Date:      Sun, 13 Mar 2016 14:39:51 +0000 (UTC)
From:      Jason Unovitch <junovitch@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r410971 - head/security/vuxml
Message-ID:  <201603131439.u2DEdpsd034705@repo.freebsd.org>

Author: junovitch
Date: Sun Mar 13 14:39:50 2016
New Revision: 410971
URL: https://svnweb.freebsd.org/changeset/ports/410971

Log:
  Expand February PHP entry with extra CVE and all security bugs on changelog
  
  Security:	CVE-2016-2554
  Security:	https://vuxml.FreeBSD.org/freebsd/85eb4e46-cf16-11e5-840f-485d605f4717.html

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Sun Mar 13 13:56:44 2016	(r410970)
+++ head/security/vuxml/vuln.xml	Sun Mar 13 14:39:50 2016	(r410971)
@@ -2497,14 +2497,18 @@ Notes:
   </vuln>
 
   <vuln vid="85eb4e46-cf16-11e5-840f-485d605f4717">
-    <topic>php -- pcre vulnerability</topic>
+    <topic>php -- multiple vulnerabilities</topic>
     <affects>
       <package>
 	<name>php55</name>
+	<name>php55-phar</name>
+	<name>php55-wddx</name>
 	<range><lt>5.5.32</lt></range>
       </package>
       <package>
 	<name>php56</name>
+	<name>php56-phar</name>
+	<name>php56-wddx</name>
 	<range><lt>5.6.18</lt></range>
       </package>
     </affects>
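Review bot: The `<affects>` list still names only the 5.5 and 5.6 branches (now with their phar and wddx extension packages), and nothing visible in this hunk shows whether any other PHP branch packaged in the ports tree that received the same upstream fixes is covered by a separate entry. Because `pkg audit` matches on package name and version range, a branch absent from every entry would be reported as clean. If such a branch is affected, add a `<package>` block for it, for example `<name>php70</name>` with `<range><lt>FIXED_VERSION_PLACEHOLDER</lt></range>` (placeholder, to be taken from the upstream changelog); otherwise no change is needed. The `<vuln>` element continues past the end of this hunk.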
@@ -2512,11 +2516,32 @@ Notes:
       <body xmlns="http://www.w3.org/1999/xhtml">;
 	<p>PHP reports:</p>
 	<blockquote cite="http://php.net/ChangeLog-5.php#5.6.18">;
-	  <ul><li>PCRE:
+	  <ul><li>Core:
 	  <ul>
-	  <li>Upgraded bundled PCRE library to 8.38.(CVE-2015-8383,
-	   CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390,
-	   CVE-2015-8391, CVE-2015-8393, CVE-2015-8394)</li>
+	    <li>Fixed bug #71039 (exec functions ignore length but look for NULL
+	      termination).</li>
+	    <li>Fixed bug #71323 (Output of stream_get_meta_data can be
+	      falsified by its input).</li>
+	    <li>Fixed bug #71459 (Integer overflow in iptcembed()).</li>
+	  </ul></li>
+	  <li>PCRE:
+	  <ul>
+	    <li>Upgraded bundled PCRE library to 8.38.(CVE-2015-8383,
+	      CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390,
+	      CVE-2015-8391, CVE-2015-8393, CVE-2015-8394)</li>
+	  </ul></li>
+	  <li>Phar:
+	  <ul>
+	    <li>Fixed bug #71354 (Heap corruption in tar/zip/phar parser).</li>
+	    <li>Fixed bug #71391 (NULL Pointer Dereference in
+	      phar_tar_setupmetadata()).</li>
+	    <li>Fixed bug #71488 (Stack overflow when decompressing tar
+	      archives). (CVE-2016-2554)</li>
+	  </ul></li>
+	  <li>WDDX:
+	  <ul>
+	    <li>Fixed bug #71335 (Type Confusion in WDDX Packet
+	      Deserialization).</li>
 	  </ul></li>
 	  </ul>
 	</blockquote>
@@ -2531,12 +2556,14 @@ Notes:
       <cvename>CVE-2015-8391</cvename>
       <cvename>CVE-2015-8393</cvename>
       <cvename>CVE-2015-8394</cvename>
+      <cvename>CVE-2016-2554</cvename>
       <url>http://php.net/ChangeLog-5.php#5.6.18</url>;
       <url>http://php.net/ChangeLog-5.php#5.5.32</url>;
     </references>
     <dates>
       <discovery>2016-02-04</discovery>
       <entry>2016-02-09</entry>
+      <modified>2016-03-13</modified>
     </dates>
   </vuln>
 
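Review bot: The `<references>` block gains only `CVE-2016-2554`, so the other fixes added to the description in this commit (for example bug #71354 heap corruption, #71335 type confusion and #71459 integer overflow) can be found only through the free-text `<body>`. Tooling that correlates advisories by `<cvename>` or `<url>` will not surface them. Consider adding per-bug references next to the two changelog URLs, e.g. `<url>https://bugs.php.net/bug.php?id=71354</url>`, and adding further `<cvename>` elements if identifiers are later assigned, bumping `<modified>` again when that happens.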


