moved to release
php5 (5.6.4+dfsg-4ubuntu2) vivid; urgency=medium
* SECURITY UPDATE: out of bounds read via invalid php file
- debian/patches/CVE-2014-9427.patch: fix bounds in
sapi/cgi/cgi_main.c.
- CVE-2014-9427
* SECURITY UPDATE: out of bounds read in fileinfo
- debian/patches/CVE-2014-9652.patch: properly check length in
ext/fileinfo/libmagic/softmagic.c.
- CVE-2014-9652
* SECURITY UPDATE: arbitrary code execution via improper handling of
duplicate keys in unserializer, additional fix
- debian/patches/CVE-2015-0231.patch: fix use after free in
ext/standard/var_unserializer.*, added test to
ext/standard/tests/strings/bug68710.phpt.
- CVE-2015-0231
* SECURITY UPDATE: arbitrary code execution or denial of service via
crafted EXIF data
- debian/patches/CVE-2015-0232.patch: fix uninitialized pointer free in
ext/exif/exif.c.
- CVE-2015-0232
* SECURITY UPDATE: use after free in opcache component
- debian/patches/CVE-2015-1351.patch: fix use after free in
ext/opcache/zend_shared_alloc.c.
- CVE-2015-1351
* SECURITY UPDATE: null pointer dereference in pgsql
- debian/patches/CVE-2015-1352.patch: properly set valid token in
ext/pgsql/pgsql.c.
- CVE-2015-1352
* debian/patches/remove_readelf.patch: remove readelf.c from fileinfo as
it isn't used, and is a source of confusion when doing security
updates.
-- Marc Deslauriers <email address hidden> Tue, 17 Feb 2015 15:47:51 -0500