php5 (5.5.3+dfsg-1ubuntu2.6) saucy-security; urgency=medium
* SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector
- debian/patches/CVE-2014-0207.patch: properly calculate sizes in
ext/fileinfo/libmagic/cdf.c.
- CVE-2014-0207
* SECURITY UPDATE: denial of service in FileInfo mconvert
- debian/patches/CVE-2014-3478.patch: properly handle truncated pascal
string size in ext/fileinfo/libmagic/softmagic.c.
- CVE-2014-3478
* SECURITY UPDATE: denial of service in FileInfo cdf_check_stream_offset
- debian/patches/CVE-2014-3479.patch: properly calculate sizes in
ext/fileinfo/libmagic/cdf.c.
- CVE-2014-3479
* SECURITY UPDATE: denial of service in FileInfo cdf_count_chain
- debian/patches/CVE-2014-3480.patch: properly calculate sizes in
ext/fileinfo/libmagic/cdf.c.
- CVE-2014-3480
* SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
- debian/patches/CVE-2014-3487.patch: properly calculate sizes in
ext/fileinfo/libmagic/cdf.c.
- CVE-2014-3487
* SECURITY UPDATE: denial of service and possible code execution via
unserialize() SPL type confusion
- debian/patches/CVE-2014-3515.patch: properly check types in
ext/spl/spl_array.c, ext/spl/spl_observer.c, added test to
ext/spl/tests/SplObjectStorage_unserialize_bad.phpt.
- CVE-2014-3515
* SECURITY UPDATE: denial of service via SPL Iterators use-after-free
- debian/patches/CVE-2014-4670.patch: fix use-after-free in
ext/spl/spl_dllist.c, added test to ext/spl/tests/bug67538.phpt.
- CVE-2014-4670
* SECURITY UPDATE: denial of service via ArrayIterator use-after-free
- debian/patches/CVE-2014-4698.patch: don't allow modifying ArrayObject
during sorting in ext/spl/spl_array.c, added test to
ext/spl/tests/bug67539.phpt.
- CVE-2014-4698
* SECURITY UPDATE: information leak via phpinfo (LP: #1338170)
- debian/patches/CVE-2014-4721.patch: fix type confusion in
ext/standard/info.c, added test to
ext/standard/tests/general_functions/bug67498.phpt.
- CVE-2014-4721
-- Marc Deslauriers <email address hidden> Mon, 07 Jul 2014 07:46:31 -0400
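The three SPL fixes in this entry (CVE-2014-3515, CVE-2014-4670, CVE-2014-4698) are all reached through unserialize() of attacker-controlled data, where the serialized string chooses which class gets instantiated and therefore which unserialize handler runs. The interpreter patches close the individual bugs; the application-side defence is to never let untrusted input name a class at all. The following is an added example, not code from the php5 package or its changelog: a small validator for the PHP serialization format that accepts only scalars and arrays (N, b, i, d, s, a) and rejects objects (O:), custom-serialized classes such as SplObjectStorage (C:) and back-references (r:/R:). The function names, the 32-level depth limit and the sample inputs are this example's own choices.

```php
<?php
// Added example, not from the php5 package or its changelog.
// Walks a serialized PHP value and accepts only scalars and arrays, so no
// class can be named in the data and no unserialize handler can run.

function is_plain_serialized($data)
{
    $pos = 0;
    return plain_serialized_value($data, $pos, 0) && $pos === strlen($data);
}

// Parses one value starting at $pos and advances $pos past it.
// Anything other than N, b, i, d, s, a (objects, C: custom data, r:/R:
// references, or garbage) is rejected. Depth is capped to bound recursion.
function plain_serialized_value($d, &$pos, $depth)
{
    if ($depth > 32 || $pos >= strlen($d)) {
        return false;
    }
    switch ($d[$pos]) {
        case 'N':
            if (substr($d, $pos, 2) !== 'N;') return false;
            $pos += 2;
            return true;
        case 'b':
            if (!preg_match('/b:[01];/A', $d, $m, 0, $pos)) return false;
            $pos += strlen($m[0]);
            return true;
        case 'i':
            if (!preg_match('/i:[-+]?[0-9]+;/A', $d, $m, 0, $pos)) return false;
            $pos += strlen($m[0]);
            return true;
        case 'd':
            $re = '/d:(?:[-+]?(?:[0-9]*\.?[0-9]+(?:[eE][-+]?[0-9]+)?|INF)|NAN);/A';
            if (!preg_match($re, $d, $m, 0, $pos)) return false;
            $pos += strlen($m[0]);
            return true;
        case 's':
            // s:<len>:"<bytes>";  the declared byte length is taken literally,
            // so an "O:" inside the string body can never be mistaken for an object.
            if (!preg_match('/s:([0-9]+):"/A', $d, $m, 0, $pos)) return false;
            $start = $pos + strlen($m[0]);
            $len   = (int) $m[1];
            if (substr($d, $start + $len, 2) !== '";') return false;
            $pos = $start + $len + 2;
            return true;
        case 'a':
            if (!preg_match('/a:([0-9]+):\{/A', $d, $m, 0, $pos)) return false;
            $count = (int) $m[1];
            $pos  += strlen($m[0]);
            for ($i = 0; $i < $count; $i++) {
                // array keys may only be integers or strings
                if ($pos >= strlen($d) || ($d[$pos] !== 'i' && $d[$pos] !== 's')) return false;
                if (!plain_serialized_value($d, $pos, $depth + 1)) return false;   // key
                if (!plain_serialized_value($d, $pos, $depth + 1)) return false;   // value
            }
            if (substr($d, $pos, 1) !== '}') return false;
            $pos++;
            return true;
        default:
            return false;
    }
}

// Validates first, then unserializes. On PHP 7+ allowed_classes=false is
// added as a second layer; on 5.x the validator alone keeps classes out.
function safe_unserialize($data)
{
    if (!is_plain_serialized($data)) {
        return false;
    }
    return PHP_VERSION_ID >= 70000
        ? unserialize($data, array('allowed_classes' => false))
        : unserialize($data);
}

// Constructed sample inputs (not taken from any real request).
$inputs = array(
    'plain data'           => serialize(array('id' => 7, 'tags' => array('a', 'b'), 'ratio' => 0.5)),
    'string containing O:' => serialize('O:8:"stdClass":0:{}'),
    'stdClass object'      => serialize(new stdClass()),
    'SplObjectStorage'     => serialize(new SplObjectStorage()),   // C: on 5.x, O: on 7.4+
    'truncated array'      => 'a:1:{i:0;',
);
foreach ($inputs as $label => $data) {
    echo str_pad($label, 22), is_plain_serialized($data) ? 'accepted' : 'rejected', "\n";
}
```

The validator is a real parser of the format rather than a regex scan for `O:` or `C:`, because a string body such as `s:19:"O:8:"stdClass":0:{}";` legitimately contains those tokens; only a walk that honours the declared string lengths can tell the difference. Where the data format is under your control, serializing to JSON and using json_decode() avoids the problem entirely.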
php5 (5.5.3+dfsg-1ubuntu2.5) saucy-security; urgency=medium
* SECURITY UPDATE: better FastCGI socket permissions (LP: #1334337)
- debian/rules: enable listen.owner and listen.group so that the socket
is accessible to www-data by default. This allows most setups to
continue working with the more restrictive permissions.
-- Marc Deslauriers <email address hidden> Wed, 25 Jun 2014 11:52:07 -0400
php5 (5.5.3+dfsg-1ubuntu2.4) saucy-security; urgency=medium
* SECURITY UPDATE: incorrect FastCGI socket permissions (LP: #1307027)
- debian/patches/CVE-2014-0185.patch: default to 0660 in
sapi/fpm/fpm/fpm_unix.c, sapi/fpm/php-fpm.conf.in.
- CVE-2014-0185
* SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
- debian/patches/CVE-2014-0237.patch: remove file_printf calls in
ext/fileinfo/libmagic/cdf.c.
- CVE-2014-0237
* SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
- debian/patches/CVE-2014-0238.patch: fix infinite loop in
ext/fileinfo/libmagic/cdf.c.
- CVE-2014-0238
* SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
parsing
- debian/patches/CVE-2014-4049.patch: check length in
ext/standard/dns.c.
- CVE-2014-4049
-- Marc Deslauriers <email address hidden> Thu, 19 Jun 2014 13:33:33 -0400
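The 5.5.3+dfsg-1ubuntu2.4 entry above (CVE-2014-0185, default socket mode changed to 0660) and the 5.5.3+dfsg-1ubuntu2.5 follow-up (listen.owner and listen.group enabled so www-data can still connect) describe the two halves of one configuration change: a FastCGI socket that is world-writable lets any local user submit requests and run PHP as the pool user, while a 0660 socket without a matching owner or group locks the web server out. The following is an added example, not code from the php5 package or its changelog: it audits php-fpm pool definitions for both conditions and applies the same check to a socket that already exists on disk. The pool fragments are constructed for the example, the web server account is assumed to be www-data, and the socket check assumes the posix extension is available.

```php
<?php
// Added example, not from the php5 package or its changelog.
// Audits php-fpm pools for the socket-permission problem of CVE-2014-0185.

// Constructed pool fragments (not copied from any real system).
$poolWeak = "[www]\n"
    . "user = www-data\n"
    . "group = www-data\n"
    . "listen = /var/run/php5-fpm.sock\n"
    . "listen.mode = 0666\n";

$poolFixed = "[www]\n"
    . "user = www-data\n"
    . "group = www-data\n"
    . "listen = /var/run/php5-fpm.sock\n"
    . "listen.owner = www-data\n"
    . "listen.group = www-data\n"
    . "listen.mode = 0660\n";

/**
 * Returns a list of findings for the pools in $ini. An empty list means every
 * UNIX-socket listener is closed to "other" users and has an owner or group
 * the web server account ($webUser, assumed to be www-data) can match.
 */
function audit_pools($ini, $webUser = 'www-data')
{
    $pools = parse_ini_string($ini, true, INI_SCANNER_RAW);
    if ($pools === false) {
        return array('pool configuration could not be parsed');
    }
    $findings = array();
    foreach ($pools as $name => $cfg) {
        $listen = isset($cfg['listen']) ? $cfg['listen'] : '';
        // TCP listeners (host:port) are not governed by file modes.
        if ($listen === '' || $listen[0] !== '/') {
            continue;
        }
        // An unset listen.mode meant 0666 before CVE-2014-0185 and 0660 after;
        // assume the pessimistic value, since the audit cannot know the binary's version.
        $mode = isset($cfg['listen.mode']) ? octdec($cfg['listen.mode']) : 0666;
        if ($mode & 0007) {
            $findings[] = sprintf('%s: listen.mode %04o is reachable by every local user', $name, $mode);
        }
        $owner = isset($cfg['listen.owner']) ? $cfg['listen.owner'] : null;
        $group = isset($cfg['listen.group']) ? $cfg['listen.group'] : null;
        if ($owner !== $webUser && $group !== $webUser) {
            $findings[] = "$name: neither listen.owner nor listen.group is $webUser; "
                . "with a 0660 socket the web server cannot connect";
        }
    }
    return $findings;
}

/**
 * The same two checks against a socket that already exists on disk.
 */
function socket_findings($path, $webUser = 'www-data')
{
    if (!file_exists($path) || filetype($path) !== 'socket') {
        return array("$path is not a UNIX socket");
    }
    $findings = array();
    $mode = fileperms($path) & 0777;
    if ($mode & 0007) {
        $findings[] = sprintf('%s: mode %04o is reachable by every local user', $path, $mode);
    }
    $owner = posix_getpwuid(fileowner($path));
    $group = posix_getgrgid(filegroup($path));
    if (($owner === false || $owner['name'] !== $webUser)
        && ($group === false || $group['name'] !== $webUser)) {
        $findings[] = "$path: neither owner nor group is $webUser";
    }
    return $findings;
}

foreach (array('weak' => $poolWeak, 'fixed' => $poolFixed) as $label => $ini) {
    $f = audit_pools($ini);
    echo $label, ': ', $f ? implode('; ', $f) : 'ok', "\n";
}
```

Run against a live system, socket_findings('/var/run/php5-fpm.sock') reports the state php-fpm actually created, which is the thing that matters after an upgrade: a pool file that still carries an explicit listen.mode = 0666 overrides the new default and reopens the socket to every local account.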
php5 (5.5.3+dfsg-1ubuntu2.3) saucy-security; urgency=medium
* SECURITY UPDATE: denial of service in fileinfo via crafted offset in
PE executable
- debian/patches/CVE-2014-2270.patch: check bounds in
ext/fileinfo/libmagic/softmagic.c.
- CVE-2014-2270
-- Marc Deslauriers <email address hidden> Thu, 03 Apr 2014 15:14:26 -0400
php5 (5.5.3+dfsg-1ubuntu2.2) saucy-security; urgency=medium
* SECURITY UPDATE: denial of service and possible code execution via
multiple issues in gdImageCrop
- debian/patches/CVE-2013-7226.patch: fix overflows and data type
issues in ext/gd/gd.c,ext/gd/libgd/gd_crop.c, added test to
ext/gd/tests/bug66356.phpt.
- CVE-2013-7226
- CVE-2013-7327
- CVE-2013-7328
- CVE-2014-2020
* SECURITY UPDATE: denial of service via crafted indirect offset value
in fileinfo
- debian/patches/CVE-2013-1943.patch: properly handle recursion in
ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added
test to ext/fileinfo/tests/cve-2014-1943.phpt.
- CVE-2013-1943
* debian/rules: re-enable tests.
-- Marc Deslauriers <email address hidden> Fri, 28 Feb 2014 11:15:03 -0500
php5 (5.5.3+dfsg-1ubuntu2.1) saucy-security; urgency=low
* SECURITY UPDATE: denial of service and possible code execution via
malicious certificate
- debian/patches/CVE-2013-6420.patch: properly validate timestr in
ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
- CVE-2013-6420
* SECURITY UPDATE: denial of service via crafted interval specification
- debian/patches/CVE-2013-6712.patch: check error_count in
ext/date/lib/parse_iso_intervals.*.
- CVE-2013-6712
-- Marc Deslauriers <email address hidden> Wed, 11 Dec 2013 13:45:28 -0500
php5 (5.5.3+dfsg-1ubuntu2) saucy; urgency=low
* d/p/crash_in_get_zval_ptr_ptr_var.patch: cherry-pick from upstream to fix
segfault (LP: #1236733).
-- Robie Basak <email address hidden> Wed, 09 Oct 2013 11:29:29 +0000
php5 (5.5.3+dfsg-1ubuntu1) saucy; urgency=low
* Merge from Debian unstable. Remaining changes:
- d/control: drop Build-Depends that are in universe: firebird-dev,
libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
- d/rules: drop configuration of packages that are in universe: qdbm,
onig.
- d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
interbase or firebird.
- d/rules: export DEB_HOST_MULTIARCH properly.
- d/control: drop binary packages php5-imap, php5-interbase and
php5-mcrypt since we have separate versions in universe.
- d/modulelist: drop imap, interbase and mcrypt since we have separate
versions in universe.
- d/rules: drop configuration of imap and mcrypt since we have separate
versions in universe.
- d/source_php5.py, d/rules: add apport hook.
- d/rules: stop mysql instance on clean just in case we failed in tests.
- d/control, d/rules: re-enable libedit-dev.
- d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
as only the latter is in main.
- d/rules, d/control: drop use of dh_systemd as it is in universe.
- d/control: relegate php5-json and pkg-php-tools from Recommends to
Suggests as they are in universe.
php5 (5.5.3+dfsg-1) unstable; urgency=low
* New upstream version 5.5.3+dfsg
* Update patches for 5.5.3 release
php5 (5.5.2+dfsg-1) unstable; urgency=low
* New upstream version 5.5.2+dfsg
* Update and refresh patches for 5.5.2 release
* Add handling for mpm_itk to libapache2-mod-php5{,filter}
(Closes: #720278)
* Add php5-readline to php5-cli Recommends to hint that it's needed
for functional php -a
php5 (5.5.1+dfsg-2) unstable; urgency=low
* Move apache2 (>= 2.4) from Pre-Depend to Depends (Closes: #711454)
* Install the headers from CGI build to get mysqlnd headers into
php5-dev package (Closes: #690395)
* Use small helper script instead of shell blob to check FPM
configuration (Closes: #718627)
-- Marc Deslauriers <email address hidden> Wed, 04 Sep 2013 08:24:35 -0400
php5 (5.5.1+dfsg-1ubuntu1) saucy; urgency=low
* Merge from Debian unstable. Remaining changes:
- d/control: drop Build-Depends that are in universe: firebird-dev,
libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
- d/rules: drop configuration of packages that are in universe: qdbm,
onig.
- d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
interbase or firebird.
- d/rules: export DEB_HOST_MULTIARCH properly.
- d/control: drop binary packages php5-imap, php5-interbase and
php5-mcrypt since we have separate versions in universe.
- d/modulelist: drop imap, interbase and mcrypt since we have separate
versions in universe.
- d/rules: drop configuration of imap and mcrypt since we have separate
versions in universe.
- d/source_php5.py, d/rules: add apport hook.
- d/rules: stop mysql instance on clean just in case we failed in tests.
- d/control, d/rules: re-enable libedit-dev.
- d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
as only the latter is in main.
- d/rules, d/control: drop use of dh_systemd as it is in universe.
- d/control: relegate php5-json and pkg-php-tools from Recommends to
Suggests as they are in universe.
php5 (5.5.1+dfsg-1) unstable; urgency=low
* New upstream version 5.5.1+dfsg
* Update patches for 5.5.1 release
-- Marc Deslauriers <email address hidden> Wed, 24 Jul 2013 09:28:07 -0400
php5 (5.5.0+dfsg-15ubuntu1) saucy; urgency=low
* Merged from Debian unstable to get security fix.
php5 (5.5.0+dfsg-15) unstable; urgency=low
* CVE-2013-4113: Fix heap corruption in xml parser (Closes: #717139)
-- Marc Deslauriers <email address hidden> Thu, 18 Jul 2013 11:48:29 -0400
php5 (5.5.0+dfsg-14ubuntu1) saucy; urgency=low
* Merge from Debian unstable. Remaining changes:
- d/control: drop Build-Depends that are in universe: firebird-dev,
libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
- d/rules: drop configuration of packages that are in universe: qdbm,
onig.
- d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
interbase or firebird.
- d/rules: export DEB_HOST_MULTIARCH properly.
- d/control: drop binary packages php5-imap, php5-interbase and
php5-mcrypt since we have separate versions in universe.
- d/modulelist: drop imap, interbase and mcrypt since we have separate
versions in universe.
- d/rules: drop configuration of imap and mcrypt since we have separate
versions in universe.
- d/source_php5.py, d/rules: add apport hook.
- d/rules: stop mysql instance on clean just in case we failed in tests.
- d/control, d/rules: re-enable libedit-dev.
- d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
as only the latter is in main.
- d/rules, d/control: drop use of dh_systemd as it is in universe.
- d/control: relegate php5-json from Recommends to Suggests as it is in
universe.
* Relegate pkg-php-tools Recommends to Suggests as it is in universe.
-- Robie Basak <email address hidden> Wed, 17 Jul 2013 18:00:02 +0000
php5 (5.5.0+dfsg-6ubuntu1) saucy; urgency=low
* Merge from Debian unstable. Remaining changes:
- d/control: drop Build-Depends that are in universe: firebird-dev,
libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
- d/rules: drop configuration of packages that are in universe: qdbm,
onig.
- d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
interbase or firebird.
- d/rules: export DEB_HOST_MULTIARCH properly.
- d/control: drop binary packages php5-imap, php5-interbase and
php5-mcrypt since we have separate versions in universe.
- d/modulelist: drop imap, interbase and mcrypt since we have separate
versions in universe.
- d/rules: drop configuration of imap and mcrypt since we have separate
versions in universe.
- d/source_php5.py, d/rules: add apport hook.
- d/rules: stop mysql instance on clean just in case we failed in tests.
- d/control, d/rules: re-enable libedit-dev.
* Remaining changes that were previously undocumented:
- d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
as only the latter is in main.
* Drop changes:
- Add build-dependency on lemon, which we now need. This is evidently no
longer required, since there is no sign of it being used in
5.4.15-1ubuntu3.
- Dropped libcurl-dev not in the archive. libcurl-dev is a virtual
alternative, so doesn't need to be dropped.
- debian/control: replace build-depends on mysql-server with
mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
mysql-server-5.5 postinst confusion with starting up multiple
mysqlds listening on the same port. The test infrastructure in packaging
has changed, and now breaks without the mysql-server-5.5 postinst having
run and created the mysql user. However, it also finds an available port
itself so no longer conflicts with our mysql-server-5.5 postinst.
- Patches included upstream:
+ debian/patches/CVE-2013-2110.patch
+ debian/patches/fix_gd_210.patch
+ debian/patches/CVE-2013-4635.patch
+ debian/patches/CVE-2013-4636.patch
* Drop changes that were previously undocumented:
- d/rules: adjust memory limits in .ini files. It appears that this was
intended to be dropped back in 5.4.6-1ubuntu1, going by the old
changelog entry.
- d/rules: adjust openssl path in configure script. PHP still appears to
configure, detect and build openssl-related components correctly
regardless.
- d/rules: disable parallel builds. There is no previous explanation as to
why this was disabled, and having this in place is standard practice and
in the Debian packaging.
- d/rules: adjust PHP5_{HOST,BUILD}_GNU_TYPE. There is no previous
explanation as to why this was present, and I can't find any regression
that would be fixed by this change.
* New changes:
- d/rules, d/control: drop use of dh_systemd as it is in universe.
- d/control: relegate php5-json from Recommends to Suggests as it is in
universe.
-- Robie Basak <email address hidden> Mon, 15 Jul 2013 14:09:59 +0000
php5 (5.4.15-1ubuntu3) saucy; urgency=low
* SECURITY UPDATE: denial of service via overflow in SdnToJewish
- debian/patches/CVE-2013-4635.patch: check value in
ext/calendar/jewish.c, add test to
ext/calendar/tests/jdtojewish64.phpt.
- CVE-2013-4635
* SECURITY UPDATE: denial of service via incorrect MIME type detection
- debian/patches/CVE-2013-4636.patch: use efree in
ext/fileinfo/libmagic/softmagic.c.
- CVE-2013-4636
-- Marc Deslauriers <email address hidden> Fri, 28 Jun 2013 08:20:11 -0400
php5 (5.4.15-1ubuntu2) saucy; urgency=low
* SECURITY UPDATE: denial of service and possible code execution via
quoted_printable_encode overflow
- debian/patches/CVE-2013-2110.patch: calculate proper string size in
ext/standard/quot_print.c, add test to
ext/standard/tests/strings/bug64879.phpt.
- CVE-2013-2110
* debian/patches/fix_gd_210.patch: fix php-gd compatibility with
libgd2 2.1.0. (LP: #1188070)
-- Marc Deslauriers <email address hidden> Tue, 11 Jun 2013 09:19:47 -0400
php5 (5.4.15-1ubuntu1) saucy; urgency=low
* Merge from Debian experimental. Remaining changes:
- d/rules: Simplify apache config settings since we never build
interbase or firebird.
- debian/rules: export DEB_HOST_MULTIARCH properly.
- Add build-dependency on lemon, which we now need.
- Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as they are
in universe.
- Dropped libcurl-dev not in the archive.
- debian/control: replace build-depends on mysql-server with
mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
mysql-server-5.5 postinst confusion with starting up multiple
mysqlds listening on the same port.
- Dropped php5-imap, php5-interbase, php5-mcrypt since we have
versions already in universe.
- Dropped libonig-dev and libqdbm since they are in universe. (libonig
MIR has been declined due to an inactive upstream. So this is
probably a permanent change).
- modulelist: Drop imap, interbase, sybase, and mcrypt.
- debian/rules:
- Dropped building of mcrypt, imap, and interbase.
- Install apport hook for php5.
- stop mysql instance on clean just in case we failed in tests
- debian/control, debian/rules: Re-enable libedit-dev.
* Dropped changes:
- debian/patches/CVE-2013-1643.patch: included upstream.
php5 (5.4.15-1) unstable; urgency=low
* Imported Upstream version 5.4.15
* Update patches for new release
* Upload to unstable
php5 (5.4.14-1) experimental; urgency=low
* Disable -gstabs usage, which was breaking clang builds and is not needed.
* Imported Upstream version 5.4.14
* Refresh patches for 5.4.14 release
php5 (5.4.13-2) experimental; urgency=low
* Add php5-readline based on libedit (Courtesy of Andreas Pour)
* Add -n to run-tests.php for php to not pick up any local php.ini.
It's not a problem on sbuilds, but it might break when building
locally. (Courtesy of Andreas Pour)
php5 (5.4.13-1) experimental; urgency=low
* Imported Upstream version 5.4.13
* Update patches for 5.4.13 release
php5 (5.4.12-2) experimental; urgency=low
* Enable interactive mode in php5-cli (Closes: #341868)
php5 (5.4.12-1) experimental; urgency=low
[ Lior Kaplan ]
* manpage: Add -S, -t options. Align -B, -E with the cli usage (Closes: #698525)
[ Ondřej Surý ]
* Imported Upstream version 5.4.12
* Update patches for 5.4.12 release
php5 (5.4.11-1) experimental; urgency=low
* Install logrotate script in php5-fpm package (Closes: #673558)
* Imported Upstream version 5.4.11
* Update patches for 5.4.11 release
-- Marc Deslauriers <email address hidden> Sun, 19 May 2013 19:13:15 -0400
php5 (5.4.9-4ubuntu2) raring; urgency=low
* SECURITY UPDATE: arbitrary file disclosure via XML External Entity
- debian/patches/CVE-2013-1643.patch: disable the entity loader in
ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
- CVE-2013-1643
-- Marc Deslauriers <email address hidden> Fri, 08 Mar 2013 16:12:43 -0500
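The CVE-2013-1643 entry above is an XML External Entity (XXE) bug: a WSDL or SOAP document declaring an external entity could pull a local file into the parsed result, and the fix makes ext/soap parse with the libxml entity loader disabled. That protects SoapClient, but XML the application parses itself through DOMDocument, SimpleXML or XMLReader needs the same treatment in application code. The following is an added example, not code from the php5 package or its changelog: it installs an entity loader that refuses every fetch, parses without LIBXML_NOENT, and additionally rejects any untrusted document that declares a DTD at all. The function name and the two sample documents are this example's own.

```php
<?php
// Added example, not from the php5 package or its changelog.
// Parses XML from an untrusted source without ever resolving an external
// entity, and rejects documents that declare a DTD.

/**
 * Returns a DOMDocument, or null when the input is malformed or carries a
 * DOCTYPE.
 */
function parse_untrusted_xml($xml)
{
    // A loader that returns null makes every external entity or DTD fetch
    // fail. libxml_set_external_entity_loader() exists since PHP 5.4 and,
    // unlike libxml_disable_entity_loader(), is not deprecated on PHP 8.
    libxml_set_external_entity_loader(function ($publicId, $systemId, $context) {
        return null;
    });
    $previousErrors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET forbids network access. LIBXML_NOENT, the flag that
        // asks libxml to substitute entities, is deliberately not passed.
        $loaded = $dom->loadXML($xml, LIBXML_NONET);
        // Untrusted input has no business declaring entities: reject any
        // document with a DTD rather than reasoning about which are harmless.
        if (!$loaded || $dom->doctype !== null) {
            return null;
        }
        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        libxml_set_external_entity_loader(null);   // restore the default loader
    }
}

// Constructed inputs (not taken from any real incident).
$xxe = '<?xml version="1.0"?>'
    . '<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    . '<r>&xxe;</r>';
$benign = '<?xml version="1.0"?><r><item id="1">ok</item></r>';

$doc = parse_untrusted_xml($xxe);
echo "xxe payload: ", $doc === null ? "rejected" : "accepted", "\n";
$doc = parse_untrusted_xml($benign);
echo "benign document: ", $doc === null ? "rejected" : $doc->textContent, "\n";
```

The entity loader is process-global state, which is why the function restores the default in the finally block; in a long-running FPM worker a loader left in place would silently affect every other libxml caller in that process. Rejecting on DOCTYPE is the check that holds regardless of libxml version or parser flags, since it never depends on how a particular libxml build decides to treat an entity reference.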