-
php5 (5.4.9-4ubuntu2.4) raring-security; urgency=low
* SECURITY UPDATE: denial of service and possible code execution via
malicious certificate
- debian/patches/CVE-2013-6420.patch: properly validate timestr in
ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
- CVE-2013-6420
* SECURITY UPDATE: denial of service via crafted interval specification
- debian/patches/CVE-2013-6712.patch: check error_count in
ext/date/lib/parse_iso_intervals.*.
- CVE-2013-6712
-- Marc Deslauriers <email address hidden> Wed, 11 Dec 2013 19:19:30 -0500
-
php5 (5.4.9-4ubuntu2.3) raring-security; urgency=low
* SECURITY UPDATE: SSL cert validation spoofing via NULL character in
subjectAltName.
- debian/patches/CVE-2013-4248.patch: validate subjectAltName in
ext/openssl/openssl.c, added test to ext/openssl/tests/cve2013_4073*.
- CVE-2013-4248
-- Marc Deslauriers <email address hidden> Wed, 04 Sep 2013 10:59:04 -0400
-
php5 (5.4.9-4ubuntu2.2) raring-security; urgency=low
* SECURITY UPDATE: denial of service and possible code execution via xml
parser heap overflow
- debian/patches/CVE-2013-4113.patch: check against XML_MAXLEVEL in
ext/xml/xml.c, add test to ext/xml/tests/bug65236.phpt.
- CVE-2013-4113
* SECURITY UPDATE: denial of service via overflow in SdnToJewish
- debian/patches/CVE-2013-4635.patch: check value in
ext/calendar/jewish.c, add test to
ext/calendar/tests/jdtojewish64.phpt.
- CVE-2013-4635
-- Marc Deslauriers <email address hidden> Mon, 15 Jul 2013 09:42:36 -0400
-
php5 (5.4.9-4ubuntu2.1) raring-security; urgency=low
* SECURITY UPDATE: denial of service and possible code execution via
quoted_printable_encode overflow
- debian/patches/CVE-2013-2110.patch: calculate proper string size in
ext/standard/quot_print.c, add test to
ext/standard/tests/strings/bug64879.phpt.
- CVE-2013-2110
-- Marc Deslauriers <email address hidden> Mon, 10 Jun 2013 16:02:40 -0400
-
php5 (5.4.9-4ubuntu2) raring; urgency=low
* SECURITY UPDATE: arbitrary file disclosure via XML External Entity
- debian/patches/CVE-2013-1643.patch: disable the entity loader in
ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
- CVE-2013-1643
-- Marc Deslauriers <email address hidden> Fri, 08 Mar 2013 16:12:43 -0500
-
php5 (5.4.9-4ubuntu1) raring; urgency=low
* Merge from Debian experimental. Remaining changes:
- d/rules: Simplify apache config settings since we never build
interbase or firebird.
- debian/rules: export DEB_HOST_MULTIARCH properly.
- Add build-dependency on lemon, which we now need.
- Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as they are
in universe.
- Dropped libcurl-dev not in the archive.
- debian/control: replace build-depends on mysql-server with
mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
mysql-server-5.5 postinst confusion with starting up multiple
mysqlds listening on the same port.
- Dropped php5-imap, php5-interbase, php5-mcrypt since we have
versions already in universe.
- Dropped libonig-dev and libqgdbm since they are in universe. (libonig
MIR has been declined due to an inactive upstream. So this is
probably a permanent change).
- modulelist: Drop imap, interbase, sybase, and mcrypt.
- debian/rules:
- Dropped building of mcrypt, imap, and interbase.
- Install apport hook for php5.
- stop mysql instance on clean just in case we failed in tests
- debian/control, debian/rules: Re-enable libedit-dev.
* Dropped changes:
- Re-add logic to guess default timezone from system to fix default
timezone regression. Cherry-picked from Debian 5.4.4-6 (also in
Debian 5.4.6-2).
- debian/patches/libxml290.patch: Fix FTBFS with libxml 2.9.0.
(included upstream)
php5 (5.4.9-4) experimental; urgency=low
* Make the sessionclean script compatible with awk != gawk
php5 (5.4.9-3) experimental; urgency=low
* Fix typo in path to session clean script in cron file
(Closes: #694736)
php5 (5.4.9-2) experimental; urgency=low
* Introduce new (hopefully slightly smarter) way of not deleting still
used session files
php5 (5.4.9-1) experimental; urgency=low
[ Lior Kaplan ]
* Support removing dangling symlinks, users are allowed to remove
configuration files
* Exit with code 0 even if module symlink doesn't exist (Closes: #692013)
[ Ondřej Surý ]
* Imported Upstream version 5.4.9
* Remove all traces of suhosin patch from debian sources
* Convert to 3.0 (quilt) debian source format (Closes: #694543)
* Remove broken MultiArch patch from upstream and replace it with
Debian's new version
* Replace Breaks with Conflict for php5-suhosin
* Remove useless .la file from libphp5-embed
php5 (5.4.8-1) experimental; urgency=low
* Imported Upstream version 5.4.8
+ Update patches for new release
* Remove IfModule to always interpret PHP if the module is enabled
* Fix extended DES crypt when salt != 9
* Fix libphp5-embed linking:
+ Expose all installed (and not build-time) SAPIs via php-config --php-sapis
+ Add /usr/lib/php5 to php-config --ldflags output to allow linking with libphp5.so
* Add new lintian-overrides for libphp5-embed
* Add logrotate script for php5-fpm (Closes: #683415)
* Add more warning text about new php5_cgi apache2 module (Closes: #687307)
* Add Breaks: php5-suhosin so people don't try to use it with PHP 5.4
php5 (5.4.6-2) experimental; urgency=low
* Merge 5.4.4-5, 5.4.4-6 and 5.4.4-7 changes
-- Clint Byrum <email address hidden> Tue, 04 Dec 2012 13:57:33 -0800
-
php5 (5.4.6-1ubuntu2) raring; urgency=low
[ Robie Basak ]
* Re-add logic to guess default timezone from system to fix default timezone
regression (LP: #1069529). Cherry-picked from Debian 5.4.4-6 (also in
Debian 5.4.6-2).
[ Marc Deslauriers ]
* debian/patches/libxml290.patch: Fix FTBFS with libxml 2.9.0.
-- Marc Deslauriers <email address hidden> Wed, 07 Nov 2012 11:54:55 -0500
-
php5 (5.4.6-1ubuntu1) quantal; urgency=low
* Merge from Debian experimental (LP: #1006738, LP: #1040212)
Remaining changes:
- d/rules: Simplify apache config settings since we never build
interbase or firebird.
- debian/rules: export DEB_HOST_MULTIARCH properly.
- Add build-dependency on lemon, which we now need.
- Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as they are
in universe.
- Dropped libcurl-dev not in the archive.
- debian/control: replace build-depends on mysql-server with
mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
mysql-server-5.5 postinst confusion with starting up multiple
mysqlds listening on the same port.
- Dropped php5-imap, php5-interbase, php5-mcrypt since we have
versions already in universe.
- Dropped libonig-dev and libqgdbm since they are in universe. (libonig
MIR has been declined due to an inactive upstream. So this is
probably a permanent change).
- modulelist: Drop imap, interbase, sybase, and mcrypt.
- debian/rules:
- Dropped building of mcrypt, imap, and interbase.
- Install apport hook for php5.
- stop mysql instance on clean just in case we failed in tests
- debian/control, debian/rules: Re-enable libedit-dev.
* Dropped Changes:
- debian/rules: change memory limits on example .ini files.
php5 (5.4.6-1) experimental; urgency=low
* Imported Upstream version 5.4.6
* Apply another fix to compile --without-system-tzdata
(Courtesy of Michael Heimpold)
* Get rid of empty examples directory (Closes: #684108), but
keep parent directory to store test-results.txt among others
* Provide sensible default configuration for PHP-CGI files
(Closes: #685340)
* Add NEWS text about default extension configuration
* Update NEWS and README.Debian based on debian-l10n-english review
(Courtesy of Justin B Rye)
php5 (5.4.5-1) experimental; urgency=low
* Imported Upstream version 5.4.5
* Update patches for PHP 5.4.5 release
* Compile with system libzip (upstream has added support for that)
php5 (5.4.4-4) unstable; urgency=low
* Fix php5-fpm segfault (PHP#62205)
* CVE-2012-2688: potential overflow in _php_stream_scandir
(Closes: #683274)
* Improve security in CGI section in README.Debian (Closes: #674205)
-- Clint Byrum <email address hidden> Wed, 22 Aug 2012 13:40:18 -0700