Is it enough to only update php55? I could create a patch with relative ease in that case.

2015-05-23 17:30 GMT+02:00 Roger Marquis <marq...@roble.com>:

> FYI regarding these new and significant failures of FreeBSD security
> policy and procedures.
>
> PHP55 vulnerabilities announced over a week ago
> (<https://www.dotdeb.org/2015/05/22/php-5-5-25-for-wheezy/>) have still
> not been ported to lang/php55. You can, however, edit the Makefile,
> increment the PORTVERSION from 5.5.24 to 5.5.25, and 'make makesum
> deinstall reinstall clean' to secure a server without waiting for the
> port to be updated. Older versions of PHP may also have unpatched
> vulnerabilities that are not noted in the vuln.xml database.
>
> New CVEs for unzoo (and likely zoo as well) have not yet shown up in 'pkg
> audit -F' or vuln.xml. Run 'pkg remove unzoo zoo' at your earliest
> convenience if you have these installed.
>
> HEADS-UP: anyone maintaining public-facing FreeBSD servers who is
> depending on 'pkg audit' to report whether a server is secure it should
> be noted that this method is no longer reliable.
>
> If you find a vulnerability such as a new CVE or mailing list
> announcement please send it to the port maintainer and
> <ports-sect...@freebsd.org> as quickly as possible. They are woefully
> understaffed and need our help. Though freebsd.org indicates that
> security alerts should be sent to <sect...@freebsd.org> this is
> incorrect. If the vulnerability is in a port or package send an alert to
> ports-secteam@ and NOT secteam@ as the secteam will generally not reply
> to your email or forward the alerts to ports-secteam.
>
> Roger
>
>> Does anyone know what's going on with vuln.xml updates? Over the last
>> few weeks and months CVEs and application mailing lists have announced
>> vulnerabilities for several ports that in some cases only showed up in
>> vuln.xml after several days and in other cases are still not listed
>> (despite email to the security team).
>
> _______________________________________________
> freebsd-ports@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ports
> To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"