diff -pruN 5.6.17+dfsg-3/debian/changelog 5.6.17+dfsg-3ubuntu1/debian/changelog --- 5.6.17+dfsg-3/debian/changelog 2016-01-15 09:47:44.000000000 +0000 +++ 5.6.17+dfsg-3ubuntu1/debian/changelog 2016-01-21 19:32:58.000000000 +0000 @@ -1,3 +1,22 @@ +php5 (5.6.17+dfsg-3ubuntu1) xenial; urgency=medium + + * Merge from Debian. Remaining changes: + - Drop support for firebird, c-client, mcrypt, onig and qdbm as they + are in universe: + + d/control: drop Build-Depends on firebird-dev, libc-client-dev, + libmcrypt-dev, libonig-dev, libqdbm-dev. + + d/control: drop binary packages php5-imap, php5-interbase and + php5-mcrypt and their reverse dependencies. + + d/rules: drop configuration of qdgm, onig, imap, mcrypt. + + d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't + build interbase or firebird. + + d/modulelist: drop imap, interbase and mcrypt. + - d/control: switch Build-Depends of netcat-traditional to + netcat-openbsd as only the latter is in main. + - d/source_php5.py, d/rules: add apport hook. + + -- Marc Deslauriers Thu, 21 Jan 2016 14:32:01 -0500 + php5 (5.6.17+dfsg-3) unstable; urgency=medium * Fail gracefully when other PHP module is enabled in Apache2 @@ -51,6 +70,25 @@ php5 (5.6.16+dfsg-2) unstable; urgency=m -- Ondřej Surý Mon, 07 Dec 2015 17:15:51 +0100 +php5 (5.6.16+dfsg-1ubuntu1) xenial; urgency=medium + + * Merge from Debian. Remaining changes: + - Drop support for firebird, c-client, mcrypt, onig and qdbm as they + are in universe: + + d/control: drop Build-Depends on firebird-dev, libc-client-dev, + libmcrypt-dev, libonig-dev, libqdbm-dev. + + d/control: drop binary packages php5-imap, php5-interbase and + php5-mcrypt and their reverse dependencies. + + d/rules: drop configuration of qdgm, onig, imap, mcrypt. + + d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't + build interbase or firebird. + + d/modulelist: drop imap, interbase and mcrypt. + - d/control: switch Build-Depends of netcat-traditional to + netcat-openbsd as only the latter is in main. + - d/source_php5.py, d/rules: add apport hook. + + -- Marc Deslauriers Thu, 03 Dec 2015 09:57:24 -0500 + php5 (5.6.16+dfsg-1) unstable; urgency=medium * Imported Upstream version 5.6.16+dfsg @@ -101,6 +139,31 @@ php5 (5.6.15+dfsg-1) unstable; urgency=m -- Ondřej Surý Wed, 11 Nov 2015 12:00:46 +0100 +php5 (5.6.14+dfsg-1ubuntu1) xenial; urgency=medium + + * Merge from Debian. Remaining changes: + - Drop support for firebird, c-client, mcrypt, onig and qdbm as they + are in universe: + + d/control: drop Build-Depends on firebird-dev, libc-client-dev, + libmcrypt-dev, libonig-dev, libqdbm-dev. + + d/control: drop binary packages php5-imap, php5-interbase and + php5-mcrypt and their reverse dependencies. + + d/rules: drop configuration of qdgm, onig, imap, mcrypt. + + d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't + build interbase or firebird. + + d/modulelist: drop imap, interbase and mcrypt. + - d/control: switch Build-Depends of netcat-traditional to + netcat-openbsd as only the latter is in main. + - d/source_php5.py, d/rules: add apport hook. + * Drop changes (patches included upstream): + - CVE-2015-6831-1.patch, CVE-2015-6831-2.patch, CVE-2015-6831-3.patch, + CVE-2015-6832.patch, CVE-2015-6833-1.patch, CVE-2015-6833-2.patch, + CVE-2015-6834-1.patch, CVE-2015-6834-2.patch, CVE-2015-6834-3.patch, + CVE-2015-6835-1.patch, CVE-2015-6835-2.patch, CVE-2015-6836.patch, + CVE-2015-6837-6838.patch + + -- Marc Deslauriers Fri, 30 Oct 2015 11:44:07 -0400 + php5 (5.6.14+dfsg-1) unstable; urgency=medium * Imported Upstream version 5.6.14+dfsg @@ -166,6 +229,84 @@ php5 (5.6.12+dfsg-1) unstable; urgency=m -- Ondřej Surý Sun, 16 Aug 2015 10:34:01 +0200 +php5 (5.6.11+dfsg-1ubuntu3) wily; urgency=medium + + * SECURITY UPDATE: multiple use-after-free issues in unserialize() + - debian/patches/CVE-2015-6831-1.patch: fix SPLArrayObject in + ext/spl/spl_array.c, added test to ext/spl/tests/bug70166.phpt. + - debian/patches/CVE-2015-6831-2.patch: fix SplObjectStorage in + ext/spl/spl_observer.c, added test to ext/spl/tests/bug70168.phpt. + - debian/patches/CVE-2015-6831-3.patch: fix SplDoublyLinkedList in + ext/spl/spl_dllist.c, added test to ext/spl/tests/bug70169.phpt. + - CVE-2015-6831 + * SECURITY UPDATE: dangling pointer in the unserialization of ArrayObject + items + - debian/patches/CVE-2015-6832.patch: fix dangling pointer in + ext/spl/spl_array.c, added test to ext/spl/tests/bug70068.phpt. + - CVE-2015-6832 + * SECURITY UPDATE: phar files extracted outside of destination dir + - debian/patches/CVE-2015-6833-1.patch: limit extracted files to given + directory in ext/phar/phar_object.c. + - debian/patches/CVE-2015-6833-2.patch: use emalloc in + ext/phar/phar_object.c. + - CVE-2015-6833 + * SECURITY UPDATE: multiple vulnerabilities in unserialize() + - debian/patches/CVE-2015-6834-1.patch: fix use-after-free in + ext/standard/var.c, ext/standard/var_unserializer.*. + - debian/patches/CVE-2015-6834-2.patch: fix use-after-free in + ext/spl/spl_observer.c, added test to ext/spl/tests/bug70365.phpt. + - debian/patches/CVE-2015-6834-3.patch: fix use-after-free in + ext/spl/spl_dllist.c, added test to ext/spl/tests/bug70366.phpt. + - CVE-2015-6834 + * SECURITY UPDATE: use after free in session deserializer + - debian/patches/CVE-2015-6835-1.patch: fix use after free in + ext/session/session.c, ext/standard/var_unserializer.* + fixed tests in ext/session/tests/session_decode_error2.phpt, + ext/session/tests/session_decode_variation3.phpt. + - debian/patches/CVE-2015-6835-2.patch: add more fixes to + ext/session/session.c. + - CVE-2015-6835 + * SECURITY UPDATE: SOAP serialize_function_call() type confusion + - debian/patches/CVE-2015-6836.patch: check type in ext/soap/soap.c, + added test to ext/soap/tests/bug70388.phpt. + - CVE-2015-6836 + * SECURITY UPDATE: NULL pointer dereference in XSLTProcessor class + - debian/patches/CVE-2015-6837-6838.patch: fix logic in + ext/xsl/xsltprocessor.c. + - CVE-2015-6837 + - CVE-2015-6838 + + -- Marc Deslauriers Mon, 28 Sep 2015 07:26:44 -0400 + +php5 (5.6.11+dfsg-1ubuntu2) wily; urgency=medium + + * No-change rebuild against new libicu + + -- Iain Lane Wed, 05 Aug 2015 17:41:17 +0100 + +php5 (5.6.11+dfsg-1ubuntu1) wily; urgency=medium + + * Merge from Debian. Remaining changes: + - Drop support for firebird, c-client, mcrypt, onig and qdbm as they + are in universe: + + d/control: drop Build-Depends on firebird-dev, libc-client-dev, + libmcrypt-dev, libonig-dev, libqdbm-dev. + + d/control: drop binary packages php5-imap, php5-interbase and + php5-mcrypt and their reverse dependencies. + + d/rules: drop configuration of qdgm, onig, imap, mcrypt. + + d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't + build interbase or firebird. + + d/modulelist: drop imap, interbase and mcrypt. + - d/control: switch Build-Depends of netcat-traditional to + netcat-openbsd as only the latter is in main. + - d/source_php5.py, d/rules: add apport hook. + * New upstream version uses __builtin_clzl when __powerpc__ is defined, + improving performance on POWER systems (LP: #1458434). + * Drop changes (patches included upstream): CVE-2015-4598.patch, + CVE-2015-4643.patch, CVE-2015-4644.patch. + + -- Robie Basak Mon, 27 Jul 2015 11:15:34 +0000 + php5 (5.6.11+dfsg-1) unstable; urgency=medium * New upstream version 5.6.11+dfsg @@ -223,6 +364,48 @@ php5 (5.6.10+dfsg-1) unstable; urgency=m -- Ondřej Surý Mon, 15 Jun 2015 09:18:33 +0200 +php5 (5.6.9+dfsg-1ubuntu1) wily; urgency=medium + + * Merge from Debian. Remaining changes: + - d/control: drop Build-Depends that are in universe: firebird-dev, + libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev. + - d/rules: drop configuration of packages that are in universe: qdgm, onig. + - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build + interbase or firebird. + - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt + since we have separate versions in universe. + - d/modulelist: drop imap, interbase and mcrypt since we have separate + versions in universe. + - d/rules: drop configuration of imap and mcrypt since we have separate + versions in universe. + - d/source_php5.py, d/rules: add apport hook. + - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd + as only the latter is in main. + * Dropped changes: + - patches included in new upstream version: CVE-2014-9427.patch, + CVE-2014-9652.patch, CVE-2015-0231.patch, CVE-2015-0232.patch, + CVE-2015-1351.patch, CVE-2015-1352.patch, remove_readelf.patch, + CVE-2014-9705.patch, CVE-2015-0273.patch, CVE-2015-2301.patch, + CVE-2015-2305.patch, CVE-2015-2331.patch, CVE-2015-2348.patch, + CVE-2015-2787.patch, CVE-2015-2783.patch, bug69218.patch, + bug69441.patch. + * SECURITY UPDATE: more missing file path null byte checks + - debian/patches/CVE-2015-4598.patch: add missing checks to + ext/dom/document.c, ext/gd/gd.c, fix test in + ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt. + - CVE-2015-4598 + * SECURITY UPDATE: arbitrary code execution via ftp server long reply to + a LIST command + - debian/patches/CVE-2015-4643.patch: prevent overflow check bypass in + ext/ftp/ftp.c. + - CVE-2015-4643 + * SECURITY UPDATE: denial of service via php_pgsql_meta_data + - debian/patches/CVE-2015-4644.patch: check return value in + ext/pgsql/pgsql.c, add test to ext/pgsql/pg_insert_002.phpt. + - CVE-2015-4644 + + -- Marc Deslauriers Mon, 06 Jul 2015 09:05:05 -0400 + php5 (5.6.9+dfsg-1) unstable; urgency=medium * New upstream version 5.6.9+dfsg @@ -467,6 +650,144 @@ php5 (5.6.5+dfsg-1) unstable; urgency=me -- Ondřej Surý Mon, 26 Jan 2015 12:00:58 +0100 +php5 (5.6.4+dfsg-4ubuntu6) vivid; urgency=medium + + * SECURITY UPDATE: potential remote code execution vulnerability when + used with the Apache 2.4 apache2handler + - debian/patches/bug69218.patch: perform proper cleanup in + sapi/apache2handler/sapi_apache2.c. + - CVE number pending + * SECURITY UPDATE: buffer overflow when parsing tar/zip/phar + - debian/patches/bug69441.patch: check lengths in + ext/phar/phar_internal.h. + - CVE number pending + * SECURITY UPDATE: buffer overflow in unserialize when parsing Phar + - debian/patches/CVE-2015-2783.patch: properly check lengths in + ext/phar/phar.c, ext/phar/phar_internal.h. + - CVE-2015-2783 + + -- Marc Deslauriers Fri, 17 Apr 2015 05:15:49 -0400 + +php5 (5.6.4+dfsg-4ubuntu5) vivid; urgency=medium + + * SECURITY UPDATE: move_uploaded_file filename restriction bypass + - debian/patches/CVE-2015-2348.patch: handle nulls in + ext/standard/basic_functions.c. + - CVE-2015-2348 + * SECURITY UPDATE: arbitrary code exection via process_nested_data + use-after-free + - debian/patches/CVE-2015-2787.patch: fix logic in + ext/standard/var_unserializer.*. + - CVE-2015-2787 + + -- Marc Deslauriers Thu, 02 Apr 2015 08:06:41 -0400 + +php5 (5.6.4+dfsg-4ubuntu4) vivid; urgency=medium + + * SECURITY UPDATE: heap overflow in regexp library + - debian/patches/CVE-2015-2305.patch: check for overflow in + ext/ereg/regex/regcomp.c. + - CVE-2015-2305 + * SECURITY UPDATE: integer overflow in zip module + - debian/patches/CVE-2015-2331.patch: check for overflow in + ext/zip/lib/zip_dirent.c. + - CVE-2015-2331 + + -- Marc Deslauriers Tue, 24 Mar 2015 15:12:32 -0400 + +php5 (5.6.4+dfsg-4ubuntu3) vivid; urgency=medium + + * SECURITY UPDATE: denial of service or possible code execution in + enchant + - debian/patches/CVE-2014-9705.patch: handle position better in + ext/enchant/enchant.c. + - CVE-2014-9705 + * SECURITY UPDATE: arbitrary code execution via use after free in + unserialize() with DateTimeZone and DateTime + - debian/patches/CVE-2015-0273.patch: fix use after free in + ext/date/php_date.c, added tests to ext/date/tests/bug68942.phpt, + ext/date/tests/bug68942_2.phpt. + - CVE-2015-0273 + * SECURITY UPDATE: denial of service or possible code execution in phar + - debian/patches/CVE-2015-2301.patch: fix use after free in + ext/phar/phar_object.c. + - CVE-2015-2301 + + -- Marc Deslauriers Mon, 16 Mar 2015 13:21:17 -0400 + +php5 (5.6.4+dfsg-4ubuntu2) vivid; urgency=medium + + * SECURITY UPDATE: out of bounds read via invalid php file + - debian/patches/CVE-2014-9427.patch: fix bounds in + sapi/cgi/cgi_main.c. + - CVE-2014-9427 + * SECURITY UPDATE: out of bounds read in fileinfo + - debian/patches/CVE-2014-9652.patch: properly check length in + ext/fileinfo/libmagic/softmagic.c. + - CVE-2014-9652 + * SECURITY UPDATE: arbitrary code execution via improper handling of + duplicate keys in unserializer, additional fix + - debian/patches/CVE-2015-0231.patch: fix use after free in + ext/standard/var_unserializer.*, added test to + ext/standard/tests/strings/bug68710.phpt. + - CVE-2015-0231 + * SECURITY UPDATE: arbitrary code execution or denial of service via + crafted EXIF data + - debian/patches/CVE-2015-0232.patch: fix uninitialized pointer free in + ext/exif/exif.c. + - CVE-2015-0232 + * SECURITY UPDATE: use after free in opcache component + - debian/patches/CVE-2015-1351.patch: fix use after free in + ext/opcache/zend_shared_alloc.c. + - CVE-2015-1351 + * SECURITY UPDATE: null pointer dereference in pgsql + - debian/patches/CVE-2015-1352.patch: properly set valid token in + ext/pgsql/pgsql.c. + - CVE-2015-1352 + * debian/patches/remove_readelf.patch: remove readelf.c from fileinfo as + it isn't used, and is a source of confusion when doing security + updates. + + -- Marc Deslauriers Tue, 17 Feb 2015 15:47:51 -0500 + +php5 (5.6.4+dfsg-4ubuntu1) vivid; urgency=medium + + * Merge from Debian testing (LP: #1411811). Remaining changes: + - d/control: drop Build-Depends that are in universe: firebird-dev, + libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev. + - d/rules: drop configuration of packages that are in universe: qdgm, onig. + - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build + interbase or firebird. + - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt + since we have separate versions in universe. + - d/modulelist: drop imap, interbase and mcrypt since we have separate + versions in universe. + - d/rules: drop configuration of imap and mcrypt since we have separate + versions in universe. + - d/source_php5.py, d/rules: add apport hook. + - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd + as only the latter is in main. + * Drop changes: + - Reported fixed in upstream release of 5.6.0: quilt patches for + CVE-2014-0237, CVE-2014-0238, CVE-2014-4049, CVE-2014-0207, + CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487, + CVE-2014-3515, CVE-2014-4670, CVE-2014-4698, CVE-2014-4721, + CVE-2014-3587 and CVE-2014-3597, and d/p/fix_systemd_ftbfs.patch. + - Reported fixed in upstream release of 5.6.2: quilt patches for + CVE-2014-3668, CVE-2014-3669 and CVE-2014-3670, and + d/p/curl_embedded_null.patch. + - Reported fixed in upstream release of 5.6.3: quilt patch for + CVE-2014-3710. + - Applied in Debian: + + d/rules: stop mysql instance on clean just in case we failed in + tests. + + d/tests/{cgi,cli,mod-php}: dep8 tests for common use cases. + + d/rules: export DEB_HOST_MULTIARCH properly. + + d/rules: load dpkg-buildflags earlier, so that CFLAGS changes are not + overridden. + + -- Robie Basak Tue, 27 Jan 2015 12:09:42 +0000 + php5 (5.6.4+dfsg-4) unstable; urgency=medium * Disable tests on ppc64* to workaround crashing mysql-server on ppc64el @@ -771,6 +1092,145 @@ php5 (5.6.0~alpha1+dfsg-1) experimental; -- Ondřej Surý Tue, 28 Jan 2014 13:47:52 +0100 +php5 (5.5.12+dfsg-2ubuntu5) vivid; urgency=medium + + * SECURITY UPDATE: denial of service via buffer overflow in mkgmtime() + - debian/patches/CVE-2014-3668.patch: properly handle sizes in + ext/xmlrpc/libxmlrpc/xmlrpc.c, added test to + ext/xmlrpc/tests/bug68027.phpt. + - CVE-2014-3668 + * SECURITY UPDATE: integer overflow in unserialize() + - debian/patches/CVE-2014-3669.patch: fix overflow in + ext/standard/var_unserializer.{c,re}, added test to + ext/standard/tests/serialize/bug68044.phpt. + - CVE-2014-3669 + * SECURITY UPDATE: Heap corruption in exif_thumbnail() + - debian/patches/CVE-2014-3670.patch: fix sizes in ext/exif/exif.c. + - CVE-2014-3670 + * SECURITY UPDATE: out of bounds read in elf note headers in fileinfo() + - debian/patches/CVE-2014-3710.patch: validate note headers in + ext/fileinfo/libmagic/readelf.c. + - CVE-2014-3710 + * SECURITY UPDATE: local file disclosure via curl NULL byte injection + - debian/patches/curl_embedded_null.patch: don't accept curl options + with embedded NULLs in ext/curl/interface.c, added test to + ext/curl/tests/bug68089.phpt. + - No CVE number + * Fix FTBFS with systemd version in vivid + - debian/patches/fix_systemd_ftbfs.patch: improve detection logic in + sapi/fpm/config.m4. + + -- Marc Deslauriers Wed, 29 Oct 2014 11:56:11 -0400 + +php5 (5.5.12+dfsg-2ubuntu4) utopic; urgency=medium + + * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info + - debian/patches/CVE-2014-3587.patch: check for array under-runs as well + as over-runs in ext/fileinfo/libmagic/cdf.c + - CVE-2014-3587 + * SECURITY UPDATE: denial of service in dns_get_record + - debian/patches/CVE-2014-3597.patch: check for DNS overflows in + ext/standard/dns.c + - CVE-2014-3587 + + -- Seth Arnold Wed, 03 Sep 2014 23:27:47 -0700 + +php5 (5.5.12+dfsg-2ubuntu3) utopic; urgency=medium + + * SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector + - debian/patches/CVE-2014-0207.patch: properly calculate sizes in + ext/fileinfo/libmagic/cdf.c. + - CVE-2014-0207 + * SECURITY UPDATE: denial of service in FileInfo mconvert + - debian/patches/CVE-2014-3478.patch: properly handle truncated pascal + string size in ext/fileinfo/libmagic/softmagic.c. + - CVE-2014-3478 + * SECURITY UPDATE: denial of service in FileInfo cdf_check_stream_offset + - debian/patches/CVE-2014-3479.patch: properly calculate sizes in + ext/fileinfo/libmagic/cdf.c. + - CVE-2014-3479 + * SECURITY UPDATE: denial of service in FileInfo cdf_count_chain + - debian/patches/CVE-2014-3480.patch: properly calculate sizes in + ext/fileinfo/libmagic/cdf.c. + - CVE-2014-3480 + * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info + - debian/patches/CVE-2014-3487.patch: properly calculate sizes in + ext/fileinfo/libmagic/cdf.c. + - CVE-2014-3487 + * SECURITY UPDATE: denial of service and possible code execution via + unserialize() SPL type confusion + - debian/patches/CVE-2014-3515.patch: properly check types in + ext/spl/spl_array.c, ext/spl/spl_observer.c, added test to + ext/spl/tests/SplObjectStorage_unserialize_bad.phpt. + - CVE-2014-3515 + * SECURITY UPDATE: denial of service via SPL Iterators use-after-free + - debian/patches/CVE-2014-4670.patch: fix use-after-free in + ext/spl/spl_dllist.c, added test to ext/spl/tests/bug67538.phpt. + - CVE-2014-4670 + * SECURITY UPDATE: denial of service via ArrayIterator use-after-free + - debian/patches/CVE-2014-4698.patch: don't allow modifying ArrayObject + during sorting in ext/spl/spl_array.c, added test to + ext/spl/tests/bug67539.phpt. + - CVE-2014-4698 + * SECURITY UPDATE: information leak via phpinfo (LP: #1338170) + - debian/patches/CVE-2014-4721.patch: fix type confusion in + ext/standard/info.c, added test to + ext/standard/tests/general_functions/bug67498.phpt. + - CVE-2014-4721 + + -- Marc Deslauriers Wed, 09 Jul 2014 13:00:04 -0400 + +php5 (5.5.12+dfsg-2ubuntu2) utopic; urgency=medium + + * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info + - debian/patches/CVE-2014-0237.patch: remove file_printf calls in + ext/fileinfo/libmagic/cdf.c. + - CVE-2014-0237 + * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info + - debian/patches/CVE-2014-0238.patch: fix infinite loop in + ext/fileinfo/libmagic/cdf.c. + - CVE-2014-0238 + * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record + parsing + - debian/patches/CVE-2014-4049.patch: check length in + ext/standard/dns.c. + - CVE-2014-4049 + + -- Marc Deslauriers Thu, 19 Jun 2014 13:21:19 -0400 + +php5 (5.5.12+dfsg-2ubuntu1) utopic; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - d/control: drop Build-Depends that are in universe: firebird-dev, + libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev. + - d/rules: drop configuration of packages that are in universe: qdgm, onig. + - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build + interbase or firebird. + - d/rules: export DEB_HOST_MULTIARCH properly. + - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt + since we have separate versions in universe. + - d/modulelist: drop imap, interbase and mcrypt since we have separate + versions in universe. + - d/rules: drop configuration of imap and mcrypt since we have separate + versions in universe. + - d/source_php5.py, d/rules: add apport hook. + - d/rules: stop mysql instance on clean just in case we failed in tests. + - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd + as only the latter is in main. + - debian/rules: re-enable tests + - d/tests/{cgi,cli,mod-php}: dep8 tests for common use cases. + - d/rules: load dpkg-buildflags earlier, so that CFLAGS changes are not + overridden. + * Drop changes (upstreamed / in-Debian): + - CVE-2014-2270, CVE-2013-1943, imageconvolution-regression.patch: + included in this merge + * Drop changes (no longer needed): + - d/rules, d/control: re-add use of dh_systemd as it is in main now. + - php5-fpm.upstart: re-add "reload signal USR2" stanza, LTS was + released. + + -- Dimitri John Ledkov Wed, 21 May 2014 13:21:08 +0100 + php5 (5.5.11+dfsg-3) unstable; urgency=medium * Add ~ to ${source:Version} everywhere, so backports don't break @@ -819,6 +1279,68 @@ php5 (5.5.10+dfsg-1) unstable; urgency=l -- Ondřej Surý Thu, 27 Mar 2014 14:07:57 +0100 +php5 (5.5.9+dfsg-1ubuntu4) trusty; urgency=medium + + * Comment out "reload signal USR2" stanza from php5-fpm to make the job + compatible with Precise upstart, when it's still running as pid1 + during upgrade to trusty and before the restart. We'd rather support + shorter down-time then reload interface. (LP: #1272788) + + -- Dimitri John Ledkov Wed, 09 Apr 2014 16:23:30 +0100 + +php5 (5.5.9+dfsg-1ubuntu3) trusty; urgency=medium + + * SECURITY UPDATE: denial of service in fileinfo via crafted offset in + PE executable + - debian/patches/CVE-2014-2270.patch: check bounds in + ext/fileinfo/libmagic/softmagic.c. + - CVE-2014-2270 + + -- Marc Deslauriers Thu, 03 Apr 2014 15:12:10 -0400 + +php5 (5.5.9+dfsg-1ubuntu2) trusty; urgency=medium + + * SECURITY UPDATE: denial of service via crafted indirect offset value + in fileinfo + - debian/patches/CVE-2013-1943.patch: properly handle recursion in + ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added + test to ext/fileinfo/tests/cve-2014-1943.phpt. + - CVE-2013-1943 + * debian/patches/imageconvolution-regression.patch: fix regression in + imageconvolution caused by security fix in 5.5.9. + + -- Marc Deslauriers Mon, 03 Mar 2014 13:42:25 -0500 + +php5 (5.5.9+dfsg-1ubuntu1) trusty; urgency=medium + + * Merge from Debian testing. Remaining changes: + - d/control: drop Build-Depends that are in universe: firebird-dev, + libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev. + - d/rules: drop configuration of packages that are in universe: qdgm, onig. + - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build + interbase or firebird. + - d/rules: export DEB_HOST_MULTIARCH properly. + - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt + since we have separate versions in universe. + - d/modulelist: drop imap, interbase and mcrypt since we have separate + versions in universe. + - d/rules: drop configuration of imap and mcrypt since we have separate + versions in universe. + - d/source_php5.py, d/rules: add apport hook. + - d/rules: stop mysql instance on clean just in case we failed in tests. + - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd + as only the latter is in main. + - d/rules, d/control: drop use of dh_systemd as it is in universe. + - debian/rules: re-enable tests + - d/tests/{cgi,cli,mod-php}: dep8 tests for common use cases. + * Drop changes (upstreamed to Debian): + - d/p/use-system-timezone.patch, d/tests/system-timezone: use system + timezone by default, instead of requiring it to be configured. + * d/rules: load dpkg-buildflags earlier, so that CFLAGS changes are not + overridden (LP: #1280044). + + -- Robie Basak Mon, 17 Feb 2014 16:58:27 +0000 + php5 (5.5.9+dfsg-1) unstable; urgency=medium * New upstream version 5.5.9+dfsg @@ -834,6 +1356,45 @@ php5 (5.5.8+dfsg-3) unstable; urgency=lo -- Ondřej Surý Fri, 24 Jan 2014 09:59:36 +0100 +php5 (5.5.8+dfsg-2ubuntu1) trusty; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - d/control: drop Build-Depends that are in universe: firebird-dev, + libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev. + - d/rules: drop configuration of packages that are in universe: qdgm, + onig. + - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build + interbase or firebird. + - d/rules: export DEB_HOST_MULTIARCH properly. + - d/control: drop binary packages php5-imap, php5-interbase and + php5-mcrypt since we have separate versions in universe. + - d/modulelist: drop imap, interbase and mcrypt since we have separate + versions in universe. + - d/rules: drop configuration of imap and mcrypt since we have separate + versions in universe. + - d/source_php5.py, d/rules: add apport hook. + - d/rules: stop mysql instance on clean just in case we failed in tests. + - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd + as only the latter is in main. + - d/rules, d/control: drop use of dh_systemd as it is in universe. + - debian/rules: re-enable tests + * Previously undocumented changes: + - d/tests/{cgi,cli,mod_php}: dep8 tests for common use cases. + * Drop changes: + - d/p/{CVE-2013-6420,CVE-2013-6712,fix-freetype-ftbfs}.patch: upstreamed. + - d/control: relegate php5-json and pkg-php-tools from Recommends to + Suggests as they are in universe: php5-json and pkg-php-tools are now in + main (LP: #1242726). + - d/control, d/rules: re-enable libedit-dev: libedit-dev is now enabled in + Debian. + * d/tests/mod-php: rename from mod_php; the previous name was illegal. + * d/tests/{cgi,mod-php}: use new default Apache DocumentRoot /var/www/html. + * d/p/use-system-timezone.patch, d/tests/system-timezone: use system + timezone by default, instead of requiring it to be configured. + (LP: #1244343). + + -- Robie Basak Tue, 21 Jan 2014 15:40:58 +0000 + php5 (5.5.8+dfsg-2) unstable; urgency=medium * Re-enable dtrace only on architectures that support it @@ -871,6 +1432,53 @@ php5 (5.5.6+dfsg-2) unstable; urgency=hi -- Ondřej Surý Thu, 12 Dec 2013 11:07:11 +0100 +php5 (5.5.6+dfsg-1ubuntu2) trusty; urgency=medium + + * No change rebuild against libicu52 + + -- Dimitri John Ledkov Sat, 28 Dec 2013 05:16:26 +0000 + +php5 (5.5.6+dfsg-1ubuntu1) trusty; urgency=low + + * Merge from Debian unstable. Remaining changes: + - d/control: drop Build-Depends that are in universe: firebird-dev, + libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev. + - d/rules: drop configuration of packages that are in universe: qdgm, + onig. + - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build + interbase or firebird. + - d/rules: export DEB_HOST_MULTIARCH properly. + - d/control: drop binary packages php5-imap, php5-interbase and + php5-mcrypt since we have separate versions in universe. + - d/modulelist: drop imap, interbase and mcrypt since we have separate + versions in universe. + - d/rules: drop configuration of imap and mcrypt since we have separate + versions in universe. + - d/source_php5.py, d/rules: add apport hook. + - d/rules: stop mysql instance on clean just in case we failed in tests. + - d/control, d/rules: re-enable libedit-dev. + - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd + as only the latter is in main. + - d/rules, d/control: drop use of dh_systemd as it is in universe. + - d/control: relegate php5-json and pkg-php-tools from Recommends to + Suggests as they are in universe. + * Dropped changes: + - d/p/crash_in_get_zval_ptr_ptr_var.patch: upstream + * SECURITY UPDATE: denial of service and possible code execution via + malicious certificate + - debian/patches/CVE-2013-6420.patch: properly validate timestr in + ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*. + - CVE-2013-6420 + * SECURITY UPDATE: denial of service via crafted interval specification + - debian/patches/CVE-2013-6712.patch: check error_count in + ext/date/lib/parse_iso_intervals.*. + - CVE-2013-6712 + * debian/patches/fix-freetype-ftbfs.patch: fix compilation with newer + freetype + * debian/rules: re-enable tests + + -- Marc Deslauriers Thu, 12 Dec 2013 11:54:36 -0500 + php5 (5.5.6+dfsg-1) unstable; urgency=low [ Lior Kaplan ] @@ -914,6 +1522,46 @@ php5 (5.5.4+dfsg-1) unstable; urgency=lo -- Ondřej Surý Fri, 27 Sep 2013 11:32:38 +0200 +php5 (5.5.3+dfsg-1ubuntu3) trusty; urgency=low + + * No change rebuild against db 5.3. + + -- Dmitrijs Ledkovs Sat, 02 Nov 2013 20:03:00 +0000 + +php5 (5.5.3+dfsg-1ubuntu2) saucy; urgency=low + + * d/p/crash_in_get_zval_ptr_ptr_var.patch: cherry-pick from upstream to fix + segfault (LP: #1236733). + + -- Robie Basak Wed, 09 Oct 2013 11:29:29 +0000 + +php5 (5.5.3+dfsg-1ubuntu1) saucy; urgency=low + + * Merge from Debian unstable. Remaining changes: + - d/control: drop Build-Depends that are in universe: firebird-dev, + libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev. + - d/rules: drop configuration of packages that are in universe: qdgm, + onig. + - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build + interbase or firebird. + - d/rules: export DEB_HOST_MULTIARCH properly. + - d/control: drop binary packages php5-imap, php5-interbase and + php5-mcrypt since we have separate versions in universe. + - d/modulelist: drop imap, interbase and mcrypt since we have separate + versions in universe. + - d/rules: drop configuration of imap and mcrypt since we have separate + versions in universe. + - d/source_php5.py, d/rules: add apport hook. + - d/rules: stop mysql instance on clean just in case we failed in tests. + - d/control, d/rules: re-enable libedit-dev. + - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd + as only the latter is in main. + - d/rules, d/control: drop use of dh_systemd as it is in universe. + - d/control: relegate php5-json and pkg-php-tools from Recommends to + Suggests as they are in universe. + + -- Marc Deslauriers Wed, 04 Sep 2013 08:24:35 -0400 + php5 (5.5.3+dfsg-1) unstable; urgency=low * New upstream version 5.5.3+dfs @@ -942,6 +1590,33 @@ php5 (5.5.1+dfsg-2) unstable; urgency=lo -- Ondřej Surý Mon, 05 Aug 2013 15:58:01 +0200 +php5 (5.5.1+dfsg-1ubuntu1) saucy; urgency=low + + * Merge from Debian unstable. Remaining changes: + - d/control: drop Build-Depends that are in universe: firebird-dev, + libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev. + - d/rules: drop configuration of packages that are in universe: qdgm, + onig. + - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build + interbase or firebird. + - d/rules: export DEB_HOST_MULTIARCH properly. + - d/control: drop binary packages php5-imap, php5-interbase and + php5-mcrypt since we have separate versions in universe. + - d/modulelist: drop imap, interbase and mcrypt since we have separate + versions in universe. + - d/rules: drop configuration of imap and mcrypt since we have separate + versions in universe. + - d/source_php5.py, d/rules: add apport hook. + - d/rules: stop mysql instance on clean just in case we failed in tests. + - d/control, d/rules: re-enable libedit-dev. + - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd + as only the latter is in main. + - d/rules, d/control: drop use of dh_systemd as it is in universe. + - d/control: relegate php5-json and pkg-php-tools from Recommends to + Suggests as they are in universe. + + -- Marc Deslauriers Wed, 24 Jul 2013 09:28:07 -0400 + php5 (5.5.1+dfsg-1) unstable; urgency=low * New upstream version 5.5.1+dfsg @@ -949,12 +1624,46 @@ php5 (5.5.1+dfsg-1) unstable; urgency=lo -- Ondřej Surý Mon, 22 Jul 2013 08:25:19 +0200 +php5 (5.5.0+dfsg-15ubuntu1) saucy; urgency=low + + * Merged from Debian unstable to get security fix. + + -- Marc Deslauriers Thu, 18 Jul 2013 11:48:29 -0400 + php5 (5.5.0+dfsg-15) unstable; urgency=low * CVE-2013-4113: Fix heap corruption in xml parser (Closes: #717139) -- Ondřej Surý Wed, 17 Jul 2013 16:12:39 +0200 +php5 (5.5.0+dfsg-14ubuntu1) saucy; urgency=low + + * Merge from Debian unstable. Remaining changes: + - d/control: drop Build-Depends that are in universe: firebird-dev, + libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev. + - d/rules: drop configuration of packages that are in universe: qdgm, + onig. + - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build + interbase or firebird. + - d/rules: export DEB_HOST_MULTIARCH properly. + - d/control: drop binary packages php5-imap, php5-interbase and + php5-mcrypt since we have separate versions in universe. + - d/modulelist: drop imap, interbase and mcrypt since we have separate + versions in universe. + - d/rules: drop configuration of imap and mcrypt since we have separate + versions in universe. + - d/source_php5.py, d/rules: add apport hook. + - d/rules: stop mysql instance on clean just in case we failed in tests. + - d/control, d/rules: re-enable libedit-dev. + - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd + as only the latter is in main. + - d/rules, d/control: drop use of dh_systemd as it is in universe. + - d/control: relegate php5-json from Recommends to Suggests as it is in + universe. + * Relegate pkg-php-tools Recommends to Suggests as it is in universe. + + -- Robie Basak Wed, 17 Jul 2013 18:00:02 +0000 + php5 (5.5.0+dfsg-14) unstable; urgency=low * Fix FTBFS: Remove symbols file and add an warning about embed SAPI @@ -1063,6 +1772,66 @@ php5 (5.5.0+dfsg-7) unstable; urgency=lo -- Ondřej Surý Tue, 09 Jul 2013 11:37:57 +0200 +php5 (5.5.0+dfsg-6ubuntu1) saucy; urgency=low + + * Merge from Debian unstable. Remaining changes: + - d/control: drop Build-Depends that are in universe: firebird-dev, + libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev. + - d/rules: drop configuration of packages that are in universe: qdgm, + onig. + - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build + interbase or firebird. + - d/rules: export DEB_HOST_MULTIARCH properly. + - d/control: drop binary packages php5-imap, php5-interbase and + php5-mcrypt since we have separate versions in universe. + - d/modulelist: drop imap, interbase and mcrypt since we have separate + versions in universe. + - d/rules: drop configuration of imap and mcrypt since we have separate + versions in universe. + - d/source_php5.py, d/rules: add apport hook. + - d/rules: stop mysql instance on clean just in case we failed in tests. + - d/control, d/rules: re-enable libedit-dev. + * Remaining changes that were previously undocumented: + - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd + as only the latter is in main. + * Drop changes: + - Add build-dependency on lemon, which we now need. This is evidently no + longer required, since there is no sign of it being used in + 5.4.15-1ubuntu3. + - Dropped libcurl-dev not in the archive. libcurl-dev is a virtual + alternative, so doesn't need to be dropped. + - debian/control: replace build-depends on mysql-server with + mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and + mysql-server-5.5 postinst confusion with starting up multiple + mysqlds listening on the same port. The test infrastructure in packaging + has changed, and now breaks without the mysql-server-5.5 postinst having + run and created the mysql user. However, it also finds an available port + itself so no longer conflicts with our mysql-server-5.5 postinst. + - Patches included upstream: + + debian/patches/CVE-2013-2110.patch + + debian/patches/fix_gd_210.patch + + debian/patches/CVE-2013-4635.patch + + debian/patches/CVE-2013-4636.patch + * Drop changes that were previously undocumented: + - d/rules: adjust memory limits in .ini files. It appears that this was + intended to be dropped back in 5.4.6-1ubuntu1, going by the old + changelog entry. + - d/rules: adjust openssl path in configure script. PHP still appears to + configure, detect and build openssl-related components correctly + regardless. + - d/rules: disable parallel builds. There is no previous explanation as to + why this was disabled, and having this in place is standard practice and + in the Debian packaging. + - d/rules: adjust PHP5_{HOST,BUILD}_GNU_TYPE. There is no previous + explanation as to why this was present, and I can't find any regression + that would be fixed by this change. + * New changes: + - d/rules, d/control: drop use of dh_systemd as it is in universe. + - d/control: relegate php5-json from Recommends to Suggests as it is in + universe. + + -- Robie Basak Mon, 15 Jul 2013 14:09:59 +0000 + php5 (5.5.0+dfsg-6) unstable; urgency=low [ Gianfranco Costamagna ] @@ -1330,6 +2099,106 @@ php5 (5.5.0~alpha1-1) experimental; urge -- Ondřej Surý Fri, 16 Nov 2012 15:22:45 +0100 +php5 (5.4.15-1ubuntu3) saucy; urgency=low + + * SECURITY UPDATE: denial of service via overflow in SdnToJewish + - debian/patches/CVE-2013-4635.patch: check value in + ext/calendar/jewish.c, add test to + ext/calendar/tests/jdtojewish64.phpt. + - CVE-2013-4635 + * SECURITY UPDATE: denial of service via incorrect MIME type detection + - debian/patches/CVE-2013-4636.patch: use efree in + ext/fileinfo/libmagic/softmagic.c. + - CVE-2013-4636 + + -- Marc Deslauriers Fri, 28 Jun 2013 08:20:11 -0400 + +php5 (5.4.15-1ubuntu2) saucy; urgency=low + + * SECURITY UPDATE: denial of service and possible code execution via + quoted_printable_encode overflow + - debian/patches/CVE-2013-2110.patch: calculate proper string size in + ext/standard/quot_print.c, add test to + ext/standard/tests/strings/bug64879.phpt. + - CVE-2013-2110 + * debian/patches/fix_gd_210.patch: fix php-gd compatibility with + libgd2 2.1.0. (LP: #1188070) + + -- Marc Deslauriers Tue, 11 Jun 2013 09:19:47 -0400 + +php5 (5.4.15-1ubuntu1) saucy; urgency=low + + * Merge from Debian experimental. Remaining changes: + - d/rules: Simplify apache config settings since we never build + interbase or firebird. + - debian/rules: export DEB_HOST_MULTIARCH properly. + - Add build-dependency on lemon, which we now need. + - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is + in universe. + - Dropped libcurl-dev not in the archive. + - debian/control: replace build-depends on mysql-server with + mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and + mysql-server-5.5 postinst confusion with starting up multiple + mysqlds listening on the same port. + - Dropped php5-imap, php5-interbase, php5-mcrypt since we have + versions already in universe. + - Dropped libonig-dev and libqgdbm since its in universe. (libonig + MIR has been declined due to an inactive upstream. So this is + probably a permanent change). + - modulelist: Drop imap, interbase, sybase, and mcrypt. + - debian/rules: + - Dropped building of mcrypt, imap, and interbase. + - Install apport hook for php5. + - stop mysql instance on clean just in case we failed in tests + - debian/control, debian/rules: Re-enable libedit-dev. + * Dropped changes: + - debian/patches/CVE-2013-1643.patch: included upstream. + + -- Marc Deslauriers Sun, 19 May 2013 19:13:15 -0400 + +php5 (5.4.9-4ubuntu2) raring; urgency=low + + * SECURITY UPDATE: arbitrary file disclosure via XML External Entity + - debian/patches/CVE-2013-1643.patch: disable the entity loader in + ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c. + - CVE-2013-1643 + + -- Marc Deslauriers Fri, 08 Mar 2013 16:12:43 -0500 + +php5 (5.4.9-4ubuntu1) raring; urgency=low + + * Merge from Debian experimental. Remaining changes: + - d/rules: Simplify apache config settings since we never build + interbase or firebird. + - debian/rules: export DEB_HOST_MULTIARCH properly. + - Add build-dependency on lemon, which we now need. + - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is + in universe. + - Dropped libcurl-dev not in the archive. + - debian/control: replace build-depends on mysql-server with + mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and + mysql-server-5.5 postinst confusion with starting up multiple + mysqlds listening on the same port. + - Dropped php5-imap, php5-interbase, php5-mcrypt since we have + versions already in universe. + - Dropped libonig-dev and libqgdbm since its in universe. (libonig + MIR has been declined due to an inactive upstream. So this is + probably a permanent change). + - modulelist: Drop imap, interbase, sybase, and mcrypt. + - debian/rules: + - Dropped building of mcrypt, imap, and interbase. + - Install apport hook for php5. + - stop mysql instance on clean just in case we failed in tests + - debian/control, debian/rules: Re-enable libedit-dev. + * Dropped changes: + - Re-add logic to guess default timezone from system to fix default + timezone regression Cherry-picked from Debian 5.4.4-6 (also in + Debian 5.4.6-2). + - debian/patches/libxml290.patch: Fix FTBFS with libxml 2.9.0. + (included upstream) + + -- Clint Byrum Tue, 04 Dec 2012 13:57:33 -0800 + php5 (5.4.9-2) experimental; urgency=low * Introduce new (hopefully slightly smarter) way of not deleting still @@ -1377,6 +2246,49 @@ php5 (5.4.6-2) experimental; urgency=low -- Ondřej Surý Thu, 30 Aug 2012 13:30:54 +0200 +php5 (5.4.6-1ubuntu2) raring; urgency=low + + [ Robie Basak ] + * Re-add logic to guess default timezone from system to fix default timezone + regression (LP: #1069529). Cherry-picked from Debian 5.4.4-6 (also in + Debian 5.4.6-2). + + [ Marc Deslauriers ] + * debian/patches/libxml290.patch: Fix FTBFS with libxml 2.9.0. + + -- Marc Deslauriers Wed, 07 Nov 2012 11:54:55 -0500 + +php5 (5.4.6-1ubuntu1) quantal; urgency=low + + * Merge from Debian experimental (LP: #1006738 , LP: #1040212) + Remaining changes: + - d/rules: Simplify apache config settings since we never build + interbase or firebird. + - debian/rules: export DEB_HOST_MULTIARCH properly. + - Add build-dependency on lemon, which we now need. + - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is + in universe. + - Dropped libcurl-dev not in the archive. + - debian/control: replace build-depends on mysql-server with + mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and + mysql-server-5.5 postinst confusion with starting up multiple + mysqlds listening on the same port. + - Dropped php5-imap, php5-interbase, php5-mcrypt since we have + versions already in universe. + - Dropped libonig-dev and libqgdbm since its in universe. (libonig + MIR has been declined due to an inactive upstream. So this is + probably a permanent change). + - modulelist: Drop imap, interbase, sybase, and mcrypt. + - debian/rules: + - Dropped building of mcrypt, imap, and interbase. + - Install apport hook for php5. + - stop mysql instance on clean just in case we failed in tests + - debian/control, debian/rules: Re-enable libedit-dev. + * Dropped Changes: + - debian/rules: change memory limits on example .ini files. + + -- Clint Byrum Wed, 22 Aug 2012 13:40:18 -0700 + php5 (5.4.6-1) experimental; urgency=low * Imported Upstream version 5.4.6 @@ -1448,6 +2360,33 @@ php5 (5.4.4-4) unstable; urgency=low -- Ondřej Surý Mon, 06 Aug 2012 13:01:42 +0200 +php5 (5.4.4-3ubuntu1) quantal; urgency=low + + * Merge from Debian unstable. (LP: #1014044) (LP: #1024355) + Remaining changes: + - d/rules: Simplify apache config settings since we never build + interbase or firebird. + - debian/rules: export DEB_HOST_MULTIARCH properly. + - Add build-dependency on lemon, which we now need. + - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. + - Dropped libcurl-dev not in the archive. + - debian/control: replace build-depends on mysql-server with + mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and + mysql-server-5.5 postinst confusion with starting up multiple + mysqlds listening on the same port. + - Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions + already in universe. + - Dropped libonig-dev and libqgdbm since its in universe. (libonig MIR + has been declined due to an inactive upstream. So this is probably + a permanent change). + - modulelist: Drop imap, interbase, sybase, and mcrypt. + - debian/rules: + * Dropped building of mcrypt, imap, and interbase. + * Install apport hook for php5. + * stop mysql instance on clean just in case we failed in tests + + -- Clint Byrum Mon, 23 Jul 2012 11:08:52 -0700 + php5 (5.4.4-3) unstable; urgency=low * Update ucf/ucfr scripts to not conflict between mysql and mysqlnd @@ -1463,6 +2402,58 @@ php5 (5.4.4-2) unstable; urgency=high -- Ondřej Surý Tue, 19 Jun 2012 09:09:13 +0200 +php5 (5.4.4-1ubuntu1) quantal; urgency=low + + * Merge from Debian unstable. Remaining changes: + - d/rules: Simplify apache config settings since we never build + interbase or firebird. + - debian/rules: export DEB_HOST_MULTIARCH properly. + - Add build-dependency on lemon, which we now need. + - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. + - Dropped libcurl-dev not in the archive. + - debian/control: replace build-depends on mysql-server with + mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and + mysql-server-5.5 postinst confusion with starting up multiple + mysqlds listening on the same port. + - Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions + already in universe. + - Dropped libonig-dev and libqgdbm since its in universe. (libonig MIR + has been declined due to an inactive upstream. So this is probably + a permanent change). + - modulelist: Drop imap, interbase, sybase, and mcrypt. + - debian/rules: + * Dropped building of mcrypt, imap, and interbase. + * Install apport hook for php5. + * stop mysql instance on clean just in case we failed in tests + * Dropped Changes: + * d/rules: enable Suhosin patch with PHP5_SUHOSIN=yes -- Upstream suhosin + has been slow to adopt PHP 5.4, and is showing signs of disengagement. + Therefore, we will follow Debian's lead and drop Suhosin for now. + - d/control: build-depend on mysql 5.5 instead of 5.1 for running tests. + -- Debian just deps on mysql-server + - Suggest php5-suhosin rather than recommends. -- Dropping suhosin + - d/setup-mysql.sh: modify to work with mysql 5.5 differences -- superseded + in Debian. + - Only build php5-sqlite for sqlite3, dropping the obsolete sqlite2. -- + superseded in Debian + - d/maxlifetime: Improve maxlifetime script to scan for more SAPIs and + scan all *.ini in conf.d directory. -- Change came from Debian + - d/libapache2-mod-php5.postinst,libapache2-mod-php5filter.postinst: + Restart apache on first install to ensure module is fully enabled. + -- Change came from Debian + - debian/patches/php5-CVE-2012-1823.patch: filter query strings that + are prefixed with '-' -- Fixed upstream + - debian/control: Recommend php5-dev for php-pear. -- This was a poorly + conceived idea anyway. + - Pre-Depend on a new enough version of dpkg for dpkg-maintscript-helper + rather than checking whether it exists at run-time, leading to more + predictable behaviour on upgrades. -- Applied in Debian + - d/p/gd-multiarch-fix.patch: superseded + * d/NEWS: add note explaining that SUHOSIN is no longer enabled in the + Ubuntu packages. + + -- Clint Byrum Mon, 18 Jun 2012 16:10:26 -0700 + php5 (5.4.4-1) unstable; urgency=low * Imported Upstream version 5.4.4 @@ -1776,6 +2767,74 @@ php5 (5.3.10-2) unstable; urgency=low -- Ondřej Surý Mon, 20 Feb 2012 17:40:24 +0100 +php5 (5.3.10-1ubuntu4) quantal; urgency=low + + * SECURITY UPDATE: php5-cgi query string parameters parsing + vulnerability + - debian/patches/php5-CVE-2012-1823.patch: filter query strings that + are prefixed with '-' + - CVE-2012-1823 + - CVE-2012-2311 + + -- Steve Beattie Wed, 23 May 2012 15:57:57 -0400 + +php5 (5.3.10-1ubuntu3) precise; urgency=low + + * Cherry picked fixes from Debian testing: + - d/maxlifetime: Improve maxlifetime script to scan for more SAPIs and + scan all *.ini in conf.d directory. + (LP: #916065). + - d/libapache2-mod-php5.postinst,libapache2-mod-php5filter.postinst: + Restart apache on first install to ensure module is fully enabled. + (LP: #953081). + + -- James Page Wed, 11 Apr 2012 14:27:10 +0100 + +php5 (5.3.10-1ubuntu2) precise; urgency=low + + * Pre-Depend on a new enough version of dpkg for dpkg-maintscript-helper + rather than checking whether it exists at run-time, leading to more + predictable behaviour on upgrades. + + -- Colin Watson Mon, 05 Mar 2012 12:21:35 +0000 + +php5 (5.3.10-1ubuntu1) precise; urgency=low + + * Merge from Debian testing. Remaining changes: + - d/control: build-depend on mysql 5.5 instead of 5.1 for running tests. + - d/setup-mysql.sh: modify to work with mysql 5.5 differences + - debian/rules: export DEB_HOST_MULTIARCH properly. + - Only build php5-sqlite for sqlite3, dropping the obsolete sqlite2. + - Add build-dependency on lemon, which we now need. + - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. + - Dropped libcurl-dev not in the archive. + - debian/control: replace build-depends on mysql-server with + mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and + mysql-server-5.5 postinst confusion with starting up multiple + mysqlds listening on the same port. + - Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions + already in universe. + - Suggest php5-suhosin rather than recommends. + - Dropped libonig-dev and libqgdbm since its in universe. (libonig MIR + has been declined due to an inactive upstream. So this is probably + a permanent change). + - modulelist: Drop imap, interbase, sybase, and mcrypt. + - debian/rules: + * Dropped building of mcrypt, imap, and interbase. + * Install apport hook for php5. + * stop mysql instance on clean just in case we failed in tests + - debian/control: Recommend php5-dev for php-pear. + * Dropped Changes: + - d/patches/CVE-2011-4566.patch: Applied upstream + - debian/rules: --enable-pcntl for cgi as well. (Applied in Debian) + * d/rules: enable Suhosin patch with PHP5_SUHOSIN=yes + * d/NEWS: add note explaining that SUHOSIN *is* enabled in the Ubuntu + package. + * d/rules: Simplify apache config settings since we never build + interbase or firebird. + + -- Clint Byrum Thu, 16 Feb 2012 03:17:18 -0800 + php5 (5.3.10-1) unstable; urgency=high [ Raphael Geissert ] @@ -1868,6 +2927,53 @@ php5 (5.3.9-1) unstable; urgency=low -- Ondřej Surý Wed, 11 Jan 2012 16:33:20 +0100 +php5 (5.3.8.0-1ubuntu3) precise; urgency=low + + * SECURITY UPDATE: Denial of service and possible information disclosure + via exif integer overflow + - debian/patches/CVE-2011-4566.patch: fix count checks in + ext/exif/exif.c. + - CVE-2011-4566 + + -- Marc Deslauriers Mon, 12 Dec 2011 15:14:28 -0500 + +php5 (5.3.8.0-1ubuntu2) precise; urgency=low + + * d/control: build-depend on mysql 5.5 instead of 5.1 for running tests. + * d/setup-mysql.sh: modify to work with mysql 5.5 differences + + -- Clint Byrum Thu, 24 Nov 2011 10:28:38 -0800 + +php5 (5.3.8.0-1ubuntu1) precise; urgency=low + + * Resynchronise with Debian. Remaining changes: + - debian/rules: export DEB_HOST_MULTIARCH properly. + - Only build php5-sqlite for sqlite3, dropping the obsolete sqlite2. + - Add build-dependency on lemon, which we now need. + - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. + - Dropped libcurl-dev not in the archive. + - debian/control: replace build-depends on mysql-server with + mysql-server-core-5.1 and mysql-client-5.1 to avoid upstart and + mysql-server-5.1 postinst confusion with starting up multiple + mysqlds listening on the same port. + - Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions + already in universe. + - Suggest php5-suhosin rather than recommends. + - Dropped libonig-dev and libqgdbm since its in universe. (libonig MIR + has been declined due to an inactive upstream. So this is probably + a permanent change). + - modulelist: Drop imap, interbase, sybase, and mcrypt. + - debian/rules: + * Dropped building of mcrypt, imap, and interbase. + * Install apport hook for php5. + * stop mysql instance on clean just in case we failed in tests + - debian/control: Recommend php5-dev for php-pear. + - debian/rules: --enable-pcntl for cgi as well. + * debian/patches/temporary-path-fixes-for-multiarch.patch: Handle + multiarch libmysqlclient as well. + + -- Colin Watson Wed, 23 Nov 2011 12:58:51 +0000 + php5 (5.3.8.0-1) unstable; urgency=low * Re-re-imported upstream version 5.3.8, as a new sourceful update, @@ -1875,6 +2981,40 @@ php5 (5.3.8.0-1) unstable; urgency=low -- Sean Finney Thu, 27 Oct 2011 17:17:02 +0200 +php5 (5.3.8-2ubuntu2) precise; urgency=low + + * Rebuild for libicu48. + + -- Colin Watson Wed, 23 Nov 2011 10:54:32 +0000 + +php5 (5.3.8-2ubuntu1) precise; urgency=low + + * Merge with Debian; remaining changes: + - debian/rules: export DEB_HOST_MULTIARCH properly. + - Only build php5-sqlite for sqlite3, dropping the obsolete sqlite2. + - Add build-dependency on lemon, which we now need. + - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. + - Dropped libcurl-dev not in the archive. + - debian/control: replace build-depends on mysql-server with + mysql-server-core-5.1 and mysql-client-5.1 to avoid upstart and + mysql-server-5.1 postinst confusion with starting up multiple + mysqlds listening on the same port. + - Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions + already in universe. + - Suggest php5-suhosin rather than recommends. + - Dropped libonig-dev and libqgdbm since its in universe. (libonig MIR + has been declined due to an inactive upstream. So this is probably + a permanent change). + - modulelist: Drop imap, interbase, sybase, and mcrypt. + - debian/rules: + * Dropped building of mcrypt, imap, and interbase. + * Install apport hook for php5. + * stop mysql instance on clean just in case we failed in tests + - debian/control: Recommend php5-dev for php-pear. + - debian/rules: --enable-pcntl for cgi as well. + + -- Matthias Klose Tue, 18 Oct 2011 15:39:03 +0200 + php5 (5.3.8-2) unstable; urgency=low * Fix botched upload when git-buildpackage didn't play well with @@ -1903,6 +3043,65 @@ php5 (5.3.7-1) unstable; urgency=low -- Ondřej Surý Fri, 19 Aug 2011 14:18:03 +0200 +php5 (5.3.6-13ubuntu3) oneiric; urgency=low + + * debian/rules: export DEB_HOST_MULTIARCH properly, so that I don't spend + an hour scratching my head at './debian/rules configure' not working + right. + * Only build php5-sqlite for sqlite3, dropping the obsolete sqlite2. + * Add build-dependency on lemon, which we now need. + + -- Steve Langasek Wed, 24 Aug 2011 21:40:27 +0000 + +php5 (5.3.6-13ubuntu2) oneiric; urgency=low + + * debian/rules: build with --with-openssl instead of --with-openssl=/usr, + to autodetect libraries in multiarch directories. + * debian/patches/temporary-path-fixes-for-multiarch.patch: add ldap + multiarch checks. LP: #826601. + + -- Steve Langasek Tue, 16 Aug 2011 06:14:55 +0000 + +php5 (5.3.6-13ubuntu1) oneiric; urgency=low + + * Merge from debian unstable. Remaining changes: + * Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. + * Dropped libcurl-dev not in the archive. + * debian/control: replace build-depends on mysql-server with + mysql-server-core-5.1 and mysql-client-5.1 to avoid upstart and + mysql-server-5.1 postinst confusion with starting up multiple + mysqlds listening on the same port. + * Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions + already in universe. + * Suggest php5-suhosin rather than recommends. + * Dropped libonig-dev and libqgdbm since its in universe. (libonig MIR + has been declined due to an inactive upstream. So this is probably + a permanent change). + * modulelist: Drop imap, interbase, sybase, and mcrypt. + * debian/rules: + * Dropped building of mcrypt, imap, and interbase. + * Install apport hook for php5. + * stop mysql instance on clean just in case we failed in tests + * debian/control: Recommend php5-dev for php-pear. + * debian/rules: --enable-pcntl for cgi as well. + * debian/patches/temporary-path-fixes-for-multiarch.patch: as a stopgap + for natty, patch the various config.m4 files for modules whose + libraries have moved to the multiarch dir; we can't use --with-libdir + yet because that requires all the build-deps to have moved. Thanks to + Jonathan Marsden for preparing this patch. + * debian/patches/fpm-config.patch: Update php-fpm.conf(pool.d/con) + to do initial chdir to / as suggest by Olaf van van der Spek + to detect early problems if php5-fpm needs a write access to + initial chdir. + * SECURITY UPDATE: use-after-free vulnerability + - debian/patches/php5-CVE-2011-1148.patch: improve reference + counting + - CVE-2011-1148 + * debian/rules: set DEB_HOST_MULTIARCH to enable 'debian/rules' for + building. + + -- Chuck Short Mon, 25 Jul 2011 19:14:12 +0100 + php5 (5.3.6-13) unstable; urgency=low * Fix CVE-2011-2483: 8-bit character mishandling allows different @@ -1933,6 +3132,59 @@ php5 (5.3.6-12) unstable; urgency=low -- Ondřej Surý Wed, 15 Jun 2011 11:06:40 +0200 +php5 (5.3.6-11ubuntu1) oneiric; urgency=low + + * Merge from debian unstable. Remaining changes: + * Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. + * Dropped libcurl-dev not in the archive. + * debian/control: replace build-depends on mysql-server with + mysql-server-core-5.1 and mysql-client-5.1 to avoid upstart and + mysql-server-5.1 postinst confusion with starting up multiple + mysqlds listening on the same port. + * Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions + already in universe. + * Suggest php5-suhosin rather than recommends. + * Dropped libonig-dev and libqgdbm since its in universe. (libonig MIR + has been declined due to an inactive upstream. So this is probably + a permanent change). + * modulelist: Drop imap, interbase, sybase, and mcrypt. + * debian/rules: + * Dropped building of mcrypt, imap, and interbase. + * Install apport hook for php5. + * stop mysql instance on clean just in case we failed in tests + * debian/control: Recommend php5-dev for php-pear. + * debian/rules: --enable-pcntl for cgi as well. + * debian/patches/temporary-path-fixes-for-multiarch.patch: as a stopgap + for natty, patch the various config.m4 files for modules whose + libraries have moved to the multiarch dir; we can't use --with-libdir + yet because that requires all the build-deps to have moved. Thanks to + Jonathan Marsden for preparing this patch. + * debian/patches/fpm-config.patch: Update php-fpm.conf(pool.d/con) + to do initial chdir to / as suggest by Olaf van van der Spek + to detect early problems if php5-fpm needs a write access to + initial chdir. + * SECURITY UPDATE: use-after-free vulnerability + - debian/patches/php5-CVE-2011-1148.patch: improve reference + counting + - CVE-2011-1148 + * debian/rules: set DEB_HOST_MULTIARCH to enable 'debian/rules' for + building. + * Dropped Changes: + * Dropped libmysqlclient15-dev, build against mysql 5.1. -- Dropped in debian. + * Dropped locales-all. -- Now has alternative language-pack-de for use in tests. + * debian/php5-fpm.init: backport changes from Debian package to run + configuration check. Removes check for /var/www which broke stand- + alone installation of php5-fpm. -- superseded upstream + * All CVE's not mentioned above (applied upstream or in Debian) + * debian/patches/configure-as-needed.patch. Work around suspicious + configure macros to fix a build failure with --as-needed + * debian/patches/backport-upstream-lp592442.patch: Backport upstream fix + for ssl fopen issues. -- applied in Debian + * debian/patches/lp564920-fix-big-files.patch: Fix downloading of large + files -- applied in Debian + + -- Clint Byrum Wed, 25 May 2011 10:34:40 -0700 + php5 (5.3.6-11) unstable; urgency=low * Use more reasonable default number of processes for PHP5-FPM @@ -2059,6 +3311,168 @@ php5 (5.3.6-1) unstable; urgency=low -- Ondřej Surý Fri, 18 Mar 2011 15:51:50 +0100 +php5 (5.3.5-1ubuntu7.2) natty-security; urgency=low + + * debian/patches/php5-pear-CVE-2011-1144-regression.patch: fix + mkdir parenthesis issue and PEAR::raiseErro typo (LP: #774452) + + -- Steve Beattie Sat, 30 Apr 2011 16:00:39 -0700 + +php5 (5.3.5-1ubuntu7.1) natty-security; urgency=low + + * SECURITY UPDATE: arbitrary files removal via cronjob + - debian/php5-common.php5.cron.d: take greater care when removing + session files. + - http://git.debian.org/?p=pkg-php%2Fphp.git;a=commitdiff_plain;h=d09fd04ed7bfcf7f008360c6a42025108925df09 + - CVE-2011-0441 + * SECURITY UPDATE: symlink tmp races in pear install + - debian/patches/php5-pear-CVE-2011-1072.patch: improved + tempfile handling. + - debian/rules: apply patch manually after unpacking PEAR phar + archive. + - CVE-2011-1072 + * SECURITY UPDATE: more symlink races in pear install + - debian/patches/php5-pear-CVE-2011-1144.patch: add TOCTOU save + file handler. + - debian/rules: apply patch manually after unpacking PEAR phar + archive. + - CVE-2011-1144 + * SECURITY UPDATE: denial of service through application crash with + invalid images + - debian/patches/php5-CVE-2010-4698.patch: verify anti-aliasing + steps are either 4 or 16. + - CVE-2010-4698 + * SECURITY UPDATE: denial of service through application crash + - debian/patches/php5-CVE-2011-0420.patch: improve grapheme_extract() + argument validation. + - CVE-2011-0420 + * SECURITY UPDATE: denial of service through application crash + - debian/patches/php5-CVE-2011-0421.patch: fail operation gracefully + when handling zero sized zipfile with the FL_UNCHANGED argument + - CVE-2011-0421 + * SECURITY UPDATE: denial of service through application crash when + handling images with invalid exif tags + - debian/patches/php5-CVE-2011-0708.patch: stricter exif checking + - CVE-2011-0708 + * SECURITY UPDATE: denial of service and possible data disclosure + through integer overflow + - debian/patches/php5-CVE-2011-1092.patch: better boundary + condition checks in shmop_read() + - CVE-2011-1092 + * SECURITY UPDATE: use-after-free vulnerability + - debian/patches/php5-CVE-2011-1148.patch: improve reference + counting + - CVE-2011-1148 + * SECURITY UPDATE: format string vulnerability + - debian/patches/php5-CVE-2011-1153.patch: correctly quote format + strings + - CVE-2011-1153 + * SECURITY UPDATE: denial of service through buffer overflow crash + (code execution mitigated by compilation with Fortify Source) + - debian/patches/php5-CVE-2011-1464.patch: limit amount of precision + to ensure fitting within MAX_BUF_SIZE + - CVE-2011-1464 + * SECURITY UPDATE: denial of service through application crash + - debian/patches/php5-CVE-2011-1467.patch: check for invalid + attribute symbols in NumberFormatter::setSymbol() + - CVE-2011-1467 + * SECURITY UPDATE: denial of service through memory leak + - debian/patches/php5-CVE-2011-1468.patch: fix memory leak of + openssl contexts + - CVE-2011-1468 + * SECURITY UPDATE: denial of service through application crash + when using HTTP proxy with the FTP wrapper + - debian/patches/php5-CVE-2011-1469.patch: improve pointer handling + - CVE-2011-1469 + * SECURITY UPDATE: denial of service through application crash when + handling ziparchive streams + - debian/patches/php5-CVE-2011-1470.patch: set necessary elements of + the meta data structure + - CVE-2011-1470 + * SECURITY UPDATE: denial of service through application crash when + handling malformed zip files + - debian/patches/php5-CVE-2011-1471.patch: correct integer + signedness error when handling zip_fread() return value. + - CVE-2011-1471 + * debian/control: replace build-depends on mysql-server with + mysql-server-core-5.1 and mysql-client-5.1 to avoid upstart and + mysql-server-5.1 postinst confusion with starting up multiple + mysqlds listening on the same port. + + -- Steve Beattie Tue, 26 Apr 2011 08:34:26 -0700 + +php5 (5.3.5-1ubuntu7) natty; urgency=low + + * debian/php5-fpm.init: backport changes from Debian package to run + configuration check. Removes check for /var/www which broke stand- + alone installation of php5-fpm. (LP: #753924) + * debian/rules: set DEB_HOST_MULTIARCH to enable 'debian/rules' for + building. + + -- Clint Byrum Tue, 12 Apr 2011 14:21:14 -0700 + +php5 (5.3.5-1ubuntu6) natty; urgency=low + + * debian/patches/fpm-config.patch: Update php-fpm.conf(pool.d/con) + to do initial chdir to / as suggest by Olaf van van der Spek + to detect early problems if php5-fpm needs a write access to + initial chdir. + * debian/patches/backport-upstream-lp592442.patch: Backport upstream fix + for ssl fopen issues. (LP: #592442) + + -- Chuck Short Fri, 01 Apr 2011 09:29:49 -0400 + +php5 (5.3.5-1ubuntu5) natty; urgency=low + + * debian/patches/temporary-path-fixes-for-multiarch.patch: as a stopgap + for natty, patch the various config.m4 files for modules whose + libraries have moved to the multiarch dir; we can't use --with-libdir + yet because that requires all the build-deps to have moved. Thanks to + Jonathan Marsden for preparing this patch. LP: #739977. + * debian/patches/ubuntu/ubuntu-php-version.patch: drop. This is an + autogenerated file. + + -- Steve Langasek Thu, 24 Mar 2011 22:34:00 +0000 + +php5 (5.3.5-1ubuntu4) natty; urgency=low + + * debian/control: Recommend php5-dev for php-pear. (LP: #634359) + * debian/rules: --enable-pcntl for cgi as well. (LP: #658346) + + -- Chuck Short Mon, 14 Mar 2011 10:34:00 -0400 + +php5 (5.3.5-1ubuntu3) natty; urgency=low + + * debian/php5-fpm.init: Fix logic from previous commit. + + -- Chuck Short Mon, 14 Mar 2011 08:18:17 -0400 + +php5 (5.3.5-1ubuntu2) natty; urgency=low + + * debian/php5-fpm.init: Dont start fpm if /var/www doesnt exist. + (LP: #731572) + + -- Chuck Short Fri, 11 Mar 2011 16:29:24 -0500 + +php5 (5.3.5-1ubuntu1) natty; urgency=low + + * Merge from debian/unstable. Remaining changes: + - debian/control: + * Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. + * Dropped libmysqlclient15-dev, build against mysql 5.1. + * Dropped libcurl-dev not in the archive. + * Suggest php5-suhosin rather than recommends. + * Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions + already in universe. + * Dropped libonig-dev and libqgdbm since its in universe. (will be re-added in lucid+1) + - modulelist: Drop imap, interbase, sybase, and mcrypt. + - debian/rules: + * Dropped building of mcrypt, imap, and interbase. + * Install apport hook for php5. + * stop mysql instance on clean just in case we failed in tests + + -- Chuck Short Tue, 22 Feb 2011 09:46:37 -0500 + php5 (5.3.5-1) unstable; urgency=low * Imported Upstream version 5.3.5 @@ -2069,6 +3483,32 @@ php5 (5.3.5-1) unstable; urgency=low -- Ondřej Surý Wed, 16 Feb 2011 15:17:32 +0100 +php5 (5.3.3-7ubuntu1) natty; urgency=low + + * Merge from debian unstable. Remaining changes: + - debian/control: + * Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. + * Dropped libmysqlclient15-dev, build against mysql 5.1. + * Dropped libcurl-dev not in the archive. + * Suggest php5-suhosin rather than recommends. + * Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions + already in universe. + * Dropped libonig-dev and libqgdbm since its in universe. (will be re-added in lucid+1) + * Dropped locales-all. + - modulelist: Drop imap, interbase, sybase, and mcrypt. + - debian/rules: + * Dropped building of mcrypt, imap, and interbase. + * Install apport hook for php5. + * stop mysql instance on clean just in case we failed in tests + - Dropped debian/patches/fix-upstream-bug53632.patch, used debian's instead. + - Dropped debian/patches/mssql-fix-segfault.patch, use debian's instead. + - debian/patches/configure-as-needed.patch. Work around suspicious + configure macros to fix a build failure with --as-needed + - debian/patches/php52389-pgsql-segfault.patch: removing, causes error + handling to fail. + + -- Chuck Short Fri, 07 Jan 2011 22:44:56 +0000 + php5 (5.3.3-7) unstable; urgency=low * Cherry pick patches for: @@ -2161,6 +3601,119 @@ php5 (5.3.3-2) unstable; urgency=low -- Ondřej Surý Thu, 21 Oct 2010 16:57:53 +0200 +php5 (5.3.3-1ubuntu12) natty; urgency=low + + * debian/patches/fix-upstream-bug53632.patch: Fix infinite loop bug (php bug #53632) + (LP: #697181) + + -- Chuck Short Fri, 07 Jan 2011 12:57:59 -0500 + +php5 (5.3.3-1ubuntu11) natty; urgency=low + + * Add debian/patches/mssql-fix-segfault.patch: Fixes segfault on missing + parameters for mssql. Upstream php bug #52843 and LP: #611316. + + -- Clint Byrum Fri, 03 Dec 2010 23:45:19 -0800 + +php5 (5.3.3-1ubuntu10) natty; urgency=low + + * debian/patches/configure-as-needed.patch. Work around suspicious + configure macros to fix a build failure with --as-needed (Clint Byrum). + Addresses #676672. + + -- Matthias Klose Wed, 24 Nov 2010 10:44:36 +0100 + +php5 (5.3.3-1ubuntu9.1) maverick-proposed; urgency=low + + * debian/patches/php52389-pgsql-segfault.patch: removing, + causes error handling to fail (LP: #660227) + + -- Clint Byrum Thu, 14 Oct 2010 06:46:02 -0700 + +php5 (5.3.3-1ubuntu9) maverick; urgency=low + + * SECURITY UPDATE: arbitrary memory disclosure and possible code + execution via phar extension + - debian/patches/CVE-2010-2950.patch: use correct format string in + ext/phar/stream.c. + - CVE-2010-2094 + - CVE-2010-2950 + + -- Marc Deslauriers Mon, 20 Sep 2010 14:56:33 -0400 + +php5 (5.3.3-1ubuntu8) maverick; urgency=low + + * Build-depend on netcat-openbsd | netcat, instead of just netcat (only + in universe). + + -- Matthias Klose Fri, 17 Sep 2010 14:33:13 +0200 + +php5 (5.3.3-1ubuntu7) maverick; urgency=low + + * debian/setup-mysql.sh: Copy mysqld to local dir during build to avoid + apparmor restrictions (LP: #638401) + * debian/rules: stop mysql instance on clean just in case we failed in tests + + -- Clint Byrum Wed, 15 Sep 2010 10:48:32 -0700 + +php5 (5.3.3-1ubuntu6) maverick; urgency=low + + * Undo sybase debugging libraries split: keeping a smaller delta with Debian + is more important than demoting sybase to universe. + + -- Mathias Gug Wed, 25 Aug 2010 14:04:57 -0400 + +php5 (5.3.3-1ubuntu5) maverick; urgency=low + + * Drop sybase libraries to universe: + Move debugging libraries to php5-sybase-dbg: + - debian/control: + + create php5-sybase-dbg package. + + drop php5-sybase as php5-dbg dependency. + - debian/rules: move sybase debugging libraries to php5-sybase-dbg. + + -- Mathias Gug Fri, 20 Aug 2010 19:13:55 -0400 + +php5 (5.3.3-1ubuntu4) maverick; urgency=low + + * debian/php5-module.ini: # replaced with ; (LP: #591286) + * debian/patches/php52389-pgsql-segfault.patch (LP: #607646) + - Applying patch for upstream bug that causes segfaults in pgsql + + -- Clint Byrum Fri, 13 Aug 2010 00:07:15 -0700 + +php5 (5.3.3-1ubuntu3) maverick; urgency=low + + * debian/patches/lp564920-fix-big-files.patch: Fix downloading of large + files (LP: #564920) + + -- Clint Byrum Fri, 06 Aug 2010 13:10:17 -0700 + +php5 (5.3.3-1ubuntu2) maverick; urgency=low + + * debian/control: Use netcat rather than netcat-traditional. + + -- Chuck Short Thu, 05 Aug 2010 20:00:34 -0500 + +php5 (5.3.3-1ubuntu1) maverick; urgency=low + + * Merge from debian experimental: + - debian/control: + * Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. + * Dropped libmysqlclient15-dev, build against mysql 5.1. + * Dropped libcurl-dev not in the archive. + * Suggest php5-suhosin rather than recommends. + * Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions already in + universe. + * Dropped libonig-dev and libqgdbm since its in universe. (will be re-added in lucid+1) + * Dropped locales-all. + - modulelist: Drop imap, interbase, and mcrypt. + - debian/rules: + * Dropped building of mcrypt, imap, and interbase. + * Install apport hook for php5. + + -- Chuck Short Sun, 01 Aug 2010 14:28:03 -0500 + php5 (5.3.3-1) experimental; urgency=low * Upload PHP 5.3.3 to experimental for further testing @@ -2214,6 +3767,61 @@ php5 (5.3.2-2) unstable; urgency=low -- Raphael Geissert Sun, 18 Jul 2010 15:35:06 -0500 +php5 (5.3.2-1ubuntu5) maverick; urgency=low + + * debian/php5-module.ini: Comment should be "#" not ";". (LP: #573436) + * debian/patches/cherrypick-upstream-51740.diff: Fix acinclude.ac macro check. (LP: #576910) + * debian/patches/cherrypick-upstream-48361.diff: Fix regression with getPathInfo() + doesn't return parent info (LP: #576910) + * debian/patches/session_save_path.patch: ave PHP sessions to + /var/lib/php rather than /tmp. (LP: #573222) + + -- Chuck Short Tue, 25 May 2010 10:17:00 -0400 + +php5 (5.3.2-1ubuntu4.1) lucid-proposed; urgency=low + + * debian/patches/fix-mysql-badmem.patch: Fix mysql crash when using php5-cgi. (LP: #567043) + + -- Chuck Short Mon, 03 May 2010 11:23:43 -0400 + +php5 (5.3.2-1ubuntu4) lucid; urgency=low + + * debian/control, debian/rules: Re-enable libedit-dev. (LP: #548823) + + -- Chuck Short Mon, 05 Apr 2010 15:33:21 -0400 + +php5 (5.3.2-1ubuntu3) lucid; urgency=low + + * debian/control: Fix upgrade of php5-ldap from 5.3.1. (LP: #) + + -- Chuck Short Sun, 28 Mar 2010 15:41:34 -0400 + +php5 (5.3.2-1ubuntu2) lucid; urgency=low + + * debian/control: Dont build with libmcrypt-dev. + + -- Chuck Short Fri, 26 Mar 2010 14:39:36 -0400 + +php5 (5.3.2-1ubuntu1) lucid; urgency=low + + * Merge from debian unstable: + - debian/control: + * Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. + * Dropped libmysqlclient15-dev, build against mysql 5.1. + * Dropped libcurl-dev not in the archive. + * Suggest php5-suhosin rather than recommends. + * Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions already in + universe. + * Dropped libonig-dev and libqgdbm since its in universe. (will be re-added in lucid+1) + * Dropped locales-all. + - modulelist: Drop imap, interbase, and mcrypt. + - debian/rules: + * Dropped building of mcrypt, imap, and interbase. + * Install apport hook for php5. + - Dropped debian/patches/libedit_is_editline.patch. + + -- Chuck Short Tue, 16 Mar 2010 09:09:50 -0400 + php5 (5.3.2-1) unstable; urgency=high [ Sean Finney ] diff -pruN 5.6.17+dfsg-3/debian/control 5.6.17+dfsg-3ubuntu1/debian/control --- 5.6.17+dfsg-3/debian/control 2016-01-15 09:47:44.000000000 +0000 +++ 5.6.17+dfsg-3ubuntu1/debian/control 2016-01-21 19:33:16.000000000 +0000 @@ -1,7 +1,8 @@ Source: php5 Section: php Priority: optional -Maintainer: Debian PHP Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian PHP Maintainers Uploaders: Ondřej Surý , Thijs Kinkhorst , Lior Kaplan @@ -15,12 +16,10 @@ Build-Depends: apache2-dev (>= 2.4), chrpath, debhelper (>= 9), dpkg-dev (>= 1.16.1~), - firebird-dev [!hurd-any !m68k !hppa !ppc64] | firebird2.5-dev [!hurd-any !m68k !hppa !ppc64] | firebird2.1-dev [!hurd-any !m68k !hppa !ppc64], flex, freetds-dev, libapr1-dev (>= 1.2.7-8), libbz2-dev, - libc-client-dev, libcurl4-openssl-dev | libcurl-dev, libdb-dev, libedit-dev (>= 2.11-20080614-4), @@ -37,16 +36,13 @@ Build-Depends: apache2-dev (>= 2.4), libkrb5-dev, libldap2-dev, libmagic-dev, - libmcrypt-dev, libmhash-dev (>= 0.8.8), libmysqlclient-dev | libmysqlclient15-dev, - libonig-dev, libpam0g-dev, libpcre3-dev (>= 6.6), libpng-dev, libpq-dev, libpspell-dev, - libqdbm-dev, librecode-dev, libsasl2-dev, libsnmp-dev, @@ -63,7 +59,7 @@ Build-Depends: apache2-dev (>= 2.4), locales-all | language-pack-de, mysql-server | virtual-mysql-server, netbase, - netcat-traditional, + netcat-openbsd | netcat, re2c, unixodbc-dev, zlib1g-dev, @@ -317,7 +313,7 @@ Description: Files for PHP5 module devel for web development and can be embedded into HTML. Package: php5-dbg -Depends: ${misc:Depends}, php5-common (= ${binary:Version}), libapache2-mod-php5 (= ${binary:Version}) | libapache2-mod-php5filter (= ${binary:Version}) | php5-cgi (= ${binary:Version}) | php5-cli (= ${binary:Version}) | php5-fpm (= ${binary:Version}) | libphp5-embed (= ${binary:Version}) | php5-curl (= ${binary:Version}) | php5-enchant (= ${binary:Version}) | php5-gd (= ${binary:Version}) | php5-gmp (= ${binary:Version}) | php5-imap (= ${binary:Version}) | php5-interbase (= ${binary:Version}) | php5-intl (= ${binary:Version}) | php5-ldap (= ${binary:Version}) | php5-mcrypt (= ${binary:Version}) | php5-readline (= ${binary:Version}) | php5-mysql (= ${binary:Version}) | php5-mysqlnd (= ${binary:Version}) | php5-odbc (= ${binary:Version}) | php5-pgsql (= ${binary:Version}) | php5-pspell (= ${binary:Version}) | php5-recode (= ${binary:Version}) | php5-snmp (= ${binary:Version}) | php5-sqlite (= ${binary:Version}) | php5-sybase (= ${binary:Version}) | php5-tidy (= ${binary:Version}) | php5-xmlrpc (= ${binary:Version}) | php5-xsl (= ${binary:Version}) +Depends: ${misc:Depends}, php5-common (= ${binary:Version}), libapache2-mod-php5 (= ${binary:Version}) | libapache2-mod-php5filter (= ${binary:Version}) | php5-cgi (= ${binary:Version}) | php5-cli (= ${binary:Version}) | php5-fpm (= ${binary:Version}) | libphp5-embed (= ${binary:Version}) | php5-curl (= ${binary:Version}) | php5-enchant (= ${binary:Version}) | php5-gd (= ${binary:Version}) | php5-gmp (= ${binary:Version}) | php5-intl (= ${binary:Version}) | php5-ldap (= ${binary:Version}) | php5-readline (= ${binary:Version}) | php5-mysql (= ${binary:Version}) | php5-mysqlnd (= ${binary:Version}) | php5-odbc (= ${binary:Version}) | php5-pgsql (= ${binary:Version}) | php5-pspell (= ${binary:Version}) | php5-recode (= ${binary:Version}) | php5-snmp (= ${binary:Version}) | php5-sqlite (= ${binary:Version}) | php5-sybase (= ${binary:Version}) | php5-tidy (= ${binary:Version}) | php5-xmlrpc (= ${binary:Version}) | php5-xsl (= ${binary:Version}) Recommends: gdb Section: debug Priority: extra @@ -396,28 +392,6 @@ Description: GMP module for php5 open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML. -Package: php5-imap -Architecture: any -Depends: ${shlibs:Depends}, ${php:Depends}, ${misc:Depends}, php5-common (= ${binary:Version}), ucf -Pre-Depends: ${misc:Pre-Depends} -Description: IMAP module for php5 - This package provides a module for IMAP functions in PHP scripts. - . - PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used - open source general-purpose scripting language that is especially suited - for web development and can be embedded into HTML. - -Package: php5-interbase -Architecture: linux-any kfreebsd-any -Depends: ${shlibs:Depends}, ${php:Depends}, ${misc:Depends}, php5-common (= ${binary:Version}), ucf -Pre-Depends: ${misc:Pre-Depends} -Description: interbase/firebird module for php5 - This package provides a module for interbase/firebird functions in PHP scripts. - . - PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used - open source general-purpose scripting language that is especially suited - for web development and can be embedded into HTML. - Package: php5-intl Architecture: any Depends: ${shlibs:Depends}, ${php:Depends}, ${misc:Depends}, php5-common (= ${binary:Version}), ucf @@ -441,17 +415,6 @@ Description: LDAP module for php5 . PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used open source general-purpose scripting language that is especially suited - for web development and can be embedded into HTML. - -Package: php5-mcrypt -Architecture: any -Depends: ${shlibs:Depends}, ${php:Depends}, ${misc:Depends}, php5-common (= ${binary:Version}), ucf -Pre-Depends: ${misc:Pre-Depends} -Description: MCrypt module for php5 - This package provides a module for MCrypt functions in PHP scripts. - . - PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used - open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML. Package: php5-readline diff -pruN 5.6.17+dfsg-3/debian/modulelist 5.6.17+dfsg-3ubuntu1/debian/modulelist --- 5.6.17+dfsg-3/debian/modulelist 2016-01-15 09:47:44.000000000 +0000 +++ 5.6.17+dfsg-3ubuntu1/debian/modulelist 2016-01-21 19:32:23.000000000 +0000 @@ -3,11 +3,8 @@ common PDO pdo 10 enchant Enchant gd GD gmp GMP -imap IMAP -interbase Interbase intl Internationalisation ldap LDAP -mcrypt MCrypt mysql MySQL mysqlnd MySQL mysqlnd 10 odbc ODBC diff -pruN 5.6.17+dfsg-3/debian/rules 5.6.17+dfsg-3ubuntu1/debian/rules --- 5.6.17+dfsg-3/debian/rules 2016-01-15 09:47:44.000000000 +0000 +++ 5.6.17+dfsg-3ubuntu1/debian/rules 2016-01-21 19:32:23.000000000 +0000 @@ -40,12 +40,6 @@ ifeq ($(DEB_HOST_ARCH),$(filter $(DEB_HO RUN_TESTS = no endif -ifneq ($(DEB_HOST_ARCH),$(filter $(DEB_HOST_ARCH),hurd-i386 m68k hppa ppc64)) - CONFIGURE_APACHE_ARGS = --with-interbase=shared,/usr --with-pdo-firebird=shared,/usr -else - CONFIGURE_APACHE_ARGS = --without-interbase --without-pdo-firebird -endif - ifeq (yes,$(RUN_TESTS)) MYSQL_PORT := $(shell for i in $$(seq 1025 3600 | sort -R); do nc -z localhost $$i || { echo $$i; exit; } ; done) MYSQL_DATA_DIR ?= $(shell readlink -f mysql_db) @@ -133,14 +127,12 @@ COMMON_CONFIG=--build=$(DEB_BUILD_GNU_TY --with-bz2 \ --enable-ctype \ --with-db4 \ - --with-qdbm=/usr \ --without-gdbm \ --with-iconv \ --enable-exif \ --enable-ftp \ --with-gettext \ --enable-mbstring \ - --with-onig=/usr \ --with-pcre-regex=/usr \ --enable-shmop \ --enable-sockets \ @@ -304,13 +296,10 @@ configure-apache2-stamp: prepared-stamp --with-png-dir=shared,/usr \ --with-freetype-dir=shared,/usr \ --with-vpx-dir=shared,/usr \ - --with-imap=shared,/usr \ - --with-imap-ssl \ --enable-intl=shared \ --without-t1lib \ --with-ldap=shared,/usr \ --with-ldap-sasl=/usr \ - --with-mcrypt=shared,/usr \ --with-mysql=shared,/usr \ --with-mysqli=shared,/usr/bin/mysql_config \ --with-pspell=shared,/usr \ @@ -703,6 +692,9 @@ endif cp debian/php5-dev.lintian-overrides $(CURDIR)/debian/php5-dev/usr/share/lintian/overrides/php5-dev cp debian/php-pear.lintian-overrides $(CURDIR)/debian/php-pear/usr/share/lintian/overrides/php-pear + # install the apport hook + install -D -m 644 debian/source_php5.py debian/php5-common/usr/share/apport/package-hooks/source_php5.py + # install some generic lintian overrides ext=`debian/php5-dev/usr/bin/php-config5 --extension-dir | cut -b2- `; \ for sapi in php5-cli php5-phpdbg php5-fpm php5-cgi libapache2-mod-php5 libapache2-mod-php5filter libphp5-embed; do \ diff -pruN 5.6.17+dfsg-3/debian/source_php5.py 5.6.17+dfsg-3ubuntu1/debian/source_php5.py --- 5.6.17+dfsg-3/debian/source_php5.py 1970-01-01 00:00:00.000000000 +0000 +++ 5.6.17+dfsg-3ubuntu1/debian/source_php5.py 2016-01-21 19:32:23.000000000 +0000 @@ -0,0 +1,57 @@ +#!/usr/bin/python + +'''PHP5 Apport interface + +Copyright (C) 2010 Canonical Ltd. +Author: Chuck Short + +This program is free software; you can redistribute it and/or modify it +under the terms of the GNU General Public License as published by the +Free Software Foundation; either version 2 of the License, or (at your +option) any later version. See http://www.gnu.org/copyleft/gpl.html for +the full text of the license. +''' + +import os +import subprocess +from apport.hookutils import * + +def _add_my_conf_files(report, filename): + if not os.path.exists(filename): + return + + key = 'PHPConf' + path_to_key(filename) + report[key] = "" + for line in read_file(filename).split('\n'): + try: + if 'mysql.default_password ' in line.split('=')[0]: + line = "%s = @@APPORTREPLACED@@" % (line.split('=')[0]) + if 'mysqli.default_pw ' in line.split('=')[0]: + line = "%s = @@APPORTREPLACED@@" % (line.split('=')[0]) + if 'ifx.default_password ' in line.split('=')[0]: + line = "%s = @@APPORTREPLACED@@" % (line.split('=')[0]) + report[key] += line + '\n' + except IndexError: + continue + +def add_info(report): + _add_my_conf_files(report, '/etc/php5/apache2/php.ini') + _add_my_conf_files(report, '/etc/php5/cli/php5.ini') + + # packages in main + packages=['php5', 'php-common', 'libapache2-mod-php5', 'libapache2-mod-php5filter' + 'php5-cgi', 'php5-cli', 'php5-dev', 'php5-dbg', 'php-pear', 'php5-curl', 'php5-gd' + 'php5-gmp', 'php5-ldap', 'php5-mhash', 'php5-mysql', 'php5-odbc', 'php5-pgsql', + 'php5-pspell', 'php5-recode', 'php5-snmp', 'php5-sqlite', 'php5-sybase', 'php5-tidy', + 'php5-xmlrpc', 'php5-xsl'] + + versions = '' + for package in packages: + try: + version = packaging.get_version(package) + except ValueError: + version = 'N/A' + if version is None: + version = 'N/A' + versions += '%s %s\n' %(package, version) + report['PHPInstalledModules'] = versions