Change logs for php5 source package in Quantal

  • php5 (5.4.6-1ubuntu1.8) quantal-security; urgency=medium
    
      * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
        PE executable
        - debian/patches/CVE-2014-2270.patch: check bounds in
          ext/fileinfo/libmagic/softmagic.c.
        - CVE-2014-2270
     -- Marc Deslauriers <email address hidden>   Thu, 03 Apr 2014 15:18:45 -0400
  • php5 (5.4.6-1ubuntu1.7) quantal-security; urgency=medium
    
      * SECURITY UPDATE: denial of service via crafted indirect offset value
        in fileinfo
        - debian/patches/CVE-2013-1943.patch: properly handle recursion in
          ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added
          test to ext/fileinfo/tests/cve-2014-1943.phpt.
        - CVE-2013-1943
      * This package does _not_ contain the changes from 5.4.6-1ubuntu1.6 in
        quantal-proposed.
     -- Marc Deslauriers <email address hidden>   Fri, 28 Feb 2014 11:40:51 -0500
  • php5 (5.4.6-1ubuntu1.6) quantal; urgency=low
    
      * debian/patches/lp1102366.patch: properly reset rfc1867 callbacks to
        prevent segfault. (LP: #1102366)
     -- Marc Deslauriers <email address hidden>   Mon, 23 Dec 2013 09:00:58 -0500
  • php5 (5.4.6-1ubuntu1.5) quantal-security; urgency=low
    
      * SECURITY UPDATE: denial of service and possible code execution via
        malicious certificate
        - debian/patches/CVE-2013-6420.patch: properly validate timestr in
          ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
        - CVE-2013-6420
      * SECURITY UPDATE: denial of service via crafted interval specification
        - debian/patches/CVE-2013-6712.patch: check error_count in
          ext/date/lib/parse_iso_intervals.*.
        - CVE-2013-6712
     -- Marc Deslauriers <email address hidden>   Wed, 11 Dec 2013 19:20:51 -0500
  • php5 (5.4.6-1ubuntu1.4) quantal-security; urgency=low
    
      * SECURITY UPDATE: SSL cert validation spoofing via NULL character in
        subjectAltName.
        - debian/patches/CVE-2013-4248.patch: validate subjectAltName in
          ext/openssl/openssl.c, added test to ext/openssl/tests/cve2013_4073*.
        - CVE-2013-4248
     -- Marc Deslauriers <email address hidden>   Wed, 04 Sep 2013 11:07:56 -0400
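The CVE-2013-4248 entry above says the fix validates subjectAltName and names the mechanism, a NULL character inside the name. The following is an added example, not code from PHP or from the Ubuntu package, showing why a dNSName entry has to be compared by its ASN.1 length rather than as a C string. The `san_entry` type and the two sample names are constructed for the example; no OpenSSL is involved, and the only assumption is that the vulnerable path reads the entry as a NUL-terminated string, which is exactly the defect the changelog describes.

```c
/* Added example (not PHP's or the package's code): comparing a dNSName
 * subjectAltName by its declared ASN.1 length versus as a C string. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A dNSName entry as decoded from a certificate: explicit length, and the
 * bytes may contain anything, including NUL.  Assumption for the vulnerable
 * path below: the buffer happens to be NUL-terminated somewhere after len. */
struct san_entry {
    const unsigned char *data;
    size_t len;
};

/* Constructed samples.  EVIL_SAN is a name whose owner controls
 * attacker.test (everything after the NUL); a C-string reader only ever
 * sees the prefix before the NUL. */
static const unsigned char EVIL_BYTES[] = "www.example.com\0.attacker.test";
const struct san_entry EVIL_SAN = { EVIL_BYTES, sizeof(EVIL_BYTES) - 1 };  /* 30 bytes */

static const unsigned char GOOD_BYTES[] = "www.example.com";
const struct san_entry GOOD_SAN = { GOOD_BYTES, sizeof(GOOD_BYTES) - 1 };  /* 15 bytes */

/* Vulnerable comparison: strcasecmp stops at the first NUL, so the
 * 30-byte entry looks exactly like "www.example.com". */
int san_matches_cstring(const struct san_entry *san, const char *host)
{
    return strcasecmp((const char *)san->data, host) == 0;
}

/* Hardened comparison: an embedded NUL means the ASN.1 length and the
 * C-string length disagree; such an entry is malformed and never matches.
 * The compare then covers the full declared length, case-insensitively
 * because DNS names are. */
int san_matches_checked(const struct san_entry *san, const char *host)
{
    if (memchr(san->data, '\0', san->len) != NULL)
        return 0;                       /* embedded NUL: reject outright */
    if (strlen(host) != san->len)
        return 0;                       /* lengths must agree exactly */
    return strncasecmp((const char *)san->data, host, san->len) == 0;
}

int main(void)
{
    const char *host = "www.example.com";

    printf("vulnerable, forged SAN: %s\n",
           san_matches_cstring(&EVIL_SAN, host) ? "MATCH (spoofed)" : "no match");
    printf("checked,    forged SAN: %s\n",
           san_matches_checked(&EVIL_SAN, host) ? "match" : "rejected");
    printf("checked,    real SAN  : %s\n",
           san_matches_checked(&GOOD_SAN, host) ? "match" : "rejected");
    return 0;
}
```

The length check comes first on purpose: once an entry with an embedded NUL is rejected, the host comparison never has to reason about where a C string "ends", and the same rule covers the other GeneralName types that carry a length-prefixed string.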
  • php5 (5.4.6-1ubuntu1.3) quantal-security; urgency=low
    
      * SECURITY UPDATE: denial of service and possible code execution via xml
        parser heap overflow
        - debian/patches/CVE-2013-4113.patch: check against XML_MAXLEVEL in
          ext/xml/xml.c, add test to ext/xml/tests/bug65236.phpt.
        - CVE-2013-4113
      * SECURITY UPDATE: denial of service via overflow in SdnToJewish
        - debian/patches/CVE-2013-4635.patch: check value in
          ext/calendar/jewish.c, add test to
          ext/calendar/tests/jdtojewish64.phpt.
        - CVE-2013-4635
     -- Marc Deslauriers <email address hidden>   Mon, 15 Jul 2013 09:48:22 -0400
  • php5 (5.4.6-1ubuntu1.2) quantal-security; urgency=low
    
      * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
        - debian/patches/CVE-2013-1643.patch: disable the entity loader in
          ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
        - CVE-2013-1643
     -- Marc Deslauriers <email address hidden>   Fri, 08 Mar 2013 16:18:48 -0500
  • php5 (5.4.6-1ubuntu1.1) quantal-proposed; urgency=low
    
      * Re-add logic to guess default timezone from system to fix default timezone
        regression (LP: #1069529). Cherry-picked from Debian 5.4.4-6 (also in
        Debian 5.4.6-2).
     -- Robie Basak <email address hidden>   Wed, 24 Oct 2012 10:04:51 +0000
  • php5 (5.4.6-1ubuntu1) quantal; urgency=low
    
      * Merge from Debian experimental (LP: #1006738, LP: #1040212)
        Remaining changes:
        - d/rules: Simplify apache config settings since we never build
          interbase or firebird.
        - debian/rules: export DEB_HOST_MULTIARCH properly.
        - Add build-dependency on lemon, which we now need.
        - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as they are
          in universe.
        - Dropped libcurl-dev, not in the archive.
        - debian/control: replace build-depends on mysql-server with
          mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
          mysql-server-5.5 postinst confusion with starting up multiple
          mysqlds listening on the same port.
        - Dropped php5-imap, php5-interbase, php5-mcrypt since we have
          versions already in universe.
        - Dropped libonig-dev and libqgdbm since it's in universe. (libonig
          MIR has been declined due to an inactive upstream. So this is
          probably a permanent change).
        - modulelist: Drop imap, interbase, sybase, and mcrypt.
        - debian/rules:
          - Dropped building of mcrypt, imap, and interbase.
          - Install apport hook for php5.
          - stop mysql instance on clean just in case we failed in tests
        - debian/control, debian/rules: Re-enable libedit-dev.
      * Dropped Changes:
        - debian/rules: change memory limits on example .ini files.
    
    php5 (5.4.6-1) experimental; urgency=low
    
      * Imported Upstream version 5.4.6
      * Apply another fix to compile --without-system-tzdata
        (Courtesy of Michael Heimpold)
      * Get rid of empty examples directory (Closes: #684108), but
        keep parent directory to store test-results.txt among others
      * Provide sensible default configuration for PHP-CGI files
        (Closes: #685340)
      * Add NEWS text about default extension configuration
      * Update NEWS and README.Debian based on debian-l10n-english review
        (Courtesy of Justing B Rye)
    
    php5 (5.4.5-1) experimental; urgency=low
    
      * Imported Upstream version 5.4.5
      * Update patches for PHP 5.4.5 release
      * Compile with system libzip (upstream has added support for that)
    
    php5 (5.4.4-4) unstable; urgency=low
    
      * Fix php5-fpm segfault (PHP#62205)
      * CVE-2012-2688: potential overflow in _php_stream_scandir
        (Closes: #683274)
      * Improve security in CGI section in README.Debian (Closes: #674205)
     -- Clint Byrum <email address hidden>   Wed, 22 Aug 2012 13:40:18 -0700
  • php5 (5.4.4-3ubuntu1) quantal; urgency=low
    
      * Merge from Debian unstable. (LP: #1014044) (LP: #1024355)
        Remaining changes:
        - d/rules: Simplify apache config settings since we never build
          interbase or firebird.
        - debian/rules: export DEB_HOST_MULTIARCH properly.
        - Add build-dependency on lemon, which we now need.
        - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as they are in universe.
        - Dropped libcurl-dev, not in the archive.
        - debian/control: replace build-depends on mysql-server with
          mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
          mysql-server-5.5 postinst confusion with starting up multiple
          mysqlds listening on the same port.
        - Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions
          already in universe.
        - Dropped libonig-dev and libqgdbm since it's in universe. (libonig MIR
          has been declined due to an inactive upstream. So this is probably
          a permanent change).
        - modulelist: Drop imap, interbase, sybase, and mcrypt.
        - debian/rules:
          * Dropped building of mcrypt, imap, and interbase.
          * Install apport hook for php5.
          * stop mysql instance on clean just in case we failed in tests
    
    php5 (5.4.4-3) unstable; urgency=low
    
      * Update ucf/ucfr scripts to not conflict between mysql and mysqlnd
        extension (Closes: #678371)
    
    php5 (5.4.4-2) unstable; urgency=high
    
      * Fix PHP5-FPM not reporting errors to web server (nginx)
        (Closes: #677994)
      * Bump urgency to high to replace the RC2 version in testing sooner.
     -- Clint Byrum <email address hidden>   Mon, 23 Jul 2012 11:08:52 -0700
  • php5 (5.4.4-1ubuntu1) quantal; urgency=low
    
      * Merge from Debian unstable. Remaining changes:
        - d/rules: Simplify apache config settings since we never build
          interbase or firebird.
        - debian/rules: export DEB_HOST_MULTIARCH properly.
        - Add build-dependency on lemon, which we now need.
        - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as they are in universe.
        - Dropped libcurl-dev, not in the archive.
        - debian/control: replace build-depends on mysql-server with
          mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
          mysql-server-5.5 postinst confusion with starting up multiple
          mysqlds listening on the same port.
        - Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions
          already in universe.
        - Dropped libonig-dev and libqgdbm since it's in universe. (libonig MIR
          has been declined due to an inactive upstream. So this is probably
          a permanent change).
        - modulelist: Drop imap, interbase, sybase, and mcrypt.
        - debian/rules:
          * Dropped building of mcrypt, imap, and interbase.
          * Install apport hook for php5.
          * stop mysql instance on clean just in case we failed in tests
      * Dropped Changes:
        - d/rules: enable Suhosin patch with PHP5_SUHOSIN=yes -- Upstream suhosin
          has been slow to adopt PHP 5.4, and is showing signs of disengagement.
          Therefore, we will follow Debian's lead and drop Suhosin for now.
        - d/control: build-depend on mysql 5.5 instead of 5.1 for running tests.
          -- Debian just deps on mysql-server
        - Suggest php5-suhosin rather than recommends. -- Dropping suhosin
        - d/setup-mysql.sh: modify to work with mysql 5.5 differences -- superseded
          in Debian.
        - Only build php5-sqlite for sqlite3, dropping the obsolete sqlite2. --
          superseded in Debian
        - d/maxlifetime: Improve maxlifetime script to scan for more SAPIs and
          scan all *.ini in conf.d directory. -- Change came from Debian
        - d/libapache2-mod-php5.postinst,libapache2-mod-php5filter.postinst:
          Restart apache on first install to ensure module is fully enabled.
          -- Change came from Debian
        - debian/patches/php5-CVE-2012-1823.patch: filter query strings that
          are prefixed with '-' -- Fixed upstream
        - debian/control: Recommend php5-dev for php-pear. -- This was a poorly
          conceived idea anyway.
        - Pre-Depend on a new enough version of dpkg for dpkg-maintscript-helper
          rather than checking whether it exists at run-time, leading to more
          predictable behaviour on upgrades. -- Applied in Debian
        - d/p/gd-multiarch-fix.patch: superseded
      * d/NEWS: add note explaining that SUHOSIN is no longer enabled in the
        Ubuntu packages.
    
    php5 (5.4.4-1) unstable; urgency=low
    
      * Imported Upstream version 5.4.4
      * Generate 16 char salt instead of 12 char salt for SHA-512
    
    php5 (5.4.4~rc2-1) unstable; urgency=low
    
      * Imported Upstream version 5.4.4~rc2
    
    php5 (5.4.4~rc1-1) unstable; urgency=low
    
      * Imported Upstream version 5.4.4~rc1
       + CVE-2012-2386: Fix integer overflow leading to heap-buffer overflow
         in the Phar extension
      * Remove some READMEs removed by upstream
       + README.SVN-RULES - upstream has moved to git
       + README.Zeus - Zeus Web Server is dead
      * CVE-2012-2386: one additional, similar vulnerable code construct in
        the Phar extension
    
    php5 (5.4.3-6) unstable; urgency=low
    
      [ Ondřej Surý ]
      * Merge 5.3.10-1 and 5.3.10-2 changelog
      * Remove *.patch from .gitignore, it broke adding quilt patches
      * Revert "Use system libzip (Pulled from Fedora)" (Closes: #674151)
      * Add patch to fix tt-rss backend php crash (Closes: #666200)
    
      [ Thorsten Glaser ]
      * Add support for Linux/m68k atomics needed by the FPM SAPI
        (Closes: #672277)
    
      [ Gedalya ]
      * Add logrotate script for php5-fpm (Closes: #673558)
    
    php5 (5.4.3-5) unstable; urgency=low
    
      * Pull patches from Fedora:
        + Update use_embedded_timezonedb.patch to r8: fix compile error
          without --with-system-tzdata configured
        + Add ldconfig post/postun for -embedded (Hans de Goede)
        + Use RTLD_NOW instead of RTLD_LAZY (pulled from Fedora)
        + Use system libzip (pulled from Fedora)
      * Disable undefined ZIP_OVERWRITE to allow compile with system libzip
    
    php5 (5.4.3-4) unstable; urgency=low
    
      * Fix tests ([ERROR] Can't start server: bind-address refers to
        multiple interfaces!) (Closes: #672588)
    
    php5 (5.4.3-3) unstable; urgency=low
    
      * Disable log redirection in debian/setup-mysql.sh to help diagnose
        the setup-mysql.sh failure (still not fixed, but not reproducible
        on my local box)
    
    php5 (5.4.3-2) unstable; urgency=low
    
      * Add --no-defaults to rest of the mysql commands in setup-mysql.sh
        script (Closes: #672588)
      * Add debugging info to debian/setup-mysql.sh to help diagnose any
        further problems
    
    php5 (5.4.3-1) unstable; urgency=low
    
      * Imported Upstream version 5.4.3
        + CVE-2012-2311: Complete fix for PHP-CGI query string parameter
          vulnerability
        + CVE-2012-2329: Fix a buffer overflow vulnerability in the
          apache_request_headers() (PHP 5.3 is not vulnerable)
    
    php5 (5.4.2-1) unstable; urgency=low
    
      * Imported Upstream version 5.4.2
        + CVE-2012-1823: Fix PHP-CGI query string parameter vulnerability.
    
    php5 (5.4.1-1) unstable; urgency=low
    
      * Imported Upstream version 5.4.1
        + Fixed insufficient validating of upload name leading to corrupted
          $_FILES indices (CVE-2012-1172).
        + Add open_basedir checks to readline_write_history and
          readline_read_history.
        + Add Apache 2.4 support (.deb package in experimental coming soon)
        + Added debug info handler to DOM objects.
      * Remove Breaks: on php applications at maintainers' request:
        + simplesamlphp
        + php-horde-auth
      * Add better configuration snippet for CGI (Closes: #571795)
      * Update a description of PHP language based on the text from upstream
        web page (http://www.php.net/manual/en/intro-whatis.php)
      * Enable embed SAPI (Closes: #380731)
      * Add lintian override for libphp5-embed: embedded-library
        usr/lib/libphp5.so: file
      * Add ldconfig to libphp5-embed.{postinst,postrm}
      * Fix #EXTRA# processing for SAPIs (extra ; at the end of sed cmd)
    
    php5 (5.4.1~rc1-1) unstable; urgency=low
    
      * Add information about flavor of INI file inside the INI file,
        install php.ini-development INI to /usr/share/php5 (Closes: #667711)
      * Imported Upstream version 5.4.1~rc1
      * Update patches for the 5.4.1RC1 release
    
    php5 (5.4.0-4) unstable; urgency=low
    
      * Change id -u+getent combo to whoami (Courtesy of Michiel van
        Leening)
      * Fix missing FOUND declaration (pulled from dotdeb)
      * Add Breaks for all known broken packages not working with PHP 5.4
        (Closes: #666411)
    
    php5 (5.4.0-3) unstable; urgency=high
    
      [ Thijs Kinkhorst ]
      * Correct version number; 5.4.0~rc7-3 never existed
      * Add placeholder build-arch, build-indep targets
      * Each module needs to depend on ucf, as it's used in postinst
      * Newer version of roundcube available that isn't broken anymore
      * Checked for policy 3.9.3
    
      [ Ondřej Surý ]
      * Remove Pre-Depends on dpkg-maintscript-helper
      * Remove obsolete configure options
      * Add support for *.extra.{post,pre}{inst,rm} files
      * Add support for MultiArch libgd2-xpm-dev
      * Add support for MultiArch libmysqlclient-dev
      * Add Lior to maintainers
      * setup-mysql.sh changed to:
        + never run as root (fix needed for MySQL 5.5 in pbuilder)
        + drop and create database test which may or may not exist
      * Restart apache2 instead of reloading on first install
        (Closes: #589386)
    
      [ Julien Cristau ]
      * Fix postinst scripts to not use 'local' outside functions (Closes:
        #664853, #664849)
    
    php5 (5.4.0-2) unstable; urgency=low
    
      * Build depend on libpng-dev | libpng12-dev (Closes: #662466)
    
    php5 (5.4.0-1) unstable; urgency=low
    
      * PHP 5.4 has landed in unstable
      * Imported Upstream version 5.4.0
      * Use $(filter pattern...,text) instead of $(findstring find,in) in
        debian/rules to match against space separated list of words and not
        substrings (Closes: #660647)
    
    php5 (5.4.0~rc8-2) experimental; urgency=low
    
      * Use $(filter pattern...,text) instead of $(findstring find,in) in
        debian/rules to match against space separated list of words and not
        just substrings (i386 != hurd-i386) (Closes: #660647)
    
    php5 (5.4.0~rc8-1) experimental; urgency=low
    
      * Imported Upstream version 5.4.0~rc8
      * Improve maxlifetime script to scan for more SAPIs and scan all *.ini
        in conf.d directory
      * Move php5-mysqlnd to Priority: extra to make debcheck happy
      * Check for dpkg-maintscript-helper existence in php5-fpm maintainer
        scripts
      * Add Pre-Depends: dpkg (>= 1.15.7.2~) | dpkg-maintscript-helper to
        allow single upgrade path (dpkg-maintscript-helper package will be
        provided for Ubuntu Lucid PPA)
    
    php5 (5.4.0~rc7-2) experimental; urgency=low
    
      * Use corrected module PHPAPI (20100525) and not (220100525)
      * Use $ZEND_MODULE_API_NO for $DEBIAN_PHP_API. Check for PHPAPI
        changes, so we don't become binary incompatible without knowing it.
      * Update debian/README.Debian.security:
        + register_globals was removed from PHP 5.4
        + Remove safe_mode (removed upstream) and update and reformat text
          slightly
        + Reviewed by english l10n team (thanks a lot)
      * php5-fpm now listens on a socket instead of localhost by default
        (Closes: #650204)
      * Add NEWS about change of default location of php5-fpm socket
      * Stop php5-fpm on runlevels 0 1 6 (Closes: #650203)
      * Add -ignore_readdir_race to find call in session cleanup (#634864)
      * Don't prefix extension list automatically, it's done by subsvars now
        (Closes: #633491)
      * Depends on non-forking fuser in psmisc (Closes: #633100)
      * php5-common.README.Debian additions and cleanup:
        + Add a paragraph about PHP_INI_SCAN_DIR (Closes: #659123)
        + Reformat README.Debian to common formatting
        + Mention php5-fpm where appropriate
        + Use 'PHP 5' and 'Apache HTTP Server' instead of php5 and apache2
    
    php5 (5.4.0~rc7-1) experimental; urgency=low
    
      [ Thijs Kinkhorst ]
      * Textual improvements to README.Debian.security, NEWS
        (closes: #632675,#643015,#658208).
    
      [ Ondřej Surý ]
      * Imported Upstream version 5.4.0~rc7
        + CVE-2012-0830: Fix PHP remote vulnerability (code injection) in the
          implementation of the max_input_vars configuration variable
        + CVE-2011-3389: Fix possible attack in SSL sockets with SSL 3.0/TLS 1.0.
    
    php5 (5.4.0~rc6-3) experimental; urgency=low
    
      * ucfize php5-module.* and store priority in module .ini file
      * Store dsonames in maintainer scripts to make postrm work
      * Make php5enmod idempotent
    
    php5 (5.4.0~rc6-2) experimental; urgency=low
    
      * Merge all changes from Debian unstable branch (up to 5.3.9-6)
      * Fix -Wformat-security error in mysqlnd
      * Add php5{en,dis}mod to enable/disable modules from maintainer
        scripts (Closes: #447826, #582320, #627145)
        (Initial work courtesy of Clint Byrum)
      * Modify comments in php.inis to match compiled default session
      * Adjust new 5.3 patches for 5.4 branch
      * Ensure pdo.so is loaded before all other modules
      * Add trigger to restart php5-fpm when module is installed/removed
      * Remove --with-ttf and --with-t1lib (Closes: #658248, #638755)
      * Add debian/NEWS item about missing t1lib functions
    
    php5 (5.4.0~rc6-1) experimental; urgency=low
    
      * Imported Upstream version 5.4.0~rc6
    
    php5 (5.4.0~rc5-1) experimental; urgency=low
    
      * Imported Upstream version 5.4.0~rc5
      * Update patches for new release
      * Disable suhosin patch
    
    php5 (5.4.0~beta2-1) experimental; urgency=low
    
      * Remove obsolete sqlite(2) module from php5-sqlite
      * Use correct signals in php5-fpm init script (Closes: #645934)
      * Update gbp.conf for experimental branch
      * Imported Upstream version 5.4.0~beta2
      * Refresh patches for the 5.4.0beta2 release
      * Remove php.ini-paranoid, it's almost useless now
      * Remove safe_mode setting from suhosin, it has been removed upstream
      * Remove the php_stream stuff to allow compiling with system-wide
        libgd
      * php5-common.docs: Don't install non-existent TODO file
    
    php5 (5.3.10-2) unstable; urgency=low
    
      * Use $(filter pattern...,text) instead of $(findstring find,in) in
        debian/rules to match against space separated list of words and not
        substrings (Closes: #660647)
      * CVE-2012-0831: magic_quotes_gpc remote disable vulnerability (NOTE:
        magic_quotes_gpc is DEPRECATED and will be removed from PHP 5.4,
        e.g. you should not use them!), also fix regression in CVE-2012-0831
        (LP#930115)
      * Depends on non-forking fuser in psmisc (Closes: #633100)
      * Add Pre-Depends: dpkg (>= 1.15.7.2~) | dpkg-maintscript-helper to
        allow single upgrade path (dpkg-maintscript-helper package will be
        provided for Ubuntu Lucid PPA)
     -- Clint Byrum <email address hidden>   Mon, 18 Jun 2012 16:10:26 -0700
  • php5 (5.3.10-1ubuntu4) quantal; urgency=low
    
      * SECURITY UPDATE: php5-cgi query string parameters parsing
        vulnerability
        - debian/patches/php5-CVE-2012-1823.patch: filter query strings that
          are prefixed with '-'
        - CVE-2012-1823
        - CVE-2012-2311
     -- Steve Beattie <email address hidden>   Wed, 23 May 2012 15:57:57 -0400
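The entry above describes the php-cgi query string fix as filtering query strings prefixed with '-', and lists both CVE-2012-1823 and CVE-2012-2311, the latter being called the complete fix further up the page. The following is an added example, not code from PHP or from the Ubuntu package, modelling that class of check. Under the CGI interface a query string with no unencoded '=' is handed to the script as command-line arguments, so a CGI binary that runs argv through its option parser lets a remote client choose its options. The model decodes before checking because a check on the raw bytes cannot see a percent-encoded hyphen; the changelog does not say whether that is the exact gap the completed fix closed, so treat the ordering as this example's design choice. All query strings below are constructed.

```c
/* Added example (not PHP's or the package's code): a model of refusing to
 * parse CGI argv as options when the decoded query string starts with '-'. */
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src into dst ("%2d" -> '-', '+' -> ' '); returns the
 * decoded length.  dst is always NUL-terminated. */
size_t url_decode(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    while (*src && n + 1 < dstsz) {
        int hi, lo;
        if (*src == '%' && (hi = hexval(src[1])) >= 0 && (lo = hexval(src[2])) >= 0) {
            dst[n++] = (char)(hi * 16 + lo);
            src += 3;
        } else {
            dst[n++] = (*src == '+') ? ' ' : *src;
            src += 1;
        }
    }
    dst[n] = '\0';
    return n;
}

/* Per the CGI spec, only a query string without an unencoded '=' reaches
 * the script as argv; anything else never meets the option parser. */
int query_is_argv(const char *qs)
{
    return strchr(qs, '=') == NULL;
}

/* Weak check: looks at the raw query string.  "?-s" is caught, but the
 * same option spelled "?%2ds" is not, because the '-' only appears after
 * decoding. */
int skip_getopt_raw(const char *qs)
{
    return query_is_argv(qs) && qs[0] == '-';
}

/* Hardened check: decode first, then refuse anything that begins with '-'.
 * Both spellings of the option are now treated the same way. */
int skip_getopt_decoded(const char *qs)
{
    char decoded[1024];
    if (!query_is_argv(qs))
        return 0;                       /* never passed as argv at all */
    url_decode(decoded, sizeof decoded, qs);
    return decoded[0] == '-';
}

int main(void)
{
    /* Constructed query strings: ordinary ones, an option, and the same
     * option percent-encoded. */
    const char *samples[] = { "page=1", "hello+world", "-s", "%2ds", "%2Dd+foo" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s raw:%d decoded:%d\n", samples[i],
               skip_getopt_raw(samples[i]), skip_getopt_decoded(samples[i]));
    return 0;
}
```

The '=' test is deliberately done on the raw string, matching the CGI rule that only an unencoded '=' stops the server from passing the query as arguments; the '-' test is done on the decoded string, which is the form the option parser would actually see.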
  • php5 (5.3.10-1ubuntu3) precise; urgency=low
    
      * Cherry picked fixes from Debian testing:
        - d/maxlifetime: Improve maxlifetime script to scan for more SAPIs and
          scan all *.ini in conf.d directory.
          (LP: #916065).
        - d/libapache2-mod-php5.postinst,libapache2-mod-php5filter.postinst:
          Restart apache on first install to ensure module is fully enabled.
          (LP: #953081).
     -- James Page <email address hidden>   Wed, 11 Apr 2012 14:27:10 +0100