From nobody Fri Mar 14 07:55:59 2025
X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZDcB83x43z5qkqj;
	Fri, 14 Mar 2025 07:56:00 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4ZDcB76d9cz3H8m;
	Fri, 14 Mar 2025 07:55:59 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1741938959;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=1SQ2qHTEl/KoCVR6Wimpie6CLxBlerNYoHu/rVO1Q1c=;
	b=yXdLxAplIF0lYyhwGUvAJQC7vWbE+oWHEX7UDqcEIvRbeW0+eo3UTUGvPCY9Q99m0Ok1nc
	xHBoABM1yGoXr/FSlvkiFaI/50a1nm3NZSvmjJQrfCsc8J3sOpalkKw58wPR8vcicUJ0Y0
	W6t4R78qKSQbLEkaXNWfn0aWLy19bnTsVfez5Qlop2ycmKXXHmq3/M32vl/EwIU824Uykv
	zpBdPEPjMQKSGwa/eSksJxngcLLUD6qM2Lv90xTLmDsTGAfL4cV3CsgWy4qnhwEGkJ04AI
	zOsFPJjRtG1iFAZvhC52MM/O9BZBK3VKTDwmGjAO/R4m8beTlwM/EQUj/b2QuA==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1741938959; a=rsa-sha256; cv=none;
	b=d46vxt86WLn1ZsOqCpQMhPBLMzjwMHdsYSnYyusA7A52S4F9y+vXGWMIFMcXhFUmXc7OLI
	7c0kCrTtUo2hFkajzyQUgiI6/QBwy4HQmMrsQagdZZMl1IRQMLHH2R+nIm7B0rbcxge4uh
	z/X8cY4DxpmP6rj2Z4rfHfAFYza1bSFQoOdzIw9jRGytZQNhKOWVuqONzsibJIA0AX4x7N
	6mAtVdStpl+d0iA9Q5dM6SVIhfheDtRsx14pnqBGOOUbRAgr60VexKCJ4IIBNN0LDi+8zr
	LRTgUTrU4jiTJbz67RwWnpdGcEVbf0NSqFKR6gLv1v3THpnTHA1gFwR0JCv5iQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1741938959;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=1SQ2qHTEl/KoCVR6Wimpie6CLxBlerNYoHu/rVO1Q1c=;
	b=YdIxLOss8c3fUYefsP6lAlXuCSKctmaJ6eHq4DNIvEPgMsPnhYmnfhAIjrmjLVD6AYJJ3v
	+q9KYQNkJjf+XidE4PyOyx1f4pPZDK1exrE/WheFJcu8i7IjtrMjLgXRtrHqvRXiWrUB9N
	dTXW/bnoNaCWW1FJMvU6XZrO2y2F7xFa3B/Hn+a7+hUrTugFfPrKhaIAaPN3aoNHkRY/CI
	aRBmzAZb7Tb1UDh7t55KfztZty4Pj05hPi7uj2fPGgkFbUafa1rD8ULcJOzBsLI/3O3Mnj
	TEB5YsatPavynPwO9i9cdYZ1ocl8wZ/8GHOcyeYCp7TyNWTKbBZa9g0horfcxA==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4ZDcB769jDzc8l;
	Fri, 14 Mar 2025 07:55:59 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 52E7tx25029986;
	Fri, 14 Mar 2025 07:55:59 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 52E7txrE029983;
	Fri, 14 Mar 2025 07:55:59 GMT
	(envelope-from git)
Date: Fri, 14 Mar 2025 07:55:59 GMT
Message-Id: <202503140755.52E7txrE029983@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org,
        dev-commits-ports-main@FreeBSD.org
From: Muhammad Moinur Rahman <bofh@FreeBSD.org>
Subject: git: 537b5822a5c0 - main - security/vuxml: Document PHP
  vulnerabilities
List-Id: Commit messages for all branches of the ports repository <dev-commits-ports-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
List-Help: <mailto:dev-commits-ports-all+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-ports-all@freebsd.org
Sender: owner-dev-commits-ports-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: bofh
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 537b5822a5c034186e31f3f633d6c48e6668211c
Auto-Submitted: auto-generated

The branch main has been updated by bofh:

URL: https://cgit.FreeBSD.org/ports/commit/?id=537b5822a5c034186e31f3f633d6c48e6668211c

commit 537b5822a5c034186e31f3f633d6c48e6668211c
Author:     Christos Chatzaras <chris@cretaforce.gr>
AuthorDate: 2025-03-14 07:45:28 +0000
Commit:     Muhammad Moinur Rahman <bofh@FreeBSD.org>
CommitDate: 2025-03-14 07:55:44 +0000

    security/vuxml: Document PHP vulnerabilities
    
    PR:             285386
---
 security/vuxml/vuln/2025.xml | 72 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 71 insertions(+), 1 deletion(-)

diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
index 275e4224a4d2..7f38e65b7cb8 100644
--- a/security/vuxml/vuln/2025.xml
+++ b/security/vuxml/vuln/2025.xml
@@ -1,3 +1,73 @@
+  <vuln vid="2ac2ddc2-0051-11f0-8673-f02f7432cf97">
+  <topic>php -- Multiple vulnerabilities</topic>
+  <affects>
+    <package>
+      <name>php81</name>
+      <range>
+	<lt>8.1.32</lt>
+      </range>
+    </package>
+    <package>
+      <name>php82</name>
+      <range>
+	<lt>8.2.28</lt>
+      </range>
+    </package>
+    <package>
+      <name>php83</name>
+      <range>
+	<lt>8.3.19</lt>
+      </range>
+    </package>
+    <package>
+      <name>php84</name>
+      <range>
+	<lt>8.4.5</lt>
+      </range>
+    </package>
+  </affects>
+  <description>
+    <body xmlns="http://www.w3.org/1999/xhtml">
+      <p>php.net reports:</p>
+      <blockquote cite="https://www.php.net/ChangeLog-8.php">
+	<ul>
+	  <li>
+	    CVE-2024-11235: Core: Fixed GHSA-rwp7-7vc6-8477 (Reference counting in php_request_shutdown causes Use-After-Free).
+	  </li>
+	  <li>
+	    CVE-2025-1219: LibXML: Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header when requesting a redirected resource).
+	  </li>
+	  <li>
+	    CVE-2025-1736: Streams: Fixed GHSA-hgf5-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header).
+	  </li>
+	  <li>
+	    CVE-2025-1861: Streams: Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes).
+	  </li>
+	  <li>
+	    CVE-2025-1734: Streams: Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers without colon).
+	  </li>
+	  <li>
+	    CVE-2025-1217: Streams: Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not handle folded headers).
+	  </li>
+	</ul>
+      </blockquote>
+    </body>
+  </description>
+  <references>
+    <cvename>CVE-2024-11235</cvename>
+    <cvename>CVE-2025-1219</cvename>
+    <cvename>CVE-2025-1736</cvename>
+    <cvename>CVE-2025-1861</cvename>
+    <cvename>CVE-2025-1734</cvename>
+    <cvename>CVE-2025-1217</cvename>
+    <url>https://www.php.net/ChangeLog-8.php</url>
+  </references>
+  <dates>
+    <discovery>2025-03-13</discovery>
+    <entry>2025-03-13</entry>
+  </dates>
+  </vuln>
+
   <vuln vid="0b43fac4-005d-11f0-a540-6cc21735f730">
     <topic>shibboleth-sp -- Parameter manipulation allows the forging of signed SAML messages</topic>
     <affects>
@@ -53,7 +123,7 @@
 	    vulnerability by editing the protocols.xml configuration file and
 	    removing this line:
 	    <code>&lt;Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
-	             path="/SAML2/POST-SimpleSign" /&gt;</code>
+		path="/SAML2/POST-SimpleSign" /&gt;</code>
 	  </p>
 	</blockquote>
 	</body>