Change log for php5 package in Ubuntu

175 of 307 results
Published in vivid-release 18 hours ago
Deleted in vivid-proposed (Reason: moved to release)
php5 (5.6.4+dfsg-4ubuntu2) vivid; urgency=medium

  * SECURITY UPDATE: out of bounds read via invalid php file
    - debian/patches/CVE-2014-9427.patch: fix bounds in
      sapi/cgi/cgi_main.c.
    - CVE-2014-9427
  * SECURITY UPDATE: out of bounds read in fileinfo
    - debian/patches/CVE-2014-9652.patch: properly check length in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-9652
  * SECURITY UPDATE: arbitrary code execution via improper handling of
    duplicate keys in unserializer, additional fix
    - debian/patches/CVE-2015-0231.patch: fix use after free in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/strings/bug68710.phpt.
    - CVE-2015-0231
  * SECURITY UPDATE: arbitrary code execution or denial of service via
    crafted EXIF data
    - debian/patches/CVE-2015-0232.patch: fix uninitialized pointer free in
      ext/exif/exif.c.
    - CVE-2015-0232
  * SECURITY UPDATE: use after free in opcache component
    - debian/patches/CVE-2015-1351.patch: fix use after free in
      ext/opcache/zend_shared_alloc.c.
    - CVE-2015-1351
  * SECURITY UPDATE: null pointer dereference in pgsql
    - debian/patches/CVE-2015-1352.patch: properly set valid token in
      ext/pgsql/pgsql.c.
    - CVE-2015-1352
  * debian/patches/remove_readelf.patch: remove readelf.c from fileinfo as
    it isn't used, and is a source of confusion when doing security
    updates.
 -- Marc Deslauriers <email address hidden>   Tue, 17 Feb 2015 15:47:51 -0500
Published in precise-updates on 2015-02-17
Published in precise-security on 2015-02-17
php5 (5.3.10-1ubuntu3.16) precise-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via improper handling of
    duplicate keys in unserializer
    - debian/patches/CVE-2014-8142.patch: fix use after free in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/serialize/bug68594.phpt.
    - CVE-2014-8142
  * SECURITY UPDATE: arbitrary code execution via improper handling of
    duplicate keys in unserializer, additional fix
    - debian/patches/CVE-2015-0231.patch: fix use after free in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/strings/bug68710.phpt.
    - CVE-2015-0231
  * debian/patches/remove_readelf.patch: remove readelf.c from fileinfo as
    it isn't used, and is a source of confusion when doing security
    updates.
  * debian/patches/CVE-2014-3710.patch: removed, wasn't needed.
 -- Marc Deslauriers <email address hidden>   Fri, 13 Feb 2015 11:53:39 -0500
Published in trusty-updates on 2015-02-17
Published in trusty-security on 2015-02-17
php5 (5.5.9+dfsg-1ubuntu4.6) trusty-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via improper handling of
    duplicate keys in unserializer
    - debian/patches/CVE-2014-8142.patch: fix use after free in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/serialize/bug68594.phpt.
    - CVE-2014-8142
  * SECURITY UPDATE: out of bounds read via invalid php file
    - debian/patches/CVE-2014-9427.patch: fix bounds in
      sapi/cgi/cgi_main.c.
    - CVE-2014-9427
  * SECURITY UPDATE: out of bounds read in fileinfo
    - debian/patches/CVE-2014-9652.patch: properly check length in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-9652
  * SECURITY UPDATE: arbitrary code execution via improper handling of
    duplicate keys in unserializer, additional fix
    - debian/patches/CVE-2015-0231.patch: fix use after free in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/strings/bug68710.phpt.
    - CVE-2015-0231
  * SECURITY UPDATE: arbitrary code execution or denial of service via
    crafted EXIF data
    - debian/patches/CVE-2015-0232.patch: fix uninitialized pointer free in
      ext/exif/exif.c.
    - CVE-2015-0232
  * SECURITY UPDATE: use after free in opcache component
    - debian/patches/CVE-2015-1351.patch: fix use after free in
      ext/opcache/zend_shared_alloc.c.
    - CVE-2015-1351
  * SECURITY UPDATE: null pointer dereference in pgsql
    - debian/patches/CVE-2015-1352.patch: properly set valid token in
      ext/pgsql/pgsql.c.
    - CVE-2015-1352
  * debian/patches/remove_readelf.patch: remove readelf.c from fileinfo as
    it isn't used, and is a source of confusion when doing security
    updates.
  * debian/patches/CVE-2014-3710.patch: removed, wasn't needed.
 -- Marc Deslauriers <email address hidden>   Fri, 13 Feb 2015 11:15:38 -0500
Published in utopic-updates on 2015-02-17
Published in utopic-security on 2015-02-17
php5 (5.5.12+dfsg-2ubuntu4.2) utopic-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via improper handling of
    duplicate keys in unserializer
    - debian/patches/CVE-2014-8142.patch: fix use after free in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/serialize/bug68594.phpt.
    - CVE-2014-8142
  * SECURITY UPDATE: out of bounds read via invalid php file
    - debian/patches/CVE-2014-9427.patch: fix bounds in
      sapi/cgi/cgi_main.c.
    - CVE-2014-9427
  * SECURITY UPDATE: out of bounds read in fileinfo
    - debian/patches/CVE-2014-9652.patch: properly check length in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-9652
  * SECURITY UPDATE: arbitrary code execution via improper handling of
    duplicate keys in unserializer, additional fix
    - debian/patches/CVE-2015-0231.patch: fix use after free in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/strings/bug68710.phpt.
    - CVE-2015-0231
  * SECURITY UPDATE: arbitrary code execution or denial of service via
    crafted EXIF data
    - debian/patches/CVE-2015-0232.patch: fix uninitialized pointer free in
      ext/exif/exif.c.
    - CVE-2015-0232
  * SECURITY UPDATE: use after free in opcache component
    - debian/patches/CVE-2015-1351.patch: fix use after free in
      ext/opcache/zend_shared_alloc.c.
    - CVE-2015-1351
  * SECURITY UPDATE: null pointer dereference in pgsql
    - debian/patches/CVE-2015-1352.patch: properly set valid token in
      ext/pgsql/pgsql.c.
    - CVE-2015-1352
  * debian/patches/remove_readelf.patch: remove readelf.c from fileinfo as
    it isn't used, and is a source of confusion when doing security
    updates.
  * debian/patches/CVE-2014-3710.patch: removed, wasn't needed.
 -- Marc Deslauriers <email address hidden>   Fri, 13 Feb 2015 08:10:41 -0500
Superseded in vivid-release 18 hours ago
Deleted in vivid-proposed (Reason: moved to release)
php5 (5.6.4+dfsg-4ubuntu1) vivid; urgency=medium

  * Merge from Debian testing (LP: #1411811). Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm, onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt
      since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
  * Drop changes:
    - Reported fixed in upstream release of 5.6.0: quilt patches for
      CVE-2014-0237, CVE-2014-0238, CVE-2014-4049, CVE-2014-0207,
      CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487,
      CVE-2014-3515, CVE-2014-4670, CVE-2014-4698, CVE-2014-4721,
      CVE-2014-3587 and CVE-2014-3597, and d/p/fix_systemd_ftbfs.patch.
    - Reported fixed in upstream release of 5.6.2: quilt patches for
      CVE-2014-3668, CVE-2014-3669 and CVE-2014-3670, and
      d/p/curl_embedded_null.patch.
    - Reported fixed in upstream release of 5.6.3: quilt patch for
      CVE-2014-3710.
    - Applied in Debian:
      + d/rules: stop mysql instance on clean just in case we failed in
        tests.
      + d/tests/{cgi,cli,mod-php}: dep8 tests for common use cases.
      + d/rules: export DEB_HOST_MULTIARCH properly.
      + d/rules: load dpkg-buildflags earlier, so that CFLAGS changes are not
        overridden.
 -- Robie Basak <email address hidden>   Tue, 27 Jan 2015 12:09:42 +0000
Superseded in vivid-release on 2015-02-02
Deleted in vivid-proposed on 2015-02-03 (Reason: moved to release)
php5 (5.5.12+dfsg-2ubuntu5) vivid; urgency=medium

  * SECURITY UPDATE: denial of service via buffer overflow in mkgmtime()
    - debian/patches/CVE-2014-3668.patch: properly handle sizes in
      ext/xmlrpc/libxmlrpc/xmlrpc.c, added test to
      ext/xmlrpc/tests/bug68027.phpt.
    - CVE-2014-3668
  * SECURITY UPDATE: integer overflow in unserialize()
    - debian/patches/CVE-2014-3669.patch: fix overflow in
      ext/standard/var_unserializer.{c,re}, added test to
      ext/standard/tests/serialize/bug68044.phpt.
    - CVE-2014-3669
  * SECURITY UPDATE: Heap corruption in exif_thumbnail()
    - debian/patches/CVE-2014-3670.patch: fix sizes in ext/exif/exif.c.
    - CVE-2014-3670
  * SECURITY UPDATE: out of bounds read in elf note headers in fileinfo()
    - debian/patches/CVE-2014-3710.patch: validate note headers in
      ext/fileinfo/libmagic/readelf.c.
    - CVE-2014-3710
  * SECURITY UPDATE: local file disclosure via curl NULL byte injection
    - debian/patches/curl_embedded_null.patch: don't accept curl options
      with embedded NULLs in ext/curl/interface.c, added test to
      ext/curl/tests/bug68089.phpt.
    - No CVE number
  * Fix FTBFS with systemd version in vivid
    - debian/patches/fix_systemd_ftbfs.patch: improve detection logic in
      sapi/fpm/config.m4.
 -- Marc Deslauriers <email address hidden>   Wed, 29 Oct 2014 11:56:11 -0400
Superseded in precise-updates on 2015-02-17
Superseded in precise-security on 2015-02-17
php5 (5.3.10-1ubuntu3.15) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via buffer overflow in mkgmtime()
    - debian/patches/CVE-2014-3668.patch: properly handle sizes in
      ext/xmlrpc/libxmlrpc/xmlrpc.c, added test to
      ext/xmlrpc/tests/bug68027.phpt.
    - CVE-2014-3668
  * SECURITY UPDATE: integer overflow in unserialize()
    - debian/patches/CVE-2014-3669.patch: fix overflow in
      ext/standard/var_unserializer.{c,re}, added test to
      ext/standard/tests/serialize/bug68044.phpt.
    - CVE-2014-3669
  * SECURITY UPDATE: Heap corruption in exif_thumbnail()
    - debian/patches/CVE-2014-3670.patch: fix sizes in ext/exif/exif.c.
    - CVE-2014-3670
  * SECURITY UPDATE: out of bounds read in elf note headers in fileinfo()
    - debian/patches/CVE-2014-3710.patch: validate note headers in
      ext/fileinfo/libmagic/readelf.c.
    - CVE-2014-3710
  * SECURITY UPDATE: local file disclosure via curl NULL byte injection
    - debian/patches/curl_embedded_null.patch: don't accept curl options
      with embedded NULLs in ext/curl/interface.c, added test to
      ext/curl/tests/bug68089.phpt.
    - No CVE number
 -- Marc Deslauriers <email address hidden>   Tue, 28 Oct 2014 15:06:12 -0400
Superseded in trusty-updates on 2015-02-17
Superseded in trusty-security on 2015-02-17
php5 (5.5.9+dfsg-1ubuntu4.5) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via buffer overflow in mkgmtime()
    - debian/patches/CVE-2014-3668.patch: properly handle sizes in
      ext/xmlrpc/libxmlrpc/xmlrpc.c, added test to
      ext/xmlrpc/tests/bug68027.phpt.
    - CVE-2014-3668
  * SECURITY UPDATE: integer overflow in unserialize()
    - debian/patches/CVE-2014-3669.patch: fix overflow in
      ext/standard/var_unserializer.{c,re}, added test to
      ext/standard/tests/serialize/bug68044.phpt.
    - CVE-2014-3669
  * SECURITY UPDATE: Heap corruption in exif_thumbnail()
    - debian/patches/CVE-2014-3670.patch: fix sizes in ext/exif/exif.c.
    - CVE-2014-3670
  * SECURITY UPDATE: out of bounds read in elf note headers in fileinfo()
    - debian/patches/CVE-2014-3710.patch: validate note headers in
      ext/fileinfo/libmagic/readelf.c.
    - CVE-2014-3710
  * SECURITY UPDATE: local file disclosure via curl NULL byte injection
    - debian/patches/curl_embedded_null.patch: don't accept curl options
      with embedded NULLs in ext/curl/interface.c, added test to
      ext/curl/tests/bug68089.phpt.
    - No CVE number
 -- Marc Deslauriers <email address hidden>   Tue, 28 Oct 2014 14:52:03 -0400
Superseded in utopic-updates on 2015-02-17
Superseded in utopic-security on 2015-02-17
php5 (5.5.12+dfsg-2ubuntu4.1) utopic-security; urgency=medium

  * SECURITY UPDATE: denial of service via buffer overflow in mkgmtime()
    - debian/patches/CVE-2014-3668.patch: properly handle sizes in
      ext/xmlrpc/libxmlrpc/xmlrpc.c, added test to
      ext/xmlrpc/tests/bug68027.phpt.
    - CVE-2014-3668
  * SECURITY UPDATE: integer overflow in unserialize()
    - debian/patches/CVE-2014-3669.patch: fix overflow in
      ext/standard/var_unserializer.{c,re}, added test to
      ext/standard/tests/serialize/bug68044.phpt.
    - CVE-2014-3669
  * SECURITY UPDATE: Heap corruption in exif_thumbnail()
    - debian/patches/CVE-2014-3670.patch: fix sizes in ext/exif/exif.c.
    - CVE-2014-3670
  * SECURITY UPDATE: out of bounds read in elf note headers in fileinfo()
    - debian/patches/CVE-2014-3710.patch: validate note headers in
      ext/fileinfo/libmagic/readelf.c.
    - CVE-2014-3710
  * SECURITY UPDATE: local file disclosure via curl NULL byte injection
    - debian/patches/curl_embedded_null.patch: don't accept curl options
      with embedded NULLs in ext/curl/interface.c, added test to
      ext/curl/tests/bug68089.phpt.
    - No CVE number
 -- Marc Deslauriers <email address hidden>   Tue, 28 Oct 2014 14:41:37 -0400
Published in lucid-updates on 2014-10-30
Published in lucid-security on 2014-10-30
php5 (5.3.2-1ubuntu4.28) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service via buffer overflow in mkgmtime()
    - debian/patches/CVE-2014-3668.patch: properly handle sizes in
      ext/xmlrpc/libxmlrpc/xmlrpc.c, added test to
      ext/xmlrpc/tests/bug68027.phpt.
    - CVE-2014-3668
  * SECURITY UPDATE: integer overflow in unserialize()
    - debian/patches/CVE-2014-3669.patch: fix overflow in
      ext/standard/var_unserializer.{c,re}, added test to
      ext/standard/tests/serialize/bug68044.phpt.
    - CVE-2014-3669
  * SECURITY UPDATE: Heap corruption in exif_thumbnail()
    - debian/patches/CVE-2014-3670.patch: fix sizes in ext/exif/exif.c.
    - CVE-2014-3670
  * SECURITY UPDATE: out of bounds read in elf note headers in fileinfo()
    - debian/patches/CVE-2014-3710.patch: validate note headers in
      ext/fileinfo/libmagic/readelf.c.
    - CVE-2014-3710
  * SECURITY UPDATE: local file disclosure via curl NULL byte injection
    - debian/patches/curl_embedded_null.patch: don't accept curl options
      with embedded NULLs in ext/curl/interface.c, added test to
      ext/curl/tests/bug68089.phpt.
    - No CVE number
 -- Marc Deslauriers <email address hidden>   Tue, 28 Oct 2014 15:17:04 -0400
Superseded in vivid-release on 2014-11-03
Published in utopic-release on 2014-09-22
Deleted in utopic-proposed (Reason: moved to release)
php5 (5.5.12+dfsg-2ubuntu4) utopic; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3587.patch: check for array under-runs as well
      as over-runs in ext/fileinfo/libmagic/cdf.c
    - CVE-2014-3587
  * SECURITY UPDATE: denial of service in dns_get_record
    - debian/patches/CVE-2014-3597.patch: check for DNS overflows in
      ext/standard/dns.c
    - CVE-2014-3587
 -- Seth Arnold <email address hidden>   Wed, 03 Sep 2014 23:27:47 -0700
Superseded in lucid-updates on 2014-10-30
Superseded in lucid-security on 2014-10-30
php5 (5.3.2-1ubuntu4.27) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3587.patch: check for array under-runs as well
      as over-runs in ext/fileinfo/libmagic/cdf.c
    - CVE-2014-3587
  * SECURITY UPDATE: denial of service in dns_get_record
    - debian/patches/CVE-2014-3597.patch: check for DNS overflows in
      ext/standard/dns.c
    - CVE-2014-3587
 -- Seth Arnold <email address hidden>   Wed, 03 Sep 2014 23:27:31 -0700
Superseded in precise-updates on 2014-10-30
Superseded in precise-security on 2014-10-30
php5 (5.3.10-1ubuntu3.14) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3587.patch: check for array under-runs as well
      as over-runs in ext/fileinfo/libmagic/cdf.c
    - CVE-2014-3587
  * SECURITY UPDATE: denial of service in dns_get_record
    - debian/patches/CVE-2014-3597.patch: check for DNS overflows in
      ext/standard/dns.c
    - CVE-2014-3587
 -- Seth Arnold <email address hidden>   Wed, 03 Sep 2014 23:27:39 -0700
Superseded in trusty-updates on 2014-10-30
Superseded in trusty-security on 2014-10-30
php5 (5.5.9+dfsg-1ubuntu4.4) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3587.patch: check for array under-runs as well
      as over-runs in ext/fileinfo/libmagic/cdf.c
    - CVE-2014-3587
  * SECURITY UPDATE: denial of service in dns_get_record
    - debian/patches/CVE-2014-3597.patch: check for DNS overflows in
      ext/standard/dns.c
    - CVE-2014-3587
 -- Seth Arnold <email address hidden>   Wed, 03 Sep 2014 23:33:06 -0700
Superseded in utopic-release on 2014-09-22
Deleted in utopic-proposed on 2014-09-23 (Reason: moved to release)
php5 (5.5.12+dfsg-2ubuntu3) utopic; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector
    - debian/patches/CVE-2014-0207.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0207
  * SECURITY UPDATE: denial of service in FileInfo mconvert
    - debian/patches/CVE-2014-3478.patch: properly handle truncated pascal
      string size in ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-3478
  * SECURITY UPDATE: denial of service in FileInfo cdf_check_stream_offset
    - debian/patches/CVE-2014-3479.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3479
  * SECURITY UPDATE: denial of service in FileInfo cdf_count_chain
    - debian/patches/CVE-2014-3480.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3480
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3487.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3487
  * SECURITY UPDATE: denial of service and possible code execution via
    unserialize() SPL type confusion
    - debian/patches/CVE-2014-3515.patch: properly check types in
      ext/spl/spl_array.c, ext/spl/spl_observer.c, added test to
      ext/spl/tests/SplObjectStorage_unserialize_bad.phpt.
    - CVE-2014-3515
  * SECURITY UPDATE: denial of service via SPL Iterators use-after-free
    - debian/patches/CVE-2014-4670.patch: fix use-after-free in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug67538.phpt.
    - CVE-2014-4670
  * SECURITY UPDATE: denial of service via ArrayIterator use-after-free
    - debian/patches/CVE-2014-4698.patch: don't allow modifying ArrayObject
      during sorting in ext/spl/spl_array.c, added test to
      ext/spl/tests/bug67539.phpt.
    - CVE-2014-4698
  * SECURITY UPDATE: information leak via phpinfo (LP: #1338170)
    - debian/patches/CVE-2014-4721.patch: fix type confusion in
      ext/standard/info.c, added test to
      ext/standard/tests/general_functions/bug67498.phpt.
    - CVE-2014-4721
 -- Marc Deslauriers <email address hidden>   Wed, 09 Jul 2014 13:00:04 -0400
Superseded in lucid-updates on 2014-09-10
Superseded in lucid-security on 2014-09-09
php5 (5.3.2-1ubuntu4.26) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector
    - debian/patches/CVE-2014-0207.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0207
  * SECURITY UPDATE: denial of service in FileInfo cdf_count_chain
    - debian/patches/CVE-2014-3480.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3480
  * SECURITY UPDATE: denial of service and possible code execution via
    unserialize() SPL type confusion
    - debian/patches/CVE-2014-3515.patch: properly check types in
      ext/spl/spl_array.c, ext/spl/spl_observer.c, added test to
      ext/spl/tests/SplObjectStorage_unserialize_bad.phpt.
    - CVE-2014-3515
  * SECURITY UPDATE: denial of service via SPL Iterators use-after-free
    - debian/patches/CVE-2014-4670.patch: fix use-after-free in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug67538.phpt.
    - CVE-2014-4670
  * SECURITY UPDATE: denial of service via ArrayIterator use-after-free
    - debian/patches/CVE-2014-4698.patch: don't allow modifying ArrayObject
      during sorting in ext/spl/spl_array.c, added test to
      ext/spl/tests/bug67539.phpt.
    - CVE-2014-4698
  * SECURITY UPDATE: information leak via phpinfo (LP: #1338170)
    - debian/patches/CVE-2014-4721.patch: fix type confusion in
      ext/standard/info.c, added test to
      ext/standard/tests/general_functions/bug67498.phpt.
    - CVE-2014-4721
 -- Marc Deslauriers <email address hidden>   Tue, 08 Jul 2014 21:22:42 -0400
Superseded in precise-updates on 2014-09-10
Superseded in precise-security on 2014-09-09
php5 (5.3.10-1ubuntu3.13) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector
    - debian/patches/CVE-2014-0207.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0207
  * SECURITY UPDATE: denial of service in FileInfo cdf_count_chain
    - debian/patches/CVE-2014-3480.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3480
  * SECURITY UPDATE: denial of service and possible code execution via
    unserialize() SPL type confusion
    - debian/patches/CVE-2014-3515.patch: properly check types in
      ext/spl/spl_array.c, ext/spl/spl_observer.c, added test to
      ext/spl/tests/SplObjectStorage_unserialize_bad.phpt.
    - CVE-2014-3515
  * SECURITY UPDATE: denial of service via SPL Iterators use-after-free
    - debian/patches/CVE-2014-4670.patch: fix use-after-free in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug67538.phpt.
    - CVE-2014-4670
  * SECURITY UPDATE: denial of service via ArrayIterator use-after-free
    - debian/patches/CVE-2014-4698.patch: don't allow modifying ArrayObject
      during sorting in ext/spl/spl_array.c, added test to
      ext/spl/tests/bug67539.phpt.
    - CVE-2014-4698
  * SECURITY UPDATE: information leak via phpinfo (LP: #1338170)
    - debian/patches/CVE-2014-4721.patch: fix type confusion in
      ext/standard/info.c, added test to
      ext/standard/tests/general_functions/bug67498.phpt.
    - CVE-2014-4721
 -- Marc Deslauriers <email address hidden>   Mon, 07 Jul 2014 08:41:06 -0400
Published in saucy-updates on 2014-07-09
Published in saucy-security on 2014-07-09
php5 (5.5.3+dfsg-1ubuntu2.6) saucy-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector
    - debian/patches/CVE-2014-0207.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0207
  * SECURITY UPDATE: denial of service in FileInfo mconvert
    - debian/patches/CVE-2014-3478.patch: properly handle truncated pascal
      string size in ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-3478
  * SECURITY UPDATE: denial of service in FileInfo cdf_check_stream_offset
    - debian/patches/CVE-2014-3479.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3479
  * SECURITY UPDATE: denial of service in FileInfo cdf_count_chain
    - debian/patches/CVE-2014-3480.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3480
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3487.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3487
  * SECURITY UPDATE: denial of service and possible code execution via
    unserialize() SPL type confusion
    - debian/patches/CVE-2014-3515.patch: properly check types in
      ext/spl/spl_array.c, ext/spl/spl_observer.c, added test to
      ext/spl/tests/SplObjectStorage_unserialize_bad.phpt.
    - CVE-2014-3515
  * SECURITY UPDATE: denial of service via SPL Iterators use-after-free
    - debian/patches/CVE-2014-4670.patch: fix use-after-free in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug67538.phpt.
    - CVE-2014-4670
  * SECURITY UPDATE: denial of service via ArrayIterator use-after-free
    - debian/patches/CVE-2014-4698.patch: don't allow modifying ArrayObject
      during sorting in ext/spl/spl_array.c, added test to
      ext/spl/tests/bug67539.phpt.
    - CVE-2014-4698
  * SECURITY UPDATE: information leak via phpinfo (LP: #1338170)
    - debian/patches/CVE-2014-4721.patch: fix type confusion in
      ext/standard/info.c, added test to
      ext/standard/tests/general_functions/bug67498.phpt.
    - CVE-2014-4721
 -- Marc Deslauriers <email address hidden>   Mon, 07 Jul 2014 07:46:31 -0400
Superseded in trusty-updates on 2014-09-10
Superseded in trusty-security on 2014-09-09
php5 (5.5.9+dfsg-1ubuntu4.3) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector
    - debian/patches/CVE-2014-0207.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0207
  * SECURITY UPDATE: denial of service in FileInfo mconvert
    - debian/patches/CVE-2014-3478.patch: properly handle truncated pascal
      string size in ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-3478
  * SECURITY UPDATE: denial of service in FileInfo cdf_check_stream_offset
    - debian/patches/CVE-2014-3479.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3479
  * SECURITY UPDATE: denial of service in FileInfo cdf_count_chain
    - debian/patches/CVE-2014-3480.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3480
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3487.patch: properly calculate sizes in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-3487
  * SECURITY UPDATE: denial of service and possible code execution via
    unserialize() SPL type confusion
    - debian/patches/CVE-2014-3515.patch: properly check types in
      ext/spl/spl_array.c, ext/spl/spl_observer.c, added test to
      ext/spl/tests/SplObjectStorage_unserialize_bad.phpt.
    - CVE-2014-3515
  * SECURITY UPDATE: denial of service via SPL Iterators use-after-free
    - debian/patches/CVE-2014-4670.patch: fix use-after-free in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug67538.phpt.
    - CVE-2014-4670
  * SECURITY UPDATE: denial of service via ArrayIterator use-after-free
    - debian/patches/CVE-2014-4698.patch: don't allow modifying ArrayObject
      during sorting in ext/spl/spl_array.c, added test to
      ext/spl/tests/bug67539.phpt.
    - CVE-2014-4698
  * SECURITY UPDATE: information leak via phpinfo (LP: #1338170)
    - debian/patches/CVE-2014-4721.patch: fix type confusion in
      ext/standard/info.c, added test to
      ext/standard/tests/general_functions/bug67498.phpt.
    - CVE-2014-4721
 -- Marc Deslauriers <email address hidden>   Mon, 07 Jul 2014 07:44:21 -0400
Superseded in trusty-updates on 2014-07-09
Superseded in trusty-security on 2014-07-09
php5 (5.5.9+dfsg-1ubuntu4.2) trusty-security; urgency=medium

  * SECURITY UPDATE: better FastCGI socket permissions (LP: #1334337)
    - debian/rules: enable listen.owner and listen.group so that the socket
      is accessible to www-data by default. This allows most setups to
      continue working with the more restrictive permissions.
 -- Marc Deslauriers <email address hidden>   Wed, 25 Jun 2014 11:46:16 -0400
Superseded in saucy-updates on 2014-07-09
Superseded in saucy-security on 2014-07-09
php5 (5.5.3+dfsg-1ubuntu2.5) saucy-security; urgency=medium

  * SECURITY UPDATE: better FastCGI socket permissions (LP: #1334337)
    - debian/rules: enable listen.owner and listen.group so that the socket
      is accessible to www-data by default. This allows most setups to
      continue working with the more restrictive permissions.
 -- Marc Deslauriers <email address hidden>   Wed, 25 Jun 2014 11:52:07 -0400
Superseded in utopic-release on 2014-07-09
Deleted in utopic-proposed on 2014-07-11 (Reason: moved to release)
php5 (5.5.12+dfsg-2ubuntu2) utopic; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
    - debian/patches/CVE-2014-0237.patch: remove file_printf calls in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0237
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-0238.patch: fix infinite loop in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0238
  * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
    parsing
    - debian/patches/CVE-2014-4049.patch: check length in
      ext/standard/dns.c.
    - CVE-2014-4049
 -- Marc Deslauriers <email address hidden>   Thu, 19 Jun 2014 13:21:19 -0400
Superseded in lucid-updates on 2014-07-09
Superseded in lucid-security on 2014-07-09
php5 (5.3.2-1ubuntu4.25) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
    - debian/patches/CVE-2014-0237.patch: remove file_printf calls in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0237
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-0238.patch: fix infinite loop in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0238
  * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
    parsing
    - debian/patches/CVE-2014-4049.patch: check length in
      ext/standard/dns.c.
    - CVE-2014-4049
 -- Marc Deslauriers <email address hidden>   Thu, 19 Jun 2014 13:48:46 -0400
Superseded in precise-updates on 2014-07-09
Superseded in precise-security on 2014-07-09
php5 (5.3.10-1ubuntu3.12) precise-security; urgency=medium

  * SECURITY UPDATE: incorrect FastCGI socket permissions (LP: #1307027)
    - debian/patches/CVE-2014-0185.patch: default to 0660 in
      sapi/fpm/fpm/fpm_unix.c, sapi/fpm/php-fpm.conf.in.
    - CVE-2014-0185
  * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
    - debian/patches/CVE-2014-0237.patch: remove file_printf calls in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0237
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-0238.patch: fix infinite loop in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0238
  * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
    parsing
    - debian/patches/CVE-2014-4049.patch: check length in
      ext/standard/dns.c.
    - CVE-2014-4049
 -- Marc Deslauriers <email address hidden>   Thu, 19 Jun 2014 13:44:17 -0400
Superseded in trusty-updates on 2014-06-25
Superseded in trusty-security on 2014-06-25
php5 (5.5.9+dfsg-1ubuntu4.1) trusty-security; urgency=medium

  * SECURITY UPDATE: incorrect FastCGI socket permissions (LP: #1307027)
    - debian/patches/CVE-2014-0185.patch: default to 0660 in
      sapi/fpm/fpm/fpm_unix.c, sapi/fpm/php-fpm.conf.in.
    - CVE-2014-0185
  * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
    - debian/patches/CVE-2014-0237.patch: remove file_printf calls in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0237
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-0238.patch: fix infinite loop in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0238
  * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
    parsing
    - debian/patches/CVE-2014-4049.patch: check length in
      ext/standard/dns.c.
    - CVE-2014-4049
 -- Marc Deslauriers <email address hidden>   Thu, 19 Jun 2014 13:30:13 -0400
Superseded in saucy-updates on 2014-06-25
Superseded in saucy-security on 2014-06-25
php5 (5.5.3+dfsg-1ubuntu2.4) saucy-security; urgency=medium

  * SECURITY UPDATE: incorrect FastCGI socket permissions (LP: #1307027)
    - debian/patches/CVE-2014-0185.patch: default to 0660 in
      sapi/fpm/fpm/fpm_unix.c, sapi/fpm/php-fpm.conf.in.
    - CVE-2014-0185
  * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
    - debian/patches/CVE-2014-0237.patch: remove file_printf calls in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0237
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-0238.patch: fix infinite loop in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0238
  * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
    parsing
    - debian/patches/CVE-2014-4049.patch: check length in
      ext/standard/dns.c.
    - CVE-2014-4049
 -- Marc Deslauriers <email address hidden>   Thu, 19 Jun 2014 13:33:33 -0400
Superseded in utopic-release on 2014-06-20
Deleted in utopic-proposed on 2014-06-21 (Reason: moved to release)
php5 (5.5.12+dfsg-2ubuntu1) utopic; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm, onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt
      since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - debian/rules: re-enable tests
    - d/tests/{cgi,cli,mod-php}: dep8 tests for common use cases.
    - d/rules: load dpkg-buildflags earlier, so that CFLAGS changes are not
      overridden.
  * Drop changes (upstreamed / in-Debian):
    - CVE-2014-2270, CVE-2013-1943, imageconvolution-regression.patch:
      included in this merge
  * Drop changes (no longer needed):
    - d/rules, d/control: re-add use of dh_systemd as it is in main now.
    - php5-fpm.upstart: re-add "reload signal USR2" stanza, LTS was
      released.

Superseded in utopic-release on 2014-05-21
Published in trusty-release on 2014-04-09
Deleted in trusty-proposed (Reason: moved to release)
php5 (5.5.9+dfsg-1ubuntu4) trusty; urgency=medium

  * Comment out "reload signal USR2" stanza from php5-fpm to make the job
    compatible with Precise upstart, when it's still running as pid1
    during upgrade to trusty and before the restart. We'd rather support
    shorter down-time then reload interface. (LP: #1272788)
 -- Dimitri John Ledkov <email address hidden>   Wed, 09 Apr 2014 16:23:30 +0100
Superseded in lucid-updates on 2014-06-23
Superseded in lucid-security on 2014-06-23
php5 (5.3.2-1ubuntu4.24) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
    PE executable
    - debian/patches/CVE-2014-2270.patch: check bounds in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-2270
 -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:23:04 -0400
Superseded in trusty-release on 2014-04-09
Deleted in trusty-proposed on 2014-04-11 (Reason: moved to release)
php5 (5.5.9+dfsg-1ubuntu3) trusty; urgency=medium

  * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
    PE executable
    - debian/patches/CVE-2014-2270.patch: check bounds in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-2270
 -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:12:10 -0400
Published in quantal-updates on 2014-04-07
Published in quantal-security on 2014-04-07
php5 (5.4.6-1ubuntu1.8) quantal-security; urgency=medium

  * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
    PE executable
    - debian/patches/CVE-2014-2270.patch: check bounds in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-2270
 -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:18:45 -0400
Superseded in saucy-updates on 2014-06-23
Superseded in saucy-security on 2014-06-23
php5 (5.5.3+dfsg-1ubuntu2.3) saucy-security; urgency=medium

  * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
    PE executable
    - debian/patches/CVE-2014-2270.patch: check bounds in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-2270
 -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:14:26 -0400
Superseded in precise-updates on 2014-06-23
Superseded in precise-security on 2014-06-23
php5 (5.3.10-1ubuntu3.11) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
    PE executable
    - debian/patches/CVE-2014-2270.patch: check bounds in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-2270
 -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:21:27 -0400
Superseded in trusty-release on 2014-04-04
Deleted in trusty-proposed on 2014-04-05 (Reason: moved to release)
php5 (5.5.9+dfsg-1ubuntu2) trusty; urgency=medium

  * SECURITY UPDATE: denial of service via crafted indirect offset value
    in fileinfo
    - debian/patches/CVE-2013-1943.patch: properly handle recursion in
      ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added
      test to ext/fileinfo/tests/cve-2014-1943.phpt.
    - CVE-2013-1943
  * debian/patches/imageconvolution-regression.patch: fix regression in
    imageconvolution caused by security fix in 5.5.9.
 -- Marc Deslauriers <email address hidden>   Mon, 03 Mar 2014 13:42:25 -0500
Superseded in lucid-updates on 2014-04-07
Superseded in lucid-security on 2014-04-07
php5 (5.3.2-1ubuntu4.23) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service via crafted indirect offset value
    in fileinfo
    - debian/patches/CVE-2013-1943.patch: properly handle recursion in
      ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added
      test to ext/fileinfo/tests/cve-2014-1943.phpt.
    - CVE-2013-1943
 -- Marc Deslauriers <email address hidden>   Fri, 28 Feb 2014 17:40:15 -0500
Superseded in precise-updates on 2014-04-07
Superseded in precise-security on 2014-04-07
php5 (5.3.10-1ubuntu3.10) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via crafted indirect offset value
    in fileinfo
    - debian/patches/CVE-2013-1943.patch: properly handle recursion in
      ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added
      test to ext/fileinfo/tests/cve-2014-1943.phpt.
    - CVE-2013-1943
 -- Marc Deslauriers <email address hidden>   Fri, 28 Feb 2014 14:55:00 -0500
Superseded in quantal-updates on 2014-04-07
Superseded in quantal-security on 2014-04-07
php5 (5.4.6-1ubuntu1.7) quantal-security; urgency=medium

  * SECURITY UPDATE: denial of service via crafted indirect offset value
    in fileinfo
    - debian/patches/CVE-2013-1943.patch: properly handle recursion in
      ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added
      test to ext/fileinfo/tests/cve-2014-1943.phpt.
    - CVE-2013-1943
  * This package does _not_ contain the changes from .4.6-1ubuntu1.6 in
    quantal-proposed.
 -- Marc Deslauriers <email address hidden>   Fri, 28 Feb 2014 11:40:51 -0500
Superseded in saucy-updates on 2014-04-07
Superseded in saucy-security on 2014-04-07
php5 (5.5.3+dfsg-1ubuntu2.2) saucy-security; urgency=medium

  * SECURITY UPDATE: denial of service and possible code execution via
    multiple issues in gdImageCrop
    - debian/patches/CVE-2013-7226.patch: fix overflows and data type
      issues in ext/gd/gd.c,ext/gd/libgd/gd_crop.c, added test to
      ext/gd/tests/bug66356.phpt.
    - CVE-2013-7226
    - CVE-2013-7327
    - CVE-2013-7328
    - CVE-2014-2020
  * SECURITY UPDATE: denial of service via crafted indirect offset value
    in fileinfo
    - debian/patches/CVE-2013-1943.patch: properly handle recursion in
      ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added
      test to ext/fileinfo/tests/cve-2014-1943.phpt.
    - CVE-2013-1943
  * debian/rules: re-enable tests.
 -- Marc Deslauriers <email address hidden>   Fri, 28 Feb 2014 11:15:03 -0500
Superseded in trusty-release on 2014-03-03
Deleted in trusty-proposed on 2014-03-05 (Reason: moved to release)
php5 (5.5.9+dfsg-1ubuntu1) trusty; urgency=medium

  * Merge from Debian testing. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm, onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt
      since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - debian/rules: re-enable tests
    - d/tests/{cgi,cli,mod-php}: dep8 tests for common use cases.
  * Drop changes (upstreamed to Debian):
    - d/p/use-system-timezone.patch, d/tests/system-timezone: use system
      timezone by default, instead of requiring it to be configured.
  * d/rules: load dpkg-buildflags earlier, so that CFLAGS changes are not
    overridden (LP: #1280044).

Superseded in trusty-release on 2014-02-20
Deleted in trusty-proposed on 2014-02-22 (Reason: moved to release)
php5 (5.5.8+dfsg-2ubuntu1) trusty; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm,
      onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and
      php5-mcrypt since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - debian/rules: re-enable tests
  * Previously undocumented changes:
    - d/tests/{cgi,cli,mod_php}: dep8 tests for common use cases.
  * Drop changes:
    - d/p/{CVE-2013-6420,CVE-2013-6712,fix-freetype-ftbfs}.patch: upstreamed.
    - d/control: relegate php5-json and pkg-php-tools from Recommends to
      Suggests as they are in universe: php5-json and pkg-php-tools are now in
      main (LP: #1242726).
    - d/control, d/rules: re-enable libedit-dev: libedit-dev is now enabled in
      Debian.
  * d/tests/mod-php: rename from mod_php; the previous name was illegal.
  * d/tests/{cgi,mod-php}: use new default Apache DocumentRoot /var/www/html.
  * d/p/use-system-timezone.patch, d/tests/system-timezone: use system
    timezone by default, instead of requiring it to be configured.
    (LP: #1244343).
 -- Robie Basak <email address hidden>   Tue, 21 Jan 2014 15:40:58 +0000
Deleted in quantal-proposed on 2014-03-04 (Reason: moved to -updates)
php5 (5.4.6-1ubuntu1.6) quantal; urgency=low

  * debian/patches/lp1102366.patch: properly reset rfc1867 callbacks to
    prevent segfault. (LP: #1102366)
 -- Marc Deslauriers <email address hidden>   Mon, 23 Dec 2013 09:00:58 -0500
Superseded in trusty-release on 2014-01-21
Deleted in trusty-proposed on 2014-01-23 (Reason: moved to release)
php5 (5.5.6+dfsg-1ubuntu2) trusty; urgency=medium

  * No change rebuild against libicu52
 -- Dimitri John Ledkov <email address hidden>   Sat, 28 Dec 2013 05:16:26 +0000
Superseded in trusty-release on 2013-12-31
Deleted in trusty-proposed on 2014-01-01 (Reason: moved to release)
php5 (5.5.6+dfsg-1ubuntu1) trusty; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm,
      onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and
      php5-mcrypt since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control, d/rules: re-enable libedit-dev.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - d/control: relegate php5-json and pkg-php-tools from Recommends to
      Suggests as they are in universe.
  * Dropped changes:
    - d/p/crash_in_get_zval_ptr_ptr_var.patch: upstream
  * SECURITY UPDATE: denial of service and possible code execution via
    malicious certificate
    - debian/patches/CVE-2013-6420.patch: properly validate timestr in
      ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
    - CVE-2013-6420
  * SECURITY UPDATE: denial of service via crafted interval specification
    - debian/patches/CVE-2013-6712.patch: check error_count in
      ext/date/lib/parse_iso_intervals.*.
    - CVE-2013-6712
  * debian/patches/fix-freetype-ftbfs.patch: fix compilation with newer
    freetype
  * debian/rules: re-enable tests

Superseded in saucy-updates on 2014-03-03
Superseded in saucy-security on 2014-03-03
php5 (5.5.3+dfsg-1ubuntu2.1) saucy-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    malicious certificate
    - debian/patches/CVE-2013-6420.patch: properly validate timestr in
      ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
    - CVE-2013-6420
  * SECURITY UPDATE: denial of service via crafted interval specification
    - debian/patches/CVE-2013-6712.patch: check error_count in
      ext/date/lib/parse_iso_intervals.*.
    - CVE-2013-6712
 -- Marc Deslauriers <email address hidden>   Wed, 11 Dec 2013 13:45:28 -0500
Superseded in lucid-updates on 2014-03-03
Superseded in lucid-security on 2014-03-03
php5 (5.3.2-1ubuntu4.22) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    malicious certificate
    - debian/patches/CVE-2013-6420.patch: properly validate timestr in
      ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
    - CVE-2013-6420
  * SECURITY UPDATE: denial of service via crafted interval specification
    - debian/patches/CVE-2013-6712.patch: check error_count in
      ext/date/lib/parse_iso_intervals.*.
    - CVE-2013-6712
 -- Marc Deslauriers <email address hidden>   Wed, 11 Dec 2013 19:23:24 -0500
Superseded in quantal-updates on 2014-03-03
Superseded in quantal-security on 2014-03-03
php5 (5.4.6-1ubuntu1.5) quantal-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    malicious certificate
    - debian/patches/CVE-2013-6420.patch: properly validate timestr in
      ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
    - CVE-2013-6420
  * SECURITY UPDATE: denial of service via crafted interval specification
    - debian/patches/CVE-2013-6712.patch: check error_count in
      ext/date/lib/parse_iso_intervals.*.
    - CVE-2013-6712
 -- Marc Deslauriers <email address hidden>   Wed, 11 Dec 2013 19:20:51 -0500
Published in raring-updates on 2013-12-12
Published in raring-security on 2013-12-12
php5 (5.4.9-4ubuntu2.4) raring-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    malicious certificate
    - debian/patches/CVE-2013-6420.patch: properly validate timestr in
      ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
    - CVE-2013-6420
  * SECURITY UPDATE: denial of service via crafted interval specification
    - debian/patches/CVE-2013-6712.patch: check error_count in
      ext/date/lib/parse_iso_intervals.*.
    - CVE-2013-6712
 -- Marc Deslauriers <email address hidden>   Wed, 11 Dec 2013 19:19:30 -0500
Superseded in precise-updates on 2014-03-03
Superseded in precise-security on 2014-03-03
php5 (5.3.10-1ubuntu3.9) precise-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    malicious certificate
    - debian/patches/CVE-2013-6420.patch: properly validate timestr in
      ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
    - CVE-2013-6420
  * SECURITY UPDATE: denial of service via crafted interval specification
    - debian/patches/CVE-2013-6712.patch: check error_count in
      ext/date/lib/parse_iso_intervals.*.
    - CVE-2013-6712
 -- Marc Deslauriers <email address hidden>   Wed, 11 Dec 2013 19:22:04 -0500
Superseded in trusty-release on 2013-12-12
Deleted in trusty-proposed on 2013-12-14 (Reason: moved to release)
php5 (5.5.3+dfsg-1ubuntu3) trusty; urgency=low

  * No change rebuild against db 5.3.
 -- Dmitrijs Ledkovs <email address hidden>   Sat, 02 Nov 2013 20:03:00 +0000
Superseded in trusty-release on 2013-11-03
Published in saucy-release on 2013-10-09
Deleted in saucy-proposed (Reason: moved to release)
php5 (5.5.3+dfsg-1ubuntu2) saucy; urgency=low

  * d/p/crash_in_get_zval_ptr_ptr_var.patch: cherry-pick from upstream to fix
    segfault (LP: #1236733).
 -- Robie Basak <email address hidden>   Wed, 09 Oct 2013 11:29:29 +0000
Superseded in precise-updates on 2013-12-12
Superseded in precise-security on 2013-12-12
php5 (5.3.10-1ubuntu3.8) precise-security; urgency=low

  * SECURITY UPDATE: SSL cert validation spoofing via NULL character in
    subjectAltName.
    - debian/patches/CVE-2013-4248.patch: validate subjectAltName in
      ext/openssl/openssl.c, added test to ext/openssl/tests/cve2013_4073*.
    - CVE-2013-4248
 -- Marc Deslauriers <email address hidden>   Wed, 04 Sep 2013 12:54:39 -0400
Superseded in quantal-updates on 2013-12-12
Superseded in quantal-security on 2013-12-12
php5 (5.4.6-1ubuntu1.4) quantal-security; urgency=low

  * SECURITY UPDATE: SSL cert validation spoofing via NULL character in
    subjectAltName.
    - debian/patches/CVE-2013-4248.patch: validate subjectAltName in
      ext/openssl/openssl.c, added test to ext/openssl/tests/cve2013_4073*.
    - CVE-2013-4248
 -- Marc Deslauriers <email address hidden>   Wed, 04 Sep 2013 11:07:56 -0400
Superseded in raring-updates on 2013-12-12
Superseded in raring-security on 2013-12-12
php5 (5.4.9-4ubuntu2.3) raring-security; urgency=low

  * SECURITY UPDATE: SSL cert validation spoofing via NULL character in
    subjectAltName.
    - debian/patches/CVE-2013-4248.patch: validate subjectAltName in
      ext/openssl/openssl.c, added test to ext/openssl/tests/cve2013_4073*.
    - CVE-2013-4248
 -- Marc Deslauriers <email address hidden>   Wed, 04 Sep 2013 10:59:04 -0400
Superseded in lucid-updates on 2013-12-12
Superseded in lucid-security on 2013-12-12
php5 (5.3.2-1ubuntu4.21) lucid-security; urgency=low

  * SECURITY UPDATE: SSL cert validation spoofing via NULL character in
    subjectAltName.
    - debian/patches/CVE-2013-4248.patch: validate subjectAltName in
      ext/openssl/openssl.c, added test to ext/openssl/tests/cve2013_4073*.
    - CVE-2013-4248
 -- Marc Deslauriers <email address hidden>   Wed, 04 Sep 2013 12:56:49 -0400
Superseded in saucy-release on 2013-10-09
Deleted in saucy-proposed on 2013-10-10 (Reason: moved to release)
php5 (5.5.3+dfsg-1ubuntu1) saucy; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm,
      onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and
      php5-mcrypt since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control, d/rules: re-enable libedit-dev.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - d/control: relegate php5-json and pkg-php-tools from Recommends to
      Suggests as they are in universe.

Superseded in saucy-release on 2013-09-04
Deleted in saucy-proposed on 2013-09-05 (Reason: moved to release)
php5 (5.5.1+dfsg-1ubuntu1) saucy; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm,
      onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and
      php5-mcrypt since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control, d/rules: re-enable libedit-dev.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - d/control: relegate php5-json and pkg-php-tools from Recommends to
      Suggests as they are in universe.

Superseded in saucy-release on 2013-07-25
Deleted in saucy-proposed on 2013-07-26 (Reason: moved to release)
php5 (5.5.0+dfsg-15ubuntu1) saucy; urgency=low

  * Merged from Debian unstable to get security fix.

Superseded in saucy-release on 2013-07-18
Deleted in saucy-proposed on 2013-07-20 (Reason: moved to release)
php5 (5.5.0+dfsg-14ubuntu1) saucy; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm,
      onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and
      php5-mcrypt since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control, d/rules: re-enable libedit-dev.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - d/control: relegate php5-json from Recommends to Suggests as it is in
      universe.
  * Relegate pkg-php-tools Recommends to Suggests as it is in universe.
 -- Robie Basak <email address hidden>   Wed, 17 Jul 2013 18:00:02 +0000
Superseded in raring-updates on 2013-09-05
Superseded in raring-security on 2013-09-05
php5 (5.4.9-4ubuntu2.2) raring-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via xml
    parser heap overflow
    - debian/patches/CVE-2013-4113.patch: check against XML_MAXLEVEL in
      ext/xml/xml.c, add test to ext/xml/tests/bug65236.phpt.
    - CVE-2013-4113
  * SECURITY UPDATE: denial of service via overflow in SdnToJewish
    - debian/patches/CVE-2013-4635.patch: check value in
      ext/calendar/jewish.c, add test to
      ext/calendar/tests/jdtojewish64.phpt.
    - CVE-2013-4635
 -- Marc Deslauriers <email address hidden>   Mon, 15 Jul 2013 09:42:36 -0400
Superseded in quantal-updates on 2013-09-05
Superseded in quantal-security on 2013-09-05
php5 (5.4.6-1ubuntu1.3) quantal-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via xml
    parser heap overflow
    - debian/patches/CVE-2013-4113.patch: check against XML_MAXLEVEL in
      ext/xml/xml.c, add test to ext/xml/tests/bug65236.phpt.
    - CVE-2013-4113
  * SECURITY UPDATE: denial of service via overflow in SdnToJewish
    - debian/patches/CVE-2013-4635.patch: check value in
      ext/calendar/jewish.c, add test to
      ext/calendar/tests/jdtojewish64.phpt.
    - CVE-2013-4635
 -- Marc Deslauriers <email address hidden>   Mon, 15 Jul 2013 09:48:22 -0400
Superseded in precise-updates on 2013-09-05
Superseded in precise-security on 2013-09-05
php5 (5.3.10-1ubuntu3.7) precise-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via xml
    parser heap overflow
    - debian/patches/CVE-2013-4113.patch: check against XML_MAXLEVEL in
      ext/xml/xml.c, add test to ext/xml/tests/bug65236.phpt.
    - CVE-2013-4113
  * SECURITY UPDATE: denial of service via overflow in SdnToJewish
    - debian/patches/CVE-2013-4635.patch: check value in
      ext/calendar/jewish.c, add test to
      ext/calendar/tests/jdtojewish64.phpt.
    - CVE-2013-4635
 -- Marc Deslauriers <email address hidden>   Mon, 15 Jul 2013 09:49:43 -0400
Superseded in lucid-updates on 2013-09-05
Superseded in lucid-security on 2013-09-05
php5 (5.3.2-1ubuntu4.20) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via xml
    parser heap overflow
    - debian/patches/CVE-2013-4113.patch: check against XML_MAXLEVEL in
      ext/xml/xml.c, add test to ext/xml/tests/bug65236.phpt.
    - CVE-2013-4113
  * SECURITY UPDATE: denial of service via overflow in SdnToJewish
    - debian/patches/CVE-2013-4635.patch: check value in
      ext/calendar/jewish.c, add test to
      ext/calendar/tests/jdtojewish64.phpt.
    - CVE-2013-4635
 -- Marc Deslauriers <email address hidden>   Mon, 15 Jul 2013 09:50:48 -0400
Superseded in saucy-proposed on 2013-07-17
php5 (5.5.0+dfsg-6ubuntu1) saucy; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm,
      onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and
      php5-mcrypt since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control, d/rules: re-enable libedit-dev.
  * Remaining changes that were previously undocumented:
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
  * Drop changes:
    - Add build-dependency on lemon, which we now need. This is evidently no
      longer required, since there is no sign of it being used in
      5.4.15-1ubuntu3.
    - Dropped libcurl-dev not in the archive. libcurl-dev is a virtual
      alternative, so doesn't need to be dropped.
    - debian/control: replace build-depends on mysql-server with
      mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
      mysql-server-5.5 postinst confusion with starting up multiple
      mysqlds listening on the same port. The test infrastructure in packaging
      has changed, and now breaks without the mysql-server-5.5 postinst having
      run and created the mysql user. However, it also finds an available port
      itself so no longer conflicts with our mysql-server-5.5 postinst.
    - Patches included upstream:
      + debian/patches/CVE-2013-2110.patch
      + debian/patches/fix_gd_210.patch
      + debian/patches/CVE-2013-4635.patch
      + debian/patches/CVE-2013-4636.patch
  * Drop changes that were previously undocumented:
    - d/rules: adjust memory limits in .ini files. It appears that this was
      intended to be dropped back in 5.4.6-1ubuntu1, going by the old
      changelog entry.
    - d/rules: adjust openssl path in configure script. PHP still appears to
      configure, detect and build openssl-related components correctly
      regardless.
    - d/rules: disable parallel builds. There is no previous explanation as to
      why this was disabled, and having this in place is standard practice and
      in the Debian packaging.
    - d/rules: adjust PHP5_{HOST,BUILD}_GNU_TYPE. There is no previous
      explanation as to why this was present, and I can't find any regression
      that would be fixed by this change.
  * New changes:
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - d/control: relegate php5-json from Recommends to Suggests as it is in
      universe.
 -- Robie Basak <email address hidden>   Mon, 15 Jul 2013 14:09:59 +0000
Superseded in saucy-release on 2013-07-18
Deleted in saucy-proposed on 2013-07-19 (Reason: moved to release)
php5 (5.4.15-1ubuntu3) saucy; urgency=low

  * SECURITY UPDATE: denial of service via overflow in SdnToJewish
    - debian/patches/CVE-2013-4635.patch: check value in
      ext/calendar/jewish.c, add test to
      ext/calendar/tests/jdtojewish64.phpt.
    - CVE-2013-4635
  * SECURITY UPDATE: denial of service via incorrect MIME type detection
    - debian/patches/CVE-2013-4636.patch: use efree in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2013-4636
 -- Marc Deslauriers <email address hidden>   Fri, 28 Jun 2013 08:20:11 -0400
Superseded in saucy-release on 2013-06-30
Deleted in saucy-proposed on 2013-07-01 (Reason: moved to release)
php5 (5.4.15-1ubuntu2) saucy; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    quoted_printable_encode overflow
    - debian/patches/CVE-2013-2110.patch: calculate proper string size in
      ext/standard/quot_print.c, add test to
      ext/standard/tests/strings/bug64879.phpt.
    - CVE-2013-2110
  * debian/patches/fix_gd_210.patch: fix php-gd compatibility with
    libgd2 2.1.0. (LP: #1188070)
 -- Marc Deslauriers <email address hidden>   Tue, 11 Jun 2013 09:19:47 -0400
Superseded in raring-updates on 2013-07-16
Superseded in raring-security on 2013-07-16
php5 (5.4.9-4ubuntu2.1) raring-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    quoted_printable_encode overflow
    - debian/patches/CVE-2013-2110.patch: calculate proper string size in
      ext/standard/quot_print.c, add test to
      ext/standard/tests/strings/bug64879.phpt.
    - CVE-2013-2110
 -- Marc Deslauriers <email address hidden>   Mon, 10 Jun 2013 16:02:40 -0400
Superseded in saucy-release on 2013-06-12
Deleted in saucy-proposed on 2013-06-13 (Reason: moved to release)
php5 (5.4.15-1ubuntu1) saucy; urgency=low

  * Merge from Debian experimental. Remaining changes:
    - d/rules: Simplify apache config settings since we never build
      interbase or firebird.
    - debian/rules: export DEB_HOST_MULTIARCH properly.
    - Add build-dependency on lemon, which we now need.
    - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is
      in universe.
    - Dropped libcurl-dev not in the archive.
    - debian/control: replace build-depends on mysql-server with
      mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
      mysql-server-5.5 postinst confusion with starting up multiple
      mysqlds listening on the same port.
    - Dropped php5-imap, php5-interbase, php5-mcrypt since we have
      versions already in universe.
    - Dropped libonig-dev and libqgdbm since its in universe. (libonig
      MIR has been declined due to an inactive upstream. So this is
      probably a permanent change).
    - modulelist: Drop imap, interbase, sybase, and mcrypt.
    - debian/rules:
      - Dropped building of mcrypt, imap, and interbase.
      - Install apport hook for php5.
      - stop mysql instance on clean just in case we failed in tests
    - debian/control, debian/rules: Re-enable libedit-dev.
  * Dropped changes:
    - debian/patches/CVE-2013-1643.patch: included upstream.

Superseded in saucy-release on 2013-06-02
Published in raring-release on 2013-03-11
Deleted in raring-proposed (Reason: moved to release)
php5 (5.4.9-4ubuntu2) raring; urgency=low

  * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
    - debian/patches/CVE-2013-1643.patch: disable the entity loader in
      ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
    - CVE-2013-1643
 -- Marc Deslauriers <email address hidden>   Fri, 08 Mar 2013 16:12:43 -0500

Available diffs

Superseded in lucid-updates on 2013-07-16
Superseded in lucid-security on 2013-07-16
php5 (5.3.2-1ubuntu4.19) lucid-security; urgency=low

  * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
    - debian/patches/CVE-2013-1643.patch: disable the entity loader in
      ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
    - CVE-2013-1643
 -- Marc Deslauriers <email address hidden>   Mon, 11 Mar 2013 07:49:54 -0400
Superseded in quantal-updates on 2013-07-16
Superseded in quantal-security on 2013-07-16
php5 (5.4.6-1ubuntu1.2) quantal-security; urgency=low

  * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
    - debian/patches/CVE-2013-1643.patch: disable the entity loader in
      ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
    - CVE-2013-1643
 -- Marc Deslauriers <email address hidden>   Fri, 08 Mar 2013 16:18:48 -0500
Superseded in precise-updates on 2013-07-16
Superseded in precise-security on 2013-07-16
php5 (5.3.10-1ubuntu3.6) precise-security; urgency=low

  * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
    - debian/patches/CVE-2013-1643.patch: disable the entity loader in
      ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
    - CVE-2013-1643
 -- Marc Deslauriers <email address hidden>   Fri, 08 Mar 2013 16:22:01 -0500
Published in oneiric-updates on 2013-03-13
Published in oneiric-security on 2013-03-13
php5 (5.3.6-13ubuntu3.10) oneiric-security; urgency=low

  * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
    - debian/patches/CVE-2013-1643.patch: disable the entity loader in
      ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
    - CVE-2013-1643
 -- Marc Deslauriers <email address hidden>   Fri, 08 Mar 2013 16:32:19 -0500
Published in hardy-updates on 2013-03-13
Published in hardy-security on 2013-03-13
php5 (5.2.4-2ubuntu5.27) hardy-security; urgency=low

  * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
    - debian/patches/CVE-2013-1643.patch: disable the entity loader in
      ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
    - CVE-2013-1643
 -- Marc Deslauriers <email address hidden>   Mon, 11 Mar 2013 07:55:03 -0400
Superseded in precise-updates on 2013-03-13
Superseded in precise-security on 2013-03-13
php5 (5.3.10-1ubuntu3.5) precise-security; urgency=low

  * SECURITY UPDATE: arbitrary memory disclosure (LP: #1099793)
    - debian/patches/CVE-2012-6113.patch: properly initialize length in
      ext/openssl/openssl.c.
    - CVE-2012-6113
 -- Marc Deslauriers <email address hidden>   Fri, 18 Jan 2013 09:49:22 -0500
Superseded in raring-release on 2013-03-11
Deleted in raring-proposed on 2013-03-13 (Reason: moved to release)
php5 (5.4.9-4ubuntu1) raring; urgency=low

  * Merge from Debian experimental. Remaining changes:
    - d/rules: Simplify apache config settings since we never build
      interbase or firebird.
    - debian/rules: export DEB_HOST_MULTIARCH properly.
    - Add build-dependency on lemon, which we now need.
    - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is
      in universe.
    - Dropped libcurl-dev not in the archive.
    - debian/control: replace build-depends on mysql-server with
      mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
      mysql-server-5.5 postinst confusion with starting up multiple
      mysqlds listening on the same port.
    - Dropped php5-imap, php5-interbase, php5-mcrypt since we have
      versions already in universe.
    - Dropped libonig-dev and libqgdbm since its in universe. (libonig
      MIR has been declined due to an inactive upstream. So this is
      probably a permanent change).
    - modulelist: Drop imap, interbase, sybase, and mcrypt.
    - debian/rules:
      - Dropped building of mcrypt, imap, and interbase.
      - Install apport hook for php5.
      - stop mysql instance on clean just in case we failed in tests
    - debian/control, debian/rules: Re-enable libedit-dev.
  * Dropped changes:
    - Re-add logic to guess default timezone from system to fix default
      timezone regression Cherry-picked from Debian 5.4.4-6 (also in
      Debian 5.4.6-2).
    - debian/patches/libxml290.patch: Fix FTBFS with libxml 2.9.0.
      (included upstream)

Available diffs

175 of 307 results