Version 5.22 in -head includes fixes for these CVEs which will treacle down to -stable.
I have not checked the version of file(1) in 9.x
Apologies, CVE-2014-2270 was addressed in FreeBSD-SA-14:16.file
Take. We intend to do an EN (by doing a full upgrade of file(1) to 5.22) instead of SA as there may be other issues affecting file(1) that didn't get covered.
Existing users of file(1) are advised to use the version shipped with ports, or use -e elf to disable the ELF tests as a workaround.
(In reply to Xin LI from comment #3)
Certainly this would have to be issued as an SA, not an EN. You can't just disguise the fact that there were vulnerabilities by doing a full upgrade to 5.22 and claiming it's an enhancement.
And is there a reason why this hasn't happened yet? The lack of action on this issue is maddening. You can't really expect people to just use -e elf as a workaround when there is unknown amounts of software out there using file(1).
This is fixed in EN-15:06.file.
Should https://www.freebsd.org/releases/10.1R/errata.html be updated?