
Change log for “php4” package in Ubuntu

Deleted in feisty-release on 2007-03-14 (Reason: obsoleted by php5, outstanding vulnerabilities, unsupport...)
php4 (6:4.4.4-8) unstable; urgency=high

  [ sean finney ]
  * bring some of the mainline php4 modules back into the php source
    package instead of distributing them in independent source packages:
    - php4-imap
    - php4-interbase
    - php4-mcrypt
    - php4-pspell
    these modules are still provided in the same binary packages as
    before, but will now be built in tandem with the core php packages.
  * the above change is part of a fix for several RC bugs, keep our
    typically high severity yet again.
  * due to how the modules were separately packaged, they had a version
    equal to that of the php5 version, which means a mandatory epoch
    bump.
  * fix for no interbase building for arches besides i386 and amd64.

 -- Ubuntu Archive Auto-Sync <email address hidden>   Thu,  23 Nov 2006 08:40:53 +0000
Superseded in feisty-release on 2006-11-23
php4 (4:4.4.4-7) unstable; urgency=high

  [ sean finney ]
  * Add a bit of support in upgrade scripts to avoid unnecessary
    ucf prompting during upgrades.
  * loosen the depends of libapache2-mod-php4 to allow using
    apache2-mpm-itk as an alternative to apache2-mpm-prefork.
    Closes: #398581.
  * updated standards-version.

  [ Steve Langasek ]
  * Grammarize the changes to php.ini and README.Debian.security.
    Closes: #398097.
  * Re-enable LFS support in PHP4, this time with a fixed libapr API that
    is invariant with respect to -D_FILE_OFFSET_BITS=64
  * Add a versioned build-dependency on libapr1-dev (>= 1.2.7-8) for
    the above.
  * Also change the exported phpapi virtual package to mention LFS --
    changing the data type sizes with -D_FILE_OFFSET_BITS=64 *does*
    change the PHP extension ABI as well, and we *want* it to do this,
    so make sure we don't get subtly broken extensions in the process.
  * Export LFS_CFLAGS as part of the php-config --includes interface,
    otherwise we could again have segfaults with third-party modules
    built against the wrong API (isn't LFS great?)

 -- Ubuntu Archive Auto-Sync <email address hidden>   Wed,  22 Nov 2006 11:41:32 +0000
Superseded in feisty-release on 2006-11-22
php4 (4:4.4.4-6) unstable; urgency=high

  * Disable large file support, looks like it crashes (Closes: #397402)

Superseded in feisty-release on 2006-11-08
php4 (4:4.4.4-4~4) unstable; urgency=medium

  * the "lucky 4's" release.

  [sean finney]
  * add a README.Debian.security to clarify how we handle/respond
    to security problems in stable releases.
  * add notes to php.ini to reflect this.
    patch: 059-php.ini.securitynotes.patch
  * bump the debhelper compatibility level to 4.
  * remove the config-file muckery wrt extension_dir, as that predates
    sarge and thus we don't have to worry about it.
  * the long overdue rework of configuration file handling.  this also
    removes the need for debconf and template translations
    closes: #322436, #378354, #283304, #295385, #359070, #393504,
    and closes: #206908, #250686, #271169, #295726, #388698.
  * start using ucf to manage the various SAPI php.ini files.
  * cleanup and consolidation of a few things in the ./debian dir
  * bump the memory limit to 32M for the cli API.

Superseded in feisty-release on 2006-11-08
php4 (4:4.4.2-1.1build1) feisty; urgency=low

  * Rebuild for ldbl128 change on powerpc and sparc.

 -- Matthias Klose <email address hidden>   Thu,  2 Nov 2006 10:24:49 +0000
Obsolete in hoary-security on 2008-03-19
php4 (4:4.3.10-10ubuntu4.8) hoary-security; urgency=low

  * SECURITY UPDATE: Multiple vulnerabilities.
  * Fix CVE number in 4:4.3.10-10ubuntu4.5 changelog: The curl open_basedir
    bypass is actually CVE-2006-4483, not -2563.
  * Add debian/patches/CVE-2006-4486.patch:
    - Fix integer overflow and memory_limit bypass on 64 bit platforms.
    - Patch stolen from RedHat security update, not fixed upstream yet.
  * Add debian/patches/CVE-2006-4625.patch:
    - Fix open_basedir/safe_mode bypass with ini_restore().
    - Ported from upstream CVS:
      http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_ini.c?r1=1.39.2.2&r2=1.39.2.3

 -- Martin Pitt <email address hidden>   Tue, 10 Oct 2006 14:54:50 +0000
Superseded in hoary-security on 2006-10-10
php4 (4:4.3.10-10ubuntu4.7) hoary-security; urgency=low

  * SECURITY UPDATE: Multiple vulnerabilities.
  * debian/patches/CVE-2006-4020.patch:
    - sscanf buffer overflow
    - http://bugs.php.net/bug.php?id=38322
    - http://cvs.php.net/viewvc.cgi/php-src/ext/standard/scanf.c?r1=1.16.4.9.2.1&r2=1.16.4.9.2.2
  * debian/patches/CVE-2006-4481.patch:
    - safe_mode/open_basedir bypass with imap_reopen()
    - http://cvs.php.net/viewvc.cgi/php-src/ext/imap/php_imap.c?r1=1.142.2.44.2.5&r2=1.142.2.44.2.6
  * debian/patches/CVE-2006-4482.patch:
    - str_repeat() and wordwrap() buffer overflow on 64 bit systems
    - http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.10&r2=1.445.2.14.2.11
  * debian/patches/CVE-2006-4484.patch:
    - GIF parser overflow
    - http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_gif_in.c?r1=1.2.2.2.6.2&r2=1.2.2.2.6.3

 -- Martin Pitt <email address hidden>   Thu,  7 Sep 2006 11:52:10 +0000
Superseded in hoary-security on 2006-09-07
php4 (4:4.3.10-10ubuntu4.6) hoary-security; urgency=low

  * debian/patches/CVE-2006-1494.patch: Fix patch to not use p_len (which is
    not yet used in this PHP version). Many thanks to James Manning for
    tracking this down. Closes: LP#53581

 -- Martin Pitt <email address hidden>   Wed, 26 Jul 2006 06:36:41 +0000
Superseded in hoary-security on 2006-07-26
php4 (4:4.3.10-10ubuntu4.5) hoary-security; urgency=low

  * SECURITY UPDATE: Multiple vulnerabilities.
  * debian/patches/CVE-2006-0996.patch:
    - XSS in phpinfo() [CVE-2006-0996]
    - http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/info.c?r1=1.260&r2=1.261
      (that's the PHP5 version, ported to 4.3)
  * debian/patches/CVE-2006-1490.patch:
    - Memory disclosure in html_entity_decode() [CVE-2006-1490]
    - http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/html.c?r1=1.112&r2=1.113
  * debian/patches/CVE-2006-1494.patch:
    - Bypassing open_basedir restrictions with tempnam()
      [CVE-2006-1494, CVE-2006-2660]
    - http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/file.c?r1=1.429&r2=1.430
  * debian/patches/CVE-2006-1608.patch:
    - Bypassing open_basedir restrictions with copy() via a source argument
      containing a compress.zlib:// URI [CVE-2006-1608]
    - http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/file.c?r1=1.279.2.70&r2=1.279.2.71
  * debian/patches/CVE-2006-1990.patch:
    - Integer overflow in wordwrap function (usually not triggerable from
      outside). [CVE-2006-1990]
    - http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/string.c?r1=1.333.2.52.2.3&r2=1.333.2.52.2.4
    - Zend/zend_alloc.c: Fix variable declaration to work on 64-bit systems to
      plug this vulnerability on amd64/ia64, too. (not yet fixed upstream)
  * debian/patches/CVE-2006-2563.patch:
    - Bypassing safe mode/open_basedir restrictions with curl module
      [CVE-2006-2563]
    - Patch taken from Mandriva, not fixed upstream.
  * debian/patches/CVE-2006-3011.patch:
    - Bypassing safe mode/open_basedir restrictions with error_log() with
      'php://' or other schema in the third argument. [CVE-2006-3011]
    - http://cvs.php.net/viewvc.cgi/php-src/ext/standard/basic_functions.c?r1=1.543.2.51.2.9&r2=1.543.2.51.2.10
  * debian/patches/CVE-2006-3017.patch:
    - Fix zend_hash_del() (previously could delete the wrong element, which
      prevented a variable from being unset even when the PHP unset function
      was called, which might cause the variable's value to be used in
      security-relevant operations). [CVE-2006-3017]
    - http://cvs.php.net/viewcvs.cgi/Zend/zend_hash.c?r1=1.87.4.8.2.1&r2=1.87.4.8.2.3
  * debian/patches/CVE-2006-3018.patch:
    - Heap corruption in session extension. [CVE-2006-3018]
    - http://cvs.php.net/viewcvs.cgi/php-src/ext/session/mod_files.c?r1=1.102&r2=1.103

 -- Martin Pitt <email address hidden>   Wed, 19 Jul 2006 09:13:45 +0000
Superseded in feisty-release on 2006-11-03
Obsolete in edgy-release on 2008-06-19
php4 (4:4.4.2-1.1) unstable; urgency=high

  * Non-maintainer upload.
  * Backport patches from upstream CVS to fix security issues:
    * 058-html_entity_decode_fix.patch: Fix information leak in
      html_entity_decode() (CVE-2006-1490). (Closes: #359904)
    * 059-wordwrap_fix.patch: Fix possible heap overflow in wordwrap()
      (CVE-2006-1990). (Closes: #365311)
  * Make sure patches are applied in correct order; patch from Sven Mueller.

 -- Ubuntu Archive Auto-Sync <email address hidden>   Thu,  15 Jun 2006 15:18:09 +0100
Superseded in edgy-release on 2006-06-15
Obsolete in dapper-release on 2011-09-06
php4 (4:4.4.2-1build1) dapper; urgency=low

  * Rebuild against the new libmysqlclient15off with correct symbols.

 -- Adam Conrad <email address hidden>   Thu,  6 Apr 2006 15:11:21 +1000
Obsolete in warty-security on 2008-01-09
php4 (4:4.3.8-3ubuntu7.15) warty-security; urgency=low

  * SECURITY UPDATE: multiple fixes backported from 5.1.2 and CVS:
    - Fix multiple HTTP response splitting vulnerabilities in sessions and
      the header() function, due to lack of input validation; CVE-2006-0207
      + Add safety checks in the header() function to make sure that we
        don't get newlines injected by (mis)use of user input in headers.
      + Add a check for invalid characters in session names, so that we
        aren't subject to HTTP response splitting vulnerabilities in
        the Set-Cookie header we send back out as a result of user input.
      + Bring in a patch from newer versions of php4 and php5, preventing
        us from sending session cookies when we were just handed one,
        unless the session ID has changed, eliminating another vector.
    - Filter HTML error reporting, preventing cross-site scripting attacks
      when both display_errors and html_errors are enabled; CVE-2006-0208

 -- Adam Conrad <email address hidden>   Wed,  8 Mar 2006 18:17:46 +1100
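The two input checks this entry describes, written out as an added illustration in C (this is not the php4 code from the update itself): a header line is only emitted if it contains no CR or LF, and a session name is only accepted if it cannot alter the Set-Cookie header. The alphanumeric-only rule for session names is an assumption of this example and is stricter than what the entry states.

```c
/* Added illustration of the checks described in the changelog entry above;
 * not PHP's own header() or session code. */
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* A header line is safe to emit only if it contains no CR or LF. Either
 * byte ends the header line, so anything after it in a user-controlled
 * value would be parsed as an additional header or as the response body
 * (HTTP response splitting). */
bool header_line_is_safe(const char *line)
{
    if (line == NULL)
        return false;
    return strpbrk(line, "\r\n") == NULL;
}

/* The session name is reused verbatim as the cookie name in Set-Cookie.
 * Assumption for this example: only alphanumerics are allowed, which
 * rules out '=', ';', ',', whitespace and CR/LF, none of which may
 * appear inside a cookie name. */
bool session_name_is_valid(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    for (const char *p = name; *p != '\0'; p++) {
        if (!isalnum((unsigned char)*p))
            return false;
    }
    return true;
}

/* Third point from the entry: do not re-send the session cookie when the
 * request already carried one, unless the session id has since changed
 * (e.g. after regeneration). received_id may be NULL when no cookie came in. */
bool should_send_session_cookie(const char *received_id, const char *current_id)
{
    if (current_id == NULL)
        return false;
    if (received_id == NULL)
        return true;
    return strcmp(received_id, current_id) != 0;
}
```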
Superseded in hoary-security on 2006-07-19
php4 (4:4.3.10-10ubuntu4.4) hoary-security; urgency=low

  * SECURITY UPDATE: multiple fixes backported from 5.1.2 and CVS:
    - Fix multiple HTTP response splitting vulnerabilities in sessions and
      the header() function, due to lack of input validation; CVE-2006-0207
      + Add safety checks in the header() function to make sure that we
        don't get newlines injected by (mis)use of user input in headers.
      + Add a check for invalid characters in session names, so that we
        aren't subject to HTTP response splitting vulnerabilities in
        the Set-Cookie header we send back out as a result of user input.
    - Filter HTML error reporting, preventing cross-site scripting attacks
      when both display_errors and html_errors are enabled; CVE-2006-0208

 -- Adam Conrad <email address hidden>   Wed,  8 Mar 2006 18:07:11 +1100
Obsolete in breezy-security on 2008-03-25
php4 (4:4.4.0-3ubuntu2) breezy-security; urgency=low

  * SECURITY UPDATE: multiple fixes backported from 5.1.2 and CVS:
    - Fix multiple HTTP response splitting vulnerabilities in sessions and
      the header() function, due to lack of input validation; CVE-2006-0207
      + Add safety checks in the header() function to make sure that we
        don't get newlines injected by (mis)use of user input in headers.
      + Add a check for invalid characters in session names, so that we
        aren't subject to HTTP response splitting vulnerabilities in
        the Set-Cookie header we send back out as a result of user input.
    - Filter HTML error reporting, preventing cross-site scripting attacks
      when both display_errors and html_errors are enabled; CVE-2006-0208

 -- Adam Conrad <email address hidden>   Wed,  8 Mar 2006 17:50:13 +1100
Superseded in dapper-release on 2006-04-06
Superseded in dapper-release on 2006-02-03
php4 (4:4.4.2-1) unstable; urgency=low

  * New upstream bugfix release, skipping the problematic 4.4.1 release:
    - Remove some PEAR cruft from 006-debian_quirks.patch, since we don't
      build PEAR from php4 anymore, and it conflicted with upstream diffs.
    - Remove 054-open_basedir_slash.patch, now integrated upstream.
    - Remove 055-gd_safe_mode_checks.patch, fixed differently upstream.
  * Many security vulns fixed (closes: #336645, #339577, #336004, #341726):
    - Fixes multiple cross-site-scripting vulnerabilities; CVE-2006-0208
    - Resolves multiple HTTP response splitting vulnerabilities, allowing
      arbitrary header injection via Set-Cookie headers; see CVE-2006-0207
    - Resolves a local denial of service in the apache2 SAPI, which can
      be triggered by using session.save_path in .htaccess; CVE-2005-3319
    - Resolves an infinite loop in the exif_read_data function which can
      be triggered with a specially-crafted JPEG image; CVE-2005-3353
    - Resolves an XSS vulnerability in the phpinfo function; CVE-2005-3388
    - Resolves a vulnerability in the parse_str function whereby a remote
      attacker can fool PHP into turning on register_globals, thus making
      applications vulnerable to global variable injections; CVE-2005-3389
    - Resolves a vulnerability in the RFC1867 file upload feature where, if
      register_globals is enabled, a remote attacker can modify the GLOBALS
      array with a multipart/form-data POST request; see CVE-2005-3390
    - Resolves numerous safe_mode and open_basedir bypasses; CVE-2005-3391
    - Resolves INI settings leaks in the apache2 SAPI, leading to safe_mode
      and open_basedir bypasses between virtual hosts; CVE-2005-3392
    - Resolves a CRLF injection vulnerability in the mb_send_mail function,
      allowing injection of arbitrary mail headers; see CVE-2005-3883
  * Bump libdb build-dep from 4.2 to 4.3, matching apache (closes: #343399)
  * Bump our MySQL build-dep to 5.0's libmysqlclient15-dev (closes: #343791)
  * Automate the process of getting the list of built-in modules into the
    package descriptions, so it stays fresh in the future (see: #341867)
  * Create 056-mime_magic_strings.patch, making the mime_magic extension
    more liberal about what mime-types it accepts, as well as making it skip
    over ones it dislikes, rather than disabling itself (see: #335674)
  * Add 057-no_apache_installed.patch, to stop spewing a mess of errors in
    configure because we don't have the apache binaries in the build chroot.
  * Fix small typo in the php4-xslt package description (see: #344816)

 -- Adam Conrad <adconrad@0c3.net>  Wed, 18 Jan 2006 18:41:11 +1100
Superseded in breezy-security on 2006-03-10
Superseded in breezy-security on 2006-02-03
php4 (4:4.4.0-3ubuntu1) breezy-security; urgency=low

  * SECURITY UPDATE: multiple fixes backported from new upstream releases:
    - Resolves a local denial of service in the apache2 SAPI, which can
      be triggered by using session.save_path in .htaccess; CVE-2005-3319
    - Resolves an infinite loop in the exif_read_data function which can
      be triggered with a specially-crafted JPEG image; CVE-2005-3353
    - Resolves an XSS vulnerability in the phpinfo function; CVE-2005-3388
    - Resolves a vulnerability in the parse_str function whereby a remote
      attacker can fool PHP into turning on register_globals, thus making
      applications vulnerable to global variable injections; CVE-2005-3389
    - Resolves a vulnerability in the RFC1867 file upload feature where, if
      register_globals is enabled, a remote attacker can modify the GLOBALS
      array with a multipart/form-data POST request; see CVE-2005-3390
    - Resolves numerous safe_mode and open_basedir bypasses; CVE-2005-3391
    - Resolves INI settings leaks in the apache2 SAPI, leading to safe_mode
      and open_basedir bypasses between virtual hosts; CVE-2005-3392
    - Resolves a CRLF injection vulnerability in the mb_send_mail function,
      allowing injection of arbitrary mail headers; see CVE-2005-3883

 -- Adam Conrad <email address hidden>  Mon, 19 Dec 2005 16:48:53 +1100
Superseded in hoary-security on 2006-03-10
Superseded in hoary-security on 2006-02-03
php4 (4:4.3.10-10ubuntu4.3) hoary-security; urgency=low

  * SECURITY UPDATE: multiple fixes backported from new upstream releases:
    - Resolves a local denial of service in the apache2 SAPI, which can
      be triggered by using session.save_path in .htaccess; CVE-2005-3319
    - Resolves an infinite loop in the exif_read_data function which can
      be triggered with a specially-crafted JPEG image; CVE-2005-3353
    - Resolves an XSS vulnerability in the phpinfo function; CVE-2005-3388
    - Resolves a vulnerability in the parse_str function whereby a remote
      attacker can fool PHP into turning on register_globals, thus making
      applications vulnerable to global variable injections; CVE-2005-3389
    - Resolves a vulnerability in the RFC1867 file upload feature where, if
      register_globals is enabled, a remote attacker can modify the GLOBALS
      array with a multipart/form-data POST request; see CVE-2005-3390
    - Resolves INI settings leaks in the apache2 SAPI, leading to safe_mode
      and open_basedir bypasses between virtual hosts; CVE-2005-3392
    - Resolves a CRLF injection vulnerability in the mb_send_mail function,
      allowing injection of arbitrary mail headers; see CVE-2005-3883

 -- Adam Conrad <email address hidden>  Fri, 23 Dec 2005 15:06:06 +1000
Superseded in warty-security on 2006-03-10
Superseded in warty-security on 2006-02-03
Superseded in warty-security on 2006-02-03
php4 (4:4.3.8-3ubuntu7.14) warty-security; urgency=low

  * SECURITY UPDATE: multiple fixes backported from new upstream releases:
    - Resolves a local denial of service in the apache2 SAPI, which can
      be triggered by using session.save_path in .htaccess; CVE-2005-3319
    - Resolves an infinite loop in the exif_read_data function which can
      be triggered with a specially-crafted JPEG image; CVE-2005-3353
    - Resolves an XSS vulnerability in the phpinfo function; CVE-2005-3388
    - Resolves a vulnerability in the parse_str function whereby a remote
      attacker can fool PHP into turning on register_globals, thus making
      applications vulnerable to global variable injections; CVE-2005-3389
    - Resolves a vulnerability in the RFC1867 file upload feature where, if
      register_globals is enabled, a remote attacker can modify the GLOBALS
      array with a multipart/form-data POST request; see CVE-2005-3390
    - Resolves numerous safe_mode and open_basedir bypasses; CVE-2005-3391
    - Resolves INI settings leaks in the apache2 SAPI, leading to safe_mode
      and open_basedir bypasses between virtual hosts; CVE-2005-3392
    - Resolves a CRLF injection vulnerability in the mb_send_mail function,
      allowing injection of arbitrary mail headers; see CVE-2005-3883

 -- Adam Conrad <email address hidden>  Fri, 23 Dec 2005 15:09:37 +1000
Superseded in dapper-release on 2006-01-31
php4 (4:4.4.0-4) unstable; urgency=low

  * Build-Depend on libcurl3-openssl-dev, since libcurl3-dev is going away
    soon.  Keep libcurl3-dev as an alternate for backporting (closes: #334367)
  * Switch from libmysqlclient12 to libmysqlclient14; this puts us on the
    *other* side of the line regarding which combinations of DSOs cause
    segfaults, so hopefully the others catch up with us soon (closes: #316755)
  * Look for magic.mime in /usr/share/file now instead of /usr/share/misc/file,
    as the path has been changed to comply with the FHS (closes: #334510)
  * Make the above backportable as well, by searching for both files, and
    picking the one that's currently installed on the user's system.
  * Include swedish debconf translation from Daniel Nylander (closes: #330642)

 -- Adam Conrad <email address hidden>  Fri, 21 Oct 2005 01:52:03 +1000
Obsolete in breezy-release on 2008-03-25
php4 (4:4.4.0-3) unstable; urgency=low

  * Remove Andres Salomon from the Uploaders field, at his request.  Thanks
    for all your work on the PHP packages, Andres, now fix our kernel bugs.
  * Add 054-open_basedir_slash.patch, which fixes a bug where if open_basedir
    is set to "/foo/", users can access files in "/foobar/", which is not the
    documented behaviour; this addresses CAN-2005-3054 (closes: #323585)
  * Add 055-gd_safe_mode_checks.patch from PHP CVS, adding missing safe_mode
    checks to the _php_image_output and _php_image_output_ctx GD functions.

 -- Adam Conrad <adconrad@0c3.net>  Tue, 27 Sep 2005 16:12:05 +1000
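The open_basedir prefix bug this entry describes ("/foo/" also admitting "/foobar/"), shown as an added illustration in C beside the directory-boundary check that closes it. This is not the code from 054-open_basedir_slash.patch or from PHP's fopen_wrappers.c; the function names and the fixed-size buffer are assumptions of this example, and both checks assume the path has already been canonicalized (no "..", symlinks resolved), which a real implementation must do first.

```c
/* Added illustration of the open_basedir prefix check, not PHP's own code.
 * Paths are assumed to be canonical (absolute, no "..", symlinks resolved). */
#include <stdbool.h>
#include <string.h>

/* Buggy form: a plain string-prefix comparison. A trailing slash on the
 * configured basedir is dropped before comparing, so "/foo/" becomes the
 * prefix "/foo", which also matches "/foobar/secret". */
bool in_basedir_naive(const char *basedir, const char *path)
{
    size_t n = strlen(basedir);
    if (n > 0 && basedir[n - 1] == '/')
        n--;
    return strncmp(basedir, path, n) == 0;
}

/* Fixed form: the prefix must end on a directory boundary, i.e. the byte in
 * path right after the prefix is either '/' or the end of the string.
 * basedir "/" (n becomes 0) still admits every absolute path, as intended. */
bool in_basedir_fixed(const char *basedir, const char *path)
{
    size_t n = strlen(basedir);
    if (n > 0 && basedir[n - 1] == '/')
        n--;
    if (strncmp(basedir, path, n) != 0)
        return false;
    return path[n] == '\0' || path[n] == '/';
}

/* open_basedir may list several directories separated by ':'. The path is
 * allowed if it lies under any one of them, using the fixed check. */
bool in_any_basedir(const char *list, const char *path)
{
    const char *p = list;
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        char dir[4096];                      /* assumed upper bound for one entry */
        if (len > 0 && len < sizeof dir) {
            memcpy(dir, p, len);
            dir[len] = '\0';
            if (in_basedir_fixed(dir, path))
                return true;
        }
        if (sep == NULL)
            break;
        p = sep + 1;
    }
    return false;
}
```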
Superseded in hoary-security on 2006-01-31
php4 (4:4.3.10-10ubuntu4.2) hoary-security; urgency=low

  * SECURITY UPDATE: similar-named open_basedir bypass.
  * Add 054-open_basedir_slash.patch, which fixes a bug where if open_basedir
    is set to "/foo/", users can access files in "/foobar/", which is not the
    documented behaviour; this addresses CAN-2005-3054 (see Debian #323585)

 -- Adam Conrad <email address hidden>  Fri,  7 Oct 2005 18:37:58 +1000
Obsolete in hoary-release on 2008-03-19
php4 (4:4.3.10-2ubuntu4) hoary; urgency=low

  * Remove apache-dev dependencies and the apache1.3 module

 -- Thom May <email address hidden>  Tue,  1 Mar 2005 11:04:28 +0000
Obsolete in hoary-release on 2008-03-19
php4 (4:4.3.10-10ubuntu4) hoary; urgency=low

  * Introduce a new substvar "debian:Base", allowing the loosening of
    dependencies for packages (such as the php4 meta-package) which
    could suffer from version skew between the php4 and php4-universe
    source packages.

 -- Adam Conrad <adconrad@0c3.net>  Fri,  1 Apr 2005 05:42:44 +0000
Superseded in warty-security on 2006-01-31
php4 (4:4.3.8-3ubuntu7.13) warty-security; urgency=low

  * SECURITY UPDATE: open_basedir bypass and php4-gd safe_mode bypass.
  * Add 054-open_basedir_slash.patch, which fixes a bug where if open_basedir
    is set to "/foo/", users can access files in "/foobar/", which is not the
    documented behaviour; this addresses CAN-2005-3054 (see Debian #323585)
  * Add 055-gd_safe_mode_checks.patch from PHP CVS, adding missing safe_mode
    checks to the _php_image_output and _php_image_output_ctx GD functions.

 -- Adam Conrad <email address hidden>  Tue, 27 Sep 2005 19:18:20 +1000
Obsolete in warty-release on 2008-01-09
php4 (4:4.3.8-3ubuntu7) warty; urgency=low

  * Fixes for Warty #1915
   - GPC processing fixes
   - RFC 1867 handling fixes

 -- Thom May <email address hidden>  Fri,  1 Oct 2004 18:54:56 +0100