From owner-freebsd-ports@FreeBSD.ORG Thu Jun 9 14:01:22 2005
X-Original-To: freebsd-ports@freebsd.org
Delivered-To: freebsd-ports@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6A75816A41C for <freebsd-ports@freebsd.org>; Thu, 9 Jun 2005 14:01:22 +0000 (GMT) (envelope-from mkb@incubus.de)
Received: from luzifer.incubus.de (incubus.de [80.237.207.83]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2136D43D1D for <freebsd-ports@freebsd.org>; Thu, 9 Jun 2005 14:01:22 +0000 (GMT) (envelope-from mkb@incubus.de)
Received: from [192.168.2.10] (p54AAE1C5.dip.t-dialin.net [84.170.225.197]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by luzifer.incubus.de (Postfix) with ESMTP id 831F8311B2 for <freebsd-ports@freebsd.org>; Thu, 9 Jun 2005 16:04:13 +0200 (CEST)
Message-ID: <42A84C49.7070106@incubus.de>
Date: Thu, 09 Jun 2005 16:03:53 +0200
From: Matthias Buelow <mkb@incubus.de>
User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050526)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-ports@freebsd.org
X-Enigmail-Version: 0.91.0.0
OpenPGP: id=6FF22C9F; url=http://www.mkbuelow.net/mkbkeys
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: php4 vulnerabilities
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Porting software to FreeBSD
X-List-Received-Date: Thu, 09 Jun 2005 14:01:22 -0000

Hi folks,

I have various php4 ports installed and an up-to-date portaudit auditfile, and it doesn't warn me about the following issues in php4 < 4.3.11: CVE-ID: CAN-2005-0524, CAN-2005-0525, CAN-2005-1042, CAN-2005-1043. Don't these problems apply to 4.3.10 as bundled in ports, or is the auditfile just lagging? These are fairly serious issues, including a remote buffer overflow with code injection.

I only stumbled upon them because I read about them being included in an update bundle for MacOS X, in mainstream media. (Is there something like a ports-security-notifications mailing list? The security-notifications list apparently only sends notifications about the base system.)

mkb.

P.S.: Please Cc: me if possible, since I'm not subscribed to the list.