oniguruma5 vulnerabilities and php56-mbstring

Thursday, August 3, 2017 

If you’ve had a FreeBSD system up for a while, you might have installed converters/php56-mbstring. It might have originally been installed with devel/oniguruma5, which is unmaintained and has some serious vulnerabilities. If you install it new, it will install devel/oniguruma6 as a dependency and that’s fine. If you’re stuck with the old version:
# pkg audit -F
# portmaster -e oniguruma5-5.9.6_1  (your exact version may vary)
# cd /usr/ports/devel/oniguruma5
# make deinstall
# make clean
# portmaster php56-mbstring-5.6.31 (your exact version may vary)
# pkg audit -F

Vulns erased. I didn’t find anything about this in /usr/ports/UPDATING so, if you’re searching, here it is.
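As an added example that is not part of the original post, here is a small POSIX shell check that automates the two decisions the procedure above rests on: whether php56-mbstring on a host still depends on devel/oniguruma5 (read from `pkg query '%do' php56-mbstring`, which lists the origins of a package's dependencies), and which CVEs `pkg audit -F` attributes to that package. It only inspects; it does not deinstall or rebuild anything. The embedded sample outputs are constructed for offline use (the audit text is copied from the listing in this post, repeated CVE line included); on a FreeBSD host with pkg(8) it reads the live package database instead.

```shell
#!/bin/sh
# Added example, not from the original post: decide whether the
# oniguruma5 -> oniguruma6 rebuild is needed on this host and which CVEs
# pkg audit attributes to the stale package. Inspect only; removes nothing.

# Constructed sample of `pkg query '%do' php56-mbstring` output (the
# origins php56-mbstring depends on), used when pkg(8) is not available.
SAMPLE_DEPS='devel/oniguruma5
lang/php56'

# Sample `pkg audit -F` output, copied from the post's listing (including
# its repeated CVE-2017-9228 line) plus pkg's usual trailing summary line.
SAMPLE_AUDIT='oniguruma5-5.9.6_1 is vulnerable:
oniguruma -- multiple vulnerabilities
CVE: CVE-2017-9228
CVE: CVE-2017-9228
CVE: CVE-2017-9227
CVE: CVE-2017-9226
CVE: CVE-2017-9224
WWW: https://vuxml.FreeBSD.org/freebsd/b396cf6c-62e6-11e7-9def-b499baebfeaf.html

1 problem(s) in 1 installed package(s) found.'

# stale_dep_origin DEPS: print devel/oniguruma5 if it appears in the
# dependency origin list DEPS; return 1 if it does not.
stale_dep_origin() {
    printf '%s\n' "$1" | awk '
        $0 == "devel/oniguruma5" { print; found = 1 }
        END { exit found ? 0 : 1 }'
}

# cves_for_pkg AUDIT PKG: print, one per line and without repeats, the CVE
# ids listed under the audit entry for package PKG. The entry is matched
# on the name prefix, so the version suffix (5.9.6_1 here) does not matter.
cves_for_pkg() {
    printf '%s\n' "$1" | awk -v pkg="$2" '
        / is vulnerable:$/ { inpkg = (index($1, pkg "-") == 1); next }
        inpkg && /^CVE: / && !seen[$2]++ { print $2 }'
}

# check_host DEPS AUDIT: print "REBUILD: ..." and return 1 when
# php56-mbstring still depends on oniguruma5 (mirroring pkg audit, which
# exits non-zero when it finds vulnerable packages); print "OK: ..." and
# return 0 otherwise.
check_host() {
    origin=$(stale_dep_origin "$1") || {
        echo "OK: php56-mbstring does not depend on devel/oniguruma5"
        return 0
    }
    cves=$(cves_for_pkg "$2" oniguruma5 | tr '\n' ' ')
    echo "REBUILD: php56-mbstring depends on $origin; pkg audit lists: ${cves:-none (audit database may be stale)}"
    return 1
}

# Live mode on a FreeBSD host with pkg(8); sample mode anywhere else.
if command -v pkg >/dev/null 2>&1; then
    check_host "$(pkg query '%do' php56-mbstring 2>/dev/null)" "$(pkg audit -F 2>/dev/null)"
else
    check_host "$SAMPLE_DEPS" "$SAMPLE_AUDIT" || :   # sample data: exit status not meaningful
fi
```

Run it before the portmaster steps to confirm the rebuild is actually needed, and again afterwards, when it should print the OK line; in live mode the non-zero exit lets a cron job or configuration-management run flag any host that still carries the old dependency.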

Vulns:

oniguruma5-5.9.6_1 is vulnerable:
oniguruma — multiple vulnerabilities
CVE: CVE-2017-9228
CVE: CVE-2017-9228
CVE: CVE-2017-9227
CVE: CVE-2017-9226
CVE: CVE-2017-9224
WWW: https://vuxml.FreeBSD.org/freebsd/b396cf6c-62e6-11e7-9def-b499baebfeaf.html

Posted at 14:11:33 GMT-0700

Category: FreeBSD