.org/ebuild-maintenance/#removing-a-package

In other words: In this case we want attention from anyone having a www-apps/joomla package... understand the PMASK like a last desperate call for help. Anyone who cares about www-apps/joomla is encouraged to jump in and help so that this package can stay well maintained in the official repository.

> Once Joomla is removed from the official portage tree, does the mask remain?

No, like you can read in the referenced devmanual:

> 6. Remove package.mask entry

So somewhere between 24-28. June 2017, when we actually will remove the package, we will also remove the mask.

> Thank you also for the information on being a proxy maintainer. Unfortunately,
> I do not feel qualified to be an official maintainer of the package for the
> Gentoo tree.

It is a pity to hear that. But remember, the proxy maintainer project doesn't expect that you are already a perfect maintainer. If you are willing to learn (and have time of course), the project will assist and guide you toward ensuring that your submission meets the standards of the Gentoo QA policy.
commit fe7d7445faf698a716e9f542fdc18b771fa42b6a
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: Sat Jun 17 10:29:26 2017
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: Sat Jun 17 10:39:58 2017

    www-apps/joomla: Remove last-rited pkg