freebsd security - Apr 2012 - About PHP 5.X in FreeBSD port tree

Dear Sir,

        Thanks for your notice, but there seems no information about
whether the vulnerabilities about CVE-2011-2483, CVE-2011-4153 and
CVE-2011-3389 were fixed in FreeBSD port tree (PHP 5.3.10_1) or not?

Best Regards!

                                                             James Chang

2012/4/3 Mel Flynn <rflynn@acsalaska.net>:
> Please search the list before posting.
>
> --
> Mel

James Chang ha scritto:
>         Thanks for your notice, but there seems no information about
> whether the vulnerabilities about CVE-2011-2483, CVE-2011-4153 and
> CVE-2011-3389 were fixed in FreeBSD port tree (PHP 5.3.10_1) or not?
PHP 5.3.11 will be released soon and the port will be updated to this
release before switching to (probably) 5.4.1.

-- 
Alex Dupre

On Tue, Apr 3, 2012 at 2:54 AM, James Chang <james.technew@gmail.com>
wrote:
> Dear Sir,
>
> ? ? ? ?Thanks for your notice, but there seems no information about
> whether the vulnerabilities about CVE-2011-2483, CVE-2011-4153 and
> CVE-2011-3389 were fixed in FreeBSD port tree (PHP 5.3.10_1) or not?
Looks like CVE-2011-2483 applies to PHP before 5.3.7:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2483

and CVE-2011-4153 applies to 5.3.8:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4153

and CVE-2011-3389 does not apply to PHP AFAIK:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389

Since the version in ports is 5.3.10, I think you're safe.  I'm sure
someone will correct me if I'm off the mark.

Personally, I use portaudit to keep it all straight:
http://www.freebsd.org/cgi/url.cgi?ports/ports-mgmt/portaudit/pkg-descr

Additionally, I'm signed up for the digest version of the US-CERT
alerts from here:
http://www.us-cert.gov/cas/signup.html

Pretty good because it shows right in the second column of the report
what versions are affected.

Cheers!
Rob