Created attachment 184451 (patch to oniguruma6). Given the current vuln with devel/oniguruma5 and that it seems to be end-of-life, should we make lang/php56 use devel/oniguruma6 instead?
Request ports-secteam input on a merge to quarterly
This should resolve dependency conflict between converters/php56-mbstring (which depends on oniguruma5) and textproc/jq (which depends on oniguruma6). Probably there are more conflicts like this, but this one bit me recently.
From https://www.freshports.org/devel/oniguruma5/
###
This port is required by:
converters/php56-mbstring
lang/mosh
###
* deleted ports not included in the above paste
I suppose if we're fixing one, we should fix both.
(In reply to Kubilay Kocak from comment #1) Did we hear from secteam?
No. If we get no feedback until next Wednesday, I'm going to commit the change with maintainer-timeout.
I am happy for you to do this work, thank you.
A commit references this bug:
Author: tz
Date: Wed Aug 2 14:24:31 UTC 2017
New revision: 447107
URL: https://svnweb.freebsd.org/changeset/ports/447107
Log:
  lang/php56: Change from oniguruma5 to oniguruma6
  Switch mbstring extension from devel/oniguruma5 to devel/oniguruma6 to fix security issues covered in Oniguruma 6.4.
  PR: 220809
  Submitted by: Dan Langille <dvl@FreeBSD.org>
  Approved by: maintainer (timeout, 16 days)
  MFH: 2017Q3
Changes:
  head/converters/php56-mbstring/Makefile
  head/lang/php56/Makefile.ext
MFH is requested.
Assign to committer resolving, retaining maintainer on CC
A commit references this bug:
Author: tz
Date: Thu Aug 3 15:21:55 UTC 2017
New revision: 447228
URL: https://svnweb.freebsd.org/changeset/ports/447228
Log:
  MFH: r447107
  lang/php56: Change from oniguruma5 to oniguruma6
  Switch mbstring extension from devel/oniguruma5 to devel/oniguruma6 to fix security issues covered in Oniguruma 6.4.
  PR: 220809
  Submitted by: Dan Langille <dvl@FreeBSD.org>
  Approved by: maintainer (timeout, 16 days)
  Approved by: ports-secteam (feld)
Changes:
  _U branches/2017Q3/
  branches/2017Q3/converters/php56-mbstring/Makefile
  branches/2017Q3/lang/php56/Makefile.ext
Now committed to quarterly. Everything done :)
My servers had oniguruma4 with php56-mbstring. Can you add instructions to /usr/ports/UPDATING to notify users?
  portupgrade -o devel/oniguruma6 devel/oniguruma4
  portupgrade -o devel/oniguruma6 devel/oniguruma5
  portupgrade -fr devel/oniguruma6
Thank you.
Re-open per UPDATING instructions request
A commit references this bug:
Author: eugen
Date: Fri Sep 29 20:10:13 UTC 2017
New revision: 450934
URL: https://svnweb.freebsd.org/changeset/ports/450934
Log:
  Give a hint for those who struggle updating PHP after dependency switch from devel/oniguruma5 to devel/oniguruma6
  PR: 220809
  Reported by: dvl
  Approved by: ale (maintainer timeout, 8 weeks)
Changes:
  head/UPDATING