Change log for php5 package in Debian
Superseded in squeeze-release

php5 (5.3.3-7+squeeze14) squeeze-security; urgency=high

  * CVE-2012-2688: potential overflow in _php_stream_scandir
  * CVE-2012-3450: parsing bug in PDO can lead to access violations

 -- Ondřej Surý <email address hidden>  Mon, 06 Aug 2012 15:47:26 +0200
Superseded in experimental-release

php5 (5.4.6-2) experimental; urgency=low

  * Merge 5.4.4-5, 5.4.4-6 and 5.4.4-7 changes

 -- Ondřej Surý <email address hidden>  Thu, 30 Aug 2012 13:30:54 +0200
php5 (5.4.4-7) unstable; urgency=low

  * Add explanatory text about MultiViews negotiation support to README.Debian with additions from Christoph Anton Mitterer (Closes: #670945)

 -- Ondřej Surý <email address hidden>  Wed, 29 Aug 2012 09:18:14 +0200
php5 (5.4.4-6) unstable; urgency=low

  * Merge a fix for zlib.output_compression from the upstream git (Closes: #683432)
  * Re-add logic to guess default timezone from system (Closes: #673763) and remove the spurious warning about the selection.
  * Fix invalid generated tar files from PEAR Archive/Tar package (Closes: #680251)
  * Merge a couple of upstream fixes from PHP 5.4.5 and 5.4.6:
    + Fixed bug #62653: (unset($array[$float]) causes a crash).
    + Fixed bug #62565 (Crashes due non-initialized internal properties_table).
    + Fixed bug #61964 (finfo_open with directory causes invalid free).
    + Fixed bug #62564 (Extending MessageFormatter and adding property causes crash).
    + Fixed bug #62594 (segfault in mysqlnd_res_meta::set_mode).
    + Fixed bug #62616 (ArrayIterator::count() from IteratorIterator instance gives Segmentation fault).
    + Fixed bug #62373 (serialize() generates wrong reference to the object).
    + Fixed bug #61998 (Using traits with method aliases appears to result in crash during execution).
    + Fixed bug #55042 (Erealloc in iconv.c unsafe).
    + Fixed bug #62266 (Custom extension segfaults during xmlParseFile with FPM SAPI)

 -- Ondřej Surý <email address hidden>  Thu, 23 Aug 2012 13:59:49 +0200
php5 (5.4.4-5) unstable; urgency=low

  * Get rid of empty examples directory (Closes: #684108)
  * Provide sensible default configuration for PHP MIME-types inside Apache 2 configuration (Closes: #685340)
  * Add NEWS text about more strict extension configuration
  * Update NEWS and README.Debian based on debian-l10n-english review (Courtesy of Justing B Rye)

 -- Ondřej Surý <email address hidden>  Tue, 21 Aug 2012 17:05:06 +0200
Superseded in experimental-release

php5 (5.4.6-1) experimental; urgency=low

  * Imported Upstream version 5.4.6
  * Apply another fix to compile --without-system-tzdata (Courtesy of Michael Heimpold)
  * Get rid of empty examples directory (Closes: #684108), but keep parent directory to store test-results.txt among others
  * Provide sensible default configuration for PHP-CGI files (Closes: #685340)
  * Add NEWS text about default extension configuration
  * Update NEWS and README.Debian based on debian-l10n-english review (Courtesy of Justing B Rye)

 -- Ondřej Surý <email address hidden>  Tue, 21 Aug 2012 12:37:12 +0200
php5 (5.4.4-4) unstable; urgency=low

  * Fix php5-fpm segfault (PHP#62205)
  * CVE-2012-2688: potential overflow in _php_stream_scandir (Closes: #683274)
  * Improve security in CGI section in README.Debian (Closes: #674205)

 -- Ondřej Surý <email address hidden>  Mon, 06 Aug 2012 13:01:42 +0200
php5 (5.4.4-3) unstable; urgency=low

  * Update ucf/ucfr scripts to not conflict between mysql and mysqlnd extension (Closes: #678371)

 -- Ondřej Surý <email address hidden>  Thu, 21 Jun 2012 11:22:05 +0200
php5 (5.4.4-2) unstable; urgency=high

  * Fix PHP5-FPM not reporting errors to web server (nginx) (Closes: #677994)
  * Bump urgency to high to replace the RC2 version in testing sooner.

 -- Ondřej Surý <email address hidden>  Tue, 19 Jun 2012 09:09:13 +0200
php5 (5.4.4-1) unstable; urgency=low

  * Imported Upstream version 5.4.4
  * Generate 16 char salt instead of 12 char salt for SHA-512

 -- Ondřej Surý <email address hidden>  Thu, 14 Jun 2012 16:03:51 +0200
php5 (5.4.4~rc2-1) unstable; urgency=low

  * Imported Upstream version 5.4.4~rc2

 -- Ondřej Surý <email address hidden>  Thu, 31 May 2012 10:58:14 +0200
Superseded in sid-release

php5 (5.4.4~rc1-1) unstable; urgency=low

  * Imported Upstream version 5.4.4~rc1
    + CVE-2012-2386: Fix integer overflow leading to heap-buffer overflow in the Phar extension
  * Remove some READMEs removed by upstream
    + README.SVN-RULES - upstream has moved to git
    + README.Zeus - Zeus Web Server is dead
  * CVE-2012-2386: one additional, similar vulnerable code construct in the Phar extension

 -- Ondřej Surý <email address hidden>  Tue, 29 May 2012 12:12:27 +0200
php5 (5.4.3-6) unstable; urgency=low

  [ Ondřej Surý ]
  * Merge 5.3.10-1 and 5.3.10-2 changelog
  * Remove *.patch from .gitignore, it broke adding quilt patches
  * Revert "Use system libzip (Pulled from Fedora)" (Closes: #674151)
  * Add patch to fix tt-rss backend php crash (Closes: #666200)

  [ Thorsten Glaser ]
  * Add support for Linux/m68k atomics needed by the FPM SAPI (Closes: #672277)

  [ Gedalya ]
  * Add logrotate script for php5-fpm (Closes: #673558)

 -- Ondřej Surý <email address hidden>  Mon, 28 May 2012 10:43:44 +0200
php5 (5.4.3-5) unstable; urgency=low

  * Pull patches from Fedora:
    + Update use_embedded_timezonedb.patch to r8: fix compile error without --with-system-tzdata configured
    + Add ldconfig post/postun for -embedded (Hans de Goede)
    + Use RTLD_NOW instead of RTLD_LAZY (pulled from Fedora)
    + Use system libzip (pulled from Fedora)
  * Disable undefined ZIP_OVERWRITE to allow compile with system libzip

 -- Ondřej Surý <email address hidden>  Mon, 21 May 2012 13:37:35 +0200
php5 (5.4.3-4) unstable; urgency=low

  * Fix tests ([ERROR] Can't start server: bind-address refers to multiple interfaces!) (Closes: #672588)

 -- Ondřej Surý <email address hidden>  Tue, 15 May 2012 18:01:55 +0200
php5 (5.4.3-3) unstable; urgency=low

  * Disable log redirection in debian/setup-mysql.sh to help diagnose the setup-mysql.sh failure (still not fixed, but not reproducible on my local box)

 -- Ondřej Surý <email address hidden>  Tue, 15 May 2012 14:27:12 +0200
php5 (5.4.3-2) unstable; urgency=low

  * Add --no-defaults to rest of the mysql commands in setup-mysql.sh script (Closes: #672588)
  * Add debugging info to debian/setup-mysql.sh to help diagnose any further problems

 -- Ondřej Surý <email address hidden>  Tue, 15 May 2012 10:26:34 +0200
Superseded in squeeze-release

php5 (5.3.3-7+squeeze8) squeeze-security; urgency=low

  * Deprecated error should use E_DEPRECATED and not E_WARNING (Closes: #632838)
  * CVE-2012-0781: Fix for Tidy::diagnose() NULL pointer dereference
  * CVE-2011-4153: Fix PHP 5 does not always check the return value of the zend_strndup function
  * CVE-2010-4697: use-after-free vulnerability
  * CVE-2011-1092: denial of service and possible data disclosure through integer overflow
  * CVE-2011-1148: improve reference counting
  * CVE-2011-1464: limit amount of precision to ensure fitting within MAX_BUF_SIZE
  * CVE-2011-1467: check for invalid attribute symbols in NumberFormatter::setSymbol()
  * CVE-2011-1468: fix memory leak of openssl contexts
  * CVE-2011-1469: improve pointer handling to fix denial of service through application crash when using HTTP proxy with the FTP wrapper
  * CVE-2011-1470: denial of service through application crash when handling ziparchive streams
  * CVE-2011-1657: DoS in zip handling due to addGlob() crashing on invalid flags
  * CVE-2011-3182: DoS due to failure to check for memory allocation errors
  * CVE-2011-3267: DoS in errorlog() when passed NULL
  * CVE-2012-0788: PDORow session denial of service
  * CVE-2012-0831: magic_quotes_gpc remote disable vulnerability (NOTE: magic_quotes_gpc is DEPRECATED and will be removed from PHP 5.4, e.g. you should not use them in any case!)
  * CVE-2011-1072,CVE-2011-1144: symlink tmp races in pear install

 -- Ondřej Surý <email address hidden>  Fri, 10 Feb 2012 10:21:11 +0100
php5 (5.4.3-1) unstable; urgency=low

  * Imported Upstream version 5.4.3
    + CVE-2012-2311: Complete fix for PHP-CGI query string parameter vulnerability
    + CVE-2012-2329: Fix a buffer overflow vulnerability in the apache_request_headers() (PHP 5.3 is not vulnerable)

 -- Ondřej Surý <email address hidden>  Wed, 09 May 2012 08:48:10 +0200
php5 (5.4.2-1) unstable; urgency=low

  * Imported Upstream version 5.4.2
    + [CVE-2012-1823] Fix PHP-CGI query string parameter vulnerability.

 -- Ondřej Surý <email address hidden>  Fri, 04 May 2012 08:47:42 +0200
php5 (5.4.1-1) unstable; urgency=low

  * Imported Upstream version 5.4.1
    + Fixed insufficient validating of upload name leading to corrupted $_FILES indices). (CVE-2012-1172).
    + Add open_basedir checks to readline_write_history and readline_read_history.
    + Add Apache 2.4 support (.deb package in experimental coming soon)
    + Added debug info handler to DOM objects.
  * Remove Breaks: on php applications on maintainer requests:
    + simplesamlphp
    + php-horde-auth
  * Add better configuration snippet for CGI (Closes: #571795)
  * Update a description of PHP language based on the text from upstream web page (http://www.php.net/manual/en/intro-whatis.php)
  * Enable embed SAPI (Closes: #380731)
  * Add lintian override for libphp5-embed: embedded-library usr/lib/libphp5.so: file
  * Add ldconfig to libphp5-embed.{postinst,postrm}
  * Fix #EXTRA# processing for SAPIs (extra ; at the end of sed cmd)

 -- Ondřej Surý <email address hidden>  Thu, 03 May 2012 13:29:07 +0200
Superseded in sid-release

php5 (5.4.1~rc1-1) unstable; urgency=low

  * Add information about flavor of INI file inside the INI file, install php.ini-development INI to /usr/share/php5 (Closes: #667711)
  * Imported Upstream version 5.4.1~rc1
  * Update patches for the 5.4.1RC1 release

 -- Ondřej Surý <email address hidden>  Fri, 06 Apr 2012 15:04:08 +0200
php5 (5.4.0-4) unstable; urgency=low

  * Change id -u+getent combo to whoami (Courtesy of Michiel van Leening)
  * Fix missing FOUND declaration (pulled from dotdeb)
  * Add Breaks for all known broken packages not working with PHP 5.4 (Closes: #666411)

 -- Ondřej Surý <email address hidden>  Fri, 06 Apr 2012 12:46:14 +0200
php5 (5.4.0-3) unstable; urgency=high

  [ Thijs Kinkhorst ]
  * Correct version number; 5.4.0~rc7-3 never existed
  * Add placeholder build-arch, build-indep targets
  * Each module needs to depend on ucf, as it's used in postinst
  * Newer version of roundcube available that isn't broken anymore
  * Checked for policy 3.9.3

  [ Ondřej Surý ]
  * Remove Pre-Depends on dpkg-maintscript-helper
  * Remove obsolete configure options
  * Add support for *.extra.{post,pre}{inst,rm} files
  * Add support for MultiArch libgd2-xpm-dev
  * Add support for MultiArch libmysqlclient-dev
  * Add Lior to maintainers
  * setup-mysql.sh changed to:
    + never run as root (fix needed for MySQL 5.5 in pbuilder)
    + drop and create database test which may or may not exist
  * Restart apache2 instead of reloading on first install (Closes: #589386)

  [ Julien Cristau ]
  * Fix postinst scripts to not use 'local' outside functions (Closes: #664853, #664849)

 -- Ondřej Surý <email address hidden>  Wed, 14 Mar 2012 08:49:32 +0100
Published in lenny-release

php5 (5.2.6.dfsg.1-1+lenny16) oldstable-security; urgency=low

  * Fix UMR in php_register_variable_ex (pull from upstream SVN)

 -- Ondřej Surý <email address hidden>  Fri, 03 Feb 2012 09:01:31 +0100
php5 (5.4.0-2) unstable; urgency=low

  * Build depend on libpng-dev | libpng12-dev (Closes: #662466)

 -- Ondřej Surý <email address hidden>  Mon, 05 Mar 2012 13:26:06 +0100
php5 (5.4.0-1) unstable; urgency=low

  * PHP 5.4 has landed in unstable
  * Imported Upstream version 5.4.0
  * Use $(filter pattern...,text) instead of $(findstring find,in) in debian/rules to match against space separated list of words and not substrings (Closes: #660647)

 -- Ondřej Surý <email address hidden>  Sat, 03 Mar 2012 16:03:12 +0100
Deleted in experimental-release (Reason: None provided.)

php5 (5.4.0~rc8-2) experimental; urgency=low

  * Use $(filter pattern...,text) instead of $(findstring find,in) in debian/rules to match against space separated list of words and not just substrings (i386 != hurd-i386) (Closes: #660647)

 -- Ondřej Surý <email address hidden>  Mon, 20 Feb 2012 17:26:54 +0100
php5 (5.3.10-2) unstable; urgency=low

  * Use $(filter pattern...,text) instead of $(findstring find,in) in debian/rules to match against space separated list of words and not substrings (Closes: #660647)
  * CVE-2012-0831: magic_quotes_gpc remote disable vulnerability (NOTE: magic_quotes_gpc is DEPRECATED and will be removed from PHP 5.4, e.g. you should not use them!), also fix regression in CVE-2012-0831 (LP#930115)
  * Depends on non-forking fuser in psmisc (Closes: #633100)
  * Add Pre-Depends: dpkg (>= 1.15.7.2~) | dpkg-maintscript-helper to allow single upgrade path (dpkg-maintscript-helper package will be provided for Ubuntu Lucid PPA)

 -- Ondřej Surý <email address hidden>  Mon, 20 Feb 2012 17:40:24 +0100
Superseded in experimental-release

php5 (5.4.0~rc8-1) experimental; urgency=low

  * Imported Upstream version 5.4.0~rc8
  * Improve maxlifetime script to scan for more SAPIs and scan all *.ini in conf.d directory
  * Move php5-mysqlnd to Priority: extra to make debcheck happy
  * Check for dpkg-maintscript-helper existence in php5-fpm maintainer scripts
  * Add Pre-Depends: dpkg (>= 1.15.7.2~) | dpkg-maintscript-helper to allow single upgrade path (dpkg-maintscript-helper package will be provided for Ubuntu Lucid PPA)

 -- Ondřej Surý <email address hidden>  Fri, 17 Feb 2012 21:37:05 +0100
Deleted in experimental-release (Reason: None provided.)

php5 (5.4.0~rc7-2) experimental; urgency=low

  * Use corrected module PHPAPI (20100525) and not (220100525)
  * Use $ZEND_MODULE_API_NO for $DEBIAN_PHP_API. Check for PHPAPI changes, so we don't become binary incompatible without knowing it.
  * Update debian/README.Debian.security:
    + register_globals was removed from PHP 5.4
    + Remove safe_mode (removed upstream) and update and reformat text slightly
    + Reviewed by english l10n team (thanks a lot)
  * php5-fpm now listens on socket instead of localhost by default (Closes: #650204)
  * Add NEWS about change of default location of php5-fpm socket
  * Stop php5-fpm on runlevels 0 1 6 (Closes: #650203)
  * Add -ignore_readdir_race to find call in session cleanup (#634864)
  * Don't prefix extension list automatically, it's done by subsvars now (Closes: #633491)
  * Depends on non-forking fuser in psmisc (Closes: #633100)
  * php5-common.README.Debian additions and cleanup:
    + Add a paragraph about PHP_INI_SCAN_DIR (Closes: #659123)
    + Reformat README.Debian to common formatting
    + Mention php5-fpm where appropriate
    + Use 'PHP 5' and 'Apache HTTP Server' instead of php5 and apache2

 -- Ondřej Surý <email address hidden>  Thu, 09 Feb 2012 00:03:26 +0100
Superseded in experimental-release

php5 (5.4.0~rc7-1) experimental; urgency=low

  [ Thijs Kinkhorst ]
  * Textual improvements to README.Debian.security, NEWS (closes: #632675,#643015,#658208).

  [ Ondřej Surý ]
  * Imported Upstream version 5.4.0~rc7
    + CVE-2012-0830: Fixed arbitrary remote code execution vulnerability reported by Stefan Esser.
    + CVE-2011-3389: Fix possible attack in SSL sockets with SSL 3.0/TLS 1.0.

 -- Ondřej Surý <email address hidden>  Fri, 03 Feb 2012 11:03:39 +0100
php5 (5.3.10-1) unstable; urgency=high

  [ Raphael Geissert ]
  * Remove myself from uploaders
  * Randomly choose the mysql server's port

  [ Ondřej Surý ]
  * Fix use_embedded_timezonedb.patch in custom builds (Courtesy of Dominic Scheirlinck) (Closes: #652599)
  * Fix typo in firebird2.1-dev build dependency
  * Update gbp.conf for 5.3.x branch
  * Imported Upstream version 5.3.10
    + CVE-2012-0830: Fixed arbitrary remote code execution vulnerability reported by Stefan Esser.

 -- Ondřej Surý <email address hidden>  Fri, 03 Feb 2012 09:38:06 +0100
Superseded in experimental-release

php5 (5.4.0~rc6-3) experimental; urgency=low

  * ucfize php5-module.* and store priority in module .ini file
  * Store dsonames in maintainer scripts to make postrm work
  * Make php5enmod idempotent

 -- Ondřej Surý <email address hidden>  Thu, 02 Feb 2012 12:25:54 +0100
Superseded in experimental-release

php5 (5.4.0~rc6-2) experimental; urgency=low

  * Merge all changes from Debian unstable branch (up to 5.3.9-6)
  * Fix -Wformat-security error in mysqlnd
  * Add php5{en,dis}mod to enable/disable modules from maintainer scripts (Closes: #447826, #582320, #627145) (Initial work courtesy of Clint Byrum)
  * Modify comments in php.inis to match compiled default session
  * Adjust new 5.3 patches for 5.4 branch
  * Ensure pdo.so is loaded before all other modules
  * Add trigger to restart php5-fpm when module is installed/removed
  * Remove --with-ttf and --with-t1lib (Closes: #658248, #638755)
  * Add debian/NEWS item about missing t1lib functions

 -- Ondřej Surý <email address hidden>  Wed, 01 Feb 2012 18:27:30 +0100
php5 (5.3.9-6) unstable; urgency=low

  * Build MySQL extensions with Native Driver as an alternative (Closes: #576412)
  * Set default mysql socket location to /var/run/mysqld/mysqld.sock
  * Move php5-sqlite postinst code to postinst.extra
  * Cherry-pick patches from Fedora:
    + Fix mysqlnd socket location fix
    + Define _GNU_SOURCE in the configure.in
    + Typing fixes in dba extension
    + Don't add RPATH to extensions
  * Add missing check for dpkg-maintscript-helper in sqlite preinst and postrm
  * Add code to specify priority of modules to load mysqlnd.so before mysql.so and mysqli.so in php5-mysqlnd package
  * Alter version in rm_conffile call to 5.3.9~ to handle all possible versions due binNMUs (Closes: #656495)
  * Add more condition when to remove empty postinst script

 -- Ondřej Surý <email address hidden>  Tue, 31 Jan 2012 15:25:57 +0100
php5 (5.3.9-5) unstable; urgency=low

  * Use DEB_HOST_ARCH, not DEB_HOST_ARCH_OS to check where to build firebird module (Closes: #645401)
  * Add back firebird2.5-dev and firebird2.1-dev to allow backports
  * Disable tests on hurd-i386 for now, because it FTBFS
  * Don't fail if suhosin is not enabled (Closes: #657808)

 -- Ondřej Surý <email address hidden>  Sun, 29 Jan 2012 09:27:28 +0100
php5 (5.3.9-4) unstable; urgency=low

  * Remove suhosin patch from description and add short NEWS about disabling Suhosin patch (Closes: #657697)
  * Re-enable firebird extension build on armhf and powerpcspe (Closes: #657691)

 -- Ondřej Surý <email address hidden>  Sat, 28 Jan 2012 08:50:42 +0100
php5 (5.3.9-3) unstable; urgency=low

  * Don't build firebird extension on hurd, m68k, hppa, ppc64, armhf and powerpcspe (Closes: #651070)
  * Avoid ptrace hangs when building on hurd
  * Check for dpkg-maintscript-helper existence instead of hard dpkg dependency to allow backported packages on older (Ubuntu lucid) systems
  * Remove Suhosin patch, but add PHP5_SUHOSIN=no/yes option to debian/rules
  * Update patches after suhosin.patch removal and update suhosin.patch to cleanly apply as a last patch in the series
  * Replace firebird2.[15]-dev (transitional) dependencies with firebird-dev
  * More Firebird adjustments, don't build the extension on more ports, where firebird-dev is not available

 -- Ondřej Surý <email address hidden>  Fri, 27 Jan 2012 11:02:48 +0100
php5 (5.3.9-2) unstable; urgency=low

  * Handle sqlite.so removal (remove conffile) (Closes: #656495)
  * Add Breaks: roundcube-sqlite since we no longer ship sqlite.so

 -- Ondřej Surý <email address hidden>  Tue, 24 Jan 2012 09:55:56 +0100
Superseded in experimental-release

php5 (5.4.0~rc6-1) experimental; urgency=low

  * Imported Upstream version 5.4.0~rc6

 -- Ondřej Surý <email address hidden>  Fri, 20 Jan 2012 15:30:48 +0100
Superseded in experimental-release

php5 (5.4.0~rc5-1) experimental; urgency=low

  * Imported Upstream version 5.4.0~rc5
  * Update patches for new release
  * Disable suhosin patch

 -- Ondřej Surý <email address hidden>  Thu, 19 Jan 2012 19:23:36 +0100
php5 (5.3.9-1) unstable; urgency=low

  * Remove obsolete sqlite(2) module from php5-sqlite
  * Use correct signals in php5-fpm init script (Closes: #645934)
  * Imported Upstream version 5.3.9
  * Adapt debian/patches to 5.3.9 release

 -- Ondřej Surý <email address hidden>  Wed, 11 Jan 2012 16:33:20 +0100
php5 (5.3.8.0-1) unstable; urgency=low

  * Re-re-imported upstream version 5.3.8, as a new sourceful update, in order to prevent the package from remaining as a native package.

 -- Sean Finney <email address hidden>  Thu, 27 Oct 2011 17:17:02 +0200
Superseded in experimental-release

php5 (5.4.0~beta2-1) experimental; urgency=low

  * Remove obsolete sqlite(2) module from php5-sqlite
  * Use correct signals in php5-fpm init script (Closes: #645934)
  * Update gbp.conf for experimental branch
  * Imported Upstream version 5.4.0~beta2
  * Refresh patches for the 5.4.0beta2 release
  * Remove php.ini-paranoid, it's almost useless now
  * Remove safe_mode setting from suhosin, it has been removed upstream
  * Remove the php_stream stuff to allow compiling with system-wide libgd
  * php5-common.docs: Don't install non-existent TODO file

 -- Ondřej Surý <email address hidden>  Sat, 22 Oct 2011 18:39:33 +0200
Superseded in squeeze-release

php5 (5.3.3-7+squeeze3) squeeze-security; urgency=low

  * Fix CVE-2011-2202: File path injection vulnerability in RFC1867 File upload filename
  * Refresh CVE-2011-2202 patch
  * Update gbp.conf for debian-squeeze branch

 -- Ondřej Surý <email address hidden>  Tue, 28 Jun 2011 10:03:34 +0200
Superseded in lenny-release

php5 (5.2.6.dfsg.1-1+lenny13) oldstable-security; urgency=low

  * Remove stray php_printf from CVE-2010-2531 (Closes: #632194)

 -- Ondřej Surý <email address hidden>  Fri, 01 Jul 2011 09:49:45 +0200
php5 (5.3.8-2) unstable; urgency=low

  * Fix botched upload when git-buildpackage didn't play well with bz2 upstream archive
  * Add additional temporary fix for MultiArch OpenSSL

 -- Ondřej Surý <email address hidden>  Mon, 12 Sep 2011 09:06:10 +0200
php5 (5.3.8-1) unstable; urgency=low

  * Imported Upstream version 5.3.8
  * Refresh patches to 5.3.8 release
  * Pull fixes for DateTime tests from upstream SVN
  * Add additional temporary fix for MultiArch for sybase/mssql

 -- Ondřej Surý <email address hidden>  Wed, 24 Aug 2011 13:13:51 +0200
php5 (5.3.7-1) unstable; urgency=low

  * Imported Upstream version 5.3.7
  * Update patches to the new 5.3.7 release and remove those merged upstream
  * Don't require autoconf 2.59 and lower, we'll deal with consequences
  * Add MultiArch fix for LDAP libraries
  * Remove PEAR patching with CVE-2011-1144.patch which was merged upstream

 -- Ondřej Surý <email address hidden>  Fri, 19 Aug 2011 14:18:03 +0200
php5 (5.3.6-13) unstable; urgency=low

  * Fix CVE-2011-2483: 8-bit character mishandling allows different password pairs to produce the same hash (Closes: #631347)
  * Add support for $2x$ identifier as blowfish variant in crypt.c to allow backward compatibility with old invalid hashes
  * Return fail string (*0) on invalid Blowfish salt rounds
  * Add NEWS item about incompatible blowfish hashes
  * Fix CVE-2011-1938: Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c in PHP 5.3.3 through 5.3.6 might allow context-dependent attackers to execute arbitrary code via a long pathname for a UNIX socket.

 -- Ondřej Surý <email address hidden>  Mon, 04 Jul 2011 12:41:07 +0200
Superseded in squeeze-release

php5 (5.3.3-7+squeeze1) squeeze-security; urgency=high

  * Fix CVE-2011-0441: arbitrary files removal via cronjob (Closes #618489)

 -- Raphael Geissert <email address hidden>  Thu, 17 Mar 2011 21:06:26 -0600
php5 (5.3.6-12) unstable; urgency=low

  * Bump standards version to 3.9.2
  * Update cron.d code to even safer variant (Courtesy of Bob Proulx)
  * Small optimization in cron.d script (Courtesy of Marcus Cobden)
  * Add firebird2.1-dev option to allow backports
  * Pull (and fix broken patch) multiarch workaround from Ubuntu natty
  * Add error message when phpize is not found (Closes: #627937)
  * Enable pcntl extension for CGI builds (Closes: #627941), but disable all pcntl functions by default
  * File path injection vulnerability in RFC1867 File upload filename [CVE-2011-2202]

 -- Ondřej Surý <email address hidden>  Wed, 15 Jun 2011 11:06:40 +0200
php5 (5.3.6-11) unstable; urgency=low

  * Use more reasonable default number of processes for PHP5-FPM
  * Enable firebird support everywhere also in debian/rules
  * Don't delete still used session files (Closes: #626640)
  * Enable building of php5-interbase by adding Architecture: any to debian/control
  * Use dh_prep instead of dh_clean -k

 -- Ondřej Surý <email address hidden>  Sat, 14 May 2011 22:15:32 +0200
php5 (5.3.6-10) unstable; urgency=low

  * Purge .start files in postrm, not in prerm (Closes: #607520)
  * Register config files to UCF Registry

 -- Ondřej Surý <email address hidden>  Sat, 30 Apr 2011 13:16:27 +0200
php5 (5.3.6-9) unstable; urgency=low

  * Make sure even harder to not leave any stale file after purging the package (Closes: #607520)
  * Move libapache2-mod-php5filter to extra to satisfy policy
  * Remove oldstable dependency on firebird2.0-dev
  * Enable php5-interbase on all platforms and update build dependency on firebird2.5-dev
  * Import backported upstream fix for fopen fails on some SSL urls
  * Remove windows devel file from php5-dev
  * Add more lintian-overrides:
    + Missing dependency on phpapi for php5-common is not missing
    + php-pear is keeping its original directory structure
    + Double the filenames (./usr vs usr) to fix difference between lintian versions
    + the embedded file library (libmagic) is unfortunately a custom one and cannot be replaced by system one (it's on the TODO list)

 -- Ondřej Surý <email address hidden>  Thu, 28 Apr 2011 13:37:07 +0200
php5 (5.3.6-8) unstable; urgency=low

  * Provides/Replaces/Conflicts: php5-idn (Closes: #547117)
  * Build depend on libdb-dev (>= 5.1) (Closes: #621443)

 -- Ondřej Surý <email address hidden>  Sun, 10 Apr 2011 23:27:44 +0200
php5 (5.3.6-7) unstable; urgency=low

  * Disable SSLv2 when disabled in OpenSSL (Closes: #620776)

 -- Ondřej Surý <email address hidden>  Mon, 04 Apr 2011 08:40:25 +0200
php5 (5.3.6-6) unstable; urgency=low

  * Fix order of do_check in php5-fpm.init to check for the right return code

 -- Ondřej Surý <email address hidden>  Thu, 31 Mar 2011 11:46:49 +0200
php5 (5.3.6-5) unstable; urgency=low

  * Don't fail the php5-fpm init.d script if VERBOSE is `no'
  * Fix some compile errors with --enable-maintainer-zts as reported by Raphaël Gertz
  * Make php5-fpm init.d script even less verbose on startup

 -- Ondřej Surý <email address hidden>  Mon, 28 Mar 2011 17:05:17 +0200
php5 (5.3.6-4) unstable; urgency=low

  * Merged r308688 fix s/raiseErro/raiseError/ and fixed parenthese in r309043 (Closes: #619307) (Courtesy of upstream and Ernesto Domato)
  * Make locales-all build dependency useful by fixing language tests to use de_DE.UTF-8
  * Debian packaging:
    + Allow easy porting to Ubuntu by adding alternate dependency for locales-all -> language-pack-de, because only german locale is used in the tests
    + Fix missing debhelper token in php5-fpm.preinst
  * Explicitly set pm.start_servers in php5-fpm to make it quiet
  * Update php5-fpm.init according to latest /etc/init.d/skeleton (Closes: #619383)

 -- Ondřej Surý <email address hidden>  Wed, 23 Mar 2011 16:44:28 +0100
php5 (5.3.6-2) unstable; urgency=low

  * Update default configuration file for php5-fpm (Closes: #619104)
  * Depend only on libdb4.8-dev | libdb4.6-dev to match apache2 (Closes: #619036)
    + Will coordinate change to db5.1 with apache2 maintainer

 -- Ondřej Surý <email address hidden>  Mon, 21 Mar 2011 11:54:04 +0100
php5 (5.3.6-1) unstable; urgency=low

  * Imported Upstream version 5.3.6
    + PEAR updated to 1.9.2 (CVE-2011-1072)
  * Cherry-pick CVE-2011-1144 from PEAR 1.9.3 (Closes: #546164)
  * Debian packaging:
    + Start using pristine-tar
    + Remove patches merged upstream or otherwise deprecated
    + Move php5-fpm.postrm extras to debian/rules
  * FPM SAPI changes:
    + Set initial chdir to /tmp in www pool (Closes: #601243)
    + Rename main configuration file to php-fpm.conf to match upstream
    + Enable error reporting in init.d file
    + Patch FPM SAPI to use Debian php-fpm.conf as default
  * Fix regression with missing CRYPT_SALT_LENGTH (Closes: #603012)
  * Generate SHA512 salt string when provided salt is null (Closes: #581170)
  * Fix FTBFS with gold or ld --no-add-needed (Closes: #615770)
  * Don't mmap large >4GB files
  * CVE-2011-0441: Be more careful when removing session files (Closes: #618489)

 -- Ondřej Surý <email address hidden>  Fri, 18 Mar 2011 15:51:50 +0100
php5 (5.3.5-1) unstable; urgency=low

  * Imported Upstream version 5.3.5
  * Updated suhosin patch to 0.9.10
  * Add Conflict: with php5-idn to php5-intl (Closes: #610935)
  * Build the FPM SAPI (Closes: #603174)
  * Adapted (and removed upstream-applied) patches to php 5.3.5

 -- Ondřej Surý <email address hidden>  Wed, 16 Feb 2011 15:17:32 +0100
php5 (5.3.3-7) unstable; urgency=low

  * Cherry pick patches for:
    + double free vulnerability in the imap_do_open function in the IMAP extension (CVE-2010-4150)
    + infinite loop with x87 CPU
    + extract() to not overwrite $GLOBALS and $this when using EXTR_OVERWRITE
    + crash if aa steps are invalid in GD extension
    + crash with entity declaration in simplexml.c
    + NULL dereference in Zend language scanner
    + integer overflow in SdnToJulian
    + memory leaks and possible crash introduced by NULL poisoning patch
    + leaks and crash when passing the callback as a variable
    + leak in highlight_string
    + segmentation fault in pgsql_stmt_execute when postgres is down
    + segmentation fault when extending SplFixedArray
    + segmentation fault when node is NULL in simplexml.c
    + segmentation fault when using several cloned intl objects
    + segmentation fault when using bad column_number in sqlite3 columnName
  * Add comment about cherry picked patches (and last revision) from upstream SVN to README.source

 -- Ondřej Surý <email address hidden>  Wed, 05 Jan 2011 11:06:20 +0100
php5 (5.3.3-6) unstable; urgency=medium

  * Cherry-pick fix for crashes on invalid parameters in intl extension. (CVE-2010-4409).
  * Cherry pick fix for crash in zip extract method (possible CWE-170)
  * Cherry pick fix for unaligned memory access in ext/hash/hash_tiger.c
  * Update CVE-2010-3870 to include test case
  * Cherry pick complete fix to reject filenames with NULL (CVE requested)

 -- Ondřej Surý <email address hidden>  Tue, 07 Dec 2010 11:15:58 +0100
php5 (5.3.3-5) unstable; urgency=high

  * Add firebird support for armhf (Closes: #604526)
  * More updates to open_basedir (Closes: #605391)

 -- Ondřej Surý <email address hidden>  Tue, 30 Nov 2010 12:00:37 +0100
php5 (5.3.3-4) unstable; urgency=low

  * Cherry pick patches for (Closes: #603751):
    + NULL pointer dereference in ZipArchive::getArchiveComment (CVE-2010-3709)
    + utf8_decode xml_utf8_decode vulnerability (CVE-2010-3870)
    + mb_strcut() returns garbage with the excessive length parameter (CVE-2010-4156)
    + possible flaw in open_basedir (CVE-2010-3436)
    + segfault in SplFileObject::fscanf
    + memory leak in PDO::FETCH_INTO
    + crash when storing many SPLFixedArray in an array
    + possible crash in php_mssql_get_column_content_without_type()
    + cURL leaks handle and causes assertion error (CURLOPT_STDERR)
    + segfault when optional parameters are not passed in to mssql_connect
    + segfault when ssl stream option capture_peer_cert_chain used
    + crash in GC because of incorrect reference counting
    + crash when calling enchant_broker_get_dict_path before set_path
    + crash in pdo_firebird getAttribute()

 -- Ondřej Surý <email address hidden>  Wed, 17 Nov 2010 10:31:58 +0100
php5 (5.3.3-3) unstable; urgency=high

  * Fix segfault in filter_var with FILTER_VALIDATE_EMAIL with large amount of data (CVE-2010-3710, Closes: #601619)

 -- Ondřej Surý <email address hidden>  Wed, 27 Oct 2010 23:39:37 +0200
php5 (5.3.3-2) unstable; urgency=low

  * Upload 5.3.3 to unstable
    + Fixes CVE-2010-2225, CVE-2010-2094, CVE-2010-1917, CVE-2010-1866, CVE-2010-2531, CVE-2010-3065.
  * Don't build FPM SAPI now
  * Bump standards version to 3.9.1
  * Synchronize system crypt patch
  * Cherry pick upstream fix for format vulnerability in phar/stream.c
    + Fixes CVE-2010-2950.
  * Set explicit error level to hide warnings on systems with modified php.ini (Closes: #590485)
  * Apply patch to fix loading of extensions without [PHP] section (Closes: #595761)
  * Set session.gc_probability back to 0 (Closes: #595706)
  * Update PHP5 description to not include references to C, Java and Perl (Closes: #351032)

 -- Ondřej Surý <email address hidden>  Thu, 21 Oct 2010 16:57:53 +0200
Superseded in lenny-release |
php5 (5.2.6.dfsg.1-1+lenny9) stable-security; urgency=high
  * Fix CVE-2010-1917: stack consumption on the fnmatch() function
  * Fix CVE-2010-2225: use-after-free in the SplObjectStorage unserializer
  * Fix MOPS-2010-60: arbitrary session variables injection
 -- Raphael Geissert <email address hidden> Tue, 03 Aug 2010 21:37:14 -0400
Deleted in experimental-release (Reason: None provided.) |
php5 (5.3.3-1) experimental; urgency=low
  * Upload PHP 5.3.3 to experimental for further testing
    + Fixes odbc_autocommit (Closes: #586570)
    + Adds support for sqlite3_busy_timout (Closes: #589473)
    + Fixes CVE-2010-2225, CVE-2010-2094, CVE-2010-1917, CVE-2010-1866 and other CVEs that do not apply to the Debian packages or are irrelevant as per the pre-5.3.2-2 security policy.
  * Changes pending update from unstable:
    + Use system crypt
  * Build the FPM SAPI.
 -- Raphael Geissert <email address hidden> Sat, 31 Jul 2010 15:53:12 -0400
php5 (5.3.2-2) unstable; urgency=low
  [ Ondřej Surý ]
  * Fix unittest about failing crypt() calls with invalid salt
  [ Raphael Geissert ]
  * Cherry pick upstream fix for mysqli_ssl_set (Closes: #572122)
  * Cherry pick patch to reset error status on beginTransaction()
  * Cherry pick patch to add missing definition of JSON_ERROR_UTF8
  * Cherry pick patch to fix SplFileInfo::getPathName()
  * Cherry pick patch to fix a memory leak in the cyclical gc
  * Cherry pick fix for memory leak in date when gc is enabled
  * Cherry pick patch to fix an unaligned mem access in the dba ext
  * Cherry pick fix for memory issues in mysqli_options (Closes: #577784)
  * Set default session.save_path to /var/lib/php5 (Closes: #576593)
  * Don't install an extra copy of php.ini-production
  * Remove obsolete TODO list
  * Add debian/source/format and set it to 1.0
  * Add doc-base registration for Structures_Graph documentation
  * Cherry pick patch to fix multiple typos
  * Synchronize enchant patch with changes committed upstream
  * Cherry pick patch to workaround BDB 4.8 bc changes (Closes: #570149)
  * Cherry pick patch to allow the timeout on mssql to be effective p/query
  * Cherry pick patch to correctly determine length of doc_root
  * Cherry pick patch to fix a memory leak in SoapServer::handle
  * Cherry pick patch to fix SplFileInf::fscanf()'s prototype
  * Test the mysql extensions too
  * Update the security policy for Squeeze and greater
  * Include ext_skel script (Closes: #530757)
  [ Sean Finney ]
  * Fix for parallel FTBFS in (Closes: #584348)
  * Import upstream fix for pdo_mysql segfaults (Closes: #581911)
    - thanks to Richard van den Berg <email address hidden>
  * Dynamically determine maxlifetime if possible. (Closes: #504053)
    - thanks to Chris Butler <email address hidden>
 -- Raphael Geissert <email address hidden> Sun, 18 Jul 2010 15:35:06 -0500
Superseded in lenny-release |
php5 (5.2.6.dfsg.1-1+lenny8) stable-security; urgency=high
  * Fix CVE-2010-0397: null pointer dereference when processing invalid XML-RPC requests (Closes: #573573)
 -- Raphael Geissert <email address hidden> Sun, 14 Mar 2010 01:05:03 -0600
php5 (5.3.2-1) unstable; urgency=high
  [ Sean Finney ]
  * Fix improper signed overflow detection in filter extension (Closes: #570287)
  * Another integer overflow/underflow logic fix. (Closes: #570144)
  * new debian patch fix_filter_var_email_test.patch (Closes: #571764)
  * New debian patch fix_var_dump_64bit.phpt.patch (Closes: #571772)
  * New debian patch use_embedded_timezonedb_fixes.patch (Closes: #571762)
  [ Raphael Geissert ]
  * Build with qdbm support
  * Really run extensions' tests
  * Add a note about user_dirs in apache conf file (Closes: #571714)
  * Fix typo in debian/NEWS
  * Don't install a(nother) useless Structures_Graph sh script
  * Re-enable short_open_tag for CLI too (Closes: #573367)
  * Disable memory limit in CLI, letting ulimit do its job (Closes: #407425)
  * Fix the locale name in some tests (Closes: #573511)
  * Fix some gd tests that need the bundled library
  * Fix a null pointer dereference when processing invalid XML-RPC requests (CVE-2010-0397, Closes: #573573)
  * Fix an unaligned memory access in enchant_dict_suggest()
  * Fix another unaligned memory access in enchant
  * Test that the list of extensions to test is never empty
  * Update the list of alternative dependencies of php5-dbg
  * debian/rules cleanup
  * debian/control cleanup
  * Build against the system oniguruma library
  * Add libjpeg-dev as an alternative to libjpeg62-dev for future transitions
  [ Ondřej Surý ]
  * Imported Upstream version 5.3.2
  * Updated suhosin patch to 0.9.9.1 version.
  * Removed debian/patches/suhosin_page_size_fixes.patch. (Closes: #571974)
  * Refreshed debian/patches/001-libtool_fixes.patch
  * Refreshed debian/patches/006-debian_quirks.patch
  * Adapt debian patches to 5.3.2.
  * Remove "binary" contents from debian/patches/fix_var_dump_64bit.phpt.patch
  * New debian patch fix_broken_sha2_test.patch
  * New debian patch always_use_system_crypt.patch (Closes: #572601)
  * New debian patch php_crypt_revamped.patch (Closes: #572601)
 -- Raphael Geissert <email address hidden> Sat, 13 Mar 2010 15:11:48 -0600