Date:      Mon, 22 Aug 2011 17:37:15 -0700 (PDT)
From:      Jeremy Chadwick <freebsd@jdc.parodius.com>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        security-officer@FreeBSD.org, ale@FreeBSD.org
Subject:   ports/160013: lang/php5 (5.3.7) should be marked insecure (crypt flaw)
Message-ID:  <20110823003715.51E5A102C1A@icarus.home.lan>
Resent-Message-ID: <201108230040.p7N0e66d095290@freefall.freebsd.org>

>Number:         160013
>Category:       ports
>Synopsis:       lang/php5 (5.3.7) should be marked insecure (crypt flaw)
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 23 00:40:06 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Jeremy Chadwick
>Release:        FreeBSD 8.2-STABLE amd64
>Organization:
>Environment:
System: FreeBSD icarus.home.lan 8.2-STABLE FreeBSD 8.2-STABLE #0: Mon Aug 8 07:16:45 PDT 2011 root@icarus.home.lan:/usr/obj/usr/src/sys/X7SBA_RELENG_8_amd64 amd64
>Description:
	https://bugs.php.net/bug.php?id=55439
	https://threatpost.com/en_us/blogs/serious-crypto-bug-found-php-537-082211
	http://developers.slashdot.org/story/11/08/22/2332217/Serious-Crypto-Bug-Found-In-PHP-537

	The bug has since been fixed, but the PHP developers are recommending folks
	wait until 5.3.8 is released.  So, 5.3.7 in ports should probably be marked
	unusable/insecure until then.

	I'm not sure who maintains security/vuxml updates (group effort?).
>How-To-Repeat:
	n/a
>Fix:
	There may be a patch available somewhere, but I'm inclined to recommend
	folks wait until 5.3.8.


>Release-Note:
>Audit-Trail:
>Unformatted:


