Bug 220809 - lang/php56: Change from oniguruma5 to oniguruma6
Summary: lang/php56: Change from oniguruma5 to oniguruma6
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Torsten Zuehlsdorff
URL:
Keywords: easy, needs-qa, security
Depends on:
Blocks:
 
Reported: 2017-07-17 20:49 UTC by Dan Langille
Modified: 2017-11-26 20:50 UTC (History)
12 users (show)

See Also:
bugzilla: maintainer-feedback? (ale)
koobs: maintainer-feedback? (ports-secteam)
tz: merge-quarterly+

Attachments
patch to oniguruma6 (444 bytes, patch)
2017-07-17 20:49 UTC, Dan Langille 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Dan Langille freebsd_committer freebsd_triage 2017-07-17 20:49:26 UTC 
Created attachment 184451 [details]
patch to oniguruma6

Given the current vuln with devel/oniguruma5 and that it seems to be end-of-life, should we make lang/php56 use devel/oniguruma6 instead?
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-18 13:01:15 UTC 
Request ports-secteam input on a merge to quarterly
Comment 2 Lukasz Wasikowski 2017-07-19 11:28:32 UTC 
This should resolve dependency conflict between converters/php56-mbstring (which depends on oniguruma5) and textproc/jq (which depends on oniguruma6). Probably there are more conflicts like this, but this one bit me recently.
Comment 3 Dan Langille freebsd_committer freebsd_triage 2017-07-19 11:32:27 UTC 
From https://www.freshports.org/devel/oniguruma5/

###
This port is required by:

converters/php56-mbstring
lang/mosh
###

* deleted ports not included in the above paste

I suppose if we're fixing one, we should fix both.
Comment 4 Dan Langille freebsd_committer freebsd_triage 2017-07-25 18:13:20 UTC 
(In reply to Kubilay Kocak from comment #1)
Did we hear from secteam?
Comment 5 Torsten Zuehlsdorff freebsd_committer freebsd_triage 2017-07-27 08:31:04 UTC 
No. If we get no feedback until next Wednesday, i'm going to commit the change with maintainer-timeout.
Comment 6 Dan Langille freebsd_committer freebsd_triage 2017-07-28 16:23:03 UTC 
I am happy for you to do this work, thank you.
Comment 7 commit-hook freebsd_committer freebsd_triage 2017-08-02 14:25:28 UTC 
A commit references this bug:

Author: tz
Date: Wed Aug  2 14:24:31 UTC 2017
New revision: 447107
URL: https://svnweb.freebsd.org/changeset/ports/447107

Log:
  lang/php56: Change from oniguruma5 to oniguruma6

  Switch mbstring extension from devel/oniguruma5
  to devel/oniguruma6 to fix security issues covert in
  Oniguruma 6.4.

  PR:           220809
  Submitted by: Dan Langille <dvl@FreeBSD.org>
  Approved by:  maintainer (timeout, 16 days)
  MFH:          2017Q3

Changes:
  head/converters/php56-mbstring/Makefile
  head/lang/php56/Makefile.ext
Comment 8 Torsten Zuehlsdorff freebsd_committer freebsd_triage 2017-08-02 14:26:05 UTC 
MFH is requested.
Comment 9 Kubilay Kocak freebsd_committer freebsd_triage 2017-08-03 01:10:05 UTC 
Assign to committer rsolving, retaining maintainer on CC
Comment 10 commit-hook freebsd_committer freebsd_triage 2017-08-03 15:22:17 UTC 
A commit references this bug:

Author: tz
Date: Thu Aug  3 15:21:55 UTC 2017
New revision: 447228
URL: https://svnweb.freebsd.org/changeset/ports/447228

Log:
  MFH: r447107

  lang/php56: Change from oniguruma5 to oniguruma6

  Switch mbstring extension from devel/oniguruma5
  to devel/oniguruma6 to fix security issues covert in
  Oniguruma 6.4.

  PR:           220809
  Submitted by: Dan Langille <dvl@FreeBSD.org>
  Approved by:  maintainer (timeout, 16 days)

  Approved by:	ports-secteam (feld)

Changes:
_U  branches/2017Q3/
  branches/2017Q3/converters/php56-mbstring/Makefile
  branches/2017Q3/lang/php56/Makefile.ext
Comment 11 Torsten Zuehlsdorff freebsd_committer freebsd_triage 2017-08-03 15:24:04 UTC 
Now committed to quarterly. Everything done :)
Comment 12 Christos Chatzaras 2017-08-03 19:57:19 UTC 
My servers had oniguruma4 with php56-mbstring.

Can you add instructions to /usr/ports/UPDATING to notify users?

portupgrade -o devel/oniguruma6 devel/oniguruma4
portupgrade -o devel/oniguruma6 devel/oniguruma5
portupgrade -fr devel/oniguruma6

Thank you.
Comment 13 Kubilay Kocak freebsd_committer freebsd_triage 2017-08-05 05:13:01 UTC 
Re-open per UPDATING instructions request
Comment 14 commit-hook freebsd_committer freebsd_triage 2017-09-29 20:10:48 UTC 
A commit references this bug:

Author: eugen
Date: Fri Sep 29 20:10:13 UTC 2017
New revision: 450934
URL: https://svnweb.freebsd.org/changeset/ports/450934

Log:
  Give a hint for those who strugges updating PHP after
  dependency switch from devel/oniguruma5 to devel/oniguruma6

  PR:		220809
  Reported by:	dvl
  Approved by:	ale (maintainer timeout, 8 weeks)

Changes:
  head/UPDATING
Comment 15 vali gholami 2017-11-26 20:50:07 UTC 
MARKED AS SPAM