[ubuntu/wily-proposed] php5 5.6.9+dfsg-1ubuntu1 (Accepted)
Marc Deslauriers
marc.deslauriers at ubuntu.com
Mon Jul 6 17:21:16 UTC 2015
php5 (5.6.9+dfsg-1ubuntu1) wily; urgency=medium
* Merge from Debian. Remaining changes:
- d/control: drop Build-Depends that are in universe: firebird-dev,
libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
- d/rules: drop configuration of packages that are in universe: qdgm, onig.
- d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
interbase or firebird.
- d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt
since we have separate versions in universe.
- d/modulelist: drop imap, interbase and mcrypt since we have separate
versions in universe.
- d/rules: drop configuration of imap and mcrypt since we have separate
versions in universe.
- d/source_php5.py, d/rules: add apport hook.
- d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
as only the latter is in main.
* Dropped changes:
- patches included in new upstream version: CVE-2014-9427.patch,
CVE-2014-9652.patch, CVE-2015-0231.patch, CVE-2015-0232.patch,
CVE-2015-1351.patch, CVE-2015-1352.patch, remove_readelf.patch,
CVE-2014-9705.patch, CVE-2015-0273.patch, CVE-2015-2301.patch,
CVE-2015-2305.patch, CVE-2015-2331.patch, CVE-2015-2348.patch,
CVE-2015-2787.patch, CVE-2015-2783.patch, bug69218.patch,
bug69441.patch.
* SECURITY UPDATE: more missing file path null byte checks
- debian/patches/CVE-2015-4598.patch: add missing checks to
ext/dom/document.c, ext/gd/gd.c, fix test in
ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt.
- CVE-2015-4598
* SECURITY UPDATE: arbitrary code execution via ftp server long reply to
a LIST command
- debian/patches/CVE-2015-4643.patch: prevent overflow check bypass in
ext/ftp/ftp.c.
- CVE-2015-4643
* SECURITY UPDATE: denial of service via php_pgsql_meta_data
- debian/patches/CVE-2015-4644.patch: check return value in
ext/pgsql/pgsql.c, add test to ext/pgsql/pg_insert_002.phpt.
- CVE-2015-4644
php5 (5.6.9+dfsg-1) unstable; urgency=medium
* New upstream version 5.6.9+dfsg
- Core:
. Fixed bug #69467 (Wrong checked for the interface by using Trait).
. Fixed bug #69420 (Invalid read in zend_std_get_method).
. Fixed bug #60022 ("use statement [...] has no effect" depends on
leading backslash).
. Fixed bug #67314 (Segmentation fault in gc_remove_zval_from_buffer).
. Fixed bug #68652 (segmentation fault in destructor).
. Fixed bug #69419 (Returning compatible sub generator produces a
warning).
. Fixed bug #69472 (php_sys_readlink ignores misc errors from
GetFinalPathNameByHandleA).
. Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability).
. Fixed bug #69403 (str_repeat() sign mismatch based memory corruption).
. Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+).
. Fixed bug #69522 (heap buffer overflow in unpack()).
- FTP:
. Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in
heap overflow).
- ODBC:
. Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0).
. Fixed bug #69474 (ODBC: Query with same field name from two tables
returns incorrect result).
. Fixed bug #69381 (out of memory with sage odbc driver).
- OpenSSL:
. Fixed bug #69402 (Reading empty SSL stream hangs until timeout).
- PCNTL:
. Fixed bug #68598 (pcntl_exec() should not allow null char).
- PCRE
. Upgraded pcrelib to 8.37.
- Phar:
. Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry
filename starts with null).
* Rebased patches on top of 5.6.9+dfsg version
php5 (5.6.8+dfsg-1) unstable; urgency=medium
* New upstream version 5.6.8+dfsg
- Core:
. Fixed bug #66609 (php crashes with __get() and ++ operator in some cases).
(Dmitry, Laruence)
. Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8
characters). (Tjerk)
. Fixed bug #68917 (parse_url fails on some partial urls). (Wei Dai)
. Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM
configuration options). (Anatol Belski)
. Additional fix for bug #69152 (Type confusion vulnerability in
exception::getTraceAsString). (Stas)
. Fixed bug #69210 (serialize function return corrupted data when sleep has
non-string values). (Juan Basso)
. Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in
__call/... arg passing). (Nikita)
. Fixed bug #69221 (Segmentation fault when using a generator in combination
with an Iterator). (Nikita)
. Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion
vulnerability). (Stas)
. Fixed bug #69353 (Missing null byte checks for paths in various PHP
extensions). (Stas)
- Apache2handler:
. Fixed bug #69218 (potential remote code execution with apache 2.4
apache2handler). (Gerrit Venema)
- cURL:
. Implemented FR#69278 (HTTP2 support). (Masaki Kagaya)
. Fixed bug #68739 (Missing break / control flow). (Laruence)
. Fixed bug #69316 (Use-after-free in php_curl related to
CURLOPT_FILE/_INFILE/_WRITEHEADER). (Laruence)
- Date:
. Fixed bug #69336 (Issues with "last day of <monthname>"). (Derick Rethans)
- Enchant:
. Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows
builds). (Anatol)
- Ereg:
. Fixed bug #68740 (NULL Pointer Dereference). (Laruence)
- Fileinfo:
. Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or
segfault). (Anatol Belski)
- Filter:
. Fixed bug #69202: (FILTER_FLAG_STRIP_BACKTICK ignored unless other
flags are used). (Jeff Welch)
. Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127). (Jeff
Welch)
- OPCache:
. Fixed bug #69297 (function_exists strange behavior with OPCache on
disabled function). (Laruence)
. Fixed bug #69281 (opcache_is_script_cached no longer works). (danack)
. Fixed bug #68677 (Use After Free). (CVE-2015-1351) (Laruence)
- OpenSSL
. Fixed bugs #68853, #65137 (Buffered crypto stream data breaks IO polling
in stream_select() contexts) (Chris Wright)
. Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly)
(Daniel Lowrey)
. Fixed bug #69215 (Crypto servers should send client CA list)
(Daniel Lowrey)
. Add a check for RAND_egd to allow compiling against LibreSSL (Leigh)
- Phar:
. Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar).
(Mike)
. Fixed bug #64931 (phar_add_file is too restrictive on filename). (Mike)
. Fixed bug #65467 (Call to undefined method cli_arg_typ_string). (Mike)
. Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing
".tar"). (Mike)
. Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (Stas)
. Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in
phar_set_inode). (Stas)
- Postgres:
. Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352) (Laruence)
- SPL:
. Fixed bug #69227 (Use after free in zval_scan caused by
spl_object_storage_get_gc). (adam dot scarr at 99designs dot com)
- SOAP:
. Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader
(bisected, regression)). (Laruence)
- Sqlite3:
. Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception).
(Dan Ackroyd)
. Fixed bug #69287 (Upgrade bundled libsqlite to 3.8.8.3). (Anatol)
. Fixed bug #66550 (SQLite prepared statement use-after-free). (Sean Heelan)
* Update d/gbp.conf to new config style
* Update patches for 5.6.8 release
* Switch to gbp pq patch management
php5 (5.6.7+dfsg-1) unstable; urgency=medium
* New upstream version 5.6.7+dfsg
- Core:
. Fixed bug #69174 (leaks when unused inner class use traits
precedence).
. Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize).
. Fixed bug #69121 (Segfault in get_current_user when script owner is
not in passwd with ZTS build).
. Fixed bug #65593 (Segfault when calling ob_start from output
buffering callback).
. Fixed bug #68986 (pointer returned by
php_stream_fopen_temporary_file not validated in memory.c).
. Fixed bug #68166 (Exception with invalid character causes segv).
. Fixed bug #69141 (Missing arguments in reflection info for some
builtin functions).
. Fixed bug #68976 (Use After Free Vulnerability in unserialize())
(CVE-2015-0231).
. Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM
configuration options).
. Fixed bug #69207 (move_uploaded_file allows nulls in path).
- CGI:
. Fixed bug #69015 (php-cgi's getopt does not see $argv).
- CLI:
. Fixed bug #67741 (auto_prepend_file messes up __LINE__).
- cURL:
. Fixed bug #69088 (PHP_MINIT_FUNCTION does not fully initialize cURL
on Win32).
. Add CURLPROXY_SOCKS4A and CURLPROXY_SOCKS5_HOSTNAME constants if
supported by libcurl.
- Ereg:
. Fixed bug #69248 (heap overflow vulnerability in regcomp.c)
(CVE-2015-2305).
- FPM:
. Fixed bug #68822 (request time is reset too early).
- ODBC:
. Fixed bug #68964 (Allowed memory size exhausted with odbc_exec).
- Opcache:
. Fixed bug #69159 (Opcache causes problem when passing a variable
variable to a function).
. Fixed bug #69125 (Array numeric string as key).
. Fixed bug #69038 (switch(SOMECONSTANT) misbehaves).
- OpenSSL:
. Fixed bug #68912 (Segmentation fault at openssl_spki_new).
. Fixed bug #61285, #68329, #68046, #41631 (encrypted streams don't
observe socket timeouts).
. Fixed bug #68920 (use strict peer_fingerprint input checks)
. Fixed bug #68879 (IP Address fields in subjectAltNames not used)
. Fixed bug #68265 (SAN match fails with trailing DNS dot)
. Fixed bug #67403 (Add signatureType to openssl_x509_parse)
. Fixed bug (#69195 Inconsistent stream crypto values across versions)
- pgsql:
. Fixed bug #68638 (pg_update() fails to store infinite values).
- Readline:
. Fixed bug #69054 (Null dereference in
readline_(read|write)_history() without parameters).
- SOAP:
. Fixed bug #69085 (SoapClient's __call() type confusion through
unserialize()).
- SPL:
. Fixed bug #69108 ("Segmentation fault" when (de)serializing
SplObjectStorage).
. Fixed bug #68557 (RecursiveDirectoryIterator::seek(0) broken after
calling getChildren()).
- ZIP:
. Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap
boundary) (CVE-2015-2331).
* Refresh patches for 5.6.7 release
* Pull a patch to fix SQL_DESC_OCTET_LENGTH not supported by ADS ODBC
driver (PHP#68350) from Debian wheezy PHP 5.4 branch
* Fix PHP segfault in zend_hash_find (PHP#68486)
* Move PEAR-Builder-print-info-about-php5-dev.patch to debian/ as it's
not a quilt patch
php5 (5.6.6+dfsg-2) unstable; urgency=medium
* Fix use after free in 'opcache' component of PHP (CVE-2015-1351)
* Fix NULL Pointer Deference in pgsql (CVE-2015-1352) (Closes: #777033)
php5 (5.6.6+dfsg-1) unstable; urgency=medium
* New upstream version 5.6.6+dfsg
* Pull patch from DragonFly BSD Project to limit the pattern space to
avoid a 32-bit overflow in Henry Spencer regular expressions (regex)
library (Closes: #778389)
* Update patches for 5.6.6 release
php5 (5.6.5+dfsg-2) unstable; urgency=high
* Add patch to revert upstream commit on feof that broke Horde and
others (Courtesy of Mike Gabriel) (Closes: #778374)
php5 (5.6.5+dfsg-1) unstable; urgency=medium
* New upstream version 5.6.5+dfsg
* Security vulnerabilities fixed:
+ Core
- Fixed bug #68710 (Use After Free Vulnerability in PHP's
unserialize()). (CVE-2015-0231)
+ CGI:
- Fixed bug #68618 (out of bounds read crashes
php-cgi). (CVE-2014-9427)
+ EXIF:
- Fixed bug #68799: Free called on unitialized
pointer. (CVE-2015-0232)
* Update patches for 5.6.5 release
Date: Mon, 06 Jul 2015 09:05:05 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/php5/5.6.9+dfsg-1ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 06 Jul 2015 09:05:05 -0400
Source: php5
Binary: php5 php5-common libapache2-mod-php5 libapache2-mod-php5filter php5-cgi php5-cli php5-phpdbg php5-fpm libphp5-embed php5-dev php5-dbg php-pear php5-curl php5-enchant php5-gd php5-gmp php5-intl php5-ldap php5-readline php5-mysql php5-mysqlnd php5-odbc php5-pgsql php5-pspell php5-recode php5-snmp php5-sqlite php5-sybase php5-tidy php5-xmlrpc php5-xsl
Architecture: source
Version: 5.6.9+dfsg-1ubuntu1
Distribution: wily
Urgency: high
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Description:
libapache2-mod-php5 - server-side, HTML-embedded scripting language (Apache 2 module)
libapache2-mod-php5filter - server-side, HTML-embedded scripting language (apache 2 filter mo
libphp5-embed - HTML-embedded scripting language (Embedded SAPI library)
php-pear - PEAR - PHP Extension and Application Repository
php5 - server-side, HTML-embedded scripting language (metapackage)
php5-cgi - server-side, HTML-embedded scripting language (CGI binary)
php5-cli - command-line interpreter for the php5 scripting language
php5-common - Common files for packages built from the php5 source
php5-curl - CURL module for php5
php5-dbg - Debug symbols for PHP5
php5-dev - Files for PHP5 module development
php5-enchant - Enchant module for php5
php5-fpm - server-side, HTML-embedded scripting language (FPM-CGI binary)
php5-gd - GD module for php5
php5-gmp - GMP module for php5
php5-intl - internationalisation module for php5
php5-ldap - LDAP module for php5
php5-mysql - MySQL module for php5
php5-mysqlnd - MySQL module for php5 (Native Driver)
php5-odbc - ODBC module for php5
php5-pgsql - PostgreSQL module for php5
php5-phpdbg - server-side, HTML-embedded scripting language (PHPDBG binary)
php5-pspell - pspell module for php5
php5-readline - Readline module for php5
php5-recode - recode module for php5
php5-snmp - SNMP module for php5
php5-sqlite - SQLite module for php5
php5-sybase - Sybase / MS SQL Server module for php5
php5-tidy - tidy module for php5
php5-xmlrpc - XML-RPC module for php5
php5-xsl - XSL module for php5
Closes: 777033 778374 778389
Changes:
php5 (5.6.9+dfsg-1ubuntu1) wily; urgency=medium
.
* Merge from Debian. Remaining changes:
- d/control: drop Build-Depends that are in universe: firebird-dev,
libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
- d/rules: drop configuration of packages that are in universe: qdgm, onig.
- d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
interbase or firebird.
- d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt
since we have separate versions in universe.
- d/modulelist: drop imap, interbase and mcrypt since we have separate
versions in universe.
- d/rules: drop configuration of imap and mcrypt since we have separate
versions in universe.
- d/source_php5.py, d/rules: add apport hook.
- d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
as only the latter is in main.
* Dropped changes:
- patches included in new upstream version: CVE-2014-9427.patch,
CVE-2014-9652.patch, CVE-2015-0231.patch, CVE-2015-0232.patch,
CVE-2015-1351.patch, CVE-2015-1352.patch, remove_readelf.patch,
CVE-2014-9705.patch, CVE-2015-0273.patch, CVE-2015-2301.patch,
CVE-2015-2305.patch, CVE-2015-2331.patch, CVE-2015-2348.patch,
CVE-2015-2787.patch, CVE-2015-2783.patch, bug69218.patch,
bug69441.patch.
* SECURITY UPDATE: more missing file path null byte checks
- debian/patches/CVE-2015-4598.patch: add missing checks to
ext/dom/document.c, ext/gd/gd.c, fix test in
ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt.
- CVE-2015-4598
* SECURITY UPDATE: arbitrary code execution via ftp server long reply to
a LIST command
- debian/patches/CVE-2015-4643.patch: prevent overflow check bypass in
ext/ftp/ftp.c.
- CVE-2015-4643
* SECURITY UPDATE: denial of service via php_pgsql_meta_data
- debian/patches/CVE-2015-4644.patch: check return value in
ext/pgsql/pgsql.c, add test to ext/pgsql/pg_insert_002.phpt.
- CVE-2015-4644
.
php5 (5.6.9+dfsg-1) unstable; urgency=medium
.
* New upstream version 5.6.9+dfsg
- Core:
. Fixed bug #69467 (Wrong checked for the interface by using Trait).
. Fixed bug #69420 (Invalid read in zend_std_get_method).
. Fixed bug #60022 ("use statement [...] has no effect" depends on
leading backslash).
. Fixed bug #67314 (Segmentation fault in gc_remove_zval_from_buffer).
. Fixed bug #68652 (segmentation fault in destructor).
. Fixed bug #69419 (Returning compatible sub generator produces a
warning).
. Fixed bug #69472 (php_sys_readlink ignores misc errors from
GetFinalPathNameByHandleA).
. Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability).
. Fixed bug #69403 (str_repeat() sign mismatch based memory corruption).
. Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+).
. Fixed bug #69522 (heap buffer overflow in unpack()).
- FTP:
. Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in
heap overflow).
- ODBC:
. Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0).
. Fixed bug #69474 (ODBC: Query with same field name from two tables
returns incorrect result).
. Fixed bug #69381 (out of memory with sage odbc driver).
- OpenSSL:
. Fixed bug #69402 (Reading empty SSL stream hangs until timeout).
- PCNTL:
. Fixed bug #68598 (pcntl_exec() should not allow null char).
- PCRE
. Upgraded pcrelib to 8.37.
- Phar:
. Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry
filename starts with null).
* Rebased patches on top of 5.6.9+dfsg version
.
php5 (5.6.8+dfsg-1) unstable; urgency=medium
.
* New upstream version 5.6.8+dfsg
- Core:
. Fixed bug #66609 (php crashes with __get() and ++ operator in some cases).
(Dmitry, Laruence)
. Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8
characters). (Tjerk)
. Fixed bug #68917 (parse_url fails on some partial urls). (Wei Dai)
. Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM
configuration options). (Anatol Belski)
. Additional fix for bug #69152 (Type confusion vulnerability in
exception::getTraceAsString). (Stas)
. Fixed bug #69210 (serialize function return corrupted data when sleep has
non-string values). (Juan Basso)
. Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in
__call/... arg passing). (Nikita)
. Fixed bug #69221 (Segmentation fault when using a generator in combination
with an Iterator). (Nikita)
. Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion
vulnerability). (Stas)
. Fixed bug #69353 (Missing null byte checks for paths in various PHP
extensions). (Stas)
- Apache2handler:
. Fixed bug #69218 (potential remote code execution with apache 2.4
apache2handler). (Gerrit Venema)
- cURL:
. Implemented FR#69278 (HTTP2 support). (Masaki Kagaya)
. Fixed bug #68739 (Missing break / control flow). (Laruence)
. Fixed bug #69316 (Use-after-free in php_curl related to
CURLOPT_FILE/_INFILE/_WRITEHEADER). (Laruence)
- Date:
. Fixed bug #69336 (Issues with "last day of <monthname>"). (Derick Rethans)
- Enchant:
. Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows
builds). (Anatol)
- Ereg:
. Fixed bug #68740 (NULL Pointer Dereference). (Laruence)
- Fileinfo:
. Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or
segfault). (Anatol Belski)
- Filter:
. Fixed bug #69202: (FILTER_FLAG_STRIP_BACKTICK ignored unless other
flags are used). (Jeff Welch)
. Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127). (Jeff
Welch)
- OPCache:
. Fixed bug #69297 (function_exists strange behavior with OPCache on
disabled function). (Laruence)
. Fixed bug #69281 (opcache_is_script_cached no longer works). (danack)
. Fixed bug #68677 (Use After Free). (CVE-2015-1351) (Laruence)
- OpenSSL
. Fixed bugs #68853, #65137 (Buffered crypto stream data breaks IO polling
in stream_select() contexts) (Chris Wright)
. Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly)
(Daniel Lowrey)
. Fixed bug #69215 (Crypto servers should send client CA list)
(Daniel Lowrey)
. Add a check for RAND_egd to allow compiling against LibreSSL (Leigh)
- Phar:
. Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar).
(Mike)
. Fixed bug #64931 (phar_add_file is too restrictive on filename). (Mike)
. Fixed bug #65467 (Call to undefined method cli_arg_typ_string). (Mike)
. Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing
".tar"). (Mike)
. Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (Stas)
. Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in
phar_set_inode). (Stas)
- Postgres:
. Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352) (Laruence)
- SPL:
. Fixed bug #69227 (Use after free in zval_scan caused by
spl_object_storage_get_gc). (adam dot scarr at 99designs dot com)
- SOAP:
. Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader
(bisected, regression)). (Laruence)
- Sqlite3:
. Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception).
(Dan Ackroyd)
. Fixed bug #69287 (Upgrade bundled libsqlite to 3.8.8.3). (Anatol)
. Fixed bug #66550 (SQLite prepared statement use-after-free). (Sean Heelan)
* Update d/gbp.conf to new config style
* Update patches for 5.6.8 release
* Switch to gbp pq patch management
.
php5 (5.6.7+dfsg-1) unstable; urgency=medium
.
* New upstream version 5.6.7+dfsg
- Core:
. Fixed bug #69174 (leaks when unused inner class use traits
precedence).
. Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize).
. Fixed bug #69121 (Segfault in get_current_user when script owner is
not in passwd with ZTS build).
. Fixed bug #65593 (Segfault when calling ob_start from output
buffering callback).
. Fixed bug #68986 (pointer returned by
php_stream_fopen_temporary_file not validated in memory.c).
. Fixed bug #68166 (Exception with invalid character causes segv).
. Fixed bug #69141 (Missing arguments in reflection info for some
builtin functions).
. Fixed bug #68976 (Use After Free Vulnerability in unserialize())
(CVE-2015-0231).
. Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM
configuration options).
. Fixed bug #69207 (move_uploaded_file allows nulls in path).
- CGI:
. Fixed bug #69015 (php-cgi's getopt does not see $argv).
- CLI:
. Fixed bug #67741 (auto_prepend_file messes up __LINE__).
- cURL:
. Fixed bug #69088 (PHP_MINIT_FUNCTION does not fully initialize cURL
on Win32).
. Add CURLPROXY_SOCKS4A and CURLPROXY_SOCKS5_HOSTNAME constants if
supported by libcurl.
- Ereg:
. Fixed bug #69248 (heap overflow vulnerability in regcomp.c)
(CVE-2015-2305).
- FPM:
. Fixed bug #68822 (request time is reset too early).
- ODBC:
. Fixed bug #68964 (Allowed memory size exhausted with odbc_exec).
- Opcache:
. Fixed bug #69159 (Opcache causes problem when passing a variable
variable to a function).
. Fixed bug #69125 (Array numeric string as key).
. Fixed bug #69038 (switch(SOMECONSTANT) misbehaves).
- OpenSSL:
. Fixed bug #68912 (Segmentation fault at openssl_spki_new).
. Fixed bug #61285, #68329, #68046, #41631 (encrypted streams don't
observe socket timeouts).
. Fixed bug #68920 (use strict peer_fingerprint input checks)
. Fixed bug #68879 (IP Address fields in subjectAltNames not used)
. Fixed bug #68265 (SAN match fails with trailing DNS dot)
. Fixed bug #67403 (Add signatureType to openssl_x509_parse)
. Fixed bug (#69195 Inconsistent stream crypto values across versions)
- pgsql:
. Fixed bug #68638 (pg_update() fails to store infinite values).
- Readline:
. Fixed bug #69054 (Null dereference in
readline_(read|write)_history() without parameters).
- SOAP:
. Fixed bug #69085 (SoapClient's __call() type confusion through
unserialize()).
- SPL:
. Fixed bug #69108 ("Segmentation fault" when (de)serializing
SplObjectStorage).
. Fixed bug #68557 (RecursiveDirectoryIterator::seek(0) broken after
calling getChildren()).
- ZIP:
. Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap
boundary) (CVE-2015-2331).
* Refresh patches for 5.6.7 release
* Pull a patch to fix SQL_DESC_OCTET_LENGTH not supported by ADS ODBC
driver (PHP#68350) from Debian wheezy PHP 5.4 branch
* Fix PHP segfault in zend_hash_find (PHP#68486)
* Move PEAR-Builder-print-info-about-php5-dev.patch to debian/ as it's
not a quilt patch
.
php5 (5.6.6+dfsg-2) unstable; urgency=medium
.
* Fix use after free in 'opcache' component of PHP (CVE-2015-1351)
* Fix NULL Pointer Deference in pgsql (CVE-2015-1352) (Closes: #777033)
.
php5 (5.6.6+dfsg-1) unstable; urgency=medium
.
* New upstream version 5.6.6+dfsg
* Pull patch from DragonFly BSD Project to limit the pattern space to
avoid a 32-bit overflow in Henry Spencer regular expressions (regex)
library (Closes: #778389)
* Update patches for 5.6.6 release
.
php5 (5.6.5+dfsg-2) unstable; urgency=high
.
* Add patch to revert upstream commit on feof that broke Horde and
others (Courtesy of Mike Gabriel) (Closes: #778374)
.
php5 (5.6.5+dfsg-1) unstable; urgency=medium
.
* New upstream version 5.6.5+dfsg
* Security vulnerabilities fixed:
+ Core
- Fixed bug #68710 (Use After Free Vulnerability in PHP's
unserialize()). (CVE-2015-0231)
+ CGI:
- Fixed bug #68618 (out of bounds read crashes
php-cgi). (CVE-2014-9427)
+ EXIF:
- Fixed bug #68799: Free called on unitialized
pointer. (CVE-2015-0232)
* Update patches for 5.6.5 release
Checksums-Sha1:
50cd6484d1fe588933f16f0f50bfaa28ef581b4a 4767 php5_5.6.9+dfsg-1ubuntu1.dsc
1567c69b53e3297e7e66a15f4aea4bbc1983754f 11479356 php5_5.6.9+dfsg.orig.tar.xz
1b2ae08f356200012389b0c2dd59b9de85ab9abd 133168 php5_5.6.9+dfsg-1ubuntu1.debian.tar.xz
Checksums-Sha256:
5eaf3ca8a81c20e999eb931a4c954f585ddf6ee0fb11f9c8203641a1c2644cbf 4767 php5_5.6.9+dfsg-1ubuntu1.dsc
f08927dd1bd9d3cf8036dd8564346d38c2fe9e6958b30f3779317f4257e05a0c 11479356 php5_5.6.9+dfsg.orig.tar.xz
e036a314630294257b6356a8d287588560e83fef88b4b798a231580131773097 133168 php5_5.6.9+dfsg-1ubuntu1.debian.tar.xz
Files:
3b6b825cf9564362fa7722467eeac7e3 4767 php optional php5_5.6.9+dfsg-1ubuntu1.dsc
85d0750d97175e496749cdfeb01b9b66 11479356 php optional php5_5.6.9+dfsg.orig.tar.xz
db86e13dba72665847143e306c8381f2 133168 php optional php5_5.6.9+dfsg-1ubuntu1.debian.tar.xz
Original-Maintainer: Debian PHP Maintainers <pkg-php-maint at lists.alioth.debian.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJVmreoAAoJEGVp2FWnRL6TU0EP/R05Bs+6EV+CHbdRpW3O60aB
+h01c/iD9HE7PAl2EoVMhb9j0YYxorozUR7UmIjqEcZ26PKjNdel9P5uDz7+YmVU
cleFApuUBDpYJdPCuQKGwEVTqsLhvx/6iCQSmh2utntvE0OfL22bXYuCPwAwCFug
/DRkZ+4Ll8FlTSlPLTg/H8R3inlzFBFnH9F1eK2KApFWxbwwHB21zou4Ae0doI9A
9ehLoBtLs7MB+O1sskr4WlzXdQZheoxdBTXl2mX5n8xtdfmsRwZhI74NJ0stzqLx
X9t5QlWANmPo0qPwYfRMyOAQ5dVEJZdfh1bezVU1eqYHBxUWQVyDNsBAcfhkdWeY
DrYgtB1cidTr76ZVvIdFw/pDTNTO3lFFg1QwYX6Yto2sFeMOP+HqzYIYXWuxIYk4
Hxcr9WB/ghBz6cFsqbmBTc1wN5K/Zmi2vWoHAyKN5CmPzy7YmbcKKOHGC1FeyfYK
00ZlqOyK560Z/1sqbelhIvN039sdgq/mPRu08KOuvysLndmbKEQNVK4htCmQyJdW
6il2p/84AGeb8pVyby8O/mJQ2wJaYA6VZZu3OlEJmDPN4m6gzqXccih3JrBejrlw
5qnnQOdEeeIt4gPN2PHgHIHPHrHsGEStOySTDeh3XZpg6ulJ73938d58Rys7thWA
f3zHDv8M0Xt1OiLzyoD+
=nhYY
-----END PGP SIGNATURE-----
More information about the Wily-changes
mailing list