Ubuntu

Change log for “php5” package in Ubuntu

175 of 280 results
Published in utopic-release on 2014-04-23
Published in trusty-release on 2014-04-09
Deleted in trusty-proposed (Reason: moved to release)
php5 (5.5.9+dfsg-1ubuntu4) trusty; urgency=medium

  * Comment out "reload signal USR2" stanza from php5-fpm to make the job
    compatible with Precise upstart, when it's still running as pid1
    during upgrade to trusty and before the restart. We'd rather support
    shorter down-time then reload interface. (LP: #1272788)
 -- Dimitri John Ledkov <email address hidden>   Wed, 09 Apr 2014 16:23:30 +0100
Published in lucid-updates on 2014-04-07
Published in lucid-security on 2014-04-07
php5 (5.3.2-1ubuntu4.24) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
    PE executable
    - debian/patches/CVE-2014-2270.patch: check bounds in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-2270
 -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:23:04 -0400
Superseded in trusty-release on 2014-04-09
Deleted in trusty-proposed on 2014-04-11 (Reason: moved to release)
php5 (5.5.9+dfsg-1ubuntu3) trusty; urgency=medium

  * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
    PE executable
    - debian/patches/CVE-2014-2270.patch: check bounds in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-2270
 -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:12:10 -0400
Published in quantal-updates on 2014-04-07
Published in quantal-security on 2014-04-07
php5 (5.4.6-1ubuntu1.8) quantal-security; urgency=medium

  * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
    PE executable
    - debian/patches/CVE-2014-2270.patch: check bounds in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-2270
 -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:18:45 -0400
Published in saucy-updates on 2014-04-07
Published in saucy-security on 2014-04-07
php5 (5.5.3+dfsg-1ubuntu2.3) saucy-security; urgency=medium

  * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
    PE executable
    - debian/patches/CVE-2014-2270.patch: check bounds in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-2270
 -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:14:26 -0400
Published in precise-updates on 2014-04-07
Published in precise-security on 2014-04-07
php5 (5.3.10-1ubuntu3.11) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
    PE executable
    - debian/patches/CVE-2014-2270.patch: check bounds in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-2270
 -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:21:27 -0400
Superseded in trusty-release on 2014-04-04
Deleted in trusty-proposed on 2014-04-05 (Reason: moved to release)
php5 (5.5.9+dfsg-1ubuntu2) trusty; urgency=medium

  * SECURITY UPDATE: denial of service via crafted indirect offset value
    in fileinfo
    - debian/patches/CVE-2013-1943.patch: properly handle recursion in
      ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added
      test to ext/fileinfo/tests/cve-2014-1943.phpt.
    - CVE-2013-1943
  * debian/patches/imageconvolution-regression.patch: fix regression in
    imageconvolution caused by security fix in 5.5.9.
 -- Marc Deslauriers <email address hidden>   Mon, 03 Mar 2014 13:42:25 -0500
Superseded in lucid-updates on 2014-04-07
Superseded in lucid-security on 2014-04-07
php5 (5.3.2-1ubuntu4.23) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service via crafted indirect offset value
    in fileinfo
    - debian/patches/CVE-2013-1943.patch: properly handle recursion in
      ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added
      test to ext/fileinfo/tests/cve-2014-1943.phpt.
    - CVE-2013-1943
 -- Marc Deslauriers <email address hidden>   Fri, 28 Feb 2014 17:40:15 -0500
Superseded in precise-updates on 2014-04-07
Superseded in precise-security on 2014-04-07
php5 (5.3.10-1ubuntu3.10) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via crafted indirect offset value
    in fileinfo
    - debian/patches/CVE-2013-1943.patch: properly handle recursion in
      ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added
      test to ext/fileinfo/tests/cve-2014-1943.phpt.
    - CVE-2013-1943
 -- Marc Deslauriers <email address hidden>   Fri, 28 Feb 2014 14:55:00 -0500
Superseded in quantal-updates on 2014-04-07
Superseded in quantal-security on 2014-04-07
php5 (5.4.6-1ubuntu1.7) quantal-security; urgency=medium

  * SECURITY UPDATE: denial of service via crafted indirect offset value
    in fileinfo
    - debian/patches/CVE-2013-1943.patch: properly handle recursion in
      ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added
      test to ext/fileinfo/tests/cve-2014-1943.phpt.
    - CVE-2013-1943
  * This package does _not_ contain the changes from .4.6-1ubuntu1.6 in
    quantal-proposed.
 -- Marc Deslauriers <email address hidden>   Fri, 28 Feb 2014 11:40:51 -0500
Superseded in saucy-updates on 2014-04-07
Superseded in saucy-security on 2014-04-07
php5 (5.5.3+dfsg-1ubuntu2.2) saucy-security; urgency=medium

  * SECURITY UPDATE: denial of service and possible code execution via
    multiple issues in gdImageCrop
    - debian/patches/CVE-2013-7226.patch: fix overflows and data type
      issues in ext/gd/gd.c,ext/gd/libgd/gd_crop.c, added test to
      ext/gd/tests/bug66356.phpt.
    - CVE-2013-7226
    - CVE-2013-7327
    - CVE-2013-7328
    - CVE-2014-2020
  * SECURITY UPDATE: denial of service via crafted indirect offset value
    in fileinfo
    - debian/patches/CVE-2013-1943.patch: properly handle recursion in
      ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added
      test to ext/fileinfo/tests/cve-2014-1943.phpt.
    - CVE-2013-1943
  * debian/rules: re-enable tests.
 -- Marc Deslauriers <email address hidden>   Fri, 28 Feb 2014 11:15:03 -0500
Superseded in trusty-release on 2014-03-03
Deleted in trusty-proposed on 2014-03-05 (Reason: moved to release)
php5 (5.5.9+dfsg-1ubuntu1) trusty; urgency=medium

  * Merge from Debian testing. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm, onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt
      since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - debian/rules: re-enable tests
    - d/tests/{cgi,cli,mod-php}: dep8 tests for common use cases.
  * Drop changes (upstreamed to Debian):
    - d/p/use-system-timezone.patch, d/tests/system-timezone: use system
      timezone by default, instead of requiring it to be configured.
  * d/rules: load dpkg-buildflags earlier, so that CFLAGS changes are not
    overridden (LP: #1280044).

Superseded in trusty-release on 2014-02-20
Deleted in trusty-proposed on 2014-02-22 (Reason: moved to release)
php5 (5.5.8+dfsg-2ubuntu1) trusty; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm,
      onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and
      php5-mcrypt since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - debian/rules: re-enable tests
  * Previously undocumented changes:
    - d/tests/{cgi,cli,mod_php}: dep8 tests for common use cases.
  * Drop changes:
    - d/p/{CVE-2013-6420,CVE-2013-6712,fix-freetype-ftbfs}.patch: upstreamed.
    - d/control: relegate php5-json and pkg-php-tools from Recommends to
      Suggests as they are in universe: php5-json and pkg-php-tools are now in
      main (LP: #1242726).
    - d/control, d/rules: re-enable libedit-dev: libedit-dev is now enabled in
      Debian.
  * d/tests/mod-php: rename from mod_php; the previous name was illegal.
  * d/tests/{cgi,mod-php}: use new default Apache DocumentRoot /var/www/html.
  * d/p/use-system-timezone.patch, d/tests/system-timezone: use system
    timezone by default, instead of requiring it to be configured.
    (LP: #1244343).
 -- Robie Basak <email address hidden>   Tue, 21 Jan 2014 15:40:58 +0000
Deleted in quantal-proposed on 2014-03-04 (Reason: moved to -updates)
php5 (5.4.6-1ubuntu1.6) quantal; urgency=low

  * debian/patches/lp1102366.patch: properly reset rfc1867 callbacks to
    prevent segfault. (LP: #1102366)
 -- Marc Deslauriers <email address hidden>   Mon, 23 Dec 2013 09:00:58 -0500
Superseded in trusty-release on 2014-01-21
Deleted in trusty-proposed on 2014-01-23 (Reason: moved to release)
php5 (5.5.6+dfsg-1ubuntu2) trusty; urgency=medium

  * No change rebuild against libicu52
 -- Dimitri John Ledkov <email address hidden>   Sat, 28 Dec 2013 05:16:26 +0000
Superseded in trusty-release on 2013-12-31
Deleted in trusty-proposed on 2014-01-01 (Reason: moved to release)
php5 (5.5.6+dfsg-1ubuntu1) trusty; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm,
      onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and
      php5-mcrypt since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control, d/rules: re-enable libedit-dev.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - d/control: relegate php5-json and pkg-php-tools from Recommends to
      Suggests as they are in universe.
  * Dropped changes:
    - d/p/crash_in_get_zval_ptr_ptr_var.patch: upstream
  * SECURITY UPDATE: denial of service and possible code execution via
    malicious certificate
    - debian/patches/CVE-2013-6420.patch: properly validate timestr in
      ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
    - CVE-2013-6420
  * SECURITY UPDATE: denial of service via crafted interval specification
    - debian/patches/CVE-2013-6712.patch: check error_count in
      ext/date/lib/parse_iso_intervals.*.
    - CVE-2013-6712
  * debian/patches/fix-freetype-ftbfs.patch: fix compilation with newer
    freetype
  * debian/rules: re-enable tests

Superseded in saucy-updates on 2014-03-03
Superseded in saucy-security on 2014-03-03
php5 (5.5.3+dfsg-1ubuntu2.1) saucy-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    malicious certificate
    - debian/patches/CVE-2013-6420.patch: properly validate timestr in
      ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
    - CVE-2013-6420
  * SECURITY UPDATE: denial of service via crafted interval specification
    - debian/patches/CVE-2013-6712.patch: check error_count in
      ext/date/lib/parse_iso_intervals.*.
    - CVE-2013-6712
 -- Marc Deslauriers <email address hidden>   Wed, 11 Dec 2013 13:45:28 -0500
Superseded in lucid-updates on 2014-03-03
Superseded in lucid-security on 2014-03-03
php5 (5.3.2-1ubuntu4.22) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    malicious certificate
    - debian/patches/CVE-2013-6420.patch: properly validate timestr in
      ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
    - CVE-2013-6420
  * SECURITY UPDATE: denial of service via crafted interval specification
    - debian/patches/CVE-2013-6712.patch: check error_count in
      ext/date/lib/parse_iso_intervals.*.
    - CVE-2013-6712
 -- Marc Deslauriers <email address hidden>   Wed, 11 Dec 2013 19:23:24 -0500
Superseded in quantal-updates on 2014-03-03
Superseded in quantal-security on 2014-03-03
php5 (5.4.6-1ubuntu1.5) quantal-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    malicious certificate
    - debian/patches/CVE-2013-6420.patch: properly validate timestr in
      ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
    - CVE-2013-6420
  * SECURITY UPDATE: denial of service via crafted interval specification
    - debian/patches/CVE-2013-6712.patch: check error_count in
      ext/date/lib/parse_iso_intervals.*.
    - CVE-2013-6712
 -- Marc Deslauriers <email address hidden>   Wed, 11 Dec 2013 19:20:51 -0500
Published in raring-updates on 2013-12-12
Published in raring-security on 2013-12-12
php5 (5.4.9-4ubuntu2.4) raring-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    malicious certificate
    - debian/patches/CVE-2013-6420.patch: properly validate timestr in
      ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
    - CVE-2013-6420
  * SECURITY UPDATE: denial of service via crafted interval specification
    - debian/patches/CVE-2013-6712.patch: check error_count in
      ext/date/lib/parse_iso_intervals.*.
    - CVE-2013-6712
 -- Marc Deslauriers <email address hidden>   Wed, 11 Dec 2013 19:19:30 -0500
Superseded in precise-updates on 2014-03-03
Superseded in precise-security on 2014-03-03
php5 (5.3.10-1ubuntu3.9) precise-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    malicious certificate
    - debian/patches/CVE-2013-6420.patch: properly validate timestr in
      ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
    - CVE-2013-6420
  * SECURITY UPDATE: denial of service via crafted interval specification
    - debian/patches/CVE-2013-6712.patch: check error_count in
      ext/date/lib/parse_iso_intervals.*.
    - CVE-2013-6712
 -- Marc Deslauriers <email address hidden>   Wed, 11 Dec 2013 19:22:04 -0500
Superseded in trusty-release on 2013-12-12
Deleted in trusty-proposed on 2013-12-14 (Reason: moved to release)
php5 (5.5.3+dfsg-1ubuntu3) trusty; urgency=low

  * No change rebuild against db 5.3.
 -- Dmitrijs Ledkovs <email address hidden>   Sat, 02 Nov 2013 20:03:00 +0000
Superseded in trusty-release on 2013-11-03
Published in saucy-release on 2013-10-09
Deleted in saucy-proposed (Reason: moved to release)
php5 (5.5.3+dfsg-1ubuntu2) saucy; urgency=low

  * d/p/crash_in_get_zval_ptr_ptr_var.patch: cherry-pick from upstream to fix
    segfault (LP: #1236733).
 -- Robie Basak <email address hidden>   Wed, 09 Oct 2013 11:29:29 +0000
Superseded in precise-updates on 2013-12-12
Superseded in precise-security on 2013-12-12
php5 (5.3.10-1ubuntu3.8) precise-security; urgency=low

  * SECURITY UPDATE: SSL cert validation spoofing via NULL character in
    subjectAltName.
    - debian/patches/CVE-2013-4248.patch: validate subjectAltName in
      ext/openssl/openssl.c, added test to ext/openssl/tests/cve2013_4073*.
    - CVE-2013-4248
 -- Marc Deslauriers <email address hidden>   Wed, 04 Sep 2013 12:54:39 -0400
Superseded in quantal-updates on 2013-12-12
Superseded in quantal-security on 2013-12-12
php5 (5.4.6-1ubuntu1.4) quantal-security; urgency=low

  * SECURITY UPDATE: SSL cert validation spoofing via NULL character in
    subjectAltName.
    - debian/patches/CVE-2013-4248.patch: validate subjectAltName in
      ext/openssl/openssl.c, added test to ext/openssl/tests/cve2013_4073*.
    - CVE-2013-4248
 -- Marc Deslauriers <email address hidden>   Wed, 04 Sep 2013 11:07:56 -0400
Superseded in raring-updates on 2013-12-12
Superseded in raring-security on 2013-12-12
php5 (5.4.9-4ubuntu2.3) raring-security; urgency=low

  * SECURITY UPDATE: SSL cert validation spoofing via NULL character in
    subjectAltName.
    - debian/patches/CVE-2013-4248.patch: validate subjectAltName in
      ext/openssl/openssl.c, added test to ext/openssl/tests/cve2013_4073*.
    - CVE-2013-4248
 -- Marc Deslauriers <email address hidden>   Wed, 04 Sep 2013 10:59:04 -0400
Superseded in lucid-updates on 2013-12-12
Superseded in lucid-security on 2013-12-12
php5 (5.3.2-1ubuntu4.21) lucid-security; urgency=low

  * SECURITY UPDATE: SSL cert validation spoofing via NULL character in
    subjectAltName.
    - debian/patches/CVE-2013-4248.patch: validate subjectAltName in
      ext/openssl/openssl.c, added test to ext/openssl/tests/cve2013_4073*.
    - CVE-2013-4248
 -- Marc Deslauriers <email address hidden>   Wed, 04 Sep 2013 12:56:49 -0400
Superseded in saucy-release on 2013-10-09
Deleted in saucy-proposed on 2013-10-10 (Reason: moved to release)
php5 (5.5.3+dfsg-1ubuntu1) saucy; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm,
      onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and
      php5-mcrypt since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control, d/rules: re-enable libedit-dev.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - d/control: relegate php5-json and pkg-php-tools from Recommends to
      Suggests as they are in universe.

Superseded in saucy-release on 2013-09-04
Deleted in saucy-proposed on 2013-09-05 (Reason: moved to release)
php5 (5.5.1+dfsg-1ubuntu1) saucy; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm,
      onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and
      php5-mcrypt since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control, d/rules: re-enable libedit-dev.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - d/control: relegate php5-json and pkg-php-tools from Recommends to
      Suggests as they are in universe.

Superseded in saucy-release on 2013-07-25
Deleted in saucy-proposed on 2013-07-26 (Reason: moved to release)
php5 (5.5.0+dfsg-15ubuntu1) saucy; urgency=low

  * Merged from Debian unstable to get security fix.

Superseded in saucy-release on 2013-07-18
Deleted in saucy-proposed on 2013-07-20 (Reason: moved to release)
php5 (5.5.0+dfsg-14ubuntu1) saucy; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm,
      onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and
      php5-mcrypt since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control, d/rules: re-enable libedit-dev.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - d/control: relegate php5-json from Recommends to Suggests as it is in
      universe.
  * Relegate pkg-php-tools Recommends to Suggests as it is in universe.
 -- Robie Basak <email address hidden>   Wed, 17 Jul 2013 18:00:02 +0000
Superseded in raring-updates on 2013-09-05
Superseded in raring-security on 2013-09-05
php5 (5.4.9-4ubuntu2.2) raring-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via xml
    parser heap overflow
    - debian/patches/CVE-2013-4113.patch: check against XML_MAXLEVEL in
      ext/xml/xml.c, add test to ext/xml/tests/bug65236.phpt.
    - CVE-2013-4113
  * SECURITY UPDATE: denial of service via overflow in SdnToJewish
    - debian/patches/CVE-2013-4635.patch: check value in
      ext/calendar/jewish.c, add test to
      ext/calendar/tests/jdtojewish64.phpt.
    - CVE-2013-4635
 -- Marc Deslauriers <email address hidden>   Mon, 15 Jul 2013 09:42:36 -0400
Superseded in quantal-updates on 2013-09-05
Superseded in quantal-security on 2013-09-05
php5 (5.4.6-1ubuntu1.3) quantal-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via xml
    parser heap overflow
    - debian/patches/CVE-2013-4113.patch: check against XML_MAXLEVEL in
      ext/xml/xml.c, add test to ext/xml/tests/bug65236.phpt.
    - CVE-2013-4113
  * SECURITY UPDATE: denial of service via overflow in SdnToJewish
    - debian/patches/CVE-2013-4635.patch: check value in
      ext/calendar/jewish.c, add test to
      ext/calendar/tests/jdtojewish64.phpt.
    - CVE-2013-4635
 -- Marc Deslauriers <email address hidden>   Mon, 15 Jul 2013 09:48:22 -0400
Superseded in precise-updates on 2013-09-05
Superseded in precise-security on 2013-09-05
php5 (5.3.10-1ubuntu3.7) precise-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via xml
    parser heap overflow
    - debian/patches/CVE-2013-4113.patch: check against XML_MAXLEVEL in
      ext/xml/xml.c, add test to ext/xml/tests/bug65236.phpt.
    - CVE-2013-4113
  * SECURITY UPDATE: denial of service via overflow in SdnToJewish
    - debian/patches/CVE-2013-4635.patch: check value in
      ext/calendar/jewish.c, add test to
      ext/calendar/tests/jdtojewish64.phpt.
    - CVE-2013-4635
 -- Marc Deslauriers <email address hidden>   Mon, 15 Jul 2013 09:49:43 -0400
Superseded in lucid-updates on 2013-09-05
Superseded in lucid-security on 2013-09-05
php5 (5.3.2-1ubuntu4.20) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via xml
    parser heap overflow
    - debian/patches/CVE-2013-4113.patch: check against XML_MAXLEVEL in
      ext/xml/xml.c, add test to ext/xml/tests/bug65236.phpt.
    - CVE-2013-4113
  * SECURITY UPDATE: denial of service via overflow in SdnToJewish
    - debian/patches/CVE-2013-4635.patch: check value in
      ext/calendar/jewish.c, add test to
      ext/calendar/tests/jdtojewish64.phpt.
    - CVE-2013-4635
 -- Marc Deslauriers <email address hidden>   Mon, 15 Jul 2013 09:50:48 -0400
Superseded in saucy-proposed on 2013-07-17
php5 (5.5.0+dfsg-6ubuntu1) saucy; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm,
      onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and
      php5-mcrypt since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control, d/rules: re-enable libedit-dev.
  * Remaining changes that were previously undocumented:
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
  * Drop changes:
    - Add build-dependency on lemon, which we now need. This is evidently no
      longer required, since there is no sign of it being used in
      5.4.15-1ubuntu3.
    - Dropped libcurl-dev not in the archive. libcurl-dev is a virtual
      alternative, so doesn't need to be dropped.
    - debian/control: replace build-depends on mysql-server with
      mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
      mysql-server-5.5 postinst confusion with starting up multiple
      mysqlds listening on the same port. The test infrastructure in packaging
      has changed, and now breaks without the mysql-server-5.5 postinst having
      run and created the mysql user. However, it also finds an available port
      itself so no longer conflicts with our mysql-server-5.5 postinst.
    - Patches included upstream:
      + debian/patches/CVE-2013-2110.patch
      + debian/patches/fix_gd_210.patch
      + debian/patches/CVE-2013-4635.patch
      + debian/patches/CVE-2013-4636.patch
  * Drop changes that were previously undocumented:
    - d/rules: adjust memory limits in .ini files. It appears that this was
      intended to be dropped back in 5.4.6-1ubuntu1, going by the old
      changelog entry.
    - d/rules: adjust openssl path in configure script. PHP still appears to
      configure, detect and build openssl-related components correctly
      regardless.
    - d/rules: disable parallel builds. There is no previous explanation as to
      why this was disabled, and having this in place is standard practice and
      in the Debian packaging.
    - d/rules: adjust PHP5_{HOST,BUILD}_GNU_TYPE. There is no previous
      explanation as to why this was present, and I can't find any regression
      that would be fixed by this change.
  * New changes:
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - d/control: relegate php5-json from Recommends to Suggests as it is in
      universe.
 -- Robie Basak <email address hidden>   Mon, 15 Jul 2013 14:09:59 +0000
Superseded in saucy-release on 2013-07-18
Deleted in saucy-proposed on 2013-07-19 (Reason: moved to release)
php5 (5.4.15-1ubuntu3) saucy; urgency=low

  * SECURITY UPDATE: denial of service via overflow in SdnToJewish
    - debian/patches/CVE-2013-4635.patch: check value in
      ext/calendar/jewish.c, add test to
      ext/calendar/tests/jdtojewish64.phpt.
    - CVE-2013-4635
  * SECURITY UPDATE: denial of service via incorrect MIME type detection
    - debian/patches/CVE-2013-4636.patch: use efree in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2013-4636
 -- Marc Deslauriers <email address hidden>   Fri, 28 Jun 2013 08:20:11 -0400
Superseded in saucy-release on 2013-06-30
Deleted in saucy-proposed on 2013-07-01 (Reason: moved to release)
php5 (5.4.15-1ubuntu2) saucy; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    quoted_printable_encode overflow
    - debian/patches/CVE-2013-2110.patch: calculate proper string size in
      ext/standard/quot_print.c, add test to
      ext/standard/tests/strings/bug64879.phpt.
    - CVE-2013-2110
  * debian/patches/fix_gd_210.patch: fix php-gd compatibility with
    libgd2 2.1.0. (LP: #1188070)
 -- Marc Deslauriers <email address hidden>   Tue, 11 Jun 2013 09:19:47 -0400
Superseded in raring-updates on 2013-07-16
Superseded in raring-security on 2013-07-16
php5 (5.4.9-4ubuntu2.1) raring-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    quoted_printable_encode overflow
    - debian/patches/CVE-2013-2110.patch: calculate proper string size in
      ext/standard/quot_print.c, add test to
      ext/standard/tests/strings/bug64879.phpt.
    - CVE-2013-2110
 -- Marc Deslauriers <email address hidden>   Mon, 10 Jun 2013 16:02:40 -0400
Superseded in saucy-release on 2013-06-12
Deleted in saucy-proposed on 2013-06-13 (Reason: moved to release)
php5 (5.4.15-1ubuntu1) saucy; urgency=low

  * Merge from Debian experimental. Remaining changes:
    - d/rules: Simplify apache config settings since we never build
      interbase or firebird.
    - debian/rules: export DEB_HOST_MULTIARCH properly.
    - Add build-dependency on lemon, which we now need.
    - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is
      in universe.
    - Dropped libcurl-dev not in the archive.
    - debian/control: replace build-depends on mysql-server with
      mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
      mysql-server-5.5 postinst confusion with starting up multiple
      mysqlds listening on the same port.
    - Dropped php5-imap, php5-interbase, php5-mcrypt since we have
      versions already in universe.
    - Dropped libonig-dev and libqgdbm since its in universe. (libonig
      MIR has been declined due to an inactive upstream. So this is
      probably a permanent change).
    - modulelist: Drop imap, interbase, sybase, and mcrypt.
    - debian/rules:
      - Dropped building of mcrypt, imap, and interbase.
      - Install apport hook for php5.
      - stop mysql instance on clean just in case we failed in tests
    - debian/control, debian/rules: Re-enable libedit-dev.
  * Dropped changes:
    - debian/patches/CVE-2013-1643.patch: included upstream.

Superseded in saucy-release on 2013-06-02
Published in raring-release on 2013-03-11
Deleted in raring-proposed (Reason: moved to release)
php5 (5.4.9-4ubuntu2) raring; urgency=low

  * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
    - debian/patches/CVE-2013-1643.patch: disable the entity loader in
      ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
    - CVE-2013-1643
 -- Marc Deslauriers <email address hidden>   Fri, 08 Mar 2013 16:12:43 -0500

Available diffs

Superseded in lucid-updates on 2013-07-16
Superseded in lucid-security on 2013-07-16
php5 (5.3.2-1ubuntu4.19) lucid-security; urgency=low

  * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
    - debian/patches/CVE-2013-1643.patch: disable the entity loader in
      ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
    - CVE-2013-1643
 -- Marc Deslauriers <email address hidden>   Mon, 11 Mar 2013 07:49:54 -0400
Superseded in quantal-updates on 2013-07-16
Superseded in quantal-security on 2013-07-16
php5 (5.4.6-1ubuntu1.2) quantal-security; urgency=low

  * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
    - debian/patches/CVE-2013-1643.patch: disable the entity loader in
      ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
    - CVE-2013-1643
 -- Marc Deslauriers <email address hidden>   Fri, 08 Mar 2013 16:18:48 -0500
Superseded in precise-updates on 2013-07-16
Superseded in precise-security on 2013-07-16
php5 (5.3.10-1ubuntu3.6) precise-security; urgency=low

  * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
    - debian/patches/CVE-2013-1643.patch: disable the entity loader in
      ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
    - CVE-2013-1643
 -- Marc Deslauriers <email address hidden>   Fri, 08 Mar 2013 16:22:01 -0500
Published in oneiric-updates on 2013-03-13
Published in oneiric-security on 2013-03-13
php5 (5.3.6-13ubuntu3.10) oneiric-security; urgency=low

  * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
    - debian/patches/CVE-2013-1643.patch: disable the entity loader in
      ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
    - CVE-2013-1643
 -- Marc Deslauriers <email address hidden>   Fri, 08 Mar 2013 16:32:19 -0500
Published in hardy-updates on 2013-03-13
Published in hardy-security on 2013-03-13
php5 (5.2.4-2ubuntu5.27) hardy-security; urgency=low

  * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
    - debian/patches/CVE-2013-1643.patch: disable the entity loader in
      ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
    - CVE-2013-1643
 -- Marc Deslauriers <email address hidden>   Mon, 11 Mar 2013 07:55:03 -0400
Superseded in precise-updates on 2013-03-13
Superseded in precise-security on 2013-03-13
php5 (5.3.10-1ubuntu3.5) precise-security; urgency=low

  * SECURITY UPDATE: arbitrary memory disclosure (LP: #1099793)
    - debian/patches/CVE-2012-6113.patch: properly initialize length in
      ext/openssl/openssl.c.
    - CVE-2012-6113
 -- Marc Deslauriers <email address hidden>   Fri, 18 Jan 2013 09:49:22 -0500
Superseded in raring-release on 2013-03-11
Deleted in raring-proposed on 2013-03-13 (Reason: moved to release)
php5 (5.4.9-4ubuntu1) raring; urgency=low

  * Merge from Debian experimental. Remaining changes:
    - d/rules: Simplify apache config settings since we never build
      interbase or firebird.
    - debian/rules: export DEB_HOST_MULTIARCH properly.
    - Add build-dependency on lemon, which we now need.
    - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is
      in universe.
    - Dropped libcurl-dev not in the archive.
    - debian/control: replace build-depends on mysql-server with
      mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
      mysql-server-5.5 postinst confusion with starting up multiple
      mysqlds listening on the same port.
    - Dropped php5-imap, php5-interbase, php5-mcrypt since we have
      versions already in universe.
    - Dropped libonig-dev and libqgdbm since its in universe. (libonig
      MIR has been declined due to an inactive upstream. So this is
      probably a permanent change).
    - modulelist: Drop imap, interbase, sybase, and mcrypt.
    - debian/rules:
      - Dropped building of mcrypt, imap, and interbase.
      - Install apport hook for php5.
      - stop mysql instance on clean just in case we failed in tests
    - debian/control, debian/rules: Re-enable libedit-dev.
  * Dropped changes:
    - Re-add logic to guess default timezone from system to fix default
      timezone regression Cherry-picked from Debian 5.4.4-6 (also in
      Debian 5.4.6-2).
    - debian/patches/libxml290.patch: Fix FTBFS with libxml 2.9.0.
      (included upstream)

Available diffs

Superseded in raring-release on 2012-12-05
Deleted in raring-proposed on 2012-12-07 (Reason: moved to release)
php5 (5.4.6-1ubuntu2) raring; urgency=low

  [ Robie Basak ]
  * Re-add logic to guess default timezone from system to fix default timezone
    regression (LP: #1069529). Cherry-picked from Debian 5.4.4-6 (also in
    Debian 5.4.6-2).

  [ Marc Deslauriers ]
  * debian/patches/libxml290.patch: Fix FTBFS with libxml 2.9.0.
 -- Marc Deslauriers <email address hidden>   Wed, 07 Nov 2012 11:54:55 -0500

Available diffs

Superseded in quantal-updates on 2013-03-13
Deleted in quantal-proposed on 2013-03-15 (Reason: moved to -updates)
php5 (5.4.6-1ubuntu1.1) quantal-proposed; urgency=low

  * Re-add logic to guess default timezone from system to fix default timezone
    regression (LP: #1069529). Cherry-picked from Debian 5.4.4-6 (also in
    Debian 5.4.6-2).
 -- Robie Basak <email address hidden>   Wed, 24 Oct 2012 10:04:51 +0000

Available diffs

Superseded in hardy-updates on 2013-03-13
Superseded in hardy-security on 2013-03-13
php5 (5.2.4-2ubuntu5.26) hardy-security; urgency=low

  * SECURITY UPDATE: HTTP response-splitting issue with %0D sequences
    - debian/patches/CVE-2011-1398.patch: properly handle %0D and NUL in
      main/SAPI.c.
    - CVE-2011-1398
    - CVE-2012-4388
  * SECURITY UPDATE: denial of service and possible code execution via
    _php_stream_scandir function (LP: #1028064)
    - debian/patches/CVE-2012-2688.patch: prevent overflow in
      main/streams/streams.c.
    - CVE-2012-2688
  * SECURITY UPDATE: denial of service via PDO extension crafted parameter
    - debian/patches/CVE-2012-3450.patch: improve logic in
      ext/pdo/pdo_sql_parser.re, regenerate ext/pdo/pdo_sql_parser.c, add
      test to ext/pdo_mysql/tests/bug_61755.phpt.
    - CVE-2012-3450
 -- Marc Deslauriers <email address hidden>   Wed, 12 Sep 2012 11:51:06 -0400
Superseded in lucid-updates on 2013-03-13
Superseded in lucid-security on 2013-03-13
php5 (5.3.2-1ubuntu4.18) lucid-security; urgency=low

  * SECURITY UPDATE: HTTP response-splitting issue with %0D sequences
    - debian/patches/CVE-2011-1398.patch: properly handle %0D and NUL in
      main/SAPI.c, added tests to ext/standard/tests/*, fix test suite
      failures in ext/phar/phar_object.c.
    - CVE-2011-1398
    - CVE-2012-4388
  * SECURITY UPDATE: denial of service and possible code execution via
    _php_stream_scandir function (LP: #1028064)
    - debian/patches/CVE-2012-2688.patch: prevent overflow in
      main/streams/streams.c.
    - CVE-2012-2688
  * SECURITY UPDATE: denial of service via PDO extension crafted parameter
    - debian/patches/CVE-2012-3450.patch: improve logic in
      ext/pdo/pdo_sql_parser.re, regenerate ext/pdo/pdo_sql_parser.c, add
      test to ext/pdo_mysql/tests/bug_61755.phpt.
    - CVE-2012-3450
 -- Marc Deslauriers <email address hidden>   Wed, 12 Sep 2012 11:33:30 -0400
Obsolete in natty-updates on 2013-06-04
Obsolete in natty-security on 2013-06-04
php5 (5.3.5-1ubuntu7.11) natty-security; urgency=low

  * SECURITY UPDATE: HTTP response-splitting issue with %0D sequences
    - debian/patches/CVE-2011-1398.patch: properly handle %0D and NUL in
      main/SAPI.c, added tests to ext/standard/tests/*, fix test suite
      failures in ext/phar/phar_object.c.
    - CVE-2011-1398
    - CVE-2012-4388
  * SECURITY UPDATE: denial of service and possible code execution via
    _php_stream_scandir function (LP: #1028064)
    - debian/patches/CVE-2012-2688.patch: prevent overflow in
      main/streams/streams.c.
    - CVE-2012-2688
  * SECURITY UPDATE: denial of service via PDO extension crafted parameter
    - debian/patches/CVE-2012-3450.patch: improve logic in
      ext/pdo/pdo_sql_parser.re, regenerate ext/pdo/pdo_sql_parser.c, add
      test to ext/pdo_mysql/tests/bug_61755.phpt.
    - CVE-2012-3450
 -- Marc Deslauriers <email address hidden>   Wed, 12 Sep 2012 09:11:28 -0400
Superseded in oneiric-updates on 2013-03-13
Superseded in oneiric-security on 2013-03-13
php5 (5.3.6-13ubuntu3.9) oneiric-security; urgency=low

  * SECURITY UPDATE: HTTP response-splitting issue with %0D sequences
    - debian/patches/CVE-2011-1398.patch: properly handle %0D and NUL in
      main/SAPI.c, added tests to ext/standard/tests/*, fix test suite
      failures in ext/phar/phar_object.c.
    - CVE-2011-1398
    - CVE-2012-4388
  * SECURITY UPDATE: denial of service and possible code execution via
    _php_stream_scandir function (LP: #1028064)
    - debian/patches/CVE-2012-2688.patch: prevent overflow in
      main/streams/streams.c.
    - CVE-2012-2688
  * SECURITY UPDATE: denial of service via PDO extension crafted parameter
    - debian/patches/CVE-2012-3450.patch: improve logic in
      ext/pdo/pdo_sql_parser.re, regenerate ext/pdo/pdo_sql_parser.c, add
      test to ext/pdo_mysql/tests/bug_61755.phpt.
    - CVE-2012-3450
 -- Marc Deslauriers <email address hidden>   Wed, 12 Sep 2012 09:09:05 -0400
Superseded in precise-updates on 2013-01-22
Superseded in precise-security on 2013-01-22
php5 (5.3.10-1ubuntu3.4) precise-security; urgency=low

  * SECURITY UPDATE: HTTP response-splitting issue with %0D sequences
    - debian/patches/CVE-2011-1398.patch: properly handle %0D and NUL in
      main/SAPI.c, added tests to ext/standard/tests/*, fix test suite
      failures in ext/phar/phar_object.c.
    - CVE-2011-1398
    - CVE-2012-4388
  * SECURITY UPDATE: denial of service and possible code execution via
    _php_stream_scandir function (LP: #1028064)
    - debian/patches/CVE-2012-2688.patch: prevent overflow in
      main/streams/streams.c.
    - CVE-2012-2688
  * SECURITY UPDATE: denial of service via PDO extension crafted parameter
    - debian/patches/CVE-2012-3450.patch: improve logic in
      ext/pdo/pdo_sql_parser.re, regenerate ext/pdo/pdo_sql_parser.c, add
      test to ext/pdo_mysql/tests/bug_61755.phpt.
    - CVE-2012-3450
 -- Marc Deslauriers <email address hidden>   Tue, 11 Sep 2012 11:28:52 -0400
Superseded in precise-updates on 2012-09-17
Deleted in precise-proposed on 2012-09-18 (Reason: moved to -updates)
php5 (5.3.10-1ubuntu3.3) precise-proposed; urgency=low

  * Applies upstream bug fixes for several issues and bugs:
    * php5-fpm segfaults with error 4 in libc-2.15.so
        (LP: #1006738.  Bug Priority: High)
    * PHP5-FPM not reporting errors to web server (nginx)
        (LP: #1014044.  Bug Priority: Medium)
 -- Thomas Ward <email address hidden>   Tue, 31 Jul 2012 21:15:08 -0400
Superseded in raring-release on 2012-11-08
Published in quantal-release on 2012-08-22
php5 (5.4.6-1ubuntu1) quantal; urgency=low

  * Merge from Debian experimental (LP: #1006738 , LP: #1040212)
    Remaining changes:
    - d/rules: Simplify apache config settings since we never build
      interbase or firebird.
    - debian/rules: export DEB_HOST_MULTIARCH properly.
    - Add build-dependency on lemon, which we now need.
    - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is
      in universe.
    - Dropped libcurl-dev not in the archive.
    - debian/control: replace build-depends on mysql-server with
      mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
      mysql-server-5.5 postinst confusion with starting up multiple
      mysqlds listening on the same port.
    - Dropped php5-imap, php5-interbase, php5-mcrypt since we have
      versions already in universe.
    - Dropped libonig-dev and libqgdbm since its in universe. (libonig
      MIR has been declined due to an inactive upstream. So this is
      probably a permanent change).
    - modulelist: Drop imap, interbase, sybase, and mcrypt.
    - debian/rules:
      - Dropped building of mcrypt, imap, and interbase.
      - Install apport hook for php5.
      - stop mysql instance on clean just in case we failed in tests
    - debian/control, debian/rules: Re-enable libedit-dev.
  * Dropped Changes:
    - debian/rules: change memory limits on example .ini files.

Available diffs

Superseded in quantal-release on 2012-08-22
php5 (5.4.4-3ubuntu1) quantal; urgency=low

  * Merge from Debian unstable. (LP: #1014044) (LP: #1024355)
    Remaining changes:
    - d/rules: Simplify apache config settings since we never build
      interbase or firebird.
    - debian/rules: export DEB_HOST_MULTIARCH properly.
    - Add build-dependency on lemon, which we now need.
    - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe.
    - Dropped libcurl-dev not in the archive.
    - debian/control: replace build-depends on mysql-server with
      mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
      mysql-server-5.5 postinst confusion with starting up multiple
      mysqlds listening on the same port.
    - Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions
      already in universe.
    - Dropped libonig-dev and libqgdbm since its in universe. (libonig MIR
      has been declined due to an inactive upstream. So this is probably
      a permanent change).
    - modulelist: Drop imap, interbase, sybase, and mcrypt.
    - debian/rules:
      * Dropped building of mcrypt, imap, and interbase.
      * Install apport hook for php5.
      * stop mysql instance on clean just in case we failed in tests

Available diffs

Superseded in quantal-release on 2012-07-23
php5 (5.4.4-1ubuntu1) quantal; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/rules: Simplify apache config settings since we never build
      interbase or firebird.
    - debian/rules: export DEB_HOST_MULTIARCH properly.
    - Add build-dependency on lemon, which we now need.
    - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe.
    - Dropped libcurl-dev not in the archive.
    - debian/control: replace build-depends on mysql-server with
      mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
      mysql-server-5.5 postinst confusion with starting up multiple
      mysqlds listening on the same port.
    - Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions
      already in universe.
    - Dropped libonig-dev and libqgdbm since its in universe. (libonig MIR
      has been declined due to an inactive upstream. So this is probably
      a permanent change).
    - modulelist: Drop imap, interbase, sybase, and mcrypt.
    - debian/rules:
      * Dropped building of mcrypt, imap, and interbase.
      * Install apport hook for php5.
      * stop mysql instance on clean just in case we failed in tests
  * Dropped Changes:
    * d/rules: enable Suhosin patch with PHP5_SUHOSIN=yes -- Upstream suhosin
      has been slow to adopt PHP 5.4, and is showing signs of disengagement.
      Therefore, we will follow Debian's lead and drop Suhosin for now.
    - d/control: build-depend on mysql 5.5 instead of 5.1 for running tests.
      -- Debian just deps on mysql-server
    - Suggest php5-suhosin rather than recommends. -- Dropping suhosin
    - d/setup-mysql.sh: modify to work with mysql 5.5 differences -- superseded
      in Debian.
    - Only build php5-sqlite for sqlite3, dropping the obsolete sqlite2. --
      superseded in Debian
    - d/maxlifetime: Improve maxlifetime script to scan for more SAPIs and
      scan all *.ini in conf.d directory. -- Change came from Debian
    - d/libapache2-mod-php5.postinst,libapache2-mod-php5filter.postinst:
      Restart apache on first install to ensure module is fully enabled.
      -- Change came from Debian
    - debian/patches/php5-CVE-2012-1823.patch: filter query strings that
      are prefixed with '-' -- Fixed upstream
    - debian/control: Recommend php5-dev for php-pear. -- This was a poorly
      conceived idea anyway.
    - Pre-Depend on a new enough version of dpkg for dpkg-maintscript-helper
      rather than checking whether it exists at run-time, leading to more
      predictable behaviour on upgrades. -- Applied in Debian
    - d/p/gd-multiarch-fix.patch: superseded
  * d/NEWS: add note explaining that SUHOSIN is no longer enabled in the
    Ubuntu packages.

Superseded in lucid-updates on 2012-09-17
Superseded in lucid-security on 2012-09-17
php5 (5.3.2-1ubuntu4.17) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service via invalid tidy objects
    - debian/patches/CVE-2012-0781.patch: track initialization in
      ext/tidy/tidy.c, added tests to ext/tidy/tests/004.phpt,
      ext/tidy/tests/bug54682.phpt.
    - CVE-2012-0781
  * SECURITY UPDATE: denial of service or possible directory traversal via
    invalid filename.
    - debian/patches/CVE-2012-1172.patch: ensure brackets get closed in
      main/rfc1867.c, add test to tests/basic/bug55500.phpt.
    - CVE-2012-1172
  * SECURITY UPDATE: password truncation via invalid byte
    - debian/patches/CVE-2012-2143.patch: improve logic in
      ext/standard/crypt_freesec.c, add test to
      ext/standard/tests/strings/crypt_chars.phpt.
    - CVE-2012-2143
  * SECURITY UPDATE: crypto() empty salt string issue
    - debian/patches/php_crypt_revamped.patch: Return fail string on
      invalid Blowfish salt rounds, fix regression when the salt is empty.
    - CVE-2012-2317
  * SECURITY UPDATE: improve php5-cgi query string parameter parsing
    - debian/patches/CVE-2012-233x.patch: improve parsing in
      sapi/cgi/cgi_main.c.
    - CVE-2012-2335
    - CVE-2012-2336
  * SECURITY UPDATE: phar extension heap overflow
    - debian/patches/CVE-2012-2386.patch: check for overflow in
      ext/phar/tar.c.
    - CVE-2012-2386
 -- Marc Deslauriers <email address hidden>   Tue, 12 Jun 2012 15:51:23 -0400
Superseded in natty-updates on 2012-09-17
Superseded in natty-security on 2012-09-17
php5 (5.3.5-1ubuntu7.10) natty-security; urgency=low

  * SECURITY UPDATE: denial of service via invalid tidy objects
    - debian/patches/CVE-2012-0781.patch: track initialization in
      ext/tidy/tidy.c, added tests to ext/tidy/tests/004.phpt,
      ext/tidy/tests/bug54682.phpt.
    - CVE-2012-0781
  * SECURITY UPDATE: denial of service or possible directory traversal via
    invalid filename.
    - debian/patches/CVE-2012-1172.patch: ensure brackets get closed in
      main/rfc1867.c, add test to tests/basic/bug55500.phpt.
    - CVE-2012-1172
  * SECURITY UPDATE: password truncation via invalid byte
    - debian/patches/CVE-2012-2143.patch: improve logic in
      ext/standard/crypt_freesec.c, add test to
      ext/standard/tests/strings/crypt_chars.phpt.
    - CVE-2012-2143
  * SECURITY UPDATE: crypto() empty salt string issue
    - debian/patches/{php_crypt_revamped,use_system_crypt_fixes}.patch:
      Return fail string on invalid Blowfish salt rounds, fix regression
      when the salt is empty.
    - CVE-2012-2317
  * SECURITY UPDATE: improve php5-cgi query string parameter parsing
    - debian/patches/CVE-2012-233x.patch: improve parsing in
      sapi/cgi/cgi_main.c.
    - CVE-2012-2335
    - CVE-2012-2336
  * SECURITY UPDATE: phar extension heap overflow
    - debian/patches/CVE-2012-2386.patch: check for overflow in
      ext/phar/tar.c.
    - CVE-2012-2386
 -- Marc Deslauriers <email address hidden>   Tue, 12 Jun 2012 15:38:21 -0400
Superseded in hardy-updates on 2012-09-17
Superseded in hardy-security on 2012-09-17
php5 (5.2.4-2ubuntu5.25) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service via invalid tidy objects
    - debian/patches/CVE-2012-0781.patch: track initialization in
      ext/tidy/tidy.c, added tests to ext/tidy/tests/004.phpt,
      ext/tidy/tests/bug54682.phpt.
    - CVE-2012-0781
  * SECURITY UPDATE: denial of service or possible directory traversal via
    invalid filename.
    - debian/patches/CVE-2012-1172.patch: ensure brackets get closed in
      main/rfc1867.c, add test to tests/basic/bug55500.phpt.
    - CVE-2012-1172
  * SECURITY UPDATE: improve php5-cgi query string parameter parsing
    - debian/patches/CVE-2012-233x.patch: improve parsing in
      sapi/cgi/cgi_main.c.
    - CVE-2012-2335
    - CVE-2012-2336
 -- Marc Deslauriers <email address hidden>   Tue, 12 Jun 2012 16:02:25 -0400
Superseded in oneiric-updates on 2012-09-17
Superseded in oneiric-security on 2012-09-17
php5 (5.3.6-13ubuntu3.8) oneiric-security; urgency=low

  * SECURITY UPDATE: denial of service via invalid tidy objects
    - debian/patches/CVE-2012-0781.patch: track initialization in
      ext/tidy/tidy.c, added tests to ext/tidy/tests/004.phpt,
      ext/tidy/tests/bug54682.phpt.
    - CVE-2012-0781
  * SECURITY UPDATE: denial of service or possible directory traversal via
    invalid filename.
    - debian/patches/CVE-2012-1172.patch: ensure brackets get closed in
      main/rfc1867.c, add test to tests/basic/bug55500.phpt.
    - CVE-2012-1172
  * SECURITY UPDATE: password truncation via invalid byte
    - debian/patches/CVE-2012-2143.patch: improve logic in
      ext/standard/crypt_freesec.c, add test to
      ext/standard/tests/strings/crypt_chars.phpt.
    - CVE-2012-2143
  * SECURITY UPDATE: improve php5-cgi query string parameter parsing
    - debian/patches/CVE-2012-233x.patch: improve parsing in
      sapi/cgi/cgi_main.c.
    - CVE-2012-2335
    - CVE-2012-2336
  * SECURITY UPDATE: phar extension heap overflow
    - debian/patches/CVE-2012-2386.patch: check for overflow in
      ext/phar/tar.c.
    - CVE-2012-2386
 -- Marc Deslauriers <email address hidden>   Tue, 12 Jun 2012 15:31:43 -0400
Superseded in precise-updates on 2012-09-12
Superseded in precise-security on 2012-09-17
php5 (5.3.10-1ubuntu3.2) precise-security; urgency=low

  * SECURITY UPDATE: denial of service via invalid tidy objects
    - debian/patches/CVE-2012-0781.patch: track initialization in
      ext/tidy/tidy.c, added tests to ext/tidy/tests/004.phpt,
      ext/tidy/tests/bug54682.phpt.
    - CVE-2012-0781
  * SECURITY UPDATE: denial of service or possible directory traversal via
    invalid filename.
    - debian/patches/CVE-2012-1172.patch: ensure brackets get closed in
      main/rfc1867.c, add test to tests/basic/bug55500.phpt.
    - CVE-2012-1172
  * SECURITY UPDATE: password truncation via invalid byte
    - debian/patches/CVE-2012-2143.patch: improve logic in
      ext/standard/crypt_freesec.c, add test to
      ext/standard/tests/strings/crypt_chars.phpt.
    - CVE-2012-2143
  * SECURITY UPDATE: improve php5-cgi query string parameter parsing
    - debian/patches/CVE-2012-233x.patch: improve parsing in
      sapi/cgi/cgi_main.c.
    - CVE-2012-2335
    - CVE-2012-2336
  * SECURITY UPDATE: phar extension heap overflow
    - debian/patches/CVE-2012-2386.patch: check for overflow in
      ext/phar/tar.c.
    - CVE-2012-2386
 -- Marc Deslauriers <email address hidden>   Tue, 12 Jun 2012 13:40:37 -0400
Superseded in quantal-release on 2012-06-19
php5 (5.3.10-1ubuntu4) quantal; urgency=low

  * SECURITY UPDATE: php5-cgi query string parameters parsing
    vulnerability
    - debian/patches/php5-CVE-2012-1823.patch: filter query strings that
      are prefixed with '-'
    - CVE-2012-1823
    - CVE-2012-2311
 -- Steve Beattie <email address hidden>   Wed, 23 May 2012 15:57:57 -0400
Superseded in precise-updates on 2012-06-19
Superseded in precise-security on 2012-06-19
php5 (5.3.10-1ubuntu3.1) precise-security; urgency=low

  * SECURITY UPDATE: php5-cgi query string parameters parsing
    vulnerability
    - debian/patches/php5-CVE-2012-1823.patch: filter query strings that
      are prefixed with '-'
    - CVE-2012-1823
    - CVE-2012-2311
 -- Steve Beattie <email address hidden>   Thu, 03 May 2012 15:42:08 -0700
Superseded in hardy-updates on 2012-06-19
Superseded in hardy-security on 2012-06-19
php5 (5.2.4-2ubuntu5.24) hardy-security; urgency=low

  * SECURITY UPDATE: php5-cgi query string parameters parsing
    vulnerability
    - debian/patches/php5-CVE-2012-1823.patch: filter query strings that
      are prefixed with '-'
    - CVE-2012-1823
    - CVE-2012-2311
 -- Steve Beattie <email address hidden>   Thu, 03 May 2012 15:33:40 -0700
Superseded in oneiric-updates on 2012-06-19
Superseded in oneiric-security on 2012-06-19
php5 (5.3.6-13ubuntu3.7) oneiric-security; urgency=low

  * SECURITY UPDATE: php5-cgi query string parameters parsing
    vulnerability
    - debian/patches/php5-CVE-2012-1823.patch: filter query strings that
      are prefixed with '-'
    - CVE-2012-1823
    - CVE-2012-2311
 -- Steve Beattie <email address hidden>   Thu, 03 May 2012 15:12:00 -0700
Superseded in natty-updates on 2012-06-19
Superseded in natty-security on 2012-06-19
php5 (5.3.5-1ubuntu7.8) natty-security; urgency=low

  * SECURITY UPDATE: php5-cgi query string parameters parsing
    vulnerability
    - debian/patches/php5-CVE-2012-1823.patch: filter query strings that
      are prefixed with '-'
    - CVE-2012-1823
    - CVE-2012-2311
 -- Steve Beattie <email address hidden>   Thu, 03 May 2012 15:12:33 -0700
Superseded in lucid-updates on 2012-06-19
Superseded in lucid-security on 2012-06-19
php5 (5.3.2-1ubuntu4.15) lucid-security; urgency=low

  * SECURITY UPDATE: php5-cgi query string parameters parsing
    vulnerability
    - debian/patches/php5-CVE-2012-1823.patch: filter query strings that
      are prefixed with '-'
    - CVE-2012-1823
    - CVE-2012-2311
 -- Steve Beattie <email address hidden>   Thu, 03 May 2012 15:13:14 -0700
Superseded in quantal-release on 2012-05-23
Published in precise-release on 2012-04-11
php5 (5.3.10-1ubuntu3) precise; urgency=low

  * Cherry picked fixes from Debian testing:
    - d/maxlifetime: Improve maxlifetime script to scan for more SAPIs and
      scan all *.ini in conf.d directory.
      (LP: #916065).
    - d/libapache2-mod-php5.postinst,libapache2-mod-php5filter.postinst:
      Restart apache on first install to ensure module is fully enabled.
      (LP: #953081).
 -- James Page <email address hidden>   Wed, 11 Apr 2012 14:27:10 +0100
Superseded in precise-release on 2012-04-11
php5 (5.3.10-1ubuntu2) precise; urgency=low

  * Pre-Depend on a new enough version of dpkg for dpkg-maintscript-helper
    rather than checking whether it exists at run-time, leading to more
    predictable behaviour on upgrades.
 -- Colin Watson <email address hidden>   Mon, 05 Mar 2012 12:21:35 +0000

Available diffs

Superseded in precise-release on 2012-03-05
php5 (5.3.10-1ubuntu1) precise; urgency=low

  * Merge from Debian testing.  Remaining changes:
    - d/control: build-depend on mysql 5.5 instead of 5.1 for running tests.
    - d/setup-mysql.sh: modify to work with mysql 5.5 differences
    - debian/rules: export DEB_HOST_MULTIARCH properly.
    - Only build php5-sqlite for sqlite3, dropping the obsolete sqlite2.
    - Add build-dependency on lemon, which we now need.
    - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe.
    - Dropped libcurl-dev not in the archive.
    - debian/control: replace build-depends on mysql-server with
      mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
      mysql-server-5.5 postinst confusion with starting up multiple
      mysqlds listening on the same port.
    - Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions
      already in universe.
    - Suggest php5-suhosin rather than recommends.
    - Dropped libonig-dev and libqgdbm since its in universe. (libonig MIR
      has been declined due to an inactive upstream. So this is probably
      a permanent change).
    - modulelist: Drop imap, interbase, sybase, and mcrypt.
    - debian/rules:
      * Dropped building of mcrypt, imap, and interbase.
      * Install apport hook for php5.
      * stop mysql instance on clean just in case we failed in tests
    - debian/control: Recommend php5-dev for php-pear.
  * Dropped Changes:
    - d/patches/CVE-2011-4566.patch: Applied upstream
    - debian/rules: --enable-pcntl for cgi as well. (Applied in Debian)
  * d/rules: enable Suhosin patch with PHP5_SUHOSIN=yes
  * d/NEWS: add note explaining that SUHOSIN *is* enabled in the Ubuntu
    package.
  * d/rules: Simplify apache config settings since we never build
    interbase or firebird.

Available diffs

Superseded in lucid-updates on 2012-05-04
Superseded in lucid-security on 2012-05-04
php5 (5.3.2-1ubuntu4.14) lucid-security; urgency=low

  * debian/patches/php5-CVE-2012-0831-regression.patch: fix
    magic_quotes_gpc ini setting regression introduced by patch for
    CVE-2012-0831. Thanks to Ondřej Surý for the patch. (LP: #930115)
 -- Steve Beattie <email address hidden>   Fri, 10 Feb 2012 15:07:08 -0800
Superseded in natty-updates on 2012-05-04
Superseded in natty-security on 2012-05-04
php5 (5.3.5-1ubuntu7.7) natty-security; urgency=low

  * debian/patches/php5-CVE-2012-0831-regression.patch: fix
    magic_quotes_gpc ini setting regression introduced by patch for
    CVE-2012-0831. Thanks to Ondřej Surý for the patch. (LP: #930115)
 -- Steve Beattie <email address hidden>   Fri, 10 Feb 2012 14:58:23 -0800
175 of 280 results