"Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng [...] before 1.6.19 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image."
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8126
http://www.openwall.com/lists/oss-security/2015/11/12/2
Assuming it might be usable for exploitation, I would recommend bumping the port soon.
The libpng website is down and SourceForge is in Disaster Recovery mode (and doesn't have 1.6.19 yet), so this update will have to wait a few hours, I guess.
This is now handled in Phabricator https://reviews.freebsd.org/D4164
A commit references this bug:
Author: antoine
Date: Sun Nov 15 11:41:02 UTC 2015
New revision: 401693
URL: https://svnweb.freebsd.org/changeset/ports/401693
Log:
  Update to 1.6.19
  PR: 204551
  MFH: 2015Q4
  Security: CVE-2015-8126
Changes:
  head/graphics/png/Makefile
  head/graphics/png/distinfo
  head/graphics/png/pkg-plist
A commit references this bug:
Author: antoine
Date: Sun Nov 15 11:43:12 UTC 2015
New revision: 401694
URL: https://svnweb.freebsd.org/changeset/ports/401694
Log:
  MFH: r401693
  Update to 1.6.19
  PR: 204551
  Security: CVE-2015-8126
Changes:
  _U branches/2015Q4/
  branches/2015Q4/graphics/png/Makefile
  branches/2015Q4/graphics/png/distinfo
  branches/2015Q4/graphics/png/pkg-plist
security/vuxml change committed by brnrd@ in r401719 [1] but PR: not referenced.
[1] http://svnweb.freebsd.org/changeset/ports/401719
CC committer that resolved.
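An added example, not part of this report or of libpng: a pre-screening check for the condition in the CVE text quoted in the first comment, flagging palette PNGs whose PLTE chunk holds more entries than the IHDR bit depth allows. It assumes the PNG specification's limit of 2^bit_depth entries for color type 3; the function names and sample images are constructed for illustration, and chunk CRCs are not verified.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
COLOR_TYPE_PALETTE = 3

def chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF))

def iter_chunks(png):
    """Yield (type, data) for each chunk, refusing truncated input."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 8 + length + 4          # header + data + CRC
        if end > len(png):
            raise ValueError("truncated chunk")
        yield ctype, png[pos + 8:pos + 8 + length]
        pos = end

def check_palette(png):
    """Return a finding string, or None if PLTE fits the IHDR bit depth."""
    bit_depth = color_type = None
    for ctype, data in iter_chunks(png):
        if ctype == b"IHDR":
            if len(data) != 13:
                raise ValueError("bad IHDR length")
            _, _, bit_depth, color_type = struct.unpack(">IIBB", data[:10])
        elif ctype == b"PLTE" and color_type == COLOR_TYPE_PALETTE:
            entries = len(data) // 3        # 3 bytes (RGB) per entry
            limit = 1 << bit_depth          # assumption: PNG spec limit
            if entries > limit:
                return (f"PLTE has {entries} entries, "
                        f"bit depth {bit_depth} allows {limit}")
    return None

def make_png(bit_depth, palette_entries):
    """Constructed sample: 1x1 palette image header plus PLTE, no pixels."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, bit_depth, COLOR_TYPE_PALETTE, 0, 0, 0)
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"PLTE", bytes(3 * palette_entries)) + chunk(b"IEND", b""))
```

A check like this only screens inputs; the fix for the port remains the update to 1.6.19 referenced in the commits above.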