If you’ve had a FreeBSD system up for a while, you might have installed converters/php56-mbstring. It might have originally been installed with devel/oniguruma5, which is unmaintained and has some serious vulnerabilities. If you install it new, it will install devel/oniguruma6 as a dependency and that’s fine. If you’re stuck with the old version:
# pkg audit -F
# portmaster -e oniguruma5-5.9.6_1 (your exact version may vary)
# cd /usr/ports/devel/oniguruma5
# make deinstall
# make clean
# portmaster php56-mbstring-5.6.31 (your exact version may vary)
# pkg audit -F
Vulns erased. I didn’t find anything about this in /usr/ports/UPDATING so, if you’re searching, here it is.
oniguruma5-5.9.6_1 is vulnerable:
oniguruma — multiple vulnerabilities
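To confirm the rebuild actually cleared the finding, you can save the output of the first and last `pkg audit -F` runs and compare them. The script below is an added example, not part of the original post; it relies only on the "is vulnerable:" line format shown above, and the function names, file handling and sample entries (including `examplepkg`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare `pkg audit -F` output saved before and after the rebuild.

# Print each flagged package (name-version), one per line, sorted.
# Relies only on the "<name-version> is vulnerable:" line that pkg audit prints.
vulnerable_pkgs() {
    awk '$2 == "is" && $3 == "vulnerable:" { print $1 }' | LC_ALL=C sort -u
}

# audit_fixed BEFORE AFTER: packages flagged in BEFORE but no longer in AFTER.
audit_fixed() {
    _b=$(mktemp); _a=$(mktemp)
    vulnerable_pkgs < "$1" > "$_b"
    vulnerable_pkgs < "$2" > "$_a"
    LC_ALL=C comm -23 "$_b" "$_a"
    rm -f "$_b" "$_a"
}

# still_flagged AFTER NAME: succeeds if any version of port NAME is still flagged.
still_flagged() {
    vulnerable_pkgs < "$1" | grep -q "^$2-"
}

# Constructed sample output; on a real system use: pkg audit -F > before.txt
demo() {
    before=$(mktemp); after=$(mktemp)
    printf '%s\n' 'oniguruma5-5.9.6_1 is vulnerable:' \
        'oniguruma -- multiple vulnerabilities' '' \
        'examplepkg-1.0 is vulnerable:' \
        'examplepkg -- constructed entry' > "$before"
    printf '%s\n' 'examplepkg-1.0 is vulnerable:' \
        'examplepkg -- constructed entry' > "$after"
    echo "cleared: $(audit_fixed "$before" "$after")"
    if still_flagged "$after" oniguruma5; then
        echo "oniguruma5 is still installed and flagged"
    else
        echo "oniguruma5 is no longer flagged"
    fi
    rm -f "$before" "$after"
}
demo
```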