Change log for php7.4 package in Ubuntu

Published in focal-updates
Published in focal-security
php7.4 (7.4.3-4ubuntu2.23) focal-security; urgency=medium

  * SECURITY UPDATE: Invalid user information
    - debian/patches/CVE-2024-5458.patch: improves filters validation
      in ext/filter/logical_filters.c and adds test
      in ext/filter/tests/ghsa-w8qr-v226-r27w.phpt.
    - CVE-2024-5458

 -- Leonidas Da Silva Barbosa <email address hidden>  Mon, 17 Jun 2024 10:22:20 -0300
Superseded in focal-updates
Superseded in focal-security
php7.4 (7.4.3-4ubuntu2.22) focal-security; urgency=medium

  * SECURITY UPDATE: Heap buffer-overflow
    - debian/patches/CVE-2022-4900.patch: prevent potential buffer
      overflow for large value of php_cli_server_workers_max in
      sapi/cli/php_cli_server.c.
    - CVE-2022-4900
  * SECURITY UPDATE: Cookie bypass
    - debian/patches/CVE-2024-2756.patch: adds more mangling rules
      in main/php_variable.c.
    - CVE-2024-2756
  * SECURITY UPDATE: Account takeover risk
    - debian/patches/CVE-2024-3096.patch: disallow null character in bcrypt
      password in ext/standard/password.c,
      ext/standard/tests/password_bcrypt_errors.phpt.
    - CVE-2024-3096

 -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 01 May 2024 07:11:33 -0300
Deleted in focal-proposed (Reason: moved to -updates)
php7.4 (7.4.3-4ubuntu2.21) focal; urgency=medium

  * d/p/fix-segfault-in-fpm_status_export_to_zval.patch: fix segmentation
    fault in fpm_status_export_to_zval. (LP: #2057576)

 -- Athos Ribeiro <email address hidden>  Wed, 10 Apr 2024 09:36:03 -0300
Superseded in focal-updates
Superseded in focal-security
php7.4 (7.4.3-4ubuntu2.20) focal-security; urgency=medium

  * SECURITY UPDATE: Disclosure of sensitive information
    - debian/patches/CVE-2023-3823.patch: sanitize libxml2 globals
      before parsing in ext/dom/document.c, ext/dom/documentfragment.c,
      xml_global_state_entity_loader_bypass.phpt, ext/libxml/php_libxml.h,
      ext/simplexml/simplexml.c, xml_global_state_entity_loader_bypass.phpt,
      ext/soap/php_xml.c, ext/xml/compat.c, ext/xmlreader/php_xmlreader.c,
      xml_global_state_entity_loader_bypass.phpt, ext/xsl/xsltprocessor.c,
      ext/zend_test/test.c.
    - CVE-2023-3823
  * SECURITY UPDATE: Stack buffer overflow
    - debian/patches/CVE-2023-3824.patch: fix buffer mismanagement in
      phar_dir_read(), and in files ext/phar/dirstream.c,
      ext/phar/tests/GHSA-jqcx-ccgx-xwhv.phpt.
    - CVE-2023-3824

 -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 21 Feb 2024 10:54:34 -0300
Superseded in focal-updates
Superseded in focal-security
php7.4 (7.4.3-4ubuntu2.19) focal-security; urgency=medium

  * SECURITY UPDATE: Missing error check and insufficient random
    bytes
    - debian/patches/CVE-2023-3247-1.patch: fixes missing randomness
      check and insufficient random bytes for SOAP HTTP digest
      in ext/soap/php_http.c.
    - debian/patches/CVE-2023-3247-2.patch: fix wrong backporting of previous
      soap patch.
    - CVE-2023-3247

 -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 27 Jun 2023 12:49:59 -0300
Superseded in focal-updates
Superseded in focal-security
php7.4 (7.4.3-4ubuntu2.18) focal-security; urgency=medium

  * SECURITY UPDATE: password_verify() accepts invalid Blowfish hashes
    - debian/patches/CVE-2023-0567-1.patch: fix validation of malformed
      BCrypt hashes in ext/standard/crypt_blowfish.c,
      ext/standard/tests/crypt/bcrypt_salt_dollar.phpt.
    - debian/patches/CVE-2023-0567-2.patch: fix possible buffer overread in
      php_crypt() in ext/standard/crypt.c,
      ext/standard/tests/password/password_bcrypt_short.phpt.
    - CVE-2023-0567
  * SECURITY UPDATE: off-by-one in core path resolution function
    - debian/patches/CVE-2023-0568.patch: fix array overrun when appending
      slash to paths in ext/dom/document.c, ext/xmlreader/php_xmlreader.c,
      main/fopen_wrappers.c.
    - CVE-2023-0568
  * SECURITY UPDATE: DoS via excessive number of parts in HTTP form upload
    - debian/patches/CVE-2023-0662-1.patch: introduce
      max_multipart_body_parts INI in main/main.c, main/rfc1867.c.
    - debian/patches/CVE-2023-0662-2.patch: fix repeated warning for file
      uploads limit exceeding in main/rfc1867.c.
    - CVE-2023-0662

 -- Marc Deslauriers <email address hidden>  Thu, 23 Feb 2023 07:43:23 -0500
Superseded in focal-updates
Superseded in focal-security
php7.4 (7.4.3-4ubuntu2.17) focal-security; urgency=medium

  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2022-31631.patch: fix check
      unquotedlen size in ext/pdo_sqlite/sqlite_driver.c.
    - CVE-2022-31631

 -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 10 Jan 2023 12:37:44 -0300
Superseded in focal-updates
Deleted in focal-proposed (Reason: moved to -updates)
php7.4 (7.4.3-4ubuntu2.16) focal; urgency=medium

  [ Athos Ribeiro ]
  * d/rules: fix PHP_EXTRA_VERSION setting. (LP: #1989196)
  * Test PHP_EXTRA_VERSION setting with autopkgtest.

  [ Matthew Ruffell ]
  * No longer throw an error when serializing uninitialized typed
    properties with __sleep(), which makes serializing objects with
    __sleep() behave the same as serializing objects without
    __sleep(). (LP: #1999598)
    - d/p/lp-1999598-Fix-bug-79447.patch

 -- Athos Ribeiro <email address hidden>  Thu, 15 Sep 2022 19:53:21 -0300
Superseded in focal-updates
Superseded in focal-security
php7.4 (7.4.3-4ubuntu2.15) focal-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2022-31628-1.patch: adding a recursion limit
      in ext/phar/phar.c, ext/phar/tests/bug81726.phpt.
    - debian/source/include-binaries: add ext/phar/tests/bug81726.gz.
    - debian/patches/CVE-2022-31628-2.patch: avoid a second check in
      ext/phar/phar.c.
    - CVE-2022-31628
  * SECURITY UPDATE: Cookie injection
    - debian/patches/CVE-2022-31629.patch: don't mangle HTTP
      variable names that clash with ones that have a specific semantic
      meaning in ext/standard/test/bug81727.phpt,
      main/php_variables.c.
    - CVE-2022-31629
  * SECURITY UPDATE: Out of bounds read
    - debian/patches/CVE-2022-31630.patch: adds validation in
      imageloadfont() for OOB in ext/gd/gd.c, ext/gd/tests/bug81739.phpt.
    - CVE-2022-31630
  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2022-37454.patch: fixes buffer overflow in
      hash_update() on long parameter in
      ext/hash/sha3/generic32lc/KeccakSponge.inc,
      ext/hash/sha3/generic64lc/KeccakSponge.inc.
    - CVE-2022-37454

 -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 02 Nov 2022 06:53:44 -0300
Deleted in focal-proposed (Reason: moved to -updates)
php7.4 (7.4.3-4ubuntu2.14) focal; urgency=medium

  * d/rules: fix PHP_EXTRA_VERSION setting. (LP: #1989196)
  * Test PHP_EXTRA_VERSION setting with autopkgtest.

 -- Athos Ribeiro <email address hidden>  Thu, 15 Sep 2022 19:53:21 -0300
Superseded in focal-updates
Deleted in focal-proposed (Reason: moved to -updates)
php7.4 (7.4.3-4ubuntu2.13) focal; urgency=medium

  * d/p/0047-Update-gcc-func-attr-macro.patch: fix detection of unknown gcc
    function attributes. (LP: #1882279)

 -- Athos Ribeiro <email address hidden>  Wed, 17 Aug 2022 10:29:56 -0300
Superseded in focal-updates
Superseded in focal-security
php7.4 (7.4.3-4ubuntu2.12) focal-security; urgency=medium

  * SECURITY UPDATE: RCE via Uninitialized array in pg_query_params()
    - debian/patches/CVE-2022-31625.patch: don't free parameters which
      haven't been initialized yet in ext/pgsql/pgsql.c,
      ext/pgsql/tests/bug81720.phpt.
    - CVE-2022-31625
  * SECURITY UPDATE: RCE via mysqlnd/pdo password buffer overflow
    - debian/patches/CVE-20022-31626.patch: properly calculate size in
      ext/mysqlnd/mysqlnd_wireprotocol.c.
    - CVE-2022-31626

 -- Marc Deslauriers <email address hidden>  Mon, 13 Jun 2022 09:43:30 -0400
Superseded in focal-updates
Deleted in focal-proposed (Reason: moved to -updates)
php7.4 (7.4.3-4ubuntu2.11) focal; urgency=medium

  * d/p/0048-Fix-bug-79603-by-retrying-on-RTD-key-collision.patch: retry on RTD
    key collision. (LP: #1968228)

 -- Athos Ribeiro <email address hidden>  Thu, 05 May 2022 21:16:42 -0300
Superseded in focal-updates
Superseded in focal-security
php7.4 (7.4.3-4ubuntu2.10) focal-security; urgency=medium

  * SECURITY UPDATE: DoS in zend_string_extend function
    - debian/patches/CVE-2017-8923.patch: fix integer overflow when
      concatenating strings in Zend/zend_vm_def.h, Zend/zend_vm_execute.h.
    - CVE-2017-8923
  * SECURITY UPDATE: out of bounds access in php_pcre_replace_impl
    - debian/patches/CVE-2017-9118-pre1.patch: fix heap buffer overflow via
      str_repeat in Zend/zend_operators.c, Zend/zend_string.h.
    - debian/patches/CVE-2017-9118-pre2.patch: fix memory corruption in
      preg_replace/preg_replace_callback in ext/pcre/php_pcre.c,
      ext/pcre/tests/bug79188.phpt.
    - debian/patches/CVE-2017-9118-pre3.patch: fix too much memory is
      allocated for preg_replace() in ext/pcre/php_pcre.c,
      ext/pcre/tests/bug81243.phpt.
    - debian/patches/CVE-2017-9118.patch: fix out of bounds in
      php_pcre_replace_impl in Zend/zend_string.h, ext/pcre/php_pcre.c.
    - CVE-2017-9118
  * SECURITY UPDATE: DoS via memory consumption in i_zval_ptr_dtor
    - debian/patches/CVE-2017-9119.patch: handle memory limit error during
      string reallocation correctly in Zend/zend_string.h.
    - CVE-2017-9119
  * SECURITY UPDATE: DoS via integer overflow in mysqli_real_escape_string
    - debian/patches/CVE-2017-9120.patch: fix overflow in
      ext/mysqli/mysqli_api.c.
    - CVE-2017-9120
  * SECURITY UPDATE: filename truncation issue in XML parsing functions
    - debian/patches/CVE-2021-21707.patch: special character is breaking
      the path in xml function in ext/dom/domimplementation.c,
      ext/dom/tests/bug79971_2.phpt, ext/libxml/libxml.c,
      ext/simplexml/tests/bug79971_1.phpt,
      ext/simplexml/tests/bug79971_1.xml.
    - CVE-2021-21707

 -- Marc Deslauriers <email address hidden>  Wed, 02 Mar 2022 10:36:52 -0500
Superseded in focal-updates
Superseded in focal-security
php7.4 (7.4.3-4ubuntu2.9) focal-security; urgency=medium

  * SECURITY UPDATE: Use after free
    - debian/patches/CVE-2021-21708.patch: change the call to
      zval_ptr_dtor in ext/filter/logical_filters.c to be done
      after a validation is succeeded, and add a test for this
      case in ext/filter/tests/bug81708.phpt
    - CVE-2021-21708

 -- Rodrigo Figueiredo Zaiden <email address hidden>  Thu, 24 Feb 2022 11:55:48 -0300
Obsolete in hirsute-updates
Deleted in hirsute-proposed (Reason: moved to -updates)
php7.4 (7.4.16-1ubuntu2.3) hirsute; urgency=medium

  * d/p/0047-fix-exception-infinite-loop.patch: Fix ErrorException infinite
    loop (LP: #1951031)

 -- Athos Ribeiro <email address hidden>  Thu, 25 Nov 2021 18:36:47 -0300
Superseded in focal-updates
Deleted in focal-proposed (Reason: moved to -updates)
php7.4 (7.4.3-4ubuntu2.8) focal; urgency=medium

  * d/p/0047-fix-exception-infinite-loop.patch: Fix ErrorException infinite
    loop (LP: #1951031)

 -- Athos Ribeiro <email address hidden>  Thu, 25 Nov 2021 20:16:22 -0300
Superseded in hirsute-updates
Obsolete in hirsute-security
php7.4 (7.4.16-1ubuntu2.2) hirsute-security; urgency=medium

  * SECURITY UPDATE: Out of bounds read/write
    - debian/patches/CVE-2021-21703.patch: The main change is to
      store scoreboard procs directly to the variable sized
      array rather than indirectly through the pointer in
      sapi/fpm/fpm/fpm_children.c, sapi/fpm/fpm/fpm_request.c,
      sapi/fpm/fpm/fpm_scoreboard.c, sapi/fpm/fpm/fpm_scoreboard.h,
      sapi/fpm/fpm/fpm_status.c, sapi/fpm/fpm/fpm_worker_pool.c.
    - CVE-2021-21703

 -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 26 Oct 2021 13:46:20 -0300
Superseded in focal-updates
Superseded in focal-security
php7.4 (7.4.3-4ubuntu2.7) focal-security; urgency=medium

  * SECURITY UPDATE: Out of bounds read/write
    - debian/patches/CVE-2021-21703.patch: The main change is to
      store scoreboard procs directly to the variable sized
      array rather than indirectly through the pointer in
      sapi/fpm/fpm/fpm_children.c, sapi/fpm/fpm/fpm_request.c,
      sapi/fpm/fpm/fpm_scoreboard.c, sapi/fpm/fpm/fpm_scoreboard.h,
      sapi/fpm/fpm/fpm_status.c, sapi/fpm/fpm/fpm_worker_pool.c.
    - CVE-2021-21703

 -- Leonidas Da Silva Barbosa <email address hidden>  Mon, 25 Oct 2021 15:20:54 -0300
Superseded in focal-updates
Deleted in focal-proposed (Reason: moved to -updates)
php7.4 (7.4.3-4ubuntu2.6) focal; urgency=medium

  * Fix a segmentation fault and implement support for using cursors
    on prepared statements in the mysqli database driver. (LP: #1939853)
    - d/p/lp-1939853-1-Fix-Segfault-with-get_result-and-PS-cursors.patch
    - d/p/lp-1939853-2-MySQLnd-Support-cursors-in-store-get-result.patch

 -- Matthew Ruffell <email address hidden>  Fri, 13 Aug 2021 17:39:12 +1200
Superseded in focal-updates
Superseded in focal-security
php7.4 (7.4.3-4ubuntu2.5) focal-security; urgency=medium

  * SECURITY UPDATE: crash or info disclosure via PHAR zip file
    - debian/patches/CVE-2020-7068.patch: fix use after free in
      ext/phar/zip.c.
    - CVE-2020-7068
  * SECURITY UPDATE: incorrect URL validation
    - debian/patches/CVE-2020-7071-1.patch: make sure userinfo is valid
      according to RFC 3986 in ext/filter/tests/bug77423.phpt,
      ext/standard/url.c.
    - debian/patches/CVE-2020-7071-2.patch: revert previous fix and use a
      better one in ext/filter/logical_filters.c,
      ext/filter/tests/bug77423.phpt, ext/standard/url.c.
    - debian/patches/CVE-2020-7071-3.patch: remove unneeded function in
      ext/standard/url.c.
    - CVE-2020-7071
  * SECURITY UPDATE: crash via malformed XML data in SOAP extension
    - debian/patches/CVE-2021-21702-1.patch: check strings in
      ext/soap/php_sdl.c, ext/soap/php_xml.c, ext/soap/tests/bug80672.phpt,
      ext/soap/tests/bug80672.xml.
    - debian/patches/CVE-2021-21702-2.patch: fix compiler warning in
      ext/soap/php_sdl.c.
    - CVE-2021-21702
  * SECURITY UPDATE: multiple issues in the pdo_firebase module
    - debian/patches/CVE-2021-21704-1.patch: prevent overflow in
      ext/pdo_firebird/firebird_statement.c.
    - debian/patches/CVE-2021-21704-2.patch: verify result_size in
      ext/pdo_firebird/firebird_statement.c.
    - debian/patches/CVE-2021-21704-3.patch: verify result_size in
      ext/pdo_firebird/firebird_driver.c.
    - debian/patches/CVE-2021-21704-4.patch: don't overflow stack in
      ext/pdo_firebird/firebird_driver.c.
    - CVE-2021-21704
  * SECURITY UPDATE: SSRF bypass
    - debian/patches/CVE-2021-21705.patch: check password in
      ext/filter/logical_filters.c, ext/filter/tests/bug81122.phpt.
    - debian/patches/CVE-2021-21705-2.patch: fix compiler warning in
      ext/filter/logical_filters.c.
    - CVE-2021-21705

 -- Marc Deslauriers <email address hidden>  Mon, 05 Jul 2021 11:13:35 -0400
Obsolete in groovy-updates
Obsolete in groovy-security
php7.4 (7.4.9-1ubuntu1.2) groovy-security; urgency=medium

  * SECURITY UPDATE: incorrect URL validation
    - debian/patches/CVE-2020-7071-1.patch: make sure userinfo is valid
      according to RFC 3986 in ext/filter/tests/bug77423.phpt,
      ext/standard/url.c.
    - debian/patches/CVE-2020-7071-2.patch: revert previous fix and use a
      better one in ext/filter/logical_filters.c,
      ext/filter/tests/bug77423.phpt, ext/standard/url.c.
    - debian/patches/CVE-2020-7071-3.patch: remove unneeded function in
      ext/standard/url.c.
    - CVE-2020-7071
  * SECURITY UPDATE: crash via malformed XML data in SOAP extension
    - debian/patches/CVE-2021-21702-1.patch: check strings in
      ext/soap/php_sdl.c, ext/soap/php_xml.c, ext/soap/tests/bug80672.phpt,
      ext/soap/tests/bug80672.xml.
    - debian/patches/CVE-2021-21702-2.patch: fix compiler warning in
      ext/soap/php_sdl.c.
    - CVE-2021-21702
  * SECURITY UPDATE: multiple issues in the pdo_firebase module
    - debian/patches/CVE-2021-21704-1.patch: prevent overflow in
      ext/pdo_firebird/firebird_statement.c.
    - debian/patches/CVE-2021-21704-2.patch: verify result_size in
      ext/pdo_firebird/firebird_statement.c.
    - debian/patches/CVE-2021-21704-3.patch: verify result_size in
      ext/pdo_firebird/firebird_driver.c.
    - debian/patches/CVE-2021-21704-4.patch: don't overflow stack in
      ext/pdo_firebird/firebird_driver.c.
    - CVE-2021-21704
  * SECURITY UPDATE: SSRF bypass
    - debian/patches/CVE-2021-21705.patch: check password in
      ext/filter/logical_filters.c, ext/filter/tests/bug81122.phpt.
    - debian/patches/CVE-2021-21705-2.patch: fix compiler warning in
      ext/filter/logical_filters.c.
    - CVE-2021-21705

 -- Marc Deslauriers <email address hidden>  Mon, 05 Jul 2021 09:33:00 -0400
Superseded in hirsute-updates
Superseded in hirsute-security
php7.4 (7.4.16-1ubuntu2.1) hirsute-security; urgency=medium

  * SECURITY UPDATE: multiple issues in the pdo_firebase module
    - debian/patches/CVE-2021-21704-1.patch: prevent overflow in
      ext/pdo_firebird/firebird_statement.c.
    - debian/patches/CVE-2021-21704-2.patch: verify result_size in
      ext/pdo_firebird/firebird_statement.c.
    - debian/patches/CVE-2021-21704-3.patch: verify result_size in
      ext/pdo_firebird/firebird_driver.c.
    - debian/patches/CVE-2021-21704-4.patch: don't overflow stack in
      ext/pdo_firebird/firebird_driver.c.
    - CVE-2021-21704
  * SECURITY UPDATE: SSRF bypass
    - debian/patches/CVE-2021-21705.patch: check password in
      ext/filter/logical_filters.c, ext/filter/tests/bug81122.phpt.
    - debian/patches/CVE-2021-21705-2.patch: fix compiler warning in
      ext/filter/logical_filters.c.
    - CVE-2021-21705

 -- Marc Deslauriers <email address hidden>  Mon, 05 Jul 2021 09:04:38 -0400
Deleted in impish-proposed (Reason: php7.4 is currently being removed and so this rebuild is ...)
php7.4 (7.4.16-1ubuntu3) impish; urgency=medium

  * No-change rebuild due to OpenLDAP soname bump.

 -- Sergio Durigan Junior <email address hidden>  Mon, 21 Jun 2021 18:07:28 -0400

Deleted in impish-release (Reason: Superseded by php8.0; LP: #1927264)
Obsolete in hirsute-release
Deleted in hirsute-proposed (Reason: Moved to hirsute)
php7.4 (7.4.16-1ubuntu2) hirsute; urgency=medium

  * Disable lto builds. Same as in Fedora. OpenSuse had some success.

 -- Matthias Klose <email address hidden>  Tue, 23 Mar 2021 17:15:03 +0100
Superseded in hirsute-proposed
php7.4 (7.4.16-1ubuntu1) hirsute; urgency=medium

  * Merge with Debian; remaining changes:
    - d/control, d/control.in: Conflict with mod-php from php7.2 and
      php7.3 to ensure safe upgrade path for apache2.
      (LP 1850933)
    - libapache2-mod-php.postinst.extra: Disable other mod-php versions.
      Fixes failure when upgrading from previous versions of mod-php.
      (LP 1865218)

Superseded in hirsute-proposed
php7.4 (7.4.11-1ubuntu5) hirsute; urgency=medium

  * No-change rebuild.

 -- Matthias Klose <email address hidden>  Tue, 23 Mar 2021 13:33:59 +0100

Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: Moved to hirsute)
php7.4 (7.4.11-1ubuntu4) hirsute; urgency=medium

  * Rebuild with the new libzip soname

 -- Sebastien Bacher <email address hidden>  Thu, 04 Mar 2021 16:20:59 +0100

Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: moved to Release)
php7.4 (7.4.11-1ubuntu3) hirsute; urgency=medium

  * No-change upload to build against net-snmp on armhf.

 -- Sergio Durigan Junior <email address hidden>  Thu, 07 Jan 2021 20:07:29 -0500
Superseded in hirsute-proposed
php7.4 (7.4.11-1ubuntu2) hirsute; urgency=medium

  * No-change upload due to net-snmp transition.

 -- Sergio Durigan Junior <email address hidden>  Thu, 07 Jan 2021 15:07:46 -0500

Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: moved to Release)
php7.4 (7.4.11-1ubuntu1) hirsute; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - d/control, d/control.in: Conflict with mod-php from php7.2 and
      php7.3 to ensure safe upgrade path for apache2.
      (LP 1850933)
    - libapache2-mod-php.postinst.extra: Disable other mod-php versions.
      Fixes failure when upgrading from previous versions of mod-php.
      (LP 1865218)

  * Dropped changes, applied upstream:
    * SECURITY UPDATE: Incorrect encryption data
      - debian/patches/CVE-2020-7069.patch: fix wrong ciphertext/tag
        in AES-CCM encryption for a 12 bytes IV in ext/openssl/openssl.c,
        ext/openssl/tests/cipher_tests.inc, ext/openssl/openssl_*_ccm.phpt.
      - CVE-2020-7069
    * SECURITY UPDATE: Possibly forge cookie
      - debian/patches/CVE-2020-7070.patch: do not decode cookie names anymore
        in main/php_variables.c, tests/basic/022.phpt, tests/basic/023.phpt,
        tests/basic/bug79699.phpt.
      - CVE-2020-7070

Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: moved to Release)
Superseded in groovy-updates
Superseded in groovy-security
php7.4 (7.4.9-1ubuntu1.1) groovy-security; urgency=medium

  * SECURITY UPDATE: Incorrect encryption data
    - debian/patches/CVE-2020-7069.patch: fix wrong ciphertext/tag
      in AES-CCM encryption for a 12 bytes IV in ext/openssl/openssl.c,
      ext/openssl/tests/cipher_tests.inc, ext/openssl/openssl_*_ccm.phpt.
    - CVE-2020-7069
  * SECURITY UPDATE: Possibly forge cookie
    - debian/patches/CVE-2020-7070.patch: do not decode cookie names anymore
      in main/php_variables.c, tests/basic/022.phpt, tests/basic/023.phpt,
      tests/basic/bug79699.phpt.
    - CVE-2020-7070

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 26 Oct 2020 12:17:14 -0300
Superseded in focal-updates
Superseded in focal-security
php7.4 (7.4.3-4ubuntu2.4) focal-security; urgency=medium

  * SECURITY UPDATE: Incorrect encryption data
    - debian/patches/CVE-2020-7069.patch: fix wrong ciphertext/tag
      in AES-CCM encryption for a 12 bytes IV in ext/openssl/openssl.c,
      ext/openssl/tests/cipher_tests.inc, ext/openssl/openssl_*_ccm.phpt.
    - CVE-2020-7069
  * SECURITY UPDATE: Possibly forge cookie
    - debian/patches/CVE-2020-7070.patch: do not decode cookie names anymore
      in main/php_variables.c, tests/basic/022.phpt, tests/basic/023.phpt,
      tests/basic/bug79699.phpt.
    - CVE-2020-7070

 -- <email address hidden> (Leonidas S. Barbosa)  Tue, 06 Oct 2020 12:47:56 -0300
Deleted in focal-proposed (Reason: moved to -updates)
php7.4 (7.4.3-4ubuntu2.3) focal; urgency=medium

  * d/p/0041-Fix-79019-Copied-cURL-handles-upload-empty-file.patch,
    d/p/0042-Fix-79013-Content-Length-missing-when-posting-a-curl.patch:
    Fix issue with cURL causing chunked mode for file transfers.
    (LP: #1887826)

 -- Bryce Harrington <email address hidden>  Thu, 03 Sep 2020 13:06:34 -0700
Superseded in hirsute-release
Obsolete in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
php7.4 (7.4.9-1ubuntu1) groovy; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - d/control, d/control.in: Conflict with mod-php from php7.2 and
      php7.3 to ensure safe upgrade path for apache2.
      (LP #1850933)
    - libapache2-mod-php.postinst.extra: Disable other mod-php versions.
      Fixes failure when upgrading from previous versions of mod-php.
      (LP 1865218)
  * Dropped:
    - SECURITY UPDATE: Denial of service through oversized memory allocated
      + debian/patches/CVE-2019-11048.patch: changes types int to size_t
        in main/rfc1867.c.
      + CVE-2019-11048
      [Fixed in 7.4.6]

 -- Bryce Harrington <email address hidden>  Fri, 21 Aug 2020 16:31:19 -0700
Superseded in groovy-proposed
php7.4 (7.4.5-1ubuntu3) groovy; urgency=medium

  * No change rebuild against new libffi ABI.

 -- Dimitri John Ledkov <email address hidden>  Thu, 20 Aug 2020 13:42:12 +0100
Superseded in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
php7.4 (7.4.5-1ubuntu2) groovy; urgency=medium

  * No-change rebuild against libicu67

 -- Steve Langasek <email address hidden>  Tue, 28 Jul 2020 16:14:33 +0000
Superseded in groovy-proposed
php7.4 (7.4.5-1ubuntu1) groovy; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - d/control, d/control.in: Conflict with mod-php from php7.2 and
      php7.3 to ensure safe upgrade path for apache2.
      (Fixes LP #1850933)
    - libapache2-mod-php.postinst.extra: Disable other mod-php versions.
      Fixes failure when upgrading from previous versions of mod-php.
      (LP 1865218)
    - SECURITY UPDATE: Denial of service through oversized memory allocated
      + debian/patches/CVE-2019-11048.patch: changes types int to size_t
        in main/rfc1867.c.
      + CVE-2019-11048
  * Fixes from upstream included in merge:
    - Content-Length missing when posting a curlFile with curl
      (LP: #1887826)
  * Dropped:
    - SECURITY UPDATE: Read one byte of uninitialized memory
      + debian/patches/CVE-2020-7064.patch: check length in
        exif_process_TIFF_in_JPEG to avoid read uninitialized memory
        ext/exif/exif.c, ext/exif/tests/bug79282.phpt.
      + CVE-2020-7064
      [Fixed in 7.4.5-1]
    - SECURITY UPDATE: Memory corruption, crash and potentially code execution
      + debian/patches/CVE-2020-7065.patch: make sure that negative values are
        properly compared in ext/mbstring/php_unicode.c,
        ext/mbstring/tests/bug70371.phpt.
      + CVE-2020-7065
      [Fixed in 7.4.5-1]
    - SECURITY UPDATE: Truncated url due to \0
      + debian/patches/CVE-2020-7066.patch: check for get_headers
        not accepting \0 in ext/standard/url.c.
      + CVE-2020-7066
      [Fixed in 7.4.5-1]

 -- Bryce Harrington <email address hidden>  Thu, 16 Jul 2020 13:20:11 -0700

Superseded in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
php7.4 (7.4.3-4ubuntu4) groovy; urgency=medium

  * SECURITY UPDATE: Denial of service through oversized memory allocated
    - debian/patches/CVE-2019-11048.patch: changes types int to size_t
      in main/rfc1867.c.
    - CVE-2019-11048

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 25 May 2020 09:41:37 -0300

Superseded in focal-updates
Superseded in focal-security
php7.4 (7.4.3-4ubuntu2.2) focal-security; urgency=medium

  * SECURITY UPDATE: Denial of service through oversized memory allocated
    - debian/patches/CVE-2019-11048.patch: changes types int to size_t
      in main/rfc1867.c.
    - CVE-2019-11048

 -- <email address hidden> (Leonidas S. Barbosa)  Tue, 26 May 2020 09:24:22 -0300
Superseded in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
php7.4 (7.4.3-4ubuntu3) groovy; urgency=medium

  * libapache2-mod-php.postinst.extra: Disable other mod-php versions.
    Fixes failure when upgrading from previous versions of mod-php.
    (LP: #1865218)

 -- Bryce Harrington <email address hidden>  Tue, 21 Apr 2020 23:04:30 +0000
Deleted in focal-proposed (Reason: moved to -updates)
php7.4 (7.4.3-4ubuntu2.1) focal; urgency=medium

  * libapache2-mod-php.postinst.extra: Disable other mod-php versions.
    Fixes failure when upgrading from previous versions of mod-php.
    (LP: #1865218)

 -- Bryce Harrington <email address hidden>  Tue, 21 Apr 2020 23:04:30 +0000

Superseded in focal-updates
Superseded in focal-security
php7.4 (7.4.3-4ubuntu1.1) focal-security; urgency=medium

  * SECURITY UPDATE: Read one byte of uninitialized memory
    - debian/patches/CVE-2020-7064.patch: check length in
      exif_process_TIFF_in_JPEG to avoid read uninitialized memory
      ext/exif/exif.c, ext/exif/tests/bug79282.phpt.
    - CVE-2020-7064
  * SECURITY UPDATE: Memory corruption, crash and potentially code execution
    - debian/patches/CVE-2020-7065.patch: make sure that negative values are
      properly compared in ext/mbstring/php_unicode.c,
      ext/mbstring/tests/bug70371.phpt.
    - CVE-2020-7065
  * SECURITY UPDATE: Truncated url due to \0
    - debian/patches/CVE-2020-7066.patch: check for get_headers
      not accepting \0 in ext/standard/url.c.
    - CVE-2020-7066

 -- <email address hidden> (Leonidas S. Barbosa)  Tue, 05 May 2020 09:14:27 -0300
Superseded in groovy-proposed
Deleted in focal-proposed (Reason: Will be re-uploaded via -security by the security team)
php7.4 (7.4.3-4ubuntu2) focal; urgency=medium

  * SECURITY UPDATE: Read one byte of uninitialized memory
    - debian/patches/CVE-2020-7064.patch: check length in
      exif_process_TIFF_in_JPEG to avoid read uninitialized memory
      ext/exif/exif.c, ext/exif/tests/bug79282.phpt.
    - CVE-2020-7064
  * SECURITY UPDATE: Memory corruption, crash and potentially code execution
    - debian/patches/CVE-2020-7065.patch: make sure that negative values are
      properly compared in ext/mbstring/php_unicode.c,
      ext/mbstring/tests/bug70371.phpt.
    - CVE-2020-7065
  * SECURITY UPDATE: Truncated url due to \0
    - debian/patches/CVE-2020-7066.patch: check for get_headers
      not accepting \0 in ext/standard/url.c.
    - CVE-2020-7066

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 13 Apr 2020 09:32:06 -0300

Superseded in groovy-release
Published in focal-release
Deleted in focal-proposed (Reason: moved to Release)
php7.4 (7.4.3-4ubuntu1) focal; urgency=medium

  * d/control, d/control.in: Conflict with mod-php from php7.2 and
    php7.3 to ensure safe upgrade path for apache2.
    (Fixes LP: #1850933)

 -- Bryce Harrington <email address hidden>  Thu, 26 Mar 2020 20:24:23 +0000

Superseded in focal-release
Deleted in focal-proposed (Reason: moved to Release)
php7.4 (7.4.3-4build2) focal; urgency=medium

  * No-change rebuild for icu soname change.

 -- Matthias Klose <email address hidden>  Tue, 03 Mar 2020 21:34:56 +0100

Superseded in focal-release
Deleted in focal-proposed (Reason: moved to Release)
php7.4 (7.4.3-4build1) focal; urgency=medium

  * No-change rebuild to enable build for i386

 -- Steve Langasek <email address hidden>  Tue, 25 Feb 2020 14:37:54 -0800
Superseded in focal-proposed
Superseded in focal-proposed
php7.4 (7.4.3-4) unstable; urgency=medium

  * Remove /etc/init/php@PHP_VERSION@-fpm.conf, not
    /etc/init/php@PHP_VERSION@.conf (Closes: #951745)

 -- Ondřej Surý <email address hidden>  Sun, 23 Feb 2020 08:07:28 +0100

Superseded in focal-proposed
php7.4 (7.4.3-3) unstable; urgency=medium

  * Fixup upstart removal (missing prepare-files update) (Closes: #951745)

 -- Ondřej Surý <email address hidden>  Fri, 21 Feb 2020 18:01:35 +0100

Superseded in focal-proposed
php7.4 (7.4.3-1) unstable; urgency=medium

  * Remove upstart support, use systemd-tmpfiles to create tmpfiles
    (Closes: #923032)
  * New upstream version 7.4.3

 -- Ondřej Surý <email address hidden>  Thu, 20 Feb 2020 13:12:06 +0100
Superseded in focal-proposed
php7.4 (7.4.2-7build1) focal; urgency=medium

  * No-change rebuild for icu soname change.

 -- Matthias Klose <email address hidden>  Thu, 13 Feb 2020 09:08:09 +0100
Superseded in focal-proposed
php7.4 (7.4.2-7) unstable; urgency=medium

  * Add a note about PIDFile= and pid= match in php-fpm.conf
  * Silently ignore errors from update-alternatives in php-fpm.service

 -- Ondřej Surý <email address hidden>  Sat, 08 Feb 2020 13:04:50 +0100

Superseded in focal-proposed
php7.4 (7.4.1-1) unstable; urgency=medium

  * Update d/watch for final release
  * New upstream version 7.4.1

 -- Ondřej Surý <email address hidden>  Wed, 18 Dec 2019 15:42:42 +0100