From: Robert Simmons
To: freebsd-security@freebsd.org
Date: Tue, 3 Apr 2012 10:01:15 -0400
Subject: Re: About PHP 5.X in FreeBSD port tree

On Tue, Apr 3, 2012 at 2:54 AM, James Chang wrote:
> Dear Sir,
>
> Thanks for your notice, but there seems no information about
> whether the vulnerabilities about CVE-2011-2483, CVE-2011-4153 and
> CVE-2011-3389 were fixed in FreeBSD port tree (PHP 5.3.10_1) or not?

Looks like CVE-2011-2483 applies to PHP before 5.3.7:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2483

and CVE-2011-4153 applies to 5.3.8:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4153

and CVE-2011-3389 does not apply to PHP AFAIK:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389

Since the version in ports is 5.3.10, I think you're safe. I'm sure
someone will correct me if I'm off the mark.

Personally, I use portaudit to keep it all straight:
http://www.freebsd.org/cgi/url.cgi?ports/ports-mgmt/portaudit/pkg-descr

Additionally, I'm signed up for the digest version of the US-CERT
alerts from here:
http://www.us-cert.gov/cas/signup.html

Pretty good because it shows right in the second column of the report
what versions are affected.

Cheers!
Rob