Based off the following commit:
http://svnweb.freebsd.org/ports/head/security/vuxml/vuln.xml?r1=414860&r2=414889

The latest archivers/libarchive vuxml entry (CVE-2016-1541) was fixed in 3.2 not 2.3.

Appears there was confusion with the latest commit:
http://svnweb.freebsd.org/ports/head/archivers/libarchive/distinfo?view=log
"Upgrading to 2.3"
A commit references this bug:

Author: junovitch
Date: Tue May 10 00:22:28 UTC 2016
New revision: 414896
URL: https://svnweb.freebsd.org/changeset/ports/414896

Log:
  Fix version range for libarchive entry. [1]
  While here, add CVE and wrap lines at <80

  PR: 209404 [1]
  Reported by: dereks@lifeofadishwasher.com [1]
  Security: CVE-2016-1541
  Security: https://vuxml.FreeBSD.org/freebsd/2b4c8e1f-1609-11e6-b55e-b499baebfeaf.html

Changes:
  head/security/vuxml/vuln.xml
Thanks for the report. The commit message for both the VuXML and actual port update were incorrect. The distinfo and VuXML test reflected 3.2.0, which is the correct version where the issue is fixed.