Bug 199585
| Summary: | [PATCH] [SECURITY] lang/php5*: updates to 5.6.8, 5.5.24, 5.4.40 | ||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Franco Fichtner <franco> | ||||||||||||||||||
| Component: | Individual Port(s) | Assignee: | Alex Dupre <ale> | ||||||||||||||||||
| Status: | Closed FIXED | ||||||||||||||||||||
| Severity: | Affects Many People | CC: | brnrd, delphij, junovitch, xmj | ||||||||||||||||||
| Priority: | --- | Keywords: | patch, security | ||||||||||||||||||
| Version: | Latest | Flags: | bugzilla:
maintainer-feedback?
(ale) |
||||||||||||||||||
| Hardware: | Any | ||||||||||||||||||||
| OS: | Any | ||||||||||||||||||||
| Attachments: |
|
||||||||||||||||||||
Created attachment 155978 [details]
svn diff for security/vuxml
Add new PHP vulns to vuxml
Created attachment 155979 [details]
svn diff for lang/php5
Update lang/php5 to 5.5.40 fixing vulns
Created attachment 155980 [details]
svn diff for lang/php55
Update lang/php55 to 5.5.24 fixing vulns
Created attachment 155988 [details]
svn diff for lang/php56
There are 4 extensions that currently have a PORTREVISION, this improved patch removes these as well as updating the master port to 5.6.8
Created attachment 155989 [details]
svn diff for lang/php55
Update lang/php5 to 5.5.40 fixing vulns
This patch updates the master port and removes PORTREVISION from extensions that have it defined
Created attachment 155990 [details]
svn diff for lang/php5
Update lang/php5 to 5.4.40 fixing vulns
This patch updates the master port and removes PORTREVISION from extensions that have it defined
All, Thanks for this. I just started making patches myself but checked Bugzilla first to find this. It would be good to get this closed soon given there were a lot of CVE's covered in this one, including potential remote code execution. Bernard, Can you double check your patches with the MAILHEAD option enabled? All of your diffs remove the optional patch from the distinfo file that MAILHEAD references. See the Makefile for the available options and defaults. OPTIONS_DEFINE+=CLI CGI FPM EMBED PHPDBG DEBUG DTRACE IPV6 MAILHEAD LINKTHR ZTS OPTIONS_DEFAULT=CLI CGI FPM IPV6 LINKTHR Jason Bernard, Also see the prior updates in SVN. Both databases/php56-odbc and databases/php55-odbc required an update to regen the patch for the patch-config.m4 file. I've validated with a poudriere testport on databases/php56-odbc that just updating the version will prevent that from building. https://svnweb.freebsd.org/ports?view=revision&revision=382894 https://svnweb.freebsd.org/ports?view=revision&revision=382895 Jason A commit references this bug: Author: ale Date: Sun Apr 26 12:33:12 UTC 2015 New revision: 384787 URL: https://svnweb.freebsd.org/changeset/ports/384787 Log: Update to 5.6.8 release. PR: 199585 Submitted by: Franco Fichtner Changes: head/databases/php56-odbc/files/patch-config.m4 head/databases/php56-pdo_sqlite/Makefile head/databases/php56-sqlite3/Makefile head/lang/php56/Makefile head/lang/php56/distinfo head/security/php56-mcrypt/Makefile head/textproc/php56-pspell/Makefile Created attachment 156009 [details]
security/vuxml correction
ale@
The PR referenced in security/vuxml was incorrect. Patch attached for fix. Additionally, the 5.6.8 update will have to MFH into 2015Q2 before this is closed for real.
Jason
O my was that PHP 5.6 patch bad... That's the 5.6.6 yo 5.6.7 update :/ Sorry for the confusion! Need to polish my workflow! Hello,
Can r384787 for PHP 5.6.8 be MFH'd into 2015Q2. Additionally, can the vuxml patch be applied to reference the correct PR?
Index: security/vuxml/vuln.xml
===================================================================
--- security/vuxml/vuln.xml (revision 385083)
+++ security/vuxml/vuln.xml (working copy)
@@ -279,7 +279,7 @@
<cvename>CVE-2015-2783</cvename>
<cvename>CVE-2015-1351</cvename>
<cvename>CVE-2015-1352</cvename>
- <freebsdpr>ports/198739</freebsdpr>
+ <freebsdpr>ports/199585</freebsdpr>
</references>
<dates>
<discovery>2015-04-16</discovery>
ale@, Can r384787 for PHP 5.6.8 be MFH'd into 2015Q2. Can the vuxml entry be updated as mentioned above for the correct PR info as well or should I open a new PR for the MFH and vuxml correction? Jason 5.6.9 has been out for a week now... A commit references this bug: Author: delphij Date: Fri May 22 22:12:13 UTC 2015 New revision: 387085 URL: https://svnweb.freebsd.org/changeset/ports/387085 Log: MFH: r384787 (ale) Update to 5.6.8 release. PR: 199585 Submitted by: Franco Fichtner Approved by: ports-secteam Changes: _U branches/2015Q2/ branches/2015Q2/databases/php56-odbc/files/patch-config.m4 branches/2015Q2/databases/php56-pdo_sqlite/Makefile branches/2015Q2/databases/php56-sqlite3/Makefile branches/2015Q2/lang/php56/Makefile branches/2015Q2/lang/php56/distinfo branches/2015Q2/security/php56-mcrypt/Makefile branches/2015Q2/textproc/php56-pspell/Makefile (In reply to jason.unovitch from comment #13) I've merged the 5.6.8 update. (In reply to jason.unovitch from comment #12) Fixed. |
Created attachment 155818 [details] the actual diff ;)