php5 5.3.6-13ubuntu1 source package in Ubuntu

Changelog

php5 (5.3.6-13ubuntu1) oneiric; urgency=low

  * Merge from debian unstable.  Remaining changes:
    * Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe.
    * Dropped libcurl-dev not in the archive.
    * debian/control: replace build-depends on mysql-server with
      mysql-server-core-5.1 and mysql-client-5.1 to avoid upstart and
      mysql-server-5.1 postinst confusion with starting up multiple
      mysqlds listening on the same port.
    * Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions
      already in universe.
    * Suggest php5-suhosin rather than recommends.
    * Dropped libonig-dev and libqgdbm since its in universe. (libonig MIR
      has been declined due to an inactive upstream. So this is probably
      a permanent change).
    * modulelist: Drop imap, interbase, sybase, and mcrypt.
    * debian/rules:
      * Dropped building of mcrypt, imap, and interbase.
      * Install apport hook for php5.
      * stop mysql instance on clean just in case we failed in tests
    * debian/control: Recommend php5-dev for php-pear.
    * debian/rules: --enable-pcntl for cgi as well.
    * debian/patches/temporary-path-fixes-for-multiarch.patch: as a stopgap
      for natty, patch the various config.m4 files for modules whose
      libraries have moved to the multiarch dir; we can't use --with-libdir
      yet because that requires all the build-deps to have moved.  Thanks to
      Jonathan Marsden for preparing this patch.
    * debian/patches/fpm-config.patch: Update php-fpm.conf(pool.d/con)
      to do initial chdir to / as suggest by Olaf van van der Spek
      to detect early problems if php5-fpm needs a write access to
      initial chdir.
    * SECURITY UPDATE: use-after-free vulnerability
      - debian/patches/php5-CVE-2011-1148.patch: improve reference
        counting
      - CVE-2011-1148
    * debian/rules: set DEB_HOST_MULTIARCH to enable 'debian/rules' for
      building.

php5 (5.3.6-13) unstable; urgency=low

  * Fix CVE-2011-2483: 8-bit character mishandling allows different
    password pairs to produce the same hash (Closes: #631347)
  * Add support for $2x$ identifier as blowfish variant in crypt.c to
    allow backward compatibility with old invalid hashes
  * Return fail string (*0) on invalid Blowfish salt rounds
  * Add NEWS item about incompatible blowfish hashes
  * Fix CVE-2011-1938: Stack-based buffer overflow in the socket_connect
    function in ext/sockets/sockets.c in PHP 5.3.3 through 5.3.6 might
    allow context-dependent attackers to execute arbitrary code via a
    long pathname for a UNIX socket.

php5 (5.3.6-12) unstable; urgency=low

  * Bump standards version to 3.9.2
  * Update cron.d code to even safer variant (Courtesy of Bob Proulx)
  * Small optimization in cron.d script (Courtesy of Marcus Cobden)
  * Add firebird2.1-dev option to allow backports
  * Pull (and fix broken patch) multiarch workaround from obuntu nattybuntu natty
   Add error message when phpeze is not found (Closes: #627937)
  * Enable pcntl extension for CGI builds (Closes: #627941), but
    disable all pcntl functions by default
  * File path injection vulnerability in RFC1867 File upload filename
    [CVE-2011-2202]
 -- Chuck Short <email address hidden>   Mon, 25 Jul 2011 19:14:12 +0100