Change logs for php5 source package in Lenny

  • php5 (5.2.6.dfsg.1-1+lenny16) oldstable-security; urgency=low
    
    
      * Fix UMR in php_register_variable_ex (pull from upstream SVN)
    
     -- Ondřej Surý <email address hidden>  Fri, 03 Feb 2012 09:01:31 +0100
  • php5 (5.2.6.dfsg.1-1+lenny13) oldstable-security; urgency=low
    
    
      * Remove stray php_printf from CVE-2010-2531 (Closes: #632194)
    
     -- Ondřej Surý <email address hidden>  Fri, 01 Jul 2011 09:49:45 +0200
  • php5 (5.2.6.dfsg.1-1+lenny9) stable-security; urgency=high
    
    
      * Fix CVE-2010-1917: stack consumption on the fnmatch() function
      * Fix CVE-2010-2225: use-after-free in the SplObjectStorage
        unserializer
      * Fix MOPS-2010-60: arbitrary session variables injection
    
     -- Raphael Geissert <email address hidden>  Tue, 03 Aug 2010 21:37:14 -0400
  • php5 (5.2.6.dfsg.1-1+lenny8) stable-security; urgency=high
    
    
      * Fix CVE-2010-0397: null pointer dereference when processing invalid
        XML-RPC requests (Closes: #573573)
    
     -- Raphael Geissert <email address hidden>  Sun, 14 Mar 2010 01:05:03 -0600
  • php5 (5.2.6.dfsg.1-1+lenny4) stable-security; urgency=high
    
    
      * CVE-2009-2687: DoS via malformed JPEG images with invalid offset fields
          (Closes: #535888)
      * CVE-2009-2626: remote memory disclosure via ini_* functions
          (Closes: #540605)
      * CVE-2009-3292: multiple missing checks processing exif image data
      * CVE-2009-3291: improper handling of nul character in CommonName fields
          of X509 certificates
      * max_file_uploads: prevent, by limiting, temporary files exhaustion DoS
      * Add an entry to debian/NEWS about the new per-request file uploads limit
    
     -- Raphael Geissert <email address hidden>  Sat, 21 Nov 2009 18:28:12 -0600
  • php5 (5.2.6.dfsg.1-1+lenny3) stable-security; urgency=low
    
    
      [ Sean Finney ]
      * CVE-2008-5814: XSS vulnerability via display_errors (Closes: #523028)
      * CVE-2009-0754.patch: mbstring.func_overload leakage between apache2
        vhosts (Closes: #523049)
      * CVE-2009-1271: remote DoS in json_decode()
      * add note about CVE-2009-1272 in previous version's changelog entry
    
      [ Mark A. Hershberger ]
      * fix clean target to keep source in a consistent state for multiple builds
    
     -- Sean Finney <email address hidden>  Sun, 26 Apr 2009 21:37:57 +0200
  • php5 (5.2.6.dfsg.1-1+lenny2) testing-security; urgency=low
    
    
      [ Sean Finney ]
      * Do not add -O2 to CFLAGS if DEB_BUILD_OPTIONS contains noopt.
      * Security related fixes:
        - php: inifile handler for the dba functions can be used to truncate a file
          Patch: dba-inifile-truncation.patch (closes: #507101).
        - CVE-2008-5658.patch: ZipArchive::extractTo directory traversal
          Patch: CVE-2008-5658.patch (closes: #507857).
          Thanks to Pierre Joye for help with the patch.
    
      [ Raphael Geissert ]
      * Picked up some patches from Gentoo (most included in PHP 5.2.7 and later):
        + patches/gentoo/005_stream_context_set_params-crash.patch
        + patches/gentoo/006_PDORow-crash.patch
        + patches/gentoo/007_dom-setAttributeNode-crash.patch
        + patches/gentoo/009_array-function-crashes.patch
        + patches/gentoo/010_ticks-zts-crashes.patch
        + patches/gentoo/015_CVE-2008-2665-wrapper-safemode-bypass.patch
        + patches/gentoo/017_xmlrpc-invalid-callback-crash.patch
        + patches/gentoo/019_new-memory-corruption.patch
        + patches/gentoo/freetds-compat.patch
          - was deprecated_freetds_check.patch
    
     -- Sean Finney <email address hidden>  Sun, 25 Jan 2009 15:06:34 +0100
  • php5 (5.2.6.dfsg.1-0.1~lenny1) testing; urgency=low
    
    
      * Non-maintainer upload.
      * Remove exts/dbase from orig tarball (Closes: #341420)
    
     -- Ben Hutchings <email address hidden>  Sat, 29 Nov 2008 19:19:28 +0000
  • php5 (5.2.6-5) unstable; urgency=high
    
    
      * Update debian/copyright to document that the DFSG-unfree email
        requirement in ext/standard/rand.c has been rescinded by the
        copyright holder (Closes: #498621).
    
     -- Thijs Kinkhorst <email address hidden>  Sun, 05 Oct 2008 11:32:35 +0200