Bug 198993

Summary: [PATCH][SECURITY] lang/php5: Update to 5.4.39
Product: Ports & Packages
Reporter: Jason Unovitch <junovitch>
Component: Individual Port(s)
Assignee: Alex Dupre <ale>
Status: Closed FIXED
Severity: Affects Only Me
Keywords: patch
Priority: ---
Flags: bugzilla: maintainer-feedback? (ale)
Version: Latest
Hardware: Any
OS: Any
Attachments:
lang/php: update to 5.4.39 (Flags: none)
Poudriere Build Logs from 10.1-RELEASE amd64 (Flags: none)
VUXML entry documenting CVE-2015-0231, CVE-2015-2305, and CVE-2015-2331 (Flags: none)

Description Jason Unovitch freebsd_committer freebsd_triage 2015-03-28 23:02:22 UTC
Created attachment 154937
lang/php: update to 5.4.39

The PHP development team announces the immediate availability of PHP 5.4.39. Six security-related bugs were fixed in this release, including CVE-2015-0231, CVE-2015-2305 and CVE-2015-2331. All PHP 5.4 users are encouraged to upgrade to this version.

Reported by: bagas @ https://forums.freebsd.org/threads/php-5-4-39-when-appears-in-the-ports.50997/

Build time tested: php5 php5-extensions php5-curl php5-xml php5-mbstring php5-json php5-simplexml php5-dom
Basic Runtime tested: php5 php5-curl php5-xml php5-mbstring php5-json php5-simplexml php5-dom

Poudriere logs are forthcoming.
Comment 1 Jason Unovitch freebsd_committer freebsd_triage 2015-03-28 23:03:49 UTC
Created attachment 154938
Poudriere Build Logs from 10.1-RELEASE amd64

Also build tested and available upon request:
10.1-RELEASE i386, 9.3-RELEASE amd64, 9.3-RELEASE i386, 8.4-RELEASE amd64, 8.4-RELEASE i386
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2015-03-28 23:42:05 UTC
Created attachment 154941
VUXML entry documenting CVE-2015-0231, CVE-2015-2305, and CVE-2015-2331

This covers the PHP updates in PR 198882 (php55), 198739 (php56), as well as this PR.

Testing:
jason@hostname:~/vuxml % make validate
/bin/sh /usr/home/jason/vuxml/files/tidy.sh "/usr/home/jason/vuxml/files/tidy.xsl" "/usr/home/jason/vuxml/vuln.xml" > "/usr/home/jason/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/home/jason/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/home/jason/vuxml/files/extra-validation.py

jason@hostname:~/vuxml % env PKG_DBDIR=/home/jason/vuxml pkg audit php5-5.4.38
php5-5.4.38 is vulnerable:
php5 -- multiple vulnerabilities
CVE: CVE-2015-2331
CVE: CVE-2015-2305
CVE: CVE-2015-0231
WWW: http://vuxml.FreeBSD.org/freebsd/db119391-d59f-11e4-991c-002590263bf5.html
Comment 3 Jason Unovitch freebsd_committer freebsd_triage 2015-04-13 02:34:22 UTC
Closing:

lang/php5 updated from 5.4.38 -> 5.4.39 in r382896:
https://svnweb.freebsd.org/ports?view=revision&revision=382896

security/vuxml updated in r382948:
https://svnweb.freebsd.org/ports?view=revision&revision=382948