Change log for php7.0 package in Ubuntu

Published in xenial-updates
Published in xenial-security
php7.0 (7.0.33-0ubuntu0.16.04.16) xenial-security; urgency=medium

  * SECURITY UPDATE: Possibly forge cookie
    - debian/patches/CVE-2020-7070.patch: do not decode cookie names anymore
      in main/php_variables.c, tests/basic/022.phpt, tests/basic/023.phpt,
      tests/basic/bug79699.phpt.
    - CVE-2020-7070

 -- <email address hidden> (Leonidas S. Barbosa)  Wed, 07 Oct 2020 14:47:16 -0300
Superseded in xenial-updates
Superseded in xenial-security
php7.0 (7.0.33-0ubuntu0.16.04.15) xenial-security; urgency=medium

  * SECURITY UPDATE: Denial of service through oversized memory allocated
    - debian/patches/CVE-2019-11048.patch: changes types int to size_t
      in main/rfc1867.c.
    - CVE-2019-11048

 -- <email address hidden> (Leonidas S. Barbosa)  Tue, 26 May 2020 10:52:55 -0300
Superseded in xenial-updates
Superseded in xenial-security
php7.0 (7.0.33-0ubuntu0.16.04.14) xenial-security; urgency=medium

  * SECURITY UPDATE: Null dereference pointer
    - debian/patches/CVE-2020-7062.patch: avoid null dereference in
      ext/session/session.c, ext/session/tests/bug79221.phpt.
    - CVE-2020-7062
  * SECURITY UPDATE: Lax permissions on files added to tar with Phar
    - debian/patches/CVE-2020-7063.patch: enforce correct permissions
      for files added to tar with Phar in ext/phar/phar_object.c,
      ext/phar/tests/bug79082.phpt, ext/phar/tests/test79082*.
    - CVE-2020-7063
  * SECURITY UPDATE: Read one byte of uninitialized memory
    - debian/patches/CVE-2020-7064.patch: check length in
      exif_process_TIFF_in_JPEG to avoid read uninitialized memory
      ext/exif/exif.c, ext/exif/tests/bug79282.phpt.
    - debian/patches/0001-Fix-test-bug79282.patch: fix test in
      ext/exif/tests/bug79282.phpt.
    - CVE-2020-7064
  * SECURITY UPDATE: Truncated url due to \0
    - debian/patches/CVE-2020-7066.patch: check for get_headers
      not accepting \0 in ext/standard/url.c.
    - CVE-2020-7066

 -- <email address hidden> (Leonidas S. Barbosa)  Thu, 09 Apr 2020 11:27:04 -0300
Superseded in xenial-updates
Superseded in xenial-security
php7.0 (7.0.33-0ubuntu0.16.04.12) xenial-security; urgency=medium

  * SECURITY REGRESSION: fpm patch for CVE-2015-9253
    caused a regression OOM
    - removing CVE-2015-9253.patch.

 -- <email address hidden> (Leonidas S. Barbosa)  Wed, 19 Feb 2020 10:47:31 -0300
Superseded in xenial-updates
Superseded in xenial-security
php7.0 (7.0.33-0ubuntu0.16.04.11) xenial-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2015-9253.patch: directly listen
      on socket, instead of duping it to STDIN in
      sapi/fpm/fpm/fpm_children.c, sapi/fpm/fpm_stdio.c,
      and added tests to sapi/fpm/tests/bug73342-nonblocking-stdio.phpt.
    - CVE-2015-9253
  * SECURITY UPDATE: Out of bounds read
    - debian/patches/CVE-2020-7059.patch: fix OOB read in
      php_strip_tags_ex in ext/standard/string.c and added test
      ext/standard/tests/file/bug79099.phpt.
    - CVE-2020-7059
  * SECURITY UPDATE: Buffer-overflow
    - debian/patches/CVE-2020-7060.patch: fix adding a check function
      is_in_cp950_pua in ext/mbstring/libmbfl/filters/mbfilter_big5.c
      and added test ext/mbstring/tests/bug79037.phpt.
    - CVE-2020-7060

 -- <email address hidden> (Leonidas S. Barbosa)  Tue, 11 Feb 2020 12:42:36 -0300
Superseded in xenial-updates
Superseded in xenial-security
php7.0 (7.0.33-0ubuntu0.16.04.9) xenial-security; urgency=medium

  * SECURITY UPDATE: silently truncates
    a class after a null byte
    - debian/patches/CVE-2019-11045.patch:  not accept
      arbitrary strings in ext/spl/spl_directory.c,
      ext/spl/tests/bug78863.phpt.
    - CVE-2019-11045
  * SECURITY UPDATE: Buffer underflow
    - debian/patches/CVE-2019-11046.patch: not rely on `isdigit()`
      to detect digits in ext/bcmath/libbcmath/src/str2num.c,
      ext/bcmath/tests/bug78878.phpt.
    - CVE-2019-11046
  * SECURITY UPDATE: Heap-buffer-overflow
    - debian/patches/CVE-2019-11047.patch: fix in ext/exif/exif.c,
      ext/exif/tests/bug78910.phpt.
    - CVE-2019-11047
  * SECURITY UPDATE: Use-after-free
    - debian/patches/CVE-2019-11050.patch: fix in
      ext/exif/exif.c, ext/exif/tests/bug78793.phpt.
    - CVE-2019-11050
  * fixing test bug76557
    - debian/patches/0001-Fixing-test-76557.patch.

 -- <email address hidden> (Leonidas S. Barbosa)  Fri, 10 Jan 2020 14:09:31 -0300
Superseded in xenial-updates
Superseded in xenial-security
php7.0 (7.0.33-0ubuntu0.16.04.7) xenial-security; urgency=medium

  * SECURITY UPDATE: RCE via env_path_info underflow
    - debian/patches/CVE-2019-11043.patch: add check in
      sapi/fpm/fpm/fpm_main.c.
    - CVE-2019-11043

 -- Marc Deslauriers <email address hidden>  Thu, 24 Oct 2019 14:09:21 -0400
Superseded in xenial-updates
Superseded in xenial-security
php7.0 (7.0.33-0ubuntu0.16.04.6) xenial-security; urgency=medium

  * SECURITY UPDATE: Heap-buffer-overflow
    - debian/patches/CVE-2019-11041.patch: check Thumbnail.size in order
      to avoid an overflow in ext/exif/exif.c and adding test to
      ext/exif/tests/bug78222.phpt.
    - CVE-2019-11041
  * SECURITY UPDATE: Heap-buffer-overflow
    - debian/patches/CVE-2019-11042.patch: check ByteCount in order to
      avoid an overflow in ext/exif/exif.c and adding tests to
      ext/exif/tests/bug78256.phpt.
    - CVE-2019-11042

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 12 Aug 2019 15:07:12 -0300
Superseded in xenial-updates
Superseded in xenial-security
php7.0 (7.0.33-0ubuntu0.16.04.5) xenial-security; urgency=medium

  * SECURITY UPDATE: overflow in exif_process_IFD_TAG
    - debian/patches/CVE-2019-11036.patch: check dir_entry in
      ext/exif/exif.c.
    - CVE-2019-11036
  * SECURITY UPDATE: out-of-bounds read in _php_iconv_mime_decode()
    - debian/patches/CVE-2019-11039.patch: add an extra check in
      ext/iconv/iconv.c.
    - CVE-2019-11039
  * SECURITY UPDATE: heap-buffer-overflow on php_jpg_get16
    - debian/patches/CVE-2019-11040.patch: add an extra check in
      ext/exif/exif.c.
    - CVE-2019-11040

 -- Marc Deslauriers <email address hidden>  Tue, 04 Jun 2019 13:13:15 -0400
Superseded in xenial-updates
Superseded in xenial-security
php7.0 (7.0.33-0ubuntu0.16.04.4) xenial-security; urgency=medium

  * SECURITY UPDATE: Heap-buffer-overflow in php_ifd_get32s
    - debian/patches/CVE-2019-11034.patch: check size in ext/exif/exif.c.
    - CVE-2019-11034
  * SECURITY UPDATE: Heap-buffer-overflow in exif_iif_add_value in EXIF
    - debian/patches/CVE-2019-11035-1.patch: add checks to ext/exif/exif.c.
    - debian/patches/CVE-2019-11035-2.patch: add casts to ext/exif/exif.c.
    - debian/patches/CVE-2019-11035-3.patch: fix typo in ext/exif/exif.c.
    - CVE-2019-11035

 -- Marc Deslauriers <email address hidden>  Thu, 18 Apr 2019 11:25:19 -0400
Superseded in xenial-updates
Superseded in xenial-security
php7.0 (7.0.33-0ubuntu0.16.04.3) xenial-security; urgency=medium

  * SECURITY UPDATE: Unauthorized users access
    - debian/patches/CVE-2019-9637.patch: fix in
      main/streams/plain_wrapper.c.
    - CVE-2019-9637
  * SECURITY UPDATE: Invalid read in exif_process_IFD_MAKERNOTE
    - debian/patches/CVE-2019-9638-and-CVE-2019-9639-*.patch: fix in
      ext/exif/exif.c, added tests in ext/exif/tests/bug77563.jpg,
      ext/exif/tests/bug77563.phpt.
    - CVE-2019-9638
    - CVE-2019-9639
  * SECURITY UPDATE: Invalid read
    - debian/patches/CVE-2019-9640.patch: fix in
      ext/exif/exif.c, added tests in ext/exif/tests/bug77540.jpg,
      ext/exif/tests/bug77540.phpt.
    - CVE-2019-9640
  * SECURITY UPDATE: Uninitialized read
    - debian/patches/CVE-2019-9641.patch: fix in ext/exif/exif.c.
    - CVE-2019-9641
  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2019-9675.patch: fix in
      ext/phar/tar.c, added tests in ext/phar/tests/bug71488.phpt,
      ext/phar/tests/bug77586.phpt, ext/phar/tests/bug77586/files/*.

 -- <email address hidden> (Leonidas S. Barbosa)  Thu, 21 Mar 2019 09:49:35 -0300
Superseded in xenial-updates
Superseded in xenial-security
php7.0 (7.0.33-0ubuntu0.16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: invalid memory access in xmlrpc_decode()
    - debian/patches/CVE-2019-9020.patch: check length in
      ext/xmlrpc/libxmlrpc/xml_element.c, added test to
      ext/xmlrpc/tests/bug77242.phpt.
    - CVE-2019-9020
  * SECURITY UPDATE: buffer over-read in PHAR extension
    - debian/patches/CVE-2019-9021.patch: properly calculate position in
      ext/phar/phar.c, added test to ext/phar/tests/bug77247.phpt.
    - CVE-2019-9021
  * SECURITY UPDATE: buffer over-read in dns_get_record
    - debian/patches/CVE-2019-9022-pre.patch: fix DNS_CAA record results
      handling in ext/standard/dns.c,
      ext/standard/tests/network/dns_get_record_caa.phpt.
    - debian/patches/CVE-2019-9022.patch: check length in
      ext/standard/dns.c.
    - CVE-2019-9022
  * SECURITY UPDATE: buffer over-reads in mbstring regex functions
    - debian/patches/CVE-2019-9023-1.patch: don't read past buffer in
      ext/mbstring/oniguruma/regparse.c, added test to
      ext/mbstring/tests/bug77370.phpt.
    - debian/patches/CVE-2019-9023-2.patch: check bounds in
      ext/mbstring/oniguruma/regcomp.c, added test to
      ext/mbstring/tests/bug77371.phpt.
    - debian/patches/CVE-2019-9023-3.patch: add length checks to
      ext/mbstring/oniguruma/enc/unicode.c,
      ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regparse.c,
      ext/mbstring/oniguruma/regparse.h, added test to
      ext/mbstring/tests/bug77371.phpt, ext/mbstring/tests/bug77381.phpt.
    - debian/patches/CVE-2019-9023-4.patch: add new bounds checks to
      ext/mbstring/oniguruma/enc/utf16_be.c,
      ext/mbstring/oniguruma/enc/utf16_le.c,
      ext/mbstring/oniguruma/enc/utf32_be.c,
      ext/mbstring/oniguruma/enc/utf32_le.c, added test to
      ext/mbstring/tests/bug77418.phpt.
    - CVE-2019-9023
  * SECURITY UPDATE: buffer over-read in xmlrpc_decode()
    - debian/patches/CVE-2019-9024.patch: fix variable size in
      ext/xmlrpc/libxmlrpc/base64.c, added test to
      ext/xmlrpc/tests/bug77380.phpt.
    - CVE-2019-9024

 -- Marc Deslauriers <email address hidden>  Tue, 05 Mar 2019 07:43:31 -0500
Superseded in xenial-updates
Superseded in xenial-security
php7.0 (7.0.33-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Update to 7.0.33 to fix security issues
    - CVE-2018-19518
    - CVE-2018-19935

 -- Mike Salvatore <email address hidden>  Thu, 07 Feb 2019 10:52:32 -0400
Superseded in xenial-updates
Superseded in xenial-security
php7.0 (7.0.32-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Update to 7.0.32 to fix security issues
    - CVE-2018-14851
    - CVE-2018-14883

 -- Marc Deslauriers <email address hidden>  Thu, 13 Sep 2018 09:53:39 -0400
Superseded in xenial-updates
Superseded in xenial-security
php7.0 (7.0.30-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Update to 7.0.30 to fix security issues
    - CVE-2018-10545, CVE-2018-10546, CVE-2018-10547, CVE-2018-10548,
      CVE-2018-10549

 -- Marc Deslauriers <email address hidden>  Wed, 09 May 2018 13:31:14 -0400
Superseded in xenial-updates
Superseded in xenial-security
php7.0 (7.0.28-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * New upstream release (7.0.28)
    - LP: #1744148
    - CVE-2018-5712
    - CVE-2018-7584

 -- Nishanth Aravamudan <email address hidden>  Wed, 14 Mar 2018 15:22:51 -0700
Superseded in xenial-updates
Deleted in xenial-proposed (Reason: moved to -updates)
php7.0 (7.0.25-0ubuntu0.16.04.1) xenial; urgency=medium

  * New upstream release (7.0.25)
    - LP: #1724896
    - LP: #1721607

 -- Nishanth Aravamudan <email address hidden>  Wed, 01 Nov 2017 10:18:38 -0700
Obsolete in zesty-proposed
php7.0 (7.0.25-0ubuntu0.17.04.1) zesty; urgency=medium

  * New upstream release (7.0.25)
    - LP: #1724896
    - LP: #1721607

 -- Nishanth Aravamudan <email address hidden>  Wed, 01 Nov 2017 10:05:44 -0700
Obsolete in zesty-updates
Obsolete in zesty-security
php7.0 (7.0.22-0ubuntu0.17.04.1) zesty-security; urgency=medium

  * New upstream release (7.0.22)
    - LP: #1709489
  * Drop:
    - d/p/0048-Merge-OpenSSL-1.1.0-support-from-PHP-7.1-branch.patch
      [ Fixed upstream in 7.0.19 ]

 -- Nishanth Aravamudan <email address hidden>  Tue, 08 Aug 2017 15:03:30 -0700
Superseded in xenial-updates
Superseded in xenial-security
php7.0 (7.0.22-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * New upstream release (7.0.22)
    - LP: #1709489

 -- Nishanth Aravamudan <email address hidden>  Tue, 08 Aug 2017 15:14:19 -0700
Superseded in xenial-updates
Deleted in xenial-proposed (Reason: moved to -updates)
php7.0 (7.0.18-0ubuntu0.16.04.1) xenial; urgency=medium

  * New upstream release 7.0.18
    - LP: #1686237
    - LP: #1674892
    - Refresh patches for new upstream release
  * Drop:
    - debian/patches/0053-Fix-pdo_pgsql.patch: Fixed #73959 - lastInsertId
      fails to throw an exception in pdsql.  Thanks to andrewnester
      <email address hidden>.  Closes LP #1658289.
      [ Fixed upstream in 7.0.16, prior changelog referred to wrong
        patchfile ]
    - SECURITY REGRESSION: large mysql requests broken (LP #1668017)
      + debian/patches/fix_74021.patch: fix fetch_array with more than
        MEDIUMBLOB in ext/mysqlnd/mysqlnd_wireprotocol.c, added tests to
        ext/mysqli/tests/bug73800.phpt, ext/mysqli/tests/bug74021.phpt.
      [ Fixed upstream in 7.0.17 ]
  * d/control{,.in}: Backport "libapache2-mod-phpX.Y now recommends
    apache2 package (as this is what most people want anyway)" from
    Debian 8.0.7-3 (LP: #1689646).

 -- Nishanth Aravamudan <email address hidden>  Wed, 10 May 2017 09:19:03 -0700
Superseded in zesty-updates
Deleted in zesty-proposed (Reason: moved to -updates)
php7.0 (7.0.18-0ubuntu0.17.04.1) zesty; urgency=medium

  * New upstream release 7.0.18
    - LP: #1686237
    - LP: #1674892
    - Refresh patches for new upstream release
  * Drop:
    - debian/patches/0050-Fix-pdo_pgsql.patch: Fixed #73959 - lastInsertId
      fails to throw an exception in pdsql.  Thanks to andrewnester
      <email address hidden>.  Closes LP #1658289.
      [ Fixed upstream in 7.0.16 ]
    - SECURITY REGRESSION: large mysql requests broken (LP #1668017)
      + debian/patches/fix_74021.patch: fix fetch_array with more than
        MEDIUMBLOB in ext/mysqlnd/mysqlnd_wireprotocol.c, added tests to
        ext/mysqli/tests/bug73800.phpt, ext/mysqli/tests/bug74021.phpt.
      [ Fixed upstream in 7.0.17 ]

 -- Nishanth Aravamudan <email address hidden>  Wed, 26 Apr 2017 16:59:48 -0700
Obsolete in yakkety-updates
Deleted in yakkety-proposed (Reason: moved to -updates)
php7.0 (7.0.18-0ubuntu0.16.10.1) yakkety; urgency=medium

  * New upstream release 7.0.18
    - LP: #1686237
    - LP: #1674892
    - Refresh patches for new upstream release
  * Drop:
    - debian/patches/0048-Fix-pdo_pgsql.patch: Fixed #73959 - lastInsertId
      fails to throw an exception in pdsql.  Thanks to andrewnester
      <email address hidden>.  Closes LP #1658289.
      [ Fixed upstream in 7.0.16 ]
    - SECURITY REGRESSION: large mysql requests broken (LP #1668017)
      + debian/patches/fix_74021.patch: fix fetch_array with more than
        MEDIUMBLOB in ext/mysqlnd/mysqlnd_wireprotocol.c, added tests to
        ext/mysqli/tests/bug73800.phpt, ext/mysqli/tests/bug74021.phpt.
      [ Fixed upstream in 7.0.17 ]

 -- Nishanth Aravamudan <email address hidden>  Wed, 26 Apr 2017 16:55:19 -0700
Deleted in artful-release (Reason: obsoleted by php7.1)
Deleted in artful-proposed (Reason: moved to release)
php7.0 (7.0.18-2ubuntu1) artful; urgency=medium

  * Merge with Debian unstable (LP: #1686235). Remaining changes:
    - Drop dh-php from Recommends to Suggests so it can be demoted to
      universe (LP #1590623).
      + dh-php has gained a dependency on xml2 which is in universe.
  * Drop:
    - debian/patches/0050-Fix-pdo_pgsql.patch: Fixed #73959 - lastInsertId
      fails to throw an exception in pdsql.  Thanks to andrewnester
      <email address hidden>.  Closes LP #1658289.
      [ Fixed upstream in 7.0.16 ]
    - debian/patches/fix_74021.patch: Fix fetch_array with more than
      MEDIUMBLOB.  Thanks to andrewnester <email address hidden>.
      Closes LP #1668017.
      [ Fixed upstream in 7.0.17 ]
    - Cherry-pick: 'Fix generating recommends for php extensions (Closes:
      #855467)' from 7.0.16-3 (LP #1663376).
      [ Fixed in Debian 7.0.16-3 ]

 -- Nishanth Aravamudan <email address hidden>  Wed, 26 Apr 2017 09:34:48 -0700


Superseded in artful-release
Obsolete in zesty-release
Deleted in zesty-proposed (Reason: moved to release)
php7.0 (7.0.15-1ubuntu4) zesty; urgency=medium

  * Cherry-pick: 'Fix generating recommends for php extensions (Closes:
    #855467)' from 7.0.16-3 (LP: #1663376).

 -- Nishanth Aravamudan <email address hidden>  Tue, 28 Feb 2017 13:33:59 -0800
Superseded in yakkety-updates
Obsolete in yakkety-security
php7.0 (7.0.15-0ubuntu0.16.10.4) yakkety-security; urgency=medium

  * SECURITY REGRESSION: large mysql requests broken (LP: #1668017)
    - debian/patches/fix_74021.patch: fix fetch_array with more than
      MEDIUMBLOB in ext/mysqlnd/mysqlnd_wireprotocol.c, added tests to
      ext/mysqli/tests/bug73800.phpt, ext/mysqli/tests/bug74021.phpt.

 -- Marc Deslauriers <email address hidden>  Wed, 01 Mar 2017 10:50:27 -0500
Superseded in xenial-updates
Superseded in xenial-security
php7.0 (7.0.15-0ubuntu0.16.04.4) xenial-security; urgency=medium

  * SECURITY REGRESSION: large mysql requests broken (LP: #1668017)
    - debian/patches/fix_74021.patch: fix fetch_array with more than
      MEDIUMBLOB in ext/mysqlnd/mysqlnd_wireprotocol.c, added tests to
      ext/mysqli/tests/bug73800.phpt, ext/mysqli/tests/bug74021.phpt.

 -- Marc Deslauriers <email address hidden>  Wed, 01 Mar 2017 10:55:45 -0500
Superseded in zesty-release
Deleted in zesty-proposed (Reason: moved to release)
php7.0 (7.0.15-1ubuntu3) zesty; urgency=medium

  * debian/patches/fix_74021.patch: Fix fetch_array with more than
    MEDIUMBLOB.  Thanks to andrewnester <email address hidden>.
    Closes LP: #1668017.

 -- Nishanth Aravamudan <email address hidden>  Tue, 28 Feb 2017 13:22:45 -0800
Deleted in yakkety-proposed (Reason: moved to -updates)
php7.0 (7.0.15-0ubuntu0.16.10.3) yakkety; urgency=medium

  * debian/patches/fix_74021.patch: Fix fetch_array with more than
    MEDIUMBLOB.  Thanks to andrewnester <email address hidden>.
    Closes LP: #1668017.

 -- Nishanth Aravamudan <email address hidden>  Tue, 28 Feb 2017 13:20:57 -0800
Deleted in xenial-proposed (Reason: moved to -updates)
php7.0 (7.0.15-0ubuntu0.16.04.3) xenial; urgency=medium

  * debian/patches/bug_74021.patch: Fix fetch_array with more than
    MEDIUMBLOB.  Thanks to andrewnester <email address hidden>.
    Closes LP: #1668017.

 -- Nishanth Aravamudan <email address hidden>  Mon, 27 Feb 2017 13:55:02 -0800
Superseded in xenial-updates
Superseded in xenial-security
php7.0 (7.0.15-0ubuntu0.16.04.2) xenial-security; urgency=medium

  * No change rebuild in the -security pocket.

 -- Marc Deslauriers <email address hidden>  Thu, 23 Feb 2017 08:42:45 -0500
Superseded in yakkety-updates
Superseded in yakkety-security
php7.0 (7.0.15-0ubuntu0.16.10.2) yakkety-security; urgency=medium

  * No change rebuild in the -security pocket.

 -- Marc Deslauriers <email address hidden>  Thu, 23 Feb 2017 08:42:19 -0500
Superseded in yakkety-updates
Deleted in yakkety-proposed (Reason: moved to -updates)
php7.0 (7.0.15-0ubuntu0.16.10.1) yakkety; urgency=medium

  * New upstream release
    - LP: #1663405
    - Refresh patches for new upstream release.
  * debian/patches/0048-Fix-pdo_pgsql.patch: Fixed #73959 - lastInsertId
    fails to throw an exception in pdsql.  Thanks to andrewnester
    <email address hidden>.  Closes LP: #1658289.

 -- Nishanth Aravamudan <email address hidden>  Tue, 14 Feb 2017 14:44:43 -0800
Superseded in xenial-updates
Deleted in xenial-proposed (Reason: moved to -updates)
php7.0 (7.0.15-0ubuntu0.16.04.1) xenial; urgency=medium

  * New upstream release
    - LP: #1663405
    - Refresh patches for new upstream release.
  * debian/patches/0050-Fix-pdo_pgsql.patch: Fixed #73959 - lastInsertId
    fails to throw an exception in pdsql.  Thanks to andrewnester
    <email address hidden>.  Closes LP: #1658289.

 -- Nishanth Aravamudan <email address hidden>  Tue, 14 Feb 2017 14:53:34 -0800
Superseded in zesty-release
Deleted in zesty-proposed (Reason: moved to release)
php7.0 (7.0.15-1ubuntu2) zesty; urgency=medium

  * debian/patches/0050-Fix-pdo_pgsql.patch: Fixed #73959 - lastInsertId
    fails to throw an exception in pdsql.  Thanks to andrewnester
    <email address hidden>.  Closes LP: #1658289.

 -- Nishanth Aravamudan <email address hidden>  Tue, 14 Feb 2017 13:44:31 -0800
Superseded in zesty-release
Deleted in zesty-proposed (Reason: moved to release)
php7.0 (7.0.15-1ubuntu1) zesty; urgency=medium

  * Merge with Debian unstable (LP: #1663081). Remaining changes:
    - Drop dh-php from Recommends to Suggests so it can be demoted to
      universe (LP #1590623).
      + dh-php has gained a dependency on xml2 which is in universe.

 -- Nishanth Aravamudan <email address hidden>  Wed, 08 Feb 2017 17:06:48 -0800


Superseded in zesty-release
Deleted in zesty-proposed (Reason: moved to release)
php7.0 (7.0.14-2ubuntu1) zesty; urgency=medium

  * Merge with Debian unstable (LP: #1656083). Remaining changes:
    - Drop dh-php from Recommends to Suggests so it can be demoted to
      universe (LP #1590623).
      + dh-php has gained a dependency on xml2 which is in universe.

 -- Nishanth Aravamudan <email address hidden>  Thu, 12 Jan 2017 12:01:22 -0800
Superseded in xenial-updates
Deleted in xenial-proposed (Reason: moved to -updates)
php7.0 (7.0.13-0ubuntu0.16.04.1) xenial; urgency=medium

  * New upstream release
    - LP: #1645431
    - Refresh patches for new upstream release.
  * Drop:
    - SECURITY UPDATE: proxy request header vulnerability (httpoxy)
      + debian/patches/CVE-2016-5385.patch: only use HTTP_PROXY from the
        local environment in ext/standard/basic_functions.c, main/SAPI.c,
        main/php_variables.c.
      + CVE-2016-5385
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: inadequate error handling in bzread()
      + debian/patches/CVE-2016-5399.patch: do not allow reading past error
        read in ext/bz2/bz2.c.
      + CVE-2016-5399
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: integer overflow in the virtual_file_ex function
      + debian/patches/CVE-2016-6289.patch: properly check path_length in
        Zend/zend_virtual_cwd.c.
      + CVE-2016-6289
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: use after free in unserialize() with unexpected
      session deserialization
      + debian/patches/CVE-2016-6290.patch: destroy var_hash properly in
        ext/session/session.c, added test to ext/session/tests/bug72562.phpt.
      + CVE-2016-6290
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: out of bounds read in exif_process_IFD_in_MAKERNOTE
      + debian/patches/CVE-2016-6291.patch: add more bounds checks to
        ext/exif/exif.c.
      + CVE-2016-6291
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: NULL pointer dereference in exif_process_user_comment
      + debian/patches/CVE-2016-6292.patch: properly handle encoding in
        ext/exif/exif.c.
      + CVE-2016-6292
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: locale_accept_from_http out-of-bounds access
      + debian/patches/CVE-2016-6294.patch: check length in
        ext/intl/locale/locale_methods.c, added test to
        ext/intl/tests/bug72533.phpt.
      + CVE-2016-6294
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: use after free vulnerability in SNMP with GC and
      unserialize()
      + debian/patches/CVE-2016-6295.patch: add new handler to
        ext/snmp/snmp.c, add test to ext/snmp/tests/bug72479.phpt.
      + CVE-2016-6295
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: heap buffer overflow in simplestring_addn
      + debian/patches/CVE-2016-6296.patch: prevent overflows in
        ext/xmlrpc/libxmlrpc/simplestring.*.
      + CVE-2016-6296
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: integer overflow in php_stream_zip_opener
      + debian/patches/CVE-2016-6297.patch: use size_t in
        ext/zip/zip_stream.c.
      + CVE-2016-6297
      [ Fixed in 7.0.9 ]
    - debian/patches/fix_exif_tests.patch: fix exif test results after
      security changes.
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: denial of service or code execution via crafted
      serialized data
      + debian/patches/CVE-2016-7124.patch: fix unserializing logic in
        ext/session/session.c, ext/standard/var_unserializer.c*,
        ext/wddx/wddx.c, added tests to
        ext/standard/tests/serialize/bug72663.phpt,
        ext/standard/tests/serialize/bug72663_2.phpt,
        ext/standard/tests/serialize/bug72663_3.phpt.
      + CVE-2016-7124
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: arbitrary-type session data injection
      + debian/patches/CVE-2016-7125.patch: consume data even if not storing
        in ext/session/session.c, added test to
        ext/session/tests/bug72681.phpt.
      + CVE-2016-7125
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution in
      imagegammacorrect function
      + debian/patches/CVE-2016-7127.patch: check gamma values in
        ext/gd/gd.c, added test to ext/gd/tests/bug72730.phpt.
      + CVE-2016-7127
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: information disclosure via exif_process_IFD_in_TIFF
      + debian/patches/CVE-2016-7128.patch: properly handle thumbnails in
        ext/exif/exif.c.
      + CVE-2016-7128
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      invalid ISO 8601 time value
      + debian/patches/CVE-2016-7129.patch: properly handle strings in
        ext/wddx/wddx.c, added test to ext/wddx/tests/bug72749.phpt.
      + CVE-2016-7129
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      invalid base64 binary value
      + debian/patches/CVE-2016-7130.patch: properly handle string in
        ext/wddx/wddx.c, added test to ext/wddx/tests/bug72750.phpt.
      + CVE-2016-7130
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      malformed wddxPacket XML document
      + debian/patches/CVE-2016-7131.patch: added checks to ext/wddx/wddx.c,
        added tests to ext/wddx/tests/bug72790.phpt,
        ext/wddx/tests/bug72799.phpt.
      + CVE-2016-7131
      + CVE-2016-7132
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      long pathname
      + debian/patches/CVE-2016-7133.patch: fix memory allocator in
        Zend/zend_alloc.c.
      + CVE-2016-7133
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      long string and curl_escape call
      + debian/patches/CVE-2016-7134.patch: check both curl_escape and
        curl_unescape in ext/curl/interface.c.
      + CVE-2016-7134
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      crafted field metadata in MySQL driver
      + debian/patches/CVE-2016-7412.patch: validate field length in
        ext/mysqlnd/mysqlnd_wireprotocol.c.
      + CVE-2016-7412
      [ Fixed in 7.0.11 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      malformed wddxPacket XML document
      + debian/patches/CVE-2016-7413.patch: fixed use-after-free in
        ext/wddx/wddx.c, added test to ext/wddx/tests/bug72860.phpt.
      + CVE-2016-7413
      [ Fixed in 7.0.11 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      crafted PHAR archive
      + debian/patches/CVE-2016-7414.patch: validate signatures in
        ext/phar/util.c, ext/phar/zip.c.
      + CVE-2016-7414
      [ Fixed in 7.0.11 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      MessageFormatter::formatMessage call with a long first argument
      + debian/patches/CVE-2016-7416.patch: added locale length check to
        ext/intl/msgformat/msgformat_format.c.
      + CVE-2016-7416
      [ Fixed in 7.0.11 ]
    - SECURITY UPDATE: denial of service or code execution via crafted
      serialized data
      + debian/patches/CVE-2016-7417.patch: added type check to
        ext/spl/spl_array.c, added test to ext/spl/tests/bug73029.phpt, fix
        test in ext/spl/tests/bug70068.phpt.
      + CVE-2016-7417
      [ Fixed in 7.0.11 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      malformed wddxPacket XML document
      + debian/patches/CVE-2016-7418.patch: fix out-of-bounds read in
        ext/wddx/wddx.c, added test to ext/wddx/tests/bug73065.phpt.
      + CVE-2016-7418
      [ Fixed in 7.0.11 ]

 -- Nishanth Aravamudan <email address hidden>  Mon, 28 Nov 2016 12:24:57 -0800
Superseded in yakkety-updates
Deleted in yakkety-proposed (Reason: moved to -updates)
php7.0 (7.0.13-0ubuntu0.16.10.1) yakkety; urgency=medium

  * New upstream release
    - LP: #1645431
    - Refresh patches for new upstream release.
  * Drop:
    - SECURITY UPDATE: proxy request header vulnerability (httpoxy)
      + debian/patches/CVE-2016-5385.patch: only use HTTP_PROXY from the
        local environment in ext/standard/basic_functions.c, main/SAPI.c,
        main/php_variables.c.
      + CVE-2016-5385
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: inadequate error handling in bzread()
      + debian/patches/CVE-2016-5399.patch: do not allow reading past error
        read in ext/bz2/bz2.c.
      + CVE-2016-5399
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: integer overflow in the virtual_file_ex function
      + debian/patches/CVE-2016-6289.patch: properly check path_length in
        Zend/zend_virtual_cwd.c.
      + CVE-2016-6289
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: use after free in unserialize() with unexpected
      session deserialization
      + debian/patches/CVE-2016-6290.patch: destroy var_hash properly in
        ext/session/session.c, added test to ext/session/tests/bug72562.phpt.
      + CVE-2016-6290
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: out of bounds read in exif_process_IFD_in_MAKERNOTE
      + debian/patches/CVE-2016-6291.patch: add more bounds checks to
        ext/exif/exif.c.
      + CVE-2016-6291
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: NULL pointer dereference in exif_process_user_comment
      + debian/patches/CVE-2016-6292.patch: properly handle encoding in
        ext/exif/exif.c.
      + CVE-2016-6292
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: locale_accept_from_http out-of-bounds access
      + debian/patches/CVE-2016-6294.patch: check length in
        ext/intl/locale/locale_methods.c, added test to
        ext/intl/tests/bug72533.phpt.
      + CVE-2016-6294
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: use after free vulnerability in SNMP with GC and
      unserialize()
      + debian/patches/CVE-2016-6295.patch: add new handler to
        ext/snmp/snmp.c, add test to ext/snmp/tests/bug72479.phpt.
      + CVE-2016-6295
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: heap buffer overflow in simplestring_addn
      + debian/patches/CVE-2016-6296.patch: prevent overflows in
        ext/xmlrpc/libxmlrpc/simplestring.*.
      + CVE-2016-6296
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: integer overflow in php_stream_zip_opener
      + debian/patches/CVE-2016-6297.patch: use size_t in
        ext/zip/zip_stream.c.
      + CVE-2016-6297
      [ Fixed in 7.0.9 ]
    - debian/patches/fix_exif_tests.patch: fix exif test results after
      security changes.
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: denial of service or code execution via crafted
      serialized data
      + debian/patches/CVE-2016-7124.patch: fix unserializing logic in
        ext/session/session.c, ext/standard/var_unserializer.c*,
        ext/wddx/wddx.c, added tests to
        ext/standard/tests/serialize/bug72663.phpt,
        ext/standard/tests/serialize/bug72663_2.phpt,
        ext/standard/tests/serialize/bug72663_3.phpt.
      + CVE-2016-7124
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: arbitrary-type session data injection
      + debian/patches/CVE-2016-7125.patch: consume data even if not storing
        in ext/session/session.c, added test to
        ext/session/tests/bug72681.phpt.
      + CVE-2016-7125
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution in
      imagegammacorrect function
      + debian/patches/CVE-2016-7127.patch: check gamma values in
        ext/gd/gd.c, added test to ext/gd/tests/bug72730.phpt.
      + CVE-2016-7127
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: information disclosure via exif_process_IFD_in_TIFF
      + debian/patches/CVE-2016-7128.patch: properly handle thumbnails in
        ext/exif/exif.c.
      + CVE-2016-7128
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      invalid ISO 8601 time value
      + debian/patches/CVE-2016-7129.patch: properly handle strings in
        ext/wddx/wddx.c, added test to ext/wddx/tests/bug72749.phpt.
      + CVE-2016-7129
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      invalid base64 binary value
      + debian/patches/CVE-2016-7130.patch: properly handle string in
        ext/wddx/wddx.c, added test to ext/wddx/tests/bug72750.phpt.
      + CVE-2016-7130
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      malformed wddxPacket XML document
      + debian/patches/CVE-2016-7131.patch: added checks to ext/wddx/wddx.c,
        added tests to ext/wddx/tests/bug72790.phpt,
        ext/wddx/tests/bug72799.phpt.
      + CVE-2016-7131
      + CVE-2016-7132
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      long pathname
      + debian/patches/CVE-2016-7133.patch: fix memory allocator in
        Zend/zend_alloc.c.
      + CVE-2016-7133
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      long string and curl_escape call
      + debian/patches/CVE-2016-7134.patch: check both curl_escape and
        curl_unescape in ext/curl/interface.c.
      + CVE-2016-7134
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      crafted field metadata in MySQL driver
      + debian/patches/CVE-2016-7412.patch: validate field length in
        ext/mysqlnd/mysqlnd_wireprotocol.c.
      + CVE-2016-7412
      [ Fixed in 7.0.11 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      malformed wddxPacket XML document
      + debian/patches/CVE-2016-7413.patch: fixed use-after-free in
        ext/wddx/wddx.c, added test to ext/wddx/tests/bug72860.phpt.
      + CVE-2016-7413
      [ Fixed in 7.0.11 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      crafted PHAR archive
      + debian/patches/CVE-2016-7414.patch: validate signatures in
        ext/phar/util.c, ext/phar/zip.c.
      + CVE-2016-7414
      [ Fixed in 7.0.11 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      MessageFormatter::formatMessage call with a long first argument
      + debian/patches/CVE-2016-7416.patch: added locale length check to
        ext/intl/msgformat/msgformat_format.c.
      + CVE-2016-7416
      [ Fixed in 7.0.11 ]
    - SECURITY UPDATE: denial of service or code execution via crafted
      serialized data
      + debian/patches/CVE-2016-7417.patch: added type check to
        ext/spl/spl_array.c, added test to ext/spl/tests/bug73029.phpt, fix
        test in ext/spl/tests/bug70068.phpt.
      + CVE-2016-7417
      [ Fixed in 7.0.11 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      malformed wddxPacket XML document
      + debian/patches/CVE-2016-7418.patch: fix out-of-bounds read in
        ext/wddx/wddx.c, added test to ext/wddx/tests/bug73065.phpt.
      + CVE-2016-7418
      [ Fixed in 7.0.11 ]

 -- Nishanth Aravamudan <email address hidden>  Mon, 28 Nov 2016 12:14:42 -0800
Superseded in zesty-release
Deleted in zesty-proposed (Reason: moved to release)
php7.0 (7.0.13-2ubuntu1) zesty; urgency=medium

  * Merge with Debian unstable (LP: #1645452). Remaining changes:
    - Drop dh-php from Recommends to Suggests so it can be demoted to
      universe (LP: #1590623).
      + dh-php has gained a dependency on xml2 which is in universe.

 -- Nishanth Aravamudan <email address hidden>  Mon, 28 Nov 2016 11:42:27 -0800

Superseded in zesty-release
Deleted in zesty-proposed (Reason: moved to release)
php7.0 (7.0.12-2ubuntu2) zesty; urgency=medium

  * Drop d/p/* patch-files as per 7.0.12-2ubuntu1.

 -- Nishanth Aravamudan <email address hidden>  Tue, 15 Nov 2016 09:30:40 -0800
Superseded in zesty-release
Deleted in zesty-proposed (Reason: moved to release)
php7.0 (7.0.12-2ubuntu1) zesty; urgency=medium

  * Merge with Debian unstable (LP: #1641211). Remaining changes:
    - Drop dh-php from Recommends to Suggests so it can be demoted to
      universe (LP: #1590623).
      + dh-php has gained a dependency on xml2 which is in universe.
  * Drop:
    - SECURITY UPDATE: proxy request header vulnerability (httpoxy)
      + debian/patches/CVE-2016-5385.patch: only use HTTP_PROXY from the
        local environment in ext/standard/basic_functions.c, main/SAPI.c,
        main/php_variables.c.
      + CVE-2016-5385
      [ Fixed upstream in 7.0.9 ]
    - SECURITY UPDATE: inadequate error handling in bzread()
      + debian/patches/CVE-2016-5399.patch: do not allow reading past error
        read in ext/bz2/bz2.c.
      + CVE-2016-5399
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: integer overflow in the virtual_file_ex function
      + debian/patches/CVE-2016-6289.patch: properly check path_length in
        Zend/zend_virtual_cwd.c.
      + CVE-2016-6289
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: use after free in unserialize() with unexpected
      session deserialization
      + debian/patches/CVE-2016-6290.patch: destroy var_hash properly in
        ext/session/session.c, added test to ext/session/tests/bug72562.phpt.
      + CVE-2016-6290
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: out of bounds read in exif_process_IFD_in_MAKERNOTE
      + debian/patches/CVE-2016-6291.patch: add more bounds checks to
        ext/exif/exif.c.
      + CVE-2016-6291
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: NULL pointer dereference in exif_process_user_comment
      + debian/patches/CVE-2016-6292.patch: properly handle encoding in
        ext/exif/exif.c.
      + CVE-2016-6292
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: locale_accept_from_http out-of-bounds access
      + debian/patches/CVE-2016-6294.patch: check length in
        ext/intl/locale/locale_methods.c, added test to
        ext/intl/tests/bug72533.phpt.
      + CVE-2016-6294
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: use after free vulnerability in SNMP with GC and
      unserialize()
      + debian/patches/CVE-2016-6295.patch: add new handler to
        ext/snmp/snmp.c, add test to ext/snmp/tests/bug72479.phpt.
      + CVE-2016-6295
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: heap buffer overflow in simplestring_addn
      + debian/patches/CVE-2016-6296.patch: prevent overflows in
        ext/xmlrpc/libxmlrpc/simplestring.*.
      + CVE-2016-6296
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: integer overflow in php_stream_zip_opener
      + debian/patches/CVE-2016-6297.patch: use size_t in
        ext/zip/zip_stream.c.
      + CVE-2016-6297
      [ Fixed upstream in 7.0.10 ]
    - debian/patches/fix_exif_tests.patch: fix exif test results after
      security changes.
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: denial of service or code execution via crafted
      serialized data
      + debian/patches/CVE-2016-7124.patch: fix unserializing logic in
        ext/session/session.c, ext/standard/var_unserializer.c*,
        ext/wddx/wddx.c, added tests to
        ext/standard/tests/serialize/bug72663.phpt,
        ext/standard/tests/serialize/bug72663_2.phpt,
        ext/standard/tests/serialize/bug72663_3.phpt.
      + CVE-2016-7124
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: arbitrary-type session data injection
      + debian/patches/CVE-2016-7125.patch: consume data even if not storing
        in ext/session/session.c, added test to
        ext/session/tests/bug72681.phpt.
      + CVE-2016-7125
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution in
      imagegammacorrect function
      + debian/patches/CVE-2016-7127.patch: check gamma values in
        ext/gd/gd.c, added test to ext/gd/tests/bug72730.phpt.
      + CVE-2016-7127
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: information disclosure via exif_process_IFD_in_TIFF
      + debian/patches/CVE-2016-7128.patch: properly handle thumbnails in
        ext/exif/exif.c.
      + CVE-2016-7128
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      invalid ISO 8601 time value
      + debian/patches/CVE-2016-7129.patch: properly handle strings in
        ext/wddx/wddx.c, added test to ext/wddx/tests/bug72749.phpt.
      + CVE-2016-7129
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      invalid base64 binary value
      + debian/patches/CVE-2016-7130.patch: properly handle string in
        ext/wddx/wddx.c, added test to ext/wddx/tests/bug72750.phpt.
      + CVE-2016-7130
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      malformed wddxPacket XML document
      + debian/patches/CVE-2016-7131.patch: added checks to ext/wddx/wddx.c,
        added tests to ext/wddx/tests/bug72790.phpt,
        ext/wddx/tests/bug72799.phpt.
      + CVE-2016-7131
      + CVE-2016-7132
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      long pathname
      + debian/patches/CVE-2016-7133.patch: fix memory allocator in
        Zend/zend_alloc.c.
      + CVE-2016-7133
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      long string and curl_escape call
      + debian/patches/CVE-2016-7134.patch: check both curl_escape and
        curl_unescape in ext/curl/interface.c.
      + CVE-2016-7134
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      crafted field metadata in MySQL driver
      + debian/patches/CVE-2016-7412.patch: validate field length in
        ext/mysqlnd/mysqlnd_wireprotocol.c.
      + CVE-2016-7412
      [ Fixed upstream in 7.0.11 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      malformed wddxPacket XML document
      + debian/patches/CVE-2016-7413.patch: fixed use-after-free in
        ext/wddx/wddx.c, added test to ext/wddx/tests/bug72860.phpt.
      + CVE-2016-7413
      [ Fixed upstream in 7.0.11 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      crafted PHAR archive
      + debian/patches/CVE-2016-7414.patch: validate signatures in
        ext/phar/util.c, ext/phar/zip.c.
      + CVE-2016-7414
      [ Fixed upstream in 7.0.11 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      MessageFormatter::formatMessage call with a long first argument
      + debian/patches/CVE-2016-7416.patch: added locale length check to
        ext/intl/msgformat/msgformat_format.c.
      + CVE-2016-7416
      [ Fixed upstream in 7.0.11 ]
    - SECURITY UPDATE: denial of service or code execution via crafted
      serialized data
      + debian/patches/CVE-2016-7417.patch: added type check to
        ext/spl/spl_array.c, added test to ext/spl/tests/bug73029.phpt, fix
        test in ext/spl/tests/bug70068.phpt.
      + CVE-2016-7417
      [ Fixed upstream in 7.0.11 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      malformed wddxPacket XML document
      + debian/patches/CVE-2016-7418.patch: fix out-of-bounds read in
        ext/wddx/wddx.c, added test to ext/wddx/tests/bug73065.phpt.
      + CVE-2016-7418
      [ Fixed upstream in 7.0.11 ]

 -- Nishanth Aravamudan <email address hidden>  Mon, 14 Nov 2016 16:27:38 -0800
Superseded in zesty-release
Obsolete in yakkety-release
Deleted in yakkety-proposed (Reason: moved to release)
php7.0 (7.0.8-3ubuntu3) yakkety; urgency=medium

  * SECURITY UPDATE: denial of service or code execution via crafted
    serialized data
    - debian/patches/CVE-2016-7124.patch: fix unserializing logic in
      ext/session/session.c, ext/standard/var_unserializer.c*,
      ext/wddx/wddx.c, added tests to
      ext/standard/tests/serialize/bug72663.phpt,
      ext/standard/tests/serialize/bug72663_2.phpt,
      ext/standard/tests/serialize/bug72663_3.phpt.
    - CVE-2016-7124
  * SECURITY UPDATE: arbitrary-type session data injection
    - debian/patches/CVE-2016-7125.patch: consume data even if not storing
      in ext/session/session.c, added test to
      ext/session/tests/bug72681.phpt.
    - CVE-2016-7125
  * SECURITY UPDATE: denial of service and possible code execution in
    imagegammacorrect function
    - debian/patches/CVE-2016-7127.patch: check gamma values in
      ext/gd/gd.c, added test to ext/gd/tests/bug72730.phpt.
    - CVE-2016-7127
  * SECURITY UPDATE: information disclosure via exif_process_IFD_in_TIFF
    - debian/patches/CVE-2016-7128.patch: properly handle thumbnails in
      ext/exif/exif.c.
    - CVE-2016-7128
  * SECURITY UPDATE: denial of service and possible code execution via
    invalid ISO 8601 time value
    - debian/patches/CVE-2016-7129.patch: properly handle strings in
      ext/wddx/wddx.c, added test to ext/wddx/tests/bug72749.phpt.
    - CVE-2016-7129
  * SECURITY UPDATE: denial of service and possible code execution via
    invalid base64 binary value
    - debian/patches/CVE-2016-7130.patch: properly handle string in
      ext/wddx/wddx.c, added test to ext/wddx/tests/bug72750.phpt.
    - CVE-2016-7130
  * SECURITY UPDATE: denial of service and possible code execution via
    malformed wddxPacket XML document
    - debian/patches/CVE-2016-7131.patch: added checks to ext/wddx/wddx.c,
      added tests to ext/wddx/tests/bug72790.phpt,
      ext/wddx/tests/bug72799.phpt.
    - CVE-2016-7131
    - CVE-2016-7132
  * SECURITY UPDATE: denial of service and possible code execution via
    long pathname
    - debian/patches/CVE-2016-7133.patch: fix memory allocator in
      Zend/zend_alloc.c.
    - CVE-2016-7133
  * SECURITY UPDATE: denial of service and possible code execution via
    long string and curl_escape call
    - debian/patches/CVE-2016-7134.patch: check both curl_escape and
      curl_unescape in ext/curl/interface.c.
    - CVE-2016-7134
  * SECURITY UPDATE: denial of service and possible code execution via
    crafted field metadata in MySQL driver
    - debian/patches/CVE-2016-7412.patch: validate field length in
      ext/mysqlnd/mysqlnd_wireprotocol.c.
    - CVE-2016-7412
  * SECURITY UPDATE: denial of service and possible code execution via
    malformed wddxPacket XML document
    - debian/patches/CVE-2016-7413.patch: fixed use-after-free in
      ext/wddx/wddx.c, added test to ext/wddx/tests/bug72860.phpt.
    - CVE-2016-7413
  * SECURITY UPDATE: denial of service and possible code execution via
    crafted PHAR archive
    - debian/patches/CVE-2016-7414.patch: validate signatures in
      ext/phar/util.c, ext/phar/zip.c.
    - CVE-2016-7414
  * SECURITY UPDATE: denial of service and possible code execution via
    MessageFormatter::formatMessage call with a long first argument
    - debian/patches/CVE-2016-7416.patch: added locale length check to
      ext/intl/msgformat/msgformat_format.c.
    - CVE-2016-7416
  * SECURITY UPDATE: denial of service or code execution via crafted
    serialized data
    - debian/patches/CVE-2016-7417.patch: added type check to
      ext/spl/spl_array.c, added test to ext/spl/tests/bug73029.phpt, fix
      test in ext/spl/tests/bug70068.phpt.
    - CVE-2016-7417
  * SECURITY UPDATE: denial of service and possible code execution via
    malformed wddxPacket XML document
    - debian/patches/CVE-2016-7418.patch: fix out-of-bounds read in
      ext/wddx/wddx.c, added test to ext/wddx/tests/bug73065.phpt.
    - CVE-2016-7418

 -- Marc Deslauriers <email address hidden>  Mon, 03 Oct 2016 15:48:48 -0400

Superseded in xenial-updates
Superseded in xenial-security
php7.0 (7.0.8-0ubuntu0.16.04.3) xenial-security; urgency=medium

  * SECURITY UPDATE: denial of service or code execution via crafted
    serialized data
    - debian/patches/CVE-2016-7124.patch: fix unserializing logic in
      ext/session/session.c, ext/standard/var_unserializer.c*,
      ext/wddx/wddx.c, added tests to
      ext/standard/tests/serialize/bug72663.phpt,
      ext/standard/tests/serialize/bug72663_2.phpt,
      ext/standard/tests/serialize/bug72663_3.phpt.
    - CVE-2016-7124
  * SECURITY UPDATE: arbitrary-type session data injection
    - debian/patches/CVE-2016-7125.patch: consume data even if not storing
      in ext/session/session.c, added test to
      ext/session/tests/bug72681.phpt.
    - CVE-2016-7125
  * SECURITY UPDATE: denial of service and possible code execution in
    imagegammacorrect function
    - debian/patches/CVE-2016-7127.patch: check gamma values in
      ext/gd/gd.c, added test to ext/gd/tests/bug72730.phpt.
    - CVE-2016-7127
  * SECURITY UPDATE: information disclosure via exif_process_IFD_in_TIFF
    - debian/patches/CVE-2016-7128.patch: properly handle thumbnails in
      ext/exif/exif.c.
    - CVE-2016-7128
  * SECURITY UPDATE: denial of service and possible code execution via
    invalid ISO 8601 time value
    - debian/patches/CVE-2016-7129.patch: properly handle strings in
      ext/wddx/wddx.c, added test to ext/wddx/tests/bug72749.phpt.
    - CVE-2016-7129
  * SECURITY UPDATE: denial of service and possible code execution via
    invalid base64 binary value
    - debian/patches/CVE-2016-7130.patch: properly handle string in
      ext/wddx/wddx.c, added test to ext/wddx/tests/bug72750.phpt.
    - CVE-2016-7130
  * SECURITY UPDATE: denial of service and possible code execution via
    malformed wddxPacket XML document
    - debian/patches/CVE-2016-7131.patch: added checks to ext/wddx/wddx.c,
      added tests to ext/wddx/tests/bug72790.phpt,
      ext/wddx/tests/bug72799.phpt.
    - CVE-2016-7131
    - CVE-2016-7132
  * SECURITY UPDATE: denial of service and possible code execution via
    long pathname
    - debian/patches/CVE-2016-7133.patch: fix memory allocator in
      Zend/zend_alloc.c.
    - CVE-2016-7133
  * SECURITY UPDATE: denial of service and possible code execution via
    long string and curl_escape call
    - debian/patches/CVE-2016-7134.patch: check both curl_escape and
      curl_unescape in ext/curl/interface.c.
    - CVE-2016-7134
  * SECURITY UPDATE: denial of service and possible code execution via
    crafted field metadata in MySQL driver
    - debian/patches/CVE-2016-7412.patch: validate field length in
      ext/mysqlnd/mysqlnd_wireprotocol.c.
    - CVE-2016-7412
  * SECURITY UPDATE: denial of service and possible code execution via
    malformed wddxPacket XML document
    - debian/patches/CVE-2016-7413.patch: fixed use-after-free in
      ext/wddx/wddx.c, added test to ext/wddx/tests/bug72860.phpt.
    - CVE-2016-7413
  * SECURITY UPDATE: denial of service and possible code execution via
    crafted PHAR archive
    - debian/patches/CVE-2016-7414.patch: validate signatures in
      ext/phar/util.c, ext/phar/zip.c.
    - CVE-2016-7414
  * SECURITY UPDATE: denial of service and possible code execution via
    MessageFormatter::formatMessage call with a long first argument
    - debian/patches/CVE-2016-7416.patch: added locale length check to
      ext/intl/msgformat/msgformat_format.c.
    - CVE-2016-7416
  * SECURITY UPDATE: denial of service or code execution via crafted
    serialized data
    - debian/patches/CVE-2016-7417.patch: added type check to
      ext/spl/spl_array.c, added test to ext/spl/tests/bug73029.phpt, fix
      test in ext/spl/tests/bug70068.phpt.
    - CVE-2016-7417
  * SECURITY UPDATE: denial of service and possible code execution via
    malformed wddxPacket XML document
    - debian/patches/CVE-2016-7418.patch: fix out-of-bounds read in
      ext/wddx/wddx.c, added test to ext/wddx/tests/bug73065.phpt.
    - CVE-2016-7418

 -- Marc Deslauriers <email address hidden>  Mon, 03 Oct 2016 13:02:19 -0400
Superseded in yakkety-release
Deleted in yakkety-proposed (Reason: moved to release)
php7.0 (7.0.8-3ubuntu2) yakkety; urgency=medium

  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5385.patch: only use HTTP_PROXY from the
      local environment in ext/standard/basic_functions.c, main/SAPI.c,
      main/php_variables.c.
    - CVE-2016-5385
  * SECURITY UPDATE: inadequate error handling in bzread()
    - debian/patches/CVE-2016-5399.patch: do not allow reading past error
      read in ext/bz2/bz2.c.
    - CVE-2016-5399
  * SECURITY UPDATE: integer overflow in the virtual_file_ex function
    - debian/patches/CVE-2016-6289.patch: properly check path_length in
      Zend/zend_virtual_cwd.c.
    - CVE-2016-6289
  * SECURITY UPDATE: use after free in unserialize() with unexpected
    session deserialization
    - debian/patches/CVE-2016-6290.patch: destroy var_hash properly in
      ext/session/session.c, added test to ext/session/tests/bug72562.phpt.
    - CVE-2016-6290
  * SECURITY UPDATE: out of bounds read in exif_process_IFD_in_MAKERNOTE
    - debian/patches/CVE-2016-6291.patch: add more bounds checks to
      ext/exif/exif.c.
    - CVE-2016-6291
  * SECURITY UPDATE: NULL pointer dereference in exif_process_user_comment
    - debian/patches/CVE-2016-6292.patch: properly handle encoding in
      ext/exif/exif.c.
    - CVE-2016-6292
  * SECURITY UPDATE: locale_accept_from_http out-of-bounds access
    - debian/patches/CVE-2016-6294.patch: check length in
      ext/intl/locale/locale_methods.c, added test to
      ext/intl/tests/bug72533.phpt.
    - CVE-2016-6294
  * SECURITY UPDATE: use after free vulnerability in SNMP with GC and
    unserialize()
    - debian/patches/CVE-2016-6295.patch: add new handler to
      ext/snmp/snmp.c, add test to ext/snmp/tests/bug72479.phpt.
    - CVE-2016-6295
  * SECURITY UPDATE: heap buffer overflow in simplestring_addn
    - debian/patches/CVE-2016-6296.patch: prevent overflows in
      ext/xmlrpc/libxmlrpc/simplestring.*.
    - CVE-2016-6296
  * SECURITY UPDATE: integer overflow in php_stream_zip_opener
    - debian/patches/CVE-2016-6297.patch: use size_t in
      ext/zip/zip_stream.c.
    - CVE-2016-6297
  * debian/patches/fix_exif_tests.patch: fix exif test results after
    security changes.

 -- Marc Deslauriers <email address hidden>  Wed, 27 Jul 2016 08:14:20 -0400

Superseded in xenial-updates
Superseded in xenial-security
php7.0 (7.0.8-0ubuntu0.16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5385.patch: only use HTTP_PROXY from the
      local environment in ext/standard/basic_functions.c, main/SAPI.c,
      main/php_variables.c.
    - CVE-2016-5385
  * SECURITY UPDATE: inadequate error handling in bzread()
    - debian/patches/CVE-2016-5399.patch: do not allow reading past error
      read in ext/bz2/bz2.c.
    - CVE-2016-5399
  * SECURITY UPDATE: integer overflow in the virtual_file_ex function
    - debian/patches/CVE-2016-6289.patch: properly check path_length in
      Zend/zend_virtual_cwd.c.
    - CVE-2016-6289
  * SECURITY UPDATE: use after free in unserialize() with unexpected
    session deserialization
    - debian/patches/CVE-2016-6290.patch: destroy var_hash properly in
      ext/session/session.c, added test to ext/session/tests/bug72562.phpt.
    - CVE-2016-6290
  * SECURITY UPDATE: out of bounds read in exif_process_IFD_in_MAKERNOTE
    - debian/patches/CVE-2016-6291.patch: add more bounds checks to
      ext/exif/exif.c.
    - CVE-2016-6291
  * SECURITY UPDATE: NULL pointer dereference in exif_process_user_comment
    - debian/patches/CVE-2016-6292.patch: properly handle encoding in
      ext/exif/exif.c.
    - CVE-2016-6292
  * SECURITY UPDATE: locale_accept_from_http out-of-bounds access
    - debian/patches/CVE-2016-6294.patch: check length in
      ext/intl/locale/locale_methods.c, added test to
      ext/intl/tests/bug72533.phpt.
    - CVE-2016-6294
  * SECURITY UPDATE: use after free vulnerability in SNMP with GC and
    unserialize()
    - debian/patches/CVE-2016-6295.patch: add new handler to
      ext/snmp/snmp.c, add test to ext/snmp/tests/bug72479.phpt.
    - CVE-2016-6295
  * SECURITY UPDATE: heap buffer overflow in simplestring_addn
    - debian/patches/CVE-2016-6296.patch: prevent overflows in
      ext/xmlrpc/libxmlrpc/simplestring.*.
    - CVE-2016-6296
  * SECURITY UPDATE: integer overflow in php_stream_zip_opener
    - debian/patches/CVE-2016-6297.patch: use size_t in
      ext/zip/zip_stream.c.
    - CVE-2016-6297
  * debian/patches/fix_exif_tests.patch: fix exif test results after
    security changes.

 -- Marc Deslauriers <email address hidden>  Wed, 27 Jul 2016 11:22:49 -0400
Superseded in yakkety-release
Deleted in yakkety-proposed (Reason: moved to release)
php7.0 (7.0.8-3ubuntu1) yakkety; urgency=low

  * Merge with Debian unstable (LP: #1596735). Remaining changes:
    - Drop dh-php from Recommends to Suggests so it can be demoted to
      universe (LP: #1590623).
      + dh-php has gained a dependency on xml2 which is in universe.

Superseded in xenial-updates
Deleted in xenial-proposed (Reason: moved to -updates)
php7.0 (7.0.8-0ubuntu0.16.04.1) xenial; urgency=medium

  * New upstream release
    - Closes LP: #1596578
      + Fixed in upstream 7.0.6.
    - Drop the following patches:
      + 0035-Fixed-bug-63171-script-hangs-if-odbc-call-during-tim.patch
        [ Fixed in upstream 7.0.6 ]
      + 0046-Fix-ODBC-bug-for-varchars-returning-with-length-zero.patch
        [ Fixed in upstream 7.0.6 ]
      + 0047-make-opcache-lockfile-path-configurable.patch
        [ Fixed in upstream 7.0.6 ]
      + 0048-Fix-bug-71659.patch
        [ Fixed in upstream 7.0.5 ]
      + 0050-Fix-use-of-UNDEF-instead-of-NULL-in-read_dimension.patch
        [ Fixed in upstream 7.0.6 ]
      + 0051-backport-89a43425.patch
        [ Fixed in upstream 7.0.5 ]
      + 0052-backport-186844be.patch
        [ Fixed in upstream 7.0.5 ]
      + CVE-2015-8865-1.patch
        [ Fixed in upstream 7.0.5 ]
      + CVE-2015-8865-2.patch
        [ Fixed in upstream 7.0.5 ]
      + CVE-2016-3078.patch
        [ Fixed in upstream 7.0.6 ]
      + CVE-2016-3132.patch
        [ Fixed in upstream 7.0.6 ]
      + CVE-2016-4070.patch
        [ Fixed in upstream 7.0.5 ]
      + CVE-2016-4071.patch
        [ Fixed in upstream 7.0.5 ]
      + CVE-2016-4072.patch
        [ Fixed in upstream 7.0.5 ]
      + CVE-2016-4073.patch
        [ Fixed in upstream 7.0.5 ]
      + CVE-2016-4537.patch
        [ Fixed in upstream 7.0.7 ]
      + CVE-2016-4539.patch
        [ Fixed in upstream 7.0.7 ]
      + CVE-2016-4540.patch
        [ Fixed in upstream 7.0.7 ]
      + CVE-2016-4542.patch
        [ Fixed in upstream 7.0.7 ]
  * Backport from Debian 7.0.6-7: 'Remove php-gettext from phpX.Y-common
    provides as it clashes with existing package (Closes #823815)'
    (LP: #1569128).
  * Backport from Debian 7.0.6-8: 'Restore dba extension package'
    (LP: #1595215).
  * Regenerate d/control.

 -- Nishanth Aravamudan <email address hidden>  Mon, 20 Jun 2016 15:38:14 -0700
Superseded in yakkety-release
Deleted in yakkety-proposed (Reason: moved to release)
php7.0 (7.0.7-4ubuntu2) yakkety; urgency=medium

  * Actually drop dh-php from Recommends to Suggests by modifying
    d/control.in as well (LP: #1590623).

 -- Nishanth Aravamudan <email address hidden>  Thu, 09 Jun 2016 19:56:16 -0700

Superseded in yakkety-release
Deleted in yakkety-proposed (Reason: moved to release)
php7.0 (7.0.7-4ubuntu1) yakkety; urgency=medium

  * Drop dh-php from Recommends to Suggests so it can be demoted to
    universe (LP: #1590623).
    - dh-php has gained a dependency on xml2 which is in universe.

 -- Nishanth Aravamudan <email address hidden>  Wed, 08 Jun 2016 17:13:12 -0700
Superseded in yakkety-proposed
php7.0 (7.0.7-4) unstable; urgency=medium

  * Don't break apache2 configuration if setenvif_module is not enabled
    (Closes: #825933)
  * Add notice about apache2 notices when apache2 package is installed

 -- Ondřej Surý <email address hidden>  Fri, 03 Jun 2016 13:22:25 +0200

Superseded in yakkety-proposed
php7.0 (7.0.7-3) unstable; urgency=medium

  * The alternative base-files dependency to *systemd* deps is also
    required only on linux-any

 -- Ondřej Surý <email address hidden>  Fri, 27 May 2016 13:21:07 +0200
Superseded in xenial-updates
Superseded in xenial-security
php7.0 (7.0.4-7ubuntu2.1) xenial-security; urgency=medium

  * SECURITY UPDATE: buffer over-write in finfo_open with malformed magic
    file
    - debian/patches/CVE-2015-8665-1.patch: properly calculate length in
      ext/fileinfo/libmagic/funcs.c, added test to
      ext/fileinfo/tests/bug71527.*.
    - debian/patches/CVE-2015-8665-2.patch: fix test in
      ext/fileinfo/tests/bug68996.phpt.
    - CVE-2015-8665
  * SECURITY UPDATE: integer overflow in ZipArchive::getFrom*
    - debian/patches/CVE-2016-3078.patch: use zend_string_safe_alloc in
      ext/zip/php_zip.c.
    - CVE-2016-3078
  * SECURITY UPDATE: double-free via SplDoublyLinkedList::offsetSet and
    invalid index
    - debian/patches/CVE-2016-3132.patch: remove extra free in
      ext/spl/spl_dllist.c, added test to ext/spl/tests/bug71735.phpt.
    - CVE-2016-3132
  * SECURITY UPDATE: integer overflow in php_raw_url_encode
    - debian/patches/CVE-2016-4070.patch: use size_t in ext/standard/url.c.
    - CVE-2016-4070
  * SECURITY UPDATE: php_snmp_error() format string vulnerability
    - debian/patches/CVE-2016-4071.patch: use format string in
      ext/snmp/snmp.c.
    - CVE-2016-4071
  * SECURITY UPDATE: invalid memory write in phar on filename containing
    NULL
    - debian/patches/CVE-2016-4072.patch: require valid paths in
      ext/phar/phar.c, ext/phar/phar_object.c, fix tests in
      ext/phar/tests/badparameters.phpt,
      ext/phar/tests/bug64931/bug64931.phpt,
      ext/phar/tests/create_path_error.phpt,
      ext/phar/tests/phar_extract.phpt,
      ext/phar/tests/phar_isvalidpharfilename.phpt,
      ext/phar/tests/phar_unlinkarchive.phpt,
      ext/phar/tests/pharfileinfo_construct.phpt.
    - CVE-2016-4072
  * SECURITY UPDATE: invalid negative size in mbfl_strcut
    - debian/patches/CVE-2016-4073.patch: fix length checks in
      ext/mbstring/libmbfl/mbfl/mbfilter.c.
    - CVE-2016-4073
  * SECURITY UPDATE: bcpowmod accepts negative scale and corrupts _one_
    definition
    - debian/patches/CVE-2016-4537.patch: properly detect scale in
      ext/bcmath/bcmath.c, add test to ext/bcmath/tests/bug72093.phpt.
    - CVE-2016-4537
    - CVE-2016-4538
  * SECURITY UPDATE: xml_parse_into_struct segmentation fault
    - debian/patches/CVE-2016-4539.patch: check parser->level in
      ext/xml/xml.c, added test to ext/xml/tests/bug72099.phpt.
    - CVE-2016-4539
  * SECURITY UPDATE: out-of-bounds reads in zif_grapheme_stripos and
    zif_grapheme_strpos with negative offset
    - debian/patches/CVE-2016-4540.patch: check bounds in
      ext/intl/grapheme/grapheme_string.c, added test to
      ext/intl/tests/bug72061.phpt.
    - CVE-2016-4540
    - CVE-2016-4541
  * SECURITY UPDATE: out of bounds heap read access in exif header
    processing
    - debian/patches/CVE-2016-4542.patch: check sizes and length in
      ext/exif/exif.c.
    - CVE-2016-4542
    - CVE-2016-4543
    - CVE-2016-4544
  * Re-enable test suite
    - debian/rules, debian/setup-mysql.sh: updated for new MySQL version
      and new layout.

 -- Marc Deslauriers <email address hidden>  Thu, 19 May 2016 11:04:26 -0400
Superseded in yakkety-release
Deleted in yakkety-proposed (Reason: moved to release)
php7.0 (7.0.4-7ubuntu4) yakkety; urgency=medium

  * debian/patches/0053-backport-68ebfc87.patch: Fix bug #71624,
    PHP_MODE_PROCESS_STDIN (CLI SAPI called with '-R') did not properly
    set $argi and $argn.  Closes LP: #1572465.

 -- Nishanth Aravamudan <email address hidden>  Wed, 20 Apr 2016 19:05:43 -0700
Superseded in yakkety-proposed
php7.0 (7.0.4-7ubuntu3) yakkety; urgency=medium

  * No-change rebuild for libicu soname change.

 -- Matthias Klose <email address hidden>  Fri, 22 Apr 2016 22:59:16 +0000

Superseded in yakkety-release
Published in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
php7.0 (7.0.4-7ubuntu2) xenial; urgency=medium

  * debian/patches/0052-backport-186844be.patch: Fix bug #71695: Global
    variables are reserved before execution.  Closes LP: #1569509.

 -- Nishanth Aravamudan <email address hidden>  Wed, 13 Apr 2016 12:45:21 -0700

Superseded in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
php7.0 (7.0.4-7ubuntu1) xenial; urgency=medium

  * Merge with Debian unstable (LP: #1567158). Remaining changes:
    - debian/patches/0051-backport-89a43425.patch: Fix incompatible
      pointers on 64-bit.  Closes LP #1558201.
  * Drop:
    - Add support for independent source packages php7.0 and
      php7.0-universe-source (LP #1555843):
    - d/control{,.in}: drop Build-Depends on firebird-dev, libc-client-dev,
      libmcrypt-dev, libonig-dev, libqdbm-dev and libzip-dev.
    - d/control: drop binary packages php7.0-imap, php7.0-interbase,
      php7.0-mcrypt and php7.0-zip and their reverse dependencies.
    - d/control{,.in}: add Build-Depends on dctrl-tools.
    - d/rules.d/ext-interbase.mk: add pdo config to interbase's
      config, as php7.0-universe-common will not use ext-common.mk.
    - d/control{,.in}: switch Build-Depends of netcat-traditional to
      netcat-openbsd as only the latter is in main.
    - d/rules: do not generate debian/tests/control when building for
      universe.
    - d/rules: use grep-dctrl to remove binary packages not generated by
      this source package during the build (dpkg-genchanges complains
      otherwise).
    - php7.0-interbase: Do not install pdo.so, as it is provided
      by php7.0-common (LP #1556486).
      [ Xenial now supports building packages in main with universe
        build-deps ]
    - debian/patches/0048-fix-bug-71659-pcre-segfault-in-twig-tests.patch:
      Replace bump regex with calculate_unit_length().  Closes LP:
      #1548442.
      [ merged in Debian ]
  * d/t/control{,.in}: add dependency on wget

Superseded in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
php7.0 (7.0.4-5ubuntu2) xenial; urgency=medium

  * debian/patches/0048-fix-bug-71659-pcre-segfault-in-twig-tests.patch:
    Replace bump regex with calculate_unit_length().  Closes LP:
    #1548442.
  * debian/patches/0049-backport-89a43425.patch: Fix incompatible
    pointers on 64-bit.  Closes LP: #1558201.

 -- Nishanth Aravamudan <email address hidden>  Wed, 16 Mar 2016 12:30:50 -0700

Superseded in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
php7.0 (7.0.4-5ubuntu1) xenial; urgency=medium

  * Merge with Debian unstable (LP: #1553419). Remaining changes:
    - Add support for independent source packages php7.0 and
      php7.0-universe-source (LP #1555843):
      + d/control{,.in}: drop Build-Depends on firebird-dev, libc-client-dev,
        libmcrypt-dev, libonig-dev, libqdbm-dev and libzip-dev.
      + d/control: drop binary packages php7.0-imap, php7.0-interbase,
        php7.0-mcrypt and php7.0-zip and their reverse dependencies.
      + d/control{,.in}: add Build-Depends on dctrl-tools.
      + d/rules.d/ext-interbase.mk: add pdo config to interbase's
        config, as php7.0-universe-common will not use ext-common.mk.
    - d/control{,.in}: switch Build-Depends of netcat-traditional to
      netcat-openbsd as only the latter is in main.
    - d/rules: do not generate debian/tests/control when building for
      universe.
    - d/rules: use grep-dctrl to remove binary packages not generated by
      this source package during the build (dpkg-genchanges complains
      otherwise).
  * Drop:
    - d/rules: use grep{,-dctrl} to filter out makefile snippets and
      binary packages that require universe.
      [ Not present ]
    - Undocumented changes to debian/control.
      [ Prior merge churn ]
  * php7.0-interbase: Do not install pdo.so, as it is provided
    by php7.0-common (LP: #1556486).

Superseded in xenial-proposed
php7.0 (7.0.3-9ubuntu2) xenial; urgency=medium

  * Drop:
    - Drop support for firebird, c-client, mcrypt, onig, qdbm and zip as
      they are in universe (LP #1547245):
      + d/control: drop binary packages php7.0-imap, php7.0-interbase,
        php7.0-mcrypt and php7.0-zip and their reverse dependencies.
      + d/rules.d: drop makefile snippets for imap, interbase, mcrypt
        and zip extensions.
  * Add support for independent source packages php7.0 and
    php7.0-universe-source (LP: #1555843):
    - php7.0-imap, php7.0-interbase, php7.0-mcrypt and php7.0-zip will
      be provided by the latter, which will reside in universe.
    - d/control{,.in}: add Build-Depends on dctrl-tools.
    - d/control.in: drop Build-Depends on firebird-dev, libc-client-dev,
      libmcrypt-dev, libonig-dev, libqdbm-dev and libzip-dev.
    - d/rules: use grep{,-dctrl} to filter out makefile snippets and
      binary packages that require universe.
    - d/rules.d/ext-interbase.mk: add pdo config to interbase's config,
      as php7.0-universe-common will not use ext-common.mk.
  * d/control.in: switch Build-Depends of netcat-traditional to
    netcat-openbsd as only the latter is in main.
  * d/rules: do not generate debian/tests/control when building for
    universe.
  * d/rules: use grep-dctrl to remove binary packages not generated by
    this source package during the build (dpkg-genchanges complains
    otherwise).

 -- Nishanth Aravamudan <email address hidden>  Thu, 10 Mar 2016 15:40:59 -0800

Superseded in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
php7.0 (7.0.3-9ubuntu1) xenial; urgency=medium

  * Merge with Debian unstable (LP: #1549407). Remaining changes:
    - Drop support for firebird, c-client, mcrypt, onig, qdbm and zip as
      they are in universe (LP #1547245):
      + d/control: drop Build-Depends on firebird-dev, libc-client-dev,
        libmcrypt-dev, libonig-dev, libqdbm-dev and libzip-dev.
      + d/control: drop binary packages php7.0-imap, php7.0-interbase,
        php7.0-mcrypt and php7.0-zip and their reverse dependencies.
      + d/rules.d: drop makefile snippets for imap, interbase, mcrypt
        and zip extensions.
    - d/control: switch Build-Depends of netcat-traditional to
      netcat-openbsd as only the latter is in main.

Superseded in xenial-proposed
php7.0 (7.0.3-7ubuntu1) xenial; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - Drop support for firebird, c-client, mcrypt, onig, qdbm and zip as
      they are in universe (LP #1547245):
      + d/control: drop Build-Depends on firebird-dev, libc-client-dev,
        libmcrypt-dev, libonig-dev, libqdbm-dev, libxmlrpc-epi and
        libzip-dev.
      + d/control: drop binary packages php7.0-imap, php7.0-interbase,
        php7.0-mcrypt and php7.0-xmlrpc and their reverse dependencies.
      + d/rules.d: drop makefile snippets for imap, interbase, mcrypt
        and xmlrpc extensions.
    - d/control: switch Build-Depends of netcat-traditional to
      netcat-openbsd as only the latter is in main.
  * Dropped changes:
    - Drop support for xmlrpc as it is in universe (LP #1547700):
      + d/control: drop Build-Depends on libxmlrpc-epi
      + d/control: drop binary package php7.0-xmlrpc and its reverse
        dependencies.
      + d/rules.d: drop makefile snippet for xmlrpc extension.
    - d/rules: drop configuration of qdbm and zip.
      + dropped in Debian.
  * Drop support for zip as it is in universe (LP: #1547245).
    - d/control: drop binary package php7.0-zip.
    - d/rules.d: drop makefile snippet for zip extension.

Superseded in xenial-proposed
php7.0 (7.0.3-5ubuntu1) xenial; urgency=medium

  * Drop support for firebird, c-client, mcrypt, onig, qdbm, xmlrpc and
    zip as they are in universe (LP: #1547245):
    - d/control: drop Build-Depends on firebird-dev, libc-client-dev,
      libmcrypt-dev, libonig-dev, libqdbm-dev, libxmlrpc-epi and
      libzip-dev.
    - d/control: drop binary packages php7.0-imap, php7.0-interbase,
      php7.0-mcrypt and php7.0-xmlrpc and their reverse dependencies.
    - d/rules: drop configuration of qdbm and zip.
    - d/rules.d: drop makefile snippets for imap, interbase, mcrypt and
      xmlrpc extensions.
  * d/control: switch Build-Depends of netcat-traditional to
    netcat-openbsd as only the latter is in main.

 -- Nishanth Aravamudan <email address hidden>  Thu, 18 Feb 2016 16:11:00 -0800
Superseded in xenial-proposed
Superseded in xenial-proposed
php7.0 (7.0.3-5) unstable; urgency=medium

  [ Neal Gompa ]
  * Add a test for php-fpm

  [ Ondřej Surý ]
  * Don't depend directly on apache2
  * Add patch to fix crash because of VM stack corruption (DEB.SURY.ORG #246)
  * Miscellaneous fixes related to off-tree ZTS builds

 -- Ondřej Surý <email address hidden>  Wed, 17 Feb 2016 11:19:55 +0100

Superseded in xenial-proposed
php7.0 (7.0.3-4) unstable; urgency=medium

  * Resolve ltmain.sh link based on libtool version (Closes: #814271)

 -- Ondřej Surý <email address hidden>  Mon, 15 Feb 2016 12:41:07 +0100

Superseded in xenial-release
Superseded in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
php7.0 (7.0.3-3) unstable; urgency=medium

  [ Neal Gompa ]
  * Update php-cgi apache httpd config for phpX.Y
  * Add php-fpm apache httpd 2.4 configuration
  * Enable shmop php module

  [ Ondřej Surý ]
  * The autopkgtests are now generated from templates in tests.in inside
    debian/control rule
  * Include pregenerated tests in the source package
  * mod_phpX.c exports just major version in apache2 configuration

 -- Ondřej Surý <email address hidden>  Mon, 08 Feb 2016 11:50:20 +0100

Superseded in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
php7.0 (7.0.3-2) unstable; urgency=medium

  * Add generic support for ZTS builds
  * Update systzdata patch to v13 and get php-bug62172.patch
    (Courtesy of Remi Collet's repository)
  * Remove extra 20-opcache.ini (Caused by fixed extension priority
    handling in src:php-defaults)

 -- Ondřej Surý <email address hidden>  Sat, 06 Feb 2016 15:27:55 +0100

Superseded in xenial-proposed
php7.0 (7.0.3-1) unstable; urgency=medium

  * dh-php is unversioned
  * Imported Upstream version 7.0.3
  * Rebase patches on top of 7.0.3 release

 -- Ondřej Surý <email address hidden>  Fri, 05 Feb 2016 10:51:15 +0100

Superseded in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
php7.0 (7.0.2-5) unstable; urgency=medium

  * Cleanup enabled modules even if php maintscript helpers are no longer
    installed (Closes: #807652, #810690)

 -- Ondřej Surý <email address hidden>  Tue, 26 Jan 2016 10:19:20 +0100

Superseded in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
php7.0 (7.0.2-4) unstable; urgency=medium

  * Unroll the update-alternatives loop in maintainer scripts
  * Add versioned Depends on php@PHP_VERSION@-readline instead of
    suggesting generic php-readline
  * For versioned modules invoke versioned call to php(en|dis)mod from
    maintainer scripts
  * Each phpX.Y-<sapi> now Provides php-<sapi> to make php-pear
    installable with src:php5.6

 -- Ondřej Surý <email address hidden>  Fri, 22 Jan 2016 11:05:23 +0100

Superseded in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
php7.0 (7.0.2-3) unstable; urgency=medium

  * Fail gracefully when other PHP module is enabled in Apache2 (Closes: #811005)

 -- Ondřej Surý <email address hidden>  Fri, 15 Jan 2016 09:47:27 +0100

Superseded in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
php7.0 (7.0.2-1) unstable; urgency=medium

  * Imported Upstream version 7.0.2
  * Rebase patches on top of 7.0.2

 -- Ondřej Surý <email address hidden>  Thu, 07 Jan 2016 16:05:30 +0100

Superseded in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
php7.0 (7.0.1-6) unstable; urgency=medium

  * Add Conflicts: php5 stanza to php7.0.conf to hint a2enmod to not
    enable both PHP 5 and PHP 7 modules (Closes: #810117)
  * Build-Depend just on libpng-dev

 -- Ondřej Surý <email address hidden>  Thu, 07 Jan 2016 10:46:12 +0100

Superseded in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
php7.0 (7.0.1-5) unstable; urgency=medium

  * Prepare for src:php5 and src:php7.0 coinstallation
  * Add empty php_enable to php-cgi postinst, so it's never enabled by default (Closes: #809967)

 -- Ondřej Surý <email address hidden>  Tue, 05 Jan 2016 11:16:20 +0100

Superseded in xenial-proposed
php7.0 (7.0.1-4) unstable; urgency=medium

  * Make Enchant, GMP and XSL extensions shared
  * Regenerate d/control

 -- Ondřej Surý <email address hidden>  Tue, 29 Dec 2015 14:12:09 +0100
