Bug 220809 - lang/php56: Change from oniguruma5 to oniguruma6
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Torsten Zuehlsdorff
URL:
Keywords: easy, needs-qa, security
Depends on:
Blocks:
 
Reported: 2017-07-17 20:49 UTC by Dan Langille
Modified: 2017-11-26 20:50 UTC
12 users

See Also:
bugzilla: maintainer-feedback? (ale)
koobs: maintainer-feedback? (ports-secteam)
tz: merge-quarterly+


Attachments
patch to oniguruma6 (444 bytes, patch)
2017-07-17 20:49 UTC, Dan Langille

Description Dan Langille freebsd_committer freebsd_triage 2017-07-17 20:49:26 UTC
Created attachment 184451
patch to oniguruma6

Given the current vuln with devel/oniguruma5 and that it seems to be end-of-life, should we make lang/php56 use devel/oniguruma6 instead?
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-18 13:01:15 UTC
Request ports-secteam input on a merge to quarterly
Comment 2 Lukasz Wasikowski 2017-07-19 11:28:32 UTC
This should resolve the dependency conflict between converters/php56-mbstring (which depends on oniguruma5) and textproc/jq (which depends on oniguruma6). Probably there are more conflicts like this, but this one bit me recently.
Comment 3 Dan Langille freebsd_committer freebsd_triage 2017-07-19 11:32:27 UTC
From https://www.freshports.org/devel/oniguruma5/

###
This port is required by:

converters/php56-mbstring
lang/mosh
###

* deleted ports not included in the above paste

I suppose if we're fixing one, we should fix both.
Comment 4 Dan Langille freebsd_committer freebsd_triage 2017-07-25 18:13:20 UTC
(In reply to Kubilay Kocak from comment #1)
Did we hear from secteam?
Comment 5 Torsten Zuehlsdorff freebsd_committer freebsd_triage 2017-07-27 08:31:04 UTC
No. If we get no feedback until next Wednesday, I'm going to commit the change with maintainer-timeout.
Comment 6 Dan Langille freebsd_committer freebsd_triage 2017-07-28 16:23:03 UTC
I am happy for you to do this work, thank you.
Comment 7 commit-hook freebsd_committer freebsd_triage 2017-08-02 14:25:28 UTC
A commit references this bug:

Author: tz
Date: Wed Aug  2 14:24:31 UTC 2017
New revision: 447107
URL: https://svnweb.freebsd.org/changeset/ports/447107

Log:
  lang/php56: Change from oniguruma5 to oniguruma6

  Switch mbstring extension from devel/oniguruma5
  to devel/oniguruma6 to fix security issues covered in
  Oniguruma 6.4.

  PR:           220809
  Submitted by: Dan Langille <dvl@FreeBSD.org>
  Approved by:  maintainer (timeout, 16 days)
  MFH:          2017Q3

Changes:
  head/converters/php56-mbstring/Makefile
  head/lang/php56/Makefile.ext
Comment 8 Torsten Zuehlsdorff freebsd_committer freebsd_triage 2017-08-02 14:26:05 UTC
MFH is requested.
Comment 9 Kubilay Kocak freebsd_committer freebsd_triage 2017-08-03 01:10:05 UTC
Assign to committer resolving, retaining maintainer on CC
Comment 10 commit-hook freebsd_committer freebsd_triage 2017-08-03 15:22:17 UTC
A commit references this bug:

Author: tz
Date: Thu Aug  3 15:21:55 UTC 2017
New revision: 447228
URL: https://svnweb.freebsd.org/changeset/ports/447228

Log:
  MFH: r447107

  lang/php56: Change from oniguruma5 to oniguruma6

  Switch mbstring extension from devel/oniguruma5
  to devel/oniguruma6 to fix security issues covered in
  Oniguruma 6.4.

  PR:           220809
  Submitted by: Dan Langille <dvl@FreeBSD.org>
  Approved by:  maintainer (timeout, 16 days)

  Approved by:	ports-secteam (feld)

Changes:
_U  branches/2017Q3/
  branches/2017Q3/converters/php56-mbstring/Makefile
  branches/2017Q3/lang/php56/Makefile.ext
Comment 11 Torsten Zuehlsdorff freebsd_committer freebsd_triage 2017-08-03 15:24:04 UTC
Now committed to quarterly. Everything done :)
Comment 12 Christos Chatzaras 2017-08-03 19:57:19 UTC
My servers had oniguruma4 with php56-mbstring.

Can you add instructions to /usr/ports/UPDATING to notify users?

portupgrade -o devel/oniguruma6 devel/oniguruma4
portupgrade -o devel/oniguruma6 devel/oniguruma5
portupgrade -fr devel/oniguruma6

Thank you.
Comment 13 Kubilay Kocak freebsd_committer freebsd_triage 2017-08-05 05:13:01 UTC
Re-open per UPDATING instructions request
Comment 14 commit-hook freebsd_committer freebsd_triage 2017-09-29 20:10:48 UTC
A commit references this bug:

Author: eugen
Date: Fri Sep 29 20:10:13 UTC 2017
New revision: 450934
URL: https://svnweb.freebsd.org/changeset/ports/450934

Log:
  Give a hint for those who struggle updating PHP after
  dependency switch from devel/oniguruma5 to devel/oniguruma6

  PR:		220809
  Reported by:	dvl
  Approved by:	ale (maintainer timeout, 8 weeks)

Changes:
  head/UPDATING