Change log for php5 package in Debian

Superseded in squeeze-release
php5 (5.3.3-7+squeeze14) squeeze-security; urgency=high


  * CVE-2012-2688: potential overflow in _php_stream_scandir
  * CVE-2012-3450: parsing bug in PDO can lead to access violations

 -- Ondřej Surý <email address hidden>  Mon, 06 Aug 2012 15:47:26 +0200
Superseded in experimental-release
php5 (5.4.6-2) experimental; urgency=low


  * Merge 5.4.4-5, 5.4.4-6 and 5.4.4-7 changes

 -- Ondřej Surý <email address hidden>  Thu, 30 Aug 2012 13:30:54 +0200
Superseded in wheezy-release
Superseded in sid-release
php5 (5.4.4-7) unstable; urgency=low


  * Add explanatory text about MultiViews negotiation support to
    README.Debian with additions from Christoph Anton Mitterer
    (Closes: #670945)

 -- Ondřej Surý <email address hidden>  Wed, 29 Aug 2012 09:18:14 +0200
Superseded in sid-release
php5 (5.4.4-6) unstable; urgency=low


  * Merge a fix for zlib.output_compression from the upstream git
    (Closes: #683432)
  * Re-add logic to guess default timezone from system (Closes: #673763)
    and remove the spurious warning about the selection.
  * Fix invalid generated tar files from PEAR Archive/Tar package
    (Closes: #680251)
  * Merge a couple of upstream fixes from PHP 5.4.5 and 5.4.6:
    + Fixed bug #62653: (unset($array[$float]) causes a crash).
    + Fixed bug #62565 (Crashes due non-initialized internal
      properties_table).
    + Fixed bug #61964 (finfo_open with directory causes invalid free).
    + Fixed bug #62564 (Extending MessageFormatter and adding property causes
      crash).
    + Fixed bug #62594 (segfault in mysqlnd_res_meta::set_mode).
    + Fixed bug #62616 (ArrayIterator::count() from IteratorIterator instance
      gives Segmentation fault).
    + Fixed bug #62373 (serialize() generates wrong reference to the object).
    + Fixed bug #61998 (Using traits with method aliases appears to result in
      crash during execution).
    + Fixed bug #55042 (Erealloc in iconv.c unsafe).
    + Fixed bug #62266 (Custom extension segfaults during xmlParseFile with
      FPM SAPI)

 -- Ondřej Surý <email address hidden>  Thu, 23 Aug 2012 13:59:49 +0200
Superseded in sid-release
php5 (5.4.4-5) unstable; urgency=low


  * Get rid of empty examples directory (Closes: #684108)
  * Provide sensible default configuration for PHP MIME-types inside
    Apache 2 configuration (Closes: #685340)
  * Add NEWS text about more strict extension configuration
  * Update NEWS and README.Debian based on debian-l10n-english review
    (Courtesy of Justing B Rye)
  
 -- Ondřej Surý <email address hidden>  Tue, 21 Aug 2012 17:05:06 +0200
Superseded in experimental-release
php5 (5.4.6-1) experimental; urgency=low


  * Imported Upstream version 5.4.6
  * Apply another fix to compile --without-system-tzdata
    (Courtesy of Michael Heimpold)
  * Get rid of empty examples directory (Closes: #684108), but
    keep parent directory to store test-results.txt among others
  * Provide sensible default configuration for PHP-CGI files
    (Closes: #685340)
  * Add NEWS text about default extension configuration
  * Update NEWS and README.Debian based on debian-l10n-english review
    (Courtesy of Justing B Rye)

 -- Ondřej Surý <email address hidden>  Tue, 21 Aug 2012 12:37:12 +0200
Superseded in wheezy-release
Superseded in sid-release
php5 (5.4.4-4) unstable; urgency=low


  * Fix php5-fpm segfault (PHP#62205)
  * CVE-2012-2688: potential overflow in _php_stream_scandir
    (Closes: #683274)
  * Improve security in CGI section in README.Debian (Closes: #674205)

 -- Ondřej Surý <email address hidden>  Mon, 06 Aug 2012 13:01:42 +0200
Superseded in sid-release
php5 (5.4.4-3) unstable; urgency=low


  * Update ucf/ucfr scripts to not conflict between mysql and mysqlnd
    extension (Closes: #678371)

 -- Ondřej Surý <email address hidden>  Thu, 21 Jun 2012 11:22:05 +0200
Superseded in wheezy-release
Superseded in sid-release
php5 (5.4.4-2) unstable; urgency=high


  * Fix PHP5-FPM not reporting errors to web server (nginx)
    (Closes: #677994)
  * Bump urgency to high to replace the RC2 version in testing sooner.

 -- Ondřej Surý <email address hidden>  Tue, 19 Jun 2012 09:09:13 +0200
Superseded in sid-release
php5 (5.4.4-1) unstable; urgency=low


  * Imported Upstream version 5.4.4
  * Generate 16 char salt instead of 12 char salt for SHA-512

 -- Ondřej Surý <email address hidden>  Thu, 14 Jun 2012 16:03:51 +0200
Superseded in wheezy-release
Superseded in sid-release
php5 (5.4.4~rc2-1) unstable; urgency=low


  * Imported Upstream version 5.4.4~rc2

 -- Ondřej Surý <email address hidden>  Thu, 31 May 2012 10:58:14 +0200
Superseded in sid-release
php5 (5.4.4~rc1-1) unstable; urgency=low


  * Imported Upstream version 5.4.4~rc1
   + CVE-2012-2386: Fix integer overflow leading to heap-buffer overflow
     in the Phar extension  
  * Remove some READMEs removed by upstream
   + README.SVN-RULES - upstream has moved to git
   + README.Zeus - Zeus Web Server is dead
  * CVE-2012-2386: one additional, similar vulnerable code construct in
    the Phar extension

 -- Ondřej Surý <email address hidden>  Tue, 29 May 2012 12:12:27 +0200
Superseded in sid-release
php5 (5.4.3-6) unstable; urgency=low


  [ Ondřej Surý ]
  * Merge 5.3.10-1 and 5.3.10-2 changelog
  * Remove *.patch from .gitignore, it broke adding quilt patches
  * Revert "Use system libzip (Pulled from Fedora)" (Closes: #674151)
  * Add patch to fix tt-rss backend php crash (Closes: #666200)

  [ Thorsten Glaser ]
  * Add support for Linux/m68k atomics needed by the FPM SAPI
    (Closes: #672277)

  [ Gedalya ]
  * Add logrotate script for php5-fpm (Closes: #673558)

 -- Ondřej Surý <email address hidden>  Mon, 28 May 2012 10:43:44 +0200
Superseded in sid-release
php5 (5.4.3-5) unstable; urgency=low


  * Pull patches from Fedora:
    + Update use_embedded_timezonedb.patch to r8: fix compile error
      without --with-system-tzdata configured
    + Add ldconfig post/postun for -embedded (Hans de Goede)
    + Use RTLD_NOW instead of RTLD_LAZY (pulled from Fedora)
    + Use system libzip (pulled from Fedora)
  * Disable undefined ZIP_OVERWRITE to allow compile with system libzip

 -- Ondřej Surý <email address hidden>  Mon, 21 May 2012 13:37:35 +0200
Superseded in sid-release
php5 (5.4.3-4) unstable; urgency=low


  * Fix tests ([ERROR] Can't start server: bind-address refers to
    multiple interfaces!) (Closes: #672588)

 -- Ondřej Surý <email address hidden>  Tue, 15 May 2012 18:01:55 +0200
Superseded in sid-release
php5 (5.4.3-3) unstable; urgency=low


  * Disable log redirection in debian/setup-mysql.sh to help diagnose
    the setup-mysql.sh failure (still not fixed, but not reproducible
    on my local box)

 -- Ondřej Surý <email address hidden>  Tue, 15 May 2012 14:27:12 +0200
Superseded in sid-release
php5 (5.4.3-2) unstable; urgency=low


  * Add --no-defaults to rest of the mysql commands in setup-mysql.sh
    script (Closes: #672588)
  * Add debugging info to debian/setup-mysql.sh to help diagnose any
    further problems

 -- Ondřej Surý <email address hidden>  Tue, 15 May 2012 10:26:34 +0200
Superseded in squeeze-release
php5 (5.3.3-7+squeeze8) squeeze-security; urgency=low


  * Deprecated error should use E_DEPRECATED and not E_WARNING
    (Closes: #632838)
  * CVE-2012-0781: Fix for Tidy::diagnose() NULL pointer dereference
  * CVE-2011-4153: Fix PHP 5 does not always check the return value of
    the zend_strndup function
  * CVE-2010-4697: use-after-free vulnerability
  * CVE-2011-1092: denial of service and possible data disclosure
    through integer overflow
  * CVE-2011-1148: improve reference counting
  * CVE-2011-1464: limit amount of precision to ensure fitting within
    MAX_BUF_SIZE
  * CVE-2011-1467: check for invalid attribute symbols in
    NumberFormatter::setSymbol()
  * CVE-2011-1468: fix memory leak of openssl contexts
  * CVE-2011-1469: improve pointer handling to fix denial of service
    through application crash when using HTTP proxy with the FTP wrapper
  * CVE-2011-1470: denial of service through application crash when
    handling ziparchive streams
  * CVE-2011-1657: DoS in zip handling due to addGlob() crashing on
    invalid flags
  * CVE-2011-3182: DoS due to failure to check for memory allocation
    errors
  * CVE-2011-3267: DoS in errorlog() when passed NULL
  * CVE-2012-0788: PDORow session denial of service
  * CVE-2012-0831: magic_quotes_gpc remote disable vulnerability
    (NOTE: magic_quotes_gpc is DEPRECATED and will be removed from
    PHP 5.4, e.g. you should not use them in any case!)
  * CVE-2011-1072,CVE-2011-1144: symlink tmp races in pear install

 -- Ondřej Surý <email address hidden>  Fri, 10 Feb 2012 10:21:11 +0100
Superseded in sid-release
php5 (5.4.3-1) unstable; urgency=low


  * Imported Upstream version 5.4.3
    + CVE-2012-2311: Complete fix for PHP-CGI query string parameter
      vulnerability
    + CVE-2012-2329: Fix a buffer overflow vulnerability in the
      apache_request_headers() (PHP 5.3 is not vulnerable)

 -- Ondřej Surý <email address hidden>  Wed, 09 May 2012 08:48:10 +0200
Superseded in sid-release
php5 (5.4.2-1) unstable; urgency=low


  * Imported Upstream version 5.4.2
    + [CVE-2012-1823] Fix PHP-CGI query string parameter vulnerability.

 -- Ondřej Surý <email address hidden>  Fri, 04 May 2012 08:47:42 +0200
Superseded in sid-release
php5 (5.4.1-1) unstable; urgency=low


  * Imported Upstream version 5.4.1
    + Fixed insufficient validating of upload name leading to corrupted
      $_FILES indices. (CVE-2012-1172).
    + Add open_basedir checks to readline_write_history and
      readline_read_history.
    + Add Apache 2.4 support (.deb package in experimental coming soon)
    + Added debug info handler to DOM objects.
  * Remove Breaks: on php applications on maintainer requests:
    + simplesamlphp
    + php-horde-auth
  * Add better configuration snippet for CGI (Closes: #571795)
  * Update a description of PHP language based on the text from upstream
    web page (http://www.php.net/manual/en/intro-whatis.php)
  * Enable embed SAPI (Closes: #380731)
  * Add lintian override for libphp5-embed: embedded-library
    usr/lib/libphp5.so: file
  * Add ldconfig to libphp5-embed.{postinst,postrm}
  * Fix #EXTRA# processing for SAPIs (extra ; at the end of sed cmd)

 -- Ondřej Surý <email address hidden>  Thu, 03 May 2012 13:29:07 +0200
Superseded in sid-release
php5 (5.4.1~rc1-1) unstable; urgency=low


  * Add information about flavor of INI file inside the INI file,
    install php.ini-development INI to /usr/share/php5 (Closes: #667711)
  * Imported Upstream version 5.4.1~rc1
  * Update patches for the 5.4.1RC1 release

 -- Ondřej Surý <email address hidden>  Fri, 06 Apr 2012 15:04:08 +0200
Superseded in sid-release
php5 (5.4.0-4) unstable; urgency=low


  * Change id -u+getent combo to whoami (Courtesy of Michiel van
    Leening)
  * Fix missing FOUND declaration (pulled from dotdeb)
  * Add Breaks for all known broken packages not working with PHP 5.4
    (Closes: #666411)

 -- Ondřej Surý <email address hidden>  Fri, 06 Apr 2012 12:46:14 +0200
Superseded in wheezy-release
Superseded in sid-release
php5 (5.4.0-3) unstable; urgency=high


  [ Thijs Kinkhorst ]
  * Correct version number; 5.4.0~rc7-3 never existed
  * Add placeholder build-arch, build-indep targets
  * Each module needs to depend on ucf, as it's used in postinst
  * Newer version of roundcube available that isn't broken anymore
  * Checked for policy 3.9.3

  [ Ondřej Surý ]
  * Remove Pre-Depends on dpkg-maintscript-helper
  * Remove obsolete configure options
  * Add support for *.extra.{post,pre}{inst,rm} files
  * Add support for MultiArch libgd2-xpm-dev
  * Add support for MultiArch libmysqlclient-dev
  * Add Lior to maintainers
  * setup-mysql.sh changed to:
    + never run as root (fix needed for MySQL 5.5 in pbuilder)
    + drop and create database test which may or may not exist
  * Restart apache2 instead of reloading on first install
    (Closes: #589386)

  [ Julien Cristau ]
  * Fix postinst scripts to not use 'local' outside functions (Closes:
    #664853, #664849)

 -- Ondřej Surý <email address hidden>  Wed, 14 Mar 2012 08:49:32 +0100
Published in lenny-release
php5 (5.2.6.dfsg.1-1+lenny16) oldstable-security; urgency=low


  * Fix UMR in php_register_variable_ex (pull from upstream SVN)

 -- Ondřej Surý <email address hidden>  Fri, 03 Feb 2012 09:01:31 +0100
Superseded in wheezy-release
Superseded in sid-release
php5 (5.4.0-2) unstable; urgency=low


  * Build depend on libpng-dev | libpng12-dev (Closes: #662466)

 -- Ondřej Surý <email address hidden>  Mon, 05 Mar 2012 13:26:06 +0100
Superseded in sid-release
php5 (5.4.0-1) unstable; urgency=low


  * PHP 5.4 has landed in unstable
  * Imported Upstream version 5.4.0
  * Use $(filter pattern...,text) instead of $(findstring find,in) in
    debian/rules to match against space separated list of words and not
    substrings (Closes: #660647)

 -- Ondřej Surý <email address hidden>  Sat, 03 Mar 2012 16:03:12 +0100
Deleted in experimental-release (Reason: None provided.)
php5 (5.4.0~rc8-2) experimental; urgency=low


  * Use $(filter pattern...,text) instead of $(findstring find,in) in
    debian/rules to match against space separated list of words and not
    just substrings (i386 != hurd-i386) (Closes: #660647)

 -- Ondřej Surý <email address hidden>  Mon, 20 Feb 2012 17:26:54 +0100
Superseded in wheezy-release
Superseded in sid-release
php5 (5.3.10-2) unstable; urgency=low


  * Use $(filter pattern...,text) instead of $(findstring find,in) in
    debian/rules to match against space separated list of words and not
    substrings (Closes: #660647)
  * CVE-2012-0831: magic_quotes_gpc remote disable vulnerability (NOTE:
    magic_quotes_gpc is DEPRECATED and will be removed from PHP 5.4,
    e.g. you should not use them!), also fix regression in CVE-2012-0831
    (LP#930115)
  * Depends on non-forking fuser in psmisc (Closes: #633100)
  * Add Pre-Depends: dpkg (>= 1.15.7.2~) | dpkg-maintscript-helper to
    allow single upgrade path (dpkg-maintscript-helper package will be
    provided for Ubuntu Lucid PPA)

 -- Ondřej Surý <email address hidden>  Mon, 20 Feb 2012 17:40:24 +0100
Superseded in experimental-release
php5 (5.4.0~rc8-1) experimental; urgency=low


  * Imported Upstream version 5.4.0~rc8
  * Improve maxlifetime script to scan for more SAPIs and scan all *.ini
    in conf.d directory
  * Move php5-mysqlnd to Priority: extra to make debcheck happy
  * Check for dpkg-maintscript-helper existence in php5-fpm maintainer
    scripts
  * Add Pre-Depends: dpkg (>= 1.15.7.2~) | dpkg-maintscript-helper to
    allow single upgrade path (dpkg-maintscript-helper package will be
    provided for Ubuntu Lucid PPA)

 -- Ondřej Surý <email address hidden>  Fri, 17 Feb 2012 21:37:05 +0100
Deleted in experimental-release (Reason: None provided.)
php5 (5.4.0~rc7-2) experimental; urgency=low


  * Use corrected module PHPAPI (20100525) and not (220100525)
  * Use $ZEND_MODULE_API_NO for $DEBIAN_PHP_API. Check for PHPAPI
    changes, so we don't become binary incompatible without knowing it.
  * Update debian/README.Debian.security:
    + register_globals was removed from PHP 5.4
    + Remove safe_mode (removed upstream) and update and reformat text
      slightly
    + Reviewed by english l10n team (thanks a lot)
  * php5-fpm now listen on socket instead of localhost by default
    (Closes: #650204)
  * Add NEWS about change of default location of php5-fpm socket
  * Stop php5-fpm on runlevels 0 1 6 (Closes: #650203)
  * Add -ignore_readdir_race to find call in session cleanup (#634864)
  * Don't prefix extension list automatically, it's done by subsvars now
    (Closes: #633491)
  * Depends on non-forking fuser in psmisc (Closes: #633100)
  * php5-common.README.Debian additions and cleanup:
    + Add a paragraph about PHP_INI_SCAN_DIR (Closes: #659123)
    + Reformat README.Debian to common formatting
    + Mention php5-fpm where appropriate
    + Use 'PHP 5' and 'Apache HTTP Server' instead of php5 and apache2

 -- Ondřej Surý <email address hidden>  Thu, 09 Feb 2012 00:03:26 +0100
Superseded in experimental-release
php5 (5.4.0~rc7-1) experimental; urgency=low


  [ Thijs Kinkhorst ]
  * Textual improvements to README.Debian.security, NEWS
    (closes: #632675,#643015,#658208).

  [ Ondřej Surý ]
  * Imported Upstream version 5.4.0~rc7
    + CVE-2012-0830: Fixed arbitrary remote code execution vulnerability
      reported by Stefan Esser.
    + CVE-2011-3389: Fix possible attack in SSL sockets with SSL 3.0/TLS 1.0.

 -- Ondřej Surý <email address hidden>  Fri, 03 Feb 2012 11:03:39 +0100
Superseded in wheezy-release
Superseded in sid-release
php5 (5.3.10-1) unstable; urgency=high


  [ Raphael Geissert ]
  * Remove myself from uploaders
  * Randomly choose the mysql server's port

  [ Ondřej Surý ]
  * Fix use_embedded_timezonedb.patch in custom builds (Courtesy of
    Dominic Scheirlinck) (Closes: #652599)
  * Fix typo in firebird2.1-dev build dependency
  * Update gbp.conf for 5.3.x branch
  * Imported Upstream version 5.3.10
    + CVE-2012-0830: Fixed arbitrary remote code execution vulnerability
      reported by Stefan Esser.

 -- Ondřej Surý <email address hidden>  Fri, 03 Feb 2012 09:38:06 +0100
Superseded in experimental-release
php5 (5.4.0~rc6-3) experimental; urgency=low


  * ucfize php5-module.* and store priority in module .ini file
  * Store dsonames in maintainer scripts to make postrm work
  * Make php5enmod idempotent

 -- Ondřej Surý <email address hidden>  Thu, 02 Feb 2012 12:25:54 +0100
Superseded in experimental-release
php5 (5.4.0~rc6-2) experimental; urgency=low


  * Merge all changes from Debian unstable branch (up to 5.3.9-6)
  * Fix -Wformat-security error in mysqlnd
  * Add php5{en,dis}mod to enable/disable modules from maintainer
    scripts (Closes: #447826, #582320, #627145)
    (Initial work courtesy of Clint Byrum)
  * Modify comments in php.inis to match compiled default session
  * Adjust new 5.3 patches for 5.4 branch
  * Ensure pdo.so is loaded before all other modules
  * Add trigger to restart php5-fpm when module is installed/removed
  * Remove --with-ttf and --with-t1lib (Closes: #658248, #638755)
  * Add debian/NEWS item about missing t1lib functions

 -- Ondřej Surý <email address hidden>  Wed, 01 Feb 2012 18:27:30 +0100
Superseded in sid-release
php5 (5.3.9-6) unstable; urgency=low


  * Build MySQL extensions with Native Driver as an alternative
    (Closes: #576412)
  * Set default mysql socket location to /var/run/mysqld/mysqld.sock
  * Move php5-sqlite postinst code to postinst.extra
  * Cherry-pick patches from Fedora:
    + Fix mysqlnd socket location fix
    + Define _GNU_SOURCE in the configure.in
    + Typing fixes in dba extension
    + Don't add RPATH to extensions
  * Add missing check for dpkg-maintscript-helper in sqlite preinst
    and postrm
  * Add code to specify priority of modules to load mysqlnd.so before
    mysql.so and mysqli.so in php5-mysqlnd package
  * Alter version in rm_conffile call to 5.3.9~ to handle all possible
    versions due to binNMUs (Closes: #656495)
  * Add more condition when to remove empty postinst script

 -- Ondřej Surý <email address hidden>  Tue, 31 Jan 2012 15:25:57 +0100
Superseded in sid-release
php5 (5.3.9-5) unstable; urgency=low


  * Use DEB_HOST_ARCH, not DEB_HOST_ARCH_OS to check where to build
    firebird module (Closes: #645401)
  * Add back firebird2.5-dev and firebird2.1-dev to allow backports
  * Disable tests on hurd-i386 for now, because it FTBFS
  * Don't fail if suhosin is not enabled (Closes: #657808)

 -- Ondřej Surý <email address hidden>  Sun, 29 Jan 2012 09:27:28 +0100
Superseded in sid-release
php5 (5.3.9-4) unstable; urgency=low


  * Remove suhosin patch from description and add short NEWS about
    disabling Suhosin patch (Closes: #657697)
  * Re-enable firebird extension build on armhf and powerpcspe
    (Closes: #657691)

 -- Ondřej Surý <email address hidden>  Sat, 28 Jan 2012 08:50:42 +0100
Superseded in sid-release
php5 (5.3.9-3) unstable; urgency=low


  * Don't build firebird extension on hurd, m68k, hppa, ppc64, armhf and
    powerpcspe (Closes: #651070)
  * Avoid ptrace hangs when building on hurd
  * Check for dpkg-maintscript-helper existence instead of hard dpkg
    dependency to allow backported packages on older (Ubuntu lucid)
    systems
  * Remove Suhosin patch, but add PHP5_SUHOSIN=no/yes option to
    debian/rules
  * Update patches after suhosin.patch removal and update suhosin.patch to
    cleanly apply as a last patch in the series
  * Replace firebird2.[15]-dev (transitional) dependencies with
    firebird-dev
  * More Firebird adjustments, don't build the extension on more ports,
    where firebird-dev is not available

 -- Ondřej Surý <email address hidden>  Fri, 27 Jan 2012 11:02:48 +0100
Superseded in sid-release
php5 (5.3.9-2) unstable; urgency=low


  * Handle sqlite.so removal (remove conffile) (Closes: #656495)
  * Add Breaks: roundcube-sqlite since we no longer ship sqlite.so

 -- Ondřej Surý <email address hidden>  Tue, 24 Jan 2012 09:55:56 +0100
Superseded in experimental-release
php5 (5.4.0~rc6-1) experimental; urgency=low


  * Imported Upstream version 5.4.0~rc6

 -- Ondřej Surý <email address hidden>  Fri, 20 Jan 2012 15:30:48 +0100
Superseded in experimental-release
php5 (5.4.0~rc5-1) experimental; urgency=low


  * Imported Upstream version 5.4.0~rc5
  * Update patches for new release
  * Disable suhosin patch

 -- Ondřej Surý <email address hidden>  Thu, 19 Jan 2012 19:23:36 +0100
Superseded in wheezy-release
Superseded in sid-release
php5 (5.3.9-1) unstable; urgency=low


  * Remove obsolete sqlite(2) module from php5-sqlite
  * Use correct signals in php5-fpm init script (Closes: #645934)
  * Imported Upstream version 5.3.9
  * Adapt debian/patches to 5.3.9 release

 -- Ondřej Surý <email address hidden>  Wed, 11 Jan 2012 16:33:20 +0100
Superseded in wheezy-release
Superseded in sid-release
php5 (5.3.8.0-1) unstable; urgency=low


  * Re-re-imported upstream version 5.3.8, as a new sourceful update,
    in order to prevent the package from remaining as a native package.

 -- Sean Finney <email address hidden>  Thu, 27 Oct 2011 17:17:02 +0200
Superseded in experimental-release
php5 (5.4.0~beta2-1) experimental; urgency=low


  * Remove obsolete sqlite(2) module from php5-sqlite
  * Use correct signals in php5-fpm init script (Closes: #645934)
  * Update gbp.conf for experimental branch
  * Imported Upstream version 5.4.0~beta2
  * Refresh patches for the 5.4.0beta2 release
  * Remove php.ini-paranoid, it's almost useless now
  * Remove safe_mode setting from suhosin, it has been removed upstream
  * Remove the php_stream stuff to allow compiling with system-wide
    libgd
  * php5-common.docs: Don't install non-existent TODO file

 -- Ondřej Surý <email address hidden>  Sat, 22 Oct 2011 18:39:33 +0200
Superseded in squeeze-release
php5 (5.3.3-7+squeeze3) squeeze-security; urgency=low

  * Fix CVE-2011-2202: File path injection vulnerability in RFC1867 File
    upload filename
  * Refresh CVE-2011-2202 patch
  * Update gbp.conf for debian-squeeze branch

 -- Ondřej Surý <email address hidden>  Tue, 28 Jun 2011 10:03:34 +0200
Superseded in lenny-release
php5 (5.2.6.dfsg.1-1+lenny13) oldstable-security; urgency=low


  * Remove stray php_printf from CVE-2010-2531 (Closes: #632194)

 -- Ondřej Surý <email address hidden>  Fri, 01 Jul 2011 09:49:45 +0200
Superseded in wheezy-release
Superseded in sid-release
php5 (5.3.8-2) unstable; urgency=low


  * Fix botched upload when git-buildpackage didn't play well with
    bz2 upstream archive
  * Add additional temporary fix for MultiArch OpenSSL

 -- Ondřej Surý <email address hidden>  Mon, 12 Sep 2011 09:06:10 +0200
Superseded in wheezy-release
Superseded in sid-release
php5 (5.3.8-1) unstable; urgency=low


  * Imported Upstream version 5.3.8
  * Refresh patches to 5.3.8 release
  * Pull fixes for DateTime tests from upstream SVN
  * Add additional temporary fix for MultiArch for sybase/mssql

 -- Ondřej Surý <email address hidden>  Wed, 24 Aug 2011 13:13:51 +0200
Superseded in sid-release
php5 (5.3.7-1) unstable; urgency=low


  * Imported Upstream version 5.3.7
  * Update patches to the new 5.3.7 release and remove those merged
    upstream
  * Don't require autoconf 2.59 and lower, we'll deal with consequences
  * Add MultiArch fix for LDAP libraries
  * Remove PEAR patching with CVE-2011-1144.patch which was merged upstream

 -- Ondřej Surý <email address hidden>  Fri, 19 Aug 2011 14:18:03 +0200
Superseded in wheezy-release
Superseded in sid-release
php5 (5.3.6-13) unstable; urgency=low

  * Fix CVE-2011-2483: 8-bit character mishandling allows different
    password pairs to produce the same hash (Closes: #631347)
  * Add support for $2x$ identifier as blowfish variant in crypt.c to
    allow backward compatibility with old invalid hashes
  * Return fail string (*0) on invalid Blowfish salt rounds
  * Add NEWS item about incompatible blowfish hashes
  * Fix CVE-2011-1938: Stack-based buffer overflow in the socket_connect
    function in ext/sockets/sockets.c in PHP 5.3.3 through 5.3.6 might
    allow context-dependent attackers to execute arbitrary code via a
    long pathname for a UNIX socket.

 -- Ondřej Surý <email address hidden>  Mon, 04 Jul 2011 12:41:07 +0200
Superseded in squeeze-release
php5 (5.3.3-7+squeeze1) squeeze-security; urgency=high

  * Fix CVE-2011-0441: arbitrary files removal via cronjob (Closes #618489)

 -- Raphael Geissert <email address hidden>  Thu, 17 Mar 2011 21:06:26 -0600
Superseded in wheezy-release
Superseded in sid-release
php5 (5.3.6-12) unstable; urgency=low

  * Bump standards version to 3.9.2
  * Update cron.d code to even safer variant (Courtesy of Bob Proulx)
  * Small optimization in cron.d script (Courtesy of Marcus Cobden)
  * Add firebird2.1-dev option to allow backports
  * Pull (and fix broken patch) multiarch workaround from Ubuntu natty
  * Add error message when phpize is not found (Closes: #627937)
  * Enable pcntl extension for CGI builds (Closes: #627941), but
    disable all pcntl functions by default
  * File path injection vulnerability in RFC1867 File upload filename
    [CVE-2011-2202]

 -- Ondřej Surý <email address hidden>  Wed, 15 Jun 2011 11:06:40 +0200
Superseded in sid-release
php5 (5.3.6-11) unstable; urgency=low

  * Use more reasonable default number of processes for PHP5-FPM
  * Enable firebird support everywhere also in debian/rules
  * Don't delete still used session files (Closes: #626640)
  * Enable building of php5-interbase by adding Architecture: any
    to debian/control
  * Use dh_prep instead of dh_clean -k

 -- Ondřej Surý <email address hidden>  Sat, 14 May 2011 22:15:32 +0200
Superseded in sid-release
php5 (5.3.6-10) unstable; urgency=low

  * Purge .start files in postrm, not in prerm (Closes: #607520)
  * Register config files to UCF Registry

 -- Ondřej Surý <email address hidden>  Sat, 30 Apr 2011 13:16:27 +0200
Superseded in sid-release
php5 (5.3.6-9) unstable; urgency=low

  * Make sure even harder to not leave any stale file after purging the
    package (Closes: #607520)
  * Move libapache2-mod-php5filter to extra to satisfy policy
  * Remove oldstable dependency on firebird2.0-dev
  * Enable php5-interbase on all platforms and update build dependency
    on firebird2.5-dev
  * Import backported upstream fix for fopen fails on some SSL urls
  * Remove windows devel file from php5-dev
  * Add more lintian-overrides:
    + Missing dependency on phpapi for php5-common is not missing
    + php-pear is keeping its original directory structure
    + Double the filenames (./usr vs usr) to fix difference between
      lintian versions
    + the embedded file library (libmagic) is unfortunately a custom
      one and cannot be replaced by system one (it's on the TODO list)

 -- Ondřej Surý <email address hidden>  Thu, 28 Apr 2011 13:37:07 +0200
Superseded in sid-release
php5 (5.3.6-8) unstable; urgency=low

  * Provides/Replaces/Conflicts: php5-idn (Closes: #547117)
  * Build depend on libdb-dev (>= 5.1) (Closes: #621443)

 -- Ondřej Surý <email address hidden>  Sun, 10 Apr 2011 23:27:44 +0200
Superseded in sid-release
php5 (5.3.6-7) unstable; urgency=low

  * Disable SSLv2 when disabled in OpenSSL (Closes: #620776)

 -- Ondřej Surý <email address hidden>  Mon, 04 Apr 2011 08:40:25 +0200
Superseded in sid-release
php5 (5.3.6-6) unstable; urgency=low

  * Fix order of do_check in php5-fpm.init to check for the right return
    code

 -- Ondřej Surý <email address hidden>  Thu, 31 Mar 2011 11:46:49 +0200
Superseded in sid-release
php5 (5.3.6-5) unstable; urgency=low

  * Don't fail the php5-fpm init.d script if VERBOSE is `no'
  * Fix some compile errors with --enable-maintainer-zts as reported by
    Raphaël Gertz
  * Make php5-fpm init.d script even less verbose on startup

 -- Ondřej Surý <email address hidden>  Mon, 28 Mar 2011 17:05:17 +0200
Superseded in sid-release
php5 (5.3.6-4) unstable; urgency=low

  * Merged r308688 fix s/raiseErro/raiseError/ and fixed parentheses in
    r309043 (Closes: #619307) (Courtesy of upstream and Ernesto Domato)
  * Make locales-all build dependency useful by fixing language tests
    to use de_DE.UTF-8
  * Debian packaging:
    + Allow easy porting to Ubuntu by adding alternate dependency for
      locales-all -> language-pack-de, because only German locale is used
      in the tests
    + Fix missing debhelper token in php5-fpm.preinst
  * Explicitly set pm.start_servers in php5-fpm to make it quiet
  * Update php5-fpm.init according to latest /etc/init.d/skeleton
    (Closes: #619383)

 -- Ondřej Surý <email address hidden>  Wed, 23 Mar 2011 16:44:28 +0100
Superseded in sid-release
php5 (5.3.6-2) unstable; urgency=low

  * Update default configuration file for php5-fpm (Closes: #619104)
  * Depend only on libdb4.8-dev | libdb4.6-dev to match apache2
    (Closes: #619036)
    + Will coordinate change to db5.1 with apache2 maintainer

 -- Ondřej Surý <email address hidden>  Mon, 21 Mar 2011 11:54:04 +0100
Superseded in sid-release
php5 (5.3.6-1) unstable; urgency=low

  * Imported Upstream version 5.3.6
    + PEAR updated to 1.9.2 (CVE-2011-1072)
  * Cherry-pick CVE-2011-1144 from PEAR 1.9.3 (Closes: #546164)
  * Debian packaging:
    + Start using pristine-tar
    + Remove patches merged upstream or otherwise deprecated
    + Move php5-fpm.postrm extras to debian/rules
  * FPM SAPI changes:
    + Set initial chdir to /tmp in www pool (Closes: #601243)
    + Rename main configuration file to php-fpm.conf to match upstream
    + Enable error reporting in init.d file
    + Patch FPM SAPI to use Debian php-fpm.conf as default
  * Fix regression with missing CRYPT_SALT_LENGTH (Closes: #603012)
  * Generate SHA512 salt string when provided salt is null (Closes: #581170)
  * Fix FTBFS with gold or ld --no-add-needed (Closes: #615770)
  * Don't mmap large >4GB files
  * CVE-2011-0441: Be more careful when removing session files
    (Closes: #618489)

 -- Ondřej Surý <email address hidden>  Fri, 18 Mar 2011 15:51:50 +0100
Superseded in sid-release
php5 (5.3.5-1) unstable; urgency=low

  * Imported Upstream version 5.3.5
  * Updated suhosin patch to 0.9.10
  * Add Conflict: with php5-idn to php5-intl (Closes: #610935)
  * Build the FPM SAPI (Closes: #603174)
  * Adapted (and removed upstream-applied) patches to php 5.3.5

 -- Ondřej Surý <email address hidden>  Wed, 16 Feb 2011 15:17:32 +0100
Superseded in wheezy-release
Superseded in squeeze-release
Superseded in sid-release
php5 (5.3.3-7) unstable; urgency=low

  * Cherry pick patches for:
    + double free vulnerability in the imap_do_open function in the IMAP
      extension (CVE-2010-4150)
    + infinite loop with x87 CPU
    + extract() to not overwrite $GLOBALS and $this when using
      EXTR_OVERWRITE
    + crash if aa steps are invalid in GD extension
    + crash with entity declaration in simplexml.c
    + NULL dereference in Zend language scanner
    + integer overflow in SdnToJulian
    + memory leaks and possible crash introduced by NULL poisoning patch
    + leaks and crash when passing the callback as a variable
    + leak in highlight_string
    + segmentation fault in pgsql_stmt_execute when postgres is down
    + segmentation fault when extending SplFixedArray
    + segmentation fault when node is NULL in simplexml.c
    + segmentation fault when using several cloned intl objects
    + segmentation fault when using bad column_number in sqlite3 columnName
  * Add comment about cherry picked patches (and last revision) from
    upstream SVN to README.source

 -- Ondřej Surý <email address hidden>  Wed, 05 Jan 2011 11:06:20 +0100
Superseded in squeeze-release
Superseded in sid-release
php5 (5.3.3-6) unstable; urgency=medium


  * Cherry-pick fix for crashes on invalid parameters in intl extension.
    (CVE-2010-4409).
  * Cherry pick fix for crash in zip extract method (possible CWE-170)
  * Cherry pick fix for unaligned memory access in ext/hash/hash_tiger.c
  * Update CVE-2010-3870 to include test case
  * Cherry pick complete fix to reject filenames with NULL (CVE requested)

 -- Ondřej Surý <email address hidden>  Tue, 07 Dec 2010 11:15:58 +0100
Superseded in squeeze-release
Superseded in sid-release
php5 (5.3.3-5) unstable; urgency=high


  * Add firebird support for armhf (Closes: #604526)
  * More updates to open_basedir (Closes: #605391)

 -- Ondřej Surý <email address hidden>  Tue, 30 Nov 2010 12:00:37 +0100
Superseded in squeeze-release
Superseded in sid-release
php5 (5.3.3-4) unstable; urgency=low


  * Cherry pick patches for (Closes: #603751):
    + NULL pointer dereference in ZipArchive::getArchiveComment
      (CVE-2010-3709)
    + utf8_decode xml_utf8_decode vulnerability (CVE-2010-3870)
    + mb_strcut() returns garbage with the excessive length parameter
      (CVE-2010-4156)
    + possible flaw in open_basedir (CVE-2010-3436)
    + segfault in SplFileObject::fscanf
    + memory leak in PDO::FETCH_INTO
    + crash when storing many SPLFixedArray in an array
    + possible crash in php_mssql_get_column_content_without_type()
    + cURL leaks handle and causes assertion error (CURLOPT_STDERR)
    + segfault when optional parameters are not passed in to mssql_connect
    + segfault when ssl stream option capture_peer_cert_chain used
    + crash in GC because of incorrect reference counting
    + crash when calling enchant_broker_get_dict_path before set_path
    + crash in pdo_firebird getAttribute()

 -- Ondřej Surý <email address hidden>  Wed, 17 Nov 2010 10:31:58 +0100
Superseded in squeeze-release
Superseded in sid-release
php5 (5.3.3-3) unstable; urgency=high


  * Fix segfault in filter_var with FILTER_VALIDATE_EMAIL with large
    amount of data (CVE-2010-3710, Closes: #601619)

 -- Ondřej Surý <email address hidden>  Wed, 27 Oct 2010 23:39:37 +0200
Superseded in squeeze-release
Superseded in sid-release
php5 (5.3.3-2) unstable; urgency=low


  * Upload 5.3.3 to unstable
    + Fixes CVE-2010-2225, CVE-2010-2094, CVE-2010-1917, CVE-2010-1866,
      CVE-2010-2531, CVE-2010-3065.
  * Don't build FPM SAPI now
  * Bump standards version to 3.9.1
  * Synchronize system crypt patch
  * Cherry pick upstream fix for format vulnerability in phar/stream.c
    + Fixes CVE-2010-2950.
  * Set explicit error level to hide warnings on systems with modified
    php.ini (Closes: #590485)
  * Apply patch to fix loading of extensions without [PHP] section
    (Closes: #595761)
  * Set session.gc_probability back to 0 (Closes: #595706)
  * Update PHP5 description to not include references to C, Java and
    Perl (Closes: #351032)

 -- Ondřej Surý <email address hidden>  Thu, 21 Oct 2010 16:57:53 +0200
Superseded in lenny-release
php5 (5.2.6.dfsg.1-1+lenny9) stable-security; urgency=high


  * Fix CVE-2010-1917: stack consumption on the fnmatch() function
  * Fix CVE-2010-2225: use-after-free in the SplObjectStorage
    unserializer
  * Fix MOPS-2010-60: arbitrary session variables injection

 -- Raphael Geissert <email address hidden>  Tue, 03 Aug 2010 21:37:14 -0400
Deleted in experimental-release (Reason: None provided.)
php5 (5.3.3-1) experimental; urgency=low


  * Upload PHP 5.3.3 to experimental for further testing
    + Fixes odbc_autocommit (Closes: #586570)
    + Adds support for sqlite3_busy_timout (Closes: #589473)
    + Fixes CVE-2010-2225, CVE-2010-2094, CVE-2010-1917, CVE-2010-1866
      and other CVEs that do not apply to the Debian packages or are
      irrelevant as per the pre-5.3.2-2 security policy.
  * Changes pending update from unstable:
    + Use system crypt
  * Build the FPM SAPI.

 -- Raphael Geissert <email address hidden>  Sat, 31 Jul 2010 15:53:12 -0400
Superseded in squeeze-release
Superseded in sid-release
php5 (5.3.2-2) unstable; urgency=low


  [ Ondřej Surý ]
  * Fix unittest about failing crypt() calls with invalid salt

  [ Raphael Geissert ]
  * Cherry pick upstream fix for mysqli_ssl_set (Closes: #572122)
  * Cherry pick patch to reset error status on beginTransaction()
  * Cherry pick patch to add missing definition of JSON_ERROR_UTF8
  * Cherry pick patch to fix SplFileInfo::getPathName()
  * Cherry pick patch to fix a memory leak in the cyclical gc
  * Cherry pick fix for memory leak in date when gc is enabled
  * Cherry pick patch to fix an unaligned mem access in the dba ext
  * Cherry pick fix for memory issues in mysqli_options (Closes: #577784)
  * Set default session.save_path to /var/lib/php5 (Closes: #576593)
  * Don't install an extra copy of php.ini-production
  * Remove obsolete TODO list
  * Add debian/source/format and set it to 1.0
  * Add doc-base registration for Structures_Graph documentation
  * Cherry pick patch to fix multiple typos
  * Synchronize enchant patch with changes committed upstream
  * Cherry pick patch to workaround BDB 4.8 bc changes (Closes: #570149)
  * Cherry pick patch to allow the timeout on mssql to be effective p/query
  * Cherry pick patch to correctly determine length of doc_root
  * Cherry pick patch to fix a memory leak in SoapServer::handle
  * Cherry pick patch to fix SplFileInf::fscanf()'s prototype
  * Test the mysql extensions too
  * Update the security policy for Squeeze and greater
  * Include ext_skel script (Closes: #530757)

  [ Sean Finney ]
  * Fix for parallel FTBFS in (Closes: #584348)
  * Import upstream fix for pdo_mysql segfaults (Closes: #581911)
    - thanks to Richard van den Berg <email address hidden>
  * Dynamically determine maxlifetime if possible. (Closes: #504053)
    - thanks to Chris Butler <email address hidden>

 -- Raphael Geissert <email address hidden>  Sun, 18 Jul 2010 15:35:06 -0500
Superseded in lenny-release
php5 (5.2.6.dfsg.1-1+lenny8) stable-security; urgency=high


  * Fix CVE-2010-0397: null pointer dereference when processing invalid
    XML-RPC requests (Closes: #573573)

 -- Raphael Geissert <email address hidden>  Sun, 14 Mar 2010 01:05:03 -0600
Superseded in squeeze-release
Superseded in sid-release
php5 (5.3.2-1) unstable; urgency=high


  [ Sean Finney ]
  * Fix improper signed overflow detection in filter extension
    (Closes: #570287)
  * Another integer overflow/underflow logic fix. (Closes: #570144)
  * new debian patch fix_filter_var_email_test.patch (Closes: #571764)
  * New debian patch fix_var_dump_64bit.phpt.patch (Closes: #571772)
  * New debian patch use_embedded_timezonedb_fixes.patch (Closes: #571762)

  [ Raphael Geissert ]
  * Build with qdbm support
  * Really run extensions' tests
  * Add a note about user_dirs in apache conf file (Closes: #571714)
  * Fix typo in debian/NEWS
  * Don't install a(nother) useless Structures_Graph sh script
  * Re-enable short_open_tag for CLI too (Closes: #573367)
  * Disable memory limit in CLI, letting ulimit do its job (Closes: #407425)
  * Fix the locale name in some tests (Closes: #573511)
  * Fix some gd tests that need the bundled library
  * Fix a null pointer dereference when processing invalid XML-RPC
    requests (CVE-2010-0397, Closes: #573573)
  * Fix an unaligned memory access in enchant_dict_suggest()
  * Fix another unaligned memory access in enchant
  * Test that the list of extensions to test is never empty
  * Update the list of alternative dependencies of php5-dbg
  * debian/rules cleanup
  * debian/control cleanup
  * Build against the system oniguruma library
  * Add libjpeg-dev as an alternative to libjpeg62-dev for future
    transitions

  [ Ondřej Surý ]
  * Imported Upstream version 5.3.2
  * Updated suhosin patch to 0.9.9.1 version.
  * Removed debian/patches/suhosin_page_size_fixes.patch. (Closes: #571974)
  * Refreshed debian/patches/001-libtool_fixes.patch
  * Refreshed debian/patches/006-debian_quirks.patch
  * Adapt debian patches to 5.3.2.
  * Remove "binary" contents from
    debian/patches/fix_var_dump_64bit.phpt.patch
  * New debian patch fix_broken_sha2_test.patch
  * New debian patch always_use_system_crypt.patch (Closes: #572601)
  * New debian patch php_crypt_revamped.patch (Closes: #572601)

 -- Raphael Geissert <email address hidden>  Sat, 13 Mar 2010 15:11:48 -0600