Change log for php5 package in Ubuntu

175 of 350 results
Published in precise-updates on 2016-08-02
Published in precise-security on 2016-08-02
php5 (5.3.10-1ubuntu3.24) precise-security; urgency=medium

  * SECURITY UPDATE: segfault in SplMinHeap::compare
    - debian/patches/CVE-2015-4116.patch: properly handle count in
      ext/spl/spl_heap.c, added test to ext/spl/tests/bug69737.phpt.
    - CVE-2015-4116
  * SECURITY UPDATE: denial of service via recursive method calls
    - debian/patches/CVE-2015-8873.patch: add limit to
      Zend/zend_exceptions.c, add tests to
      ext/standard/tests/serialize/bug69152.phpt,
      ext/standard/tests/serialize/bug69793.phpt,
      sapi/cli/tests/005.phpt.
    - CVE-2015-8873
  * SECURITY UPDATE: denial of service or code execution via crafted
    serialized data
    - debian/patches/CVE-2015-8876.patch: fix logic in
      Zend/zend_exceptions.c, added test to Zend/tests/bug70121.phpt.
    - CVE-2015-8876
  * SECURITY UPDATE: XSS in header() with Internet Explorer (LP: #1594041)
    - debian/patches/CVE-2015-8935.patch: update header handling to
      RFC 7230 in main/SAPI.c, added tests to
      ext/standard/tests/general_functions/bug60227_*.phpt.
    - CVE-2015-8935
  * SECURITY UPDATE: get_icu_value_internal out-of-bounds read
    - debian/patches/CVE-2016-5093.patch: add enough space in
      ext/intl/locale/locale_methods.c, added test to
      ext/intl/tests/bug72241.phpt.
    - CVE-2016-5093
  * SECURITY UPDATE: integer overflow in php_html_entities()
    - debian/patches/CVE-2016-5094.patch: don't create strings with lengths
      outside int range in ext/standard/html.c.
    - CVE-2016-5094
  * SECURITY UPDATE: string overflows in string add operations
    - debian/patches/CVE-2016-5095.patch: check for size overflow in
      Zend/zend_operators.c.
    - CVE-2016-5095
  * SECURITY UPDATE: int/size_t confusion in fread
    - debian/patches/CVE-2016-5096.patch: check string length in
      ext/standard/file.c, added test to
      ext/standard/tests/file/bug72114.phpt.
    - CVE-2016-5096
  * SECURITY UPDATE: memory leak and buffer overflow in FPM
    - debian/patches/CVE-2016-5114.patch: check buffer length in
      sapi/fpm/fpm/fpm_log.c.
    - CVE-2016-5114
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5385.patch: only use HTTP_PROXY from the
      local environment in ext/standard/basic_functions.c, main/SAPI.c,
      main/php_variables.c.
    - CVE-2016-5385
  * SECURITY UPDATE: inadequate error handling in bzread()
    - debian/patches/CVE-2016-5399.patch: do not allow reading past error
      read in ext/bz2/bz2.c.
    - CVE-2016-5399
  * SECURITY UPDATE: integer overflows in mcrypt
    - debian/patches/CVE-2016-5769.patch: check for overflow in
      ext/mcrypt/mcrypt.c.
    - CVE-2016-5769
  * SECURITY UPDATE: double free corruption in wddx_deserialize
    - debian/patches/CVE-2016-5772.patch: prevent double-free in
      ext/wddx/wddx.c, added test to ext/wddx/tests/bug72340.phpt.
    - CVE-2016-5772
  * SECURITY UPDATE: buffer overflow in php_url_parse_ex()
    - debian/patches/CVE-2016-6288.patch: handle length in
      ext/standard/url.c.
    - CVE-2016-6288
  * SECURITY UPDATE: integer overflow in the virtual_file_ex function
    - debian/patches/CVE-2016-6289.patch: properly check path_length in
      Zend/zend_virtual_cwd.c.
    - CVE-2016-6289
  * SECURITY UPDATE: use after free in unserialize() with unexpected
    session deserialization
    - debian/patches/CVE-2016-6290.patch: destroy var_hash properly in
      ext/session/session.c, added test to ext/session/tests/bug72562.phpt.
    - CVE-2016-6290
  * SECURITY UPDATE: out of bounds read in exif_process_IFD_in_MAKERNOTE
    - debian/patches/CVE-2016-6291.patch: add more bounds checks to
      ext/exif/exif.c.
    - CVE-2016-6291
  * SECURITY UPDATE: locale_accept_from_http out-of-bounds access
    - debian/patches/CVE-2016-6294.patch: check length in
      ext/intl/locale/locale_methods.c, added test to
      ext/intl/tests/bug72533.phpt.
    - CVE-2016-6294
  * SECURITY UPDATE: heap buffer overflow in simplestring_addn
    - debian/patches/CVE-2016-6296.patch: prevent overflows in
      ext/xmlrpc/libxmlrpc/simplestring.*.
    - CVE-2016-6296
  * SECURITY UPDATE: integer overflow in php_stream_zip_opener
    - debian/patches/CVE-2016-6297.patch: use size_t in
      ext/zip/zip_stream.c.
    - CVE-2016-6297
  * debian/patches/fix_exif_tests.patch: fix exif test results after
    security changes.

 -- Marc Deslauriers <email address hidden>  Mon, 01 Aug 2016 13:27:52 -0400
Published in trusty-updates on 2016-08-02
Published in trusty-security on 2016-08-02
php5 (5.5.9+dfsg-1ubuntu4.19) trusty-security; urgency=medium

  * SECURITY UPDATE: segfault in SplMinHeap::compare
    - debian/patches/CVE-2015-4116.patch: properly handle count in
      ext/spl/spl_heap.c, added test to ext/spl/tests/bug69737.phpt.
    - CVE-2015-4116
  * SECURITY UPDATE: denial of service via recursive method calls
    - debian/patches/CVE-2015-8873.patch: add limit to
      Zend/zend_exceptions.c, add tests to
      ext/standard/tests/serialize/bug69152.phpt,
      ext/standard/tests/serialize/bug69793.phpt,
      sapi/cli/tests/005.phpt.
    - CVE-2015-8873
  * SECURITY UPDATE: denial of service or code execution via crafted
    serialized data
    - debian/patches/CVE-2015-8876.patch: fix logic in
      Zend/zend_exceptions.c, added test to Zend/tests/bug70121.phpt.
    - CVE-2015-8876
  * SECURITY UPDATE: XSS in header() with Internet Explorer (LP: #1594041)
    - debian/patches/CVE-2015-8935.patch: update header handling to
      RFC 7230 in main/SAPI.c, added tests to
      ext/standard/tests/general_functions/bug60227_*.phpt.
    - CVE-2015-8935
  * SECURITY UPDATE: get_icu_value_internal out-of-bounds read
    - debian/patches/CVE-2016-5093.patch: add enough space in
      ext/intl/locale/locale_methods.c, added test to
      ext/intl/tests/bug72241.phpt.
    - CVE-2016-5093
  * SECURITY UPDATE: integer overflow in php_html_entities()
    - debian/patches/CVE-2016-5094.patch: don't create strings with lengths
      outside int range in ext/standard/html.c.
    - CVE-2016-5094
  * SECURITY UPDATE: string overflows in string add operations
    - debian/patches/CVE-2016-5095.patch: check for size overflow in
      Zend/zend_operators.c.
    - CVE-2016-5095
  * SECURITY UPDATE: int/size_t confusion in fread
    - debian/patches/CVE-2016-5096.patch: check string length in
      ext/standard/file.c, added test to
      ext/standard/tests/file/bug72114.phpt.
    - CVE-2016-5096
  * SECURITY UPDATE: memory leak and buffer overflow in FPM
    - debian/patches/CVE-2016-5114.patch: check buffer length in
      sapi/fpm/fpm/fpm_log.c.
    - CVE-2016-5114
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5385.patch: only use HTTP_PROXY from the
      local environment in ext/standard/basic_functions.c, main/SAPI.c,
      main/php_variables.c.
    - CVE-2016-5385
  * SECURITY UPDATE: inadequate error handling in bzread()
    - debian/patches/CVE-2016-5399.patch: do not allow reading past error
      read in ext/bz2/bz2.c.
    - CVE-2016-5399
  * SECURITY UPDATE: double free in _php_mb_regex_ereg_replace_exec
    - debian/patches/CVE-2016-5768.patch: check pointer in
      ext/mbstring/php_mbregex.c, added test to
      ext/mbstring/tests/bug72402.phpt.
    - CVE-2016-5768
  * SECURITY UPDATE: integer overflows in mcrypt
    - debian/patches/CVE-2016-5769.patch: check for overflow in
      ext/mcrypt/mcrypt.c.
    - CVE-2016-5769
  * SECURITY UPDATE: ese after free GC algorithm and unserialize
    - debian/patches/CVE-2016-5771.patch: added new handler in
      ext/spl/spl_array.c, added test to Zend/tests/gc_024.phpt,
      ext/standard/tests/strings/bug72433.phpt.
    - CVE-2016-5771
  * SECURITY UPDATE: double free corruption in wddx_deserialize
    - debian/patches/CVE-2016-5772.patch: prevent double-free in
      ext/wddx/wddx.c, added test to ext/wddx/tests/bug72340.phpt.
    - CVE-2016-5772
  * SECURITY UPDATE: use after free in ZipArchive class
    - debian/patches/CVE-2016-5773.patch: add new handler in
      ext/zip/php_zip.c, added test to
      ext/standard/tests/strings/bug72434.phpt.
    - CVE-2016-5773
  * SECURITY UPDATE: buffer overflow in php_url_parse_ex()
    - debian/patches/CVE-2016-6288.patch: handle length in
      ext/standard/url.c.
    - CVE-2016-6288
  * SECURITY UPDATE: integer overflow in the virtual_file_ex function
    - debian/patches/CVE-2016-6289.patch: properly check path_length in
      Zend/zend_virtual_cwd.c.
    - CVE-2016-6289
  * SECURITY UPDATE: use after free in unserialize() with unexpected
    session deserialization
    - debian/patches/CVE-2016-6290.patch: destroy var_hash properly in
      ext/session/session.c, added test to ext/session/tests/bug72562.phpt.
    - CVE-2016-6290
  * SECURITY UPDATE: out of bounds read in exif_process_IFD_in_MAKERNOTE
    - debian/patches/CVE-2016-6291.patch: add more bounds checks to
      ext/exif/exif.c.
    - CVE-2016-6291
  * SECURITY UPDATE: NULL pointer dereference in exif_process_user_comment
    - debian/patches/CVE-2016-6292.patch: properly handle encoding in
      ext/exif/exif.c.
    - CVE-2016-6292
  * SECURITY UPDATE: locale_accept_from_http out-of-bounds access
    - debian/patches/CVE-2016-6294.patch: check length in
      ext/intl/locale/locale_methods.c, added test to
      ext/intl/tests/bug72533.phpt.
    - CVE-2016-6294
  * SECURITY UPDATE: use after free vulnerability in SNMP with GC and
    unserialize()
    - debian/patches/CVE-2016-6295.patch: add new handler to
      ext/snmp/snmp.c, add test to ext/snmp/tests/bug72479.phpt.
    - CVE-2016-6295
  * SECURITY UPDATE: heap buffer overflow in simplestring_addn
    - debian/patches/CVE-2016-6296.patch: prevent overflows in
      ext/xmlrpc/libxmlrpc/simplestring.*.
    - CVE-2016-6296
  * SECURITY UPDATE: integer overflow in php_stream_zip_opener
    - debian/patches/CVE-2016-6297.patch: use size_t in
      ext/zip/zip_stream.c.
    - CVE-2016-6297
  * debian/patches/fix_exif_tests.patch: fix exif test results after
    security changes.

 -- Marc Deslauriers <email address hidden>  Thu, 28 Jul 2016 08:57:10 -0400
Deleted in trusty-proposed on 2016-08-03 (Reason: moved to -updates)
php5 (5.5.9+dfsg-1ubuntu4.18) trusty; urgency=medium

  * Fix zlib function naming with LFS (LP: #1315888).

 -- Nishanth Aravamudan <email address hidden>  Tue, 31 May 2016 08:58:02 -0400
Superseded in precise-updates on 2016-08-02
Superseded in precise-security on 2016-08-02
php5 (5.3.10-1ubuntu3.23) precise-security; urgency=medium

  * SECURITY UPDATE: heap corruption in tar/zip/phar parser
    - debian/patches/CVE-2016-4342.patch: remove UMR when size is 0 in
      ext/phar/phar_object.c.
    - CVE-2016-4342
  * SECURITY UPDATE: uninitialized pointer in phar_make_dirstream()
    - debian/patches/CVE-2016-4343.patch: check lengths in
      ext/phar/dirstream.c, ext/phar/tar.c.
    - CVE-2016-4343
  * SECURITY UPDATE: bcpowmod accepts negative scale and corrupts _one_
    definition
    - debian/patches/CVE-2016-4537.patch: properly detect scale in
      ext/bcmath/bcmath.c, add test to ext/bcmath/tests/bug72093.phpt.
    - CVE-2016-4537
    - CVE-2016-4538
  * SECURITY UPDATE: xml_parse_into_struct segmentation fault
    - debian/patches/CVE-2016-4539.patch: check parser->level in
      ext/xml/xml.c, added test to ext/xml/tests/bug72099.phpt.
    - CVE-2016-4539
  * SECURITY UPDATE: out-of-bounds reads in zif_grapheme_stripos and
    zif_grapheme_strpos with negative offset
    - debian/patches/CVE-2016-4540.patch: check bounds in
      ext/intl/grapheme/grapheme_string.c, added test to
      ext/intl/tests/bug72061.phpt.
    - CVE-2016-4540
    - CVE-2016-4541
  * SECURITY UPDATE: out of bounds heap read access in exif header
    processing
    - debian/patches/CVE-2016-4542.patch: check sizes and length in
      ext/exif/exif.c.
    - CVE-2016-4542
    - CVE-2016-4543
    - CVE-2016-4544

 -- Marc Deslauriers <email address hidden>  Thu, 19 May 2016 12:54:58 -0400
Superseded in trusty-updates on 2016-08-02
Superseded in trusty-security on 2016-08-02
php5 (5.5.9+dfsg-1ubuntu4.17) trusty-security; urgency=medium

  * SECURITY UPDATE: heap corruption in tar/zip/phar parser
    - debian/patches/CVE-2016-4342.patch: remove UMR when size is 0 in
      ext/phar/phar_object.c.
    - CVE-2016-4342
  * SECURITY UPDATE: uninitialized pointer in phar_make_dirstream()
    - debian/patches/CVE-2016-4343.patch: check lengths in
      ext/phar/dirstream.c, ext/phar/tar.c.
    - CVE-2016-4343
  * SECURITY UPDATE: bcpowmod accepts negative scale and corrupts _one_
    definition
    - debian/patches/CVE-2016-4537.patch: properly detect scale in
      ext/bcmath/bcmath.c, add test to ext/bcmath/tests/bug72093.phpt.
    - CVE-2016-4537
    - CVE-2016-4538
  * SECURITY UPDATE: xml_parse_into_struct segmentation fault
    - debian/patches/CVE-2016-4539.patch: check parser->level in
      ext/xml/xml.c, added test to ext/xml/tests/bug72099.phpt.
    - CVE-2016-4539
  * SECURITY UPDATE: out-of-bounds reads in zif_grapheme_stripos and
    zif_grapheme_strpos with negative offset
    - debian/patches/CVE-2016-4540.patch: check bounds in
      ext/intl/grapheme/grapheme_string.c, added test to
      ext/intl/tests/bug72061.phpt.
    - CVE-2016-4540
    - CVE-2016-4541
  * SECURITY UPDATE: out of bounds heap read access in exif header
    processing
    - debian/patches/CVE-2016-4542.patch: check sizes and length in
      ext/exif/exif.c.
    - CVE-2016-4542
    - CVE-2016-4543
    - CVE-2016-4544

 -- Marc Deslauriers <email address hidden>  Thu, 19 May 2016 12:45:01 -0400
Published in wily-updates on 2016-05-24
Published in wily-security on 2016-05-24
php5 (5.6.11+dfsg-1ubuntu3.4) wily-security; urgency=medium

  * SECURITY UPDATE: heap corruption in tar/zip/phar parser
    - debian/patches/CVE-2016-4342.patch: remove UMR when size is 0 in
      ext/phar/phar_object.c.
    - CVE-2016-4342
  * SECURITY UPDATE: uninitialized pointer in phar_make_dirstream()
    - debian/patches/CVE-2016-4343.patch: check lengths in
      ext/phar/dirstream.c, ext/phar/tar.c.
    - CVE-2016-4343
  * SECURITY UPDATE: bcpowmod accepts negative scale and corrupts _one_
    definition
    - debian/patches/CVE-2016-4537.patch: properly detect scale in
      ext/bcmath/bcmath.c, add test to ext/bcmath/tests/bug72093.phpt.
    - CVE-2016-4537
    - CVE-2016-4538
  * SECURITY UPDATE: xml_parse_into_struct segmentation fault
    - debian/patches/CVE-2016-4539.patch: check parser->level in
      ext/xml/xml.c, added test to ext/xml/tests/bug72099.phpt.
    - CVE-2016-4539
  * SECURITY UPDATE: out-of-bounds reads in zif_grapheme_stripos and
    zif_grapheme_strpos with negative offset
    - debian/patches/CVE-2016-4540.patch: check bounds in
      ext/intl/grapheme/grapheme_string.c, added test to
      ext/intl/tests/bug72061.phpt.
    - CVE-2016-4540
    - CVE-2016-4541
  * SECURITY UPDATE: out of bounds heap read access in exif header
    processing
    - debian/patches/CVE-2016-4542.patch: check sizes and length in
      ext/exif/exif.c.
    - CVE-2016-4542
    - CVE-2016-4543
    - CVE-2016-4544

 -- Marc Deslauriers <email address hidden>  Thu, 19 May 2016 12:03:33 -0400
Superseded in wily-updates on 2016-05-24
Superseded in wily-security on 2016-05-24
php5 (5.6.11+dfsg-1ubuntu3.3) wily-security; urgency=medium

  * SECURITY REGRESSION: out of memory in SOAP (LP: #1575298)
    - debian/patches/CVE-2015-8835.patch: updated to fix bad patch
      backport.

 -- Marc Deslauriers <email address hidden>  Tue, 26 Apr 2016 14:57:54 -0400
Superseded in trusty-updates on 2016-05-24
Superseded in trusty-security on 2016-05-24
php5 (5.5.9+dfsg-1ubuntu4.16) trusty-security; urgency=medium

  * SECURITY UPDATE: directory traversal in ZipArchive::extractTo
    - debian/patches/CVE-2014-9767.patch: use proper path in
      ext/zip/php_zip.c, added test to ext/zip/tests/bug70350.phpt.
    - CVE-2014-9767
  * SECURITY UPDATE: type confusion issue in SoapClient
    - debian/patches/CVE-2015-8835.patch: check types in
      ext/soap/php_http.c.
    - CVE-2015-8835
    - CVE-2016-3185
  * SECURITY UPDATE: mysqlnd is vulnerable to BACKRONYM
    - debian/patches/CVE-2015-8838.patch: fix ssl handling in
      ext/mysqlnd/mysqlnd.c.
    - CVE-2015-8838
  * SECURITY UPDATE: denial of service or memory disclosure in gd via large
    bgd_color argument to imagerotate
    - debian/patches/CVE-2016-1903.patch: check bgcolor in
      ext/gd/libgd/gd_interpolation.c, added test to
      ext/gd/tests/bug70976.phpt.
    - CVE-2016-1903
  * SECURITY UPDATE: stack overflow when decompressing tar archives
    - debian/patches/CVE-2016-2554.patch: handle non-terminated linknames
      in ext/phar/tar.c.
    - CVE-2016-2554
  * SECURITY UPDATE: use-after-free in WDDX
    - debian/patches/CVE-2016-3141.patch: fix stack in ext/wddx/wddx.c,
      added test to ext/wddx/tests/bug71587.phpt.
    - CVE-2016-3141
  * SECURITY UPDATE: out-of-Bound Read in phar_parse_zipfile()
    - debian/patches/CVE-2016-3142.patch: check bounds in ext/phar/zip.c.
    - CVE-2016-3142
  * SECURITY UPDATE: libxml_disable_entity_loader setting is shared between
    threads
    - debian/patches/bug64938.patch: enable entity loader in
      ext/libxml/libxml.c.
    - No CVE number
  * SECURITY UPDATE: openssl_random_pseudo_bytes() is not cryptographically
    secure
    - debian/patches/bug70014.patch: use RAND_bytes instead of deprecated
      RAND_pseudo_bytes in ext/openssl/openssl.c.
    - No CVE number
  * SECURITY UPDATE: buffer over-write in finfo_open with malformed magic
    file
    - debian/patches/bug71527.patch: properly calculate length in
      ext/fileinfo/libmagic/funcs.c, added test to
      ext/fileinfo/tests/bug71527.magic.
    - CVE number pending
  * SECURITY UPDATE: php_snmp_error() format string Vulnerability
    - debian/patches/bug71704.patch: use format string in ext/snmp/snmp.c.
    - CVE number pending
  * SECURITY UPDATE: integer overflow in php_raw_url_encode
    - debian/patches/bug71798.patch: use size_t in ext/standard/url.c.
    - CVE number pending
  * SECURITY UPDATE: invalid memory write in phar on filename containing
    NULL
    - debian/patches/bug71860.patch: require valid paths in
      ext/phar/phar.c, ext/phar/phar_object.c, fix tests in
      ext/phar/tests/badparameters.phpt,
      ext/phar/tests/create_path_error.phpt,
      ext/phar/tests/phar_extract.phpt,
      ext/phar/tests/phar_isvalidpharfilename.phpt,
      ext/phar/tests/phar_unlinkarchive.phpt,
      ext/phar/tests/pharfileinfo_construct.phpt.
    - CVE number pending
  * SECURITY UPDATE: invalid negative size in mbfl_strcut
    - debian/patches/bug71906.patch: fix length checks in
      ext/mbstring/libmbfl/mbfl/mbfilter.c.
    - CVE number pending
  * This package does _NOT_ contain the changes from php5
    (5.5.9+dfsg-1ubuntu4.15) in trusty-proposed.

 -- Marc Deslauriers <email address hidden>  Wed, 20 Apr 2016 09:52:09 -0400
Superseded in precise-updates on 2016-05-24
Superseded in precise-security on 2016-05-24
php5 (5.3.10-1ubuntu3.22) precise-security; urgency=medium

  * SECURITY UPDATE: directory traversal in ZipArchive::extractTo
    - debian/patches/CVE-2014-9767.patch: use proper path in
      ext/zip/php_zip.c, added test to ext/zip/tests/bug70350.phpt.
    - CVE-2014-9767
  * SECURITY UPDATE: type confusion issue in SoapClient
    - debian/patches/CVE-2015-8835.patch: check types in
      ext/soap/php_http.c.
    - CVE-2015-8835
    - CVE-2016-3185
  * SECURITY UPDATE: mysqlnd is vulnerable to BACKRONYM
    - debian/patches/CVE-2015-8838.patch: fix ssl handling in
      ext/mysqlnd/mysqlnd.c.
    - CVE-2015-8838
  * SECURITY UPDATE: stack overflow when decompressing tar archives
    - debian/patches/CVE-2016-2554.patch: handle non-terminated linknames
      in ext/phar/tar.c.
    - CVE-2016-2554
  * SECURITY UPDATE: use-after-free in WDDX
    - debian/patches/CVE-2016-3141.patch: fix stack in ext/wddx/wddx.c,
      added test to ext/wddx/tests/bug71587.phpt.
    - CVE-2016-3141
  * SECURITY UPDATE: out-of-Bound Read in phar_parse_zipfile()
    - debian/patches/CVE-2016-3142.patch: check bounds in ext/phar/zip.c.
    - CVE-2016-3142
  * SECURITY UPDATE: libxml_disable_entity_loader setting is shared between
    threads
    - debian/patches/bug64938.patch: enable entity loader in
      ext/libxml/libxml.c.
    - No CVE number
  * SECURITY UPDATE: openssl_random_pseudo_bytes() is not cryptographically
    secure
    - debian/patches/bug70014.patch: use RAND_bytes instead of deprecated
      RAND_pseudo_bytes in ext/openssl/openssl.c.
    - No CVE number
  * SECURITY UPDATE: buffer over-write in finfo_open with malformed magic
    file
    - debian/patches/bug71527.patch: properly calculate length in
      ext/fileinfo/libmagic/funcs.c, added test to
      ext/fileinfo/tests/bug71527.magic.
    - CVE number pending
  * SECURITY UPDATE: integer overflow in php_raw_url_encode
    - debian/patches/bug71798.patch: use size_t in ext/standard/url.c.
    - CVE number pending
  * SECURITY UPDATE: invalid memory write in phar on filename containing
    NULL
    - debian/patches/bug71860.patch: require valid paths in
      ext/phar/phar.c, ext/phar/phar_object.c.
    - CVE number pending
  * SECURITY UPDATE: invalid negative size in mbfl_strcut
    - debian/patches/bug71906.patch: fix length checks in
      ext/mbstring/libmbfl/mbfl/mbfilter.c.
    - CVE number pending

 -- Marc Deslauriers <email address hidden>  Tue, 19 Apr 2016 16:55:56 -0400
Superseded in wily-updates on 2016-04-27
Superseded in wily-security on 2016-04-27
php5 (5.6.11+dfsg-1ubuntu3.2) wily-security; urgency=medium

  * SECURITY UPDATE: directory traversal in ZipArchive::extractTo
    - debian/patches/CVE-2014-9767.patch: use proper path in
      ext/zip/php_zip.c, added test to ext/zip/tests/bug70350.phpt.
    - CVE-2014-9767
  * SECURITY UPDATE: type confusion issue in SoapClient
    - debian/patches/CVE-2015-8835.patch: check types in
      ext/soap/php_http.c.
    - CVE-2015-8835
    - CVE-2016-3185
  * SECURITY UPDATE: denial of service or memory disclosure in gd via large
    bgd_color argument to imagerotate
    - debian/patches/CVE-2016-1903.patch: check bgcolor in
      ext/gd/libgd/gd_interpolation.c, added test to
      ext/gd/tests/bug70976.phpt.
    - CVE-2016-1903
  * SECURITY UPDATE: stack overflow when decompressing tar archives
    - debian/patches/CVE-2016-2554.patch: handle non-terminated linknames
      in ext/phar/tar.c.
    - CVE-2016-2554
  * SECURITY UPDATE: use-after-free in WDDX
    - debian/patches/CVE-2016-3141.patch: fix stack in ext/wddx/wddx.c,
      added test to ext/wddx/tests/bug71587.phpt.
    - CVE-2016-3141
  * SECURITY UPDATE: out-of-Bound Read in phar_parse_zipfile()
    - debian/patches/CVE-2016-3142.patch: check bounds in ext/phar/zip.c.
    - CVE-2016-3142
  * SECURITY UPDATE: openssl_random_pseudo_bytes() is not cryptographically
    secure
    - debian/patches/bug70014.patch: use RAND_bytes instead of deprecated
      RAND_pseudo_bytes in ext/openssl/openssl.c.
    - No CVE number
  * SECURITY UPDATE: buffer over-write in finfo_open with malformed magic
    file
    - debian/patches/bug71527.patch: properly calculate length in
      ext/fileinfo/libmagic/funcs.c, added test to
      ext/fileinfo/tests/bug71527.magic.
    - CVE number pending
  * SECURITY UPDATE: php_snmp_error() format string Vulnerability
    - debian/patches/bug71704.patch: use format string in ext/snmp/snmp.c.
    - CVE number pending
  * SECURITY UPDATE: integer overflow in php_raw_url_encode
    - debian/patches/bug71798.patch: use size_t in ext/standard/url.c.
    - CVE number pending
  * SECURITY UPDATE: invalid memory write in phar on filename containing
    NULL
    - debian/patches/bug71860.patch: require valid paths in
      ext/phar/phar.c, ext/phar/phar_object.c, fix tests in
      ext/phar/tests/badparameters.phpt,
      ext/phar/tests/bug64931/bug64931.phpt,
      ext/phar/tests/create_path_error.phpt,
      ext/phar/tests/phar_extract.phpt,
      ext/phar/tests/phar_isvalidpharfilename.phpt,
      ext/phar/tests/phar_unlinkarchive.phpt,
      ext/phar/tests/pharfileinfo_construct.phpt.
    - CVE number pending
  * SECURITY UPDATE: invalid negative size in mbfl_strcut
    - debian/patches/bug71906.patch: fix length checks in
      ext/mbstring/libmbfl/mbfl/mbfilter.c.
    - CVE number pending

 -- Marc Deslauriers <email address hidden>  Fri, 15 Apr 2016 10:37:57 -0400
Deleted in trusty-proposed on 2016-04-24 (Reason: moved to -updates)
php5 (5.5.9+dfsg-1ubuntu4.15) trusty; urgency=medium

  * Fix zlib function naming with LFS (LP: #1315888).

 -- Nishanth Aravamudan <email address hidden>  Tue, 22 Mar 2016 09:00:05 -0700
Deleted in xenial-release on 2016-04-07 (Reason: Obsoleted by php7.0; LP: #1547183)
Superseded in xenial-release on 2016-04-06
Deleted in xenial-proposed on 2016-04-07 (Reason: moved to release)
php5 (5.6.17+dfsg-3ubuntu1) xenial; urgency=medium

  * Merge from Debian. Remaining changes:
    - Drop support for firebird, c-client, mcrypt, onig and qdbm as they
      are in universe:
      + d/control: drop Build-Depends on firebird-dev, libc-client-dev,
        libmcrypt-dev, libonig-dev, libqdbm-dev.
      + d/control: drop binary packages php5-imap, php5-interbase and
        php5-mcrypt and their reverse dependencies.
      + d/rules: drop configuration of qdgm, onig, imap, mcrypt.
      + d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't
        build interbase or firebird.
      + d/modulelist: drop imap, interbase and mcrypt.
    - d/control: switch Build-Depends of netcat-traditional to
      netcat-openbsd as only the latter is in main.
    - d/source_php5.py, d/rules: add apport hook.

Superseded in xenial-release on 2016-02-02
Deleted in xenial-proposed on 2016-02-03 (Reason: moved to release)
php5 (5.6.16+dfsg-1ubuntu1) xenial; urgency=medium

  * Merge from Debian. Remaining changes:
    - Drop support for firebird, c-client, mcrypt, onig and qdbm as they
      are in universe:
      + d/control: drop Build-Depends on firebird-dev, libc-client-dev,
        libmcrypt-dev, libonig-dev, libqdbm-dev.
      + d/control: drop binary packages php5-imap, php5-interbase and
        php5-mcrypt and their reverse dependencies.
      + d/rules: drop configuration of qdgm, onig, imap, mcrypt.
      + d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't
        build interbase or firebird.
      + d/modulelist: drop imap, interbase and mcrypt.
    - d/control: switch Build-Depends of netcat-traditional to
      netcat-openbsd as only the latter is in main.
    - d/source_php5.py, d/rules: add apport hook.

Superseded in xenial-release on 2016-01-06
Deleted in xenial-proposed on 2016-01-07 (Reason: moved to release)
php5 (5.6.14+dfsg-1ubuntu1) xenial; urgency=medium

  * Merge from Debian. Remaining changes:
    - Drop support for firebird, c-client, mcrypt, onig and qdbm as they
      are in universe:
      + d/control: drop Build-Depends on firebird-dev, libc-client-dev,
        libmcrypt-dev, libonig-dev, libqdbm-dev.
      + d/control: drop binary packages php5-imap, php5-interbase and
        php5-mcrypt and their reverse dependencies.
      + d/rules: drop configuration of qdgm, onig, imap, mcrypt.
      + d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't
        build interbase or firebird.
      + d/modulelist: drop imap, interbase and mcrypt.
    - d/control: switch Build-Depends of netcat-traditional to
      netcat-openbsd as only the latter is in main.
    - d/source_php5.py, d/rules: add apport hook.
  * Drop changes (patches included upstream):
    - CVE-2015-6831-1.patch, CVE-2015-6831-2.patch, CVE-2015-6831-3.patch,
      CVE-2015-6832.patch, CVE-2015-6833-1.patch, CVE-2015-6833-2.patch,
      CVE-2015-6834-1.patch, CVE-2015-6834-2.patch, CVE-2015-6834-3.patch,
      CVE-2015-6835-1.patch, CVE-2015-6835-2.patch, CVE-2015-6836.patch,
      CVE-2015-6837-6838.patch

Superseded in precise-updates on 2016-04-21
Superseded in precise-security on 2016-04-21
php5 (5.3.10-1ubuntu3.21) precise-security; urgency=medium

  * SECURITY UPDATE: null pointer dereference in phar_get_fp_offset()
    - debian/patches/CVE-2015-7803.patch: check link in ext/phar/util.c.
    - CVE-2015-7803
  * SECURITY UPDATE: uninitialized pointer in phar_make_dirstream()
    - debian/patches/CVE-2015-7804.patch: check filename length in
      ext/phar/util.c, ext/phar/zip.c.
    - CVE-2015-7804

 -- Marc Deslauriers <email address hidden>  Tue, 27 Oct 2015 16:59:36 -0400
Superseded in wily-updates on 2016-04-21
Superseded in xenial-proposed on 2015-10-30
Superseded in wily-security on 2016-04-21
php5 (5.6.11+dfsg-1ubuntu3.1) wily-security; urgency=medium

  * SECURITY UPDATE: null pointer dereference in phar_get_fp_offset()
    - debian/patches/CVE-2015-7803.patch: check link in ext/phar/util.c.
    - CVE-2015-7803
  * SECURITY UPDATE: uninitialized pointer in phar_make_dirstream()
    - debian/patches/CVE-2015-7804.patch: check filename length in
      ext/phar/util.c, ext/phar/zip.c.
    - CVE-2015-7804

 -- Marc Deslauriers <email address hidden>  Tue, 27 Oct 2015 16:47:59 -0400
Superseded in trusty-updates on 2016-04-21
Superseded in trusty-security on 2016-04-21
php5 (5.5.9+dfsg-1ubuntu4.14) trusty-security; urgency=medium

  * SECURITY UPDATE: null pointer dereference in phar_get_fp_offset()
    - debian/patches/CVE-2015-7803.patch: check link in ext/phar/util.c.
    - CVE-2015-7803
  * SECURITY UPDATE: uninitialized pointer in phar_make_dirstream()
    - debian/patches/CVE-2015-7804.patch: check filename length in
      ext/phar/util.c, ext/phar/zip.c.
    - CVE-2015-7804

 -- Marc Deslauriers <email address hidden>  Tue, 27 Oct 2015 16:55:35 -0400
Published in vivid-updates on 2015-10-28
Published in vivid-security on 2015-10-28
php5 (5.6.4+dfsg-4ubuntu6.4) vivid-security; urgency=medium

  * SECURITY UPDATE: null pointer dereference in phar_get_fp_offset()
    - debian/patches/CVE-2015-7803.patch: check link in ext/phar/util.c.
    - CVE-2015-7803
  * SECURITY UPDATE: uninitialized pointer in phar_make_dirstream()
    - debian/patches/CVE-2015-7804.patch: check filename length in
      ext/phar/util.c, ext/phar/zip.c.
    - CVE-2015-7804

 -- Marc Deslauriers <email address hidden>  Tue, 27 Oct 2015 16:52:47 -0400
Superseded in precise-updates on 2015-10-28
Superseded in precise-security on 2015-10-28
php5 (5.3.10-1ubuntu3.20) precise-security; urgency=medium

  * debian/patches/bug65481.patch: backport bugfix to get new
    var_push_dtor_no_addref function.
  * SECURITY UPDATE: phar segfault on invalid file
    - debian/patches/CVE-2015-5589-1.patch: check stream before closing in
      ext/phar/phar_object.c.
    - debian/patches/CVE-2015-5589-2.patch: add better checks in
      ext/phar/phar_object.c.
    - CVE-2015-5589
  * SECURITY UPDATE: phar buffer overflow in phar_fix_filepath
    - debian/patches/CVE-2015-5590.patch: properly handle path in
      ext/phar/phar.c.
    - CVE-2015-5590
  * SECURITY UPDATE: multiple use-after-free issues in unserialize()
    - debian/patches/CVE-2015-6831-1.patch: fix SPLArrayObject in
      ext/spl/spl_array.c, added test to ext/spl/tests/bug70166.phpt.
    - debian/patches/CVE-2015-6831-2.patch: fix SplObjectStorage in
      ext/spl/spl_observer.c.
    - CVE-2015-6831
  * SECURITY UPDATE: dangling pointer in the unserialization of ArrayObject
    items
    - debian/patches/CVE-2015-6832.patch: fix dangling pointer in
      ext/spl/spl_array.c.
    - CVE-2015-6832
  * SECURITY UPDATE: phar files extracted outside of destination dir
    - debian/patches/CVE-2015-6833-1.patch: limit extracted files to given
      directory in ext/phar/phar_object.c.
    - CVE-2015-6833
  * SECURITY UPDATE: multiple vulnerabilities in unserialize()
    - debian/patches/CVE-2015-6834-1.patch: fix use-after-free in
      ext/standard/var.c, ext/standard/var_unserializer.*.
    - debian/patches/CVE-2015-6834-2.patch: fix use-after-free in
      ext/spl/spl_observer.c.
    - CVE-2015-6834
  * SECURITY UPDATE: use after free in session deserializer
    - debian/patches/CVE-2015-6835-1.patch: fix use after free in
      ext/session/session.c, ext/standard/var_unserializer.*
      fixed tests in ext/session/tests/session_decode_error2.phpt,
      ext/session/tests/session_decode_variation3.phpt.
    - CVE-2015-6835
  * SECURITY UPDATE: SOAP serialize_function_call() type confusion
    - debian/patches/CVE-2015-6836.patch: check type in ext/soap/soap.c,
      added test to ext/soap/tests/bug70388.phpt.
    - CVE-2015-6836
  * SECURITY UPDATE: NULL pointer dereference in XSLTProcessor class
    - debian/patches/CVE-2015-6837-6838.patch: fix logic in
      ext/xsl/xsltprocessor.c.
    - CVE-2015-6837
    - CVE-2015-6838

 -- Marc Deslauriers <email address hidden>  Tue, 29 Sep 2015 12:51:49 -0400
Superseded in trusty-updates on 2015-10-28
Superseded in trusty-security on 2015-10-28
php5 (5.5.9+dfsg-1ubuntu4.13) trusty-security; urgency=medium

  * SECURITY UPDATE: phar segfault on invalid file
    - debian/patches/CVE-2015-5589-1.patch: check stream before closing in
      ext/phar/phar_object.c.
    - debian/patches/CVE-2015-5589-2.patch: add better checks in
      ext/phar/phar_object.c.
    - CVE-2015-5589
  * SECURITY UPDATE: phar buffer overflow in phar_fix_filepath
    - debian/patches/CVE-2015-5590.patch: properly handle path in
      ext/phar/phar.c.
    - CVE-2015-5590
  * SECURITY UPDATE: multiple use-after-free issues in unserialize()
    - debian/patches/CVE-2015-6831-1.patch: fix SPLArrayObject in
      ext/spl/spl_array.c, added test to ext/spl/tests/bug70166.phpt.
    - debian/patches/CVE-2015-6831-2.patch: fix SplObjectStorage in
      ext/spl/spl_observer.c, added test to ext/spl/tests/bug70168.phpt.
    - debian/patches/CVE-2015-6831-3.patch: fix SplDoublyLinkedList in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug70169.phpt.
    - CVE-2015-6831
  * SECURITY UPDATE: dangling pointer in the unserialization of ArrayObject
    items
    - debian/patches/CVE-2015-6832.patch: fix dangling pointer in
      ext/spl/spl_array.c, added test to ext/spl/tests/bug70068.phpt.
    - CVE-2015-6832
  * SECURITY UPDATE: phar files extracted outside of destination dir
    - debian/patches/CVE-2015-6833-1.patch: limit extracted files to given
      directory in ext/phar/phar_object.c.
    - CVE-2015-6833
  * SECURITY UPDATE: multiple vulnerabilities in unserialize()
    - debian/patches/CVE-2015-6834-1.patch: fix use-after-free in
      ext/standard/var.c, ext/standard/var_unserializer.*.
    - debian/patches/CVE-2015-6834-2.patch: fix use-after-free in
      ext/spl/spl_observer.c, added test to ext/spl/tests/bug70365.phpt.
    - debian/patches/CVE-2015-6834-3.patch: fix use-after-free in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug70366.phpt.
    - CVE-2015-6834
  * SECURITY UPDATE: use after free in session deserializer
    - debian/patches/CVE-2015-6835-1.patch: fix use after free in
      ext/session/session.c, ext/standard/var_unserializer.*
      fixed tests in ext/session/tests/session_decode_error2.phpt,
      ext/session/tests/session_decode_variation3.phpt.
    - debian/patches/CVE-2015-6835-2.patch: add more fixes to
      ext/session/session.c.
    - CVE-2015-6835
  * SECURITY UPDATE: SOAP serialize_function_call() type confusion
    - debian/patches/CVE-2015-6836.patch: check type in ext/soap/soap.c,
      added test to ext/soap/tests/bug70388.phpt.
    - CVE-2015-6836
  * SECURITY UPDATE: NULL pointer dereference in XSLTProcessor class
    - debian/patches/CVE-2015-6837-6838.patch: fix logic in
      ext/xsl/xsltprocessor.c.
    - CVE-2015-6837
    - CVE-2015-6838

 -- Marc Deslauriers <email address hidden>  Tue, 29 Sep 2015 07:35:49 -0400
Superseded in xenial-release on 2015-11-04
Published in wily-release on 2015-10-02
Deleted in wily-proposed (Reason: moved to release)
php5 (5.6.11+dfsg-1ubuntu3) wily; urgency=medium

  * SECURITY UPDATE: multiple use-after-free issues in unserialize()
    - debian/patches/CVE-2015-6831-1.patch: fix SPLArrayObject in
      ext/spl/spl_array.c, added test to ext/spl/tests/bug70166.phpt.
    - debian/patches/CVE-2015-6831-2.patch: fix SplObjectStorage in
      ext/spl/spl_observer.c, added test to ext/spl/tests/bug70168.phpt.
    - debian/patches/CVE-2015-6831-3.patch: fix SplDoublyLinkedList in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug70169.phpt.
    - CVE-2015-6831
  * SECURITY UPDATE: dangling pointer in the unserialization of ArrayObject
    items
    - debian/patches/CVE-2015-6832.patch: fix dangling pointer in
      ext/spl/spl_array.c, added test to ext/spl/tests/bug70068.phpt.
    - CVE-2015-6832
  * SECURITY UPDATE: phar files extracted outside of destination dir
    - debian/patches/CVE-2015-6833-1.patch: limit extracted files to given
      directory in ext/phar/phar_object.c.
    - debian/patches/CVE-2015-6833-2.patch: use emalloc in
      ext/phar/phar_object.c.
    - CVE-2015-6833
  * SECURITY UPDATE: multiple vulnerabilities in unserialize()
    - debian/patches/CVE-2015-6834-1.patch: fix use-after-free in
      ext/standard/var.c, ext/standard/var_unserializer.*.
    - debian/patches/CVE-2015-6834-2.patch: fix use-after-free in
      ext/spl/spl_observer.c, added test to ext/spl/tests/bug70365.phpt.
    - debian/patches/CVE-2015-6834-3.patch: fix use-after-free in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug70366.phpt.
    - CVE-2015-6834
  * SECURITY UPDATE: use after free in session deserializer
    - debian/patches/CVE-2015-6835-1.patch: fix use after free in
      ext/session/session.c, ext/standard/var_unserializer.*
      fixed tests in ext/session/tests/session_decode_error2.phpt,
      ext/session/tests/session_decode_variation3.phpt.
    - debian/patches/CVE-2015-6835-2.patch: add more fixes to
      ext/session/session.c.
    - CVE-2015-6835
  * SECURITY UPDATE: SOAP serialize_function_call() type confusion
    - debian/patches/CVE-2015-6836.patch: check type in ext/soap/soap.c,
      added test to ext/soap/tests/bug70388.phpt.
    - CVE-2015-6836
  * SECURITY UPDATE: NULL pointer dereference in XSLTProcessor class
    - debian/patches/CVE-2015-6837-6838.patch: fix logic in
      ext/xsl/xsltprocessor.c.
    - CVE-2015-6837
    - CVE-2015-6838

 -- Marc Deslauriers <email address hidden>  Mon, 28 Sep 2015 07:26:44 -0400
Superseded in vivid-updates on 2015-10-28
Superseded in vivid-security on 2015-10-28
php5 (5.6.4+dfsg-4ubuntu6.3) vivid-security; urgency=medium

  * SECURITY UPDATE: phar segfault on invalid file
    - debian/patches/CVE-2015-5589-1.patch: check stream before closing in
      ext/phar/phar_object.c.
    - debian/patches/CVE-2015-5589-2.patch: add better checks in
      ext/phar/phar_object.c.
    - CVE-2015-5589
  * SECURITY UPDATE: phar buffer overflow in phar_fix_filepath
    - debian/patches/CVE-2015-5590.patch: properly handle path in
      ext/phar/phar.c.
    - CVE-2015-5590
  * SECURITY UPDATE: multiple use-after-free issues in unserialize()
    - debian/patches/CVE-2015-6831-1.patch: fix SPLArrayObject in
      ext/spl/spl_array.c, added test to ext/spl/tests/bug70166.phpt.
    - debian/patches/CVE-2015-6831-2.patch: fix SplObjectStorage in
      ext/spl/spl_observer.c, added test to ext/spl/tests/bug70168.phpt.
    - debian/patches/CVE-2015-6831-3.patch: fix SplDoublyLinkedList in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug70169.phpt.
    - CVE-2015-6831
  * SECURITY UPDATE: dangling pointer in the unserialization of ArrayObject
    items
    - debian/patches/CVE-2015-6832.patch: fix dangling pointer in
      ext/spl/spl_array.c, added test to ext/spl/tests/bug70068.phpt.
    - CVE-2015-6832
  * SECURITY UPDATE: phar files extracted outside of destination dir
    - debian/patches/CVE-2015-6833-1.patch: limit extracted files to given
      directory in ext/phar/phar_object.c.
    - debian/patches/CVE-2015-6833-2.patch: use emalloc in
      ext/phar/phar_object.c.
    - CVE-2015-6833
  * SECURITY UPDATE: multiple vulnerabilities in unserialize()
    - debian/patches/CVE-2015-6834-1.patch: fix use-after-free in
      ext/standard/var.c, ext/standard/var_unserializer.*.
    - debian/patches/CVE-2015-6834-2.patch: fix use-after-free in
      ext/spl/spl_observer.c, added test to ext/spl/tests/bug70365.phpt.
    - debian/patches/CVE-2015-6834-3.patch: fix use-after-free in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug70366.phpt.
    - CVE-2015-6834
  * SECURITY UPDATE: use after free in session deserializer
    - debian/patches/CVE-2015-6835-1.patch: fix use after free in
      ext/session/session.c, ext/standard/var_unserializer.*
      fixed tests in ext/session/tests/session_decode_error2.phpt,
      ext/session/tests/session_decode_variation3.phpt.
    - debian/patches/CVE-2015-6835-2.patch: add more fixes to
      ext/session/session.c.
    - CVE-2015-6835
  * SECURITY UPDATE: SOAP serialize_function_call() type confusion
    - debian/patches/CVE-2015-6836.patch: check type in ext/soap/soap.c,
      added test to ext/soap/tests/bug70388.phpt.
    - CVE-2015-6836
  * SECURITY UPDATE: NULL pointer dereference in XSLTProcessor class
    - debian/patches/CVE-2015-6837-6838.patch: fix logic in
      ext/xsl/xsltprocessor.c.
    - CVE-2015-6837
    - CVE-2015-6838

 -- Marc Deslauriers <email address hidden>  Mon, 28 Sep 2015 15:51:34 -0400
Superseded in trusty-updates on 2015-09-30
Deleted in trusty-proposed on 2015-10-02 (Reason: moved to -updates)
php5 (5.5.9+dfsg-1ubuntu4.12) trusty; urgency=medium

  * Fix PHP Fatal error: Inconsistent insteadof definition (LP: #1474276)
    - Apply upstream fix

 -- Ryan Harper <email address hidden>  Thu, 13 Aug 2015 09:55:34 -0500
Superseded in wily-release on 2015-10-02
Deleted in wily-proposed on 2015-10-03 (Reason: moved to release)
php5 (5.6.11+dfsg-1ubuntu2) wily; urgency=medium

  * No-change rebuild against new libicu

 -- Iain Lane <email address hidden>  Wed, 05 Aug 2015 17:41:17 +0100
Superseded in wily-release on 2015-09-01
Deleted in wily-proposed on 2015-09-03 (Reason: moved to release)
php5 (5.6.11+dfsg-1ubuntu1) wily; urgency=medium

  * Merge from Debian. Remaining changes:
    - Drop support for firebird, c-client, mcrypt, onig and qdbm as they
      are in universe:
      + d/control: drop Build-Depends on firebird-dev, libc-client-dev,
        libmcrypt-dev, libonig-dev, libqdbm-dev.
      + d/control: drop binary packages php5-imap, php5-interbase and
        php5-mcrypt and their reverse dependencies.
      + d/rules: drop configuration of qdgm, onig, imap, mcrypt.
      + d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't
        build interbase or firebird.
      + d/modulelist: drop imap, interbase and mcrypt.
    - d/control: switch Build-Depends of netcat-traditional to
      netcat-openbsd as only the latter is in main.
    - d/source_php5.py, d/rules: add apport hook.
  * New upstream version uses __builtin_clzl when  __powerpc__ is defined,
    improving performance on POWER systems (LP: #1458434).
  * Drop changes (patches included upstream): CVE-2015-4598.patch,
    CVE-2015-4643.patch, CVE-2015-4644.patch.

 -- Robie Basak <email address hidden>  Mon, 27 Jul 2015 11:15:34 +0000
Superseded in wily-release on 2015-07-27
Deleted in wily-proposed on 2015-07-28 (Reason: moved to release)
php5 (5.6.9+dfsg-1ubuntu1) wily; urgency=medium

  * Merge from Debian. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm, onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt
      since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
  * Dropped changes:
    - patches included in new upstream version: CVE-2014-9427.patch,
      CVE-2014-9652.patch, CVE-2015-0231.patch, CVE-2015-0232.patch,
      CVE-2015-1351.patch, CVE-2015-1352.patch, remove_readelf.patch,
      CVE-2014-9705.patch, CVE-2015-0273.patch, CVE-2015-2301.patch,
      CVE-2015-2305.patch, CVE-2015-2331.patch, CVE-2015-2348.patch,
      CVE-2015-2787.patch, CVE-2015-2783.patch, bug69218.patch,
      bug69441.patch.
  * SECURITY UPDATE: more missing file path null byte checks
    - debian/patches/CVE-2015-4598.patch: add missing checks to
      ext/dom/document.c, ext/gd/gd.c, fix test in
      ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt.
    - CVE-2015-4598
  * SECURITY UPDATE: arbitrary code execution via ftp server long reply to
    a LIST command
    - debian/patches/CVE-2015-4643.patch: prevent overflow check bypass in
      ext/ftp/ftp.c.
    - CVE-2015-4643
  * SECURITY UPDATE: denial of service via php_pgsql_meta_data
    - debian/patches/CVE-2015-4644.patch: check return value in
      ext/pgsql/pgsql.c, add test to ext/pgsql/pg_insert_002.phpt.
    - CVE-2015-4644

Superseded in precise-updates on 2015-09-30
Superseded in precise-security on 2015-09-30
php5 (5.3.10-1ubuntu3.19) precise-security; urgency=medium

  * SECURITY UPDATE: missing file path null byte checks
    - debian/patches/CVE-2015-3411.patch: add missing checks to
      ext/dom/document.c, ext/fileinfo/fileinfo.c, ext/gd/gd.c,
      ext/hash/hash.c, ext/pgsql/pgsql.c, ext/standard/streamsfuncs.c,
      ext/xmlwriter/php_xmlwriter.c, ext/zlib/zlib.c, add tests to
      ext/fileinfo/tests/finfo_file_basic.phpt,
      ext/hash/tests/hash_hmac_file_error.phpt,
      backport CHECK_NULL_PATH to Zend/zend_API.h.
    - CVE-2015-3411
    - CVE-2015-3412
  * SECURITY UPDATE: denial of service via crafted tar archive
    - debian/patches/CVE-2015-4021.patch: handle empty strings in
      ext/phar/tar.c.
    - CVE-2015-4021
  * SECURITY UPDATE: arbitrary code execution via ftp server long reply to
    a LIST command
    - debian/patches/CVE-2015-4022.patch: fix overflow in ext/ftp/ftp.c.
    - CVE-2015-4022
  * SECURITY UPDATE: denial of service via crafted form data
    - debian/patches/CVE-2015-4024.patch: use smart_str to assemble strings
      in main/rfc1867.c.
    - CVE-2015-4024
  * SECURITY UPDATE: more missing file path null byte checks
    - debian/patches/CVE-2015-4025.patch: add missing checks to
      ext/pcntl/pcntl.c, ext/standard/dir.c.
    - CVE-2015-4025
    - CVE-2015-4026
  * SECURITY UPDATE: arbitrary code execution via crafted serialized data
    with unexpected data type
    - debian/patches/CVE-2015-4147.patch: check variable types in
      ext/soap/php_encoding.c, ext/soap/php_http.c, ext/soap/soap.c.
    - CVE-2015-4147
    - CVE-2015-4148
    - CVE-2015-4600
    - CVE-2015-4601
  * SECURITY UPDATE: more missing file path null byte checks
    - debian/patches/CVE-2015-4598.patch: add missing checks to
      ext/dom/document.c, ext/gd/gd.c.
    - CVE-2015-4598
  * SECURITY UPDATE: denial of service or information leak via type
    confusion with crafted serialized data
    - debian/patches/CVE-2015-4599.patch: use proper types in
      ext/soap/soap.c.
    - CVE-2015-4599
  * SECURITY UPDATE: denial of service or information leak via type
    confusion with crafted serialized data
    - debian/patches/CVE-2015-4602.patch: check for proper type in
      ext/standard/incomplete_class.c.
    - CVE-2015-4602
  * SECURITY UPDATE: denial of service or information leak via type
    confusion with crafted serialized data
    - debian/patches/CVE-2015-4603.patch: check type in
      Zend/zend_exceptions.c, add test to
      ext/standard/tests/serialize/bug69152.phpt.
    - CVE-2015-4603
  * SECURITY UPDATE: arbitrary code execution via ftp server long reply to
    a LIST command
    - debian/patches/CVE-2015-4643.patch: prevent overflow check bypass in
      ext/ftp/ftp.c.
    - CVE-2015-4643
  * SECURITY UPDATE: denial of service via php_pgsql_meta_data
    - debian/patches/CVE-2015-4644.patch: check return value in
      ext/pgsql/pgsql.c, add test to ext/pgsql/pg_insert_002.phpt.
    - CVE-2015-4644
  * debian/patches/CVE-2015-2783-memleak.patch: fix memory leak introduced
    by CVE-2015-2783 security update.

 -- Marc Deslauriers <email address hidden>  Thu, 02 Jul 2015 07:42:32 -0400
Published in utopic-updates on 2015-07-06
Published in utopic-security on 2015-07-06
php5 (5.5.12+dfsg-2ubuntu4.6) utopic-security; urgency=medium

  * SECURITY UPDATE: missing file path null byte checks
    - debian/patches/CVE-2015-3411.patch: add missing checks to
      ext/dom/document.c, ext/fileinfo/fileinfo.c, ext/gd/gd.c,
      ext/hash/hash.c, ext/pgsql/pgsql.c, ext/standard/link.c,
      ext/standard/streamsfuncs.c, ext/xmlwriter/php_xmlwriter.c,
      ext/zlib/zlib.c, add tests to
      ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt,
      ext/fileinfo/tests/finfo_file_basic.phpt,
      ext/hash/tests/hash_hmac_file_error.phpt
    - CVE-2015-3411
    - CVE-2015-3412
  * SECURITY UPDATE: denial of service via crafted tar archive
    - debian/patches/CVE-2015-4021.patch: handle empty strings in
      ext/phar/tar.c.
    - CVE-2015-4021
  * SECURITY UPDATE: arbitrary code execution via ftp server long reply to
    a LIST command
    - debian/patches/CVE-2015-4022.patch: fix overflow in ext/ftp/ftp.c.
    - CVE-2015-4022
  * SECURITY UPDATE: denial of service via crafted form data
    - debian/patches/CVE-2015-4024.patch: use smart_str to assemble strings
      in main/rfc1867.c.
    - CVE-2015-4024
  * SECURITY UPDATE: more missing file path null byte checks
    - debian/patches/CVE-2015-4025.patch: add missing checks to
      ext/pcntl/pcntl.c, ext/standard/basic_functions.c,
      ext/standard/dir.c, ext/standard/file.c.
    - CVE-2015-4025
    - CVE-2015-4026
  * SECURITY UPDATE: arbitrary code execution via crafted serialized data
    with unexpected data type
    - debian/patches/CVE-2015-4147.patch: check variable types in
      ext/soap/php_encoding.c, ext/soap/php_http.c, ext/soap/soap.c.
    - CVE-2015-4147
    - CVE-2015-4148
    - CVE-2015-4600
    - CVE-2015-4601
  * SECURITY UPDATE: more missing file path null byte checks
    - debian/patches/CVE-2015-4598.patch: add missing checks to
      ext/dom/document.c, ext/gd/gd.c, fix tests in
      ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt,
      ext/gd/tests/imageloadfont_error1.phpt,
      ext/zlib/tests/gzopen_variation1.phpt,
      ext/zlib/tests/readgzfile_variation1.phpt,
      ext/zlib/tests/readgzfile_variation6.phpt,
      ext/standard/tests/dir/dir_variation1.phpt,
      ext/standard/tests/dir/opendir_variation1.phpt,
      ext/standard/tests/file/mkdir_rmdir_variation2.phpt,
      ext/standard/tests/file/readlink_variation1.phpt,
      ext/standard/tests/file/tempnam_variation3-win32.phpt,
      ext/standard/tests/file/tempnam_variation3.phpt,
      ext/standard/tests/general_functions/include_path.phpt.
    - CVE-2015-4598
  * SECURITY UPDATE: denial of service or information leak via type
    confusion with crafted serialized data
    - debian/patches/CVE-2015-4599.patch: use proper types in
      ext/soap/soap.c.
    - CVE-2015-4599
  * SECURITY UPDATE: denial of service or information leak via type
    confusion with crafted serialized data
    - debian/patches/CVE-2015-4602.patch: check for proper type in
      ext/standard/incomplete_class.c.
    - CVE-2015-4602
  * SECURITY UPDATE: denial of service or information leak via type
    confusion with crafted serialized data
    - debian/patches/CVE-2015-4603.patch: check type in
      Zend/zend_exceptions.c, add test to
      ext/standard/tests/serialize/bug69152.phpt.
    - CVE-2015-4603
  * SECURITY UPDATE: arbitrary code execution via ftp server long reply to
    a LIST command
    - debian/patches/CVE-2015-4643.patch: prevent overflow check bypass in
      ext/ftp/ftp.c.
    - CVE-2015-4643
  * SECURITY UPDATE: denial of service via php_pgsql_meta_data
    - debian/patches/CVE-2015-4644.patch: check return value in
      ext/pgsql/pgsql.c, add test to ext/pgsql/pg_insert_002.phpt.
    - CVE-2015-4644
  * debian/patches/CVE-2015-2783-memleak.patch: fix memory leak introduced
    by CVE-2015-2783 security update.

 -- Marc Deslauriers <email address hidden>  Thu, 02 Jul 2015 08:51:10 -0400
Superseded in vivid-updates on 2015-09-30
Superseded in vivid-security on 2015-09-30
php5 (5.6.4+dfsg-4ubuntu6.2) vivid-security; urgency=medium

  * SECURITY UPDATE: missing file path null byte checks
    - debian/patches/CVE-2015-3411.patch: add missing checks to
      ext/dom/document.c, ext/fileinfo/fileinfo.c, ext/gd/gd.c,
      ext/hash/hash.c, ext/pgsql/pgsql.c, ext/standard/link.c,
      ext/standard/streamsfuncs.c, ext/xmlwriter/php_xmlwriter.c,
      ext/zlib/zlib.c, add tests to
      ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt,
      ext/fileinfo/tests/finfo_file_basic.phpt,
      ext/hash/tests/hash_hmac_file_error.phpt
    - CVE-2015-3411
    - CVE-2015-3412
  * SECURITY UPDATE: denial of service via crafted tar archive
    - debian/patches/CVE-2015-4021.patch: handle empty strings in
      ext/phar/tar.c.
    - CVE-2015-4021
  * SECURITY UPDATE: arbitrary code execution via ftp server long reply to
    a LIST command
    - debian/patches/CVE-2015-4022.patch: fix overflow in ext/ftp/ftp.c.
    - CVE-2015-4022
  * SECURITY UPDATE: denial of service via crafted form data
    - debian/patches/CVE-2015-4024.patch: use smart_str to assemble strings
      in main/rfc1867.c.
    - CVE-2015-4024
  * SECURITY UPDATE: more missing file path null byte checks
    - debian/patches/CVE-2015-4025.patch: add missing checks to
      ext/pcntl/pcntl.c, ext/standard/basic_functions.c,
      ext/standard/dir.c, ext/standard/file.c.
    - CVE-2015-4025
    - CVE-2015-4026
  * SECURITY UPDATE: arbitrary code execution via crafted serialized data
    with unexpected data type
    - debian/patches/CVE-2015-4147.patch: check variable types in
      ext/soap/php_encoding.c, ext/soap/php_http.c, ext/soap/soap.c.
    - CVE-2015-4147
    - CVE-2015-4148
    - CVE-2015-4600
    - CVE-2015-4601
  * SECURITY UPDATE: more missing file path null byte checks
    - debian/patches/CVE-2015-4598.patch: add missing checks to
      ext/dom/document.c, ext/gd/gd.c, fix tests in
      ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt,
      ext/gd/tests/imageloadfont_error1.phpt,
      ext/zlib/tests/gzopen_variation1.phpt,
      ext/zlib/tests/readgzfile_variation1.phpt,
      ext/zlib/tests/readgzfile_variation6.phpt,
      ext/standard/tests/dir/dir_variation1.phpt,
      ext/standard/tests/dir/opendir_variation1.phpt,
      ext/standard/tests/file/mkdir_rmdir_variation2.phpt,
      ext/standard/tests/file/readlink_variation1.phpt,
      ext/standard/tests/file/tempnam_variation3-win32.phpt,
      ext/standard/tests/file/tempnam_variation3.phpt,
      ext/standard/tests/general_functions/include_path.phpt.
    - CVE-2015-4598
  * SECURITY UPDATE: denial of service or information leak via type
    confusion with crafted serialized data
    - debian/patches/CVE-2015-4599.patch: use proper types in
      ext/soap/soap.c.
    - CVE-2015-4599
  * SECURITY UPDATE: denial of service or information leak via type
    confusion with crafted serialized data
    - debian/patches/CVE-2015-4602.patch: check for proper type in
      ext/standard/incomplete_class.c.
    - CVE-2015-4602
  * SECURITY UPDATE: denial of service or information leak via type
    confusion with crafted serialized data
    - debian/patches/CVE-2015-4603.patch: check type in
      Zend/zend_exceptions.c, add test to
      ext/standard/tests/serialize/bug69152.phpt.
    - CVE-2015-4603
  * SECURITY UPDATE: denial of service in Fileinfo with crafted file
    - debian/patches/CVE-2015-4604.patch: handle large offset in
      ext/fileinfo/libmagic/softmagic.c, add test to
      ext/fileinfo/tests/bug68819_001.phpt,
      ext/fileinfo/tests/bug68819_002.phpt.
    - CVE-2015-4604
    - CVE-2015-4605
  * SECURITY UPDATE: arbitrary code execution via ftp server long reply to
    a LIST command
    - debian/patches/CVE-2015-4643.patch: prevent overflow check bypass in
      ext/ftp/ftp.c.
    - CVE-2015-4643
  * SECURITY UPDATE: denial of service via php_pgsql_meta_data
    - debian/patches/CVE-2015-4644.patch: check return value in
      ext/pgsql/pgsql.c, add test to ext/pgsql/pg_insert_002.phpt.
    - CVE-2015-4644
  * debian/patches/CVE-2015-2783-memleak.patch: fix memory leak introduced
    by CVE-2015-2783 security update.

 -- Marc Deslauriers <email address hidden>  Thu, 02 Jul 2015 08:45:58 -0400
Superseded in trusty-updates on 2015-09-23
Superseded in trusty-security on 2015-09-30
php5 (5.5.9+dfsg-1ubuntu4.11) trusty-security; urgency=medium

  * SECURITY UPDATE: missing file path null byte checks
    - debian/patches/CVE-2015-3411.patch: add missing checks to
      ext/dom/document.c, ext/fileinfo/fileinfo.c, ext/gd/gd.c,
      ext/hash/hash.c, ext/pgsql/pgsql.c, ext/standard/link.c,
      ext/standard/streamsfuncs.c, ext/xmlwriter/php_xmlwriter.c,
      ext/zlib/zlib.c, add tests to
      ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt,
      ext/fileinfo/tests/finfo_file_basic.phpt,
      ext/hash/tests/hash_hmac_file_error.phpt
    - CVE-2015-3411
    - CVE-2015-3412
  * SECURITY UPDATE: denial of service via crafted tar archive
    - debian/patches/CVE-2015-4021.patch: handle empty strings in
      ext/phar/tar.c.
    - CVE-2015-4021
  * SECURITY UPDATE: arbitrary code execution via ftp server long reply to
    a LIST command
    - debian/patches/CVE-2015-4022.patch: fix overflow in ext/ftp/ftp.c.
    - CVE-2015-4022
  * SECURITY UPDATE: denial of service via crafted form data
    - debian/patches/CVE-2015-4024.patch: use smart_str to assemble strings
      in main/rfc1867.c.
    - CVE-2015-4024
  * SECURITY UPDATE: more missing file path null byte checks
    - debian/patches/CVE-2015-4025.patch: add missing checks to
      ext/pcntl/pcntl.c, ext/standard/basic_functions.c,
      ext/standard/dir.c, ext/standard/file.c.
    - CVE-2015-4025
    - CVE-2015-4026
  * SECURITY UPDATE: arbitrary code execution via crafted serialized data
    with unexpected data type
    - debian/patches/CVE-2015-4147.patch: check variable types in
      ext/soap/php_encoding.c, ext/soap/php_http.c, ext/soap/soap.c.
    - CVE-2015-4147
    - CVE-2015-4148
    - CVE-2015-4600
    - CVE-2015-4601
  * SECURITY UPDATE: more missing file path null byte checks
    - debian/patches/CVE-2015-4598.patch: add missing checks to
      ext/dom/document.c, ext/gd/gd.c, fix tests in
      ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt,
      ext/gd/tests/imageloadfont_error1.phpt,
      ext/zlib/tests/gzopen_variation1.phpt,
      ext/zlib/tests/readgzfile_variation1.phpt,
      ext/zlib/tests/readgzfile_variation6.phpt,
      ext/standard/tests/dir/dir_variation1.phpt,
      ext/standard/tests/dir/opendir_variation1.phpt,
      ext/standard/tests/file/mkdir_rmdir_variation2.phpt,
      ext/standard/tests/file/readlink_variation1.phpt,
      ext/standard/tests/file/tempnam_variation3-win32.phpt,
      ext/standard/tests/file/tempnam_variation3.phpt,
      ext/standard/tests/general_functions/include_path.phpt.
    - CVE-2015-4598
  * SECURITY UPDATE: denial of service or information leak via type
    confusion with crafted serialized data
    - debian/patches/CVE-2015-4599.patch: use proper types in
      ext/soap/soap.c.
    - CVE-2015-4599
  * SECURITY UPDATE: denial of service or information leak via type
    confusion with crafted serialized data
    - debian/patches/CVE-2015-4602.patch: check for proper type in
      ext/standard/incomplete_class.c.
    - CVE-2015-4602
  * SECURITY UPDATE: denial of service or information leak via type
    confusion with crafted serialized data
    - debian/patches/CVE-2015-4603.patch: check type in
      Zend/zend_exceptions.c, add test to
      ext/standard/tests/serialize/bug69152.phpt.
    - CVE-2015-4603
  * SECURITY UPDATE: arbitrary code execution via ftp server long reply to
    a LIST command
    - debian/patches/CVE-2015-4643.patch: prevent overflow check bypass in
      ext/ftp/ftp.c.
    - CVE-2015-4643
  * SECURITY UPDATE: denial of service via php_pgsql_meta_data
    - debian/patches/CVE-2015-4644.patch: check return value in
      ext/pgsql/pgsql.c, add test to ext/pgsql/pg_insert_002.phpt.
    - CVE-2015-4644
  * debian/patches/CVE-2015-2783-memleak.patch: fix memory leak introduced
    by CVE-2015-2783 security update.

 -- Marc Deslauriers <email address hidden>  Thu, 02 Jul 2015 08:53:30 -0400
Superseded in wily-release on 2015-07-15
Published in vivid-release on 2015-04-18
Deleted in vivid-proposed (Reason: moved to release)
php5 (5.6.4+dfsg-4ubuntu6) vivid; urgency=medium

  * SECURITY UPDATE: potential remote code execution vulnerability when
    used with the Apache 2.4 apache2handler
    - debian/patches/bug69218.patch: perform proper cleanup in
      sapi/apache2handler/sapi_apache2.c.
    - CVE number pending
  * SECURITY UPDATE: buffer overflow when parsing tar/zip/phar
    - debian/patches/bug69441.patch: check lengths in
      ext/phar/phar_internal.h.
    - CVE number pending
  * SECURITY UPDATE: buffer overflow in unserialize when parsing Phar
    - debian/patches/CVE-2015-2783.patch: properly check lengths in
      ext/phar/phar.c, ext/phar/phar_internal.h.
    - CVE-2015-2783
 -- Marc Deslauriers <email address hidden>   Fri, 17 Apr 2015 05:15:49 -0400
Published in lucid-updates on 2015-04-20
Published in lucid-security on 2015-04-20
php5 (5.3.2-1ubuntu4.30) lucid-security; urgency=medium

  * SECURITY UPDATE: potential remote code execution vulnerability when
    used with the Apache 2.4 apache2handler
    - debian/patches/bug69218.patch: perform proper cleanup in
      sapi/apache2handler/sapi_apache2.c.
    - CVE number pending
  * SECURITY UPDATE: buffer overflow when parsing tar/zip/phar
    - debian/patches/bug69441.patch: check lengths in
      ext/phar/phar_internal.h.
    - CVE number pending
  * SECURITY UPDATE: heap overflow in regexp library
    - debian/patches/CVE-2015-2305.patch: check for overflow in
      ext/ereg/regex/regcomp.c.
    - CVE-2015-2305
  * SECURITY UPDATE: buffer overflow in unserialize when parsing Phar
    - debian/patches/CVE-2015-2783.patch: properly check lengths in
      ext/phar/phar.c, ext/phar/phar_internal.h.
    - CVE-2015-2783
  * SECURITY UPDATE: arbitrary code exection via process_nested_data
    use-after-free
    - debian/patches/CVE-2015-2787.patch: fix logic in
      ext/standard/var_unserializer.*.
    - CVE-2015-2787
 -- Marc Deslauriers <email address hidden>   Fri, 17 Apr 2015 07:37:39 -0400
Superseded in precise-updates on 2015-07-06
Superseded in precise-security on 2015-07-06
php5 (5.3.10-1ubuntu3.18) precise-security; urgency=medium

  * SECURITY UPDATE: potential remote code execution vulnerability when
    used with the Apache 2.4 apache2handler
    - debian/patches/bug69218.patch: perform proper cleanup in
      sapi/apache2handler/sapi_apache2.c.
    - CVE number pending
  * SECURITY UPDATE: buffer overflow when parsing tar/zip/phar
    - debian/patches/bug69441.patch: check lengths in
      ext/phar/phar_internal.h.
    - CVE number pending
  * SECURITY UPDATE: heap overflow in regexp library
    - debian/patches/CVE-2015-2305.patch: check for overflow in
      ext/ereg/regex/regcomp.c.
    - CVE-2015-2305
  * SECURITY UPDATE: buffer overflow in unserialize when parsing Phar
    - debian/patches/CVE-2015-2783.patch: properly check lengths in
      ext/phar/phar.c, ext/phar/phar_internal.h.
    - CVE-2015-2783
  * SECURITY UPDATE: arbitrary code exection via process_nested_data
    use-after-free
    - debian/patches/CVE-2015-2787.patch: fix logic in
      ext/standard/var_unserializer.*.
    - CVE-2015-2787
 -- Marc Deslauriers <email address hidden>   Fri, 17 Apr 2015 06:25:37 -0400
Superseded in trusty-updates on 2015-07-06
Superseded in trusty-security on 2015-07-06
php5 (5.5.9+dfsg-1ubuntu4.9) trusty-security; urgency=medium

  * SECURITY UPDATE: potential remote code execution vulnerability when
    used with the Apache 2.4 apache2handler
    - debian/patches/bug69218.patch: perform proper cleanup in
      sapi/apache2handler/sapi_apache2.c.
    - CVE number pending
  * SECURITY UPDATE: buffer overflow when parsing tar/zip/phar
    - debian/patches/bug69441.patch: check lengths in
      ext/phar/phar_internal.h.
    - CVE number pending
  * SECURITY UPDATE: heap overflow in regexp library
    - debian/patches/CVE-2015-2305.patch: check for overflow in
      ext/ereg/regex/regcomp.c.
    - CVE-2015-2305
  * SECURITY UPDATE: move_uploaded_file filename restriction bypass
    - debian/patches/CVE-2015-2348.patch: handle nulls in
      ext/standard/basic_functions.c.
    - CVE-2015-2348
  * SECURITY UPDATE: buffer overflow in unserialize when parsing Phar
    - debian/patches/CVE-2015-2783.patch: properly check lengths in
      ext/phar/phar.c, ext/phar/phar_internal.h.
    - CVE-2015-2783
  * SECURITY UPDATE: arbitrary code exection via process_nested_data
    use-after-free
    - debian/patches/CVE-2015-2787.patch: fix logic in
      ext/standard/var_unserializer.*.
    - CVE-2015-2787
 -- Marc Deslauriers <email address hidden>   Fri, 17 Apr 2015 05:28:02 -0400
Superseded in utopic-updates on 2015-07-06
Superseded in utopic-security on 2015-07-06
php5 (5.5.12+dfsg-2ubuntu4.4) utopic-security; urgency=medium

  * SECURITY UPDATE: potential remote code execution vulnerability when
    used with the Apache 2.4 apache2handler
    - debian/patches/bug69218.patch: perform proper cleanup in
      sapi/apache2handler/sapi_apache2.c.
    - CVE number pending
  * SECURITY UPDATE: buffer overflow when parsing tar/zip/phar
    - debian/patches/bug69441.patch: check lengths in
      ext/phar/phar_internal.h.
    - CVE number pending
  * SECURITY UPDATE: heap overflow in regexp library
    - debian/patches/CVE-2015-2305.patch: check for overflow in
      ext/ereg/regex/regcomp.c.
    - CVE-2015-2305
  * SECURITY UPDATE: move_uploaded_file filename restriction bypass
    - debian/patches/CVE-2015-2348.patch: handle nulls in
      ext/standard/basic_functions.c.
    - CVE-2015-2348
  * SECURITY UPDATE: buffer overflow in unserialize when parsing Phar
    - debian/patches/CVE-2015-2783.patch: properly check lengths in
      ext/phar/phar.c, ext/phar/phar_internal.h.
    - CVE-2015-2783
  * SECURITY UPDATE: arbitrary code exection via process_nested_data
    use-after-free
    - debian/patches/CVE-2015-2787.patch: fix logic in
      ext/standard/var_unserializer.*.
    - CVE-2015-2787
 -- Marc Deslauriers <email address hidden>   Fri, 17 Apr 2015 05:24:45 -0400
Superseded in vivid-release on 2015-04-18
Deleted in vivid-proposed on 2015-04-19 (Reason: moved to release)
php5 (5.6.4+dfsg-4ubuntu5) vivid; urgency=medium

  * SECURITY UPDATE: move_uploaded_file filename restriction bypass
    - debian/patches/CVE-2015-2348.patch: handle nulls in
      ext/standard/basic_functions.c.
    - CVE-2015-2348
  * SECURITY UPDATE: arbitrary code exection via process_nested_data
    use-after-free
    - debian/patches/CVE-2015-2787.patch: fix logic in
      ext/standard/var_unserializer.*.
    - CVE-2015-2787
 -- Marc Deslauriers <email address hidden>   Thu, 02 Apr 2015 08:06:41 -0400
Deleted in trusty-proposed on 2015-04-24 (Reason: moved to -updates)
php5 (5.5.9+dfsg-1ubuntu4.8) trusty; urgency=medium

  * Fix php5-fpm logrotate since the upstart job has been introduced.
    (LP: #1230917)
    - Backport the /usr/lib/php5/php5-fpm-reopenlogs script from utopic.
    - Call the script in postrotate instead of invoke-rc.d php5-fpm reopen-logs.
      Upstart jobs don't support custom actions.
 -- Felix Geyer <email address hidden>   Tue, 31 Mar 2015 07:51:32 -0400
Superseded in vivid-release on 2015-04-03
Deleted in vivid-proposed on 2015-04-04 (Reason: moved to release)
php5 (5.6.4+dfsg-4ubuntu4) vivid; urgency=medium

  * SECURITY UPDATE: heap overflow in regexp library
    - debian/patches/CVE-2015-2305.patch: check for overflow in
      ext/ereg/regex/regcomp.c.
    - CVE-2015-2305
  * SECURITY UPDATE: integer overflow in zip module
    - debian/patches/CVE-2015-2331.patch: check for overflow in
      ext/zip/lib/zip_dirent.c.
    - CVE-2015-2331
 -- Marc Deslauriers <email address hidden>   Tue, 24 Mar 2015 15:12:32 -0400
Superseded in vivid-release on 2015-03-28
Deleted in vivid-proposed on 2015-03-30 (Reason: moved to release)
php5 (5.6.4+dfsg-4ubuntu3) vivid; urgency=medium

  * SECURITY UPDATE: denial of service or possible code execution in
    enchant
    - debian/patches/CVE-2014-9705.patch: handle position better in
      ext/enchant/enchant.c.
    - CVE-2014-9705
  * SECURITY UPDATE: arbitrary code execution via use after free in
    unserialize() with DateTimeZone and DateTime
    - debian/patches/CVE-2015-0273.patch: fix use after free in
      ext/date/php_date.c, added tests to ext/date/tests/bug68942.phpt,
      ext/date/tests/bug68942_2.phpt.
    - CVE-2015-0273
  * SECURITY UPDATE: denial of service or possible code execution in phar
    - debian/patches/CVE-2015-2301.patch: fix use after free in
      ext/phar/phar_object.c.
    - CVE-2015-2301
 -- Marc Deslauriers <email address hidden>   Mon, 16 Mar 2015 13:21:17 -0400
Superseded in precise-updates on 2015-04-20
Superseded in precise-security on 2015-04-20
php5 (5.3.10-1ubuntu3.17) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via recursion
    - debian/patches/CVE-2014-8117.patch: lower recursion limit in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-8117
  * SECURITY UPDATE: denial of service or possible code execution in
    enchant
    - debian/patches/CVE-2014-9705.patch: handle position better in
      ext/enchant/enchant.c.
    - CVE-2014-9705
  * SECURITY UPDATE: arbitrary code execution via use after free in
    unserialize() with DateTime
    - debian/patches/CVE-2015-0273.patch: fix use after free in
      ext/date/php_date.c, added test to ext/date/tests/*.phpt.
    - CVE-2015-0273
  * SECURITY UPDATE: denial of service or possible code execution in phar
    - debian/patches/CVE-2015-2301.patch: fix use after free in
      ext/phar/phar_object.c.
    - CVE-2015-2301
 -- Marc Deslauriers <email address hidden>   Mon, 16 Mar 2015 13:59:27 -0400
Superseded in lucid-updates on 2015-04-20
Superseded in lucid-security on 2015-04-20
php5 (5.3.2-1ubuntu4.29) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service via recursion
    - debian/patches/CVE-2014-8117.patch: lower recursion limit in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-8117
  * SECURITY UPDATE: denial of service or possible code execution in
    enchant
    - debian/patches/CVE-2014-9705.patch: handle position better in
      ext/enchant/enchant.c.
    - CVE-2014-9705
  * SECURITY UPDATE: arbitrary code execution via use after free in
    unserialize() with DateTime
    - debian/patches/CVE-2015-0273.patch: fix use after free in
      ext/date/php_date.c, added tests to ext/date/tests/*.phpt.
    - CVE-2015-0273
  * SECURITY UPDATE: denial of service or possible code execution in phar
    - debian/patches/CVE-2015-2301.patch: fix use after free in
      ext/phar/phar_object.c.
    - CVE-2015-2301
 -- Marc Deslauriers <email address hidden>   Mon, 16 Mar 2015 15:00:32 -0400
Superseded in trusty-updates on 2015-04-20
Superseded in trusty-security on 2015-04-20
php5 (5.5.9+dfsg-1ubuntu4.7) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via recursion
    - debian/patches/CVE-2014-8117.patch: lower recursion limit in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-8117
  * SECURITY UPDATE: denial of service or possible code execution in
    enchant
    - debian/patches/CVE-2014-9705.patch: handle position better in
      ext/enchant/enchant.c.
    - CVE-2014-9705
  * SECURITY UPDATE: arbitrary code execution via use after free in
    unserialize() with DateTimeZone and DateTime
    - debian/patches/CVE-2015-0273.patch: fix use after free in
      ext/date/php_date.c, added tests to ext/date/tests/bug68942.phpt,
      ext/date/tests/bug68942_2.phpt.
    - CVE-2015-0273
  * SECURITY UPDATE: denial of service or possible code execution in phar
    - debian/patches/CVE-2015-2301.patch: fix use after free in
      ext/phar/phar_object.c.
    - CVE-2015-2301
 -- Marc Deslauriers <email address hidden>   Mon, 16 Mar 2015 13:40:18 -0400
Superseded in utopic-updates on 2015-04-20
Superseded in utopic-security on 2015-04-20
php5 (5.5.12+dfsg-2ubuntu4.3) utopic-security; urgency=medium

  * SECURITY UPDATE: denial of service via recursion
    - debian/patches/CVE-2014-8117.patch: lower recursion limit in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-8117
  * SECURITY UPDATE: denial of service or possible code execution in
    enchant
    - debian/patches/CVE-2014-9705.patch: handle position better in
      ext/enchant/enchant.c.
    - CVE-2014-9705
  * SECURITY UPDATE: arbitrary code execution via use after free in
    unserialize() with DateTimeZone and DateTime
    - debian/patches/CVE-2015-0273.patch: fix use after free in
      ext/date/php_date.c, added tests to ext/date/tests/bug68942.phpt,
      ext/date/tests/bug68942_2.phpt.
    - CVE-2015-0273
  * SECURITY UPDATE: denial of service or possible code execution in phar
    - debian/patches/CVE-2015-2301.patch: fix use after free in
      ext/phar/phar_object.c.
    - CVE-2015-2301
 -- Marc Deslauriers <email address hidden>   Mon, 16 Mar 2015 13:31:32 -0400
Superseded in vivid-release on 2015-03-17
Deleted in vivid-proposed on 2015-03-19 (Reason: moved to release)
php5 (5.6.4+dfsg-4ubuntu2) vivid; urgency=medium

  * SECURITY UPDATE: out of bounds read via invalid php file
    - debian/patches/CVE-2014-9427.patch: fix bounds in
      sapi/cgi/cgi_main.c.
    - CVE-2014-9427
  * SECURITY UPDATE: out of bounds read in fileinfo
    - debian/patches/CVE-2014-9652.patch: properly check length in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-9652
  * SECURITY UPDATE: arbitrary code execution via improper handling of
    duplicate keys in unserializer, additional fix
    - debian/patches/CVE-2015-0231.patch: fix use after free in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/strings/bug68710.phpt.
    - CVE-2015-0231
  * SECURITY UPDATE: arbitrary code execution or denial of service via
    crafted EXIF data
    - debian/patches/CVE-2015-0232.patch: fix uninitialized pointer free in
      ext/exif/exif.c.
    - CVE-2015-0232
  * SECURITY UPDATE: use after free in opcache component
    - debian/patches/CVE-2015-1351.patch: fix use after free in
      ext/opcache/zend_shared_alloc.c.
    - CVE-2015-1351
  * SECURITY UPDATE: null pointer dereference in pgsql
    - debian/patches/CVE-2015-1352.patch: properly set valid token in
      ext/pgsql/pgsql.c.
    - CVE-2015-1352
  * debian/patches/remove_readelf.patch: remove readelf.c from fileinfo as
    it isn't used, and is a source of confusion when doing security
    updates.
 -- Marc Deslauriers <email address hidden>   Tue, 17 Feb 2015 15:47:51 -0500
Superseded in precise-updates on 2015-03-18
Superseded in precise-security on 2015-03-18
php5 (5.3.10-1ubuntu3.16) precise-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via improper handling of
    duplicate keys in unserializer
    - debian/patches/CVE-2014-8142.patch: fix use after free in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/serialize/bug68594.phpt.
    - CVE-2014-8142
  * SECURITY UPDATE: arbitrary code execution via improper handling of
    duplicate keys in unserializer, additional fix
    - debian/patches/CVE-2015-0231.patch: fix use after free in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/strings/bug68710.phpt.
    - CVE-2015-0231
  * debian/patches/remove_readelf.patch: remove readelf.c from fileinfo as
    it isn't used, and is a source of confusion when doing security
    updates.
  * debian/patches/CVE-2014-3710.patch: removed, wasn't needed.
 -- Marc Deslauriers <email address hidden>   Fri, 13 Feb 2015 11:53:39 -0500
Superseded in trusty-updates on 2015-03-18
Superseded in trusty-security on 2015-03-18
php5 (5.5.9+dfsg-1ubuntu4.6) trusty-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via improper handling of
    duplicate keys in unserializer
    - debian/patches/CVE-2014-8142.patch: fix use after free in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/serialize/bug68594.phpt.
    - CVE-2014-8142
  * SECURITY UPDATE: out of bounds read via invalid php file
    - debian/patches/CVE-2014-9427.patch: fix bounds in
      sapi/cgi/cgi_main.c.
    - CVE-2014-9427
  * SECURITY UPDATE: out of bounds read in fileinfo
    - debian/patches/CVE-2014-9652.patch: properly check length in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-9652
  * SECURITY UPDATE: arbitrary code execution via improper handling of
    duplicate keys in unserializer, additional fix
    - debian/patches/CVE-2015-0231.patch: fix use after free in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/strings/bug68710.phpt.
    - CVE-2015-0231
  * SECURITY UPDATE: arbitrary code execution or denial of service via
    crafted EXIF data
    - debian/patches/CVE-2015-0232.patch: fix uninitialized pointer free in
      ext/exif/exif.c.
    - CVE-2015-0232
  * SECURITY UPDATE: use after free in opcache component
    - debian/patches/CVE-2015-1351.patch: fix use after free in
      ext/opcache/zend_shared_alloc.c.
    - CVE-2015-1351
  * SECURITY UPDATE: null pointer dereference in pgsql
    - debian/patches/CVE-2015-1352.patch: properly set valid token in
      ext/pgsql/pgsql.c.
    - CVE-2015-1352
  * debian/patches/remove_readelf.patch: remove readelf.c from fileinfo as
    it isn't used, and is a source of confusion when doing security
    updates.
  * debian/patches/CVE-2014-3710.patch: removed, wasn't needed.
 -- Marc Deslauriers <email address hidden>   Fri, 13 Feb 2015 11:15:38 -0500
Superseded in utopic-updates on 2015-03-18
Superseded in utopic-security on 2015-03-18
php5 (5.5.12+dfsg-2ubuntu4.2) utopic-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via improper handling of
    duplicate keys in unserializer
    - debian/patches/CVE-2014-8142.patch: fix use after free in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/serialize/bug68594.phpt.
    - CVE-2014-8142
  * SECURITY UPDATE: out of bounds read via invalid php file
    - debian/patches/CVE-2014-9427.patch: fix bounds in
      sapi/cgi/cgi_main.c.
    - CVE-2014-9427
  * SECURITY UPDATE: out of bounds read in fileinfo
    - debian/patches/CVE-2014-9652.patch: properly check length in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-9652
  * SECURITY UPDATE: arbitrary code execution via improper handling of
    duplicate keys in unserializer, additional fix
    - debian/patches/CVE-2015-0231.patch: fix use after free in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/strings/bug68710.phpt.
    - CVE-2015-0231
  * SECURITY UPDATE: arbitrary code execution or denial of service via
    crafted EXIF data
    - debian/patches/CVE-2015-0232.patch: fix uninitialized pointer free in
      ext/exif/exif.c.
    - CVE-2015-0232
  * SECURITY UPDATE: use after free in opcache component
    - debian/patches/CVE-2015-1351.patch: fix use after free in
      ext/opcache/zend_shared_alloc.c.
    - CVE-2015-1351
  * SECURITY UPDATE: null pointer dereference in pgsql
    - debian/patches/CVE-2015-1352.patch: properly set valid token in
      ext/pgsql/pgsql.c.
    - CVE-2015-1352
  * debian/patches/remove_readelf.patch: remove readelf.c from fileinfo as
    it isn't used, and is a source of confusion when doing security
    updates.
  * debian/patches/CVE-2014-3710.patch: removed, wasn't needed.
 -- Marc Deslauriers <email address hidden>   Fri, 13 Feb 2015 08:10:41 -0500
Superseded in vivid-release on 2015-03-04
Deleted in vivid-proposed on 2015-03-05 (Reason: moved to release)
php5 (5.6.4+dfsg-4ubuntu1) vivid; urgency=medium

  * Merge from Debian testing (LP: #1411811). Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm, onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt
      since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
  * Drop changes:
    - Reported fixed in upstream release of 5.6.0: quilt patches for
      CVE-2014-0237, CVE-2014-0238, CVE-2014-4049, CVE-2014-0207,
      CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487,
      CVE-2014-3515, CVE-2014-4670, CVE-2014-4698, CVE-2014-4721,
      CVE-2014-3587 and CVE-2014-3597, and d/p/fix_systemd_ftbfs.patch.
    - Reported fixed in upstream release of 5.6.2: quilt patches for
      CVE-2014-3668, CVE-2014-3669 and CVE-2014-3670, and
      d/p/curl_embedded_null.patch.
    - Reported fixed in upstream release of 5.6.3: quilt patch for
      CVE-2014-3710.
    - Applied in Debian:
      + d/rules: stop mysql instance on clean just in case we failed in
        tests.
      + d/tests/{cgi,cli,mod-php}: dep8 tests for common use cases.
      + d/rules: export DEB_HOST_MULTIARCH properly.
      + d/rules: load dpkg-buildflags earlier, so that CFLAGS changes are not
        overridden.
 -- Robie Basak <email address hidden>   Tue, 27 Jan 2015 12:09:42 +0000
Superseded in vivid-release on 2015-02-02
Deleted in vivid-proposed on 2015-02-03 (Reason: moved to release)
php5 (5.5.12+dfsg-2ubuntu5) vivid; urgency=medium

  * SECURITY UPDATE: denial of service via buffer overflow in mkgmtime()
    - debian/patches/CVE-2014-3668.patch: properly handle sizes in
      ext/xmlrpc/libxmlrpc/xmlrpc.c, added test to
      ext/xmlrpc/tests/bug68027.phpt.
    - CVE-2014-3668
  * SECURITY UPDATE: integer overflow in unserialize()
    - debian/patches/CVE-2014-3669.patch: fix overflow in
      ext/standard/var_unserializer.{c,re}, added test to
      ext/standard/tests/serialize/bug68044.phpt.
    - CVE-2014-3669
  * SECURITY UPDATE: Heap corruption in exif_thumbnail()
    - debian/patches/CVE-2014-3670.patch: fix sizes in ext/exif/exif.c.
    - CVE-2014-3670
  * SECURITY UPDATE: out of bounds read in elf note headers in fileinfo()
    - debian/patches/CVE-2014-3710.patch: validate note headers in
      ext/fileinfo/libmagic/readelf.c.
    - CVE-2014-3710
  * SECURITY UPDATE: local file disclosure via curl NULL byte injection
    - debian/patches/curl_embedded_null.patch: don't accept curl options
      with embedded NULLs in ext/curl/interface.c, added test to
      ext/curl/tests/bug68089.phpt.
    - No CVE number
  * Fix FTBFS with systemd version in vivid
    - debian/patches/fix_systemd_ftbfs.patch: improve detection logic in
      sapi/fpm/config.m4.
 -- Marc Deslauriers <email address hidden>   Wed, 29 Oct 2014 11:56:11 -0400
Superseded in precise-updates on 2015-02-17
Superseded in precise-security on 2015-02-17
php5 (5.3.10-1ubuntu3.15) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via buffer overflow in mkgmtime()
    - debian/patches/CVE-2014-3668.patch: properly handle sizes in
      ext/xmlrpc/libxmlrpc/xmlrpc.c, added test to
      ext/xmlrpc/tests/bug68027.phpt.
    - CVE-2014-3668
  * SECURITY UPDATE: integer overflow in unserialize()
    - debian/patches/CVE-2014-3669.patch: fix overflow in
      ext/standard/var_unserializer.{c,re}, added test to
      ext/standard/tests/serialize/bug68044.phpt.
    - CVE-2014-3669
  * SECURITY UPDATE: Heap corruption in exif_thumbnail()
    - debian/patches/CVE-2014-3670.patch: fix sizes in ext/exif/exif.c.
    - CVE-2014-3670
  * SECURITY UPDATE: out of bounds read in elf note headers in fileinfo()
    - debian/patches/CVE-2014-3710.patch: validate note headers in
      ext/fileinfo/libmagic/readelf.c.
    - CVE-2014-3710
  * SECURITY UPDATE: local file disclosure via curl NULL byte injection
    - debian/patches/curl_embedded_null.patch: don't accept curl options
      with embedded NULLs in ext/curl/interface.c, added test to
      ext/curl/tests/bug68089.phpt.
    - No CVE number
 -- Marc Deslauriers <email address hidden>   Tue, 28 Oct 2014 15:06:12 -0400
Superseded in trusty-updates on 2015-02-17
Superseded in trusty-security on 2015-02-17
php5 (5.5.9+dfsg-1ubuntu4.5) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via buffer overflow in mkgmtime()
    - debian/patches/CVE-2014-3668.patch: properly handle sizes in
      ext/xmlrpc/libxmlrpc/xmlrpc.c, added test to
      ext/xmlrpc/tests/bug68027.phpt.
    - CVE-2014-3668
  * SECURITY UPDATE: integer overflow in unserialize()
    - debian/patches/CVE-2014-3669.patch: fix overflow in
      ext/standard/var_unserializer.{c,re}, added test to
      ext/standard/tests/serialize/bug68044.phpt.
    - CVE-2014-3669
  * SECURITY UPDATE: Heap corruption in exif_thumbnail()
    - debian/patches/CVE-2014-3670.patch: fix sizes in ext/exif/exif.c.
    - CVE-2014-3670
  * SECURITY UPDATE: out of bounds read in elf note headers in fileinfo()
    - debian/patches/CVE-2014-3710.patch: validate note headers in
      ext/fileinfo/libmagic/readelf.c.
    - CVE-2014-3710
  * SECURITY UPDATE: local file disclosure via curl NULL byte injection
    - debian/patches/curl_embedded_null.patch: don't accept curl options
      with embedded NULLs in ext/curl/interface.c, added test to
      ext/curl/tests/bug68089.phpt.
    - No CVE number
 -- Marc Deslauriers <email address hidden>   Tue, 28 Oct 2014 14:52:03 -0400
Superseded in utopic-updates on 2015-02-17
Superseded in utopic-security on 2015-02-17
php5 (5.5.12+dfsg-2ubuntu4.1) utopic-security; urgency=medium

  * SECURITY UPDATE: denial of service via buffer overflow in mkgmtime()
    - debian/patches/CVE-2014-3668.patch: properly handle sizes in
      ext/xmlrpc/libxmlrpc/xmlrpc.c, added test to
      ext/xmlrpc/tests/bug68027.phpt.
    - CVE-2014-3668
  * SECURITY UPDATE: integer overflow in unserialize()
    - debian/patches/CVE-2014-3669.patch: fix overflow in
      ext/standard/var_unserializer.{c,re}, added test to
      ext/standard/tests/serialize/bug68044.phpt.
    - CVE-2014-3669
  * SECURITY UPDATE: Heap corruption in exif_thumbnail()
    - debian/patches/CVE-2014-3670.patch: fix sizes in ext/exif/exif.c.
    - CVE-2014-3670
  * SECURITY UPDATE: out of bounds read in elf note headers in fileinfo()
    - debian/patches/CVE-2014-3710.patch: validate note headers in
      ext/fileinfo/libmagic/readelf.c.
    - CVE-2014-3710
  * SECURITY UPDATE: local file disclosure via curl NULL byte injection
    - debian/patches/curl_embedded_null.patch: don't accept curl options
      with embedded NULLs in ext/curl/interface.c, added test to
      ext/curl/tests/bug68089.phpt.
    - No CVE number
 -- Marc Deslauriers <email address hidden>   Tue, 28 Oct 2014 14:41:37 -0400
Superseded in lucid-updates on 2015-03-18
Superseded in lucid-security on 2015-03-18
php5 (5.3.2-1ubuntu4.28) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service via buffer overflow in mkgmtime()
    - debian/patches/CVE-2014-3668.patch: properly handle sizes in
      ext/xmlrpc/libxmlrpc/xmlrpc.c, added test to
      ext/xmlrpc/tests/bug68027.phpt.
    - CVE-2014-3668
  * SECURITY UPDATE: integer overflow in unserialize()
    - debian/patches/CVE-2014-3669.patch: fix overflow in
      ext/standard/var_unserializer.{c,re}, added test to
      ext/standard/tests/serialize/bug68044.phpt.
    - CVE-2014-3669
  * SECURITY UPDATE: Heap corruption in exif_thumbnail()
    - debian/patches/CVE-2014-3670.patch: fix sizes in ext/exif/exif.c.
    - CVE-2014-3670
  * SECURITY UPDATE: out of bounds read in elf note headers in fileinfo()
    - debian/patches/CVE-2014-3710.patch: validate note headers in
      ext/fileinfo/libmagic/readelf.c.
    - CVE-2014-3710
  * SECURITY UPDATE: local file disclosure via curl NULL byte injection
    - debian/patches/curl_embedded_null.patch: don't accept curl options
      with embedded NULLs in ext/curl/interface.c, added test to
      ext/curl/tests/bug68089.phpt.
    - No CVE number
 -- Marc Deslauriers <email address hidden>   Tue, 28 Oct 2014 15:17:04 -0400
Superseded in vivid-release on 2014-11-03
Published in utopic-release on 2014-09-22
Deleted in utopic-proposed (Reason: moved to release)
php5 (5.5.12+dfsg-2ubuntu4) utopic; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3587.patch: check for array under-runs as well
      as over-runs in ext/fileinfo/libmagic/cdf.c
    - CVE-2014-3587
  * SECURITY UPDATE: denial of service in dns_get_record
    - debian/patches/CVE-2014-3597.patch: check for DNS overflows in
      ext/standard/dns.c
    - CVE-2014-3587
 -- Seth Arnold <email address hidden>   Wed, 03 Sep 2014 23:27:47 -0700
Superseded in lucid-updates on 2014-10-30
Superseded in lucid-security on 2014-10-30
php5 (5.3.2-1ubuntu4.27) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3587.patch: check for array under-runs as well
      as over-runs in ext/fileinfo/libmagic/cdf.c
    - CVE-2014-3587
  * SECURITY UPDATE: denial of service in dns_get_record
    - debian/patches/CVE-2014-3597.patch: check for DNS overflows in
      ext/standard/dns.c
    - CVE-2014-3587
 -- Seth Arnold <email address hidden>   Wed, 03 Sep 2014 23:27:31 -0700
Superseded in precise-updates on 2014-10-30
Superseded in precise-security on 2014-10-30
php5 (5.3.10-1ubuntu3.14) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3587.patch: check for array under-runs as well
      as over-runs in ext/fileinfo/libmagic/cdf.c
    - CVE-2014-3587
  * SECURITY UPDATE: denial of service in dns_get_record
    - debian/patches/CVE-2014-3597.patch: check for DNS overflows in
      ext/standard/dns.c
    - CVE-2014-3587
 -- Seth Arnold <email address hidden>   Wed, 03 Sep 2014 23:27:39 -0700
Superseded in trusty-updates on 2014-10-30
Superseded in trusty-security on 2014-10-30
php5 (5.5.9+dfsg-1ubuntu4.4) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3587.patch: check for array under-runs as well
      as over-runs in ext/fileinfo/libmagic/cdf.c
    - CVE-2014-3587
  * SECURITY UPDATE: denial of service in dns_get_record
    - debian/patches/CVE-2014-3597.patch: check for DNS overflows in
      ext/standard/dns.c
    - CVE-2014-3587
 -- Seth Arnold <email address hidden>   Wed, 03 Sep 2014 23:33:06 -0700
Superseded in utopic-release on 2014-09-22
Deleted in utopic-proposed on 2014-09-23 (Reason: moved to release)
php5 (5.5.12+dfsg-2ubuntu3) utopic; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector
    - debian/patches/CVE-2014-0207.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0207
  * SECURITY UPDATE: denial of service in FileInfo mconvert
    - debian/patches/CVE-2014-3478.patch: properly handle truncated pascal
      string size in ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-3478
  * SECURITY UPDATE: denial of service in FileInfo cdf_check_stream_offset
    - debian/patches/CVE-2014-3479.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3479
  * SECURITY UPDATE: denial of service in FileInfo cdf_count_chain
    - debian/patches/CVE-2014-3480.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3480
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3487.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3487
  * SECURITY UPDATE: denial of service and possible code execution via
    unserialize() SPL type confusion
    - debian/patches/CVE-2014-3515.patch: properly check types in
      ext/spl/spl_array.c, ext/spl/spl_observer.c, added test to
      ext/spl/tests/SplObjectStorage_unserialize_bad.phpt.
    - CVE-2014-3515
  * SECURITY UPDATE: denial of service via SPL Iterators use-after-free
    - debian/patches/CVE-2014-4670.patch: fix use-after-free in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug67538.phpt.
    - CVE-2014-4670
  * SECURITY UPDATE: denial of service via ArrayIterator use-after-free
    - debian/patches/CVE-2014-4698.patch: don't allow modifying ArrayObject
      during sorting in ext/spl/spl_array.c, added test to
      ext/spl/tests/bug67539.phpt.
    - CVE-2014-4698
  * SECURITY UPDATE: information leak via phpinfo (LP: #1338170)
    - debian/patches/CVE-2014-4721.patch: fix type confusion in
      ext/standard/info.c, added test to
      ext/standard/tests/general_functions/bug67498.phpt.
    - CVE-2014-4721
 -- Marc Deslauriers <email address hidden>   Wed, 09 Jul 2014 13:00:04 -0400
Superseded in lucid-updates on 2014-09-10
Superseded in lucid-security on 2014-09-09
php5 (5.3.2-1ubuntu4.26) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector
    - debian/patches/CVE-2014-0207.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0207
  * SECURITY UPDATE: denial of service in FileInfo cdf_count_chain
    - debian/patches/CVE-2014-3480.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3480
  * SECURITY UPDATE: denial of service and possible code execution via
    unserialize() SPL type confusion
    - debian/patches/CVE-2014-3515.patch: properly check types in
      ext/spl/spl_array.c, ext/spl/spl_observer.c, added test to
      ext/spl/tests/SplObjectStorage_unserialize_bad.phpt.
    - CVE-2014-3515
  * SECURITY UPDATE: denial of service via SPL Iterators use-after-free
    - debian/patches/CVE-2014-4670.patch: fix use-after-free in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug67538.phpt.
    - CVE-2014-4670
  * SECURITY UPDATE: denial of service via ArrayIterator use-after-free
    - debian/patches/CVE-2014-4698.patch: don't allow modifying ArrayObject
      during sorting in ext/spl/spl_array.c, added test to
      ext/spl/tests/bug67539.phpt.
    - CVE-2014-4698
  * SECURITY UPDATE: information leak via phpinfo (LP: #1338170)
    - debian/patches/CVE-2014-4721.patch: fix type confusion in
      ext/standard/info.c, added test to
      ext/standard/tests/general_functions/bug67498.phpt.
    - CVE-2014-4721
 -- Marc Deslauriers <email address hidden>   Tue, 08 Jul 2014 21:22:42 -0400
Superseded in precise-updates on 2014-09-10
Superseded in precise-security on 2014-09-09
php5 (5.3.10-1ubuntu3.13) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector
    - debian/patches/CVE-2014-0207.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0207
  * SECURITY UPDATE: denial of service in FileInfo cdf_count_chain
    - debian/patches/CVE-2014-3480.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3480
  * SECURITY UPDATE: denial of service and possible code execution via
    unserialize() SPL type confusion
    - debian/patches/CVE-2014-3515.patch: properly check types in
      ext/spl/spl_array.c, ext/spl/spl_observer.c, added test to
      ext/spl/tests/SplObjectStorage_unserialize_bad.phpt.
    - CVE-2014-3515
  * SECURITY UPDATE: denial of service via SPL Iterators use-after-free
    - debian/patches/CVE-2014-4670.patch: fix use-after-free in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug67538.phpt.
    - CVE-2014-4670
  * SECURITY UPDATE: denial of service via ArrayIterator use-after-free
    - debian/patches/CVE-2014-4698.patch: don't allow modifying ArrayObject
      during sorting in ext/spl/spl_array.c, added test to
      ext/spl/tests/bug67539.phpt.
    - CVE-2014-4698
  * SECURITY UPDATE: information leak via phpinfo (LP: #1338170)
    - debian/patches/CVE-2014-4721.patch: fix type confusion in
      ext/standard/info.c, added test to
      ext/standard/tests/general_functions/bug67498.phpt.
    - CVE-2014-4721
 -- Marc Deslauriers <email address hidden>   Mon, 07 Jul 2014 08:41:06 -0400
Obsolete in saucy-updates on 2015-04-24
Obsolete in saucy-security on 2015-04-24
php5 (5.5.3+dfsg-1ubuntu2.6) saucy-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector
    - debian/patches/CVE-2014-0207.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0207
  * SECURITY UPDATE: denial of service in FileInfo mconvert
    - debian/patches/CVE-2014-3478.patch: properly handle truncated pascal
      string size in ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-3478
  * SECURITY UPDATE: denial of service in FileInfo cdf_check_stream_offset
    - debian/patches/CVE-2014-3479.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3479
  * SECURITY UPDATE: denial of service in FileInfo cdf_count_chain
    - debian/patches/CVE-2014-3480.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3480
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3487.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3487
  * SECURITY UPDATE: denial of service and possible code execution via
    unserialize() SPL type confusion
    - debian/patches/CVE-2014-3515.patch: properly check types in
      ext/spl/spl_array.c, ext/spl/spl_observer.c, added test to
      ext/spl/tests/SplObjectStorage_unserialize_bad.phpt.
    - CVE-2014-3515
  * SECURITY UPDATE: denial of service via SPL Iterators use-after-free
    - debian/patches/CVE-2014-4670.patch: fix use-after-free in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug67538.phpt.
    - CVE-2014-4670
  * SECURITY UPDATE: denial of service via ArrayIterator use-after-free
    - debian/patches/CVE-2014-4698.patch: don't allow modifying ArrayObject
      during sorting in ext/spl/spl_array.c, added test to
      ext/spl/tests/bug67539.phpt.
    - CVE-2014-4698
  * SECURITY UPDATE: information leak via phpinfo (LP: #1338170)
    - debian/patches/CVE-2014-4721.patch: fix type confusion in
      ext/standard/info.c, added test to
      ext/standard/tests/general_functions/bug67498.phpt.
    - CVE-2014-4721
 -- Marc Deslauriers <email address hidden>   Mon, 07 Jul 2014 07:46:31 -0400
Superseded in trusty-updates on 2014-09-10
Superseded in trusty-security on 2014-09-09
php5 (5.5.9+dfsg-1ubuntu4.3) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector
    - debian/patches/CVE-2014-0207.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0207
  * SECURITY UPDATE: denial of service in FileInfo mconvert
    - debian/patches/CVE-2014-3478.patch: properly handle truncated pascal
      string size in ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-3478
  * SECURITY UPDATE: denial of service in FileInfo cdf_check_stream_offset
    - debian/patches/CVE-2014-3479.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3479
  * SECURITY UPDATE: denial of service in FileInfo cdf_count_chain
    - debian/patches/CVE-2014-3480.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3480
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3487.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3487
  * SECURITY UPDATE: denial of service and possible code execution via
    unserialize() SPL type confusion
    - debian/patches/CVE-2014-3515.patch: properly check types in
      ext/spl/spl_array.c, ext/spl/spl_observer.c, added test to
      ext/spl/tests/SplObjectStorage_unserialize_bad.phpt.
    - CVE-2014-3515
  * SECURITY UPDATE: denial of service via SPL Iterators use-after-free
    - debian/patches/CVE-2014-4670.patch: fix use-after-free in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug67538.phpt.
    - CVE-2014-4670
  * SECURITY UPDATE: denial of service via ArrayIterator use-after-free
    - debian/patches/CVE-2014-4698.patch: don't allow modifying ArrayObject
      during sorting in ext/spl/spl_array.c, added test to
      ext/spl/tests/bug67539.phpt.
    - CVE-2014-4698
  * SECURITY UPDATE: information leak via phpinfo (LP: #1338170)
    - debian/patches/CVE-2014-4721.patch: fix type confusion in
      ext/standard/info.c, added test to
      ext/standard/tests/general_functions/bug67498.phpt.
    - CVE-2014-4721
 -- Marc Deslauriers <email address hidden>   Mon, 07 Jul 2014 07:44:21 -0400
Superseded in trusty-updates on 2014-07-09
Superseded in trusty-security on 2014-07-09
php5 (5.5.9+dfsg-1ubuntu4.2) trusty-security; urgency=medium

  * SECURITY UPDATE: better FastCGI socket permissions (LP: #1334337)
    - debian/rules: enable listen.owner and listen.group so that the socket
      is accessible to www-data by default. This allows most setups to
      continue working with the more restrictive permissions.
 -- Marc Deslauriers <email address hidden>   Wed, 25 Jun 2014 11:46:16 -0400
Superseded in saucy-updates on 2014-07-09
Superseded in saucy-security on 2014-07-09
php5 (5.5.3+dfsg-1ubuntu2.5) saucy-security; urgency=medium

  * SECURITY UPDATE: better FastCGI socket permissions (LP: #1334337)
    - debian/rules: enable listen.owner and listen.group so that the socket
      is accessible to www-data by default. This allows most setups to
      continue working with the more restrictive permissions.
 -- Marc Deslauriers <email address hidden>   Wed, 25 Jun 2014 11:52:07 -0400
Superseded in utopic-release on 2014-07-09
Deleted in utopic-proposed on 2014-07-11 (Reason: moved to release)
php5 (5.5.12+dfsg-2ubuntu2) utopic; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
    - debian/patches/CVE-2014-0237.patch: remove file_printf calls in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0237
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-0238.patch: fix infinite loop in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0238
  * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
    parsing
    - debian/patches/CVE-2014-4049.patch: check length in
      ext/standard/dns.c.
    - CVE-2014-4049
 -- Marc Deslauriers <email address hidden>   Thu, 19 Jun 2014 13:21:19 -0400
Superseded in lucid-updates on 2014-07-09
Superseded in lucid-security on 2014-07-09
php5 (5.3.2-1ubuntu4.25) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
    - debian/patches/CVE-2014-0237.patch: remove file_printf calls in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0237
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-0238.patch: fix infinite loop in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0238
  * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
    parsing
    - debian/patches/CVE-2014-4049.patch: check length in
      ext/standard/dns.c.
    - CVE-2014-4049
 -- Marc Deslauriers <email address hidden>   Thu, 19 Jun 2014 13:48:46 -0400
Superseded in precise-updates on 2014-07-09
Superseded in precise-security on 2014-07-09
php5 (5.3.10-1ubuntu3.12) precise-security; urgency=medium

  * SECURITY UPDATE: incorrect FastCGI socket permissions (LP: #1307027)
    - debian/patches/CVE-2014-0185.patch: default to 0660 in
      sapi/fpm/fpm/fpm_unix.c, sapi/fpm/php-fpm.conf.in.
    - CVE-2014-0185
  * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
    - debian/patches/CVE-2014-0237.patch: remove file_printf calls in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0237
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-0238.patch: fix infinite loop in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0238
  * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
    parsing
    - debian/patches/CVE-2014-4049.patch: check length in
      ext/standard/dns.c.
    - CVE-2014-4049
 -- Marc Deslauriers <email address hidden>   Thu, 19 Jun 2014 13:44:17 -0400
Superseded in trusty-updates on 2014-06-25
Superseded in trusty-security on 2014-06-25
php5 (5.5.9+dfsg-1ubuntu4.1) trusty-security; urgency=medium

  * SECURITY UPDATE: incorrect FastCGI socket permissions (LP: #1307027)
    - debian/patches/CVE-2014-0185.patch: default to 0660 in
      sapi/fpm/fpm/fpm_unix.c, sapi/fpm/php-fpm.conf.in.
    - CVE-2014-0185
  * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
    - debian/patches/CVE-2014-0237.patch: remove file_printf calls in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0237
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-0238.patch: fix infinite loop in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0238
  * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
    parsing
    - debian/patches/CVE-2014-4049.patch: check length in
      ext/standard/dns.c.
    - CVE-2014-4049
 -- Marc Deslauriers <email address hidden>   Thu, 19 Jun 2014 13:30:13 -0400
Superseded in saucy-updates on 2014-06-25
Superseded in saucy-security on 2014-06-25
php5 (5.5.3+dfsg-1ubuntu2.4) saucy-security; urgency=medium

  * SECURITY UPDATE: incorrect FastCGI socket permissions (LP: #1307027)
    - debian/patches/CVE-2014-0185.patch: default to 0660 in
      sapi/fpm/fpm/fpm_unix.c, sapi/fpm/php-fpm.conf.in.
    - CVE-2014-0185
  * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
    - debian/patches/CVE-2014-0237.patch: remove file_printf calls in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0237
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-0238.patch: fix infinite loop in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0238
  * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
    parsing
    - debian/patches/CVE-2014-4049.patch: check length in
      ext/standard/dns.c.
    - CVE-2014-4049
 -- Marc Deslauriers <email address hidden>   Thu, 19 Jun 2014 13:33:33 -0400
Superseded in utopic-release on 2014-06-20
Deleted in utopic-proposed on 2014-06-21 (Reason: moved to release)
php5 (5.5.12+dfsg-2ubuntu1) utopic; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm, onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt
      since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - debian/rules: re-enable tests
    - d/tests/{cgi,cli,mod-php}: dep8 tests for common use cases.
    - d/rules: load dpkg-buildflags earlier, so that CFLAGS changes are not
      overridden.
  * Drop changes (upstreamed / in-Debian):
    - CVE-2014-2270, CVE-2013-1943, imageconvolution-regression.patch:
      included in this merge
  * Drop changes (no longer needed):
    - d/rules, d/control: re-add use of dh_systemd as it is in main now.
    - php5-fpm.upstart: re-add "reload signal USR2" stanza, LTS was
      released.

Superseded in utopic-release on 2014-05-21
Published in trusty-release on 2014-04-09
Deleted in trusty-proposed (Reason: moved to release)
php5 (5.5.9+dfsg-1ubuntu4) trusty; urgency=medium

  * Comment out "reload signal USR2" stanza from php5-fpm to make the job
    compatible with Precise upstart, when it's still running as pid1
    during upgrade to trusty and before the restart. We'd rather support
    shorter down-time then reload interface. (LP: #1272788)
 -- Dimitri John Ledkov <email address hidden>   Wed, 09 Apr 2014 16:23:30 +0100
Superseded in lucid-updates on 2014-06-23
Superseded in lucid-security on 2014-06-23
php5 (5.3.2-1ubuntu4.24) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
    PE executable
    - debian/patches/CVE-2014-2270.patch: check bounds in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-2270
 -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:23:04 -0400
Superseded in trusty-release on 2014-04-09
Deleted in trusty-proposed on 2014-04-11 (Reason: moved to release)
php5 (5.5.9+dfsg-1ubuntu3) trusty; urgency=medium

  * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
    PE executable
    - debian/patches/CVE-2014-2270.patch: check bounds in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-2270
 -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:12:10 -0400
Obsolete in quantal-updates on 2015-04-24
Obsolete in quantal-security on 2015-04-24
php5 (5.4.6-1ubuntu1.8) quantal-security; urgency=medium

  * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
    PE executable
    - debian/patches/CVE-2014-2270.patch: check bounds in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-2270
 -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:18:45 -0400
Superseded in saucy-updates on 2014-06-23
Superseded in saucy-security on 2014-06-23
php5 (5.5.3+dfsg-1ubuntu2.3) saucy-security; urgency=medium

  * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
    PE executable
    - debian/patches/CVE-2014-2270.patch: check bounds in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-2270
 -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:14:26 -0400
175 of 350 results