Change log for php5 package in Ubuntu

175 of 328 results
Published in trusty-proposed on 2015-08-13
php5 (5.5.9+dfsg-1ubuntu4.12) trusty; urgency=medium

  * Fix PHP Fatal error: Inconsistent insteadof definition (LP: #1474276)
    - Apply upstream fix

 -- Ryan Harper <email address hidden>  Thu, 13 Aug 2015 09:55:34 -0500
Published in wily-proposed on 2015-08-05
php5 (5.6.11+dfsg-1ubuntu2) wily; urgency=medium

  * No-change rebuild against new libicu

 -- Iain Lane <email address hidden>  Wed, 05 Aug 2015 17:41:17 +0100
Published in wily-release on 2015-07-27
Deleted in wily-proposed (Reason: moved to release)
php5 (5.6.11+dfsg-1ubuntu1) wily; urgency=medium

  * Merge from Debian. Remaining changes:
    - Drop support for firebird, c-client, mcrypt, onig and qdbm as they
      are in universe:
      + d/control: drop Build-Depends on firebird-dev, libc-client-dev,
        libmcrypt-dev, libonig-dev, libqdbm-dev.
      + d/control: drop binary packages php5-imap, php5-interbase and
        php5-mcrypt and their reverse dependencies.
      + d/rules: drop configuration of qdgm, onig, imap, mcrypt.
      + d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't
        build interbase or firebird.
      + d/modulelist: drop imap, interbase and mcrypt.
    - d/control: switch Build-Depends of netcat-traditional to
      netcat-openbsd as only the latter is in main.
    - d/source_php5.py, d/rules: add apport hook.
  * New upstream version uses __builtin_clzl when  __powerpc__ is defined,
    improving performance on POWER systems (LP: #1458434).
  * Drop changes (patches included upstream): CVE-2015-4598.patch,
    CVE-2015-4643.patch, CVE-2015-4644.patch.

 -- Robie Basak <email address hidden>  Mon, 27 Jul 2015 11:15:34 +0000
Superseded in wily-release on 2015-07-27
Deleted in wily-proposed on 2015-07-28 (Reason: moved to release)
php5 (5.6.9+dfsg-1ubuntu1) wily; urgency=medium

  * Merge from Debian. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm, onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt
      since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
  * Dropped changes:
    - patches included in new upstream version: CVE-2014-9427.patch,
      CVE-2014-9652.patch, CVE-2015-0231.patch, CVE-2015-0232.patch,
      CVE-2015-1351.patch, CVE-2015-1352.patch, remove_readelf.patch,
      CVE-2014-9705.patch, CVE-2015-0273.patch, CVE-2015-2301.patch,
      CVE-2015-2305.patch, CVE-2015-2331.patch, CVE-2015-2348.patch,
      CVE-2015-2787.patch, CVE-2015-2783.patch, bug69218.patch,
      bug69441.patch.
  * SECURITY UPDATE: more missing file path null byte checks
    - debian/patches/CVE-2015-4598.patch: add missing checks to
      ext/dom/document.c, ext/gd/gd.c, fix test in
      ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt.
    - CVE-2015-4598
  * SECURITY UPDATE: arbitrary code execution via ftp server long reply to
    a LIST command
    - debian/patches/CVE-2015-4643.patch: prevent overflow check bypass in
      ext/ftp/ftp.c.
    - CVE-2015-4643
  * SECURITY UPDATE: denial of service via php_pgsql_meta_data
    - debian/patches/CVE-2015-4644.patch: check return value in
      ext/pgsql/pgsql.c, add test to ext/pgsql/pg_insert_002.phpt.
    - CVE-2015-4644

Published in precise-updates on 2015-07-06
Published in precise-security on 2015-07-06
php5 (5.3.10-1ubuntu3.19) precise-security; urgency=medium

  * SECURITY UPDATE: missing file path null byte checks
    - debian/patches/CVE-2015-3411.patch: add missing checks to
      ext/dom/document.c, ext/fileinfo/fileinfo.c, ext/gd/gd.c,
      ext/hash/hash.c, ext/pgsql/pgsql.c, ext/standard/streamsfuncs.c,
      ext/xmlwriter/php_xmlwriter.c, ext/zlib/zlib.c, add tests to
      ext/fileinfo/tests/finfo_file_basic.phpt,
      ext/hash/tests/hash_hmac_file_error.phpt,
      backport CHECK_NULL_PATH to Zend/zend_API.h.
    - CVE-2015-3411
    - CVE-2015-3412
  * SECURITY UPDATE: denial of service via crafted tar archive
    - debian/patches/CVE-2015-4021.patch: handle empty strings in
      ext/phar/tar.c.
    - CVE-2015-4021
  * SECURITY UPDATE: arbitrary code execution via ftp server long reply to
    a LIST command
    - debian/patches/CVE-2015-4022.patch: fix overflow in ext/ftp/ftp.c.
    - CVE-2015-4022
  * SECURITY UPDATE: denial of service via crafted form data
    - debian/patches/CVE-2015-4024.patch: use smart_str to assemble strings
      in main/rfc1867.c.
    - CVE-2015-4024
  * SECURITY UPDATE: more missing file path null byte checks
    - debian/patches/CVE-2015-4025.patch: add missing checks to
      ext/pcntl/pcntl.c, ext/standard/dir.c.
    - CVE-2015-4025
    - CVE-2015-4026
  * SECURITY UPDATE: arbitrary code execution via crafted serialized data
    with unexpected data type
    - debian/patches/CVE-2015-4147.patch: check variable types in
      ext/soap/php_encoding.c, ext/soap/php_http.c, ext/soap/soap.c.
    - CVE-2015-4147
    - CVE-2015-4148
    - CVE-2015-4600
    - CVE-2015-4601
  * SECURITY UPDATE: more missing file path null byte checks
    - debian/patches/CVE-2015-4598.patch: add missing checks to
      ext/dom/document.c, ext/gd/gd.c.
    - CVE-2015-4598
  * SECURITY UPDATE: denial of service or information leak via type
    confusion with crafted serialized data
    - debian/patches/CVE-2015-4599.patch: use proper types in
      ext/soap/soap.c.
    - CVE-2015-4599
  * SECURITY UPDATE: denial of service or information leak via type
    confusion with crafted serialized data
    - debian/patches/CVE-2015-4602.patch: check for proper type in
      ext/standard/incomplete_class.c.
    - CVE-2015-4602
  * SECURITY UPDATE: denial of service or information leak via type
    confusion with crafted serialized data
    - debian/patches/CVE-2015-4603.patch: check type in
      Zend/zend_exceptions.c, add test to
      ext/standard/tests/serialize/bug69152.phpt.
    - CVE-2015-4603
  * SECURITY UPDATE: arbitrary code execution via ftp server long reply to
    a LIST command
    - debian/patches/CVE-2015-4643.patch: prevent overflow check bypass in
      ext/ftp/ftp.c.
    - CVE-2015-4643
  * SECURITY UPDATE: denial of service via php_pgsql_meta_data
    - debian/patches/CVE-2015-4644.patch: check return value in
      ext/pgsql/pgsql.c, add test to ext/pgsql/pg_insert_002.phpt.
    - CVE-2015-4644
  * debian/patches/CVE-2015-2783-memleak.patch: fix memory leak introduced
    by CVE-2015-2783 security update.

 -- Marc Deslauriers <email address hidden>  Thu, 02 Jul 2015 07:42:32 -0400
Published in utopic-updates on 2015-07-06
Published in utopic-security on 2015-07-06
php5 (5.5.12+dfsg-2ubuntu4.6) utopic-security; urgency=medium

  * SECURITY UPDATE: missing file path null byte checks
    - debian/patches/CVE-2015-3411.patch: add missing checks to
      ext/dom/document.c, ext/fileinfo/fileinfo.c, ext/gd/gd.c,
      ext/hash/hash.c, ext/pgsql/pgsql.c, ext/standard/link.c,
      ext/standard/streamsfuncs.c, ext/xmlwriter/php_xmlwriter.c,
      ext/zlib/zlib.c, add tests to
      ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt,
      ext/fileinfo/tests/finfo_file_basic.phpt,
      ext/hash/tests/hash_hmac_file_error.phpt
    - CVE-2015-3411
    - CVE-2015-3412
  * SECURITY UPDATE: denial of service via crafted tar archive
    - debian/patches/CVE-2015-4021.patch: handle empty strings in
      ext/phar/tar.c.
    - CVE-2015-4021
  * SECURITY UPDATE: arbitrary code execution via ftp server long reply to
    a LIST command
    - debian/patches/CVE-2015-4022.patch: fix overflow in ext/ftp/ftp.c.
    - CVE-2015-4022
  * SECURITY UPDATE: denial of service via crafted form data
    - debian/patches/CVE-2015-4024.patch: use smart_str to assemble strings
      in main/rfc1867.c.
    - CVE-2015-4024
  * SECURITY UPDATE: more missing file path null byte checks
    - debian/patches/CVE-2015-4025.patch: add missing checks to
      ext/pcntl/pcntl.c, ext/standard/basic_functions.c,
      ext/standard/dir.c, ext/standard/file.c.
    - CVE-2015-4025
    - CVE-2015-4026
  * SECURITY UPDATE: arbitrary code execution via crafted serialized data
    with unexpected data type
    - debian/patches/CVE-2015-4147.patch: check variable types in
      ext/soap/php_encoding.c, ext/soap/php_http.c, ext/soap/soap.c.
    - CVE-2015-4147
    - CVE-2015-4148
    - CVE-2015-4600
    - CVE-2015-4601
  * SECURITY UPDATE: more missing file path null byte checks
    - debian/patches/CVE-2015-4598.patch: add missing checks to
      ext/dom/document.c, ext/gd/gd.c, fix tests in
      ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt,
      ext/gd/tests/imageloadfont_error1.phpt,
      ext/zlib/tests/gzopen_variation1.phpt,
      ext/zlib/tests/readgzfile_variation1.phpt,
      ext/zlib/tests/readgzfile_variation6.phpt,
      ext/standard/tests/dir/dir_variation1.phpt,
      ext/standard/tests/dir/opendir_variation1.phpt,
      ext/standard/tests/file/mkdir_rmdir_variation2.phpt,
      ext/standard/tests/file/readlink_variation1.phpt,
      ext/standard/tests/file/tempnam_variation3-win32.phpt,
      ext/standard/tests/file/tempnam_variation3.phpt,
      ext/standard/tests/general_functions/include_path.phpt.
    - CVE-2015-4598
  * SECURITY UPDATE: denial of service or information leak via type
    confusion with crafted serialized data
    - debian/patches/CVE-2015-4599.patch: use proper types in
      ext/soap/soap.c.
    - CVE-2015-4599
  * SECURITY UPDATE: denial of service or information leak via type
    confusion with crafted serialized data
    - debian/patches/CVE-2015-4602.patch: check for proper type in
      ext/standard/incomplete_class.c.
    - CVE-2015-4602
  * SECURITY UPDATE: denial of service or information leak via type
    confusion with crafted serialized data
    - debian/patches/CVE-2015-4603.patch: check type in
      Zend/zend_exceptions.c, add test to
      ext/standard/tests/serialize/bug69152.phpt.
    - CVE-2015-4603
  * SECURITY UPDATE: arbitrary code execution via ftp server long reply to
    a LIST command
    - debian/patches/CVE-2015-4643.patch: prevent overflow check bypass in
      ext/ftp/ftp.c.
    - CVE-2015-4643
  * SECURITY UPDATE: denial of service via php_pgsql_meta_data
    - debian/patches/CVE-2015-4644.patch: check return value in
      ext/pgsql/pgsql.c, add test to ext/pgsql/pg_insert_002.phpt.
    - CVE-2015-4644
  * debian/patches/CVE-2015-2783-memleak.patch: fix memory leak introduced
    by CVE-2015-2783 security update.

 -- Marc Deslauriers <email address hidden>  Thu, 02 Jul 2015 08:51:10 -0400
Published in vivid-updates on 2015-07-06
Published in vivid-security on 2015-07-06
php5 (5.6.4+dfsg-4ubuntu6.2) vivid-security; urgency=medium

  * SECURITY UPDATE: missing file path null byte checks
    - debian/patches/CVE-2015-3411.patch: add missing checks to
      ext/dom/document.c, ext/fileinfo/fileinfo.c, ext/gd/gd.c,
      ext/hash/hash.c, ext/pgsql/pgsql.c, ext/standard/link.c,
      ext/standard/streamsfuncs.c, ext/xmlwriter/php_xmlwriter.c,
      ext/zlib/zlib.c, add tests to
      ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt,
      ext/fileinfo/tests/finfo_file_basic.phpt,
      ext/hash/tests/hash_hmac_file_error.phpt
    - CVE-2015-3411
    - CVE-2015-3412
  * SECURITY UPDATE: denial of service via crafted tar archive
    - debian/patches/CVE-2015-4021.patch: handle empty strings in
      ext/phar/tar.c.
    - CVE-2015-4021
  * SECURITY UPDATE: arbitrary code execution via ftp server long reply to
    a LIST command
    - debian/patches/CVE-2015-4022.patch: fix overflow in ext/ftp/ftp.c.
    - CVE-2015-4022
  * SECURITY UPDATE: denial of service via crafted form data
    - debian/patches/CVE-2015-4024.patch: use smart_str to assemble strings
      in main/rfc1867.c.
    - CVE-2015-4024
  * SECURITY UPDATE: more missing file path null byte checks
    - debian/patches/CVE-2015-4025.patch: add missing checks to
      ext/pcntl/pcntl.c, ext/standard/basic_functions.c,
      ext/standard/dir.c, ext/standard/file.c.
    - CVE-2015-4025
    - CVE-2015-4026
  * SECURITY UPDATE: arbitrary code execution via crafted serialized data
    with unexpected data type
    - debian/patches/CVE-2015-4147.patch: check variable types in
      ext/soap/php_encoding.c, ext/soap/php_http.c, ext/soap/soap.c.
    - CVE-2015-4147
    - CVE-2015-4148
    - CVE-2015-4600
    - CVE-2015-4601
  * SECURITY UPDATE: more missing file path null byte checks
    - debian/patches/CVE-2015-4598.patch: add missing checks to
      ext/dom/document.c, ext/gd/gd.c, fix tests in
      ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt,
      ext/gd/tests/imageloadfont_error1.phpt,
      ext/zlib/tests/gzopen_variation1.phpt,
      ext/zlib/tests/readgzfile_variation1.phpt,
      ext/zlib/tests/readgzfile_variation6.phpt,
      ext/standard/tests/dir/dir_variation1.phpt,
      ext/standard/tests/dir/opendir_variation1.phpt,
      ext/standard/tests/file/mkdir_rmdir_variation2.phpt,
      ext/standard/tests/file/readlink_variation1.phpt,
      ext/standard/tests/file/tempnam_variation3-win32.phpt,
      ext/standard/tests/file/tempnam_variation3.phpt,
      ext/standard/tests/general_functions/include_path.phpt.
    - CVE-2015-4598
  * SECURITY UPDATE: denial of service or information leak via type
    confusion with crafted serialized data
    - debian/patches/CVE-2015-4599.patch: use proper types in
      ext/soap/soap.c.
    - CVE-2015-4599
  * SECURITY UPDATE: denial of service or information leak via type
    confusion with crafted serialized data
    - debian/patches/CVE-2015-4602.patch: check for proper type in
      ext/standard/incomplete_class.c.
    - CVE-2015-4602
  * SECURITY UPDATE: denial of service or information leak via type
    confusion with crafted serialized data
    - debian/patches/CVE-2015-4603.patch: check type in
      Zend/zend_exceptions.c, add test to
      ext/standard/tests/serialize/bug69152.phpt.
    - CVE-2015-4603
  * SECURITY UPDATE: denial of service in Fileinfo with crafted file
    - debian/patches/CVE-2015-4604.patch: handle large offset in
      ext/fileinfo/libmagic/softmagic.c, add test to
      ext/fileinfo/tests/bug68819_001.phpt,
      ext/fileinfo/tests/bug68819_002.phpt.
    - CVE-2015-4604
    - CVE-2015-4605
  * SECURITY UPDATE: arbitrary code execution via ftp server long reply to
    a LIST command
    - debian/patches/CVE-2015-4643.patch: prevent overflow check bypass in
      ext/ftp/ftp.c.
    - CVE-2015-4643
  * SECURITY UPDATE: denial of service via php_pgsql_meta_data
    - debian/patches/CVE-2015-4644.patch: check return value in
      ext/pgsql/pgsql.c, add test to ext/pgsql/pg_insert_002.phpt.
    - CVE-2015-4644
  * debian/patches/CVE-2015-2783-memleak.patch: fix memory leak introduced
    by CVE-2015-2783 security update.

 -- Marc Deslauriers <email address hidden>  Thu, 02 Jul 2015 08:45:58 -0400
Published in trusty-updates on 2015-07-06
Published in trusty-security on 2015-07-06
php5 (5.5.9+dfsg-1ubuntu4.11) trusty-security; urgency=medium

  * SECURITY UPDATE: missing file path null byte checks
    - debian/patches/CVE-2015-3411.patch: add missing checks to
      ext/dom/document.c, ext/fileinfo/fileinfo.c, ext/gd/gd.c,
      ext/hash/hash.c, ext/pgsql/pgsql.c, ext/standard/link.c,
      ext/standard/streamsfuncs.c, ext/xmlwriter/php_xmlwriter.c,
      ext/zlib/zlib.c, add tests to
      ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt,
      ext/fileinfo/tests/finfo_file_basic.phpt,
      ext/hash/tests/hash_hmac_file_error.phpt
    - CVE-2015-3411
    - CVE-2015-3412
  * SECURITY UPDATE: denial of service via crafted tar archive
    - debian/patches/CVE-2015-4021.patch: handle empty strings in
      ext/phar/tar.c.
    - CVE-2015-4021
  * SECURITY UPDATE: arbitrary code execution via ftp server long reply to
    a LIST command
    - debian/patches/CVE-2015-4022.patch: fix overflow in ext/ftp/ftp.c.
    - CVE-2015-4022
  * SECURITY UPDATE: denial of service via crafted form data
    - debian/patches/CVE-2015-4024.patch: use smart_str to assemble strings
      in main/rfc1867.c.
    - CVE-2015-4024
  * SECURITY UPDATE: more missing file path null byte checks
    - debian/patches/CVE-2015-4025.patch: add missing checks to
      ext/pcntl/pcntl.c, ext/standard/basic_functions.c,
      ext/standard/dir.c, ext/standard/file.c.
    - CVE-2015-4025
    - CVE-2015-4026
  * SECURITY UPDATE: arbitrary code execution via crafted serialized data
    with unexpected data type
    - debian/patches/CVE-2015-4147.patch: check variable types in
      ext/soap/php_encoding.c, ext/soap/php_http.c, ext/soap/soap.c.
    - CVE-2015-4147
    - CVE-2015-4148
    - CVE-2015-4600
    - CVE-2015-4601
  * SECURITY UPDATE: more missing file path null byte checks
    - debian/patches/CVE-2015-4598.patch: add missing checks to
      ext/dom/document.c, ext/gd/gd.c, fix tests in
      ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt,
      ext/gd/tests/imageloadfont_error1.phpt,
      ext/zlib/tests/gzopen_variation1.phpt,
      ext/zlib/tests/readgzfile_variation1.phpt,
      ext/zlib/tests/readgzfile_variation6.phpt,
      ext/standard/tests/dir/dir_variation1.phpt,
      ext/standard/tests/dir/opendir_variation1.phpt,
      ext/standard/tests/file/mkdir_rmdir_variation2.phpt,
      ext/standard/tests/file/readlink_variation1.phpt,
      ext/standard/tests/file/tempnam_variation3-win32.phpt,
      ext/standard/tests/file/tempnam_variation3.phpt,
      ext/standard/tests/general_functions/include_path.phpt.
    - CVE-2015-4598
  * SECURITY UPDATE: denial of service or information leak via type
    confusion with crafted serialized data
    - debian/patches/CVE-2015-4599.patch: use proper types in
      ext/soap/soap.c.
    - CVE-2015-4599
  * SECURITY UPDATE: denial of service or information leak via type
    confusion with crafted serialized data
    - debian/patches/CVE-2015-4602.patch: check for proper type in
      ext/standard/incomplete_class.c.
    - CVE-2015-4602
  * SECURITY UPDATE: denial of service or information leak via type
    confusion with crafted serialized data
    - debian/patches/CVE-2015-4603.patch: check type in
      Zend/zend_exceptions.c, add test to
      ext/standard/tests/serialize/bug69152.phpt.
    - CVE-2015-4603
  * SECURITY UPDATE: arbitrary code execution via ftp server long reply to
    a LIST command
    - debian/patches/CVE-2015-4643.patch: prevent overflow check bypass in
      ext/ftp/ftp.c.
    - CVE-2015-4643
  * SECURITY UPDATE: denial of service via php_pgsql_meta_data
    - debian/patches/CVE-2015-4644.patch: check return value in
      ext/pgsql/pgsql.c, add test to ext/pgsql/pg_insert_002.phpt.
    - CVE-2015-4644
  * debian/patches/CVE-2015-2783-memleak.patch: fix memory leak introduced
    by CVE-2015-2783 security update.

 -- Marc Deslauriers <email address hidden>  Thu, 02 Jul 2015 08:53:30 -0400
Superseded in wily-release on 2015-07-15
Published in vivid-release on 2015-04-18
Deleted in vivid-proposed (Reason: moved to release)
php5 (5.6.4+dfsg-4ubuntu6) vivid; urgency=medium

  * SECURITY UPDATE: potential remote code execution vulnerability when
    used with the Apache 2.4 apache2handler
    - debian/patches/bug69218.patch: perform proper cleanup in
      sapi/apache2handler/sapi_apache2.c.
    - CVE number pending
  * SECURITY UPDATE: buffer overflow when parsing tar/zip/phar
    - debian/patches/bug69441.patch: check lengths in
      ext/phar/phar_internal.h.
    - CVE number pending
  * SECURITY UPDATE: buffer overflow in unserialize when parsing Phar
    - debian/patches/CVE-2015-2783.patch: properly check lengths in
      ext/phar/phar.c, ext/phar/phar_internal.h.
    - CVE-2015-2783
 -- Marc Deslauriers <email address hidden>   Fri, 17 Apr 2015 05:15:49 -0400
Published in lucid-updates on 2015-04-20
Published in lucid-security on 2015-04-20
php5 (5.3.2-1ubuntu4.30) lucid-security; urgency=medium

  * SECURITY UPDATE: potential remote code execution vulnerability when
    used with the Apache 2.4 apache2handler
    - debian/patches/bug69218.patch: perform proper cleanup in
      sapi/apache2handler/sapi_apache2.c.
    - CVE number pending
  * SECURITY UPDATE: buffer overflow when parsing tar/zip/phar
    - debian/patches/bug69441.patch: check lengths in
      ext/phar/phar_internal.h.
    - CVE number pending
  * SECURITY UPDATE: heap overflow in regexp library
    - debian/patches/CVE-2015-2305.patch: check for overflow in
      ext/ereg/regex/regcomp.c.
    - CVE-2015-2305
  * SECURITY UPDATE: buffer overflow in unserialize when parsing Phar
    - debian/patches/CVE-2015-2783.patch: properly check lengths in
      ext/phar/phar.c, ext/phar/phar_internal.h.
    - CVE-2015-2783
  * SECURITY UPDATE: arbitrary code exection via process_nested_data
    use-after-free
    - debian/patches/CVE-2015-2787.patch: fix logic in
      ext/standard/var_unserializer.*.
    - CVE-2015-2787
 -- Marc Deslauriers <email address hidden>   Fri, 17 Apr 2015 07:37:39 -0400
Superseded in precise-updates on 2015-07-06
Superseded in precise-security on 2015-07-06
php5 (5.3.10-1ubuntu3.18) precise-security; urgency=medium

  * SECURITY UPDATE: potential remote code execution vulnerability when
    used with the Apache 2.4 apache2handler
    - debian/patches/bug69218.patch: perform proper cleanup in
      sapi/apache2handler/sapi_apache2.c.
    - CVE number pending
  * SECURITY UPDATE: buffer overflow when parsing tar/zip/phar
    - debian/patches/bug69441.patch: check lengths in
      ext/phar/phar_internal.h.
    - CVE number pending
  * SECURITY UPDATE: heap overflow in regexp library
    - debian/patches/CVE-2015-2305.patch: check for overflow in
      ext/ereg/regex/regcomp.c.
    - CVE-2015-2305
  * SECURITY UPDATE: buffer overflow in unserialize when parsing Phar
    - debian/patches/CVE-2015-2783.patch: properly check lengths in
      ext/phar/phar.c, ext/phar/phar_internal.h.
    - CVE-2015-2783
  * SECURITY UPDATE: arbitrary code exection via process_nested_data
    use-after-free
    - debian/patches/CVE-2015-2787.patch: fix logic in
      ext/standard/var_unserializer.*.
    - CVE-2015-2787
 -- Marc Deslauriers <email address hidden>   Fri, 17 Apr 2015 06:25:37 -0400
Superseded in trusty-updates on 2015-07-06
Superseded in trusty-security on 2015-07-06
php5 (5.5.9+dfsg-1ubuntu4.9) trusty-security; urgency=medium

  * SECURITY UPDATE: potential remote code execution vulnerability when
    used with the Apache 2.4 apache2handler
    - debian/patches/bug69218.patch: perform proper cleanup in
      sapi/apache2handler/sapi_apache2.c.
    - CVE number pending
  * SECURITY UPDATE: buffer overflow when parsing tar/zip/phar
    - debian/patches/bug69441.patch: check lengths in
      ext/phar/phar_internal.h.
    - CVE number pending
  * SECURITY UPDATE: heap overflow in regexp library
    - debian/patches/CVE-2015-2305.patch: check for overflow in
      ext/ereg/regex/regcomp.c.
    - CVE-2015-2305
  * SECURITY UPDATE: move_uploaded_file filename restriction bypass
    - debian/patches/CVE-2015-2348.patch: handle nulls in
      ext/standard/basic_functions.c.
    - CVE-2015-2348
  * SECURITY UPDATE: buffer overflow in unserialize when parsing Phar
    - debian/patches/CVE-2015-2783.patch: properly check lengths in
      ext/phar/phar.c, ext/phar/phar_internal.h.
    - CVE-2015-2783
  * SECURITY UPDATE: arbitrary code exection via process_nested_data
    use-after-free
    - debian/patches/CVE-2015-2787.patch: fix logic in
      ext/standard/var_unserializer.*.
    - CVE-2015-2787
 -- Marc Deslauriers <email address hidden>   Fri, 17 Apr 2015 05:28:02 -0400
Superseded in utopic-updates on 2015-07-06
Superseded in utopic-security on 2015-07-06
php5 (5.5.12+dfsg-2ubuntu4.4) utopic-security; urgency=medium

  * SECURITY UPDATE: potential remote code execution vulnerability when
    used with the Apache 2.4 apache2handler
    - debian/patches/bug69218.patch: perform proper cleanup in
      sapi/apache2handler/sapi_apache2.c.
    - CVE number pending
  * SECURITY UPDATE: buffer overflow when parsing tar/zip/phar
    - debian/patches/bug69441.patch: check lengths in
      ext/phar/phar_internal.h.
    - CVE number pending
  * SECURITY UPDATE: heap overflow in regexp library
    - debian/patches/CVE-2015-2305.patch: check for overflow in
      ext/ereg/regex/regcomp.c.
    - CVE-2015-2305
  * SECURITY UPDATE: move_uploaded_file filename restriction bypass
    - debian/patches/CVE-2015-2348.patch: handle nulls in
      ext/standard/basic_functions.c.
    - CVE-2015-2348
  * SECURITY UPDATE: buffer overflow in unserialize when parsing Phar
    - debian/patches/CVE-2015-2783.patch: properly check lengths in
      ext/phar/phar.c, ext/phar/phar_internal.h.
    - CVE-2015-2783
  * SECURITY UPDATE: arbitrary code exection via process_nested_data
    use-after-free
    - debian/patches/CVE-2015-2787.patch: fix logic in
      ext/standard/var_unserializer.*.
    - CVE-2015-2787
 -- Marc Deslauriers <email address hidden>   Fri, 17 Apr 2015 05:24:45 -0400
Superseded in vivid-release on 2015-04-18
Deleted in vivid-proposed on 2015-04-19 (Reason: moved to release)
php5 (5.6.4+dfsg-4ubuntu5) vivid; urgency=medium

  * SECURITY UPDATE: move_uploaded_file filename restriction bypass
    - debian/patches/CVE-2015-2348.patch: handle nulls in
      ext/standard/basic_functions.c.
    - CVE-2015-2348
  * SECURITY UPDATE: arbitrary code exection via process_nested_data
    use-after-free
    - debian/patches/CVE-2015-2787.patch: fix logic in
      ext/standard/var_unserializer.*.
    - CVE-2015-2787
 -- Marc Deslauriers <email address hidden>   Thu, 02 Apr 2015 08:06:41 -0400
Deleted in trusty-proposed on 2015-04-24 (Reason: moved to -updates)
php5 (5.5.9+dfsg-1ubuntu4.8) trusty; urgency=medium

  * Fix php5-fpm logrotate since the upstart job has been introduced.
    (LP: #1230917)
    - Backport the /usr/lib/php5/php5-fpm-reopenlogs script from utopic.
    - Call the script in postrotate instead of invoke-rc.d php5-fpm reopen-logs.
      Upstart jobs don't support custom actions.
 -- Felix Geyer <email address hidden>   Tue, 31 Mar 2015 07:51:32 -0400
Superseded in vivid-release on 2015-04-03
Deleted in vivid-proposed on 2015-04-04 (Reason: moved to release)
php5 (5.6.4+dfsg-4ubuntu4) vivid; urgency=medium

  * SECURITY UPDATE: heap overflow in regexp library
    - debian/patches/CVE-2015-2305.patch: check for overflow in
      ext/ereg/regex/regcomp.c.
    - CVE-2015-2305
  * SECURITY UPDATE: integer overflow in zip module
    - debian/patches/CVE-2015-2331.patch: check for overflow in
      ext/zip/lib/zip_dirent.c.
    - CVE-2015-2331
 -- Marc Deslauriers <email address hidden>   Tue, 24 Mar 2015 15:12:32 -0400
Superseded in vivid-release on 2015-03-28
Deleted in vivid-proposed on 2015-03-30 (Reason: moved to release)
php5 (5.6.4+dfsg-4ubuntu3) vivid; urgency=medium

  * SECURITY UPDATE: denial of service or possible code execution in
    enchant
    - debian/patches/CVE-2014-9705.patch: handle position better in
      ext/enchant/enchant.c.
    - CVE-2014-9705
  * SECURITY UPDATE: arbitrary code execution via use after free in
    unserialize() with DateTimeZone and DateTime
    - debian/patches/CVE-2015-0273.patch: fix use after free in
      ext/date/php_date.c, added tests to ext/date/tests/bug68942.phpt,
      ext/date/tests/bug68942_2.phpt.
    - CVE-2015-0273
  * SECURITY UPDATE: denial of service or possible code execution in phar
    - debian/patches/CVE-2015-2301.patch: fix use after free in
      ext/phar/phar_object.c.
    - CVE-2015-2301
 -- Marc Deslauriers <email address hidden>   Mon, 16 Mar 2015 13:21:17 -0400
Superseded in precise-updates on 2015-04-20
Superseded in precise-security on 2015-04-20
php5 (5.3.10-1ubuntu3.17) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via recursion
    - debian/patches/CVE-2014-8117.patch: lower recursion limit in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-8117
  * SECURITY UPDATE: denial of service or possible code execution in
    enchant
    - debian/patches/CVE-2014-9705.patch: handle position better in
      ext/enchant/enchant.c.
    - CVE-2014-9705
  * SECURITY UPDATE: arbitrary code execution via use after free in
    unserialize() with DateTime
    - debian/patches/CVE-2015-0273.patch: fix use after free in
      ext/date/php_date.c, added test to ext/date/tests/*.phpt.
    - CVE-2015-0273
  * SECURITY UPDATE: denial of service or possible code execution in phar
    - debian/patches/CVE-2015-2301.patch: fix use after free in
      ext/phar/phar_object.c.
    - CVE-2015-2301
 -- Marc Deslauriers <email address hidden>   Mon, 16 Mar 2015 13:59:27 -0400
Superseded in lucid-updates on 2015-04-20
Superseded in lucid-security on 2015-04-20
php5 (5.3.2-1ubuntu4.29) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service via recursion
    - debian/patches/CVE-2014-8117.patch: lower recursion limit in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-8117
  * SECURITY UPDATE: denial of service or possible code execution in
    enchant
    - debian/patches/CVE-2014-9705.patch: handle position better in
      ext/enchant/enchant.c.
    - CVE-2014-9705
  * SECURITY UPDATE: arbitrary code execution via use after free in
    unserialize() with DateTime
    - debian/patches/CVE-2015-0273.patch: fix use after free in
      ext/date/php_date.c, added tests to ext/date/tests/*.phpt.
    - CVE-2015-0273
  * SECURITY UPDATE: denial of service or possible code execution in phar
    - debian/patches/CVE-2015-2301.patch: fix use after free in
      ext/phar/phar_object.c.
    - CVE-2015-2301
 -- Marc Deslauriers <email address hidden>   Mon, 16 Mar 2015 15:00:32 -0400
Superseded in trusty-updates on 2015-04-20
Superseded in trusty-security on 2015-04-20
php5 (5.5.9+dfsg-1ubuntu4.7) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via recursion
    - debian/patches/CVE-2014-8117.patch: lower recursion limit in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-8117
  * SECURITY UPDATE: denial of service or possible code execution in
    enchant
    - debian/patches/CVE-2014-9705.patch: handle position better in
      ext/enchant/enchant.c.
    - CVE-2014-9705
  * SECURITY UPDATE: arbitrary code execution via use after free in
    unserialize() with DateTimeZone and DateTime
    - debian/patches/CVE-2015-0273.patch: fix use after free in
      ext/date/php_date.c, added tests to ext/date/tests/bug68942.phpt,
      ext/date/tests/bug68942_2.phpt.
    - CVE-2015-0273
  * SECURITY UPDATE: denial of service or possible code execution in phar
    - debian/patches/CVE-2015-2301.patch: fix use after free in
      ext/phar/phar_object.c.
    - CVE-2015-2301
 -- Marc Deslauriers <email address hidden>   Mon, 16 Mar 2015 13:40:18 -0400
Superseded in utopic-updates on 2015-04-20
Superseded in utopic-security on 2015-04-20
php5 (5.5.12+dfsg-2ubuntu4.3) utopic-security; urgency=medium

  * SECURITY UPDATE: denial of service via recursion
    - debian/patches/CVE-2014-8117.patch: lower recursion limit in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-8117
  * SECURITY UPDATE: denial of service or possible code execution in
    enchant
    - debian/patches/CVE-2014-9705.patch: handle position better in
      ext/enchant/enchant.c.
    - CVE-2014-9705
  * SECURITY UPDATE: arbitrary code execution via use after free in
    unserialize() with DateTimeZone and DateTime
    - debian/patches/CVE-2015-0273.patch: fix use after free in
      ext/date/php_date.c, added tests to ext/date/tests/bug68942.phpt,
      ext/date/tests/bug68942_2.phpt.
    - CVE-2015-0273
  * SECURITY UPDATE: denial of service or possible code execution in phar
    - debian/patches/CVE-2015-2301.patch: fix use after free in
      ext/phar/phar_object.c.
    - CVE-2015-2301
 -- Marc Deslauriers <email address hidden>   Mon, 16 Mar 2015 13:31:32 -0400
Superseded in vivid-release on 2015-03-17
Deleted in vivid-proposed on 2015-03-19 (Reason: moved to release)
php5 (5.6.4+dfsg-4ubuntu2) vivid; urgency=medium

  * SECURITY UPDATE: out of bounds read via invalid php file
    - debian/patches/CVE-2014-9427.patch: fix bounds in
      sapi/cgi/cgi_main.c.
    - CVE-2014-9427
  * SECURITY UPDATE: out of bounds read in fileinfo
    - debian/patches/CVE-2014-9652.patch: properly check length in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-9652
  * SECURITY UPDATE: arbitrary code execution via improper handling of
    duplicate keys in unserializer, additional fix
    - debian/patches/CVE-2015-0231.patch: fix use after free in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/strings/bug68710.phpt.
    - CVE-2015-0231
  * SECURITY UPDATE: arbitrary code execution or denial of service via
    crafted EXIF data
    - debian/patches/CVE-2015-0232.patch: fix uninitialized pointer free in
      ext/exif/exif.c.
    - CVE-2015-0232
  * SECURITY UPDATE: use after free in opcache component
    - debian/patches/CVE-2015-1351.patch: fix use after free in
      ext/opcache/zend_shared_alloc.c.
    - CVE-2015-1351
  * SECURITY UPDATE: null pointer dereference in pgsql
    - debian/patches/CVE-2015-1352.patch: properly set valid token in
      ext/pgsql/pgsql.c.
    - CVE-2015-1352
  * debian/patches/remove_readelf.patch: remove readelf.c from fileinfo as
    it isn't used, and is a source of confusion when doing security
    updates.
 -- Marc Deslauriers <email address hidden>   Tue, 17 Feb 2015 15:47:51 -0500
Superseded in precise-updates on 2015-03-18
Superseded in precise-security on 2015-03-18
php5 (5.3.10-1ubuntu3.16) precise-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via improper handling of
    duplicate keys in unserializer
    - debian/patches/CVE-2014-8142.patch: fix use after free in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/serialize/bug68594.phpt.
    - CVE-2014-8142
  * SECURITY UPDATE: arbitrary code execution via improper handling of
    duplicate keys in unserializer, additional fix
    - debian/patches/CVE-2015-0231.patch: fix use after free in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/strings/bug68710.phpt.
    - CVE-2015-0231
  * debian/patches/remove_readelf.patch: remove readelf.c from fileinfo as
    it isn't used, and is a source of confusion when doing security
    updates.
  * debian/patches/CVE-2014-3710.patch: removed, wasn't needed.
 -- Marc Deslauriers <email address hidden>   Fri, 13 Feb 2015 11:53:39 -0500
Superseded in trusty-updates on 2015-03-18
Superseded in trusty-security on 2015-03-18
php5 (5.5.9+dfsg-1ubuntu4.6) trusty-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via improper handling of
    duplicate keys in unserializer
    - debian/patches/CVE-2014-8142.patch: fix use after free in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/serialize/bug68594.phpt.
    - CVE-2014-8142
  * SECURITY UPDATE: out of bounds read via invalid php file
    - debian/patches/CVE-2014-9427.patch: fix bounds in
      sapi/cgi/cgi_main.c.
    - CVE-2014-9427
  * SECURITY UPDATE: out of bounds read in fileinfo
    - debian/patches/CVE-2014-9652.patch: properly check length in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-9652
  * SECURITY UPDATE: arbitrary code execution via improper handling of
    duplicate keys in unserializer, additional fix
    - debian/patches/CVE-2015-0231.patch: fix use after free in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/strings/bug68710.phpt.
    - CVE-2015-0231
  * SECURITY UPDATE: arbitrary code execution or denial of service via
    crafted EXIF data
    - debian/patches/CVE-2015-0232.patch: fix uninitialized pointer free in
      ext/exif/exif.c.
    - CVE-2015-0232
  * SECURITY UPDATE: use after free in opcache component
    - debian/patches/CVE-2015-1351.patch: fix use after free in
      ext/opcache/zend_shared_alloc.c.
    - CVE-2015-1351
  * SECURITY UPDATE: null pointer dereference in pgsql
    - debian/patches/CVE-2015-1352.patch: properly set valid token in
      ext/pgsql/pgsql.c.
    - CVE-2015-1352
  * debian/patches/remove_readelf.patch: remove readelf.c from fileinfo as
    it isn't used, and is a source of confusion when doing security
    updates.
  * debian/patches/CVE-2014-3710.patch: removed, wasn't needed.
 -- Marc Deslauriers <email address hidden>   Fri, 13 Feb 2015 11:15:38 -0500
Superseded in utopic-updates on 2015-03-18
Superseded in utopic-security on 2015-03-18
php5 (5.5.12+dfsg-2ubuntu4.2) utopic-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via improper handling of
    duplicate keys in unserializer
    - debian/patches/CVE-2014-8142.patch: fix use after free in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/serialize/bug68594.phpt.
    - CVE-2014-8142
  * SECURITY UPDATE: out of bounds read via invalid php file
    - debian/patches/CVE-2014-9427.patch: fix bounds in
      sapi/cgi/cgi_main.c.
    - CVE-2014-9427
  * SECURITY UPDATE: out of bounds read in fileinfo
    - debian/patches/CVE-2014-9652.patch: properly check length in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-9652
  * SECURITY UPDATE: arbitrary code execution via improper handling of
    duplicate keys in unserializer, additional fix
    - debian/patches/CVE-2015-0231.patch: fix use after free in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/strings/bug68710.phpt.
    - CVE-2015-0231
  * SECURITY UPDATE: arbitrary code execution or denial of service via
    crafted EXIF data
    - debian/patches/CVE-2015-0232.patch: fix uninitialized pointer free in
      ext/exif/exif.c.
    - CVE-2015-0232
  * SECURITY UPDATE: use after free in opcache component
    - debian/patches/CVE-2015-1351.patch: fix use after free in
      ext/opcache/zend_shared_alloc.c.
    - CVE-2015-1351
  * SECURITY UPDATE: null pointer dereference in pgsql
    - debian/patches/CVE-2015-1352.patch: properly set valid token in
      ext/pgsql/pgsql.c.
    - CVE-2015-1352
  * debian/patches/remove_readelf.patch: remove readelf.c from fileinfo as
    it isn't used, and is a source of confusion when doing security
    updates.
  * debian/patches/CVE-2014-3710.patch: removed, wasn't needed.
 -- Marc Deslauriers <email address hidden>   Fri, 13 Feb 2015 08:10:41 -0500
Superseded in vivid-release on 2015-03-04
Deleted in vivid-proposed on 2015-03-05 (Reason: moved to release)
php5 (5.6.4+dfsg-4ubuntu1) vivid; urgency=medium

  * Merge from Debian testing (LP: #1411811). Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm, onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt
      since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
  * Drop changes:
    - Reported fixed in upstream release of 5.6.0: quilt patches for
      CVE-2014-0237, CVE-2014-0238, CVE-2014-4049, CVE-2014-0207,
      CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487,
      CVE-2014-3515, CVE-2014-4670, CVE-2014-4698, CVE-2014-4721,
      CVE-2014-3587 and CVE-2014-3597, and d/p/fix_systemd_ftbfs.patch.
    - Reported fixed in upstream release of 5.6.2: quilt patches for
      CVE-2014-3668, CVE-2014-3669 and CVE-2014-3670, and
      d/p/curl_embedded_null.patch.
    - Reported fixed in upstream release of 5.6.3: quilt patch for
      CVE-2014-3710.
    - Applied in Debian:
      + d/rules: stop mysql instance on clean just in case we failed in
        tests.
      + d/tests/{cgi,cli,mod-php}: dep8 tests for common use cases.
      + d/rules: export DEB_HOST_MULTIARCH properly.
      + d/rules: load dpkg-buildflags earlier, so that CFLAGS changes are not
        overridden.
 -- Robie Basak <email address hidden>   Tue, 27 Jan 2015 12:09:42 +0000
Superseded in vivid-release on 2015-02-02
Deleted in vivid-proposed on 2015-02-03 (Reason: moved to release)
php5 (5.5.12+dfsg-2ubuntu5) vivid; urgency=medium

  * SECURITY UPDATE: denial of service via buffer overflow in mkgmtime()
    - debian/patches/CVE-2014-3668.patch: properly handle sizes in
      ext/xmlrpc/libxmlrpc/xmlrpc.c, added test to
      ext/xmlrpc/tests/bug68027.phpt.
    - CVE-2014-3668
  * SECURITY UPDATE: integer overflow in unserialize()
    - debian/patches/CVE-2014-3669.patch: fix overflow in
      ext/standard/var_unserializer.{c,re}, added test to
      ext/standard/tests/serialize/bug68044.phpt.
    - CVE-2014-3669
  * SECURITY UPDATE: Heap corruption in exif_thumbnail()
    - debian/patches/CVE-2014-3670.patch: fix sizes in ext/exif/exif.c.
    - CVE-2014-3670
  * SECURITY UPDATE: out of bounds read in elf note headers in fileinfo()
    - debian/patches/CVE-2014-3710.patch: validate note headers in
      ext/fileinfo/libmagic/readelf.c.
    - CVE-2014-3710
  * SECURITY UPDATE: local file disclosure via curl NULL byte injection
    - debian/patches/curl_embedded_null.patch: don't accept curl options
      with embedded NULLs in ext/curl/interface.c, added test to
      ext/curl/tests/bug68089.phpt.
    - No CVE number
  * Fix FTBFS with systemd version in vivid
    - debian/patches/fix_systemd_ftbfs.patch: improve detection logic in
      sapi/fpm/config.m4.
 -- Marc Deslauriers <email address hidden>   Wed, 29 Oct 2014 11:56:11 -0400
Superseded in precise-updates on 2015-02-17
Superseded in precise-security on 2015-02-17
php5 (5.3.10-1ubuntu3.15) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via buffer overflow in mkgmtime()
    - debian/patches/CVE-2014-3668.patch: properly handle sizes in
      ext/xmlrpc/libxmlrpc/xmlrpc.c, added test to
      ext/xmlrpc/tests/bug68027.phpt.
    - CVE-2014-3668
  * SECURITY UPDATE: integer overflow in unserialize()
    - debian/patches/CVE-2014-3669.patch: fix overflow in
      ext/standard/var_unserializer.{c,re}, added test to
      ext/standard/tests/serialize/bug68044.phpt.
    - CVE-2014-3669
  * SECURITY UPDATE: Heap corruption in exif_thumbnail()
    - debian/patches/CVE-2014-3670.patch: fix sizes in ext/exif/exif.c.
    - CVE-2014-3670
  * SECURITY UPDATE: out of bounds read in elf note headers in fileinfo()
    - debian/patches/CVE-2014-3710.patch: validate note headers in
      ext/fileinfo/libmagic/readelf.c.
    - CVE-2014-3710
  * SECURITY UPDATE: local file disclosure via curl NULL byte injection
    - debian/patches/curl_embedded_null.patch: don't accept curl options
      with embedded NULLs in ext/curl/interface.c, added test to
      ext/curl/tests/bug68089.phpt.
    - No CVE number
 -- Marc Deslauriers <email address hidden>   Tue, 28 Oct 2014 15:06:12 -0400
Superseded in trusty-updates on 2015-02-17
Superseded in trusty-security on 2015-02-17
php5 (5.5.9+dfsg-1ubuntu4.5) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via buffer overflow in mkgmtime()
    - debian/patches/CVE-2014-3668.patch: properly handle sizes in
      ext/xmlrpc/libxmlrpc/xmlrpc.c, added test to
      ext/xmlrpc/tests/bug68027.phpt.
    - CVE-2014-3668
  * SECURITY UPDATE: integer overflow in unserialize()
    - debian/patches/CVE-2014-3669.patch: fix overflow in
      ext/standard/var_unserializer.{c,re}, added test to
      ext/standard/tests/serialize/bug68044.phpt.
    - CVE-2014-3669
  * SECURITY UPDATE: Heap corruption in exif_thumbnail()
    - debian/patches/CVE-2014-3670.patch: fix sizes in ext/exif/exif.c.
    - CVE-2014-3670
  * SECURITY UPDATE: out of bounds read in elf note headers in fileinfo()
    - debian/patches/CVE-2014-3710.patch: validate note headers in
      ext/fileinfo/libmagic/readelf.c.
    - CVE-2014-3710
  * SECURITY UPDATE: local file disclosure via curl NULL byte injection
    - debian/patches/curl_embedded_null.patch: don't accept curl options
      with embedded NULLs in ext/curl/interface.c, added test to
      ext/curl/tests/bug68089.phpt.
    - No CVE number
 -- Marc Deslauriers <email address hidden>   Tue, 28 Oct 2014 14:52:03 -0400
Superseded in utopic-updates on 2015-02-17
Superseded in utopic-security on 2015-02-17
php5 (5.5.12+dfsg-2ubuntu4.1) utopic-security; urgency=medium

  * SECURITY UPDATE: denial of service via buffer overflow in mkgmtime()
    - debian/patches/CVE-2014-3668.patch: properly handle sizes in
      ext/xmlrpc/libxmlrpc/xmlrpc.c, added test to
      ext/xmlrpc/tests/bug68027.phpt.
    - CVE-2014-3668
  * SECURITY UPDATE: integer overflow in unserialize()
    - debian/patches/CVE-2014-3669.patch: fix overflow in
      ext/standard/var_unserializer.{c,re}, added test to
      ext/standard/tests/serialize/bug68044.phpt.
    - CVE-2014-3669
  * SECURITY UPDATE: Heap corruption in exif_thumbnail()
    - debian/patches/CVE-2014-3670.patch: fix sizes in ext/exif/exif.c.
    - CVE-2014-3670
  * SECURITY UPDATE: out of bounds read in elf note headers in fileinfo()
    - debian/patches/CVE-2014-3710.patch: validate note headers in
      ext/fileinfo/libmagic/readelf.c.
    - CVE-2014-3710
  * SECURITY UPDATE: local file disclosure via curl NULL byte injection
    - debian/patches/curl_embedded_null.patch: don't accept curl options
      with embedded NULLs in ext/curl/interface.c, added test to
      ext/curl/tests/bug68089.phpt.
    - No CVE number
 -- Marc Deslauriers <email address hidden>   Tue, 28 Oct 2014 14:41:37 -0400
Superseded in lucid-updates on 2015-03-18
Superseded in lucid-security on 2015-03-18
php5 (5.3.2-1ubuntu4.28) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service via buffer overflow in mkgmtime()
    - debian/patches/CVE-2014-3668.patch: properly handle sizes in
      ext/xmlrpc/libxmlrpc/xmlrpc.c, added test to
      ext/xmlrpc/tests/bug68027.phpt.
    - CVE-2014-3668
  * SECURITY UPDATE: integer overflow in unserialize()
    - debian/patches/CVE-2014-3669.patch: fix overflow in
      ext/standard/var_unserializer.{c,re}, added test to
      ext/standard/tests/serialize/bug68044.phpt.
    - CVE-2014-3669
  * SECURITY UPDATE: Heap corruption in exif_thumbnail()
    - debian/patches/CVE-2014-3670.patch: fix sizes in ext/exif/exif.c.
    - CVE-2014-3670
  * SECURITY UPDATE: out of bounds read in elf note headers in fileinfo()
    - debian/patches/CVE-2014-3710.patch: validate note headers in
      ext/fileinfo/libmagic/readelf.c.
    - CVE-2014-3710
  * SECURITY UPDATE: local file disclosure via curl NULL byte injection
    - debian/patches/curl_embedded_null.patch: don't accept curl options
      with embedded NULLs in ext/curl/interface.c, added test to
      ext/curl/tests/bug68089.phpt.
    - No CVE number
 -- Marc Deslauriers <email address hidden>   Tue, 28 Oct 2014 15:17:04 -0400
Superseded in vivid-release on 2014-11-03
Published in utopic-release on 2014-09-22
Deleted in utopic-proposed (Reason: moved to release)
php5 (5.5.12+dfsg-2ubuntu4) utopic; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3587.patch: check for array under-runs as well
      as over-runs in ext/fileinfo/libmagic/cdf.c
    - CVE-2014-3587
  * SECURITY UPDATE: denial of service in dns_get_record
    - debian/patches/CVE-2014-3597.patch: check for DNS overflows in
      ext/standard/dns.c
    - CVE-2014-3587
 -- Seth Arnold <email address hidden>   Wed, 03 Sep 2014 23:27:47 -0700
Superseded in lucid-updates on 2014-10-30
Superseded in lucid-security on 2014-10-30
php5 (5.3.2-1ubuntu4.27) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3587.patch: check for array under-runs as well
      as over-runs in ext/fileinfo/libmagic/cdf.c
    - CVE-2014-3587
  * SECURITY UPDATE: denial of service in dns_get_record
    - debian/patches/CVE-2014-3597.patch: check for DNS overflows in
      ext/standard/dns.c
    - CVE-2014-3587
 -- Seth Arnold <email address hidden>   Wed, 03 Sep 2014 23:27:31 -0700
Superseded in precise-updates on 2014-10-30
Superseded in precise-security on 2014-10-30
php5 (5.3.10-1ubuntu3.14) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3587.patch: check for array under-runs as well
      as over-runs in ext/fileinfo/libmagic/cdf.c
    - CVE-2014-3587
  * SECURITY UPDATE: denial of service in dns_get_record
    - debian/patches/CVE-2014-3597.patch: check for DNS overflows in
      ext/standard/dns.c
    - CVE-2014-3587
 -- Seth Arnold <email address hidden>   Wed, 03 Sep 2014 23:27:39 -0700
Superseded in trusty-updates on 2014-10-30
Superseded in trusty-security on 2014-10-30
php5 (5.5.9+dfsg-1ubuntu4.4) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3587.patch: check for array under-runs as well
      as over-runs in ext/fileinfo/libmagic/cdf.c
    - CVE-2014-3587
  * SECURITY UPDATE: denial of service in dns_get_record
    - debian/patches/CVE-2014-3597.patch: check for DNS overflows in
      ext/standard/dns.c
    - CVE-2014-3587
 -- Seth Arnold <email address hidden>   Wed, 03 Sep 2014 23:33:06 -0700
Superseded in utopic-release on 2014-09-22
Deleted in utopic-proposed on 2014-09-23 (Reason: moved to release)
php5 (5.5.12+dfsg-2ubuntu3) utopic; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector
    - debian/patches/CVE-2014-0207.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0207
  * SECURITY UPDATE: denial of service in FileInfo mconvert
    - debian/patches/CVE-2014-3478.patch: properly handle truncated pascal
      string size in ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-3478
  * SECURITY UPDATE: denial of service in FileInfo cdf_check_stream_offset
    - debian/patches/CVE-2014-3479.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3479
  * SECURITY UPDATE: denial of service in FileInfo cdf_count_chain
    - debian/patches/CVE-2014-3480.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3480
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3487.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3487
  * SECURITY UPDATE: denial of service and possible code execution via
    unserialize() SPL type confusion
    - debian/patches/CVE-2014-3515.patch: properly check types in
      ext/spl/spl_array.c, ext/spl/spl_observer.c, added test to
      ext/spl/tests/SplObjectStorage_unserialize_bad.phpt.
    - CVE-2014-3515
  * SECURITY UPDATE: denial of service via SPL Iterators use-after-free
    - debian/patches/CVE-2014-4670.patch: fix use-after-free in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug67538.phpt.
    - CVE-2014-4670
  * SECURITY UPDATE: denial of service via ArrayIterator use-after-free
    - debian/patches/CVE-2014-4698.patch: don't allow modifying ArrayObject
      during sorting in ext/spl/spl_array.c, added test to
      ext/spl/tests/bug67539.phpt.
    - CVE-2014-4698
  * SECURITY UPDATE: information leak via phpinfo (LP: #1338170)
    - debian/patches/CVE-2014-4721.patch: fix type confusion in
      ext/standard/info.c, added test to
      ext/standard/tests/general_functions/bug67498.phpt.
    - CVE-2014-4721
 -- Marc Deslauriers <email address hidden>   Wed, 09 Jul 2014 13:00:04 -0400
Superseded in lucid-updates on 2014-09-10
Superseded in lucid-security on 2014-09-09
php5 (5.3.2-1ubuntu4.26) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector
    - debian/patches/CVE-2014-0207.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0207
  * SECURITY UPDATE: denial of service in FileInfo cdf_count_chain
    - debian/patches/CVE-2014-3480.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3480
  * SECURITY UPDATE: denial of service and possible code execution via
    unserialize() SPL type confusion
    - debian/patches/CVE-2014-3515.patch: properly check types in
      ext/spl/spl_array.c, ext/spl/spl_observer.c, added test to
      ext/spl/tests/SplObjectStorage_unserialize_bad.phpt.
    - CVE-2014-3515
  * SECURITY UPDATE: denial of service via SPL Iterators use-after-free
    - debian/patches/CVE-2014-4670.patch: fix use-after-free in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug67538.phpt.
    - CVE-2014-4670
  * SECURITY UPDATE: denial of service via ArrayIterator use-after-free
    - debian/patches/CVE-2014-4698.patch: don't allow modifying ArrayObject
      during sorting in ext/spl/spl_array.c, added test to
      ext/spl/tests/bug67539.phpt.
    - CVE-2014-4698
  * SECURITY UPDATE: information leak via phpinfo (LP: #1338170)
    - debian/patches/CVE-2014-4721.patch: fix type confusion in
      ext/standard/info.c, added test to
      ext/standard/tests/general_functions/bug67498.phpt.
    - CVE-2014-4721
 -- Marc Deslauriers <email address hidden>   Tue, 08 Jul 2014 21:22:42 -0400
Superseded in precise-updates on 2014-09-10
Superseded in precise-security on 2014-09-09
php5 (5.3.10-1ubuntu3.13) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector
    - debian/patches/CVE-2014-0207.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0207
  * SECURITY UPDATE: denial of service in FileInfo cdf_count_chain
    - debian/patches/CVE-2014-3480.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3480
  * SECURITY UPDATE: denial of service and possible code execution via
    unserialize() SPL type confusion
    - debian/patches/CVE-2014-3515.patch: properly check types in
      ext/spl/spl_array.c, ext/spl/spl_observer.c, added test to
      ext/spl/tests/SplObjectStorage_unserialize_bad.phpt.
    - CVE-2014-3515
  * SECURITY UPDATE: denial of service via SPL Iterators use-after-free
    - debian/patches/CVE-2014-4670.patch: fix use-after-free in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug67538.phpt.
    - CVE-2014-4670
  * SECURITY UPDATE: denial of service via ArrayIterator use-after-free
    - debian/patches/CVE-2014-4698.patch: don't allow modifying ArrayObject
      during sorting in ext/spl/spl_array.c, added test to
      ext/spl/tests/bug67539.phpt.
    - CVE-2014-4698
  * SECURITY UPDATE: information leak via phpinfo (LP: #1338170)
    - debian/patches/CVE-2014-4721.patch: fix type confusion in
      ext/standard/info.c, added test to
      ext/standard/tests/general_functions/bug67498.phpt.
    - CVE-2014-4721
 -- Marc Deslauriers <email address hidden>   Mon, 07 Jul 2014 08:41:06 -0400
Obsolete in saucy-updates on 2015-04-24
Obsolete in saucy-security on 2015-04-24
php5 (5.5.3+dfsg-1ubuntu2.6) saucy-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector
    - debian/patches/CVE-2014-0207.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0207
  * SECURITY UPDATE: denial of service in FileInfo mconvert
    - debian/patches/CVE-2014-3478.patch: properly handle truncated pascal
      string size in ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-3478
  * SECURITY UPDATE: denial of service in FileInfo cdf_check_stream_offset
    - debian/patches/CVE-2014-3479.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3479
  * SECURITY UPDATE: denial of service in FileInfo cdf_count_chain
    - debian/patches/CVE-2014-3480.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3480
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3487.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3487
  * SECURITY UPDATE: denial of service and possible code execution via
    unserialize() SPL type confusion
    - debian/patches/CVE-2014-3515.patch: properly check types in
      ext/spl/spl_array.c, ext/spl/spl_observer.c, added test to
      ext/spl/tests/SplObjectStorage_unserialize_bad.phpt.
    - CVE-2014-3515
  * SECURITY UPDATE: denial of service via SPL Iterators use-after-free
    - debian/patches/CVE-2014-4670.patch: fix use-after-free in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug67538.phpt.
    - CVE-2014-4670
  * SECURITY UPDATE: denial of service via ArrayIterator use-after-free
    - debian/patches/CVE-2014-4698.patch: don't allow modifying ArrayObject
      during sorting in ext/spl/spl_array.c, added test to
      ext/spl/tests/bug67539.phpt.
    - CVE-2014-4698
  * SECURITY UPDATE: information leak via phpinfo (LP: #1338170)
    - debian/patches/CVE-2014-4721.patch: fix type confusion in
      ext/standard/info.c, added test to
      ext/standard/tests/general_functions/bug67498.phpt.
    - CVE-2014-4721
 -- Marc Deslauriers <email address hidden>   Mon, 07 Jul 2014 07:46:31 -0400
Superseded in trusty-updates on 2014-09-10
Superseded in trusty-security on 2014-09-09
php5 (5.5.9+dfsg-1ubuntu4.3) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector
    - debian/patches/CVE-2014-0207.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0207
  * SECURITY UPDATE: denial of service in FileInfo mconvert
    - debian/patches/CVE-2014-3478.patch: properly handle truncated pascal
      string size in ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-3478
  * SECURITY UPDATE: denial of service in FileInfo cdf_check_stream_offset
    - debian/patches/CVE-2014-3479.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3479
  * SECURITY UPDATE: denial of service in FileInfo cdf_count_chain
    - debian/patches/CVE-2014-3480.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3480
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3487.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3487
  * SECURITY UPDATE: denial of service and possible code execution via
    unserialize() SPL type confusion
    - debian/patches/CVE-2014-3515.patch: properly check types in
      ext/spl/spl_array.c, ext/spl/spl_observer.c, added test to
      ext/spl/tests/SplObjectStorage_unserialize_bad.phpt.
    - CVE-2014-3515
  * SECURITY UPDATE: denial of service via SPL Iterators use-after-free
    - debian/patches/CVE-2014-4670.patch: fix use-after-free in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug67538.phpt.
    - CVE-2014-4670
  * SECURITY UPDATE: denial of service via ArrayIterator use-after-free
    - debian/patches/CVE-2014-4698.patch: don't allow modifying ArrayObject
      during sorting in ext/spl/spl_array.c, added test to
      ext/spl/tests/bug67539.phpt.
    - CVE-2014-4698
  * SECURITY UPDATE: information leak via phpinfo (LP: #1338170)
    - debian/patches/CVE-2014-4721.patch: fix type confusion in
      ext/standard/info.c, added test to
      ext/standard/tests/general_functions/bug67498.phpt.
    - CVE-2014-4721
 -- Marc Deslauriers <email address hidden>   Mon, 07 Jul 2014 07:44:21 -0400
Superseded in trusty-updates on 2014-07-09
Superseded in trusty-security on 2014-07-09
php5 (5.5.9+dfsg-1ubuntu4.2) trusty-security; urgency=medium

  * SECURITY UPDATE: better FastCGI socket permissions (LP: #1334337)
    - debian/rules: enable listen.owner and listen.group so that the socket
      is accessible to www-data by default. This allows most setups to
      continue working with the more restrictive permissions.
 -- Marc Deslauriers <email address hidden>   Wed, 25 Jun 2014 11:46:16 -0400
Superseded in saucy-updates on 2014-07-09
Superseded in saucy-security on 2014-07-09
php5 (5.5.3+dfsg-1ubuntu2.5) saucy-security; urgency=medium

  * SECURITY UPDATE: better FastCGI socket permissions (LP: #1334337)
    - debian/rules: enable listen.owner and listen.group so that the socket
      is accessible to www-data by default. This allows most setups to
      continue working with the more restrictive permissions.
 -- Marc Deslauriers <email address hidden>   Wed, 25 Jun 2014 11:52:07 -0400
Superseded in utopic-release on 2014-07-09
Deleted in utopic-proposed on 2014-07-11 (Reason: moved to release)
php5 (5.5.12+dfsg-2ubuntu2) utopic; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
    - debian/patches/CVE-2014-0237.patch: remove file_printf calls in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0237
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-0238.patch: fix infinite loop in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0238
  * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
    parsing
    - debian/patches/CVE-2014-4049.patch: check length in
      ext/standard/dns.c.
    - CVE-2014-4049
 -- Marc Deslauriers <email address hidden>   Thu, 19 Jun 2014 13:21:19 -0400
Superseded in lucid-updates on 2014-07-09
Superseded in lucid-security on 2014-07-09
php5 (5.3.2-1ubuntu4.25) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
    - debian/patches/CVE-2014-0237.patch: remove file_printf calls in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0237
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-0238.patch: fix infinite loop in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0238
  * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
    parsing
    - debian/patches/CVE-2014-4049.patch: check length in
      ext/standard/dns.c.
    - CVE-2014-4049
 -- Marc Deslauriers <email address hidden>   Thu, 19 Jun 2014 13:48:46 -0400
Superseded in precise-updates on 2014-07-09
Superseded in precise-security on 2014-07-09
php5 (5.3.10-1ubuntu3.12) precise-security; urgency=medium

  * SECURITY UPDATE: incorrect FastCGI socket permissions (LP: #1307027)
    - debian/patches/CVE-2014-0185.patch: default to 0660 in
      sapi/fpm/fpm/fpm_unix.c, sapi/fpm/php-fpm.conf.in.
    - CVE-2014-0185
  * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
    - debian/patches/CVE-2014-0237.patch: remove file_printf calls in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0237
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-0238.patch: fix infinite loop in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0238
  * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
    parsing
    - debian/patches/CVE-2014-4049.patch: check length in
      ext/standard/dns.c.
    - CVE-2014-4049
 -- Marc Deslauriers <email address hidden>   Thu, 19 Jun 2014 13:44:17 -0400
Superseded in trusty-updates on 2014-06-25
Superseded in trusty-security on 2014-06-25
php5 (5.5.9+dfsg-1ubuntu4.1) trusty-security; urgency=medium

  * SECURITY UPDATE: incorrect FastCGI socket permissions (LP: #1307027)
    - debian/patches/CVE-2014-0185.patch: default to 0660 in
      sapi/fpm/fpm/fpm_unix.c, sapi/fpm/php-fpm.conf.in.
    - CVE-2014-0185
  * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
    - debian/patches/CVE-2014-0237.patch: remove file_printf calls in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0237
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-0238.patch: fix infinite loop in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0238
  * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
    parsing
    - debian/patches/CVE-2014-4049.patch: check length in
      ext/standard/dns.c.
    - CVE-2014-4049
 -- Marc Deslauriers <email address hidden>   Thu, 19 Jun 2014 13:30:13 -0400
Superseded in saucy-updates on 2014-06-25
Superseded in saucy-security on 2014-06-25
php5 (5.5.3+dfsg-1ubuntu2.4) saucy-security; urgency=medium

  * SECURITY UPDATE: incorrect FastCGI socket permissions (LP: #1307027)
    - debian/patches/CVE-2014-0185.patch: default to 0660 in
      sapi/fpm/fpm/fpm_unix.c, sapi/fpm/php-fpm.conf.in.
    - CVE-2014-0185
  * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
    - debian/patches/CVE-2014-0237.patch: remove file_printf calls in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0237
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-0238.patch: fix infinite loop in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0238
  * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
    parsing
    - debian/patches/CVE-2014-4049.patch: check length in
      ext/standard/dns.c.
    - CVE-2014-4049
 -- Marc Deslauriers <email address hidden>   Thu, 19 Jun 2014 13:33:33 -0400
Superseded in utopic-release on 2014-06-20
Deleted in utopic-proposed on 2014-06-21 (Reason: moved to release)
php5 (5.5.12+dfsg-2ubuntu1) utopic; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm, onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt
      since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - debian/rules: re-enable tests
    - d/tests/{cgi,cli,mod-php}: dep8 tests for common use cases.
    - d/rules: load dpkg-buildflags earlier, so that CFLAGS changes are not
      overridden.
  * Drop changes (upstreamed / in-Debian):
    - CVE-2014-2270, CVE-2013-1943, imageconvolution-regression.patch:
      included in this merge
  * Drop changes (no longer needed):
    - d/rules, d/control: re-add use of dh_systemd as it is in main now.
    - php5-fpm.upstart: re-add "reload signal USR2" stanza, LTS was
      released.

Superseded in utopic-release on 2014-05-21
Published in trusty-release on 2014-04-09
Deleted in trusty-proposed (Reason: moved to release)
php5 (5.5.9+dfsg-1ubuntu4) trusty; urgency=medium

  * Comment out "reload signal USR2" stanza from php5-fpm to make the job
    compatible with Precise upstart, when it's still running as pid1
    during upgrade to trusty and before the restart. We'd rather support
    shorter down-time then reload interface. (LP: #1272788)
 -- Dimitri John Ledkov <email address hidden>   Wed, 09 Apr 2014 16:23:30 +0100
Superseded in lucid-updates on 2014-06-23
Superseded in lucid-security on 2014-06-23
php5 (5.3.2-1ubuntu4.24) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
    PE executable
    - debian/patches/CVE-2014-2270.patch: check bounds in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-2270
 -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:23:04 -0400
Superseded in trusty-release on 2014-04-09
Deleted in trusty-proposed on 2014-04-11 (Reason: moved to release)
php5 (5.5.9+dfsg-1ubuntu3) trusty; urgency=medium

  * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
    PE executable
    - debian/patches/CVE-2014-2270.patch: check bounds in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-2270
 -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:12:10 -0400
Obsolete in quantal-updates on 2015-04-24
Obsolete in quantal-security on 2015-04-24
php5 (5.4.6-1ubuntu1.8) quantal-security; urgency=medium

  * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
    PE executable
    - debian/patches/CVE-2014-2270.patch: check bounds in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-2270
 -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:18:45 -0400
Superseded in saucy-updates on 2014-06-23
Superseded in saucy-security on 2014-06-23
php5 (5.5.3+dfsg-1ubuntu2.3) saucy-security; urgency=medium

  * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
    PE executable
    - debian/patches/CVE-2014-2270.patch: check bounds in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-2270
 -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:14:26 -0400
Superseded in precise-updates on 2014-06-23
Superseded in precise-security on 2014-06-23
php5 (5.3.10-1ubuntu3.11) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
    PE executable
    - debian/patches/CVE-2014-2270.patch: check bounds in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-2270
 -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:21:27 -0400
Superseded in trusty-release on 2014-04-04
Deleted in trusty-proposed on 2014-04-05 (Reason: moved to release)
php5 (5.5.9+dfsg-1ubuntu2) trusty; urgency=medium

  * SECURITY UPDATE: denial of service via crafted indirect offset value
    in fileinfo
    - debian/patches/CVE-2013-1943.patch: properly handle recursion in
      ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added
      test to ext/fileinfo/tests/cve-2014-1943.phpt.
    - CVE-2013-1943
  * debian/patches/imageconvolution-regression.patch: fix regression in
    imageconvolution caused by security fix in 5.5.9.
 -- Marc Deslauriers <email address hidden>   Mon, 03 Mar 2014 13:42:25 -0500
Superseded in lucid-updates on 2014-04-07
Superseded in lucid-security on 2014-04-07
php5 (5.3.2-1ubuntu4.23) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service via crafted indirect offset value
    in fileinfo
    - debian/patches/CVE-2013-1943.patch: properly handle recursion in
      ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added
      test to ext/fileinfo/tests/cve-2014-1943.phpt.
    - CVE-2013-1943
 -- Marc Deslauriers <email address hidden>   Fri, 28 Feb 2014 17:40:15 -0500
Superseded in precise-updates on 2014-04-07
Superseded in precise-security on 2014-04-07
php5 (5.3.10-1ubuntu3.10) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via crafted indirect offset value
    in fileinfo
    - debian/patches/CVE-2013-1943.patch: properly handle recursion in
      ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added
      test to ext/fileinfo/tests/cve-2014-1943.phpt.
    - CVE-2013-1943
 -- Marc Deslauriers <email address hidden>   Fri, 28 Feb 2014 14:55:00 -0500
Superseded in quantal-updates on 2014-04-07
Superseded in quantal-security on 2014-04-07
php5 (5.4.6-1ubuntu1.7) quantal-security; urgency=medium

  * SECURITY UPDATE: denial of service via crafted indirect offset value
    in fileinfo
    - debian/patches/CVE-2013-1943.patch: properly handle recursion in
      ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added
      test to ext/fileinfo/tests/cve-2014-1943.phpt.
    - CVE-2013-1943
  * This package does _not_ contain the changes from .4.6-1ubuntu1.6 in
    quantal-proposed.
 -- Marc Deslauriers <email address hidden>   Fri, 28 Feb 2014 11:40:51 -0500
Superseded in saucy-updates on 2014-04-07
Superseded in saucy-security on 2014-04-07
php5 (5.5.3+dfsg-1ubuntu2.2) saucy-security; urgency=medium

  * SECURITY UPDATE: denial of service and possible code execution via
    multiple issues in gdImageCrop
    - debian/patches/CVE-2013-7226.patch: fix overflows and data type
      issues in ext/gd/gd.c,ext/gd/libgd/gd_crop.c, added test to
      ext/gd/tests/bug66356.phpt.
    - CVE-2013-7226
    - CVE-2013-7327
    - CVE-2013-7328
    - CVE-2014-2020
  * SECURITY UPDATE: denial of service via crafted indirect offset value
    in fileinfo
    - debian/patches/CVE-2013-1943.patch: properly handle recursion in
      ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added
      test to ext/fileinfo/tests/cve-2014-1943.phpt.
    - CVE-2013-1943
  * debian/rules: re-enable tests.
 -- Marc Deslauriers <email address hidden>   Fri, 28 Feb 2014 11:15:03 -0500
Superseded in trusty-release on 2014-03-03
Deleted in trusty-proposed on 2014-03-05 (Reason: moved to release)
php5 (5.5.9+dfsg-1ubuntu1) trusty; urgency=medium

  * Merge from Debian testing. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm, onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt
      since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - debian/rules: re-enable tests
    - d/tests/{cgi,cli,mod-php}: dep8 tests for common use cases.
  * Drop changes (upstreamed to Debian):
    - d/p/use-system-timezone.patch, d/tests/system-timezone: use system
      timezone by default, instead of requiring it to be configured.
  * d/rules: load dpkg-buildflags earlier, so that CFLAGS changes are not
    overridden (LP: #1280044).

Superseded in trusty-release on 2014-02-20
Deleted in trusty-proposed on 2014-02-22 (Reason: moved to release)
php5 (5.5.8+dfsg-2ubuntu1) trusty; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm,
      onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and
      php5-mcrypt since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - debian/rules: re-enable tests
  * Previously undocumented changes:
    - d/tests/{cgi,cli,mod_php}: dep8 tests for common use cases.
  * Drop changes:
    - d/p/{CVE-2013-6420,CVE-2013-6712,fix-freetype-ftbfs}.patch: upstreamed.
    - d/control: relegate php5-json and pkg-php-tools from Recommends to
      Suggests as they are in universe: php5-json and pkg-php-tools are now in
      main (LP: #1242726).
    - d/control, d/rules: re-enable libedit-dev: libedit-dev is now enabled in
      Debian.
  * d/tests/mod-php: rename from mod_php; the previous name was illegal.
  * d/tests/{cgi,mod-php}: use new default Apache DocumentRoot /var/www/html.
  * d/p/use-system-timezone.patch, d/tests/system-timezone: use system
    timezone by default, instead of requiring it to be configured.
    (LP: #1244343).
 -- Robie Basak <email address hidden>   Tue, 21 Jan 2014 15:40:58 +0000
Deleted in quantal-proposed on 2014-03-04 (Reason: moved to -updates)
php5 (5.4.6-1ubuntu1.6) quantal; urgency=low

  * debian/patches/lp1102366.patch: properly reset rfc1867 callbacks to
    prevent segfault. (LP: #1102366)
 -- Marc Deslauriers <email address hidden>   Mon, 23 Dec 2013 09:00:58 -0500
Superseded in trusty-release on 2014-01-21
Deleted in trusty-proposed on 2014-01-23 (Reason: moved to release)
php5 (5.5.6+dfsg-1ubuntu2) trusty; urgency=medium

  * No change rebuild against libicu52
 -- Dimitri John Ledkov <email address hidden>   Sat, 28 Dec 2013 05:16:26 +0000
Superseded in trusty-release on 2013-12-31
Deleted in trusty-proposed on 2014-01-01 (Reason: moved to release)
php5 (5.5.6+dfsg-1ubuntu1) trusty; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm,
      onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and
      php5-mcrypt since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control, d/rules: re-enable libedit-dev.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - d/control: relegate php5-json and pkg-php-tools from Recommends to
      Suggests as they are in universe.
  * Dropped changes:
    - d/p/crash_in_get_zval_ptr_ptr_var.patch: upstream
  * SECURITY UPDATE: denial of service and possible code execution via
    malicious certificate
    - debian/patches/CVE-2013-6420.patch: properly validate timestr in
      ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
    - CVE-2013-6420
  * SECURITY UPDATE: denial of service via crafted interval specification
    - debian/patches/CVE-2013-6712.patch: check error_count in
      ext/date/lib/parse_iso_intervals.*.
    - CVE-2013-6712
  * debian/patches/fix-freetype-ftbfs.patch: fix compilation with newer
    freetype
  * debian/rules: re-enable tests

Superseded in saucy-updates on 2014-03-03
Superseded in saucy-security on 2014-03-03
php5 (5.5.3+dfsg-1ubuntu2.1) saucy-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    malicious certificate
    - debian/patches/CVE-2013-6420.patch: properly validate timestr in
      ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
    - CVE-2013-6420
  * SECURITY UPDATE: denial of service via crafted interval specification
    - debian/patches/CVE-2013-6712.patch: check error_count in
      ext/date/lib/parse_iso_intervals.*.
    - CVE-2013-6712
 -- Marc Deslauriers <email address hidden>   Wed, 11 Dec 2013 13:45:28 -0500
Superseded in lucid-updates on 2014-03-03
Superseded in lucid-security on 2014-03-03
php5 (5.3.2-1ubuntu4.22) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    malicious certificate
    - debian/patches/CVE-2013-6420.patch: properly validate timestr in
      ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
    - CVE-2013-6420
  * SECURITY UPDATE: denial of service via crafted interval specification
    - debian/patches/CVE-2013-6712.patch: check error_count in
      ext/date/lib/parse_iso_intervals.*.
    - CVE-2013-6712
 -- Marc Deslauriers <email address hidden>   Wed, 11 Dec 2013 19:23:24 -0500
Superseded in quantal-updates on 2014-03-03
Superseded in quantal-security on 2014-03-03
php5 (5.4.6-1ubuntu1.5) quantal-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    malicious certificate
    - debian/patches/CVE-2013-6420.patch: properly validate timestr in
      ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
    - CVE-2013-6420
  * SECURITY UPDATE: denial of service via crafted interval specification
    - debian/patches/CVE-2013-6712.patch: check error_count in
      ext/date/lib/parse_iso_intervals.*.
    - CVE-2013-6712
 -- Marc Deslauriers <email address hidden>   Wed, 11 Dec 2013 19:20:51 -0500
Obsolete in raring-updates on 2015-04-24
Obsolete in raring-security on 2015-04-24
php5 (5.4.9-4ubuntu2.4) raring-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    malicious certificate
    - debian/patches/CVE-2013-6420.patch: properly validate timestr in
      ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
    - CVE-2013-6420
  * SECURITY UPDATE: denial of service via crafted interval specification
    - debian/patches/CVE-2013-6712.patch: check error_count in
      ext/date/lib/parse_iso_intervals.*.
    - CVE-2013-6712
 -- Marc Deslauriers <email address hidden>   Wed, 11 Dec 2013 19:19:30 -0500
Superseded in precise-updates on 2014-03-03
Superseded in precise-security on 2014-03-03
php5 (5.3.10-1ubuntu3.9) precise-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    malicious certificate
    - debian/patches/CVE-2013-6420.patch: properly validate timestr in
      ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
    - CVE-2013-6420
  * SECURITY UPDATE: denial of service via crafted interval specification
    - debian/patches/CVE-2013-6712.patch: check error_count in
      ext/date/lib/parse_iso_intervals.*.
    - CVE-2013-6712
 -- Marc Deslauriers <email address hidden>   Wed, 11 Dec 2013 19:22:04 -0500
Superseded in trusty-release on 2013-12-12
Deleted in trusty-proposed on 2013-12-14 (Reason: moved to release)
php5 (5.5.3+dfsg-1ubuntu3) trusty; urgency=low

  * No change rebuild against db 5.3.
 -- Dmitrijs Ledkovs <email address hidden>   Sat, 02 Nov 2013 20:03:00 +0000
Superseded in trusty-release on 2013-11-03
Obsolete in saucy-release on 2015-04-24
Deleted in saucy-proposed on 2015-04-28 (Reason: moved to release)
php5 (5.5.3+dfsg-1ubuntu2) saucy; urgency=low

  * d/p/crash_in_get_zval_ptr_ptr_var.patch: cherry-pick from upstream to fix
    segfault (LP: #1236733).
 -- Robie Basak <email address hidden>   Wed, 09 Oct 2013 11:29:29 +0000
Superseded in precise-updates on 2013-12-12
Superseded in precise-security on 2013-12-12
php5 (5.3.10-1ubuntu3.8) precise-security; urgency=low

  * SECURITY UPDATE: SSL cert validation spoofing via NULL character in
    subjectAltName.
    - debian/patches/CVE-2013-4248.patch: validate subjectAltName in
      ext/openssl/openssl.c, added test to ext/openssl/tests/cve2013_4073*.
    - CVE-2013-4248
 -- Marc Deslauriers <email address hidden>   Wed, 04 Sep 2013 12:54:39 -0400
Superseded in quantal-updates on 2013-12-12
Superseded in quantal-security on 2013-12-12
php5 (5.4.6-1ubuntu1.4) quantal-security; urgency=low

  * SECURITY UPDATE: SSL cert validation spoofing via NULL character in
    subjectAltName.
    - debian/patches/CVE-2013-4248.patch: validate subjectAltName in
      ext/openssl/openssl.c, added test to ext/openssl/tests/cve2013_4073*.
    - CVE-2013-4248
 -- Marc Deslauriers <email address hidden>   Wed, 04 Sep 2013 11:07:56 -0400
Superseded in raring-updates on 2013-12-12
Superseded in raring-security on 2013-12-12
php5 (5.4.9-4ubuntu2.3) raring-security; urgency=low

  * SECURITY UPDATE: SSL cert validation spoofing via NULL character in
    subjectAltName.
    - debian/patches/CVE-2013-4248.patch: validate subjectAltName in
      ext/openssl/openssl.c, added test to ext/openssl/tests/cve2013_4073*.
    - CVE-2013-4248
 -- Marc Deslauriers <email address hidden>   Wed, 04 Sep 2013 10:59:04 -0400
Superseded in lucid-updates on 2013-12-12
Superseded in lucid-security on 2013-12-12
php5 (5.3.2-1ubuntu4.21) lucid-security; urgency=low

  * SECURITY UPDATE: SSL cert validation spoofing via NULL character in
    subjectAltName.
    - debian/patches/CVE-2013-4248.patch: validate subjectAltName in
      ext/openssl/openssl.c, added test to ext/openssl/tests/cve2013_4073*.
    - CVE-2013-4248
 -- Marc Deslauriers <email address hidden>   Wed, 04 Sep 2013 12:56:49 -0400
175 of 328 results