Change log for php5 package in Ubuntu

76–150 of 362 results
Superseded in saucy-updates
Superseded in saucy-security
php5 (5.5.3+dfsg-1ubuntu2.5) saucy-security; urgency=medium

  * SECURITY UPDATE: better FastCGI socket permissions (LP: #1334337)
    - debian/rules: enable listen.owner and listen.group so that the socket
      is accessible to www-data by default. This allows most setups to
      continue working with the more restrictive permissions.
 -- Marc Deslauriers <email address hidden>   Wed, 25 Jun 2014 11:52:07 -0400
Superseded in utopic-release
Deleted in utopic-proposed (Reason: moved to release)
php5 (5.5.12+dfsg-2ubuntu2) utopic; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
    - debian/patches/CVE-2014-0237.patch: remove file_printf calls in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0237
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-0238.patch: fix infinite loop in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0238
  * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
    parsing
    - debian/patches/CVE-2014-4049.patch: check length in
      ext/standard/dns.c.
    - CVE-2014-4049
 -- Marc Deslauriers <email address hidden>   Thu, 19 Jun 2014 13:21:19 -0400
Superseded in lucid-updates
Superseded in lucid-security
php5 (5.3.2-1ubuntu4.25) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
    - debian/patches/CVE-2014-0237.patch: remove file_printf calls in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0237
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-0238.patch: fix infinite loop in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0238
  * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
    parsing
    - debian/patches/CVE-2014-4049.patch: check length in
      ext/standard/dns.c.
    - CVE-2014-4049
 -- Marc Deslauriers <email address hidden>   Thu, 19 Jun 2014 13:48:46 -0400
Superseded in precise-updates
Superseded in precise-security
php5 (5.3.10-1ubuntu3.12) precise-security; urgency=medium

  * SECURITY UPDATE: incorrect FastCGI socket permissions (LP: #1307027)
    - debian/patches/CVE-2014-0185.patch: default to 0660 in
      sapi/fpm/fpm/fpm_unix.c, sapi/fpm/php-fpm.conf.in.
    - CVE-2014-0185
  * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
    - debian/patches/CVE-2014-0237.patch: remove file_printf calls in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0237
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-0238.patch: fix infinite loop in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0238
  * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
    parsing
    - debian/patches/CVE-2014-4049.patch: check length in
      ext/standard/dns.c.
    - CVE-2014-4049
 -- Marc Deslauriers <email address hidden>   Thu, 19 Jun 2014 13:44:17 -0400
Superseded in trusty-updates
Superseded in trusty-security
php5 (5.5.9+dfsg-1ubuntu4.1) trusty-security; urgency=medium

  * SECURITY UPDATE: incorrect FastCGI socket permissions (LP: #1307027)
    - debian/patches/CVE-2014-0185.patch: default to 0660 in
      sapi/fpm/fpm/fpm_unix.c, sapi/fpm/php-fpm.conf.in.
    - CVE-2014-0185
  * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
    - debian/patches/CVE-2014-0237.patch: remove file_printf calls in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0237
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-0238.patch: fix infinite loop in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0238
  * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
    parsing
    - debian/patches/CVE-2014-4049.patch: check length in
      ext/standard/dns.c.
    - CVE-2014-4049
 -- Marc Deslauriers <email address hidden>   Thu, 19 Jun 2014 13:30:13 -0400
Superseded in saucy-updates
Superseded in saucy-security
php5 (5.5.3+dfsg-1ubuntu2.4) saucy-security; urgency=medium

  * SECURITY UPDATE: incorrect FastCGI socket permissions (LP: #1307027)
    - debian/patches/CVE-2014-0185.patch: default to 0660 in
      sapi/fpm/fpm/fpm_unix.c, sapi/fpm/php-fpm.conf.in.
    - CVE-2014-0185
  * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
    - debian/patches/CVE-2014-0237.patch: remove file_printf calls in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0237
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-0238.patch: fix infinite loop in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0238
  * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
    parsing
    - debian/patches/CVE-2014-4049.patch: check length in
      ext/standard/dns.c.
    - CVE-2014-4049
 -- Marc Deslauriers <email address hidden>   Thu, 19 Jun 2014 13:33:33 -0400
Superseded in utopic-release
Deleted in utopic-proposed (Reason: moved to release)
php5 (5.5.12+dfsg-2ubuntu1) utopic; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm, onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt
      since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - debian/rules: re-enable tests
    - d/tests/{cgi,cli,mod-php}: dep8 tests for common use cases.
    - d/rules: load dpkg-buildflags earlier, so that CFLAGS changes are not
      overridden.
  * Drop changes (upstreamed / in-Debian):
    - CVE-2014-2270, CVE-2013-1943, imageconvolution-regression.patch:
      included in this merge
  * Drop changes (no longer needed):
    - d/rules, d/control: re-add use of dh_systemd as it is in main now.
    - php5-fpm.upstart: re-add "reload signal USR2" stanza, LTS was
      released.

Superseded in utopic-release
Published in trusty-release
Deleted in trusty-proposed (Reason: moved to release)
php5 (5.5.9+dfsg-1ubuntu4) trusty; urgency=medium

  * Comment out "reload signal USR2" stanza from php5-fpm to make the job
    compatible with Precise upstart, when it's still running as pid1
    during upgrade to trusty and before the restart. We'd rather support
    shorter down-time than reload interface. (LP: #1272788)
 -- Dimitri John Ledkov <email address hidden>   Wed, 09 Apr 2014 16:23:30 +0100
Superseded in lucid-updates
Superseded in lucid-security
php5 (5.3.2-1ubuntu4.24) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
    PE executable
    - debian/patches/CVE-2014-2270.patch: check bounds in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-2270
 -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:23:04 -0400
Superseded in trusty-release
Deleted in trusty-proposed (Reason: moved to release)
php5 (5.5.9+dfsg-1ubuntu3) trusty; urgency=medium

  * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
    PE executable
    - debian/patches/CVE-2014-2270.patch: check bounds in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-2270
 -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:12:10 -0400
Obsolete in quantal-updates
Obsolete in quantal-security
php5 (5.4.6-1ubuntu1.8) quantal-security; urgency=medium

  * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
    PE executable
    - debian/patches/CVE-2014-2270.patch: check bounds in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-2270
 -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:18:45 -0400
Superseded in saucy-updates
Superseded in saucy-security
php5 (5.5.3+dfsg-1ubuntu2.3) saucy-security; urgency=medium

  * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
    PE executable
    - debian/patches/CVE-2014-2270.patch: check bounds in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-2270
 -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:14:26 -0400
Superseded in precise-updates
Superseded in precise-security
php5 (5.3.10-1ubuntu3.11) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
    PE executable
    - debian/patches/CVE-2014-2270.patch: check bounds in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-2270
 -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:21:27 -0400
Superseded in trusty-release
Deleted in trusty-proposed (Reason: moved to release)
php5 (5.5.9+dfsg-1ubuntu2) trusty; urgency=medium

  * SECURITY UPDATE: denial of service via crafted indirect offset value
    in fileinfo
    - debian/patches/CVE-2013-1943.patch: properly handle recursion in
      ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added
      test to ext/fileinfo/tests/cve-2014-1943.phpt.
    - CVE-2013-1943
  * debian/patches/imageconvolution-regression.patch: fix regression in
    imageconvolution caused by security fix in 5.5.9.
 -- Marc Deslauriers <email address hidden>   Mon, 03 Mar 2014 13:42:25 -0500
Superseded in lucid-updates
Superseded in lucid-security
php5 (5.3.2-1ubuntu4.23) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service via crafted indirect offset value
    in fileinfo
    - debian/patches/CVE-2013-1943.patch: properly handle recursion in
      ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added
      test to ext/fileinfo/tests/cve-2014-1943.phpt.
    - CVE-2013-1943
 -- Marc Deslauriers <email address hidden>   Fri, 28 Feb 2014 17:40:15 -0500
Superseded in precise-updates
Superseded in precise-security
php5 (5.3.10-1ubuntu3.10) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via crafted indirect offset value
    in fileinfo
    - debian/patches/CVE-2013-1943.patch: properly handle recursion in
      ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added
      test to ext/fileinfo/tests/cve-2014-1943.phpt.
    - CVE-2013-1943
 -- Marc Deslauriers <email address hidden>   Fri, 28 Feb 2014 14:55:00 -0500
Superseded in quantal-updates
Superseded in quantal-security
php5 (5.4.6-1ubuntu1.7) quantal-security; urgency=medium

  * SECURITY UPDATE: denial of service via crafted indirect offset value
    in fileinfo
    - debian/patches/CVE-2013-1943.patch: properly handle recursion in
      ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added
      test to ext/fileinfo/tests/cve-2014-1943.phpt.
    - CVE-2013-1943
  * This package does _not_ contain the changes from .4.6-1ubuntu1.6 in
    quantal-proposed.
 -- Marc Deslauriers <email address hidden>   Fri, 28 Feb 2014 11:40:51 -0500
Superseded in saucy-updates
Superseded in saucy-security
php5 (5.5.3+dfsg-1ubuntu2.2) saucy-security; urgency=medium

  * SECURITY UPDATE: denial of service and possible code execution via
    multiple issues in gdImageCrop
    - debian/patches/CVE-2013-7226.patch: fix overflows and data type
      issues in ext/gd/gd.c,ext/gd/libgd/gd_crop.c, added test to
      ext/gd/tests/bug66356.phpt.
    - CVE-2013-7226
    - CVE-2013-7327
    - CVE-2013-7328
    - CVE-2014-2020
  * SECURITY UPDATE: denial of service via crafted indirect offset value
    in fileinfo
    - debian/patches/CVE-2013-1943.patch: properly handle recursion in
      ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added
      test to ext/fileinfo/tests/cve-2014-1943.phpt.
    - CVE-2013-1943
  * debian/rules: re-enable tests.
 -- Marc Deslauriers <email address hidden>   Fri, 28 Feb 2014 11:15:03 -0500
Superseded in trusty-release
Deleted in trusty-proposed (Reason: moved to release)
php5 (5.5.9+dfsg-1ubuntu1) trusty; urgency=medium

  * Merge from Debian testing. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm, onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt
      since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - debian/rules: re-enable tests
    - d/tests/{cgi,cli,mod-php}: dep8 tests for common use cases.
  * Drop changes (upstreamed to Debian):
    - d/p/use-system-timezone.patch, d/tests/system-timezone: use system
      timezone by default, instead of requiring it to be configured.
  * d/rules: load dpkg-buildflags earlier, so that CFLAGS changes are not
    overridden (LP: #1280044).

Superseded in trusty-release
Deleted in trusty-proposed (Reason: moved to release)
php5 (5.5.8+dfsg-2ubuntu1) trusty; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm,
      onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and
      php5-mcrypt since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - debian/rules: re-enable tests
  * Previously undocumented changes:
    - d/tests/{cgi,cli,mod_php}: dep8 tests for common use cases.
  * Drop changes:
    - d/p/{CVE-2013-6420,CVE-2013-6712,fix-freetype-ftbfs}.patch: upstreamed.
    - d/control: relegate php5-json and pkg-php-tools from Recommends to
      Suggests as they are in universe: php5-json and pkg-php-tools are now in
      main (LP: #1242726).
    - d/control, d/rules: re-enable libedit-dev: libedit-dev is now enabled in
      Debian.
  * d/tests/mod-php: rename from mod_php; the previous name was illegal.
  * d/tests/{cgi,mod-php}: use new default Apache DocumentRoot /var/www/html.
  * d/p/use-system-timezone.patch, d/tests/system-timezone: use system
    timezone by default, instead of requiring it to be configured.
    (LP: #1244343).
 -- Robie Basak <email address hidden>   Tue, 21 Jan 2014 15:40:58 +0000
Deleted in quantal-proposed (Reason: moved to -updates)
php5 (5.4.6-1ubuntu1.6) quantal; urgency=low

  * debian/patches/lp1102366.patch: properly reset rfc1867 callbacks to
    prevent segfault. (LP: #1102366)
 -- Marc Deslauriers <email address hidden>   Mon, 23 Dec 2013 09:00:58 -0500
Superseded in trusty-release
Deleted in trusty-proposed (Reason: moved to release)
php5 (5.5.6+dfsg-1ubuntu2) trusty; urgency=medium

  * No change rebuild against libicu52
 -- Dimitri John Ledkov <email address hidden>   Sat, 28 Dec 2013 05:16:26 +0000
Superseded in trusty-release
Deleted in trusty-proposed (Reason: moved to release)
php5 (5.5.6+dfsg-1ubuntu1) trusty; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm,
      onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and
      php5-mcrypt since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control, d/rules: re-enable libedit-dev.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - d/control: relegate php5-json and pkg-php-tools from Recommends to
      Suggests as they are in universe.
  * Dropped changes:
    - d/p/crash_in_get_zval_ptr_ptr_var.patch: upstream
  * SECURITY UPDATE: denial of service and possible code execution via
    malicious certificate
    - debian/patches/CVE-2013-6420.patch: properly validate timestr in
      ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
    - CVE-2013-6420
  * SECURITY UPDATE: denial of service via crafted interval specification
    - debian/patches/CVE-2013-6712.patch: check error_count in
      ext/date/lib/parse_iso_intervals.*.
    - CVE-2013-6712
  * debian/patches/fix-freetype-ftbfs.patch: fix compilation with newer
    freetype
  * debian/rules: re-enable tests

Superseded in saucy-updates
Superseded in saucy-security
php5 (5.5.3+dfsg-1ubuntu2.1) saucy-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    malicious certificate
    - debian/patches/CVE-2013-6420.patch: properly validate timestr in
      ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
    - CVE-2013-6420
  * SECURITY UPDATE: denial of service via crafted interval specification
    - debian/patches/CVE-2013-6712.patch: check error_count in
      ext/date/lib/parse_iso_intervals.*.
    - CVE-2013-6712
 -- Marc Deslauriers <email address hidden>   Wed, 11 Dec 2013 13:45:28 -0500
Superseded in lucid-updates
Superseded in lucid-security
php5 (5.3.2-1ubuntu4.22) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    malicious certificate
    - debian/patches/CVE-2013-6420.patch: properly validate timestr in
      ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
    - CVE-2013-6420
  * SECURITY UPDATE: denial of service via crafted interval specification
    - debian/patches/CVE-2013-6712.patch: check error_count in
      ext/date/lib/parse_iso_intervals.*.
    - CVE-2013-6712
 -- Marc Deslauriers <email address hidden>   Wed, 11 Dec 2013 19:23:24 -0500
Superseded in quantal-updates
Superseded in quantal-security
php5 (5.4.6-1ubuntu1.5) quantal-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    malicious certificate
    - debian/patches/CVE-2013-6420.patch: properly validate timestr in
      ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
    - CVE-2013-6420
  * SECURITY UPDATE: denial of service via crafted interval specification
    - debian/patches/CVE-2013-6712.patch: check error_count in
      ext/date/lib/parse_iso_intervals.*.
    - CVE-2013-6712
 -- Marc Deslauriers <email address hidden>   Wed, 11 Dec 2013 19:20:51 -0500
Obsolete in raring-updates
Obsolete in raring-security
php5 (5.4.9-4ubuntu2.4) raring-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    malicious certificate
    - debian/patches/CVE-2013-6420.patch: properly validate timestr in
      ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
    - CVE-2013-6420
  * SECURITY UPDATE: denial of service via crafted interval specification
    - debian/patches/CVE-2013-6712.patch: check error_count in
      ext/date/lib/parse_iso_intervals.*.
    - CVE-2013-6712
 -- Marc Deslauriers <email address hidden>   Wed, 11 Dec 2013 19:19:30 -0500
Superseded in precise-updates
Superseded in precise-security
php5 (5.3.10-1ubuntu3.9) precise-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    malicious certificate
    - debian/patches/CVE-2013-6420.patch: properly validate timestr in
      ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
    - CVE-2013-6420
  * SECURITY UPDATE: denial of service via crafted interval specification
    - debian/patches/CVE-2013-6712.patch: check error_count in
      ext/date/lib/parse_iso_intervals.*.
    - CVE-2013-6712
 -- Marc Deslauriers <email address hidden>   Wed, 11 Dec 2013 19:22:04 -0500
Superseded in trusty-release
Deleted in trusty-proposed (Reason: moved to release)
php5 (5.5.3+dfsg-1ubuntu3) trusty; urgency=low

  * No change rebuild against db 5.3.
 -- Dmitrijs Ledkovs <email address hidden>   Sat, 02 Nov 2013 20:03:00 +0000
Superseded in trusty-release
Obsolete in saucy-release
Deleted in saucy-proposed (Reason: moved to release)
php5 (5.5.3+dfsg-1ubuntu2) saucy; urgency=low

  * d/p/crash_in_get_zval_ptr_ptr_var.patch: cherry-pick from upstream to fix
    segfault (LP: #1236733).
 -- Robie Basak <email address hidden>   Wed, 09 Oct 2013 11:29:29 +0000
Superseded in precise-updates
Superseded in precise-security
php5 (5.3.10-1ubuntu3.8) precise-security; urgency=low

  * SECURITY UPDATE: SSL cert validation spoofing via NULL character in
    subjectAltName.
    - debian/patches/CVE-2013-4248.patch: validate subjectAltName in
      ext/openssl/openssl.c, added test to ext/openssl/tests/cve2013_4073*.
    - CVE-2013-4248
 -- Marc Deslauriers <email address hidden>   Wed, 04 Sep 2013 12:54:39 -0400
Superseded in quantal-updates
Superseded in quantal-security
php5 (5.4.6-1ubuntu1.4) quantal-security; urgency=low

  * SECURITY UPDATE: SSL cert validation spoofing via NULL character in
    subjectAltName.
    - debian/patches/CVE-2013-4248.patch: validate subjectAltName in
      ext/openssl/openssl.c, added test to ext/openssl/tests/cve2013_4073*.
    - CVE-2013-4248
 -- Marc Deslauriers <email address hidden>   Wed, 04 Sep 2013 11:07:56 -0400
Superseded in raring-updates
Superseded in raring-security
php5 (5.4.9-4ubuntu2.3) raring-security; urgency=low

  * SECURITY UPDATE: SSL cert validation spoofing via NULL character in
    subjectAltName.
    - debian/patches/CVE-2013-4248.patch: validate subjectAltName in
      ext/openssl/openssl.c, added test to ext/openssl/tests/cve2013_4073*.
    - CVE-2013-4248
 -- Marc Deslauriers <email address hidden>   Wed, 04 Sep 2013 10:59:04 -0400
Superseded in lucid-updates
Superseded in lucid-security
php5 (5.3.2-1ubuntu4.21) lucid-security; urgency=low

  * SECURITY UPDATE: SSL cert validation spoofing via NULL character in
    subjectAltName.
    - debian/patches/CVE-2013-4248.patch: validate subjectAltName in
      ext/openssl/openssl.c, added test to ext/openssl/tests/cve2013_4073*.
    - CVE-2013-4248
 -- Marc Deslauriers <email address hidden>   Wed, 04 Sep 2013 12:56:49 -0400
Superseded in saucy-release
Deleted in saucy-proposed (Reason: moved to release)
php5 (5.5.3+dfsg-1ubuntu1) saucy; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm,
      onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and
      php5-mcrypt since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control, d/rules: re-enable libedit-dev.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - d/control: relegate php5-json and pkg-php-tools from Recommends to
      Suggests as they are in universe.

Superseded in saucy-release
Deleted in saucy-proposed (Reason: moved to release)
php5 (5.5.1+dfsg-1ubuntu1) saucy; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm,
      onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and
      php5-mcrypt since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control, d/rules: re-enable libedit-dev.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - d/control: relegate php5-json and pkg-php-tools from Recommends to
      Suggests as they are in universe.

Superseded in saucy-release
Deleted in saucy-proposed (Reason: moved to release)
php5 (5.5.0+dfsg-15ubuntu1) saucy; urgency=low

  * Merged from Debian unstable to get security fix.

Superseded in saucy-release
Deleted in saucy-proposed (Reason: moved to release)
php5 (5.5.0+dfsg-14ubuntu1) saucy; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm,
      onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and
      php5-mcrypt since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control, d/rules: re-enable libedit-dev.
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - d/control: relegate php5-json from Recommends to Suggests as it is in
      universe.
  * Relegate pkg-php-tools Recommends to Suggests as it is in universe.
 -- Robie Basak <email address hidden>   Wed, 17 Jul 2013 18:00:02 +0000
Superseded in raring-updates
Superseded in raring-security
php5 (5.4.9-4ubuntu2.2) raring-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via xml
    parser heap overflow
    - debian/patches/CVE-2013-4113.patch: check against XML_MAXLEVEL in
      ext/xml/xml.c, add test to ext/xml/tests/bug65236.phpt.
    - CVE-2013-4113
  * SECURITY UPDATE: denial of service via overflow in SdnToJewish
    - debian/patches/CVE-2013-4635.patch: check value in
      ext/calendar/jewish.c, add test to
      ext/calendar/tests/jdtojewish64.phpt.
    - CVE-2013-4635
 -- Marc Deslauriers <email address hidden>   Mon, 15 Jul 2013 09:42:36 -0400
Superseded in quantal-updates
Superseded in quantal-security
php5 (5.4.6-1ubuntu1.3) quantal-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via xml
    parser heap overflow
    - debian/patches/CVE-2013-4113.patch: check against XML_MAXLEVEL in
      ext/xml/xml.c, add test to ext/xml/tests/bug65236.phpt.
    - CVE-2013-4113
  * SECURITY UPDATE: denial of service via overflow in SdnToJewish
    - debian/patches/CVE-2013-4635.patch: check value in
      ext/calendar/jewish.c, add test to
      ext/calendar/tests/jdtojewish64.phpt.
    - CVE-2013-4635
 -- Marc Deslauriers <email address hidden>   Mon, 15 Jul 2013 09:48:22 -0400
Superseded in precise-updates
Superseded in precise-security
php5 (5.3.10-1ubuntu3.7) precise-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via xml
    parser heap overflow
    - debian/patches/CVE-2013-4113.patch: check against XML_MAXLEVEL in
      ext/xml/xml.c, add test to ext/xml/tests/bug65236.phpt.
    - CVE-2013-4113
  * SECURITY UPDATE: denial of service via overflow in SdnToJewish
    - debian/patches/CVE-2013-4635.patch: check value in
      ext/calendar/jewish.c, add test to
      ext/calendar/tests/jdtojewish64.phpt.
    - CVE-2013-4635
 -- Marc Deslauriers <email address hidden>   Mon, 15 Jul 2013 09:49:43 -0400
Superseded in lucid-updates
Superseded in lucid-security
php5 (5.3.2-1ubuntu4.20) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via xml
    parser heap overflow
    - debian/patches/CVE-2013-4113.patch: check against XML_MAXLEVEL in
      ext/xml/xml.c, add test to ext/xml/tests/bug65236.phpt.
    - CVE-2013-4113
  * SECURITY UPDATE: denial of service via overflow in SdnToJewish
    - debian/patches/CVE-2013-4635.patch: check value in
      ext/calendar/jewish.c, add test to
      ext/calendar/tests/jdtojewish64.phpt.
    - CVE-2013-4635
 -- Marc Deslauriers <email address hidden>   Mon, 15 Jul 2013 09:50:48 -0400
Superseded in saucy-proposed
php5 (5.5.0+dfsg-6ubuntu1) saucy; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/control: drop Build-Depends that are in universe: firebird-dev,
      libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
    - d/rules: drop configuration of packages that are in universe: qdgm,
      onig.
    - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
      interbase or firebird.
    - d/rules: export DEB_HOST_MULTIARCH properly.
    - d/control: drop binary packages php5-imap, php5-interbase and
      php5-mcrypt since we have separate versions in universe.
    - d/modulelist: drop imap, interbase and mcrypt since we have separate
      versions in universe.
    - d/rules: drop configuration of imap and mcrypt since we have separate
      versions in universe.
    - d/source_php5.py, d/rules: add apport hook.
    - d/rules: stop mysql instance on clean just in case we failed in tests.
    - d/control, d/rules: re-enable libedit-dev.
  * Remaining changes that were previously undocumented:
    - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
      as only the latter is in main.
  * Drop changes:
    - Add build-dependency on lemon, which we now need. This is evidently no
      longer required, since there is no sign of it being used in
      5.4.15-1ubuntu3.
    - Dropped libcurl-dev not in the archive. libcurl-dev is a virtual
      alternative, so doesn't need to be dropped.
    - debian/control: replace build-depends on mysql-server with
      mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
      mysql-server-5.5 postinst confusion with starting up multiple
      mysqlds listening on the same port. The test infrastructure in packaging
      has changed, and now breaks without the mysql-server-5.5 postinst having
      run and created the mysql user. However, it also finds an available port
      itself so no longer conflicts with our mysql-server-5.5 postinst.
    - Patches included upstream:
      + debian/patches/CVE-2013-2110.patch
      + debian/patches/fix_gd_210.patch
      + debian/patches/CVE-2013-4635.patch
      + debian/patches/CVE-2013-4636.patch
  * Drop changes that were previously undocumented:
    - d/rules: adjust memory limits in .ini files. It appears that this was
      intended to be dropped back in 5.4.6-1ubuntu1, going by the old
      changelog entry.
    - d/rules: adjust openssl path in configure script. PHP still appears to
      configure, detect and build openssl-related components correctly
      regardless.
    - d/rules: disable parallel builds. There is no previous explanation as to
      why this was disabled, and having this in place is standard practice and
      in the Debian packaging.
    - d/rules: adjust PHP5_{HOST,BUILD}_GNU_TYPE. There is no previous
      explanation as to why this was present, and I can't find any regression
      that would be fixed by this change.
  * New changes:
    - d/rules, d/control: drop use of dh_systemd as it is in universe.
    - d/control: relegate php5-json from Recommends to Suggests as it is in
      universe.
 -- Robie Basak <email address hidden>   Mon, 15 Jul 2013 14:09:59 +0000
Superseded in saucy-release
Deleted in saucy-proposed (Reason: moved to release)
php5 (5.4.15-1ubuntu3) saucy; urgency=low

  * SECURITY UPDATE: denial of service via overflow in SdnToJewish
    - debian/patches/CVE-2013-4635.patch: check value in
      ext/calendar/jewish.c, add test to
      ext/calendar/tests/jdtojewish64.phpt.
    - CVE-2013-4635
  * SECURITY UPDATE: denial of service via incorrect MIME type detection
    - debian/patches/CVE-2013-4636.patch: use efree in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2013-4636
 -- Marc Deslauriers <email address hidden>   Fri, 28 Jun 2013 08:20:11 -0400
Superseded in saucy-release
Deleted in saucy-proposed (Reason: moved to release)
php5 (5.4.15-1ubuntu2) saucy; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    quoted_printable_encode overflow
    - debian/patches/CVE-2013-2110.patch: calculate proper string size in
      ext/standard/quot_print.c, add test to
      ext/standard/tests/strings/bug64879.phpt.
    - CVE-2013-2110
  * debian/patches/fix_gd_210.patch: fix php-gd compatibility with
    libgd2 2.1.0. (LP: #1188070)
 -- Marc Deslauriers <email address hidden>   Tue, 11 Jun 2013 09:19:47 -0400
Superseded in raring-updates
Superseded in raring-security
php5 (5.4.9-4ubuntu2.1) raring-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    quoted_printable_encode overflow
    - debian/patches/CVE-2013-2110.patch: calculate proper string size in
      ext/standard/quot_print.c, add test to
      ext/standard/tests/strings/bug64879.phpt.
    - CVE-2013-2110
 -- Marc Deslauriers <email address hidden>   Mon, 10 Jun 2013 16:02:40 -0400
Superseded in saucy-release
Deleted in saucy-proposed (Reason: moved to release)
php5 (5.4.15-1ubuntu1) saucy; urgency=low

  * Merge from Debian experimental. Remaining changes:
    - d/rules: Simplify apache config settings since we never build
      interbase or firebird.
    - debian/rules: export DEB_HOST_MULTIARCH properly.
    - Add build-dependency on lemon, which we now need.
    - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is
      in universe.
    - Dropped libcurl-dev not in the archive.
    - debian/control: replace build-depends on mysql-server with
      mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
      mysql-server-5.5 postinst confusion with starting up multiple
      mysqlds listening on the same port.
    - Dropped php5-imap, php5-interbase, php5-mcrypt since we have
      versions already in universe.
    - Dropped libonig-dev and libqgdbm since it's in universe. (libonig
      MIR has been declined due to an inactive upstream. So this is
      probably a permanent change).
    - modulelist: Drop imap, interbase, sybase, and mcrypt.
    - debian/rules:
      - Dropped building of mcrypt, imap, and interbase.
      - Install apport hook for php5.
      - stop mysql instance on clean just in case we failed in tests
    - debian/control, debian/rules: Re-enable libedit-dev.
  * Dropped changes:
    - debian/patches/CVE-2013-1643.patch: included upstream.

Superseded in saucy-release
Obsolete in raring-release
Deleted in raring-proposed (Reason: moved to release)
php5 (5.4.9-4ubuntu2) raring; urgency=low

  * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
    - debian/patches/CVE-2013-1643.patch: disable the entity loader in
      ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
    - CVE-2013-1643
 -- Marc Deslauriers <email address hidden>   Fri, 08 Mar 2013 16:12:43 -0500

Superseded in lucid-updates
Superseded in lucid-security
php5 (5.3.2-1ubuntu4.19) lucid-security; urgency=low

  * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
    - debian/patches/CVE-2013-1643.patch: disable the entity loader in
      ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
    - CVE-2013-1643
 -- Marc Deslauriers <email address hidden>   Mon, 11 Mar 2013 07:49:54 -0400
Superseded in quantal-updates
Superseded in quantal-security
php5 (5.4.6-1ubuntu1.2) quantal-security; urgency=low

  * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
    - debian/patches/CVE-2013-1643.patch: disable the entity loader in
      ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
    - CVE-2013-1643
 -- Marc Deslauriers <email address hidden>   Fri, 08 Mar 2013 16:18:48 -0500
Superseded in precise-updates
Superseded in precise-security
php5 (5.3.10-1ubuntu3.6) precise-security; urgency=low

  * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
    - debian/patches/CVE-2013-1643.patch: disable the entity loader in
      ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
    - CVE-2013-1643
 -- Marc Deslauriers <email address hidden>   Fri, 08 Mar 2013 16:22:01 -0500
Obsolete in oneiric-updates
Obsolete in oneiric-security
php5 (5.3.6-13ubuntu3.10) oneiric-security; urgency=low

  * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
    - debian/patches/CVE-2013-1643.patch: disable the entity loader in
      ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
    - CVE-2013-1643
 -- Marc Deslauriers <email address hidden>   Fri, 08 Mar 2013 16:32:19 -0500
Obsolete in hardy-updates
Obsolete in hardy-security
php5 (5.2.4-2ubuntu5.27) hardy-security; urgency=low

  * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
    - debian/patches/CVE-2013-1643.patch: disable the entity loader in
      ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
    - CVE-2013-1643
 -- Marc Deslauriers <email address hidden>   Mon, 11 Mar 2013 07:55:03 -0400
Superseded in precise-updates
Superseded in precise-security
php5 (5.3.10-1ubuntu3.5) precise-security; urgency=low

  * SECURITY UPDATE: arbitrary memory disclosure (LP: #1099793)
    - debian/patches/CVE-2012-6113.patch: properly initialize length in
      ext/openssl/openssl.c.
    - CVE-2012-6113
 -- Marc Deslauriers <email address hidden>   Fri, 18 Jan 2013 09:49:22 -0500
Superseded in raring-release
Deleted in raring-proposed (Reason: moved to release)
php5 (5.4.9-4ubuntu1) raring; urgency=low

  * Merge from Debian experimental. Remaining changes:
    - d/rules: Simplify apache config settings since we never build
      interbase or firebird.
    - debian/rules: export DEB_HOST_MULTIARCH properly.
    - Add build-dependency on lemon, which we now need.
    - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is
      in universe.
    - Dropped libcurl-dev not in the archive.
    - debian/control: replace build-depends on mysql-server with
      mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
      mysql-server-5.5 postinst confusion with starting up multiple
      mysqlds listening on the same port.
    - Dropped php5-imap, php5-interbase, php5-mcrypt since we have
      versions already in universe.
    - Dropped libonig-dev and libqgdbm since it's in universe. (libonig
      MIR has been declined due to an inactive upstream. So this is
      probably a permanent change).
    - modulelist: Drop imap, interbase, sybase, and mcrypt.
    - debian/rules:
      - Dropped building of mcrypt, imap, and interbase.
      - Install apport hook for php5.
      - stop mysql instance on clean just in case we failed in tests
    - debian/control, debian/rules: Re-enable libedit-dev.
  * Dropped changes:
    - Re-add logic to guess default timezone from system to fix default
      timezone regression Cherry-picked from Debian 5.4.4-6 (also in
      Debian 5.4.6-2).
    - debian/patches/libxml290.patch: Fix FTBFS with libxml 2.9.0.
      (included upstream)

Superseded in raring-release
Deleted in raring-proposed (Reason: moved to release)
php5 (5.4.6-1ubuntu2) raring; urgency=low

  [ Robie Basak ]
  * Re-add logic to guess default timezone from system to fix default timezone
    regression (LP: #1069529). Cherry-picked from Debian 5.4.4-6 (also in
    Debian 5.4.6-2).

  [ Marc Deslauriers ]
  * debian/patches/libxml290.patch: Fix FTBFS with libxml 2.9.0.
 -- Marc Deslauriers <email address hidden>   Wed, 07 Nov 2012 11:54:55 -0500

Superseded in quantal-updates
Deleted in quantal-proposed (Reason: moved to -updates)
php5 (5.4.6-1ubuntu1.1) quantal-proposed; urgency=low

  * Re-add logic to guess default timezone from system to fix default timezone
    regression (LP: #1069529). Cherry-picked from Debian 5.4.4-6 (also in
    Debian 5.4.6-2).
 -- Robie Basak <email address hidden>   Wed, 24 Oct 2012 10:04:51 +0000

Superseded in hardy-updates
Superseded in hardy-security
php5 (5.2.4-2ubuntu5.26) hardy-security; urgency=low

  * SECURITY UPDATE: HTTP response-splitting issue with %0D sequences
    - debian/patches/CVE-2011-1398.patch: properly handle %0D and NUL in
      main/SAPI.c.
    - CVE-2011-1398
    - CVE-2012-4388
  * SECURITY UPDATE: denial of service and possible code execution via
    _php_stream_scandir function (LP: #1028064)
    - debian/patches/CVE-2012-2688.patch: prevent overflow in
      main/streams/streams.c.
    - CVE-2012-2688
  * SECURITY UPDATE: denial of service via PDO extension crafted parameter
    - debian/patches/CVE-2012-3450.patch: improve logic in
      ext/pdo/pdo_sql_parser.re, regenerate ext/pdo/pdo_sql_parser.c, add
      test to ext/pdo_mysql/tests/bug_61755.phpt.
    - CVE-2012-3450
 -- Marc Deslauriers <email address hidden>   Wed, 12 Sep 2012 11:51:06 -0400
Superseded in lucid-updates
Superseded in lucid-security
php5 (5.3.2-1ubuntu4.18) lucid-security; urgency=low

  * SECURITY UPDATE: HTTP response-splitting issue with %0D sequences
    - debian/patches/CVE-2011-1398.patch: properly handle %0D and NUL in
      main/SAPI.c, added tests to ext/standard/tests/*, fix test suite
      failures in ext/phar/phar_object.c.
    - CVE-2011-1398
    - CVE-2012-4388
  * SECURITY UPDATE: denial of service and possible code execution via
    _php_stream_scandir function (LP: #1028064)
    - debian/patches/CVE-2012-2688.patch: prevent overflow in
      main/streams/streams.c.
    - CVE-2012-2688
  * SECURITY UPDATE: denial of service via PDO extension crafted parameter
    - debian/patches/CVE-2012-3450.patch: improve logic in
      ext/pdo/pdo_sql_parser.re, regenerate ext/pdo/pdo_sql_parser.c, add
      test to ext/pdo_mysql/tests/bug_61755.phpt.
    - CVE-2012-3450
 -- Marc Deslauriers <email address hidden>   Wed, 12 Sep 2012 11:33:30 -0400
Obsolete in natty-updates
Obsolete in natty-security
php5 (5.3.5-1ubuntu7.11) natty-security; urgency=low

  * SECURITY UPDATE: HTTP response-splitting issue with %0D sequences
    - debian/patches/CVE-2011-1398.patch: properly handle %0D and NUL in
      main/SAPI.c, added tests to ext/standard/tests/*, fix test suite
      failures in ext/phar/phar_object.c.
    - CVE-2011-1398
    - CVE-2012-4388
  * SECURITY UPDATE: denial of service and possible code execution via
    _php_stream_scandir function (LP: #1028064)
    - debian/patches/CVE-2012-2688.patch: prevent overflow in
      main/streams/streams.c.
    - CVE-2012-2688
  * SECURITY UPDATE: denial of service via PDO extension crafted parameter
    - debian/patches/CVE-2012-3450.patch: improve logic in
      ext/pdo/pdo_sql_parser.re, regenerate ext/pdo/pdo_sql_parser.c, add
      test to ext/pdo_mysql/tests/bug_61755.phpt.
    - CVE-2012-3450
 -- Marc Deslauriers <email address hidden>   Wed, 12 Sep 2012 09:11:28 -0400
Superseded in oneiric-updates
Superseded in oneiric-security
php5 (5.3.6-13ubuntu3.9) oneiric-security; urgency=low

  * SECURITY UPDATE: HTTP response-splitting issue with %0D sequences
    - debian/patches/CVE-2011-1398.patch: properly handle %0D and NUL in
      main/SAPI.c, added tests to ext/standard/tests/*, fix test suite
      failures in ext/phar/phar_object.c.
    - CVE-2011-1398
    - CVE-2012-4388
  * SECURITY UPDATE: denial of service and possible code execution via
    _php_stream_scandir function (LP: #1028064)
    - debian/patches/CVE-2012-2688.patch: prevent overflow in
      main/streams/streams.c.
    - CVE-2012-2688
  * SECURITY UPDATE: denial of service via PDO extension crafted parameter
    - debian/patches/CVE-2012-3450.patch: improve logic in
      ext/pdo/pdo_sql_parser.re, regenerate ext/pdo/pdo_sql_parser.c, add
      test to ext/pdo_mysql/tests/bug_61755.phpt.
    - CVE-2012-3450
 -- Marc Deslauriers <email address hidden>   Wed, 12 Sep 2012 09:09:05 -0400
Superseded in precise-updates
Superseded in precise-security
php5 (5.3.10-1ubuntu3.4) precise-security; urgency=low

  * SECURITY UPDATE: HTTP response-splitting issue with %0D sequences
    - debian/patches/CVE-2011-1398.patch: properly handle %0D and NUL in
      main/SAPI.c, added tests to ext/standard/tests/*, fix test suite
      failures in ext/phar/phar_object.c.
    - CVE-2011-1398
    - CVE-2012-4388
  * SECURITY UPDATE: denial of service and possible code execution via
    _php_stream_scandir function (LP: #1028064)
    - debian/patches/CVE-2012-2688.patch: prevent overflow in
      main/streams/streams.c.
    - CVE-2012-2688
  * SECURITY UPDATE: denial of service via PDO extension crafted parameter
    - debian/patches/CVE-2012-3450.patch: improve logic in
      ext/pdo/pdo_sql_parser.re, regenerate ext/pdo/pdo_sql_parser.c, add
      test to ext/pdo_mysql/tests/bug_61755.phpt.
    - CVE-2012-3450
 -- Marc Deslauriers <email address hidden>   Tue, 11 Sep 2012 11:28:52 -0400
Superseded in precise-updates
Deleted in precise-proposed (Reason: moved to -updates)
php5 (5.3.10-1ubuntu3.3) precise-proposed; urgency=low

  * Applies upstream bug fixes for several issues and bugs:
    * php5-fpm segfaults with error 4 in libc-2.15.so
        (LP: #1006738.  Bug Priority: High)
    * PHP5-FPM not reporting errors to web server (nginx)
        (LP: #1014044.  Bug Priority: Medium)
 -- Thomas Ward <email address hidden>   Tue, 31 Jul 2012 21:15:08 -0400
Superseded in raring-release
Obsolete in quantal-release
php5 (5.4.6-1ubuntu1) quantal; urgency=low

  * Merge from Debian experimental (LP: #1006738 , LP: #1040212)
    Remaining changes:
    - d/rules: Simplify apache config settings since we never build
      interbase or firebird.
    - debian/rules: export DEB_HOST_MULTIARCH properly.
    - Add build-dependency on lemon, which we now need.
    - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is
      in universe.
    - Dropped libcurl-dev not in the archive.
    - debian/control: replace build-depends on mysql-server with
      mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
      mysql-server-5.5 postinst confusion with starting up multiple
      mysqlds listening on the same port.
    - Dropped php5-imap, php5-interbase, php5-mcrypt since we have
      versions already in universe.
    - Dropped libonig-dev and libqgdbm since it's in universe. (libonig
      MIR has been declined due to an inactive upstream. So this is
      probably a permanent change).
    - modulelist: Drop imap, interbase, sybase, and mcrypt.
    - debian/rules:
      - Dropped building of mcrypt, imap, and interbase.
      - Install apport hook for php5.
      - stop mysql instance on clean just in case we failed in tests
    - debian/control, debian/rules: Re-enable libedit-dev.
  * Dropped Changes:
    - debian/rules: change memory limits on example .ini files.

Superseded in quantal-release
php5 (5.4.4-3ubuntu1) quantal; urgency=low

  * Merge from Debian unstable. (LP: #1014044) (LP: #1024355)
    Remaining changes:
    - d/rules: Simplify apache config settings since we never build
      interbase or firebird.
    - debian/rules: export DEB_HOST_MULTIARCH properly.
    - Add build-dependency on lemon, which we now need.
    - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe.
    - Dropped libcurl-dev not in the archive.
    - debian/control: replace build-depends on mysql-server with
      mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
      mysql-server-5.5 postinst confusion with starting up multiple
      mysqlds listening on the same port.
    - Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions
      already in universe.
    - Dropped libonig-dev and libqgdbm since it's in universe. (libonig MIR
      has been declined due to an inactive upstream. So this is probably
      a permanent change).
    - modulelist: Drop imap, interbase, sybase, and mcrypt.
    - debian/rules:
      * Dropped building of mcrypt, imap, and interbase.
      * Install apport hook for php5.
      * stop mysql instance on clean just in case we failed in tests

Superseded in quantal-release
php5 (5.4.4-1ubuntu1) quantal; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/rules: Simplify apache config settings since we never build
      interbase or firebird.
    - debian/rules: export DEB_HOST_MULTIARCH properly.
    - Add build-dependency on lemon, which we now need.
    - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe.
    - Dropped libcurl-dev not in the archive.
    - debian/control: replace build-depends on mysql-server with
      mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
      mysql-server-5.5 postinst confusion with starting up multiple
      mysqlds listening on the same port.
    - Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions
      already in universe.
    - Dropped libonig-dev and libqgdbm since it's in universe. (libonig MIR
      has been declined due to an inactive upstream. So this is probably
      a permanent change).
    - modulelist: Drop imap, interbase, sybase, and mcrypt.
    - debian/rules:
      * Dropped building of mcrypt, imap, and interbase.
      * Install apport hook for php5.
      * stop mysql instance on clean just in case we failed in tests
  * Dropped Changes:
    * d/rules: enable Suhosin patch with PHP5_SUHOSIN=yes -- Upstream suhosin
      has been slow to adopt PHP 5.4, and is showing signs of disengagement.
      Therefore, we will follow Debian's lead and drop Suhosin for now.
    - d/control: build-depend on mysql 5.5 instead of 5.1 for running tests.
      -- Debian just deps on mysql-server
    - Suggest php5-suhosin rather than recommends. -- Dropping suhosin
    - d/setup-mysql.sh: modify to work with mysql 5.5 differences -- superseded
      in Debian.
    - Only build php5-sqlite for sqlite3, dropping the obsolete sqlite2. --
      superseded in Debian
    - d/maxlifetime: Improve maxlifetime script to scan for more SAPIs and
      scan all *.ini in conf.d directory. -- Change came from Debian
    - d/libapache2-mod-php5.postinst,libapache2-mod-php5filter.postinst:
      Restart apache on first install to ensure module is fully enabled.
      -- Change came from Debian
    - debian/patches/php5-CVE-2012-1823.patch: filter query strings that
      are prefixed with '-' -- Fixed upstream
    - debian/control: Recommend php5-dev for php-pear. -- This was a poorly
      conceived idea anyway.
    - Pre-Depend on a new enough version of dpkg for dpkg-maintscript-helper
      rather than checking whether it exists at run-time, leading to more
      predictable behaviour on upgrades. -- Applied in Debian
    - d/p/gd-multiarch-fix.patch: superseded
  * d/NEWS: add note explaining that SUHOSIN is no longer enabled in the
    Ubuntu packages.

Superseded in lucid-updates
Superseded in lucid-security
php5 (5.3.2-1ubuntu4.17) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service via invalid tidy objects
    - debian/patches/CVE-2012-0781.patch: track initialization in
      ext/tidy/tidy.c, added tests to ext/tidy/tests/004.phpt,
      ext/tidy/tests/bug54682.phpt.
    - CVE-2012-0781
  * SECURITY UPDATE: denial of service or possible directory traversal via
    invalid filename.
    - debian/patches/CVE-2012-1172.patch: ensure brackets get closed in
      main/rfc1867.c, add test to tests/basic/bug55500.phpt.
    - CVE-2012-1172
  * SECURITY UPDATE: password truncation via invalid byte
    - debian/patches/CVE-2012-2143.patch: improve logic in
      ext/standard/crypt_freesec.c, add test to
      ext/standard/tests/strings/crypt_chars.phpt.
    - CVE-2012-2143
  * SECURITY UPDATE: crypto() empty salt string issue
    - debian/patches/php_crypt_revamped.patch: Return fail string on
      invalid Blowfish salt rounds, fix regression when the salt is empty.
    - CVE-2012-2317
  * SECURITY UPDATE: improve php5-cgi query string parameter parsing
    - debian/patches/CVE-2012-233x.patch: improve parsing in
      sapi/cgi/cgi_main.c.
    - CVE-2012-2335
    - CVE-2012-2336
  * SECURITY UPDATE: phar extension heap overflow
    - debian/patches/CVE-2012-2386.patch: check for overflow in
      ext/phar/tar.c.
    - CVE-2012-2386
 -- Marc Deslauriers <email address hidden>   Tue, 12 Jun 2012 15:51:23 -0400
Superseded in natty-updates
Superseded in natty-security
php5 (5.3.5-1ubuntu7.10) natty-security; urgency=low

  * SECURITY UPDATE: denial of service via invalid tidy objects
    - debian/patches/CVE-2012-0781.patch: track initialization in
      ext/tidy/tidy.c, added tests to ext/tidy/tests/004.phpt,
      ext/tidy/tests/bug54682.phpt.
    - CVE-2012-0781
  * SECURITY UPDATE: denial of service or possible directory traversal via
    invalid filename.
    - debian/patches/CVE-2012-1172.patch: ensure brackets get closed in
      main/rfc1867.c, add test to tests/basic/bug55500.phpt.
    - CVE-2012-1172
  * SECURITY UPDATE: password truncation via invalid byte
    - debian/patches/CVE-2012-2143.patch: improve logic in
      ext/standard/crypt_freesec.c, add test to
      ext/standard/tests/strings/crypt_chars.phpt.
    - CVE-2012-2143
  * SECURITY UPDATE: crypto() empty salt string issue
    - debian/patches/{php_crypt_revamped,use_system_crypt_fixes}.patch:
      Return fail string on invalid Blowfish salt rounds, fix regression
      when the salt is empty.
    - CVE-2012-2317
  * SECURITY UPDATE: improve php5-cgi query string parameter parsing
    - debian/patches/CVE-2012-233x.patch: improve parsing in
      sapi/cgi/cgi_main.c.
    - CVE-2012-2335
    - CVE-2012-2336
  * SECURITY UPDATE: phar extension heap overflow
    - debian/patches/CVE-2012-2386.patch: check for overflow in
      ext/phar/tar.c.
    - CVE-2012-2386
 -- Marc Deslauriers <email address hidden>   Tue, 12 Jun 2012 15:38:21 -0400
Superseded in hardy-updates
Superseded in hardy-security
php5 (5.2.4-2ubuntu5.25) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service via invalid tidy objects
    - debian/patches/CVE-2012-0781.patch: track initialization in
      ext/tidy/tidy.c, added tests to ext/tidy/tests/004.phpt,
      ext/tidy/tests/bug54682.phpt.
    - CVE-2012-0781
  * SECURITY UPDATE: denial of service or possible directory traversal via
    invalid filename.
    - debian/patches/CVE-2012-1172.patch: ensure brackets get closed in
      main/rfc1867.c, add test to tests/basic/bug55500.phpt.
    - CVE-2012-1172
  * SECURITY UPDATE: improve php5-cgi query string parameter parsing
    - debian/patches/CVE-2012-233x.patch: improve parsing in
      sapi/cgi/cgi_main.c.
    - CVE-2012-2335
    - CVE-2012-2336
 -- Marc Deslauriers <email address hidden>   Tue, 12 Jun 2012 16:02:25 -0400
Superseded in oneiric-updates
Superseded in oneiric-security
php5 (5.3.6-13ubuntu3.8) oneiric-security; urgency=low

  * SECURITY UPDATE: denial of service via invalid tidy objects
    - debian/patches/CVE-2012-0781.patch: track initialization in
      ext/tidy/tidy.c, added tests to ext/tidy/tests/004.phpt,
      ext/tidy/tests/bug54682.phpt.
    - CVE-2012-0781
  * SECURITY UPDATE: denial of service or possible directory traversal via
    invalid filename.
    - debian/patches/CVE-2012-1172.patch: ensure brackets get closed in
      main/rfc1867.c, add test to tests/basic/bug55500.phpt.
    - CVE-2012-1172
  * SECURITY UPDATE: password truncation via invalid byte
    - debian/patches/CVE-2012-2143.patch: improve logic in
      ext/standard/crypt_freesec.c, add test to
      ext/standard/tests/strings/crypt_chars.phpt.
    - CVE-2012-2143
  * SECURITY UPDATE: improve php5-cgi query string parameter parsing
    - debian/patches/CVE-2012-233x.patch: improve parsing in
      sapi/cgi/cgi_main.c.
    - CVE-2012-2335
    - CVE-2012-2336
  * SECURITY UPDATE: phar extension heap overflow
    - debian/patches/CVE-2012-2386.patch: check for overflow in
      ext/phar/tar.c.
    - CVE-2012-2386
 -- Marc Deslauriers <email address hidden>   Tue, 12 Jun 2012 15:31:43 -0400
Superseded in precise-updates
Superseded in precise-security
php5 (5.3.10-1ubuntu3.2) precise-security; urgency=low

  * SECURITY UPDATE: denial of service via invalid tidy objects
    - debian/patches/CVE-2012-0781.patch: track initialization in
      ext/tidy/tidy.c, added tests to ext/tidy/tests/004.phpt,
      ext/tidy/tests/bug54682.phpt.
    - CVE-2012-0781
  * SECURITY UPDATE: denial of service or possible directory traversal via
    invalid filename.
    - debian/patches/CVE-2012-1172.patch: ensure brackets get closed in
      main/rfc1867.c, add test to tests/basic/bug55500.phpt.
    - CVE-2012-1172
  * SECURITY UPDATE: password truncation via invalid byte
    - debian/patches/CVE-2012-2143.patch: improve logic in
      ext/standard/crypt_freesec.c, add test to
      ext/standard/tests/strings/crypt_chars.phpt.
    - CVE-2012-2143
  * SECURITY UPDATE: improve php5-cgi query string parameter parsing
    - debian/patches/CVE-2012-233x.patch: improve parsing in
      sapi/cgi/cgi_main.c.
    - CVE-2012-2335
    - CVE-2012-2336
  * SECURITY UPDATE: phar extension heap overflow
    - debian/patches/CVE-2012-2386.patch: check for overflow in
      ext/phar/tar.c.
    - CVE-2012-2386
 -- Marc Deslauriers <email address hidden>   Tue, 12 Jun 2012 13:40:37 -0400
Superseded in quantal-release
php5 (5.3.10-1ubuntu4) quantal; urgency=low

  * SECURITY UPDATE: php5-cgi query string parameters parsing
    vulnerability
    - debian/patches/php5-CVE-2012-1823.patch: filter query strings that
      are prefixed with '-'
    - CVE-2012-1823
    - CVE-2012-2311
 -- Steve Beattie <email address hidden>   Wed, 23 May 2012 15:57:57 -0400
Superseded in precise-updates
Superseded in precise-security
php5 (5.3.10-1ubuntu3.1) precise-security; urgency=low

  * SECURITY UPDATE: php5-cgi query string parameters parsing
    vulnerability
    - debian/patches/php5-CVE-2012-1823.patch: filter query strings that
      are prefixed with '-'
    - CVE-2012-1823
    - CVE-2012-2311
 -- Steve Beattie <email address hidden>   Thu, 03 May 2012 15:42:08 -0700
Superseded in hardy-updates
Superseded in hardy-security
php5 (5.2.4-2ubuntu5.24) hardy-security; urgency=low

  * SECURITY UPDATE: php5-cgi query string parameters parsing
    vulnerability
    - debian/patches/php5-CVE-2012-1823.patch: filter query strings that
      are prefixed with '-'
    - CVE-2012-1823
    - CVE-2012-2311
 -- Steve Beattie <email address hidden>   Thu, 03 May 2012 15:33:40 -0700
Superseded in oneiric-updates
Superseded in oneiric-security
php5 (5.3.6-13ubuntu3.7) oneiric-security; urgency=low

  * SECURITY UPDATE: php5-cgi query string parameters parsing
    vulnerability
    - debian/patches/php5-CVE-2012-1823.patch: filter query strings that
      are prefixed with '-'
    - CVE-2012-1823
    - CVE-2012-2311
 -- Steve Beattie <email address hidden>   Thu, 03 May 2012 15:12:00 -0700