Date: Mon, 22 Aug 2011 17:37:15 -0700 (PDT)
From: Jeremy Chadwick <freebsd@jdc.parodius.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: security-officer@FreeBSD.org, ale@FreeBSD.org
Subject: ports/160013: lang/php5 (5.3.7) should be marked insecure (crypt flaw)
Message-ID: <20110823003715.51E5A102C1A@icarus.home.lan>
Resent-Message-ID: <201108230040.p7N0e66d095290@freefall.freebsd.org>

>Number: 160013
>Category: ports
>Synopsis: lang/php5 (5.3.7) should be marked insecure (crypt flaw)
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Aug 23 00:40:06 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Jeremy Chadwick
>Release: FreeBSD 8.2-STABLE amd64
>Organization:
>Environment:
System: FreeBSD icarus.home.lan 8.2-STABLE FreeBSD 8.2-STABLE #0: Mon Aug 8 07:16:45 PDT 2011 root@icarus.home.lan:/usr/obj/usr/src/sys/X7SBA_RELENG_8_amd64 amd64
>Description:
https://bugs.php.net/bug.php?id=55439
https://threatpost.com/en_us/blogs/serious-crypto-bug-found-php-537-082211
http://developers.slashdot.org/story/11/08/22/2332217/Serious-Crypto-Bug-Found-In-PHP-537

The bug has since been fixed, but the PHP developers are recommending folks wait until 5.3.8 is released. So, 5.3.7 in ports should probably be marked unusable/insecure until then. I'm not sure who maintains security/vuxml updates (group effort?).
>How-To-Repeat:
n/a
>Fix:
There may be a patch available somewhere, but I'm inclined to recommend folks wait until 5.3.8.
>Release-Note:
>Audit-Trail:
>Unformatted: