Bug 209779

Summary: lang/php55 lang/php56: Update to latest versions (5.5.36, 5.6.22) fixes security vulnerabilities
Product: Ports & Packages
Reporter: Fabiano Sidler <freebsd-bugs>
Component: Individual Port(s)
Assignee: Alex Dupre <ale>
Status: Closed FIXED
Severity: Affects Many People
CC: freebsd-bugs, junovitch, ports-secteam
Priority: ---
Keywords: security
Version: Latest
Flags: bugzilla: maintainer-feedback? (ale); junovitch: merge-quarterly+
Hardware: Any
OS: Any

Description Fabiano Sidler 2016-05-27 07:59:02 UTC
http://php.net/ChangeLog-5.php#5.6.22
http://php.net/ChangeLog-5.php#5.5.36

Please also don't forget to MTQ (2016Q2).

Comment 1 commit-hook freebsd_committer freebsd_triage 2016-05-28 01:41:15 UTC
A commit references this bug:

Author: junovitch
Date: Sat May 28 01:40:53 UTC 2016
New revision: 415969
URL: https://svnweb.freebsd.org/changeset/ports/415969

Log:
  Document security issues fixed in PHP 7.0.7, 5.6.22, and 5.5.36

  PR:		209779
  Reported by:	Fabiano Sidler <fabianosidler@swissonline.ch>
  Security:	CVE-2013-7456
  Security:	CVE-2016-4343
  Security:	CVE-2016-5093
  Security:	CVE-2016-5094
  Security:	CVE-2016-5096
  Security:	https://vuxml.FreeBSD.org/freebsd/6b110175-246d-11e6-8dd3-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml

Comment 2 commit-hook freebsd_committer freebsd_triage 2016-05-28 01:42:18 UTC
A commit references this bug:

Author: junovitch
Date: Sat May 28 01:41:36 UTC 2016
New revision: 415971
URL: https://svnweb.freebsd.org/changeset/ports/415971

Log:
  lang/php56: update 5.6.21 -> 5.6.22 [1] plus minor fixup

  - Fix MAILHEAD patch to match the new version of the patch. The distinfo
    currently matches the php-5.5.x-mail-header.patch.old patch. [2]

  PR:		209779 [1]
  PR:		208072 [2]
  Reported by:	Fabiano Sidler <fabianosidler@swissonline.ch> [1]
  Reported by:	Vladislav V. Prodan <admin@support.od.ua> [2]
  Approved by:	ports-secteam (with hat)
  Security:	CVE-2013-7456
  Security:	CVE-2016-5093
  Security:	CVE-2016-5094
  Security:	CVE-2016-5096
  Security:	https://vuxml.FreeBSD.org/freebsd/6b110175-246d-11e6-8dd3-002590263bf5.html
  MFH:		2016Q2

Changes:
  head/lang/php56/Makefile
  head/lang/php56/distinfo

Comment 3 commit-hook freebsd_committer freebsd_triage 2016-05-28 01:42:25 UTC
A commit references this bug:

Author: junovitch
Date: Sat May 28 01:42:05 UTC 2016
New revision: 415972
URL: https://svnweb.freebsd.org/changeset/ports/415972

Log:
  lang/php55: update 5.5.35 -> 5.5.36 [1] plus minor fixups

  - Fix MAILHEAD patch to match the new version of the patch. The distinfo
    currently matches the php-5.5.x-mail-header.patch.old patch. [2]
  - Fix regression from r415818's conversion to @sample by installing
    the default php-fpm.conf under ${LOCALBASE}/etc and not ${LOCALBASE}

  PR:		209779 [1]
  PR:		208073 [2]
  Reported by:	Fabiano Sidler <fabianosidler@swissonline.ch> [1]
  Submitted by:	Paulo Henrique <paulo.oliveira@protonmail.ch> [2]
  Approved by:	ports-secteam (with hat)
  Security:	CVE-2013-7456
  Security:	CVE-2016-4343
  Security:	CVE-2016-5093
  Security:	CVE-2016-5094
  Security:	CVE-2016-5096
  Security:	https://vuxml.FreeBSD.org/freebsd/6b110175-246d-11e6-8dd3-002590263bf5.html
  MFH:		2016Q2

Changes:
  head/lang/php55/Makefile
  head/lang/php55/distinfo
  head/lang/php55/pkg-plist

Comment 4 commit-hook freebsd_committer freebsd_triage 2016-05-28 01:48:29 UTC
A commit references this bug:

Author: junovitch
Date: Sat May 28 01:48:23 UTC 2016
New revision: 415973
URL: https://svnweb.freebsd.org/changeset/ports/415973

Log:
  MFH: r415304 r415818 r415970 r415971 r415972

  - Really fix ZTS build with pthreads, required by threaded apache24
  - Bump PORTREVISION due to dependency on thread library

  Approved by:	miwi (mentor)

  Simplify plist by using @sample

  lang/php70: update 7.0.6 -> 7.0.7

  Approved by:	ports-secteam (with hat)
  Security:	CVE-2013-7456
  Security:	CVE-2016-5093
  Security:	https://vuxml.FreeBSD.org/freebsd/6b110175-246d-11e6-8dd3-002590263bf5.html

  lang/php56: update 5.6.21 -> 5.6.22 [1] plus minor fixup

  - Fix MAILHEAD patch to match the new version of the patch. The distinfo
    currently matches the php-5.5.x-mail-header.patch.old patch. [2]

  PR:		209779 [1]
  PR:		208072 [2]
  Reported by:	Fabiano Sidler <fabianosidler@swissonline.ch> [1]
  Reported by:	Vladislav V. Prodan <admin@support.od.ua> [2]
  Approved by:	ports-secteam (with hat)
  Security:	CVE-2013-7456
  Security:	CVE-2016-5093
  Security:	CVE-2016-5094
  Security:	CVE-2016-5096
  Security:	https://vuxml.FreeBSD.org/freebsd/6b110175-246d-11e6-8dd3-002590263bf5.html

  lang/php55: update 5.5.35 -> 5.5.36 [1] plus minor fixups

  - Fix MAILHEAD patch to match the new version of the patch. The distinfo
    currently matches the php-5.5.x-mail-header.patch.old patch. [2]
  - Fix regression from r415818's conversion to @sample by installing
    the default php-fpm.conf under ${LOCALBASE}/etc and not ${LOCALBASE}

  PR:		209779 [1]
  PR:		208073 [2]
  Reported by:	Fabiano Sidler <fabianosidler@swissonline.ch> [1]
  Submitted by:	Paulo Henrique <paulo.oliveira@protonmail.ch> [2]
  Approved by:	ports-secteam (with hat)
  Security:	CVE-2013-7456
  Security:	CVE-2016-4343
  Security:	CVE-2016-5093
  Security:	CVE-2016-5094
  Security:	CVE-2016-5096
  Security:	https://vuxml.FreeBSD.org/freebsd/6b110175-246d-11e6-8dd3-002590263bf5.html

Changes:
_U  branches/2016Q2/
  branches/2016Q2/lang/php55/Makefile
  branches/2016Q2/lang/php55/distinfo
  branches/2016Q2/lang/php55/pkg-plist
  branches/2016Q2/lang/php56/Makefile
  branches/2016Q2/lang/php56/distinfo
  branches/2016Q2/lang/php56/pkg-plist
  branches/2016Q2/lang/php70/Makefile
  branches/2016Q2/lang/php70/distinfo
  branches/2016Q2/lang/php70/pkg-plist

Comment 5 commit-hook freebsd_committer freebsd_triage 2016-05-28 01:48:33 UTC
A commit references this bug:

Author: junovitch
Date: Sat May 28 01:48:23 UTC 2016
New revision: 415973
URL: https://svnweb.freebsd.org/changeset/ports/415973

Log:
  MFH: r415304 r415818 r415970 r415971 r415972

  - Really fix ZTS build with pthreads, required by threaded apache24
  - Bump PORTREVISION due to dependency on thread library

  Approved by:	miwi (mentor)

  Simplify plist by using @sample

  lang/php70: update 7.0.6 -> 7.0.7

  Approved by:	ports-secteam (with hat)
  Security:	CVE-2013-7456
  Security:	CVE-2016-5093
  Security:	https://vuxml.FreeBSD.org/freebsd/6b110175-246d-11e6-8dd3-002590263bf5.html

  lang/php56: update 5.6.21 -> 5.6.22 [1] plus minor fixup

  - Fix MAILHEAD patch to match the new version of the patch. The distinfo
    currently matches the php-5.5.x-mail-header.patch.old patch. [2]

  PR:		209779 [1]
  PR:		208072 [2]
  Reported by:	Fabiano Sidler <fabianosidler@swissonline.ch> [1]
  Reported by:	Vladislav V. Prodan <admin@support.od.ua> [2]
  Approved by:	ports-secteam (with hat)
  Security:	CVE-2013-7456
  Security:	CVE-2016-5093
  Security:	CVE-2016-5094
  Security:	CVE-2016-5096
  Security:	https://vuxml.FreeBSD.org/freebsd/6b110175-246d-11e6-8dd3-002590263bf5.html

  lang/php55: update 5.5.35 -> 5.5.36 [1] plus minor fixups

  - Fix MAILHEAD patch to match the new version of the patch. The distinfo
    currently matches the php-5.5.x-mail-header.patch.old patch. [2]
  - Fix regression from r415818's conversion to @sample by installing
    the default php-fpm.conf under ${LOCALBASE}/etc and not ${LOCALBASE}

  PR:		209779 [1]
  PR:		208073 [2]
  Reported by:	Fabiano Sidler <fabianosidler@swissonline.ch> [1]
  Submitted by:	Paulo Henrique <paulo.oliveira@protonmail.ch> [2]
  Approved by:	ports-secteam (with hat)
  Security:	CVE-2013-7456
  Security:	CVE-2016-4343
  Security:	CVE-2016-5093
  Security:	CVE-2016-5094
  Security:	CVE-2016-5096
  Security:	https://vuxml.FreeBSD.org/freebsd/6b110175-246d-11e6-8dd3-002590263bf5.html

Changes:
_U  branches/2016Q2/
  branches/2016Q2/lang/php55/Makefile
  branches/2016Q2/lang/php55/distinfo
  branches/2016Q2/lang/php55/pkg-plist
  branches/2016Q2/lang/php56/Makefile
  branches/2016Q2/lang/php56/distinfo
  branches/2016Q2/lang/php56/pkg-plist
  branches/2016Q2/lang/php70/Makefile
  branches/2016Q2/lang/php70/distinfo
  branches/2016Q2/lang/php70/pkg-plist

Comment 6 Jason Unovitch freebsd_committer freebsd_triage 2016-05-28 01:53:44 UTC
Fabiano,
Thanks for the report.  The requested security update has been committed under ports-secteam approval.  I also fixed the MAILHEAD option for both ports while here.

- Set merge-quarterly+ as it's been merged.
- Set 'security' keyword.
- Drop 'patch' keyword as there was never a patch attached to the PR and 'needs-patch' is irrelevant now that it's fixed.
- Close PR