A VuXML entry needs to be added to report vulnerability for CVE-2016-3714. Early reports of this vulnerability disclosure are found here: https://medium.com/@rhuber/imagemagick-is-on-fire-cve-2016-3714-379faf762247#.yqywcwi29 This has been confirmed by the ImageMagick developers, with a work-around published here: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
Created attachment 169972 Patch to add VuXML entry for graphics/ImageMagick multiple vulnerabilities (including "ImageTragick")
A commit references this bug:
Author: kwm
Date: Fri May 6 15:27:50 UTC 2016
New revision: 414710
URL: https://svnweb.freebsd.org/changeset/ports/414710
Log: Document ImageMagick vulnerabilities.
PR: 209241
Submitted by: Ben Woods
Changes: head/security/vuxml/vuln.xml
Koop, Ben, This doesn't look right with PORTEPOCH. Can you check 'pkg audit `make -VPKGNAME -C /usr/ports/graphics/ImageMagick`' actually works for the fixed and unfixed version?
(In reply to Jason Unovitch from comment #3) Indeed, the VuXML entry is missing the PORTEPOCH for graphics/ImageMagick. I believe the change should be: - <range><lt>6.9.3.9_1</lt></range> + <range><lt>6.9.3.9_1,1</lt></range>
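Review bot: the new bound `6.9.3.9_1,1` on the `+` line hard-codes the epoch, so it should be verified rather than assumed: run the `pkg audit` check requested in comment #3 against both an unfixed and the fixed package name before committing. If the same entry carries other `<range>` bounds for ports that have a PORTEPOCH, they need the `,N` suffix as well.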
A commit references this bug:
Author: kwm
Date: Sat May 7 07:30:32 UTC 2016
New revision: 414760
URL: https://svnweb.freebsd.org/changeset/ports/414760
Log: Add forgotten portepoch to the ImageMagick 6.x version.
PR: 209241
Reported by: Ben Woods, Jason Unovitch
Changes: head/security/vuxml/vuln.xml
Good catch, I completely forgot to check that ...
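Why the epoch-less bound could not match, as an added example that is not part of the original thread: a simplified Python model of package version ordering in which PORTEPOCH is compared before the version and PORTREVISION. The installed versions are constructed samples and assume the port carries PORTEPOCH 1, as the corrected bound in the thread implies; the function names are hypothetical and the real `pkg` comparison handles more version forms than this model.

```python
# Added example: simplified model of FreeBSD package version ordering.
# Covers only dotted numeric versions with optional _PORTREVISION and
# ,PORTEPOCH suffixes; pkg's real comparison handles more forms.

def parse(pkgver):
    """Turn 'X.Y.Z[_revision][,epoch]' into a key ordered epoch-first."""
    rest, _, epoch = pkgver.partition(",")
    version, _, revision = rest.partition("_")
    return (
        int(epoch or 0),                            # PORTEPOCH dominates
        tuple(int(p) for p in version.split(".")),  # upstream version
        int(revision or 0),                         # PORTREVISION last
    )

def matches_lt(installed, bound):
    """True if <range><lt>bound</lt></range> covers the installed version."""
    return parse(installed) < parse(bound)

def audit(installed_versions, bound):
    """Return the installed versions an <lt> bound reports as vulnerable."""
    return [v for v in installed_versions if matches_lt(v, bound)]

# Constructed sample versions, assuming the port has PORTEPOCH=1.
INSTALLED = ["6.9.2.0,1", "6.9.3.9,1", "6.9.3.9_1,1"]

# Bounds taken from the thread: before and after the PORTEPOCH fix.
BOUND_WITHOUT_EPOCH = "6.9.3.9_1"
BOUND_WITH_EPOCH = "6.9.3.9_1,1"

if __name__ == "__main__":
    for bound in (BOUND_WITHOUT_EPOCH, BOUND_WITH_EPOCH):
        print(f"<lt>{bound}</lt> flags: {audit(INSTALLED, bound)}")
```

With the epoch missing from the bound, every installed version with epoch 1 sorts above it, so the entry silently reports nothing for the vulnerable packages.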