php5-lliurex (5.6.11+dfsg-1~lliurex2) xenial; urgency=medium * Add mcrypt module -- Juan Ramon Pelegrina Tue, 16 May 2017 14:38:58 +0200 php5-lliurex (5.6.11+dfsg-1~lliurex1) xenial; urgency=medium * Repackage php5 4 the old times ;-) -- M.Angel Juan Thu, 14 Apr 2016 16:37:44 +0200 php5 (5.6.11+dfsg-1ubuntu3.1) wily-security; urgency=medium * SECURITY UPDATE: null pointer dereference in phar_get_fp_offset() - debian/patches/CVE-2015-7803.patch: check link in ext/phar/util.c. - CVE-2015-7803 * SECURITY UPDATE: uninitialized pointer in phar_make_dirstream() - debian/patches/CVE-2015-7804.patch: check filename length in ext/phar/util.c, ext/phar/zip.c. - CVE-2015-7804 -- Marc Deslauriers Tue, 27 Oct 2015 16:47:59 -0400 php5 (5.6.11+dfsg-1ubuntu3) wily; urgency=medium * SECURITY UPDATE: multiple use-after-free issues in unserialize() - debian/patches/CVE-2015-6831-1.patch: fix SPLArrayObject in ext/spl/spl_array.c, added test to ext/spl/tests/bug70166.phpt. - debian/patches/CVE-2015-6831-2.patch: fix SplObjectStorage in ext/spl/spl_observer.c, added test to ext/spl/tests/bug70168.phpt. - debian/patches/CVE-2015-6831-3.patch: fix SplDoublyLinkedList in ext/spl/spl_dllist.c, added test to ext/spl/tests/bug70169.phpt. - CVE-2015-6831 * SECURITY UPDATE: dangling pointer in the unserialization of ArrayObject items - debian/patches/CVE-2015-6832.patch: fix dangling pointer in ext/spl/spl_array.c, added test to ext/spl/tests/bug70068.phpt. - CVE-2015-6832 * SECURITY UPDATE: phar files extracted outside of destination dir - debian/patches/CVE-2015-6833-1.patch: limit extracted files to given directory in ext/phar/phar_object.c. - debian/patches/CVE-2015-6833-2.patch: use emalloc in ext/phar/phar_object.c. - CVE-2015-6833 * SECURITY UPDATE: multiple vulnerabilities in unserialize() - debian/patches/CVE-2015-6834-1.patch: fix use-after-free in ext/standard/var.c, ext/standard/var_unserializer.*. - debian/patches/CVE-2015-6834-2.patch: fix use-after-free in ext/spl/spl_observer.c, added test to ext/spl/tests/bug70365.phpt. - debian/patches/CVE-2015-6834-3.patch: fix use-after-free in ext/spl/spl_dllist.c, added test to ext/spl/tests/bug70366.phpt. - CVE-2015-6834 * SECURITY UPDATE: use after free in session deserializer - debian/patches/CVE-2015-6835-1.patch: fix use after free in ext/session/session.c, ext/standard/var_unserializer.* fixed tests in ext/session/tests/session_decode_error2.phpt, ext/session/tests/session_decode_variation3.phpt. - debian/patches/CVE-2015-6835-2.patch: add more fixes to ext/session/session.c. - CVE-2015-6835 * SECURITY UPDATE: SOAP serialize_function_call() type confusion - debian/patches/CVE-2015-6836.patch: check type in ext/soap/soap.c, added test to ext/soap/tests/bug70388.phpt. - CVE-2015-6836 * SECURITY UPDATE: NULL pointer dereference in XSLTProcessor class - debian/patches/CVE-2015-6837-6838.patch: fix logic in ext/xsl/xsltprocessor.c. - CVE-2015-6837 - CVE-2015-6838 -- Marc Deslauriers Mon, 28 Sep 2015 07:26:44 -0400 php5 (5.6.11+dfsg-1ubuntu2) wily; urgency=medium * No-change rebuild against new libicu -- Iain Lane Wed, 05 Aug 2015 17:41:17 +0100 php5 (5.6.11+dfsg-1ubuntu1) wily; urgency=medium * Merge from Debian. Remaining changes: - Drop support for firebird, c-client, mcrypt, onig and qdbm as they are in universe: + d/control: drop Build-Depends on firebird-dev, libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev. + d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt and their reverse dependencies. + d/rules: drop configuration of qdgm, onig, imap, mcrypt. + d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build interbase or firebird. + d/modulelist: drop imap, interbase and mcrypt. - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd as only the latter is in main. - d/source_php5.py, d/rules: add apport hook. * New upstream version uses __builtin_clzl when __powerpc__ is defined, improving performance on POWER systems (LP: #1458434). * Drop changes (patches included upstream): CVE-2015-4598.patch, CVE-2015-4643.patch, CVE-2015-4644.patch. -- Robie Basak Mon, 27 Jul 2015 11:15:34 +0000 php5 (5.6.11+dfsg-1) unstable; urgency=medium * New upstream version 5.6.11+dfsg * Finish the transition to libsystemd, but allow backports (Closes: #779780) * Refresh patches using gbp pq rebase/export -- Ondřej Surý Wed, 15 Jul 2015 12:47:39 +0200 php5 (5.6.10+dfsg-1) unstable; urgency=medium [ Ondřej Surý ] * New upstream version 5.6.10+dfsg - Core: . Fixed bug #66048 (temp. directory is cached during multiple requests). . Fixed bug #69566 (Conditional jump or move depends on uninitialised value in extension trait). . Fixed bug #69599 (Strange generator+exception+variadic crash). . Fixed bug #69628 (complex GLOB_BRACE fails on Windows). . Fixed POST data processing slowdown due to small input buffer size on Windows. . Fixed bug #69646 (OS command injection vulnerability in escapeshellarg). . Fixed bug #69719 (Incorrect handling of paths with NULs). - FTP . Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). - GD: . Fixed bug #69479 (GD fails to build with newer libvpx). - Iconv: . Fixed bug #48147 (iconv with //IGNORE cuts the string). - Litespeed SAPI: . Fixed bug #68812 (Unchecked return value). - Mail: . Fixed bug #68776 (mail() does not have mail header injection prevention for additional headers). - MCrypt: . Added file descriptor caching to mcrypt_create_iv() - Opcache . Fixed bug #69549 (Memory leak with opcache.optimization_level=0xFFFFFFFF). - Phar: . Fixed bug #69680 (phar symlink in binary directory broken). - Postgres: . Fixed bug #69667 (segfault in php_pgsql_meta_data). - Sqlite3: . Upgrade bundled sqlite to 3.8.10.2. (CVE-2015-3414, CVE-2015-3415, CVE-2015-3416) * Rebase patches using gbp pq rebase [ Thijs Kinkhorst ] * Add patch to remove build timestamps from binaries to make the build process reproducible. * Fix path to php5-cgi.conf in README.Debian, thanks Jean-Michel Vourgere (closes: #788802). * Remove references to apache2-prefork-mpm package. This has been removed as a separate package (Closes: #791592). -- Ondřej Surý Mon, 15 Jun 2015 09:18:33 +0200 php5 (5.6.9+dfsg-1ubuntu1) wily; urgency=medium * Merge from Debian. Remaining changes: - d/control: drop Build-Depends that are in universe: firebird-dev, libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev. - d/rules: drop configuration of packages that are in universe: qdgm, onig. - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build interbase or firebird. - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt since we have separate versions in universe. - d/modulelist: drop imap, interbase and mcrypt since we have separate versions in universe. - d/rules: drop configuration of imap and mcrypt since we have separate versions in universe. - d/source_php5.py, d/rules: add apport hook. - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd as only the latter is in main. * Dropped changes: - patches included in new upstream version: CVE-2014-9427.patch, CVE-2014-9652.patch, CVE-2015-0231.patch, CVE-2015-0232.patch, CVE-2015-1351.patch, CVE-2015-1352.patch, remove_readelf.patch, CVE-2014-9705.patch, CVE-2015-0273.patch, CVE-2015-2301.patch, CVE-2015-2305.patch, CVE-2015-2331.patch, CVE-2015-2348.patch, CVE-2015-2787.patch, CVE-2015-2783.patch, bug69218.patch, bug69441.patch. * SECURITY UPDATE: more missing file path null byte checks - debian/patches/CVE-2015-4598.patch: add missing checks to ext/dom/document.c, ext/gd/gd.c, fix test in ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt. - CVE-2015-4598 * SECURITY UPDATE: arbitrary code execution via ftp server long reply to a LIST command - debian/patches/CVE-2015-4643.patch: prevent overflow check bypass in ext/ftp/ftp.c. - CVE-2015-4643 * SECURITY UPDATE: denial of service via php_pgsql_meta_data - debian/patches/CVE-2015-4644.patch: check return value in ext/pgsql/pgsql.c, add test to ext/pgsql/pg_insert_002.phpt. - CVE-2015-4644 -- Marc Deslauriers Mon, 06 Jul 2015 09:05:05 -0400 php5 (5.6.9+dfsg-1) unstable; urgency=medium * New upstream version 5.6.9+dfsg - Core: . Fixed bug #69467 (Wrong checked for the interface by using Trait). . Fixed bug #69420 (Invalid read in zend_std_get_method). . Fixed bug #60022 ("use statement [...] has no effect" depends on leading backslash). . Fixed bug #67314 (Segmentation fault in gc_remove_zval_from_buffer). . Fixed bug #68652 (segmentation fault in destructor). . Fixed bug #69419 (Returning compatible sub generator produces a warning). . Fixed bug #69472 (php_sys_readlink ignores misc errors from GetFinalPathNameByHandleA). . Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). . Fixed bug #69403 (str_repeat() sign mismatch based memory corruption). . Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). . Fixed bug #69522 (heap buffer overflow in unpack()). - FTP: . Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). - ODBC: . Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0). . Fixed bug #69474 (ODBC: Query with same field name from two tables returns incorrect result). . Fixed bug #69381 (out of memory with sage odbc driver). - OpenSSL: . Fixed bug #69402 (Reading empty SSL stream hangs until timeout). - PCNTL: . Fixed bug #68598 (pcntl_exec() should not allow null char). - PCRE . Upgraded pcrelib to 8.37. - Phar: . Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null). * Rebased patches on top of 5.6.9+dfsg version -- Ondřej Surý Fri, 22 May 2015 09:35:03 +0200 php5 (5.6.8+dfsg-1) unstable; urgency=medium * New upstream version 5.6.8+dfsg - Core: . Fixed bug #66609 (php crashes with __get() and ++ operator in some cases). (Dmitry, Laruence) . Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters). (Tjerk) . Fixed bug #68917 (parse_url fails on some partial urls). (Wei Dai) . Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski) . Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString). (Stas) . Fixed bug #69210 (serialize function return corrupted data when sleep has non-string values). (Juan Basso) . Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing). (Nikita) . Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator). (Nikita) . Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability). (Stas) . Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions). (Stas) - Apache2handler: . Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (Gerrit Venema) - cURL: . Implemented FR#69278 (HTTP2 support). (Masaki Kagaya) . Fixed bug #68739 (Missing break / control flow). (Laruence) . Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER). (Laruence) - Date: . Fixed bug #69336 (Issues with "last day of "). (Derick Rethans) - Enchant: . Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows builds). (Anatol) - Ereg: . Fixed bug #68740 (NULL Pointer Dereference). (Laruence) - Fileinfo: . Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault). (Anatol Belski) - Filter: . Fixed bug #69202: (FILTER_FLAG_STRIP_BACKTICK ignored unless other flags are used). (Jeff Welch) . Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127). (Jeff Welch) - OPCache: . Fixed bug #69297 (function_exists strange behavior with OPCache on disabled function). (Laruence) . Fixed bug #69281 (opcache_is_script_cached no longer works). (danack) . Fixed bug #68677 (Use After Free). (CVE-2015-1351) (Laruence) - OpenSSL . Fixed bugs #68853, #65137 (Buffered crypto stream data breaks IO polling in stream_select() contexts) (Chris Wright) . Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly) (Daniel Lowrey) . Fixed bug #69215 (Crypto servers should send client CA list) (Daniel Lowrey) . Add a check for RAND_egd to allow compiling against LibreSSL (Leigh) - Phar: . Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar). (Mike) . Fixed bug #64931 (phar_add_file is too restrictive on filename). (Mike) . Fixed bug #65467 (Call to undefined method cli_arg_typ_string). (Mike) . Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing ".tar"). (Mike) . Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (Stas) . Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode). (Stas) - Postgres: . Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352) (Laruence) - SPL: . Fixed bug #69227 (Use after free in zval_scan caused by spl_object_storage_get_gc). (adam dot scarr at 99designs dot com) - SOAP: . Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)). (Laruence) - Sqlite3: . Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception). (Dan Ackroyd) . Fixed bug #69287 (Upgrade bundled libsqlite to 3.8.8.3). (Anatol) . Fixed bug #66550 (SQLite prepared statement use-after-free). (Sean Heelan) * Update d/gbp.conf to new config style * Update patches for 5.6.8 release * Switch to gbp pq patch management -- Ondřej Surý Sat, 02 May 2015 10:01:38 +0200 php5 (5.6.7+dfsg-1) unstable; urgency=medium * New upstream version 5.6.7+dfsg - Core: . Fixed bug #69174 (leaks when unused inner class use traits precedence). . Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize). . Fixed bug #69121 (Segfault in get_current_user when script owner is not in passwd with ZTS build). . Fixed bug #65593 (Segfault when calling ob_start from output buffering callback). . Fixed bug #68986 (pointer returned by php_stream_fopen_temporary_file not validated in memory.c). . Fixed bug #68166 (Exception with invalid character causes segv). . Fixed bug #69141 (Missing arguments in reflection info for some builtin functions). . Fixed bug #68976 (Use After Free Vulnerability in unserialize()) (CVE-2015-0231). . Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). . Fixed bug #69207 (move_uploaded_file allows nulls in path). - CGI: . Fixed bug #69015 (php-cgi's getopt does not see $argv). - CLI: . Fixed bug #67741 (auto_prepend_file messes up __LINE__). - cURL: . Fixed bug #69088 (PHP_MINIT_FUNCTION does not fully initialize cURL on Win32). . Add CURLPROXY_SOCKS4A and CURLPROXY_SOCKS5_HOSTNAME constants if supported by libcurl. - Ereg: . Fixed bug #69248 (heap overflow vulnerability in regcomp.c) (CVE-2015-2305). - FPM: . Fixed bug #68822 (request time is reset too early). - ODBC: . Fixed bug #68964 (Allowed memory size exhausted with odbc_exec). - Opcache: . Fixed bug #69159 (Opcache causes problem when passing a variable variable to a function). . Fixed bug #69125 (Array numeric string as key). . Fixed bug #69038 (switch(SOMECONSTANT) misbehaves). - OpenSSL: . Fixed bug #68912 (Segmentation fault at openssl_spki_new). . Fixed bug #61285, #68329, #68046, #41631 (encrypted streams don't observe socket timeouts). . Fixed bug #68920 (use strict peer_fingerprint input checks) . Fixed bug #68879 (IP Address fields in subjectAltNames not used) . Fixed bug #68265 (SAN match fails with trailing DNS dot) . Fixed bug #67403 (Add signatureType to openssl_x509_parse) . Fixed bug (#69195 Inconsistent stream crypto values across versions) - pgsql: . Fixed bug #68638 (pg_update() fails to store infinite values). - Readline: . Fixed bug #69054 (Null dereference in readline_(read|write)_history() without parameters). - SOAP: . Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()). - SPL: . Fixed bug #69108 ("Segmentation fault" when (de)serializing SplObjectStorage). . Fixed bug #68557 (RecursiveDirectoryIterator::seek(0) broken after calling getChildren()). - ZIP: . Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap boundary) (CVE-2015-2331). * Refresh patches for 5.6.7 release * Pull a patch to fix SQL_DESC_OCTET_LENGTH not supported by ADS ODBC driver (PHP#68350) from Debian wheezy PHP 5.4 branch * Fix PHP segfault in zend_hash_find (PHP#68486) * Move PEAR-Builder-print-info-about-php5-dev.patch to debian/ as it's not a quilt patch -- Ondřej Surý Tue, 24 Mar 2015 11:19:21 +0100 php5 (5.6.6+dfsg-2) unstable; urgency=medium * Fix use after free in 'opcache' component of PHP (CVE-2015-1351) * Fix NULL Pointer Deference in pgsql (CVE-2015-1352) (Closes: #777033) -- Ondřej Surý Tue, 24 Feb 2015 07:54:59 +0100 php5 (5.6.6+dfsg-1) unstable; urgency=medium * New upstream version 5.6.6+dfsg * Pull patch from DragonFly BSD Project to limit the pattern space to avoid a 32-bit overflow in Henry Spencer regular expressions (regex) library (Closes: #778389) * Update patches for 5.6.6 release -- Ondřej Surý Fri, 20 Feb 2015 10:08:13 +0100 php5 (5.6.5+dfsg-2) unstable; urgency=high * Add patch to revert upstream commit on feof that broke Horde and others (Courtesy of Mike Gabriel) (Closes: #778374) -- Ondřej Surý Tue, 17 Feb 2015 09:39:33 +0100 php5 (5.6.5+dfsg-1) unstable; urgency=medium * New upstream version 5.6.5+dfsg * Security vulnerabilities fixed: + Core - Fixed bug #68710 (Use After Free Vulnerability in PHP's unserialize()). (CVE-2015-0231) + CGI: - Fixed bug #68618 (out of bounds read crashes php-cgi). (CVE-2014-9427) + EXIF: - Fixed bug #68799: Free called on unitialized pointer. (CVE-2015-0232) * Update patches for 5.6.5 release -- Ondřej Surý Mon, 26 Jan 2015 12:00:58 +0100 php5 (5.6.4+dfsg-4ubuntu6) vivid; urgency=medium * SECURITY UPDATE: potential remote code execution vulnerability when used with the Apache 2.4 apache2handler - debian/patches/bug69218.patch: perform proper cleanup in sapi/apache2handler/sapi_apache2.c. - CVE number pending * SECURITY UPDATE: buffer overflow when parsing tar/zip/phar - debian/patches/bug69441.patch: check lengths in ext/phar/phar_internal.h. - CVE number pending * SECURITY UPDATE: buffer overflow in unserialize when parsing Phar - debian/patches/CVE-2015-2783.patch: properly check lengths in ext/phar/phar.c, ext/phar/phar_internal.h. - CVE-2015-2783 -- Marc Deslauriers Fri, 17 Apr 2015 05:15:49 -0400 php5 (5.6.4+dfsg-4ubuntu5) vivid; urgency=medium * SECURITY UPDATE: move_uploaded_file filename restriction bypass - debian/patches/CVE-2015-2348.patch: handle nulls in ext/standard/basic_functions.c. - CVE-2015-2348 * SECURITY UPDATE: arbitrary code exection via process_nested_data use-after-free - debian/patches/CVE-2015-2787.patch: fix logic in ext/standard/var_unserializer.*. - CVE-2015-2787 -- Marc Deslauriers Thu, 02 Apr 2015 08:06:41 -0400 php5 (5.6.4+dfsg-4ubuntu4) vivid; urgency=medium * SECURITY UPDATE: heap overflow in regexp library - debian/patches/CVE-2015-2305.patch: check for overflow in ext/ereg/regex/regcomp.c. - CVE-2015-2305 * SECURITY UPDATE: integer overflow in zip module - debian/patches/CVE-2015-2331.patch: check for overflow in ext/zip/lib/zip_dirent.c. - CVE-2015-2331 -- Marc Deslauriers Tue, 24 Mar 2015 15:12:32 -0400 php5 (5.6.4+dfsg-4ubuntu3) vivid; urgency=medium * SECURITY UPDATE: denial of service or possible code execution in enchant - debian/patches/CVE-2014-9705.patch: handle position better in ext/enchant/enchant.c. - CVE-2014-9705 * SECURITY UPDATE: arbitrary code execution via use after free in unserialize() with DateTimeZone and DateTime - debian/patches/CVE-2015-0273.patch: fix use after free in ext/date/php_date.c, added tests to ext/date/tests/bug68942.phpt, ext/date/tests/bug68942_2.phpt. - CVE-2015-0273 * SECURITY UPDATE: denial of service or possible code execution in phar - debian/patches/CVE-2015-2301.patch: fix use after free in ext/phar/phar_object.c. - CVE-2015-2301 -- Marc Deslauriers Mon, 16 Mar 2015 13:21:17 -0400 php5 (5.6.4+dfsg-4ubuntu2) vivid; urgency=medium * SECURITY UPDATE: out of bounds read via invalid php file - debian/patches/CVE-2014-9427.patch: fix bounds in sapi/cgi/cgi_main.c. - CVE-2014-9427 * SECURITY UPDATE: out of bounds read in fileinfo - debian/patches/CVE-2014-9652.patch: properly check length in ext/fileinfo/libmagic/softmagic.c. - CVE-2014-9652 * SECURITY UPDATE: arbitrary code execution via improper handling of duplicate keys in unserializer, additional fix - debian/patches/CVE-2015-0231.patch: fix use after free in ext/standard/var_unserializer.*, added test to ext/standard/tests/strings/bug68710.phpt. - CVE-2015-0231 * SECURITY UPDATE: arbitrary code execution or denial of service via crafted EXIF data - debian/patches/CVE-2015-0232.patch: fix uninitialized pointer free in ext/exif/exif.c. - CVE-2015-0232 * SECURITY UPDATE: use after free in opcache component - debian/patches/CVE-2015-1351.patch: fix use after free in ext/opcache/zend_shared_alloc.c. - CVE-2015-1351 * SECURITY UPDATE: null pointer dereference in pgsql - debian/patches/CVE-2015-1352.patch: properly set valid token in ext/pgsql/pgsql.c. - CVE-2015-1352 * debian/patches/remove_readelf.patch: remove readelf.c from fileinfo as it isn't used, and is a source of confusion when doing security updates. -- Marc Deslauriers Tue, 17 Feb 2015 15:47:51 -0500 php5 (5.6.4+dfsg-4ubuntu1) vivid; urgency=medium * Merge from Debian testing (LP: #1411811). Remaining changes: - d/control: drop Build-Depends that are in universe: firebird-dev, libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev. - d/rules: drop configuration of packages that are in universe: qdgm, onig. - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build interbase or firebird. - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt since we have separate versions in universe. - d/modulelist: drop imap, interbase and mcrypt since we have separate versions in universe. - d/rules: drop configuration of imap and mcrypt since we have separate versions in universe. - d/source_php5.py, d/rules: add apport hook. - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd as only the latter is in main. * Drop changes: - Reported fixed in upstream release of 5.6.0: quilt patches for CVE-2014-0237, CVE-2014-0238, CVE-2014-4049, CVE-2014-0207, CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487, CVE-2014-3515, CVE-2014-4670, CVE-2014-4698, CVE-2014-4721, CVE-2014-3587 and CVE-2014-3597, and d/p/fix_systemd_ftbfs.patch. - Reported fixed in upstream release of 5.6.2: quilt patches for CVE-2014-3668, CVE-2014-3669 and CVE-2014-3670, and d/p/curl_embedded_null.patch. - Reported fixed in upstream release of 5.6.3: quilt patch for CVE-2014-3710. - Applied in Debian: + d/rules: stop mysql instance on clean just in case we failed in tests. + d/tests/{cgi,cli,mod-php}: dep8 tests for common use cases. + d/rules: export DEB_HOST_MULTIARCH properly. + d/rules: load dpkg-buildflags earlier, so that CFLAGS changes are not overridden. -- Robie Basak Tue, 27 Jan 2015 12:09:42 +0000 php5 (5.6.4+dfsg-4) unstable; urgency=medium * Disable tests on ppc64* to workaround crashing mysql-server on ppc64el (Workaround: #774795) -- Ondřej Surý Thu, 08 Jan 2015 15:41:29 +0100 php5 (5.6.4+dfsg-3) unstable; urgency=medium * Use noawait variants for deb-triggers to break the dependency loop (Closes: #774559) -- Ondřej Surý Mon, 05 Jan 2015 14:27:19 +0100 php5 (5.6.4+dfsg-2) unstable; urgency=medium * Pull upstream fixes for severe performance issues on pathological input in ext/fileinfo/libmagic/ copy (CVE-2014-8116, CVE-2014-8117) * Use ${misc:Pre-Depends} instead of hardcoded pre-dependency on dpkg -- Ondřej Surý Tue, 30 Dec 2014 22:12:33 +0100 php5 (5.6.4+dfsg-1) unstable; urgency=medium * New upstream version 5.6.4+dfsg * Update patches for 5.6.4+dfsg release -- Ondřej Surý Sun, 21 Dec 2014 19:11:08 +0100 php5 (5.6.3+dfsg-1) unstable; urgency=medium * Apply patch from PHP#68104 to fix segfaults in Zend OpCache (Closes: #754432) * Add libapparmor-dev to Build-Depends to enable apparmor chagehat in php5-fpm (Closes: #764173) * New upstream version 5.6.3+dfsg * Update patches for 5.6.3+dfsg release * Fix couple of PHP-FPM bugs unsuitable for release (Courtesy of Remi Collet) + Fixed bug #68420 (listen=9000 listens to ipv6 localhost instead of all addresses). + Fixed bug #68421 (access.format='%R' doesn't log ipv6 address). + Fixed bug #68423 (PHP-FPM will no longer load all pools). + Fixed bug #68428 (listen.allowed_clients is IPv4 only). + Fixed bug #68381 (fpm_unix_init_main ignores log_level). -- Ondřej Surý Wed, 19 Nov 2014 12:11:38 +0100 php5 (5.6.2+dfsg-1) unstable; urgency=medium [ Thijs Kinkhorst ] * Checked for policy 3.9.6, no changes. [ Ondřej Surý ] * New upstream version 5.6.2+dfsg * Update patches for 5.6.2+dfsg release -- Ondřej Surý Fri, 17 Oct 2014 16:22:47 +0200 php5 (5.6.1+dfsg-1) unstable; urgency=medium * New upstream version 5.6.1+dfsg -- Thijs Kinkhorst Wed, 15 Oct 2014 13:25:54 +0000 php5 (5.6.0+dfsg-1) unstable; urgency=medium * New upstream version 5.6.0+dfsg * Drop debian/patches/gdIOCtx.patch as it's no longer needed * Use printf instead of echo to print all SAPIS (https://wiki.ubuntu.com/DashAsBinSh#echo) -- Ondřej Surý Thu, 28 Aug 2014 14:47:48 +0200 php5 (5.6.0~rc4+dfsg-4) unstable; urgency=medium * Remove unnoticed bashism from sessionclean script -- Ondřej Surý Tue, 19 Aug 2014 17:10:40 +0200 php5 (5.6.0~rc4+dfsg-3) unstable; urgency=medium * Even more fixes and improvements to session cleaning script -- Ondřej Surý Tue, 19 Aug 2014 10:46:05 +0200 php5 (5.6.0~rc4+dfsg-2) unstable; urgency=medium * Sanitize $PATH in php5-common postinst script (Closes: #758185) * Update the sessionclean script to only check for SAPI processes (Courtesy of Steve Kamerman) * Other various minor improvements in the session cleanup script -- Ondřej Surý Mon, 18 Aug 2014 12:16:56 +0200 php5 (5.6.0~rc4+dfsg-1) unstable; urgency=medium * New upstream version 5.6.0~rc4+dfsg * Update patches for 5.6.0~rc4+dfsg release * Don't Recommend php5-cli when Depending on it * Update /var/lib/php5 non-standard-dir-perm lintian override * Remove patch that reverted upstream patch that broke mod_fastcgi as this was fixed upstream -- Ondřej Surý Thu, 14 Aug 2014 16:54:05 +0200 php5 (5.6.0~rc3+dfsg-2) unstable; urgency=medium * Add WARNING about the need to modify the cron job if the session handling has been modified * Change the default session.save_path to /var/lib/php5/sessions * Clean session files sorted into subdirectories (Closes: #719982) * Make sessionclean script also respect session.save_path and session.save_handler (Closes: #720381) * Limit the session cleanup only to sess_* files to prevent accidental deletion of other files * Use \0 as a new line delimiter when reading the session directory list (Thanks Goswin Brederlow for review and tips) * Bump debhelper compat version to v9 (Closes: #696590) -- Ondřej Surý Thu, 14 Aug 2014 15:04:08 +0200 php5 (5.6.0~rc3+dfsg-1) unstable; urgency=medium * Add dependency on libpcre3-dev in php5-dev package (PHP#67658) * New upstream version 5.6.0~rc3+dfsg * Refresh patches for 5.6.0~rc3+dfsg release -- Ondřej Surý Fri, 01 Aug 2014 11:18:34 +0200 php5 (5.6.0~rc2+dfsg-5) unstable; urgency=medium * Fix null byte suffix after keys in getallheaders() result (Closes: #755115) -- Ondřej Surý Sun, 20 Jul 2014 16:57:51 +0200 php5 (5.6.0~rc2+dfsg-4) unstable; urgency=medium [ Ondřej Surý ] * Fix invalid reportbug script directory in the php5 package (Closes: #754775) * Fix missing backslash that made php.ini-production empty (Closes: #755057) [ Andreas Schwab ] * Fix double free or corruption (!prev) on m68k (Closes: #714041) -- Ondřej Surý Thu, 17 Jul 2014 12:46:05 +0200 php5 (5.6.0~rc2+dfsg-3) unstable; urgency=medium * Remove Sean Finney from Uploaders; Thanks for all the hard work! * Revert upstream patch that broke mod_fastcgi (Closes: #754384) -- Ondřej Surý Fri, 11 Jul 2014 09:29:36 +0200 php5 (5.6.0~rc2+dfsg-2) unstable; urgency=medium * d/rules: Remove /usr from ./configure invocation to help multiarch * Add getallheaders() function to php5-fpm (Closes: #742497) * Install phar executable and its man page (Closes: #740876) * Move some php5-maintscript-helper messages to debug severity (Closes: #752102) * Disable expose_php in standard php.ini-production (Closes: #582204) -- Ondřej Surý Wed, 09 Jul 2014 15:20:18 +0200 php5 (5.6.0~rc2+dfsg-1) unstable; urgency=medium * New upstream version 5.6.0~rc2+dfsg * Update patches for 5.6.0~rc2+dfsg release * Align our patches with Fedora packaging (Courtesy of Remi Collet) * Enable the tests again (Closes: #752099) * Use Apache 2.4 updated Allow/Deny directives (Closes: #738959) * Strip /usr from libedit, so the libedit is correctly found * Hack around the configure ordering that checks for phpdbg before checking for libedit (https://github.com/krakjoe/phpdbg/issues/103) * Add builtin extension list to phpdbg -- Ondřej Surý Wed, 02 Jul 2014 15:50:39 +0200 php5 (5.6.0~rc1+dfsg-3) unstable; urgency=medium * Add a duplicate signal handler to php5-fpm to issue reload on SIGHUP (Ubuntu#1242376) -- Ondřej Surý Wed, 02 Jul 2014 11:48:34 +0200 php5 (5.6.0~rc1+dfsg-2) unstable; urgency=medium * Pull upstream fix for phpinfo() Type Confusion Information Leak (PHP#67498) -- Ondřej Surý Mon, 30 Jun 2014 09:28:23 +0200 php5 (5.6.0~rc1+dfsg-1) unstable; urgency=medium * New upstream version 5.6.0~rc1+dfsg * Add new phpdbg SAPI for easier PHP debugging * d/repack.sh: Switch the repack script to use dpt repack from pkg-perl-tools -- Ondřej Surý Mon, 23 Jun 2014 14:16:54 +0200 php5 (5.6.0~beta4+dfsg-4) unstable; urgency=medium * Fix regression introduced by patch for bug PHP#67072 * Fix regression introduced in fix for bug PHP#67118 -- Ondřej Surý Wed, 18 Jun 2014 09:51:49 +0200 php5 (5.6.0~beta4+dfsg-3) unstable; urgency=high * [CVE-2014-4049]: Fix potential segfault in dns_get_record() -- Ondřej Surý Fri, 13 Jun 2014 15:21:53 +0200 php5 (5.6.0~beta4+dfsg-2) unstable; urgency=medium * Add UPGRADING document to php5-common and list backwards incompatible changes to d/NEWS (Closes: #750890) -- Ondřej Surý Tue, 10 Jun 2014 14:08:57 +0200 php5 (5.6.0~beta4+dfsg-1) unstable; urgency=medium [ Thijs Kinkhorst ] * Drop scary "DO NOT USE IT IN PRODUCTION" news entry. (Closes: #750682) [ Ondřej Surý ] * New upstream version 5.6.0~beta4+dfsg -- Ondřej Surý Tue, 10 Jun 2014 14:08:49 +0200 php5 (5.6.0~beta3+dfsg-2) unstable; urgency=low * Remove extra wrong replacement from 5.5.0 to 5.6.0 * Drop the +lfs from phpapi we don't need it for transition anymore * Upload to unstable (start the transition period) -- Ondřej Surý Wed, 28 May 2014 11:59:05 +0200 php5 (5.6.0~beta3+dfsg-1) experimental; urgency=medium * Set default listen.{owner,group} to www-data:www-data * Add more bash magick to the dfsg repack script * Merge some minor changes from Ubuntu + d/rules: export DEB_HOST_MULTIARCH properly + d/rules: stop mysql instance on clean just in case we failed in tests. + d/tests/{cgi,cli,mod-php}: dep8 tests for common use cases. * New upstream version 5.6.0~beta3+dfsg * Update patches for 5.6.0~beta3+dfsg release -- Ondřej Surý Tue, 27 May 2014 16:56:30 +0200 php5 (5.6.0~beta2+dfsg-1) experimental; urgency=medium * Update patches for 5.6.0~beta2 release * New upstream version 5.6.0~beta2+dfsg * Import patch to fix zlib extension naming in LFS builds (Ubuntu#1315888) * Pull upstream patch to fix mysqli build when building against libmysqlclient -- Ondřej Surý Mon, 05 May 2014 12:10:08 +0200 php5 (5.6.0~beta1+dfsg-2) experimental; urgency=medium * Merge remaining changes from PHP 5.5 packaging * Reenable LARGEFILE support (Closes: #738984) -- Ondřej Surý Tue, 22 Apr 2014 13:24:32 +0200 php5 (5.6.0~beta1+dfsg-1) experimental; urgency=low * Reenable LARGEFILE support (Closes: #738984) * New upstream version 5.6.0~beta1+dfsg * Update patches for 5.6.0~beta1+dfsg release -- Ondřej Surý Thu, 17 Apr 2014 11:13:36 +0200 php5 (5.6.0~alpha3+dfsg-1) experimental; urgency=medium * New upstream version 5.6.0~alpha3+dfsg * Update patches for 5.6.0~alpha3 release -- Ondřej Surý Thu, 27 Mar 2014 15:42:58 +0100 php5 (5.6.0~alpha2+dfsg-1) experimental; urgency=medium * New upstream version 5.6.0~alpha2+dfsg * Install CLI specific ini file with PCNTL enabled (Closes: #720434) * Use php_admin_flag in Apache settings (Closes: #690964) -- Lior Kaplan Fri, 14 Feb 2014 22:59:41 +0200 php5 (5.6.0~alpha1+dfsg-1) experimental; urgency=medium * New upstream version 5.6.0~alpha1+dfsg * PHPAPI has changed. Yay, yet another transition\! * Update patches for 5.6.0~alpha1 release * Fix -Wformat=security errors in phpdbg * Remove unsafe tmpnam usage in phpdbg * Crude hack to make apache2filter work by copying the function from apache2handler * Don't install README.PHP4-TO-PHP5-THIN-CHANGES; removed upstream -- Ondřej Surý Tue, 28 Jan 2014 13:47:52 +0100 php5 (5.5.12+dfsg-2ubuntu5) vivid; urgency=medium * SECURITY UPDATE: denial of service via buffer overflow in mkgmtime() - debian/patches/CVE-2014-3668.patch: properly handle sizes in ext/xmlrpc/libxmlrpc/xmlrpc.c, added test to ext/xmlrpc/tests/bug68027.phpt. - CVE-2014-3668 * SECURITY UPDATE: integer overflow in unserialize() - debian/patches/CVE-2014-3669.patch: fix overflow in ext/standard/var_unserializer.{c,re}, added test to ext/standard/tests/serialize/bug68044.phpt. - CVE-2014-3669 * SECURITY UPDATE: Heap corruption in exif_thumbnail() - debian/patches/CVE-2014-3670.patch: fix sizes in ext/exif/exif.c. - CVE-2014-3670 * SECURITY UPDATE: out of bounds read in elf note headers in fileinfo() - debian/patches/CVE-2014-3710.patch: validate note headers in ext/fileinfo/libmagic/readelf.c. - CVE-2014-3710 * SECURITY UPDATE: local file disclosure via curl NULL byte injection - debian/patches/curl_embedded_null.patch: don't accept curl options with embedded NULLs in ext/curl/interface.c, added test to ext/curl/tests/bug68089.phpt. - No CVE number * Fix FTBFS with systemd version in vivid - debian/patches/fix_systemd_ftbfs.patch: improve detection logic in sapi/fpm/config.m4. -- Marc Deslauriers Wed, 29 Oct 2014 11:56:11 -0400 php5 (5.5.12+dfsg-2ubuntu4) utopic; urgency=medium * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info - debian/patches/CVE-2014-3587.patch: check for array under-runs as well as over-runs in ext/fileinfo/libmagic/cdf.c - CVE-2014-3587 * SECURITY UPDATE: denial of service in dns_get_record - debian/patches/CVE-2014-3597.patch: check for DNS overflows in ext/standard/dns.c - CVE-2014-3587 -- Seth Arnold Wed, 03 Sep 2014 23:27:47 -0700 php5 (5.5.12+dfsg-2ubuntu3) utopic; urgency=medium * SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector - debian/patches/CVE-2014-0207.patch: properly calculate sizes in ext/fileinfo/libmagic/cdf.c. - CVE-2014-0207 * SECURITY UPDATE: denial of service in FileInfo mconvert - debian/patches/CVE-2014-3478.patch: properly handle truncated pascal string size in ext/fileinfo/libmagic/softmagic.c. - CVE-2014-3478 * SECURITY UPDATE: denial of service in FileInfo cdf_check_stream_offset - debian/patches/CVE-2014-3479.patch: properly calculate sizes in ext/fileinfo/libmagic/cdf.c. - CVE-2014-3479 * SECURITY UPDATE: denial of service in FileInfo cdf_count_chain - debian/patches/CVE-2014-3480.patch: properly calculate sizes in ext/fileinfo/libmagic/cdf.c. - CVE-2014-3480 * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info - debian/patches/CVE-2014-3487.patch: properly calculate sizes in ext/fileinfo/libmagic/cdf.c. - CVE-2014-3487 * SECURITY UPDATE: denial of service and possible code execution via unserialize() SPL type confusion - debian/patches/CVE-2014-3515.patch: properly check types in ext/spl/spl_array.c, ext/spl/spl_observer.c, added test to ext/spl/tests/SplObjectStorage_unserialize_bad.phpt. - CVE-2014-3515 * SECURITY UPDATE: denial of service via SPL Iterators use-after-free - debian/patches/CVE-2014-4670.patch: fix use-after-free in ext/spl/spl_dllist.c, added test to ext/spl/tests/bug67538.phpt. - CVE-2014-4670 * SECURITY UPDATE: denial of service via ArrayIterator use-after-free - debian/patches/CVE-2014-4698.patch: don't allow modifying ArrayObject during sorting in ext/spl/spl_array.c, added test to ext/spl/tests/bug67539.phpt. - CVE-2014-4698 * SECURITY UPDATE: information leak via phpinfo (LP: #1338170) - debian/patches/CVE-2014-4721.patch: fix type confusion in ext/standard/info.c, added test to ext/standard/tests/general_functions/bug67498.phpt. - CVE-2014-4721 -- Marc Deslauriers Wed, 09 Jul 2014 13:00:04 -0400 php5 (5.5.12+dfsg-2ubuntu2) utopic; urgency=medium * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info - debian/patches/CVE-2014-0237.patch: remove file_printf calls in ext/fileinfo/libmagic/cdf.c. - CVE-2014-0237 * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info - debian/patches/CVE-2014-0238.patch: fix infinite loop in ext/fileinfo/libmagic/cdf.c. - CVE-2014-0238 * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record parsing - debian/patches/CVE-2014-4049.patch: check length in ext/standard/dns.c. - CVE-2014-4049 -- Marc Deslauriers Thu, 19 Jun 2014 13:21:19 -0400 php5 (5.5.12+dfsg-2ubuntu1) utopic; urgency=medium * Merge from Debian unstable. Remaining changes: - d/control: drop Build-Depends that are in universe: firebird-dev, libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev. - d/rules: drop configuration of packages that are in universe: qdgm, onig. - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build interbase or firebird. - d/rules: export DEB_HOST_MULTIARCH properly. - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt since we have separate versions in universe. - d/modulelist: drop imap, interbase and mcrypt since we have separate versions in universe. - d/rules: drop configuration of imap and mcrypt since we have separate versions in universe. - d/source_php5.py, d/rules: add apport hook. - d/rules: stop mysql instance on clean just in case we failed in tests. - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd as only the latter is in main. - debian/rules: re-enable tests - d/tests/{cgi,cli,mod-php}: dep8 tests for common use cases. - d/rules: load dpkg-buildflags earlier, so that CFLAGS changes are not overridden. * Drop changes (upstreamed / in-Debian): - CVE-2014-2270, CVE-2013-1943, imageconvolution-regression.patch: included in this merge * Drop changes (no longer needed): - d/rules, d/control: re-add use of dh_systemd as it is in main now. - php5-fpm.upstart: re-add "reload signal USR2" stanza, LTS was released. -- Dimitri John Ledkov Wed, 21 May 2014 13:21:08 +0100 php5 (5.5.11+dfsg-3) unstable; urgency=medium * Add ~ to ${source:Version} everywhere, so backports don't break * Resolve the dependency hell between php5-common and php5-json by moving the php5-json dependecy to SAPIs (except libphp5-embed) (Closes: #743890, #719942) -- Ondřej Surý Sat, 19 Apr 2014 15:19:27 +0200 php5 (5.5.11+dfsg-2) unstable; urgency=medium * Revert "Reenable LARGEFILE support" (Closes: #743842) -- Lior Kaplan Tue, 08 Apr 2014 11:02:48 +0300 php5 (5.5.11+dfsg-1) unstable; urgency=medium [ Ondřej Surý ] * Reenable LARGEFILE support (Closes: #738984) [ Lior Kaplan ] * New Upstream version 5.5.11+dfsg -- Lior Kaplan Sun, 06 Apr 2014 17:46:53 +0300 php5 (5.5.10+dfsg-1) unstable; urgency=low [ Ondřej Surý ] * Run dh_systemd_{enable,start} without arguments (Closes: #737282) * Split dh-php5 into a separate package * Don't use reopen-logs in logrotate script, but send USR1 directly to main pid of php5-fpm; #compat-non-sysv-rc * Move PIDFILE to /run * Implement more robust way of handling php5-fpm reopen logs from logrotate [ Thijs Kinkhorst ] * Add virtual-mysql-server to mysql-server B-D. * Checked for policy 3.9.5, no changes. [ Ondřej Surý ] * New upstream version 5.5.10+dfsg * Update dfsg-repack.sh script to remove upstream .gitignore from repacked tarball * Update patches for 5.5.10 release -- Ondřej Surý Thu, 27 Mar 2014 14:07:57 +0100 php5 (5.5.9+dfsg-1ubuntu4) trusty; urgency=medium * Comment out "reload signal USR2" stanza from php5-fpm to make the job compatible with Precise upstart, when it's still running as pid1 during upgrade to trusty and before the restart. We'd rather support shorter down-time then reload interface. (LP: #1272788) -- Dimitri John Ledkov Wed, 09 Apr 2014 16:23:30 +0100 php5 (5.5.9+dfsg-1ubuntu3) trusty; urgency=medium * SECURITY UPDATE: denial of service in fileinfo via crafted offset in PE executable - debian/patches/CVE-2014-2270.patch: check bounds in ext/fileinfo/libmagic/softmagic.c. - CVE-2014-2270 -- Marc Deslauriers Thu, 03 Apr 2014 15:12:10 -0400 php5 (5.5.9+dfsg-1ubuntu2) trusty; urgency=medium * SECURITY UPDATE: denial of service via crafted indirect offset value in fileinfo - debian/patches/CVE-2013-1943.patch: properly handle recursion in ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added test to ext/fileinfo/tests/cve-2014-1943.phpt. - CVE-2013-1943 * debian/patches/imageconvolution-regression.patch: fix regression in imageconvolution caused by security fix in 5.5.9. -- Marc Deslauriers Mon, 03 Mar 2014 13:42:25 -0500 php5 (5.5.9+dfsg-1ubuntu1) trusty; urgency=medium * Merge from Debian testing. Remaining changes: - d/control: drop Build-Depends that are in universe: firebird-dev, libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev. - d/rules: drop configuration of packages that are in universe: qdgm, onig. - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build interbase or firebird. - d/rules: export DEB_HOST_MULTIARCH properly. - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt since we have separate versions in universe. - d/modulelist: drop imap, interbase and mcrypt since we have separate versions in universe. - d/rules: drop configuration of imap and mcrypt since we have separate versions in universe. - d/source_php5.py, d/rules: add apport hook. - d/rules: stop mysql instance on clean just in case we failed in tests. - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd as only the latter is in main. - d/rules, d/control: drop use of dh_systemd as it is in universe. - debian/rules: re-enable tests - d/tests/{cgi,cli,mod-php}: dep8 tests for common use cases. * Drop changes (upstreamed to Debian): - d/p/use-system-timezone.patch, d/tests/system-timezone: use system timezone by default, instead of requiring it to be configured. * d/rules: load dpkg-buildflags earlier, so that CFLAGS changes are not overridden (LP: #1280044). -- Robie Basak Mon, 17 Feb 2014 16:58:27 +0000 php5 (5.5.9+dfsg-1) unstable; urgency=medium * New upstream version 5.5.9+dfsg * Install CLI specific ini file with PCNTL enabled (Closes: #720434) * Use php_admin_flag in Apache settings (Closes: #690964) -- Lior Kaplan Fri, 07 Feb 2014 16:21:04 +0200 php5 (5.5.8+dfsg-3) unstable; urgency=low * Fix regression in system fallback for date_default_timezone_get() (Closes: #730771) -- Ondřej Surý Fri, 24 Jan 2014 09:59:36 +0100 php5 (5.5.8+dfsg-2ubuntu1) trusty; urgency=medium * Merge from Debian unstable. Remaining changes: - d/control: drop Build-Depends that are in universe: firebird-dev, libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev. - d/rules: drop configuration of packages that are in universe: qdgm, onig. - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build interbase or firebird. - d/rules: export DEB_HOST_MULTIARCH properly. - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt since we have separate versions in universe. - d/modulelist: drop imap, interbase and mcrypt since we have separate versions in universe. - d/rules: drop configuration of imap and mcrypt since we have separate versions in universe. - d/source_php5.py, d/rules: add apport hook. - d/rules: stop mysql instance on clean just in case we failed in tests. - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd as only the latter is in main. - d/rules, d/control: drop use of dh_systemd as it is in universe. - debian/rules: re-enable tests * Previously undocumented changes: - d/tests/{cgi,cli,mod_php}: dep8 tests for common use cases. * Drop changes: - d/p/{CVE-2013-6420,CVE-2013-6712,fix-freetype-ftbfs}.patch: upstreamed. - d/control: relegate php5-json and pkg-php-tools from Recommends to Suggests as they are in universe: php5-json and pkg-php-tools are now in main (LP: #1242726). - d/control, d/rules: re-enable libedit-dev: libedit-dev is now enabled in Debian. * d/tests/mod-php: rename from mod_php; the previous name was illegal. * d/tests/{cgi,mod-php}: use new default Apache DocumentRoot /var/www/html. * d/p/use-system-timezone.patch, d/tests/system-timezone: use system timezone by default, instead of requiring it to be configured. (LP: #1244343). -- Robie Basak Tue, 21 Jan 2014 15:40:58 +0000 php5 (5.5.8+dfsg-2) unstable; urgency=medium * Re-enable dtrace only on architectures that support it -- Lior Kaplan Sun, 12 Jan 2014 00:56:04 +0200 php5 (5.5.8+dfsg-1) unstable; urgency=medium * New upstream version 5.5.8+dfsg - Includes fix for CVE-2013-6712 - Includes fix for freetype2 include directory (replaces our patch) * Add missing PATH_MAX in use_embedded_timezonedb patch to fix hurd-i386 FTBFS -- Lior Kaplan Sat, 11 Jan 2014 14:37:19 +0200 php5 (5.5.7+dfsg-2) unstable; urgency=low * Enable dtrace only on architectures that support it -- Ondřej Surý Thu, 12 Dec 2013 23:54:26 +0100 php5 (5.5.7+dfsg-1) unstable; urgency=high * New upstream version 5.5.7+dfsg + [CVE-2013-6420]: Fix memory corruption in openssl_x509_parse (Closes: #731895) * Enable dtrace/systemtap support (Closes: #730528) -- Ondřej Surý Thu, 12 Dec 2013 20:49:21 +0100 php5 (5.5.6+dfsg-2) unstable; urgency=high * [CVE-2013-6420]: Fix memory corruption in openssl_x509_parse (Closes: #731895) * [CVE-2013-6712] Fix heap buffer over-read in DateInterval (Closes: #731112) * Add patch to fix freetype2 include directory (Closes: #731698) -- Ondřej Surý Thu, 12 Dec 2013 11:07:11 +0100 php5 (5.5.6+dfsg-1ubuntu2) trusty; urgency=medium * No change rebuild against libicu52 -- Dimitri John Ledkov Sat, 28 Dec 2013 05:16:26 +0000 php5 (5.5.6+dfsg-1ubuntu1) trusty; urgency=low * Merge from Debian unstable. Remaining changes: - d/control: drop Build-Depends that are in universe: firebird-dev, libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev. - d/rules: drop configuration of packages that are in universe: qdgm, onig. - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build interbase or firebird. - d/rules: export DEB_HOST_MULTIARCH properly. - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt since we have separate versions in universe. - d/modulelist: drop imap, interbase and mcrypt since we have separate versions in universe. - d/rules: drop configuration of imap and mcrypt since we have separate versions in universe. - d/source_php5.py, d/rules: add apport hook. - d/rules: stop mysql instance on clean just in case we failed in tests. - d/control, d/rules: re-enable libedit-dev. - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd as only the latter is in main. - d/rules, d/control: drop use of dh_systemd as it is in universe. - d/control: relegate php5-json and pkg-php-tools from Recommends to Suggests as they are in universe. * Dropped changes: - d/p/crash_in_get_zval_ptr_ptr_var.patch: upstream * SECURITY UPDATE: denial of service and possible code execution via malicious certificate - debian/patches/CVE-2013-6420.patch: properly validate timestr in ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*. - CVE-2013-6420 * SECURITY UPDATE: denial of service via crafted interval specification - debian/patches/CVE-2013-6712.patch: check error_count in ext/date/lib/parse_iso_intervals.*. - CVE-2013-6712 * debian/patches/fix-freetype-ftbfs.patch: fix compilation with newer freetype * debian/rules: re-enable tests -- Marc Deslauriers Thu, 12 Dec 2013 11:54:36 -0500 php5 (5.5.6+dfsg-1) unstable; urgency=low [ Lior Kaplan ] * Fix lintian systemd-service-file-refers-to-obsolete-target [ Ondřej Surý ] * Add support for reload signal in upstart init job * New upstream version 5.5.6+dfsg * Update patches for 5.5.6+dfsg release -- Ondřej Surý Thu, 21 Nov 2013 09:59:57 +0100 php5 (5.5.5+dfsg-1) unstable; urgency=low * New upstream version 5.5.5+dfsg - Remove merged patches: shtool_mkdir_-p_-race-condition, 0001-Add-information-about-which-INI-file-is-which-inside, Zend_OpCache_GNUHurd_fix and mssql-null-exception * Delete 116-posixness_fix patch, Hurd builds successfully without it -- Lior Kaplan Sat, 19 Oct 2013 15:49:21 +0300 php5 (5.5.4+dfsg-1) unstable; urgency=low [ Thijs Kinkhorst ] * In maintscripts not emit 'no action required' messages to console (closes: #724001). [ Lior Kaplan ] * Remove obsolete patches: 004-ldap_fix, 036-fd_setsize_fix, 043-recode_size_t, 045-exif_nesting_level, 047-zts_with_dl and 108-64_bit_datetime. * Add patch info (description, author and bug number) * Delete patches we don't apply during build * Add a reference to GNU/Hurd porting guidelines [ Ondřej Surý ] * New upstream version 5.5.4+dfsg * Remove SHA2 broken test patch; merged upstream * Refresh patches for 5.5.4 release -- Ondřej Surý Fri, 27 Sep 2013 11:32:38 +0200 php5 (5.5.3+dfsg-1ubuntu3) trusty; urgency=low * No change rebuild against db 5.3. -- Dmitrijs Ledkovs Sat, 02 Nov 2013 20:03:00 +0000 php5 (5.5.3+dfsg-1ubuntu2) saucy; urgency=low * d/p/crash_in_get_zval_ptr_ptr_var.patch: cherry-pick from upstream to fix segfault (LP: #1236733). -- Robie Basak Wed, 09 Oct 2013 11:29:29 +0000 php5 (5.5.3+dfsg-1ubuntu1) saucy; urgency=low * Merge from Debian unstable. Remaining changes: - d/control: drop Build-Depends that are in universe: firebird-dev, libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev. - d/rules: drop configuration of packages that are in universe: qdgm, onig. - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build interbase or firebird. - d/rules: export DEB_HOST_MULTIARCH properly. - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt since we have separate versions in universe. - d/modulelist: drop imap, interbase and mcrypt since we have separate versions in universe. - d/rules: drop configuration of imap and mcrypt since we have separate versions in universe. - d/source_php5.py, d/rules: add apport hook. - d/rules: stop mysql instance on clean just in case we failed in tests. - d/control, d/rules: re-enable libedit-dev. - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd as only the latter is in main. - d/rules, d/control: drop use of dh_systemd as it is in universe. - d/control: relegate php5-json and pkg-php-tools from Recommends to Suggests as they are in universe. -- Marc Deslauriers Wed, 04 Sep 2013 08:24:35 -0400 php5 (5.5.3+dfsg-1) unstable; urgency=low * New upstream version 5.5.3+dfs * Update patches for 5.5.3 release -- Ondřej Surý Fri, 23 Aug 2013 14:49:34 +0200 php5 (5.5.2+dfsg-1) unstable; urgency=low * New upstream version 5.5.2+dfsg * Update and refresh patches for 5.5.2 release * Add handling for mpm_itk to libapache2-mod-php5{,filter} (Closes: #720278) * Add php5-readline to php5-cli Recommends to hint that it's needed for functional php -a -- Ondřej Surý Tue, 20 Aug 2013 13:17:24 +0200 php5 (5.5.1+dfsg-2) unstable; urgency=low * Move apache2 (>= 2.4) from Pre-Depend to Depends (Closes: #711454) * Install the headers from CGI build to get mysqlnd headers into php5-dev package (Closes: #690395) * Use small helper script instead of shell blog to check FPM configuration (Closes: #718627) -- Ondřej Surý Mon, 05 Aug 2013 15:58:01 +0200 php5 (5.5.1+dfsg-1ubuntu1) saucy; urgency=low * Merge from Debian unstable. Remaining changes: - d/control: drop Build-Depends that are in universe: firebird-dev, libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev. - d/rules: drop configuration of packages that are in universe: qdgm, onig. - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build interbase or firebird. - d/rules: export DEB_HOST_MULTIARCH properly. - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt since we have separate versions in universe. - d/modulelist: drop imap, interbase and mcrypt since we have separate versions in universe. - d/rules: drop configuration of imap and mcrypt since we have separate versions in universe. - d/source_php5.py, d/rules: add apport hook. - d/rules: stop mysql instance on clean just in case we failed in tests. - d/control, d/rules: re-enable libedit-dev. - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd as only the latter is in main. - d/rules, d/control: drop use of dh_systemd as it is in universe. - d/control: relegate php5-json and pkg-php-tools from Recommends to Suggests as they are in universe. -- Marc Deslauriers Wed, 24 Jul 2013 09:28:07 -0400 php5 (5.5.1+dfsg-1) unstable; urgency=low * New upstream version 5.5.1+dfsg * Update patches for 5.5.1 release -- Ondřej Surý Mon, 22 Jul 2013 08:25:19 +0200 php5 (5.5.0+dfsg-15ubuntu1) saucy; urgency=low * Merged from Debian unstable to get security fix. -- Marc Deslauriers Thu, 18 Jul 2013 11:48:29 -0400 php5 (5.5.0+dfsg-15) unstable; urgency=low * CVE-2013-4113: Fix heap corruption in xml parser (Closes: #717139) -- Ondřej Surý Wed, 17 Jul 2013 16:12:39 +0200 php5 (5.5.0+dfsg-14ubuntu1) saucy; urgency=low * Merge from Debian unstable. Remaining changes: - d/control: drop Build-Depends that are in universe: firebird-dev, libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev. - d/rules: drop configuration of packages that are in universe: qdgm, onig. - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build interbase or firebird. - d/rules: export DEB_HOST_MULTIARCH properly. - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt since we have separate versions in universe. - d/modulelist: drop imap, interbase and mcrypt since we have separate versions in universe. - d/rules: drop configuration of imap and mcrypt since we have separate versions in universe. - d/source_php5.py, d/rules: add apport hook. - d/rules: stop mysql instance on clean just in case we failed in tests. - d/control, d/rules: re-enable libedit-dev. - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd as only the latter is in main. - d/rules, d/control: drop use of dh_systemd as it is in universe. - d/control: relegate php5-json from Recommends to Suggests as it is in universe. * Relegate pkg-php-tools Recommends to Suggests as it is in universe. -- Robie Basak Wed, 17 Jul 2013 18:00:02 +0000 php5 (5.5.0+dfsg-14) unstable; urgency=low * Fix FTBFS: Remove symbols file and add an warning about embed SAPI API/ABI to libphp5-embed package description. -- Ondřej Surý Wed, 17 Jul 2013 12:02:46 +0200 php5 (5.5.0+dfsg-13) unstable; urgency=low * Call php5query from reportbug with the full path to executable (Closes: #716952) * Create conf.d directories also in php5-common postinst (the real fix for #716893) * Move Provides: phpapi-version to php5-common to fix invalid resolving of dependencies (Closes: #709027) * Move libphp5.so to /usr/lib (Closes: #708112) * Fail the build if phpapi has changed, not just warning which nobody notices * Fix typo in bug script installation path reporbug -> reportbug * Remove $(PHP_VERSION) from libphp5 SONAME, so it doesn't break with every new debian release * Add symbols file for libphp5.so * Correctly call dh_makeshlibs now when libphp5.so is in /usr/lib -- Ondřej Surý Tue, 16 Jul 2013 15:35:48 +0200 php5 (5.5.0+dfsg-12) unstable; urgency=low * Re-create (and re-remove) conf.d symlinks when module is already enabled (disabled) (Closes: #716893) * Add backwards compatibility for modules with priority (Closes: #716833) * Add Breaks: php-crypt-gpg (<< 1.3.2) to php5-common (Closes: #716856) * Add php5-fpm.dirs with needed /etc/php5/fpm/conf.d directory -- Ondřej Surý Mon, 15 Jul 2013 09:19:34 +0200 php5 (5.5.0+dfsg-11) unstable; urgency=low * Make php5 compatible with php5-xcache 3.1~svn1282+1-1 * Add reportbug scripts and controls for php5-sapi and php5-module (+ simple php5 redirect to php5-common). This should make the bugreports from people using reportbug more informative. * Make .ini files in reportbug more terse (remove comments and blank lines) -- Ondřej Surý Thu, 11 Jul 2013 14:30:59 +0200 php5 (5.5.0+dfsg-10) unstable; urgency=low * Install correct SAPI names to /usr/share/php5/sapi/ for libapache2-mod-php5(filter) (Closes: #716659) * Introduce list_parts helper function in php5-helper + Don't fail php5query -M if the module list is empty + Don't list current directory if the SAPI list is empty * Fix even more different glitches when something bad happends in php5enmod and php5query helper scripts -- Ondřej Surý Thu, 11 Jul 2013 09:10:03 +0200 php5 (5.5.0+dfsg-9) unstable; urgency=low * Add Breaks: php5-json (<< 1.3.1) to unbreak php5-json (and in turn pkg-php-tools that depends on php5-json) * Cleanup old Breaks: from 5.3 to 5.4 transition -- Ondřej Surý Wed, 10 Jul 2013 13:02:57 +0200 php5 (5.5.0+dfsg-8) unstable; urgency=low * NOTE: The php5_invoke script is still too chatty, but we need that to debug possible bugs. It will be made less chatty when we feel more confident that everything works as it should be. * Drop dh_phpize scripts in favor of dh_phppear * Add Recommends on pkg-php-tools in php5-dev * Add missing libapache2-mod-php5filter.postinst.extra * Introduce automatic module registry, which add or remove module from the registry if called with -s ALL (Closes: #715493) * Finish renaming /var/lib/php5/module/ to /var/lib/php5/modules/ and don't create /var/lib/php5/sessions/ -- Ondřej Surý Wed, 10 Jul 2013 09:55:28 +0200 php5 (5.5.0+dfsg-7) unstable; urgency=low [ Ondřej Surý ] * This release introduces several major packaging changes: + php5{en,dis}mod now accepts -s argument to selectively enable/disable module for specific SAPI; The -s also accepts ALL as an argument (Closes: #505743) + php5{en,dis}mod now records a state for a module and has two modi operandi: local administrator and maintainer script This has been lousely modeled after apache2 packaging scripts. Thanks Arno Töll for his work on dh_apache2, I have used some parts of it. + Packages can now depend on dh_php5 (provided by php5-dev) which provides: dh_php5, dh_phpize and dh_phpize_clean (also with dh integration). See php-apcu for an example how to build an PHP 5 extension now. The scripts definitely needs some improvements since I can't read nor write perl code without getting dizzy. + There's a new php5query script (again lousely modeled after Apache 2 a2query script) which you can use to query status of module (-m) and/or SAPI (-s) and also to list modules (-M) and SAPIs (-S). + This still needs more documentation and less ducktape. Contributions are welcome and to be discussed in pkg-php-maint mailing list first. -- Ondřej Surý Tue, 09 Jul 2013 11:37:57 +0200 php5 (5.5.0+dfsg-6ubuntu1) saucy; urgency=low * Merge from Debian unstable. Remaining changes: - d/control: drop Build-Depends that are in universe: firebird-dev, libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev. - d/rules: drop configuration of packages that are in universe: qdgm, onig. - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build interbase or firebird. - d/rules: export DEB_HOST_MULTIARCH properly. - d/control: drop binary packages php5-imap, php5-interbase and php5-mcrypt since we have separate versions in universe. - d/modulelist: drop imap, interbase and mcrypt since we have separate versions in universe. - d/rules: drop configuration of imap and mcrypt since we have separate versions in universe. - d/source_php5.py, d/rules: add apport hook. - d/rules: stop mysql instance on clean just in case we failed in tests. - d/control, d/rules: re-enable libedit-dev. * Remaining changes that were previously undocumented: - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd as only the latter is in main. * Drop changes: - Add build-dependency on lemon, which we now need. This is evidently no longer required, since there is no sign of it being used in 5.4.15-1ubuntu3. - Dropped libcurl-dev not in the archive. libcurl-dev is a virtual alternative, so doesn't need to be dropped. - debian/control: replace build-depends on mysql-server with mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and mysql-server-5.5 postinst confusion with starting up multiple mysqlds listening on the same port. The test infrastructure in packaging has changed, and now breaks without the mysql-server-5.5 postinst having run and created the mysql user. However, it also finds an available port itself so no longer conflicts with our mysql-server-5.5 postinst. - Patches included upstream: + debian/patches/CVE-2013-2110.patch + debian/patches/fix_gd_210.patch + debian/patches/CVE-2013-4635.patch + debian/patches/CVE-2013-4636.patch * Drop changes that were previously undocumented: - d/rules: adjust memory limits in .ini files. It appears that this was intended to be dropped back in 5.4.6-1ubuntu1, going by the old changelog entry. - d/rules: adjust openssl path in configure script. PHP still appears to configure, detect and build openssl-related components correctly regardless. - d/rules: disable parallel builds. There is no previous explanation as to why this was disabled, and having this in place is standard practice and in the Debian packaging. - d/rules: adjust PHP5_{HOST,BUILD}_GNU_TYPE. There is no previous explanation as to why this was present, and I can't find any regression that would be fixed by this change. * New changes: - d/rules, d/control: drop use of dh_systemd as it is in universe. - d/control: relegate php5-json from Recommends to Suggests as it is in universe. -- Robie Basak Mon, 15 Jul 2013 14:09:59 +0000 php5 (5.5.0+dfsg-6) unstable; urgency=low [ Gianfranco Costamagna ] * Fixed debian/watch file [ Ondřej Surý ] * Mangle apache2filter DSO name before running dh_apache2 (Closes: #714713) * Don't fail upstart/systemd job if no ERRORS in config file is found -- Ondřej Surý Wed, 03 Jul 2013 14:26:32 +0200 php5 (5.5.0+dfsg-5) unstable; urgency=low * Build with systemd only on linux-any (Closes: #714728) * Fix FTBFS introduced by multiarched libgmp-dev (affected by #675577) -- Ondřej Surý Tue, 02 Jul 2013 13:38:11 +0200 php5 (5.5.0+dfsg-4) unstable; urgency=low * Install systemd service file only to php5-fpm package (Closes: #713948) -- Ondřej Surý Mon, 24 Jun 2013 09:13:43 +0200 php5 (5.5.0+dfsg-3) unstable; urgency=low * Utilize new php5-fpm --nodaemonize and --daemonize options in sysvinit, upstart and systemd jobs * Enable FPM systemd support to report health to systemd * Switch systemd job type to notify as we have a support for sd_notify compiled in now -- Ondřej Surý Sun, 23 Jun 2013 16:09:32 +0200 php5 (5.5.0+dfsg-2) unstable; urgency=low * Use dh-systemd to enable systemd support for starting php5-fpm (along with existing sysvinit and upstart support) -- Ondřej Surý Sun, 23 Jun 2013 12:37:58 +0200 php5 (5.5.0+dfsg-1) unstable; urgency=low * New upstream version 5.5.0+dfsg * Update dfsg-repack.sh script to handle upstream .xz tarballs better * Update patches to 5.5.0+dfsg release -- Ondřej Surý Fri, 21 Jun 2013 13:55:06 +0200 php5 (5.5.0~rc3+dfsg-2) unstable; urgency=low [Ondřej Surý] * Make the php5{en,dis}mod less picky on removed files or changed symlinks to prevent breakages on upgrades where users have mangled with the files and symlinks in /etc/php5/{mods-available,conf.d}. [Thijs Kinkhorst] * Override license-problem-json-evil for README.REDIST.BINS. * Put all licences statically in debian/copyright. -- Ondřej Surý Tue, 11 Jun 2013 10:02:33 +0200 php5 (5.5.0~rc3+dfsg-1) unstable; urgency=low * New upstream version 5.5.0~rc3+dfsg * Pre-Depend on apache2 (>= 2.4) to workaround #711454 * php5-common now suggests php5-user-cache virtual package which is provided by php5-apcu, php5-yac and php5-xcache. * Make the Breaks on php5-suhosin versioned to allow suhosin backports when there's a new upstream version (Acked by suhosin maintainer) * Disable running tests on mipsen until #710937 is fixed -- Ondřej Surý Thu, 06 Jun 2013 20:53:09 +0200 php5 (5.5.0~rc2+dfsg-2) unstable; urgency=low * Don't depend on lsof on hurd-any and kfreebsd-any and make the call in sessionclean optional (Closes: #710684) * Add initial support to php5-fpm for systemd service and upstart job in addition to sysvinit script * Update systzdata patch to v10 * Add php5-json to Recommends to declare strong dependency at least in jessie -- Ondřej Surý Sat, 01 Jun 2013 17:58:09 +0200 php5 (5.5.0~rc2+dfsg-1) unstable; urgency=low * Imported Upstream version 5.5.0~rc2+dfsg * Update patches for 5.5.0~rc2 release -- Ondřej Surý Mon, 27 May 2013 21:39:36 +0200 php5 (5.5.0~rc1+dfsg-2) unstable; urgency=low [ Thijs Kinkhorst ] * Wrap long line in php5-readline extended description. * Switch from hardening-wrapper to dpkg-buildflags. * Canonicalise Vcs-* fields as suggested by Lintian. * Checked for policy 3.9.4, no changes necessary. [ Ondřej Surý ] * Install Zend Opcache into php5-common (Closes: #709314) * Add support for handling zend_extension(s) in addition to extensions (Thanks to Yaacov Akiba Slama for catching that) * Upload to unstable -- Ondřej Surý Thu, 23 May 2013 09:07:41 +0200 php5 (5.5.0~rc1+dfsg-1) experimental; urgency=low * Imported Upstream version 5.5.0~rc1+dfsg * Enable VPX (WEBP) support in GD extension * Add dfsg-repack.sh script to remove non-free JSON module (Closes: #692613) * Remove php5-json from Provides, since that's no longer true -- Ondřej Surý Fri, 17 May 2013 14:41:41 +0200 php5 (5.5.0~rc1-3) experimental; urgency=low * Add dependency on lsof (Closes: #708087) * Add versioned conflicts with php-apc (<< 4.0.0) that is in fact php5-apcu, and php5-xdebug (<< 2.2.2) that added support for PHP 5.5 * Enable VPX (WEBP) support in GD extension * Prepare for libgd2-dev to libgd-dev rename -- Ondřej Surý Wed, 15 May 2013 10:13:02 +0200 php5 (5.5.0~rc1-2) experimental; urgency=low * Load Apache 2.4 maintainer script helper and conditionally define the conditional function php5_enable if that succeeds (Closes: #707659) -- Ondřej Surý Fri, 10 May 2013 08:21:48 +0200 php5 (5.5.0~rc1-1) experimental; urgency=low * Imported Upstream version 5.5.0~rc1 * Remove php5-5.5.0~rc1~0~78c79a2d5b.patch since PHP 5.5.0RC1 is out -- Ondřej Surý Thu, 09 May 2013 19:21:03 +0200 php5 (5.5.0~beta4-4) experimental; urgency=low * Use #DEBHELPER# capability of dh_apache2 to install/remove modules * Rewrite and unify dpkg maintfiles and fix php5-cgi postinst script (Closes: #707131) -- Ondřej Surý Tue, 07 May 2013 11:04:25 +0200 php5 (5.5.0~beta4-3) experimental; urgency=low [Thijs Kinkhorst] * debian/control: Remove ${apache2:Depends} substvar to allow installing the modules with Apache 2.4. -- Ondřej Surý Mon, 06 May 2013 19:35:44 +0200 php5 (5.5.0~beta4-2) experimental; urgency=low * Pull upstream git fixes to have the latest ext/gd tree * Update patches on top of current php.git * Update package to use Apache 2.4 (Closes: #666820) * Update Build-Depends to apache2-dev (>= 2.4) * short_open_tag now defaults to Off (Closes: #142178) * Add opcache.so to list of forbidden extensions in test run -- Ondřej Surý Mon, 06 May 2013 19:35:25 +0200 php5 (5.5.0~beta4-1) experimental; urgency=low * Imported Upstream version 5.5.0~beta4 * Hardcode MAXPATHLEN to 4096 if undefined to fix GNU Hurd build * Update gd-2.1.0 patch to not include antialias functions not provided by GD 2.1.0 library * Require libgd2-dev (>= 2.1.0~alpha~4) to have compatible version -- Ondřej Surý Thu, 25 Apr 2013 13:07:28 +0200 php5 (5.5.0~beta3-1) experimental; urgency=low * Imported Upstream version 5.5.0~beta3 * Update patches to 5.5.0~beta3 release * Fix GNU Hurd check in also in ext/opcache/config.m4 and configure * Add support for GD >= 2.1.0, possibly (Closes: #704457) -- Ondřej Surý Thu, 11 Apr 2013 17:25:42 +0200 php5 (5.5.0~beta2-1) experimental; urgency=low * Imported Upstream version 5.5.0~beta2 * Fix compilation on GNU Hurd (Courtesy of Svante Signell) * Refresh and delete merged patches in php 5.5.0beta2 -- Ondřej Surý Fri, 29 Mar 2013 01:38:38 +0100 php5 (5.5.0~beta1-2) experimental; urgency=low * Add php5-readline based on libedit (Courtesy of Andreas Pour) * Add -n to run-tests.php for php to not pick-up any local php.ini. It's not a problem on sbuilds, but it might break when building locally. (Courtesy of Andreas Pour) * XCache will support PHP 5.5 from version 3.1 * Disable -gstabs usage, which was breaking clang builds and is not needed. * Remove .gitignore from git * Pull upstream fix for kFreeBSD builds -- Ondřej Surý Tue, 26 Mar 2013 21:26:33 +0100 php5 (5.5.0~beta1-1) experimental; urgency=low * Imported Upstream version 5.5.0~beta1 + Includes Zend OPCache (Closes: #700577) * Refresh patches for release 5.5.0~beta1 * Add Breaks for other low-level Zend OpCache and debug packages -- Ondřej Surý Fri, 22 Mar 2013 08:39:49 +0100 php5 (5.5.0~alpha5-2) experimental; urgency=low * Enable interactive mode in php5-cli (Closes: #341868) -- Ondřej Surý Tue, 05 Mar 2013 16:39:21 +0100 php5 (5.5.0~alpha5-1) experimental; urgency=low * Imported Upstream version 5.5.0~alpha5 * Update patches for 5.5.0~alpha5 release -- Ondřej Surý Mon, 25 Feb 2013 16:38:27 +0100 php5 (5.5.0~alpha4-1) experimental; urgency=low * Imported Upstream version 5.5.0~alpha4 * Update patches for 5.5.0~alpha4 release -- Ondřej Surý Tue, 19 Feb 2013 13:44:13 +0100 php5 (5.5.0~alpha3-1) experimental; urgency=low * Merged changes from wheezy/sid + Fix typo in path to session clean script in cron file + Install logrotate script in php5-fpm package * Imported Upstream version 5.5.0~alpha3 * Update patches for new release + Patch debian/patches/libxml-reset-the-handler.patch has been merged upstream * Make the sessionclean script compatible with awk != gawk -- Ondřej Surý Wed, 16 Jan 2013 09:17:30 +0100 php5 (5.5.0~alpha1-1) experimental; urgency=low * Imported Upstream version 5.5.0~alpha1 * Return to PHP versions of crypt() functions, it's to big burden to carry on the patch * fix_crash_in__php_mssql_get_column_content_without_type.patch: remove patch, it has been merged upstream * Update&refresh patches to PHP 5.5 branch * Slim down the 006-debian_quirks.patch by removing PIKE related patch * Remove number of old possibly unneeded patches * Remove broken MultiArch patch from upstream and replace it with new Debian's version -- Ondřej Surý Fri, 16 Nov 2012 15:22:45 +0100 php5 (5.4.15-1ubuntu3) saucy; urgency=low * SECURITY UPDATE: denial of service via overflow in SdnToJewish - debian/patches/CVE-2013-4635.patch: check value in ext/calendar/jewish.c, add test to ext/calendar/tests/jdtojewish64.phpt. - CVE-2013-4635 * SECURITY UPDATE: denial of service via incorrect MIME type detection - debian/patches/CVE-2013-4636.patch: use efree in ext/fileinfo/libmagic/softmagic.c. - CVE-2013-4636 -- Marc Deslauriers Fri, 28 Jun 2013 08:20:11 -0400 php5 (5.4.15-1ubuntu2) saucy; urgency=low * SECURITY UPDATE: denial of service and possible code execution via quoted_printable_encode overflow - debian/patches/CVE-2013-2110.patch: calculate proper string size in ext/standard/quot_print.c, add test to ext/standard/tests/strings/bug64879.phpt. - CVE-2013-2110 * debian/patches/fix_gd_210.patch: fix php-gd compatibility with libgd2 2.1.0. (LP: #1188070) -- Marc Deslauriers Tue, 11 Jun 2013 09:19:47 -0400 php5 (5.4.15-1ubuntu1) saucy; urgency=low * Merge from Debian experimental. Remaining changes: - d/rules: Simplify apache config settings since we never build interbase or firebird. - debian/rules: export DEB_HOST_MULTIARCH properly. - Add build-dependency on lemon, which we now need. - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. - Dropped libcurl-dev not in the archive. - debian/control: replace build-depends on mysql-server with mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and mysql-server-5.5 postinst confusion with starting up multiple mysqlds listening on the same port. - Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions already in universe. - Dropped libonig-dev and libqgdbm since its in universe. (libonig MIR has been declined due to an inactive upstream. So this is probably a permanent change). - modulelist: Drop imap, interbase, sybase, and mcrypt. - debian/rules: - Dropped building of mcrypt, imap, and interbase. - Install apport hook for php5. - stop mysql instance on clean just in case we failed in tests - debian/control, debian/rules: Re-enable libedit-dev. * Dropped changes: - debian/patches/CVE-2013-1643.patch: included upstream. -- Marc Deslauriers Sun, 19 May 2013 19:13:15 -0400 php5 (5.4.9-4ubuntu2) raring; urgency=low * SECURITY UPDATE: arbitrary file disclosure via XML External Entity - debian/patches/CVE-2013-1643.patch: disable the entity loader in ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c. - CVE-2013-1643 -- Marc Deslauriers Fri, 08 Mar 2013 16:12:43 -0500 php5 (5.4.9-4ubuntu1) raring; urgency=low * Merge from Debian experimental. Remaining changes: - d/rules: Simplify apache config settings since we never build interbase or firebird. - debian/rules: export DEB_HOST_MULTIARCH properly. - Add build-dependency on lemon, which we now need. - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. - Dropped libcurl-dev not in the archive. - debian/control: replace build-depends on mysql-server with mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and mysql-server-5.5 postinst confusion with starting up multiple mysqlds listening on the same port. - Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions already in universe. - Dropped libonig-dev and libqgdbm since its in universe. (libonig MIR has been declined due to an inactive upstream. So this is probably a permanent change). - modulelist: Drop imap, interbase, sybase, and mcrypt. - debian/rules: - Dropped building of mcrypt, imap, and interbase. - Install apport hook for php5. - stop mysql instance on clean just in case we failed in tests - debian/control, debian/rules: Re-enable libedit-dev. * Dropped changes: - Re-add logic to guess default timezone from system to fix default timezone regression Cherry-picked from Debian 5.4.4-6 (also in Debian 5.4.6-2). - debian/patches/libxml290.patch: Fix FTBFS with libxml 2.9.0. (included upstream) -- Clint Byrum Tue, 04 Dec 2012 13:57:33 -0800 php5 (5.4.9-2) experimental; urgency=low * Introduce new (hopefully slightly smarter) way of not deleting still used session files -- Ondřej Surý Thu, 29 Nov 2012 08:48:24 +0100 php5 (5.4.9-1) experimental; urgency=low [ Lior Kaplan ] * Support removing dangling symlinks, users are allowed to remove configuration files * Exit with code 0 even if module symlink doesn't exist (Closes: #692013) [ Ondřej Surý ] * Imported Upstream version 5.4.9 * Remove all traces of suhosin patch from debian sources * Convert to 3.0 (quilt) debian source format (Closes: #694543) * Remove broken MultiArch patch from upstream and replace it with new Debian's version * Replace Breaks with Conflict for php5-suhosin * Remove useless .la file from libphp5-embed -- Ondřej Surý Tue, 27 Nov 2012 16:54:48 +0100 php5 (5.4.8-1) experimental; urgency=low * Imported Upstream version 5.4.8 + Update patches for new release * Remove IfModule to always interpret PHP if the module is enabled * Fix extended DES crypt when salt != 9 * Fix libphp5-embed linking: + Expose all installed (and not built time) SAPIs via php-config --php-sapis + Add /usr/lib/php5 to php-config --ldflags output to allow linking with libphp5.so * Add new lintian-overrides for libphp5-embed * Add logrotate script for php5-fpm (Closes: #683415) * Add more warning text about new php5_cgi apache2 module (Closes: #687307) * Add Breaks: php5-suhosin so people don't try to use it with PHP 5.4 -- Ondřej Surý Thu, 25 Oct 2012 16:05:34 +0200 php5 (5.4.6-2) experimental; urgency=low * Merge 5.4.4-5, 5.4.4-6 and 5.4.4-7 changes -- Ondřej Surý Thu, 30 Aug 2012 13:30:54 +0200 php5 (5.4.6-1ubuntu2) raring; urgency=low [ Robie Basak ] * Re-add logic to guess default timezone from system to fix default timezone regression (LP: #1069529). Cherry-picked from Debian 5.4.4-6 (also in Debian 5.4.6-2). [ Marc Deslauriers ] * debian/patches/libxml290.patch: Fix FTBFS with libxml 2.9.0. -- Marc Deslauriers Wed, 07 Nov 2012 11:54:55 -0500 php5 (5.4.6-1ubuntu1) quantal; urgency=low * Merge from Debian experimental (LP: #1006738 , LP: #1040212) Remaining changes: - d/rules: Simplify apache config settings since we never build interbase or firebird. - debian/rules: export DEB_HOST_MULTIARCH properly. - Add build-dependency on lemon, which we now need. - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. - Dropped libcurl-dev not in the archive. - debian/control: replace build-depends on mysql-server with mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and mysql-server-5.5 postinst confusion with starting up multiple mysqlds listening on the same port. - Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions already in universe. - Dropped libonig-dev and libqgdbm since its in universe. (libonig MIR has been declined due to an inactive upstream. So this is probably a permanent change). - modulelist: Drop imap, interbase, sybase, and mcrypt. - debian/rules: - Dropped building of mcrypt, imap, and interbase. - Install apport hook for php5. - stop mysql instance on clean just in case we failed in tests - debian/control, debian/rules: Re-enable libedit-dev. * Dropped Changes: - debian/rules: change memory limits on example .ini files. -- Clint Byrum Wed, 22 Aug 2012 13:40:18 -0700 php5 (5.4.6-1) experimental; urgency=low * Imported Upstream version 5.4.6 * Apply another fix to compile --without-system-tzdata (Courtesy of Michael Heimpold) -- Ondřej Surý Tue, 21 Aug 2012 12:37:12 +0200 php5 (5.4.5-1) experimental; urgency=low * Imported Upstream version 5.4.5 * Update patches for PHP 5.4.5 release * Compile with system libzip (upstream has added support for that) -- Ondřej Surý Mon, 23 Jul 2012 11:12:08 +0200 php5 (5.4.4-7) unstable; urgency=low * Add explanatory text about MultiViews negotiation support to README.Debian with additions from Christoph Anton Mitterer (Closes: #670945) -- Ondřej Surý Wed, 29 Aug 2012 09:18:14 +0200 php5 (5.4.4-6) unstable; urgency=low * Merge a fix for zlib.output_compression from the upstream git (Closes: #683432) * Re-add logic to guess default timezone from system (Closes: #673763) and remove the spurious warning about the selection. * Fix invalid generated tar files from PEAR Archive/Tar package (Closes: #680251) * Merge a couple of upstream fixes from PHP 5.4.5 and 5.4.6: + Fixed bug #62653: (unset($array[$float]) causes a crash). + Fixed bug #62565 (Crashes due non-initialized internal properties_table). + Fixed bug #61964 (finfo_open with directory causes invalid free). + Fixed bug #62564 (Extending MessageFormatter and adding property causes crash). + Fixed bug #62594 (segfault in mysqlnd_res_meta::set_mode). + Fixed bug #62616 (ArrayIterator::count() from IteratorIterator instance gives Segmentation fault). + Fixed bug #62373 (serialize() generates wrong reference to the object). + Fixed bug #61998 (Using traits with method aliases appears to result in crash during execution). + Fixed bug #55042 (Erealloc in iconv.c unsafe). + Fixed bug #62266 (Custom extension segfaults during xmlParseFile with FPM SAPI) -- Ondřej Surý Thu, 23 Aug 2012 13:59:49 +0200 php5 (5.4.4-5) unstable; urgency=low * Get rid of empty examples directory (Closes: #684108) * Provide sensible default configuration for PHP MIME-types inside Apache 2 configuration (Closes: #685340) * Add NEWS text about more strict extension configuration * Update NEWS and README.Debian based on debian-l10n-english review (Courtesy of Justing B Rye) -- Ondřej Surý Tue, 21 Aug 2012 17:05:06 +0200 php5 (5.4.4-4) unstable; urgency=low * Fix php5-fpm segfault (PHP#62205) * CVE-2012-2688: potential overflow in _php_stream_scandir (Closes: #683274) * Improve security in CGI section in README.Debian (Closes: #674205) -- Ondřej Surý Mon, 06 Aug 2012 13:01:42 +0200 php5 (5.4.4-3ubuntu1) quantal; urgency=low * Merge from Debian unstable. (LP: #1014044) (LP: #1024355) Remaining changes: - d/rules: Simplify apache config settings since we never build interbase or firebird. - debian/rules: export DEB_HOST_MULTIARCH properly. - Add build-dependency on lemon, which we now need. - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. - Dropped libcurl-dev not in the archive. - debian/control: replace build-depends on mysql-server with mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and mysql-server-5.5 postinst confusion with starting up multiple mysqlds listening on the same port. - Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions already in universe. - Dropped libonig-dev and libqgdbm since its in universe. (libonig MIR has been declined due to an inactive upstream. So this is probably a permanent change). - modulelist: Drop imap, interbase, sybase, and mcrypt. - debian/rules: * Dropped building of mcrypt, imap, and interbase. * Install apport hook for php5. * stop mysql instance on clean just in case we failed in tests -- Clint Byrum Mon, 23 Jul 2012 11:08:52 -0700 php5 (5.4.4-3) unstable; urgency=low * Update ucf/ucfr scripts to not conflict between mysql and mysqlnd extension (Closes: #678371) -- Ondřej Surý Thu, 21 Jun 2012 11:22:05 +0200 php5 (5.4.4-2) unstable; urgency=high * Fix PHP5-FPM not reporting errors to web server (nginx) (Closes: #677994) * Bump urgency to high to replace the RC2 version in testing sooner. -- Ondřej Surý Tue, 19 Jun 2012 09:09:13 +0200 php5 (5.4.4-1ubuntu1) quantal; urgency=low * Merge from Debian unstable. Remaining changes: - d/rules: Simplify apache config settings since we never build interbase or firebird. - debian/rules: export DEB_HOST_MULTIARCH properly. - Add build-dependency on lemon, which we now need. - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. - Dropped libcurl-dev not in the archive. - debian/control: replace build-depends on mysql-server with mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and mysql-server-5.5 postinst confusion with starting up multiple mysqlds listening on the same port. - Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions already in universe. - Dropped libonig-dev and libqgdbm since its in universe. (libonig MIR has been declined due to an inactive upstream. So this is probably a permanent change). - modulelist: Drop imap, interbase, sybase, and mcrypt. - debian/rules: * Dropped building of mcrypt, imap, and interbase. * Install apport hook for php5. * stop mysql instance on clean just in case we failed in tests * Dropped Changes: * d/rules: enable Suhosin patch with PHP5_SUHOSIN=yes -- Upstream suhosin has been slow to adopt PHP 5.4, and is showing signs of disengagement. Therefore, we will follow Debian's lead and drop Suhosin for now. - d/control: build-depend on mysql 5.5 instead of 5.1 for running tests. -- Debian just deps on mysql-server - Suggest php5-suhosin rather than recommends. -- Dropping suhosin - d/setup-mysql.sh: modify to work with mysql 5.5 differences -- superseded in Debian. - Only build php5-sqlite for sqlite3, dropping the obsolete sqlite2. -- superseded in Debian - d/maxlifetime: Improve maxlifetime script to scan for more SAPIs and scan all *.ini in conf.d directory. -- Change came from Debian - d/libapache2-mod-php5.postinst,libapache2-mod-php5filter.postinst: Restart apache on first install to ensure module is fully enabled. -- Change came from Debian - debian/patches/php5-CVE-2012-1823.patch: filter query strings that are prefixed with '-' -- Fixed upstream - debian/control: Recommend php5-dev for php-pear. -- This was a poorly conceived idea anyway. - Pre-Depend on a new enough version of dpkg for dpkg-maintscript-helper rather than checking whether it exists at run-time, leading to more predictable behaviour on upgrades. -- Applied in Debian - d/p/gd-multiarch-fix.patch: superseded * d/NEWS: add note explaining that SUHOSIN is no longer enabled in the Ubuntu packages. -- Clint Byrum Mon, 18 Jun 2012 16:10:26 -0700 php5 (5.4.4-1) unstable; urgency=low * Imported Upstream version 5.4.4 * Generate 16 char salt instead of 12 char salt for SHA-512 -- Ondřej Surý Thu, 14 Jun 2012 16:03:51 +0200 php5 (5.4.4~rc2-1) unstable; urgency=low * Imported Upstream version 5.4.4~rc2 -- Ondřej Surý Thu, 31 May 2012 10:58:14 +0200 php5 (5.4.4~rc1-1) unstable; urgency=low * Imported Upstream version 5.4.4~rc1 + CVE-2012-2386: Fix integer overflow leading to heap-buffer overflow in the Phar extension * Remove some READMEs removed by upstream + README.SVN-RULES - upstream has moved to git + README.Zeus - Zeus Web Server is dead * CVE-2012-2386: one additional, similar vulnerable code construct in the Phar extension -- Ondřej Surý Tue, 29 May 2012 12:12:27 +0200 php5 (5.4.3-6) unstable; urgency=low [ Ondřej Surý ] * Merge 5.3.10-1 and 5.3.10-2 changelog * Remove *.patch from .gitignore, it broke adding quilt patches * Revert "Use system libzip (Pulled from Fedora)" (Closes: #674151) * Add patch to fix tt-rss backend php crash (Closes: #666200) [ Thorsten Glaser ] * Add support for Linux/m68k atomics needed by the FPM SAPI (Closes: #672277) [ Gedalya ] * Add logrotate script for php5-fpm (Closes: #673558) -- Ondřej Surý Mon, 28 May 2012 10:43:44 +0200 php5 (5.4.3-5) unstable; urgency=low * Pull patches from Fedora: + Update use_embedded_timezonedb.patch to r8: fix compile error without --with-system-tzdata configured + Add ldconfig post/postun for -embedded (Hans de Goede) + Use RTLD_NOW instead of RTLD_LAZY (pulled from Fedora) + Use system libzip (pulled from Fedora) * Disable undefined ZIP_OVERWRITE to allow compile with system libzip -- Ondřej Surý Mon, 21 May 2012 13:37:35 +0200 php5 (5.4.3-4) unstable; urgency=low * Fix tests ([ERROR] Can't start server: bind-address refers to multiple interfaces!) (Closes: #672588) -- Ondřej Surý Tue, 15 May 2012 18:01:55 +0200 php5 (5.4.3-3) unstable; urgency=low * Disable log redirection in debian/setup-mysql.sh to help diagnose the setup-mysql.sh failure (still not fixed, but not reproduceable on my local box) -- Ondřej Surý Tue, 15 May 2012 14:27:12 +0200 php5 (5.4.3-2) unstable; urgency=low * Add --no-defaults to rest of the mysql commands in setup-mysql.sh script (Closes: #672588) * Add debugging info to debian/setup-mysql.sh to help diagnose any further problems -- Ondřej Surý Tue, 15 May 2012 10:26:34 +0200 php5 (5.4.3-1) unstable; urgency=low * Imported Upstream version 5.4.3 + CVE-2012-2311: Complete fix for PHP-CGI query string parameter vulnerability + CVE-2012-2329: Fix a buffer overflow vulnerability in the apache_request_headers() (PHP 5.3 is not vulnerable) -- Ondřej Surý Wed, 09 May 2012 08:48:10 +0200 php5 (5.4.2-1) unstable; urgency=low * Imported Upstream version 5.4.2 + CVE-2012-1823: Fix PHP-CGI query string parameter vulnerability. -- Ondřej Surý Fri, 04 May 2012 08:47:42 +0200 php5 (5.4.1-1) unstable; urgency=low * Imported Upstream version 5.4.1 + Fixed insufficient validating of upload name leading to corrupted $_FILES indices). (CVE-2012-1172). + Add open_basedir checks to readline_write_history and readline_read_history. + Add Apache 2.4 support (.deb package in experimental comming soon) + Added debug info handler to DOM objects. * Remove Breaks: on php applications on maintainer requests: + simplesamlphp + php-horde-auth * Add better configuration snippet for CGI (Closes: #571795) * Update a description of PHP language based on the text from upstream web page (http://www.php.net/manual/en/intro-whatis.php) * Enable embed SAPI (Closes: #380731) * Add lintian override for libphp5-embed: embedded-library usr/lib/libphp5.so: file * Add ldconfig to libphp5-embed.{postinst,postrm} * Fix #EXTRA# processing for SAPIs (extra ; at the end of sed cmd) -- Ondřej Surý Thu, 03 May 2012 13:29:07 +0200 php5 (5.4.1~rc1-1) unstable; urgency=low * Add information about flavor of INI file inside the INI file, install php.ini-development INI to /usr/share/php5 (Closes: #667711) * Imported Upstream version 5.4.1~rc1 * Update patches for the 5.4.1RC1 release -- Ondřej Surý Fri, 06 Apr 2012 15:04:08 +0200 php5 (5.4.0-4) unstable; urgency=low * Change id -u+getent combo to whoami (Courtesy of Michiel van Leening) * Fix missing FOUND declaration (pulled from dotdeb) * Add Breaks for all known broken packages not working with PHP 5.4 (Closes: #666411) -- Ondřej Surý Fri, 06 Apr 2012 12:46:14 +0200 php5 (5.4.0-3) unstable; urgency=high [ Thijs Kinkhorst ] * Correct version number; 5.4.0~rc7-3 never existed * Add placeholder build-arch, build-indep targets * Each module needs to depend on ucf, as it's used in postinst * Newer version of roundcube available that isn't broken anymore * Checked for policy 3.9.3 [ Ondřej Surý ] * Remove Pre-Depends on dpkg-maintscript-helper * Remove obsolete configure options * Add support for *.extra.{post,pre}{inst,rm} files * Add support for MultiArch libgd2-xpm-dev * Add support for MultiArch libmysqlclient-dev * Add Lior to maintainers * setup-mysql.sh changed to: + never run as root (fix needed for MySQL 5.5 in pbuilder) + drop and create database test which may or may not exist * Restart apache2 instead of reloading on first install (Closes: #589386) [ Julien Cristau ] * Fix postinst scripts to not use 'local' outside functions (Closes: #664853, #664849) -- Ondřej Surý Wed, 14 Mar 2012 08:49:32 +0100 php5 (5.4.0-2) unstable; urgency=low * Build depend on libpng-dev | libpng12-dev (Closes: #662466) -- Ondřej Surý Mon, 05 Mar 2012 13:26:06 +0100 php5 (5.4.0-1) unstable; urgency=low * PHP 5.4 has landed in unstable * Imported Upstream version 5.4.0 * Use $(filter pattern...,text) instead of $(findstring find,in) in debian/rules to match against space separated list of words and not substrings (Closes: #660647) -- Ondřej Surý Sat, 03 Mar 2012 16:03:12 +0100 php5 (5.4.0~rc8-2) experimental; urgency=low * Use $(filter pattern...,text) instead of $(findstring find,in) in debian/rules to match against space separated list of words and not just substrings (i386 != hurd-i386) (Closes: #660647) -- Ondřej Surý Mon, 20 Feb 2012 17:26:54 +0100 php5 (5.4.0~rc8-1) experimental; urgency=low * Imported Upstream version 5.4.0~rc8 * Improve maxlifetime script to scan for more SAPIs and scan all *.ini in conf.d directory * Move php5-mysqlnd to Priority: extra to make debcheck happy * Check for dpkg-maintscript-helper existence in php5-fpm maintainer scripts * Add Pre-Depends: dpkg (>= 1.15.7.2~) | dpkg-maintscript-helper to allow single upgrade path (dpkg-maintscript-helper package will be provided for Ubuntu Lucid PPA) -- Ondřej Surý Fri, 17 Feb 2012 21:37:05 +0100 php5 (5.4.0~rc7-2) experimental; urgency=low * Use corrected module PHPAPI (20100525) and not (220100525) * Use $ZEND_MODULE_API_NO for $DEBIAN_PHP_API. Check for PHPAPI changes, so we don't become binary incompatible without knowing it. * Update debian/README.Debian.security: + register_globals was removed from PHP 5.4 + Remove safe_mode (removed upstream) and update and reformat text slightly + Reviewed by english l10n team (thanks a lot) * php5-fpm now listen on socket instead of localhost by default (Closes: #650204) * Add NEWS about change of default location of php5-fpm socket * Stop php5-fpm on runlevels 0 1 6 (Closes: #650203) * Add -ignore_readdir_race to find call in session cleanup (#634864) * Don't prefix extension list automatically, it's done by subsvars now (Closes: #633491) * Depends on non-forking fuser in psmisc (Closes: #633100) * php5-common.README.Debian additions and cleanup: + Add a paragraph about PHP_INI_SCAN_DIR (Closes: #659123) + Reformat README.Debian to common formatting + Mention php5-fpm where appropriate + Use 'PHP 5' and 'Apache HTTP Server' instead of php5 and apache2 -- Ondřej Surý Thu, 09 Feb 2012 00:03:26 +0100 php5 (5.4.0~rc7-1) experimental; urgency=low [ Thijs Kinkhorst ] * Textual improvements to README.Debian.security, NEWS (closes: #632675,#643015,#658208). [ Ondřej Surý ] * Imported Upstream version 5.4.0~rc7 + CVE-2012-0830: Fix PHP remote vulnerability (code injection) in the implementation of the max_input_vars configuration variable + CVE-2011-3389: Fix possible attack in SSL sockets with SSL 3.0/TLS 1.0. -- Ondřej Surý Fri, 03 Feb 2012 11:03:39 +0100 php5 (5.4.0~rc6-3) experimental; urgency=low * ucfize php5-module.* and store priority in module .ini file * Store dsonames in maintainer scripts to make postrm work * Make php5enmod idempotent -- Ondřej Surý Thu, 02 Feb 2012 12:25:54 +0100 php5 (5.4.0~rc6-2) experimental; urgency=low * Merge all changes from Debian unstable branch (up to 5.3.9-6) * Fix -Wformat-security error in mysqlnd * Add php5{en,dis}mod to enable/disable modules from maintainer scripts (Closes: #447826, #582320, #627145) (Initial work courtesy of Clint Byrum) * Modify comments in php.inis to match compiled default session * Adjust new 5.3 patches for 5.4 branch * Ensure pdo.so is loaded before all other modules * Add trigger to restart php5-fpm when module is installed/removed * Remove --with-ttf and --with-t1lib (Closes: #658248, #638755) * Add debian/NEWS item about missing t1lib functions -- Ondřej Surý Wed, 01 Feb 2012 18:27:30 +0100 php5 (5.4.0~rc6-1) experimental; urgency=low * Imported Upstream version 5.4.0~rc6 -- Ondřej Surý Fri, 20 Jan 2012 15:30:48 +0100 php5 (5.4.0~rc5-1) experimental; urgency=low * Imported Upstream version 5.4.0~rc5 * Update patches for new release * Disable suhosin patch -- Ondřej Surý Thu, 19 Jan 2012 19:23:36 +0100 php5 (5.4.0~beta2-1) experimental; urgency=low * Remove obsolete sqlite(2) module from php5-sqlite * Use correct signals in php5-fpm init script (Closes: #645934) * Update gbp.conf for experimental branch * Imported Upstream version 5.4.0~beta2 * Refresh patches for the 5.4.0beta2 release * Remove php.ini-paranoid, it's almost useless now * Remove safe_mode setting from suhosin, it has been removed upstream * Remove the php_stream stuff to allow compiling with system-wide libgd * php5-common.docs: Don't install non-existant TODO file -- Ondřej Surý Sat, 22 Oct 2011 18:39:33 +0200 php5 (5.3.10-2) unstable; urgency=low * Use $(filter pattern...,text) instead of $(findstring find,in) in debian/rules to match against space separated list of words and not substrings (Closes: #660647) * CVE-2012-0831: magic_quotes_gpc remote disable vulnerability (NOTE: magic_quotes_gpc is DEPRECATED and will be removed from PHP 5.4, e.g. you should not use them!), also fix regression in CVE-2012-0831 (LP#930115) * Depends on non-forking fuser in psmisc (Closes: #633100) * Add Pre-Depends: dpkg (>= 1.15.7.2~) | dpkg-maintscript-helper to allow single upgrade path (dpkg-maintscript-helper package will be provided for Ubuntu Lucid PPA) -- Ondřej Surý Mon, 20 Feb 2012 17:40:24 +0100 php5 (5.3.10-1ubuntu4) quantal; urgency=low * SECURITY UPDATE: php5-cgi query string parameters parsing vulnerability - debian/patches/php5-CVE-2012-1823.patch: filter query strings that are prefixed with '-' - CVE-2012-1823 - CVE-2012-2311 -- Steve Beattie Wed, 23 May 2012 15:57:57 -0400 php5 (5.3.10-1ubuntu3) precise; urgency=low * Cherry picked fixes from Debian testing: - d/maxlifetime: Improve maxlifetime script to scan for more SAPIs and scan all *.ini in conf.d directory. (LP: #916065). - d/libapache2-mod-php5.postinst,libapache2-mod-php5filter.postinst: Restart apache on first install to ensure module is fully enabled. (LP: #953081). -- James Page Wed, 11 Apr 2012 14:27:10 +0100 php5 (5.3.10-1ubuntu2) precise; urgency=low * Pre-Depend on a new enough version of dpkg for dpkg-maintscript-helper rather than checking whether it exists at run-time, leading to more predictable behaviour on upgrades. -- Colin Watson Mon, 05 Mar 2012 12:21:35 +0000 php5 (5.3.10-1ubuntu1) precise; urgency=low * Merge from Debian testing. Remaining changes: - d/control: build-depend on mysql 5.5 instead of 5.1 for running tests. - d/setup-mysql.sh: modify to work with mysql 5.5 differences - debian/rules: export DEB_HOST_MULTIARCH properly. - Only build php5-sqlite for sqlite3, dropping the obsolete sqlite2. - Add build-dependency on lemon, which we now need. - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. - Dropped libcurl-dev not in the archive. - debian/control: replace build-depends on mysql-server with mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and mysql-server-5.5 postinst confusion with starting up multiple mysqlds listening on the same port. - Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions already in universe. - Suggest php5-suhosin rather than recommends. - Dropped libonig-dev and libqgdbm since its in universe. (libonig MIR has been declined due to an inactive upstream. So this is probably a permanent change). - modulelist: Drop imap, interbase, sybase, and mcrypt. - debian/rules: * Dropped building of mcrypt, imap, and interbase. * Install apport hook for php5. * stop mysql instance on clean just in case we failed in tests - debian/control: Recommend php5-dev for php-pear. * Dropped Changes: - d/patches/CVE-2011-4566.patch: Applied upstream - debian/rules: --enable-pcntl for cgi as well. (Applied in Debian) * d/rules: enable Suhosin patch with PHP5_SUHOSIN=yes * d/NEWS: add note explaining that SUHOSIN *is* enabled in the Ubuntu package. * d/rules: Simplify apache config settings since we never build interbase or firebird. -- Clint Byrum Thu, 16 Feb 2012 03:17:18 -0800 php5 (5.3.10-1) unstable; urgency=high [ Raphael Geissert ] * Remove myself from uploaders * Randomly choose the mysql server's port [ Ondřej Surý ] * Fix use_embedded_timezonedb.patch in custom builds (Courtesy of Dominic Scheirlinck) (Closes: #652599) * Fix typo in firebird2.1-dev build dependency * Update gbp.conf for 5.3.x branch * Imported Upstream version 5.3.10 + CVE-2012-0830: Fix PHP remote vulnerability (code injection) in the implementation of the max_input_vars configuration variable -- Ondřej Surý Fri, 03 Feb 2012 09:38:06 +0100 php5 (5.3.9-6) unstable; urgency=low * Build MySQL extensions with Native Driver as an alternative (Closes: #576412) * Set default mysql socket location to /var/run/mysqld/mysqld.sock * Move php5-sqlite postinst code to postinst.extra * Cherry-pick patches from Fedora: + Fix mysqlnd socket location fix + Define _GNU_SOURCE in the configure.in + Typing fixes in dba extension + Don't add RPATH to extensions * Add missing check for dpkg-maintscript-helper in sqlite preinst and postrm * Add code to specify priority of modules to load mysqlnd.so before mysql.so and mysqli.so in php5-mysqlnd package * Alter version in rm_conffile call to 5.3.9~ to handle all possible versions due binNMUs (Closes: #656495) * Add more condition when to remove empty postinst script -- Ondřej Surý Tue, 31 Jan 2012 15:25:57 +0100 php5 (5.3.9-5) unstable; urgency=low * Use DEB_HOST_ARCH, not DEB_HOST_ARCH_OS to check where to build firebird module (Closes: #645401) * Add back firebird2.5-dev and firebird2.1-dev to allow backports * Disable tests on hurd-i386 for now, because it FTBFS * Don't fail if suhosin is not enabled (Closes: #657808) -- Ondřej Surý Sun, 29 Jan 2012 09:27:28 +0100 php5 (5.3.9-4) unstable; urgency=low * Remove suhosin patch from description and add short NEWS about disabling Suhosin patch (Closes: #657697) * Re-enable firebird extension build on armhf and powerpcspe (Closes: #657691) -- Ondřej Surý Sat, 28 Jan 2012 08:50:42 +0100 php5 (5.3.9-3) unstable; urgency=low * Don't build firebird extension on hurd, m68k, hppa, ppc64, armhf and powerpcspe (Closes: #651070) * Avoid ptrace hungs when building on hurd * Check for dpkg-maintscript-helper existence instead of hard dpkg dependency to allow backported packaged on older (Ubuntu lucid) systems * Remove Suhosin patch, but add PHP5_SUHOSIN=no/yes option to debian/rules * Update patches after suhosin.patch removal and update suhosin.patch to cleanly apply as a last patch in the series * Replace firebird2.[15]-dev (transitional) dependencies with firebird-dev * More Firebird adjustments, don't build the extension on more ports, where firebird-dev is not available -- Ondřej Surý Fri, 27 Jan 2012 11:02:48 +0100 php5 (5.3.9-2) unstable; urgency=low * Handle sqlite.so removal (remove conffile) (Closes: #656495) * Add Breaks: roundcube-sqlite since we no longer ship sqlite.so -- Ondřej Surý Tue, 24 Jan 2012 09:55:56 +0100 php5 (5.3.9-1) unstable; urgency=low * Remove obsolete sqlite(2) module from php5-sqlite * Use correct signals in php5-fpm init script (Closes: #645934) * Imported Upstream version 5.3.9 * Adapt debian/patches to 5.3.9 release -- Ondřej Surý Wed, 11 Jan 2012 16:33:20 +0100 php5 (5.3.8.0-1ubuntu3) precise; urgency=low * SECURITY UPDATE: Denial of service and possible information disclosure via exif integer overflow - debian/patches/CVE-2011-4566.patch: fix count checks in ext/exif/exif.c. - CVE-2011-4566 -- Marc Deslauriers Mon, 12 Dec 2011 15:14:28 -0500 php5 (5.3.8.0-1ubuntu2) precise; urgency=low * d/control: build-depend on mysql 5.5 instead of 5.1 for running tests. * d/setup-mysql.sh: modify to work with mysql 5.5 differences -- Clint Byrum Thu, 24 Nov 2011 10:28:38 -0800 php5 (5.3.8.0-1ubuntu1) precise; urgency=low * Resynchronise with Debian. Remaining changes: - debian/rules: export DEB_HOST_MULTIARCH properly. - Only build php5-sqlite for sqlite3, dropping the obsolete sqlite2. - Add build-dependency on lemon, which we now need. - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. - Dropped libcurl-dev not in the archive. - debian/control: replace build-depends on mysql-server with mysql-server-core-5.1 and mysql-client-5.1 to avoid upstart and mysql-server-5.1 postinst confusion with starting up multiple mysqlds listening on the same port. - Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions already in universe. - Suggest php5-suhosin rather than recommends. - Dropped libonig-dev and libqgdbm since its in universe. (libonig MIR has been declined due to an inactive upstream. So this is probably a permanent change). - modulelist: Drop imap, interbase, sybase, and mcrypt. - debian/rules: * Dropped building of mcrypt, imap, and interbase. * Install apport hook for php5. * stop mysql instance on clean just in case we failed in tests - debian/control: Recommend php5-dev for php-pear. - debian/rules: --enable-pcntl for cgi as well. * debian/patches/temporary-path-fixes-for-multiarch.patch: Handle multiarch libmysqlclient as well. -- Colin Watson Wed, 23 Nov 2011 12:58:51 +0000 php5 (5.3.8.0-1) unstable; urgency=low * Re-re-imported upstream version 5.3.8, as a new sourceful update, in order to prevent the package from remaining as a native package. -- Sean Finney Thu, 27 Oct 2011 17:17:02 +0200 php5 (5.3.8-2ubuntu2) precise; urgency=low * Rebuild for libicu48. -- Colin Watson Wed, 23 Nov 2011 10:54:32 +0000 php5 (5.3.8-2ubuntu1) precise; urgency=low * Merge with Debian; remaining changes: - debian/rules: export DEB_HOST_MULTIARCH properly. - Only build php5-sqlite for sqlite3, dropping the obsolete sqlite2. - Add build-dependency on lemon, which we now need. - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. - Dropped libcurl-dev not in the archive. - debian/control: replace build-depends on mysql-server with mysql-server-core-5.1 and mysql-client-5.1 to avoid upstart and mysql-server-5.1 postinst confusion with starting up multiple mysqlds listening on the same port. - Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions already in universe. - Suggest php5-suhosin rather than recommends. - Dropped libonig-dev and libqgdbm since its in universe. (libonig MIR has been declined due to an inactive upstream. So this is probably a permanent change). - modulelist: Drop imap, interbase, sybase, and mcrypt. - debian/rules: * Dropped building of mcrypt, imap, and interbase. * Install apport hook for php5. * stop mysql instance on clean just in case we failed in tests - debian/control: Recommend php5-dev for php-pear. - debian/rules: --enable-pcntl for cgi as well. -- Matthias Klose Tue, 18 Oct 2011 15:39:03 +0200 php5 (5.3.8-2) unstable; urgency=low * Fix botched upload when git-buildpackage didn't play well with bz2 upstream archive * Add additional temporary fix for MultiArch OpenSSL -- Ondřej Surý Mon, 12 Sep 2011 09:06:10 +0200 php5 (5.3.8-1) unstable; urgency=low * Imported Upstream version 5.3.8 * Refresh patches to 5.3.8 release * Pull fixes for DateTime tests from upstream SVN * Add additional temporary fix for MultiArch for sybase/mssql -- Ondřej Surý Wed, 24 Aug 2011 13:13:51 +0200 php5 (5.3.7-1) unstable; urgency=low * Imported Upstream version 5.3.7 * Update patches to the new 5.3.7 release and remove those merged upstream * Don't require autoconf 2.59 and lower, we'll deal with consequences * Add MultiArch fix for LDAP libraries * Remove PEAR patching with CVE-2011-1144.patch which was merged upstream -- Ondřej Surý Fri, 19 Aug 2011 14:18:03 +0200 php5 (5.3.6-13ubuntu3) oneiric; urgency=low * debian/rules: export DEB_HOST_MULTIARCH properly, so that I don't spend an hour scratching my head at './debian/rules configure' not working right. * Only build php5-sqlite for sqlite3, dropping the obsolete sqlite2. * Add build-dependency on lemon, which we now need. -- Steve Langasek Wed, 24 Aug 2011 21:40:27 +0000 php5 (5.3.6-13ubuntu2) oneiric; urgency=low * debian/rules: build with --with-openssl instead of --with-openssl=/usr, to autodetect libraries in multiarch directories. * debian/patches/temporary-path-fixes-for-multiarch.patch: add ldap multiarch checks. LP: #826601. -- Steve Langasek Tue, 16 Aug 2011 06:14:55 +0000 php5 (5.3.6-13ubuntu1) oneiric; urgency=low * Merge from debian unstable. Remaining changes: * Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. * Dropped libcurl-dev not in the archive. * debian/control: replace build-depends on mysql-server with mysql-server-core-5.1 and mysql-client-5.1 to avoid upstart and mysql-server-5.1 postinst confusion with starting up multiple mysqlds listening on the same port. * Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions already in universe. * Suggest php5-suhosin rather than recommends. * Dropped libonig-dev and libqgdbm since its in universe. (libonig MIR has been declined due to an inactive upstream. So this is probably a permanent change). * modulelist: Drop imap, interbase, sybase, and mcrypt. * debian/rules: * Dropped building of mcrypt, imap, and interbase. * Install apport hook for php5. * stop mysql instance on clean just in case we failed in tests * debian/control: Recommend php5-dev for php-pear. * debian/rules: --enable-pcntl for cgi as well. * debian/patches/temporary-path-fixes-for-multiarch.patch: as a stopgap for natty, patch the various config.m4 files for modules whose libraries have moved to the multiarch dir; we can't use --with-libdir yet because that requires all the build-deps to have moved. Thanks to Jonathan Marsden for preparing this patch. * debian/patches/fpm-config.patch: Update php-fpm.conf(pool.d/con) to do initial chdir to / as suggest by Olaf van van der Spek to detect early problems if php5-fpm needs a write access to initial chdir. * SECURITY UPDATE: use-after-free vulnerability - debian/patches/php5-CVE-2011-1148.patch: improve reference counting - CVE-2011-1148 * debian/rules: set DEB_HOST_MULTIARCH to enable 'debian/rules' for building. -- Chuck Short Mon, 25 Jul 2011 19:14:12 +0100 php5 (5.3.6-13) unstable; urgency=low * Fix CVE-2011-2483: 8-bit character mishandling allows different password pairs to produce the same hash (Closes: #631347) * Add support for $2x$ identifier as blowfish variant in crypt.c to allow backward compatibility with old invalid hashes * Return fail string (*0) on invalid Blowfish salt rounds * Add NEWS item about incompatible blowfish hashes * Fix CVE-2011-1938: Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c in PHP 5.3.3 through 5.3.6 might allow context-dependent attackers to execute arbitrary code via a long pathname for a UNIX socket. -- Ondřej Surý Mon, 04 Jul 2011 12:41:07 +0200 php5 (5.3.6-12) unstable; urgency=low * Bump standards version to 3.9.2 * Update cron.d code to even safer variant (Courtesy of Bob Proulx) * Small optimization in cron.d script (Courtesy of Marcus Cobden) * Add firebird2.1-dev option to allow backports * Pull (and fix broken patch) multiarch workaround from Ubuntu natty * Add error message when phpize is not found (Closes: #627937) * Enable pcntl extension for CGI builds (Closes: #627941), but disable all pcntl functions by default * File path injection vulnerability in RFC1867 File upload filename [CVE-2011-2202] -- Ondřej Surý Wed, 15 Jun 2011 11:06:40 +0200 php5 (5.3.6-11ubuntu1) oneiric; urgency=low * Merge from debian unstable. Remaining changes: * Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. * Dropped libcurl-dev not in the archive. * debian/control: replace build-depends on mysql-server with mysql-server-core-5.1 and mysql-client-5.1 to avoid upstart and mysql-server-5.1 postinst confusion with starting up multiple mysqlds listening on the same port. * Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions already in universe. * Suggest php5-suhosin rather than recommends. * Dropped libonig-dev and libqgdbm since its in universe. (libonig MIR has been declined due to an inactive upstream. So this is probably a permanent change). * modulelist: Drop imap, interbase, sybase, and mcrypt. * debian/rules: * Dropped building of mcrypt, imap, and interbase. * Install apport hook for php5. * stop mysql instance on clean just in case we failed in tests * debian/control: Recommend php5-dev for php-pear. * debian/rules: --enable-pcntl for cgi as well. * debian/patches/temporary-path-fixes-for-multiarch.patch: as a stopgap for natty, patch the various config.m4 files for modules whose libraries have moved to the multiarch dir; we can't use --with-libdir yet because that requires all the build-deps to have moved. Thanks to Jonathan Marsden for preparing this patch. * debian/patches/fpm-config.patch: Update php-fpm.conf(pool.d/con) to do initial chdir to / as suggest by Olaf van van der Spek to detect early problems if php5-fpm needs a write access to initial chdir. * SECURITY UPDATE: use-after-free vulnerability - debian/patches/php5-CVE-2011-1148.patch: improve reference counting - CVE-2011-1148 * debian/rules: set DEB_HOST_MULTIARCH to enable 'debian/rules' for building. * Dropped Changes: * Dropped libmysqlclient15-dev, build against mysql 5.1. -- Dropped in debian. * Dropped locales-all. -- Now has alternative language-pack-de for use in tests. * debian/php5-fpm.init: backport changes from Debian package to run configuration check. Removes check for /var/www which broke stand- alone installation of php5-fpm. -- superseded upstream * All CVE's not mentioned above (applied upstream or in Debian) * debian/patches/configure-as-needed.patch. Work around suspicious configure macros to fix a build failure with --as-needed * debian/patches/backport-upstream-lp592442.patch: Backport upstream fix for ssl fopen issues. -- applied in Debian * debian/patches/lp564920-fix-big-files.patch: Fix downloading of large files -- applied in Debian -- Clint Byrum Wed, 25 May 2011 10:34:40 -0700 php5 (5.3.6-11) unstable; urgency=low * Use more reasonable default number of processes for PHP5-FPM * Enable firebird support everywhere also in debian/rules * Don't delete still used session files (Closes: #626640) * Enable building of php5-interbase by adding Architecture: any to debian/control * Use dh_prep instead of dh_clean -k -- Ondřej Surý Sat, 14 May 2011 22:15:32 +0200 php5 (5.3.6-10) unstable; urgency=low * Purge .start files in postrm, not in prerm (Closes: #607520) * Register config files to UCF Registry -- Ondřej Surý Sat, 30 Apr 2011 13:16:27 +0200 php5 (5.3.6-9) unstable; urgency=low * Make sure even harded to not left any stale file after purging the package (Closes: #607520) * Move libapache2-mod-php5filter to extra to satisfy policy * Remove oldstable dependcy on firebird2.0-dev * Enable php5-interbase on all platforms and update build dependency on firebird2.5-dev * Import backported upstream fix for fopen fails on some SSL urls * Remove windows devel file from php5-dev * Add more lintian-overrides: + Missing dependency on phpapi for php5-common is not missing + php-pear is keeping it's original directory structure + Double the filenames (./usr vs usr) to fix difference between lintian versions + the embedded file library (libmagic) is unfortunately a custom one and cannot be replaced by system one (it's on the TODO list) -- Ondřej Surý Thu, 28 Apr 2011 13:37:07 +0200 php5 (5.3.6-8) unstable; urgency=low * Provides/Replaces/Conflicts: php5-idn (Closes: #547117) * Build depend on libdb-dev (>= 5.1) (Closes: #621443) -- Ondřej Surý Sun, 10 Apr 2011 23:27:44 +0200 php5 (5.3.6-7) unstable; urgency=low * Disable SSLv2 when disabled in OpenSSL (Closes: #620776) -- Ondřej Surý Mon, 04 Apr 2011 08:40:25 +0200 php5 (5.3.6-6) unstable; urgency=low * Fix order of do_check in php5-fpm.init to check for the right return code -- Ondřej Surý Thu, 31 Mar 2011 11:46:49 +0200 php5 (5.3.6-5) unstable; urgency=low * Don't fail the php5-fpm init.d script if VERBOSE is `no' * Fix some compile errors with --enable-maintainer-zts as reported by Raphaël Gertz * Make php5-fpm init.d script even less verbose on startup -- Ondřej Surý Mon, 28 Mar 2011 17:05:17 +0200 php5 (5.3.6-4) unstable; urgency=low * Merged r308688 fix s/raiseErro/raiseError/ and fixed parenthese in r309043 (Closes: #619307) (Courtesy of upstream and Ernesto Domato) * Make locales-all build dependency useful by fixing language tests to use de_DE.UTF-8 * Debian packaging: + Allow easy porting to Ubuntu by adding alternate dependency for locales-all -> language-pack-de, because only german locale is used in the tests + Fix missing debhelper token in php5-fpm.preinst * Explicitly set pm.start_servers in php5-fpm to make it quiet * Update php5-fpm.init according to latest /etc/init.d/skeleton (Closes: #619383) -- Ondřej Surý Wed, 23 Mar 2011 16:44:28 +0100 php5 (5.3.6-3) unstable; urgency=low * Update php-fpm.conf(pool.d/www.conf) to do initial chdir to / as suggested by Olaf van der Spek to detect early problems if php5-fpm needs a write access to initial chdir. Also fix brown-paper-bug which made the setting new chdir not work because we already modify it elsewhere (Closes: #601243) -- Ondřej Surý Mon, 21 Mar 2011 16:27:01 +0100 php5 (5.3.6-2) unstable; urgency=low * Update default configuration file for php5-fpm (Closes: #619104) * Depend only on libdb4.8-dev | libdb4.6-dev to match apache2 (Closes: #619036) + Will coordinate change to db5.1 with apache2 maintainer -- Ondřej Surý Mon, 21 Mar 2011 11:54:04 +0100 php5 (5.3.6-1) unstable; urgency=low * Imported Upstream version 5.3.6 + PEAR updated to 1.9.2 (CVE-2011-1072) * Cherry-pick CVE-2011-1144 from PEAR 1.9.3 (Closes: #546164) * Debian packaging: + Start using pristine-tar + Remove patches merged upstream or otherwise deprecated + Move php5-fpm.postrm extras to debian/rules * FPM SAPI changes: + Set initial chdir to /tmp in www pool (Closes: #601243) + Rename main configuration file to php-fpm.conf to match upstream + Enable error reporting in init.d file + Patch FPM SAPI to use Debian php-fpm.conf as default * Fix regression with missing CRYPT_SALT_LENGTH (Closes: #603012) * Generate SHA512 salt string when provided salt is null (Closes: #581170) * Fix FTBFS with gold or ld --no-add-needed (Closes: #615770) * Don't mmap large >4GB files * CVE-2011-0441: Be more careful when removing session files (Closes: #618489) -- Ondřej Surý Fri, 18 Mar 2011 15:51:50 +0100 php5 (5.3.5-1ubuntu7.2) natty-security; urgency=low * debian/patches/php5-pear-CVE-2011-1144-regression.patch: fix mkdir parenthesis issue and PEAR::raiseErro typo (LP: #774452) -- Steve Beattie Sat, 30 Apr 2011 16:00:39 -0700 php5 (5.3.5-1ubuntu7.1) natty-security; urgency=low * SECURITY UPDATE: arbitrary files removal via cronjob - debian/php5-common.php5.cron.d: take greater care when removing session files. - http://git.debian.org/?p=pkg-php%2Fphp.git;a=commitdiff_plain;h=d09fd04ed7bfcf7f008360c6a42025108925df09 - CVE-2011-0441 * SECURITY UPDATE: symlink tmp races in pear install - debian/patches/php5-pear-CVE-2011-1072.patch: improved tempfile handling. - debian/rules: apply patch manually after unpacking PEAR phar archive. - CVE-2011-1072 * SECURITY UPDATE: more symlink races in pear install - debian/patches/php5-pear-CVE-2011-1144.patch: add TOCTOU save file handler. - debian/rules: apply patch manually after unpacking PEAR phar archive. - CVE-2011-1144 * SECURITY UPDATE: denial of service through application crash with invalid images - debian/patches/php5-CVE-2010-4698.patch: verify anti-aliasing steps are either 4 or 16. - CVE-2010-4698 * SECURITY UPDATE: denial of service through application crash - debian/patches/php5-CVE-2011-0420.patch: improve grapheme_extract() argument validation. - CVE-2011-0420 * SECURITY UPDATE: denial of service through application crash - debian/patches/php5-CVE-2011-0421.patch: fail operation gracefully when handling zero sized zipfile with the FL_UNCHANGED argument - CVE-2011-0421 * SECURITY UPDATE: denial of service through application crash when handling images with invalid exif tags - debian/patches/php5-CVE-2011-0708.patch: stricter exif checking - CVE-2011-0708 * SECURITY UPDATE: denial of service and possible data disclosure through integer overflow - debian/patches/php5-CVE-2011-1092.patch: better boundary condition checks in shmop_read() - CVE-2011-1092 * SECURITY UPDATE: use-after-free vulnerability - debian/patches/php5-CVE-2011-1148.patch: improve reference counting - CVE-2011-1148 * SECURITY UPDATE: format string vulnerability - debian/patches/php5-CVE-2011-1153.patch: correctly quote format strings - CVE-2011-1153 * SECURITY UPDATE: denial of service through buffer overflow crash (code execution mitigated by compilation with Fortify Source) - debian/patches/php5-CVE-2011-1464.patch: limit amount of precision to ensure fitting within MAX_BUF_SIZE - CVE-2011-1464 * SECURITY UPDATE: denial of service through application crash - debian/patches/php5-CVE-2011-1467.patch: check for invalid attribute symbols in NumberFormatter::setSymbol() - CVE-2011-1467 * SECURITY UPDATE: denial of service through memory leak - debian/patches/php5-CVE-2011-1468.patch: fix memory leak of openssl contexts - CVE-2011-1468 * SECURITY UPDATE: denial of service through application crash when using HTTP proxy with the FTP wrapper - debian/patches/php5-CVE-2011-1469.patch: improve pointer handling - CVE-2011-1469 * SECURITY UPDATE: denial of service through application crash when handling ziparchive streams - debian/patches/php5-CVE-2011-1470.patch: set necessary elements of the meta data structure - CVE-2011-1470 * SECURITY UPDATE: denial of service through application crash when handling malformed zip files - debian/patches/php5-CVE-2011-1471.patch: correct integer signedness error when handling zip_fread() return value. - CVE-2011-1471 * debian/control: replace build-depends on mysql-server with mysql-server-core-5.1 and mysql-client-5.1 to avoid upstart and mysql-server-5.1 postinst confusion with starting up multiple mysqlds listening on the same port. -- Steve Beattie Tue, 26 Apr 2011 08:34:26 -0700 php5 (5.3.5-1ubuntu7) natty; urgency=low * debian/php5-fpm.init: backport changes from Debian package to run configuration check. Removes check for /var/www which broke stand- alone installation of php5-fpm. (LP: #753924) * debian/rules: set DEB_HOST_MULTIARCH to enable 'debian/rules' for building. -- Clint Byrum Tue, 12 Apr 2011 14:21:14 -0700 php5 (5.3.5-1ubuntu6) natty; urgency=low * debian/patches/fpm-config.patch: Update php-fpm.conf(pool.d/con) to do initial chdir to / as suggest by Olaf van van der Spek to detect early problems if php5-fpm needs a write access to initial chdir. * debian/patches/backport-upstream-lp592442.patch: Backport upstream fix for ssl fopen issues. (LP: #592442) -- Chuck Short Fri, 01 Apr 2011 09:29:49 -0400 php5 (5.3.5-1ubuntu5) natty; urgency=low * debian/patches/temporary-path-fixes-for-multiarch.patch: as a stopgap for natty, patch the various config.m4 files for modules whose libraries have moved to the multiarch dir; we can't use --with-libdir yet because that requires all the build-deps to have moved. Thanks to Jonathan Marsden for preparing this patch. LP: #739977. * debian/patches/ubuntu/ubuntu-php-version.patch: drop. This is an autogenerated file. -- Steve Langasek Thu, 24 Mar 2011 22:34:00 +0000 php5 (5.3.5-1ubuntu4) natty; urgency=low * debian/control: Recommend php5-dev for php-pear. (LP: #634359) * debian/rules: --enable-pcntl for cgi as well. (LP: #658346) -- Chuck Short Mon, 14 Mar 2011 10:34:00 -0400 php5 (5.3.5-1ubuntu3) natty; urgency=low * debian/php5-fpm.init: Fix logic from previous commit. -- Chuck Short Mon, 14 Mar 2011 08:18:17 -0400 php5 (5.3.5-1ubuntu2) natty; urgency=low * debian/php5-fpm.init: Dont start fpm if /var/www doesnt exist. (LP: #731572) -- Chuck Short Fri, 11 Mar 2011 16:29:24 -0500 php5 (5.3.5-1ubuntu1) natty; urgency=low * Merge from debian/unstable. Remaining changes: - debian/control: * Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. * Dropped libmysqlclient15-dev, build against mysql 5.1. * Dropped libcurl-dev not in the archive. * Suggest php5-suhosin rather than recommends. * Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions already in universe. * Dropped libonig-dev and libqgdbm since its in universe. (will be re-added in lucid+1) - modulelist: Drop imap, interbase, sybase, and mcrypt. - debian/rules: * Dropped building of mcrypt, imap, and interbase. * Install apport hook for php5. * stop mysql instance on clean just in case we failed in tests -- Chuck Short Tue, 22 Feb 2011 09:46:37 -0500 php5 (5.3.5-1) unstable; urgency=low * Imported Upstream version 5.3.5 * Updated suhosin patch to 0.9.10 * Add Conflict: with php5-idn to php5-intl (Closes: #610935) * Build the FPM SAPI (Closes: #603174) * Adapted (and removed upstream-applied) patches to php 5.3.5 -- Ondřej Surý Wed, 16 Feb 2011 15:17:32 +0100 php5 (5.3.3-7ubuntu1) natty; urgency=low * Merge from debian unstable. Remaining changes: - debian/control: * Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. * Dropped libmysqlclient15-dev, build against mysql 5.1. * Dropped libcurl-dev not in the archive. * Suggest php5-suhosin rather than recommends. * Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions already in universe. * Dropped libonig-dev and libqgdbm since its in universe. (will be re-added in lucid+1) * Dropped locales-all. - modulelist: Drop imap, interbase, sybase, and mcrypt. - debian/rules: * Dropped building of mcrypt, imap, and interbase. * Install apport hook for php5. * stop mysql instance on clean just in case we failed in tests - Dropped debian/patches/fix-upstream-bug53632.patch, used debian's instead. - Dropped debian/patches/mssql-fix-segfault.patch, use debian's instead. - debian/patches/configure-as-needed.patch. Work around suspicious configure macros to fix a build failure with --as-needed - debian/patches/php52389-pgsql-segfault.patch: removing, causes error handling to fail. -- Chuck Short Fri, 07 Jan 2011 22:44:56 +0000 php5 (5.3.3-7) unstable; urgency=low * Cherry pick patches for: + double free vulnerability in the imap_do_open function in the IMAP extension (CVE-2010-4150) + infinite loop with x87 CPU + extract() to not overwrite $GLOBALS and $this when using EXTR_OVERWRITE + crash if aa steps are invalid in GD extension + crash with entitity declaration in simplexml.c + NULL dereference in Zend language scanner + integer overflow in SdnToJulian + memory leaks and possible crash introduced by NULL poisoning patch + leaks and crash when passing the callback as a variable + leak in highlight_string + segmentation fault in pgsql_stmt_execute when postgres is down + segmentation fault when extending SplFixedArray + segmentation fault when node is NULL in simplexml.c + segmentation fault when using several cloned intl objects + segmentation fault when using bad column_number in sqlite3 columnName * Add comment about cherry picked patches (and last revision) from upstream SVN to README.source -- Ondřej Surý Wed, 05 Jan 2011 11:06:20 +0100 php5 (5.3.3-6) unstable; urgency=medium * Cherry-pick fix for crashes on invalid parameters in intl extension. (CVE-2010-4409). * Cherry pick fix for crash in zip extract method (possible CWE-170) * Cherry pick fix for unaligned memory access in ext/hash/hash_tiger.c * Update CVE-2010-3870 to include test case * Cherry pick complete fix to reject filenames with NULL (CVE requested) -- Ondřej Surý Tue, 07 Dec 2010 11:15:58 +0100 php5 (5.3.3-5) unstable; urgency=high * Add firebird support for armhf (Closes: #604526) * More updates to open_basedir (Closes: #605391) -- Ondřej Surý Tue, 30 Nov 2010 12:00:37 +0100 php5 (5.3.3-4) unstable; urgency=low * Cherry pick patches for (Closes: #603751): + NULL pointer dereference in ZipArchive::getArchiveComment (CVE-2010-3709) + utf8_decode xml_utf8_decode vulnerability (CVE-2010-3870) + mb_strcut() returns garbage with the excessive length parameter (CVE-2010-4156) + possible flaw in open_basedir (CVE-2010-3436) + segfault in SplFileObject::fscanf + memory leak in PDO::FETCH_INTO + crash when storing many SPLFixedArray in an array + possible crash in php_mssql_get_column_content_without_type() + cURL leaks handle and causes assertion error (CURLOPT_STDERR) + segfault when optional parameters are not passed in to mssql_connect + segfault when ssl stream option capture_peer_cert_chain used + crash in GC because of incorrect reference counting + crash when calling enchant_broker_get_dict_path before set_path + crash in pdo_firebird getAttribute() -- Ondřej Surý Wed, 17 Nov 2010 10:31:58 +0100 php5 (5.3.3-3) unstable; urgency=high * Fix segfault in filter_var with FILTER_VALIDATE_EMAIL with large amount of data (CVE-2010-3710, Closes: #601619) -- Ondřej Surý Wed, 27 Oct 2010 23:39:37 +0200 php5 (5.3.3-2) unstable; urgency=low * Upload 5.3.3 to unstable + Fixes CVE-2010-2225, CVE-2010-2094, CVE-2010-1917, CVE-2010-1866, CVE-2010-2531, CVE-2010-3065. * Don't build FPM SAPI now * Bump standards version to 3.9.1 * Synchronize system crypt patch * Cherry pick upstream fix for format vulnerability in phar/stream.c + Fixes CVE-2010-2950. * Set explicit error level to hide warnings on systems with modified php.ini (Closes: #590485) * Apply patch to fix loading of extensions without [PHP] section (Closes: #595761) * Set session.gc_probability back to 0 (Closes: #595706) * Update PHP5 description to not include references to C, Java and Perl (Closes: #351032) -- Ondřej Surý Thu, 21 Oct 2010 16:57:53 +0200 php5 (5.3.3-1ubuntu12) natty; urgency=low * debian/patches/fix-upstream-bug53632.patch: Fix infinite loop bug (php bug #53632) (LP: #697181) -- Chuck Short Fri, 07 Jan 2011 12:57:59 -0500 php5 (5.3.3-1ubuntu11) natty; urgency=low * Add debian/patches/mssql-fix-segfault.patch: Fixes segfault on missing parameters for mssql. Upstream php bug #52843 and LP: #611316. -- Clint Byrum Fri, 03 Dec 2010 23:45:19 -0800 php5 (5.3.3-1ubuntu10) natty; urgency=low * debian/patches/configure-as-needed.patch. Work around suspicious configure macros to fix a build failure with --as-needed (Clint Byrum). Addresses #676672. -- Matthias Klose Wed, 24 Nov 2010 10:44:36 +0100 php5 (5.3.3-1ubuntu9.1) maverick-proposed; urgency=low * debian/patches/php52389-pgsql-segfault.patch: removing, causes error handling to fail (LP: #660227) -- Clint Byrum Thu, 14 Oct 2010 06:46:02 -0700 php5 (5.3.3-1ubuntu9) maverick; urgency=low * SECURITY UPDATE: arbitrary memory disclosure and possible code execution via phar extension - debian/patches/CVE-2010-2950.patch: use correct format string in ext/phar/stream.c. - CVE-2010-2094 - CVE-2010-2950 -- Marc Deslauriers Mon, 20 Sep 2010 14:56:33 -0400 php5 (5.3.3-1ubuntu8) maverick; urgency=low * Build-depend on netcat-openbsd | netcat, instead of just netcat (only in universe). -- Matthias Klose Fri, 17 Sep 2010 14:33:13 +0200 php5 (5.3.3-1ubuntu7) maverick; urgency=low * debian/setup-mysql.sh: Copy mysqld to local dir during build to avoid apparmor restrictions (LP: #638401) * debian/rules: stop mysql instance on clean just in case we failed in tests -- Clint Byrum Wed, 15 Sep 2010 10:48:32 -0700 php5 (5.3.3-1ubuntu6) maverick; urgency=low * Undo sybase debugging libraries split: keeping a smaller delta with Debian is more important than demoting sybase to universe. -- Mathias Gug Wed, 25 Aug 2010 14:04:57 -0400 php5 (5.3.3-1ubuntu5) maverick; urgency=low * Drop sybase libraries to universe: Move debugging libraries to php5-sybase-dbg: - debian/control: + create php5-sybase-dbg package. + drop php5-sybase as php5-dbg dependency. - debian/rules: move sybase debugging libraries to php5-sybase-dbg. -- Mathias Gug Fri, 20 Aug 2010 19:13:55 -0400 php5 (5.3.3-1ubuntu4) maverick; urgency=low * debian/php5-module.ini: # replaced with ; (LP: #591286) * debian/patches/php52389-pgsql-segfault.patch (LP: #607646) - Applying patch for upstream bug that causes segfaults in pgsql -- Clint Byrum Fri, 13 Aug 2010 00:07:15 -0700 php5 (5.3.3-1ubuntu3) maverick; urgency=low * debian/patches/lp564920-fix-big-files.patch: Fix downloading of large files (LP: #564920) -- Clint Byrum Fri, 06 Aug 2010 13:10:17 -0700 php5 (5.3.3-1ubuntu2) maverick; urgency=low * debian/control: Use netcat rather than netcat-traditional. -- Chuck Short Thu, 05 Aug 2010 20:00:34 -0500 php5 (5.3.3-1ubuntu1) maverick; urgency=low * Merge from debian experimental: - debian/control: * Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. * Dropped libmysqlclient15-dev, build against mysql 5.1. * Dropped libcurl-dev not in the archive. * Suggest php5-suhosin rather than recommends. * Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions already in universe. * Dropped libonig-dev and libqgdbm since its in universe. (will be re-added in lucid+1) * Dropped locales-all. - modulelist: Drop imap, interbase, and mcrypt. - debian/rules: * Dropped building of mcrypt, imap, and interbase. * Install apport hook for php5. -- Chuck Short Sun, 01 Aug 2010 14:28:03 -0500 php5 (5.3.3-1) experimental; urgency=low * Upload PHP 5.3.3 to experimental for further testing + Fixes odbc_autocommit (Closes: #586570) + Adds support for sqlite3_busy_timout (Closes: #589473) + Fixes CVE-2010-2225, CVE-2010-2094, CVE-2010-1917, CVE-2010-1866 and other CVEs that do not apply to the Debian packages or are irrelevant as per the pre-5.3.2-2 security policy. * Changes pending update from unstable: + Use system crypt * Build the FPM SAPI. -- Raphael Geissert Sat, 31 Jul 2010 15:53:12 -0400 php5 (5.3.2-2) unstable; urgency=low [ Ondřej Surý ] * Fix unittest about failing crypt() calls with invalid salt [ Raphael Geissert ] * Cherry pick upstream fix for mysqli_ssl_set (Closes: #572122) * Cherry pick patch to reset error status on beginTransaction() * Cherry pick patch to add missing definition of JSON_ERROR_UTF8 * Cherry pick patch to fix SplFileInfo::getPathName() * Cherry pick patch to fix a memory leak in the cyclical gc * Cherry pick fix for memory leak in date when gc is enabled * Cherry pick patch to fix an unaligned mem access in the dba ext * Cherry pick fix for memory issues in mysqli_options (Closes: #577784) * Set default session.save_path to /var/lib/php5 (Closes: #576593) * Don't install an extra copy of php.ini-production * Remove obsolete TODO list * Add debian/source/format and set it to 1.0 * Add doc-base registration for Structuctures_Graph documentation * Cherry pick patch to fix multiple typos * Synchronize enchant patch with changes committed upstream * Cherry pick patch to workaround BDB 4.8 bc changes (Closes: #570149) * Cherry pick patch to allow the timeout on mssql to be effective p/query * Cherry pick patch to correctly determine length of doc_root * Cherry pick patch to fix a memory leak in SoapServer::handle * Cherry pick patch to fix SplFileInf::fscanf()'s prototype * Test the mysql extensions too * Update the security policy for Squeeze and greater * Include ext_skel script (Closes: #530757) [ Sean Finney ] * Fix for parallel FTBFS in (Closes: #584348) * Import upstream fix for pdo_mysql segfaults (Closes: #581911) - thanks to Richard van den Berg * Dynamically determine maxlifetime if possible. (Closes: #504053) - thanks to Chris Butler -- Raphael Geissert Sun, 18 Jul 2010 15:35:06 -0500 php5 (5.3.2-1ubuntu5) maverick; urgency=low * debian/php5-module.ini: Comment should be "#" not ";". (LP: #573436) * debian/patches/cherrypick-upstream-51740.diff: Fix acinclude.ac macro check. (LP: #576910) * debian/patches/cherrypick-upstream-48361.diff: Fix regression with getPathInfo() doesn't return parent info (LP: #576910) * debian/patches/session_save_path.patch: ave PHP sessions to /var/lib/php rather than /tmp. (LP: #573222) -- Chuck Short Tue, 25 May 2010 10:17:00 -0400 php5 (5.3.2-1ubuntu4.1) lucid-proposed; urgency=low * debian/patches/fix-mysql-badmem.patch: Fix mysql crash when using php5-cgi. (LP: #567043) -- Chuck Short Mon, 03 May 2010 11:23:43 -0400 php5 (5.3.2-1ubuntu4) lucid; urgency=low * debian/control, debian/rules: Re-enable libedit-dev. (LP: #548823) -- Chuck Short Mon, 05 Apr 2010 15:33:21 -0400 php5 (5.3.2-1ubuntu3) lucid; urgency=low * debian/control: Fix upgrade of php5-ldap from 5.3.1. (LP: #) -- Chuck Short Sun, 28 Mar 2010 15:41:34 -0400 php5 (5.3.2-1ubuntu2) lucid; urgency=low * debian/control: Dont build with libmcrypt-dev. -- Chuck Short Fri, 26 Mar 2010 14:39:36 -0400 php5 (5.3.2-1ubuntu1) lucid; urgency=low * Merge from debian unstable: - debian/control: * Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe. * Dropped libmysqlclient15-dev, build against mysql 5.1. * Dropped libcurl-dev not in the archive. * Suggest php5-suhosin rather than recommends. * Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions already in universe. * Dropped libonig-dev and libqgdbm since its in universe. (will be re-added in lucid+1) * Dropped locales-all. - modulelist: Drop imap, interbase, and mcrypt. - debian/rules: * Dropped building of mcrypt, imap, and interbase. * Install apport hook for php5. - Dropped debian/patches/libedit_is_editline.patch. -- Chuck Short Tue, 16 Mar 2010 09:09:50 -0400 php5 (5.3.2-1) unstable; urgency=high [ Sean Finney ] * Fix improper signed overflow detection in filter extension (Closes: #570287) * Another integer overflow/underflow logic fix. (Closes: #570144) * new debian patch fix_filter_var_email_test.patch (Closes: #571764) * New debian patch fix_var_dump_64bit.phpt.patch (Closes: #571772) * New debian patch use_embedded_timezonedb_fixes.patch (Closes: #571762) [ Raphael Geissert ] * Build with qdbm support * Really run extensions' tests * Add a note about user_dirs in apache conf file (Closes: #571714) * Fix typo in debian/NEWS * Don't install a(nother) useless Structures_Graph sh script * Re-enable short_open_tag for CLI too (Closes: #573367) * Disable memory limit in CLI, letting ulimit do its job (Closes: #407425) * Fix the locale name in some tests (Closes: #573511) * Fix some gd tests that need the bundled library * Fix a null pointer dereference when processing invalid XML-RPC requests (CVE-2010-0397, Closes: #573573) * Fix an unaligned memory access in enchant_dict_suggest() * Fix another unaligned memory access in enchant * Test that the list of extensions to test is never empty * Update the list of alternative dependencies of php5-dbg * debian/rules cleanup * debian/control cleanup * Build against the system oniguruma library * Add libjpeg-dev as an alternative to libjpeg62-dev for future transitions [ Ondřej Surý ] * Imported Upstream version 5.3.2 * Updated suhosin patch to 0.9.9.1 version. * Removed debian/patches/suhosin_page_size_fixes.patch. (Closes: #571974) * Refreshed debian/patches/001-libtool_fixes.patch * Refreshed debian/patches/006-debian_quirks.patch * Adapt debian patches to 5.3.2. * Remove "binary" contents from debian/patches/fix_var_dump_64bit.phpt.patch * New debian patch fix_broken_sha2_test.patch * New debian patch always_use_system_crypt.patch (Closes: #572601) * New debian patch php_crypt_revamped.patch (Closes: #572601) -- Raphael Geissert Sat, 13 Mar 2010 15:11:48 -0600 php5 (5.3.1-5) unstable; urgency=low [ Sean Finney ] * Pass full path to php cli executable for unit tests * dont-gitclean-in-build.patch: Don't run git-clean via buildconf * update debian patch page_size_fixes.patch with upstream bug ref * new debian patch broken_5.3_test-posix_uname.patch (Closes: #570286) [ Raphael Geissert ] * Add build-dependency on netbase to fix a test (Closes: #570291) * Suhosin PAGE_SIZE fixes have been already forwarded * Fix a race condition on shtool's mkdir -p (Closes: #570111) * Actually test the binary that is to be shipped in the -cli package * Add some more documentation about the build system * Documentation updates * Update the suhosin patch version information * Build-dep on locales-all to enable multiple tests * Don't ship empty maintainer scripts * Add patch to allow building with qdbm * Test the extensions that don't require a special setup * Get the correct list of built-in extensions of apache2filter -- Raphael Geissert Mon, 22 Feb 2010 10:41:51 -0600 php5 (5.3.1-4) unstable; urgency=low [ Raphael Geissert ] * Pass -O0 when using 'noopt' to actually disable any optimization * Add patch to use sysconf() to determine the page size * Add patch to remove PAGE_SIZE assumptions in suhosin code * Fix an unaligned memory access in the phar extension * Fix another unaligned memory access * Print the expected/actual output of failed test * Add missing PEAR directory (Closes: #542483) * Build sqlite3 as shared (Closes: #568956) * Add some more documentation about the source package [ Sean Finney ] * New debian patch fix_broken_5.3_tests.patch -- Raphael Geissert Thu, 11 Feb 2010 02:22:47 -0600 php5 (5.3.1-3) unstable; urgency=low [ Ondřej Surý ] * get rid of php4 dependencies * Enable short_open_tag again (Closes: #537099) * fix dependency on automake1.4 in php5-dev package * fix typo s/firefox/firebird/ in changelog * Removed long inactive Adam Conrad and Jeroen van Wolffelaar from uploaders [ Raphael Geissert ] * Fix maintainer scripts to use php.ini-production (Closes: #565130) * Revert b22a350: Turn the phpapi dependencies into php5 | phpapi * Allow parallel building via parallel=n * Build with the hardening wrapper * Remove no-longer-needed dfsg-repack script * Add DEP-3-format metadata to some of the patches * Build the intl extension * Drop exif_read_data-segfault patch, merged upstream * Build the enchant extension * Add ${misc:Depends} where missing * Disable mod_php in user directories (Closes: #555606) * Add missing comment character to php.ini-paranoid (Closes: #564622) * Build the interbase extension on all the supported architectures [ Sean Finney ] * 5.3 upload for unstable. - Includes backported fix for "ref converted to value" (Closes: #556237). -- Raphael Geissert Sun, 07 Feb 2010 23:31:51 -0600 php5 (5.3.1-2) experimental; urgency=low * Merged changes from 5.2.x sid branch. * Adapt mssql-null-exception.patch and sybase-alias.patch to 5.3.1 * Update strcmp_null-OnUpdateErrorLog.patch; merged upstream, leave a patch with a test case * Removed check_ini_on_modify_status.patch and gentoo/117- 4_digit_year_big_endian.patch; merged upstream * Removed max_file_uploads.patch; no need for backwards compatibility between major releases * Refreshed 112-proc_open.patch,exif_read_data-segfault.patch * Fix duplicate Provides: in debian/control introduced by cherry- picking 94f0ec3 * Update sybase aliases to include correct arguments, needed for 5.3.x * Update Build-Depends: to include firebird2.1-dev as preferred alternative (Closes: #564691) * Reformat Build-Depends: to one-dependency-per-line * Reduce number of libdb*-dev to include only version in stable/testing/unstable * Switch to automake (>= 1.11) | automake1.11, depend on autoconf >= 2.63 (Closes: #549148) -- Ondřej Surý Mon, 11 Jan 2010 16:56:01 +0100 php5 (5.3.1-1) experimental; urgency=low * Imported Upstream version 5.3.1 * Change dependcy to libdb-dev instead on arbitrary version of libdb4.x-dev * Refreshed 006-debian_quirks patch to apply cleanly. * Removed 114-php_gd_segfault.patch, merged upstream. * Refreshed 115-autoconf_ftbfs.patch to apply cleanly * Updated suhosin.patch to 0.9.8 version for php-5.3.1 * Refreshed 001-libtool_fixes.patch * Refreshed 004-ldap_fix.patch * Refreshed 013-force_getaddrinfo.patch * Refreshed 036-fd_setsize_fix.patch * Refreshed 052-phpinfo_no_configure.patch * Refreshed 053-extension_api.patch * Refreshed 108-64_bit_datetime.patch * Refreshed 113-php.ini_securitynotes.patch * Refreshed 116-posixness_fix.patch * Refreshed gentoo/006_ext-curl-set_opt-crash.patch * Refreshed gentoo/009_ob-memory-leaks.patch * Refreshed libedit_is_editline.patch * Refreshed suhosin.patch * Add .gitignore file to ignore .pc/ directory * Removed README.CVS-RULES from debian/php5-common.docs, file is no longer shipped by upstream. -- Ondřej Surý Thu, 07 Jan 2010 17:21:47 +0100 php5 (5.3.0-3) experimental; urgency=low * Fix segmentation fault in php-gd (Closes: #543496) * Update suhosin patch to 0.9.8 *BETA* and enable it again * Fix FTBFS with current autoconf/automake (Closes: #542906, #542088) * Add avr32-linux-gnu to no -gstabs toolchains (Closes: #543278) * Fix FTBFS on Debian Hurd (Closes: #530281) * Use updated (v7) version of use_embedded_timezonedb.patch (Closes: #535770) -- Ondřej Surý Tue, 25 Aug 2009 16:12:13 +0200 php5 (5.2.12.dfsg.1-2) unstable; urgency=low * Update Build-Depends: to include firebird2.1-dev as preferred alternative (Closes: #564691) * Reformat Build-Depends: to one-dependency-per-line * Reduce number of firebird*-dev to include only version in stable/testing/unstable * Reduce number of libdb*-dev to include only version in stable/testing/unstable * Switch to automake (>= 1.11) | automake1.11, depend on autoconf (>= 2.63) (Closes: #549148) -- Ondřej Surý Mon, 11 Jan 2010 17:31:33 +0100 php5 (5.2.12.dfsg.1-1) unstable; urgency=low [ Thijs Kinkhorst ] * Change comment in module .ini snippets from # to ; to avoid deprecation warnings with PHP 5.3.0. [ Ondřej Surý ] * Imported Upstream version 5.2.12.dfsg.1 * Removed manpage_spelling.patch, merged upstream. * Removed libedit_is_editline.patch, merged upstream. * Refreshed max_file_uploads.patch, patch can be removed, it's kept to raise max_file_uploads to 50. * Refreshed and updated suhosin.patch * Refreshed 001-libtool_fixes.patch, 004-ldap_fix.patch, 006-debian_quirks.patch, 013-force_getaddrinfo.patch, 034-apache2_umask_fix.patch, 053-extension_api.patch, 056-mime_magic_liberal.patch, 115-autoconf_ftbfs.patch, gentoo/009_ob-memory-leaks.patch, mssql-null-exception.patch, use_embedded_timezonedb.patch * Removed autogenerated main/php_config.h.in from suhosin.patch (Ubuntu: #493761) * Short open tags are On again in php.ini-dist (Closes: #537099) * Don't leave .start if we are purging (Closes: #561739) * Add README.Debian file to /usr/share/doc/php-pear/PEAR, so the directory is not deleted (Closes: #563437, #542483) [ Upstream ] * Fix default pear.php.net channel definitions (Closes: #559029) -- Ondřej Surý Fri, 08 Jan 2010 18:18:43 +0100 php5 (5.2.11.dfsg.1-2) unstable; urgency=high * max_file_uploads: limit the maximum number of file uploads to 50 + Reduces the chances of a temporary file exhaustion DoS * Add libdb4.8-dev as an alternative dependency (Closes: #555945) * Add libdb-dev as another alternative, hopefully the last one (Closes: #548486) * Add a versioned dependency on libtool 2.2 (Closes: #548015) * Use FilesMatch and SetHandler on apache setups (Closes: #491928) * Gentoo patch ext-curl-set_opt-crash has already been merged upstream * Drop unused lintian override -- Raphael Geissert Sat, 21 Nov 2009 13:37:51 -0600 php5 (5.2.11.dfsg.1-1) unstable; urgency=low * New upstream release [ Fixes incorporated upstream ] * Fix 4-year digit year on big-endian platforms (Closes: #542301) * patch curl_streams_sleep.patch * patch strcmp_null-OnUpdateErrorLog.patch (partially addresses #540605) * patch check_ini_on_modify_status.patch [ Raphael Geissert ] * Add aliases to the mssql functions on the sybase extension (Closes: #523073) * Fix the rows_affected alias, it should be affected_rows * Avoid possible memory dumps via PG on restored ini values (Closes: #540605) [ Ondrej Sury ] * Fix FTBFS with current autoconf/automake (Closes: #542906, #542088) * Add avr32-linux-gnu to no -gstabs toolchains (Closes: #543278) * Fix FTBFS on Debian Hurd (Closes: #530281) * fix whitespace in libapache2-mod-php5.postinst [ Sean Finney ] * incorporate/ack previous NMU's, thanks Andreas. * update debian patch 115-autoconf_ftbfs.patch for new upstream version * update debian patch fix_broken_upstream_tests.patch * update debian patch mssql-null-exception.patch * refresh various quilt patches against new upstream version * remove no longer needed "legacy" support for conffile migration * add dpkg trigger in the apache2 and apache2filter sapis for reloading apache2 on extension updates (Closes: #490023, #524206) * let libmysqlclient15-dev be a fallback alternative for libmysqlclient-dev in case someone wants to backport the package. * update list of installed documentation -- Sean Finney Sun, 20 Sep 2009 11:05:35 +0200 php5 (5.2.10.dfsg.1-2.2) unstable; urgency=medium * Non-maintainer upload. * Drop hand-crafted dependency on libmysqlclient15. -- Andreas Barth Mon, 31 Aug 2009 09:22:16 +0200 php5 (5.2.10.dfsg.1-2.1) unstable; urgency=medium * Non-maintainer upload. * Fix FTBFS with new autoconf. Thanks to Russ Allbery for the patch. Closes: #542906 -- Andreas Barth Sun, 30 Aug 2009 13:49:40 +0200 php5 (5.2.10.dfsg.1-2) unstable; urgency=low * Declare that PEAR replaces XML_UTIL (Closes: #534621) * Bump standards-version, no change needed * Fix an unconditional limit on dblib_driver.c (Closes: #534881) * Fix a segfault on exif_data_read with corrupted jpg files (Closes: #535888) * Recommend php5-suhosin, as suggested by Thijs (Closes: #529760) * Set sysconfig to /etc, to avoid getting /usr/etc in PHP_SYSCONFDIR * Add myself to uploaders * Fix the path to PEAR's config, directly in rules (Closes: #507762) -- Raphael Geissert Thu, 09 Jul 2009 18:25:48 -0500 php5 (5.3.0-2) experimental; urgency=low * update configuration file names to new upstream naming convention -- Sean Finney Wed, 01 Jul 2009 09:12:10 +0200 php5 (5.3.0-1) experimental; urgency=low * New Upstream Version [ Sean Finney ] * use ';' instead of '#' as comments in module ini files * remove binary package for php5-mhash which is now built-in * update removed windows modules in 006-debian_quirks.patch * quilt refresh for new upstream release -- Sean Finney Tue, 30 Jun 2009 20:09:07 +0200 php5 (5.3.0~RC4-1) UNRELEASED; urgency=low * New Upstream Version [ Sean Finney ] * (temporarily) disable suhosin patch while it does not apply to 5.3 * refresh various debian patches, fixing whitespace and offsets * copy the gbp.conf from debian-sid and adapt it for experimental * cherry-pick relevant gentoo patches from unstable * cherry-pick debian fixes in libtool2.2.patch from unstable * Update package sections to match override. [ Raphael Geissert ] * Detect the path to ltmain.sh at build time and set conflicts appropriately * Add libdb4.7-dev as an ORed build dependency to fix FTBFS * Update the Vcs-* fields to reflect the move from svn to git * Turn the phpapi dependencies into php5 | phpapi to fix installability issues * Bump Standards-Version to 3.8.1, no change needed * Add a set of lintian overrides for some FP spelling-error-in-binary [ Thijs Kinkhorst ] * Update php5-cli package description to make it more neutral -- Sean Finney Mon, 29 Jun 2009 07:54:51 +0200 php5 (5.3.0~RC1-1) unstable; urgency=low * New Upstream Version -- Mark A. Hershberger Wed, 25 Mar 2009 19:39:48 -0400 php5 (5.2.9.dfsg.1-1) unstable; urgency=low * New upstream release (closes: #520538). - fixes regressions with parsing via libxml2 (closes: #520246, #520423). [ Sean Finney ] * Refresh all patches. * Update suhosin patch to 5.2.9, remove autotools-generated files (configure, php_config.h.in) and .dsp files from patch. * remove obsolete configure options from ./configure: --enable-memory-limit, --enable-track-vars, --enable-trans-sid, --enable-filepro and --enable-dbx. * Remove obsoleted patches which have been incorporated upstream: - snmp_leaks.patch - BG-initializing-fix.patch - CVE-2008-2829.patch - CVE-2008-3658.patch - CVE-2008-3659.patch - CVE-2008-3660.patch - CVE-2008-5557.patch - CVE-2008-5658.patch - pdo-fetchobject-prototype-error.patch - zend_object_handlers-invalid-write.patch - dba-inifile-truncation.patch - gentoo/freetds-compat.patch - gentoo/010_ticks-zts-crashes.patch - gentoo/019_new-memory-corruption.patch - gentoo/009_array-function-crashes.patch - gentoo/015_CVE-2008-2665-wrapper-safemode-bypass.patch - gentoo/017_xmlrpc-invalid-callback-crash.patch - gentoo/007_dom-setAttributeNode-crash.patch - gentoo/006_PDORow-crash.patch - gentoo/005_stream_context_set_params-crash.patch * Update fix_broken_upstream_tests.patch, one of the tests is fixed. -- Sean Finney Tue, 24 Mar 2009 19:05:09 +0100 php5 (5.2.6.dfsg.1-3) unstable; urgency=low [ Sean Finney ] * Do not add -O2 to CFLAGS if DEB_BUILD_OPTIONS contains noopt. * Security related fixes: - php: inifile handler for the dba functions can be used to truncate a file Patch: dba-inifile-truncation.patch (closes: #507101). - CVE-2008-5658.patch: ZipArchive::extractTo directory traversal Patch: CVE-2008-5658.patch (closes: #507857). Thanks to Pierre Joye for help with the patch. [ Raphael Geissert ] * Picked up some patches from Gentoo (most included in PHP 5.2.7 and later): + patches/gentoo/005_stream_context_set_params-crash.patch + patches/gentoo/006_PDORow-crash.patch + patches/gentoo/007_dom-setAttributeNode-crash.patch + patches/gentoo/009_array-function-crashes.patch + patches/gentoo/010_ticks-zts-crashes.patch + patches/gentoo/015_CVE-2008-2665-wrapper-safemode-bypass.patch + patches/gentoo/017_xmlrpc-invalid-callback-crash.patch + patches/gentoo/019_new-memory-corruption.patch + patches/gentoo/freetds-compat.patch - was deprecated_freetds_check.patch -- Sean Finney Sat, 24 Jan 2009 21:17:13 +0100 php5 (5.2.6.dfsg.1-2) unstable; urgency=low [ Sean Finney ] * Make sure a file used to track state is properly removed in the postinst, thanks Raphael (closes: #511049). [ Thijs Kinkhorst ] * Fix watch file to mangle version. [ Raphael Geissert ] * Ship script used to take an upstream tarball and remove the non DFSG-free stuff, update watch file accordingly. -- Sean Finney Tue, 13 Jan 2009 08:24:36 +0100 php5 (5.2.6.dfsg.1-1) unstable; urgency=high [ Sean Finney ] * Incorporate previous NMU. * Updated system tzdata patch from Joe Orton. * Removed tzdb-nofree_ents_ifnotzdata.patch, which is now incorporated into Joe's patch. * Two backported fixes from 5.2.8, thanks to Olivier Bonvalet for looking them up. - Upstream bug #46157 (PDOStatement::fetchObject prototype error) Patch: pdo-fetchobject-prototype-error.patch - Upstream bug #46308 (Invalid write in zend object handler / getter) Patch: zend_object_handlers-invalid-write.patch * Security related fixes: - CVE-2008-5624: Incorporate fix from 5.3 for proper initialization of uid/gid for apache2 sapi. Patch: BG-initializing-fix.patch - CVE-2008-5557: heap overflows in the mbstring extension. Patch: CVE-2008-5557.patch (closes: #511493). [ Thijs Kinkhorst ] * Correct description typo, thanks Mathias Brodala (Closes: #508989). -- Sean Finney Mon, 12 Jan 2009 12:12:36 +0100 php5 (5.2.6.dfsg.1-0.1) unstable; urgency=low * Non-maintainer upload. * Remove exts/dbase from orig tarball (Closes: #341420) -- Ben Hutchings Sat, 29 Nov 2008 19:19:28 +0000 php5 (5.2.6-5) unstable; urgency=high * Update debian/copyright to document that the DFSG-unfree email requirement in ext/standard/rand.c has been rescinded by the copyrightholder (Closes: #498621). -- Thijs Kinkhorst Sun, 05 Oct 2008 11:32:35 +0200 php5 (5.2.6-4) unstable; urgency=high [ Sean Finney ] * Take three unreleased fixes from upstream CVS: - CVE-2008-3658: Buffer overflow in the imageloadfont function. Patch: CVE-2008-3658.patch (closes: #499989) - CVE-2008-3659: Buffer overflow in the memnstr function. Patch: CVE-2008-3659.patch (closes: #499988) - CVE-2008-3660: Remote DoS in fastcgi module Patch: CVE-2008-3660.patch (closes: #499987) [ Raphael Geissert ] * snmp_leaks.patch: fixes memory leaks in the snmp extension (Closes: #423296) - Thanks to Rodrigo Campos for the follow up - Thanks to Federico Cuello for the original patch * php5-dev.lintian-override: fix it so it actually works -- Sean Finney Sun, 14 Sep 2008 14:25:11 +0200 php5 (5.2.6-3) unstable; urgency=high [ Thijs Kinkhorst ] * Drop unneeded php5-timezonedb Suggests and obsolete php3 Conflicts. * Add documentation about the timezonedb change (Closes: #492025). [ Adam Conrad ] * Modify 033-we_WANT_libtool.patch to cope with newer versions of libtool that only copy auxilliary files when --install is used, while still working with older versions that DTRT without. [ Raphael Geissert ] * debian/rules: + Avoid installing useless test suites in php-pear (Closes: #478995) + Remove any empty directory in php-pear + Also get rid of usr/share/php/data/Structures_Graph/* - Those were meant to be used by upstream maintainer * debian/php5-dev.lintian-overrides: - usr/lib/php5/build/run-tests.php is not meant to be used directly * debian/control: bumped Standards Version to 3.8.0, no changes needed * bad_whatis_entries.patch: fixes the whatis entries of all the manpages * deprecated_freetds_check.patch: fixes the freetds detection routine + Closes: #494230 - Thanks to jklowden@freetds.org and the Gentoo folks for the patch (RC bugfix, upload urgency bumped) * debian/libapache2-mod-php5*-{prerm,postinst}: - Create a status file when removing the package (but not purging) while having the mod enabled so reinstallation of the package does not end up disabling the module (Closes: #471548) [ Sean Finney ] * Bump dependency on libmysqlclient15off to require the version from lenny or later, in order to avoid subtle problems not previously detected with libmysqlclient_r on mixed etch/lenny/sid systems (closes: #495575). -- Sean Finney Wed, 20 Aug 2008 19:32:02 +0200 php5 (5.2.6-2) unstable; urgency=high [ Raphael Geissert ] * Lintian-based changes: - also install a lintian override for libapache2-mod-php5filter - fixed the generic lintian overrides so they are meaningful - dropping linda overrides, linda is gone now - s/meta-package/metapackage * debian/control: - Updated php5's description so it mentions three instead of only two server-side SAPIs - Depend on php5-cli in php-pear (Closes: #482517) + Previous change reverted because of PEAR packages FTBFS - {B-,}Depend on tzdata to avoid crashes caused by the tz ext patch - Dropped some versioned {b-,}dependencies that are satisified even on sarge * php.ini-*: state that when using a custom save_path, gc_probability should also be set (Closes: #388808, #321460) * tzdb-nofree_ents_ifnotzdata.patch: avoid free'ing ents when the tz dir does not exist (Closes: #483461) [ Sean Finney ] * Fix for CVE-2008-2829: unsafe usage of deprecated imap functions Patch: CVE-2008-2829.patch * Modifications to suhosin.patch due to alignment problems on some architectures. Thanks to Stefan Esser for the initial suggestion. (Closes: #481737). * Rename the apache2 filter module to libphp5filter.so, to prevent conflicting filenames for symbols in the debug package. -- Sean Finney Thu, 03 Jul 2008 08:14:45 +0200 php5 (5.2.6-1) unstable; urgency=medium * New upstream release. Fixes several security issues of unknown impact: + possible stack buffer overflow in the FastCGI SAPI + integer overflow in printf() + unknown issue CVE-2008-0599 + a safe_mode bypass in cURL + incomplete multibyte chars inside escapeshellcmd() [ Sean Finney ] * New patch (use_embedded_timezonedb.patch) allows us to default to using the system provided timezone database instead of the one bundled with PHP. Many thanks to Joe Orten from Red Hat for the patch! (closes: #447174, #471104). * Updated the Suhosin patch to v0.9.6 (5.2.6). * New patch: force_libmysqlclient_r.patch, forcing the build system to link against the threadsafe libmysqlclient without having to enable the other zts features in php. This is required since the apr libraries are now linking against this as well and mysql exports the same symbols from both libraries. Thanks to Stefan Fritsch (closes: #469081). * Massaged/updated various other patches in debian/patches * Update copyright information to have information about non-trivial patches worthy of copyright attributions, and update information about current debian maintainers. * Add some useful quilt settings in debian/rules to lower the amount of noise in future quilt updates. * Now building a php5 apache2 module with filter-module support in a new libapache2-mod-php5filter package (closes: #438120). [ Thijs Kinkhorst ] * Checked for policy 3.7.3, no changes. [ Raphael Geissert ] * Build a php5-dbg package with the debug symbols of the SAPIs & extensions + Bump debhelper dependency to >= 5 as dh_strip behaves differently. * debian/watch: refactored so it can actually be used to download the tarball * debian/rules: removed bashisms (Closes: #478613) * debian/control: add a notice about Suhosin being applied (Closes: #471324) + Additionally make sure the PHP boilerplate is the same for each package * debian/patches/manpage_spelling.patch: - fix spelling mistakes in man page (Closes: #413712) * debian/NEWS: s/suhosin/Suhosin (Closes: #434351) * debian/control: removed ORed postgresql-dev build-dep (Closes: #429981) + postgresql-dev is a transitional package since etch * Override the following lintian messages: + SAPI packages package-contains-empty-directory usr/lib/php5/20060613+lfs/ + php5-common package-contains-empty-directory usr/lib/php5/libexec/ * Set our custom PHP_PEAR_DOWNLOAD_DIR when building the pear stuff + Avoids the creation of /tmp/pear (Closes: #463979) * Replaced all 'make' with '$(MAKE)' so any extra flag is preserved * debian/rules: s/DEB_BUILD_ARCH/DEB_HOST_ARCH + HOST is the machine the package is built for. * Recommend php5-cli instead of depending on it in php-pear (Closes: #243214) + php5-cli is only needed by the, rearely used, pear installer * debian/README.source: inform how to generate php5-dbg's Depends * debian/patches/029-php.ini_paranoid.patch: updated (Closes: #459814) + Thanks to Javier Fernández-Sanguino Peña Changes: - includes some variables which were no present in the first version and removes modules not available in PHP5. Also fixes typos in comments which have since been fixed in php.ini-dist - adds notes (Debian-specific) of which security features applications should not rely on - add more information of why some variables were enabled - reorder the description of changes to suit the location in the config file - add notes of deprecated features in PHP6 - add more (suggested) changes to the session module to make a more secure use and storage of session IDs. - remove the 'include' function from the list of disabled functions as it is quite common for most applications - modify the valid 'include_path' to make it really paranoid ('.' is not allowed anymore) - adjust locations of directories, including the upload dir and session dir - proper definition for sql.safe_mode and description (missing in php.ini-dist of what it is really for) - added session configuration variables which are not available in php.ini-dist together with recommended paranoid values (session.referer_check, session.entropy_file, session.entropy_length) - added more information to session configuration (not available in php.ini) based on the information at php.net * Lintian-based changes: - debian/php5-common.dirs: do NOT create usr/share/doc/php5-common/PEAR/ - fixed a hyphen-used-as-minus-sign in php5(1):319 - get rid of usr/share/php/data/Structures_Graph/LICENSE in php-pear * Move /usr/share/php/docs to /usr/share/doc/pear-php/PEAR (Closes: #331034) [ Steve Langasek ] * Step down from the PHP maintenance team, removing myself from uploaders. So long, and thanks for all the fish! -- Sean Finney Sun, 04 May 2008 21:15:47 +0200 php5 (5.2.5-3) unstable; urgency=high * zend_parse_parameters does not handle size_t's, causing issues with 043-recode_size_t.patch and segmentation faults for recode-using pages. changed problematic parameters back to "int" and added an overflow check. thanks to Thomas Stegbauer, Tim Dijkstra, Bart Cortooms, Sebastian Göbel, and Vincent Tondellier for their reports. closes: #459020. -- Sean Finney Thu, 21 Feb 2008 00:59:21 +0100 php5 (5.2.5-2) unstable; urgency=low * debian/patches/libdb_is_-ldb: reorder the search for db4 instances to give precedence to -ldb, so that we always get the version that matches the installed -dev package instead of whichever most recent version php upstream currently knows about. Closes: #463397. * Update suhosin patch to not patch .dsp files (and config.w32), which are irrelevant to Unix builds and seem to cause problems for clean patching/unpatching. -- Steve Langasek Fri, 01 Feb 2008 18:46:15 +0000 php5 (5.2.5-1) unstable; urgency=low [ Sean Finney ] * New upstream release * Updated suhosin patch for 5.2.5 minus ./configure as before. * Workaround for xargs not handling extra long cmdlines in session cleanup script (Closes: #461755). * Remove unneccesary DEB_BUILD_GNU_TYPE fudging (Closes: #429066). Thanks to Riku Voipio for the report/patch. [ Raphael Geissert ] * debian/rules: now DEB_BUILD_OPTIONS=nocheck aware * Updated description of the php5 meta-package to reflect removal of apache (Closes: #418038) * Capitalise apache where needed (Closes: #439575) * Homepage is now a control entry (moved from Description), Closes: #439578 * Fixed test-results.txt target so parallel package building doesn't fail * Added Suggests: php5-timezonedb to all the SAPIs [ Steve Langasek ] * Add ${shlibs:Depends} to php5-common, since it does build ELF objects now (pdo.so) * Update build-deps to libdb4.6-dev now that libaprutil1-dev has switched. Closes: #461192. -- Steve Langasek Thu, 17 Jan 2008 13:39:17 -0800 php5 (5.2.4-2) unstable; urgency=low [ sean finney ] * for posterity revised previous changelog to reference the CVE id's of security issues resolved by the latest upstream release. * lintian: use debian/compat instead of DH_COMPAT in debian/rules. * lintian: use source:Version and binary:Version where appropriate, instead of Source-Version * lintian: remove a couple pieces of cruft in the changelog that were causing false-postive wrong-bug-number-in-closes, but were generally useless anyway. [ Raphael Geissert ] * Using test-results.txt as a target * cronjob now checks for existance of /usr/lib/php5/maxlifetime (Closes: #439286) * Fixed memory limit of 1232M in php.ini for cli (Closes: #440624) * Build the interbase extension using firebird2.0-dev (Closes: #433736) * Unapply patches with debian/rules clean [ Steve Langasek ] * Don't patch configure or php_config.h.in in suhosin.patch, as these are auto-generated and including them in the patch results in a race condition for the necessary build-time regeneration. Thanks to Daniel Schepler for reporting, and to Damyan Ivanov for helping to sort out the fix. Closes: #443637. * Also remove the modified auto-generated files in the clean target, which triggers a warning about disappearing files when building the source package but avoids carrying irrelevant diffs to these files in the Debian diff. * Now that the testsuite is being run at build time, test failures cause a bunch of junk files to be left around in the Debian diff. So clean up several false-positive failures: - 052-phpinfo_no_configure.patch: we're patching the output of phpinfo(), so patch the test as well - fix_broken_upstream_tests.patch: use a local directory for tests that use sessions, skip the phpinfo test after all because it doesn't appear to be compatible with current testsuite behavior, and disable the moneyformat test if en_US locale is not available. There are still several other failing tests, but these are not false positives and remain enabled pending investigation. -- sean finney Wed, 24 Oct 2007 21:51:14 +0200 php5 (5.2.4-1) unstable; urgency=low * New upstream release. * Security issues resolved in the latest release: - CVE-2007-2519 - Directory traversal vulnerability in PEAR [ sean finney ] * patch from Jan Wagner to be able to conditionally disable any patches that break binary-compatibility with official php binary-only extensions. see debian/rules for more information. * now incorporate the php unit tests into the build process. for those interested the output is stored in the file /usr/share/doc/php5-common/test-results.txt . * by default we now ship with enable_dl = Off, as there are some fairly significant ramifications security-wise to having it on. * we shipping with the suhosin patch enabled by default. special thanks to Blars Blarson for providing a sparc machine for testing purposes with 5.2.3 (closes: #397179). * new binary package php5-gmp, with the newly enabled gmp extension, since whatever reason for not doing so either never existed or no no longer exists (closes: #344137). Build-Depends added for libgmp3-dev. [ Steve Langasek ] * php5-module.postinst: don't assume that the postinst is only relevant when called with 'configure' as an argument, some future debhelper code could apply in the case of other methods of invocation. * Clean up build dependencies for recent library transitions: - libsnmp-dev is now the real package name, and is supported as a virtual package for backports. - re-add firebird2-dev as an alternative to firebird1.5-dev, to support backports. - the curl -dev package name has changed from libcurl3-openssl-dev to libcurl4-openssl-dev; update to the proper name, with libcurl-dev as an alternative. * Switch php5-sybase to use the mssql extension instead of the sybase_ct extension. Closes: #418734, #329065. -- sean finney Sun, 16 Sep 2007 14:46:06 +0200 php5 (5.2.3-1) unstable; urgency=low * new upstream release. * upstream has incorporated the last of the recent CVE fixes, so the patches have been removed. * change build dependencies for firebird2-dev -> firebird1.5-dev, as the firebird maintainer has changed names in order to provide more clarity since there's also a firebird2.0 now (closes: #427181). * now include, but do not apply by default, the suhosin patch. see NEWS.Debian for more information. -- sean finney Mon, 04 Jun 2007 22:02:10 +0200 php5 (5.2.2-2) unstable; urgency=low [sean finney] - build with --with-ldap-sasl and modify build-depends to include libsasl2-dev in order to get the ldap_sasl_bind function (closes: #422490). - the json extension is now on by default in php builds, so there's no need for the php5-json package. added a Provides/Conflicts to help set an upgrade path. - apache 1.x support is soon disappearing. as a consequence we are no longer building the libapache-mod-php5 module. the php5 metapackage should as a result bring in libapache2-mod-php5 by default for those who already have it installed. -- sean finney Sun, 20 May 2007 21:59:56 +0200 php5 (5.2.2-1) unstable; urgency=low [ sean finney ] * new upstream release (closes: #422405). * /most/ of the previous CVE patches have been committed upstream, though: - the patch for MOPB-41 was fixed in a different way and we'll be keeping our fix for the time being. - it doesn't seem like MOPB-45 has been fixed yet. * remove build-dependency option on libmysqlclient12-dev, since the mysqli option requires it, and 15 is in stable now anyway. thanks to Henk van de kamer for finding this (closes: #422224). * now includes requested fix for mysql row counts (closes: #418471). * needle/haystack issues are reported fixed (closes: #399924). * oh yeah, because we're using quilt now: (closes: #338315). * update build-deps to libdb4.5-dev | libdb4.4-dev (closes: #421929). note that the resulting php packages won't actually build against libdb4.5 until all of our build-dependant packages do too. -- sean finney Sat, 05 May 2007 19:56:30 +0200 php5 (5.2.0-12) unstable; urgency=high [ sean finney ] * modify the build-depends to play more nicely when the net-snmp maintainers decide to change their package names (closes: #421061). -- sean finney Tue, 01 May 2007 14:24:01 +0200 php5 (5.2.0-11) unstable; urgency=high [ sean finney ] * The following security issues are addressed with this update: - CVE-2007-0910/MOPB-32 session_decode() Double Free Vulnerability * note that this is an update to the previous version of the upstream fix for CVE-2007-0910, which introduced a seperate exploit path. - CVE-2007-1286/MOPB-04 unserialize() ZVAL Reference Counter Overflow - CVE-2007-1380/MOPB-10 php_binary Session Deserialization Information Leak - CVE-2007-1375/MOPB-14 substr_compare() Information Leak Vulnerability - CVE-2007-1376/MOPB-15 shmop Functions Resource Verification Vulnerability - CVE-2007-1453/MOPB-18 ext/filter HTML Tag Stripping Bypass Vulnerability - CVE-2007-1453/MOPB-19 ext/filter Space Trimming Buffer Underflow Vuln. - CVE-2007-1521/MOPB-22 session_regenerate_id() Double Free Vulnerability - CVE-2007-1583/MOPB-26 mb_parse_str() register_globals Activation Vuln. - CVE-2007-1700/MOPB-30 _SESSION unset() Vulnerability - CVE-2007-1718/MOPB-34 mail() Header Injection - CVE-2007-1777/MOPB-35 zip_entry_read() Integer Overflow Vulnerability - CVE-2007-1887-1888/MOPB-41 sqlite_udf_decode_binary() Buffer Overflow - CVE-2007-1824/MOPB-42 php_stream_filter_create() Off By One Vulnerablity - CVE-2007-1889/MOPB-44 Memory Manager Signed Comparision Vulnerability - CVE-2007-1900/MOPB-45 ext/filter Email Validation Vulnerability * The other security issues resulting from the "Month of PHP bugs" either did not affect the version of php5 shipped in unstable, or did not merit a security update according to the established security policy for php in debian. You are encouraged to verify that your configuration is not affected by any of the other vulnerabilities by visiting: http://www.php-security.org/ * other, less interesting changes: - now use quilt for managing local patches. - massage all of the patches, eliminating fuzz and offsets. -- sean finney Mon, 23 Apr 2007 19:02:51 +0200 php5 (5.2.0-10) unstable; urgency=high [ sean finney ] * The php security update contained a regression in the streams module. this version contains an updated version of the patch for CVE-2007-0906 (116-CVE-2007-0906_streams.patch), which should fix the regression. Thanks to Martin Pitt for noticing this. * Fix the patch names in the previous changelog entry, and fix a factual inaccuracy that was accidentally pasted from the php4 changelog. * The previous update was missing two fixes from CVE-2007-0906: * interbase: (116-CVE-2007-0906_interbase.patch) * zip: (116-CVE-2007-0906_zip.patch) -- sean finney Wed, 07 Mar 2007 23:11:29 +0100 php5 (5.2.0-9) unstable; urgency=high [ sean finney ] * The following security issues are addressed with this update: - CVE-2007-0906: Multiple buffer overflows in various code: * session (116-CVE-2007-0906_session.patch) * imap (116-CVE-2007-0906_imap.patch) * str_replace: (116-CVE-2007-0906_string.patch) * the sqlite and mail related vulnerabilities in this CVE do not affect the php5 source packages. - CVE-2007-0907: sapi_header_op buffer underflow (116-CVE-2007-0907.patch) - CVE-2007-0908: wddx information disclosure (116-CVE-2007-0908.patch) - CVE-2007-0909: More buffer overflows: * the odbc_result_all function (116-CVE-2007-0909_odbc.patch) * various formatted print functions (116-CVE-2007-0909_print.patch) - CVE-2007-0910: Clobbering of super-globals (116-CVE-2007-0910.patch) - CVE-2007-0988: 64bit unserialize DoS (116-CVE-2007-0988.patch) Closes: #410995. * The package maintainers would like to thank Joe Orton from redhat and Martin Pitt from ubuntu for their help in preparation of this update. * backport upstream fix for AUTH PLAIN support in imap extension Closes: #401712. -- sean finney Sat, 03 Mar 2007 11:13:33 +0100 php5 (5.2.0-8) unstable; urgency=high [ sean finney ] * Update package information to say simply "Apache 2" instead of "Apache 2.0" (ref: #400306). * Update package description for php-pear to mention needing phpN-dev for building PECL extensions (closes: #401825). * Add mention of Freetype fonts to php5-gd package description, thanks to Ole Laursen for the suggestion (closes: #387881). * Include a backported version of upstream's fix for alignment calculatations which cause FTBFS problems for some arches. Thanks to Roman Zippel for finding this (closes: #401129). patch: 114-zend_alloc.c_m68k_alignment.patch * Remove --enable-yp, as it's no longer used and seperately packaged. Thanks to Martijn Grendelman for mentioning this (closes: #402161). * Add mention to README.Debian of needing to restart apache when installing modules (closes: #392249). * Don't strip the DSO modules if building with DEB_BUILD_OPTIONS containing nostrip * Backported a patch from upstream CVS to fix a rather nasty memory leak in zend_alloc (closes: #402506). patch: 115-zend_alloc.c_memleak.patch * The memleak and FTBFS are targeted at etch, and there aren't any other significant changes, so priority=high. -- sean finney Sun, 17 Dec 2006 16:49:35 +0100 php5 (5.2.0-7) unstable; urgency=high [ Steve Langasek ] * Also disable firebird in the PDO config for archs other than i386/amd64. -- sean finney Fri, 24 Nov 2006 15:20:53 +0100 php5 (5.2.0-6) unstable; urgency=high [ sean finney ] * firebird2-dev (and thus php5-interbase) is only available on i386/amd64, so update the control/rules information accordingly. thanks to Bastian Blank for reporting this (closes: #399558). -- sean finney Wed, 22 Nov 2006 19:04:04 +0100 php5 (5.2.0-5) unstable; urgency=high [ sean finney ] * bring some of the mainline php4 modules back into the php source package instead of distributing them in independant source packages: - php5-imap - php5-interbase - php5-mcrypt - php5-pspell - php5-tidy these modules are still provided in the same binary packages as before, but will now be built in tandem with the core php packages. * fix for pdo.so duplicate loading warnings, thanks to Jan Wagner (closes: #398367, #399248). -- sean finney Mon, 20 Nov 2006 12:41:37 +0100 php5 (5.2.0-4) unstable; urgency=high * Re-re-enable LFS support, forward-porting vorlon's fixes in the php4 tree. * Add a bit of support in upgrade scripts to avoid unnecessary ucf prompting during upgrades (closes: #398363). * Update build-dependencies to reflect that libpcre3-dev >= 6.6 is required. Thanks to Jan Wagner for pointing this out. * loosen dependencys for libapache2-mod-php5 to allow usage with apache2-mpm-itk as an alternative to prefork. Closes: #398580, #398481. -- sean finney Wed, 15 Nov 2006 08:33:28 +0100 php5 (5.2.0-3) unstable; urgency=high * Unify PHP options for pear binaries to: -d output_buffering=1 -d open_basedir="" -d safe_mode=0 -d memory_limit="-1" (Closes: #397625) * [debian/rules]: Enable PDO building only in apache2 build. -- Ondřej Surý Fri, 10 Nov 2006 14:09:00 +0100 php5 (5.2.0-2) unstable; urgency=high [ Ondřej Surý ] * Revert Large File Support for this moment. We will try to found root of the problem for etch, but we do not promise anything. (Closes: #397465) -- Ondřej Surý Wed, 8 Nov 2006 01:13:48 +0100 php5 (5.2.0-1) unstable; urgency=high [ sean finney ] * new upstream release. since this means the 5.1 series is deadware in the eyes of its developers, we better get on this train before it's too late. Note: this also fixes the htmlentities() exploit. Reference: CVE-2006-5465. Closes: #396766. * s/postinst/postrm/ on one critical line in debian/rules. whoops. Thanks to Bart Martens for finding this (closes: #396873). * as a pennance i've enabled LFS support (closes: #359686). * new version now includes all mbstring headers (closes: #391368). * enable new built-in zip support. * enable pdo support for currently supported db types, and place the extensions in the respective extension packages. future db types will be added, but probably post-etch as they will probably introduce new packages/dependencies (closes: #348882). * move the mysqli module into the mysql module's package, and remove the no longer necessary mysqli package. * massaging/removal of various patches to upstream changes: D patches/106-strptime_xopen.patch D patches/110-CVE-2006-4812_zend_alloc.patch M patches/006-debian_quirks.patch D patches/111-mbstring-headers.patch M patches/053-extension_api.patch [ Ondřej Surý ] * Package checked, upload to unstable. -- Ondřej Surý Tue, 7 Nov 2006 09:26:51 +0100 php5 (5.1.6-6) unstable; urgency=high [ sean finney ] * add notes to php.ini(-dist) about "unsupported" security features. patch: 113-php.ini_securitynotes.patch [ Ondřej Surý ] * SECURITY: include patch for html buffer overflows in ext/standard/html.c Reference: CVE-2006-5465 Patch: 114-CVE-2006-5465_htmlentities.patch Closes: #396766 -- Ondřej Surý Fri, 3 Nov 2006 12:32:50 +0100 php5 (5.1.6-5) unstable; urgency=high [sean finney] * add a README.Debian.security to clarify how we handle/respond to security problems in stable releases. * SECURITY: include patch for integer overflow in zend_alloc.c. Reference: CVE-2006-04812 (closes: #391586). patch: 110-CVE-2006-4812_zend_alloc.patch * bump the debhelper compatibility level to 4. * remove cyclic depends for mysql/mysqli. * the long overdue rework of configuration file handling. this also removes the need for debconf and template translations (closes: #361211, #393788, #388697). * start using ucf to manage the the various SAPI php.ini files. * cleanup and consolidation of a few things in the ./debian dir * bump the memory limit to 32M for the cli API (closes: #375070, #340586). * include a fix for missing mbstring headers reported by Jan Wagner (closes: #391368). patch: 111-mbstring-headers.patch. * include support for PTY's in proc_open, as reported by Eike Dehling. according to php's BTS (http://bugs.php.net/bug.php?id=39224) the feature was disabled only because the configure script couldn't accurately determine whether the feature was available, and we know it is :) (closes: #381438). patch: 112-proc_open.patch. * update standards-version to 3.7.2 -- sean finney Sat, 28 Oct 2006 14:29:44 +0200 php5 (5.1.6-4) unstable; urgency=high [sean finney] * no longer build against GPL'd gdbm library (closes: #390452). * updated apache2 module dependencies to build against and coexist with apache2.2 (closes: #390455). -- sean finney Sat, 07 Oct 2006 12:06:09 +0200 php5 (5.1.6-3) unstable; urgency=low [ sean finney ] * php5 was building against db4.3 even though db4.4 headers were installed. fix applied to ./ext/dba/config.m4 while we wait for a real fix from upstream (closes: #388601). -- sean finney Mon, 02 Oct 2006 17:42:50 +0200 php5 (5.1.6-2) unstable; urgency=low [ sean finney ] * enable the mysqli extension (closes: #320835). -- sean finney Tue, 19 Sep 2006 19:31:27 +0200 php5 (5.1.6-1) unstable; urgency=high [ Adam Conrad ] * Drop 041-shut_up_snmp.patch, which was no longer needed as of 5.1.0. [ Ondřej Surý ] * Acknowledge NMU. * New upstream release (Closes: #383596) - Added missing safe_mode/open_basedir checks inside the error_log(), file_exists(), imap_open() and imap_reopen() functions. - Fixed overflows inside str_repeat() and wordwrap() functions on 64bit systems. - Fixed possible open_basedir/safe_mode bypass in cURL extension and with realpath cache. (CVE-2006-2563) (Closes: #370165) - Fixed overflow in GD extension on invalid GIF images. - Fixed a buffer overflow inside sscanf() function. (CVE-2006-4020) (Closes: #382256) - Fixed an out of bounds read inside stripos() function. - Fixed memory_limit restriction on 64 bit system (really with 5.1.6). * Bump libdb build-dep from libdb4.3 to libdb4.4, to match with apache. -- Ondřej Surý Sat, 19 Aug 2006 14:41:43 +0200 php5 (5.1.4-0.1) unstable; urgency=high * Non-maintainer upload. * New upstream release. (Closes: #366109) * Fixes information leak in html_entity_decode() (CVE-2006-1490). (Closes: #359907) * Fixes phpinfo() XSS (CVE-2006-0996). (Closes: #361914) * Fixes copy() safe mode bypass (CVE-2006-1608). (Closes: #361915) * Fixes tempnam() open_basedir bypass (CVE-2006-1494). (Closes: #361916) * Fixes wordwrap() buffer overflow (CVE-2006-1990). (Closes: #365312) * Fixes substr_compare() DoS condition (CVE-2006-1991). * Fixes crash during too deep recursion (CVE-2006-1549). (Closes: #361917) * Fixes injection in mb_send_mail() (CVE-2006-1014, CVE-2006-1015); not mentioned in upstream changelog. (Closes: #368595) * 044-strtod_arm_fix.patch: Adapted for new upstream; pulled in from Piotr Roszatycki's packages. * 108-64bit_datetime.patch: Patch to fix possible segfault on systems where sizeof(void*) > sizeof(int); patch from David Mosberger-Tang. -- Steinar H. Gunderson Tue, 13 Jun 2006 22:38:33 +0200 php5 (5.1.2-1) unstable; urgency=low * New upstream bugfix and security update release (closes: #347894) - Fixes multiple cross-site-scripting vulnerabilities; CVE-2006-0208 - Resolves multiple HTTP response splitting vulnerabilities, allowing arbitrary header injection via Set-Cookie headers; see CVE-2006-0207 - While we don't currently build it, this release also fixes a format string vulnerability in the mysqli extension; see CVE-2006-0200 - Includes a new version of the PEAR installer that seems to have a slightly better clue about the difference between INSTALL_ROOT and PHP_PEAR_INSTALL_DIR, fixing pear.conf (closes: #346479, #346501) * While the above is partially true, the PEAR installer is still a bit broken (it won't install correctly under fakeroot anymore, YAY), so shuffle debian/rules to have a build-pear-stamp target, as a stopgap. * Add 106-strptime_xopen.patch, moving the _XOPEN_SOURCE definition down in ext/standard/datetime.c, below the php.h include (closes: #346550) * Add 107-reflection_is_ext.patch, munging ext/reflection/config.m4 to properly call the PHP_ARG_ENABLE macro for an extension, not built-in. * Stop php-pear from Replacing and Conflicting with php-html-template-it, as we only now ship the bare essential to make the pear installer go. -- Adam Conrad Mon, 16 Jan 2006 16:12:31 +1100 php5 (5.1.1-1) unstable; urgency=low * New upstream bugfix release, skipping the problematic 5.1.0 release: - Fixes a zend.ze1_compatibility_mode segfault (closes: #333374) - Remove libtool patch from acinclude.m4, now integrated upstream. - Remove 038-round_test_fix.patch, now integrated upstream. - Remove 049-exported-headers.patch, as upstream's build system has gotten more clever about what they should and shouldn't export. - Remove 054-open_basedir_slash.patch, now integrated upstream. - Remove 055-gd_safe_mode_checks.patch, fixed differently upstream. - Mangle 101-sqlite_is_shared.patch, to deal with upstream changes. - Remove 104-64_bit_serialize.patch, now integrated upstream. - Remove 105-64_bit_imagettftext.patch, now integrated upstream. * Many security vulnerabilities fixed (closes: #341368, #336005, #336654): - Resolves a local denial of service in the apache2 SAPI, which can be triggered by using session.save_path in .htaccess; CVE-2005-3319 - Resolves an infinite loop in the exif_read_data function which can be triggered with a specially-crafted JPEG image; CVE-2005-3353 - Resolves a vulnerability in the parse_str function whereby a remote attacker can fool PHP into turning on register_globals, thus making applications vulnerable to global variable injections; CVE-2005-3389 - Resolves a vulnerability in the RFC1867 file upload feature where, if register_globals is enabled, a remote attacker can modify the GLOBALS array with a multipart/form-data POST request; see CVE-2005-3390 - Resolves numerous safe_mode and open_basedir bypasses; CVE-2005-3391 - Resolves INI settings leaks in the apache2 SAPI, leading to safe_mode and open_basedir bypasses between virtual hosts; CVE-2005-3392 - Resolves a CRLF injection vulnerability in the mb_send_mail function, allowing injection of arbitrary mail headers; see CVE-2005-3883 - Includes PEAR 1.4.5, resolving a vulnerability in the pear installer which could lead to arbitrary code execution; see CVE-2005-4154 * Bump libdb build-dep from libdb4.2 to libdb4.3, to match with apache. * Bump our MySQL build-dep to 5.0's libmysqlclient15-dev (closes: #343793) * Automate the process of getting the list of built-in modules into the package descriptions, so it stays fresh in the future (closes: #341867) * Intentionally disable PDO support until I've sorted out the best way to deal with shipping this shiny new feature that won't break the world. * The new PEAR happens to fix the Command.php greedy match bug filed in Debian as part of the fix for the wider security issue (closes: #334969) * Create 056-mime_magic_strings.patch, making the mime_magic extension more liberal about what mime-types is accepts, as well as making it skip over ones it dislikes, rather than disabling itself (closes: #335674) * Add 057-no_apache_installed.patch, to stop spewing a mess of errors in configure because we don't have the apache binaries in the build chroot. * Fix small typo in the php5-xsl package description (closes: #344816) -- Adam Conrad Thu, 15 Dec 2005 14:46:56 +1100 php5 (5.0.5-3) unstable; urgency=low * Build-Depend on libcurl3-openssl-dev, since libcurl3-dev is going away soon. Keep libcurl3-dev as an alternate for backporting (see: #334367) * Switch from libmysqlclient12 to libmysqlclient14; this puts us on the *other* side of the line regarding which combinations of DSOs cause segfaults, so hopefully the others catch up with us soon (closes: #332453) * Look for magic.mime in /usr/share/file now instead of /usr/share/misc/file, as the path has been changed to comply with the FHS (see: #334510) * Make the above backportable as well, by searching for both files, and picking the one that's currently installed on the user's system. * Include swedish debconf translation from Daniel Nylander (closes: #330763) * Make pear use '/usr/bin/php' instead of just 'php' to make sure we don't get some random binary on $PATH that won't work right (closes: #329415) * Set PHP_PEAR_SIG_BIN to /usr/bin/gpg, and have php-pear Recommends: gnupg -- Adam Conrad Fri, 21 Oct 2005 02:30:19 +1000 php5 (5.0.5-2) unstable; urgency=medium * Remove Andres Salomon from the Uploaders field, at his request. Thanks for all your work on the PHP packages, Andres, now fix our kernel bugs. * Add 054-open_basedir_slash.patch, which fixes a bug where if open_basedir is set to "/foo/", users can access files in "/foobar/", which is not the documented behaviour; this addresses CAN-2005-3054 (see: #323585) * Add 104-64_bit_serialize.patch from Joe Orton, resolving a segfault when serializing objects on all 64-bit architectures (closes: #329768) * Add 105-64_bit_imagettftext.patch, fixing a type mismatch in the GD extension, causing memory corruption on 64-bit arches (closes: #331001) * Add 055-gd_safe_mode_checks.patch from PHP CVS, adding missing safe_mode checks to the _php_image_output and _php_image_output_ctx GD functions. * Make php-pear Provide, Replace, and Conflict php-html-template-it, which we appear to have absorbed into the main PEAR packaging (closes: #332393) -- Adam Conrad Tue, 27 Sep 2005 16:09:29 +1000 php5 (5.0.5-1) unstable; urgency=low * New upstream release, adjust patch offsets and fuzz, and drop patches: - Drop 009-snmp-int-sizes.patch, finally fixed upstream. - Drop 051-gcc-4.0.patch, fixed differently upstream. - Drop 102-php_streams.patch, fixed upstream. - Drop 103-catch_segv.patch, also fixed upstream. - Includes PEAR XML_RPC fix for CAN-2005-2498. - Includes phpinfo() XSS fix for CVE-2005-3388. * Distribute the shiny new manpages for php-config and phpize. -- Adam Conrad Mon, 12 Sep 2005 02:29:24 +1000 php5 (5.0.4-4) unstable; urgency=low * Ondřej Surý : - Add patch from CVS to fix regression in PHP 5.0.4, where file related functions all stop reading at 2,000,000 bytes (closes: #321930) * Adam Conrad : - Enable support for gdbm files in the dba handler; half the base system already appears to depend on libgdm, so we can't make things worse. - Add another patch from CVS to fix a segfault in the catch/throw handler under interesting nesting cases (closes: #322507) - Rebuild against libsnmp9-dev for new libsnmp SOVER (closes: #327107) -- Adam Conrad Thu, 8 Sep 2005 00:36:36 +1000 php5 (5.0.4-3) unstable; urgency=low * And fix the module/extension API situation one last time, this time we read ZEND_EXTENSION_API_NO, ZEND_MODULE_API_NO, and PHP_API_VERSION, pick the most recent of the three, assume things broke in ways we're not willing to cope with, and both change the extension directory to use that value, as well as setting it to the provides/depends for the various SAPI and extension packages. * Add a new option to php-config, 'php-config --phpapi', which extension packagers should now be using to get the current phpapi they're building against and set their dependencies accordingly. * Strip the -gnu off the end of the DEB_*_* variables and drop the versioned dpkg-dev build-dep to ease backporting to sarge and hoary; doing so in such a way as to still allow for easy cross-compiling. * Add postgresql-dev build-dep alternate for easy hoary/sarge backports. * Make libapache2-mod-php5 the default alternate dependency for the php5 metapackage, since we really do want to encourage the apache upgrade. * Make php5-dev stop shipping copies of files from autotools-dev, shtool, and libtool, and instead symlink to them and depend on those packages, thus avoiding the shtool issues from CAN-2005-1751 and CAN-2005-1759. -- Adam Conrad Sun, 31 Jul 2005 03:05:08 +1000 php5 (5.0.4-2) unstable; urgency=low * We now have a mailing list. Set the maintainer to the list, and move myself to Uploaders where, apparently, I belong. * Use ZEND_MODULE_API_NO rather than PHP_API_VERSION for extension deps, as recent upstream ABI breakage in 4.4.0 leads me to believe this is the only constant they actually bother to update on ABI changes. * Bring back some concflicts that went missing (libapache-mod-php5 needs to conflict with libapache-mod-php4 and older versions of php4, while the two libapache2-mod-php[45] modules also need to conflict). * Adjust debian/watch to not match on upstream's alpha/beta/rc releases. -- Adam Conrad Wed, 27 Jul 2005 22:30:42 +1000 php5 (5.0.4-1) unstable; urgency=low * Initial PHP5 release; packaging forked from php4 4:4.3.11-1. - Closes: #262977, #293832 * Ondrej Sury : - Removed some obsolete cruft, since there wasn't any previous php5 packages there is no need, to check /usr/share/doc/*, etc. - Removed apache2 IfModule hack, it's been fixed in php5. - Updated patches to php5, removing those which are obsolete. - Changes xslt extension to xsl (using libxslt). - Updated debian/* including changelog. - Raised update-alternatives priority to 50. * Adam Conrad : - Merged with php4 4:4.4.0-1 packaging. - Re-roll upstream tarball to include PEAR::XML_RPC 1.3.3, which includes a security fix for CVE CAN-2005-1921. - Bump to Standards-Version 3.6.2, with no source changes. - Stop distributing the phpextdist binary, as upstream has stopped. - Drop the ext_skel binary and skeleton dir from php5-dev, as it has been deemed obsolete upstream and the version in the tarball is not considered useful anymore. PEAR::PECL_Gen upstream will replace it. - Fix longstanding broken shebang lines in debconf config scripts. - Remove lintian overrides for modules; lintian no longer complains about missing shlibs for libraries outside the linker path. - Add a linda override for the non-standard directory permissions on /var/lib/php5 in php5-common. - Rename php5-pear to php-pear, have it replace php4-pear, and depend on php5-cli OR php4-cli; make sure it works with both. - Compile in SOAP extension (closes: #307580) - Enable SQLite extension as shared, make the xmlrpc extension shared. - Enabled the pgsql extension, and disabled the imap extension (which will be moving to another source package and become the example package for out-of-tree builds). -- Adam Conrad Sat, 16 Jul 2005 23:42:36 +1000 php4 (4:4.3.11-1) unstable; urgency=low * New upstream release (closes: #304052) - Drop CVS patches, we're back in step with upstream versions. - Remove 048-x509_multiple_orgUnits.patch, incorporated in 4.3.11. - Remove 050-4.3.11_file_copy_fix.patch, incorporated in 4.3.11. - Remove 040-curl_open_basedir.patch, as upstream has solved this in a different fashion. - Adjust patches for offset and fuzz. - Remove bits from debian/rules dealing with the DB PEAR extension, since it's no longer shipped in the php4-pear package. * Rebuild against newer version of freetds library (closes: #317369) * Add 052-phpinfo_no_configure.patch, which disables the display of our "Configure Command" in phpinfo(), which was the source of many bogus bug reports over the years, due to people misinterpreting its meaning. * New translations to Vietnamese and Russian (closes: #316821, #310199) - vi.po contributed by Clytie Siddall - ru.po contributed by Yuriy Talakan' * Mention FastCGI in the description of php4-cgi (closes: #310810) -- Adam Conrad Mon, 4 Jul 2005 17:47:32 +1000 php4 (4:4.3.10-15) unstable; urgency=low * Bring back the shipping of /usr/share/doc symlinks in our packages, as this, in concert with moving the migration detection from preinst to postinst (which was done in the last upload), seems to give us the sanest upgrade path. Thanks to Steve Langasek for smacking me around with unpack/upgrade scenarios for a while to convince me of this. -- Adam Conrad Mon, 9 May 2005 02:13:19 -0600 php4 (4:4.3.10-14) unstable; urgency=high * Revert the directory->symlink magic to work how it used to, since the new behaviour broke hideously on upgrades from Woody, causing certain files (like the changelog) to mysteriously go missing (closes: #307591) * Move our template php.ini to /usr/share/php4, so we stop violating policy by using files from /usr/share/doc (as seen in #307591) * Remove 'readline' from the php4-cli package description, since we don't actually build with readline support enabled anymore (closes: #306571) -- Adam Conrad Wed, 4 May 2005 01:48:19 -0600 php4 (4:4.3.10-13) unstable; urgency=low * Update email address for Andres Salomon * Add Portuguese translation from Miguel Figueiredo (closes: #305038) * Include 051-gcc-4.0.patch, which resolves a build failure in libxmlrpc (from the xmlrpc extension) with gcc-4.0 (closes: #287956) -- Adam Conrad Mon, 18 Apr 2005 00:29:54 -0600 php4 (4:4.3.10-12) unstable; urgency=low * Add 050-4.3.11_file_copy_fix.patch, which reverts a broken 'fix' made to the copy() function, causing it to fail in particularly spectacular ways when used on remote files (closes: #304601) * Use -g instead of -gstabs on powerpc64-linux (closes: #301571) -- Adam Conrad Thu, 14 Apr 2005 03:53:27 -0600 php4 (4:4.3.10-11) unstable; urgency=medium * Address an FTBFS waiting to happen in the php4-dev package: - Remove Win32 and Netware specific headers. - Stop shipping php4-pgsql headers. - Stop shipping the expat headers, since we don't even use the bundled expat library. - Make php4-dev depend on libssl-dev, since it wants to include ssl.h when you use it to build network-using extensions. * Stop building extensions twice; we don't need two copies. -- Adam Conrad Tue, 12 Apr 2005 03:14:03 -0600 php4 (4:4.3.10-10) unstable; urgency=low * Update to 200503131325 CVS (AKA: 4.3.11RC1), fixing several bugs including a segfault in mysql_fetch_field() (closes: #299608) * Remove 042-remove_windows_paths.patch, incorporated upstream. * Add 048-x509_multiple_orgUnits.patch to bring the openssl extension in line with the upcoming 4.3.11 behaviour of listing multiple Organisational Units in an x509 cert as an array, rather than only listing the last in the list. * After much talk with upstream, revert the ZTS changes. We are no longer building a thread-safe PHP. (closes: #299820, #297223, #297679) * ZTS was breaking file search paths, leading to errors loading files from the cwd (closes: #298282, #298518, #299089, #299356) * Stop building caudium-php4 (closes: #294718, #297702, #295100) - We can't link against the GPL pike7.2, which we've been doing. Oops. - Even if the above weren't true, upstream has insisted that ZTS is a horribly broken solution, slated for eventual removal, and should never, ever be used. In light of that, caudium users should instead use php4-cgi, either as a plain CGI, or as a FastCGI backend. - Not even attempting to provide an upgrade path, as it would be needlessly complex, and caudium-php4 in previous stable releases was nothing more than a useless toy, given that it had nearly no useful extensions built-in or supported. * Rewrite 041-shut_up_snmp.patch to take a different approach, this time regrettably reverting a fix for a memory leak, in the name of making things work properly, including squashing the putenv() intecaction bug between PHP and other apache modules (closes: #298511, #300628) * On sidegrades from distributions where different modules may be built from their own source, and thus have their own doc directories, bad things happen when we try to replace those with symlinks, so now we check for this in preinst, and fix stuff up magically to Just Work. * Add Jeroen van Wolffelaar to Uploaders. * Fix up modules regexes to use "\.so" instead of ".so" (cf: #300998) -- Adam Conrad Wed, 16 Mar 2005 22:46:05 -0700 php4 (4:4.3.10-9) unstable; urgency=low * Update 040-curl_open_basedir.patch once more to make sure it doesn't segfault when fed a null or uninitialised URL (closes: #295447) * Add 047-zts_with_dl.patch, courtesy of Steve Langasek to re-enable the dl() function in our builds, despite upstream's claim that it "might not be threadsafe on all platforms"; it is on ours (closes: #297839) * Make the php4-dev binaries versioned with alternatives (closes: #295903) * Update build-deps to libmysqlclient12-dev (closes: #290989, #227549) -- Adam Conrad Sun, 6 Mar 2005 07:30:35 -0700 php4 (4:4.3.10-8) unstable; urgency=high * Add 046-zend_plist_buggery.patch which unrolls the changes made to zend.c in CVS post-4.3.10. The memory leaks fixed by these changes seem to not have been hurting us terribly so far, while the "fix" (breaking persistent lists) was, uhm, bad (closes: #295998, #296694) * Revise 041-shut_up_snmp.patch to call init_snmp with 'snmpapp' as the appname, rather than 'php', to maintain backward compatibility, and to wrap our setenv/unsetenv magic only around snmp_shutdown, which seems to solve a segfault when php4-snmp is loaded with mod_perl (closes: #296282) * Fix 042-remove_windows_paths.patch to catch both cases where windows path stripping should occur (closes: #296406) -- Adam Conrad Tue, 22 Feb 2005 07:49:32 -0700 php4 (4:4.3.10-7) unstable; urgency=high * Rewrite 040-curl_open_basedir.patch, so it now does what it's supposed to (addressing CAN-2004-1392) and no longer segfaults (closes: #295447) -- Adam Conrad Thu, 17 Feb 2005 00:06:36 -0700 php4 (4:4.3.10-6) unstable; urgency=high * Add 044-strtod_arm_fix.patch to fix the FPU confusion FTBFS on arm. * Add 045-exif_nesting_level.patch to bump the exif header parsing max nesting level to something that actually works with most JPEG images. -- Adam Conrad Mon, 14 Feb 2005 16:04:28 -0700 php4 (4:4.3.10-5) unstable; urgency=low * Add 043-recode_size_t.patch to fix 32/64-bit issues causing the recode extension to segfault on alpha/amd64/ia64 (closes: #294986) * Move the ./buildconf stuff in the unpatch target inside the test for patch-stamp, as it's uselss unless we're unpatching. -- Adam Conrad Sun, 13 Feb 2005 19:09:39 -0700 php4 (4:4.3.10-4) unstable; urgency=medium * Make php4-dev arch:any, as it contains some arch-specific defines. * Add 042-remove_windows_paths.patch, a patch to rfc1867.c to strip Windows paths from uploaded filenames, like it used to. (closes: #294305) * Fix up caudium description to reflect the fact that caudium it is no longer restricted from sharing extensions with other SAPIs. * Build-dep on apache2-threaded-dev (>= 2.0.53-3) to make sure we get a version with non-broken headers. -- Adam Conrad Wed, 9 Feb 2005 11:52:10 -0700 php4 (4:4.3.10-3) unstable; urgency=medium * Update to CVS, as of 200502060530 (closes: #288672) - Fixes two vulnerabilities in exif.c, CAN-2005-1042 and CAN-2005-1043 - Fixes two vulnerabilities in image.c, CAN-2005-0524 and CAN-2005-0525 - File uploads with "'" in them aren't cut off anymore (closes: #288679) - unserialize() is no longer ridiculously slow (closes: #291392) - Add 000-200502060530_CVS.patch - Adapt debian/rules to the realities of upstream's new buildconf - Add 033-we_WANT_libtool.patch, to force relibtoolizing with Debian's libtool, rather than using upstream's broken bundled libtool - Drop 031_zend_strtod_1.1.2.10.patch and 032_zend_strtod_debian.patch - Adjust patches for offsets and fuzz - Force --with-pic, as policy demands it, and the build system doesn't * Added several patches, yanked from the Fedora PHP sources: - 034-apache2_umask_fix.patch, fixes umask not being properly reset after each request (closes: #286225) - 036-fd_setsize_fix.patch, fixes misuse of FD_SET() - 038-round_test_fix.patch, makes the rounding test work on gcc-3.3 * Removed --with-libedit, as being able to background php is more useful, in my opinion, than using readline functions (see #286356) * Include zip support in all SAPIs (closes: #288534, #288909) * Enable Zend Thread Safety for all SAPIs, meaning that our modules are now compiled for ZTS APIs as well. (closes: #278212, #264015) - Make sure caudium-php4 now provides phpapi-$(ver), and modules can be configured with the caudium SAPI. - Add 039-reentrant_libs.patch to link to the reentrant versions of libldap and libmysqlclient * Stop suggesting phpdoc, as it's undistributable anyway. * Add 040-curl_open_basedir.patch, to make php4-curl respect the value of open_basedir, thanks to Martin Pitt (closes: #291410) * Add 041-shut_up_snmp.patch, to prevent libsnmp5 from attempting (and failing) to write persistent data every time it shuts down. Ugh. -- Adam Conrad Sun, 6 Feb 2005 05:32:11 -0700 php4 (4:4.3.10-2) unstable; urgency=high * Patch Zend/zend_strtod.c twice: - Patch from upstream CVS to fix FTBFS on Sparc/Linux systems - Patch from me to fix FTBFS on __mc68000__, __ia64__, and __s390__ -- Adam Conrad Sat, 18 Dec 2004 19:35:30 -0700 php4 (4:4.3.10-1) unstable; urgency=high * New upstream release, including the following security fixes: - CAN-2004-1018 - shmop_write() out of bounds memory write access. - CAN-2004-1018 - integer overflow/underflow in pack() and unpack() functions. - CAN-2004-1019 - possible information disclosure, double free and negative reference index array underflow in deserialization code. - CAN-2004-1020 - addslashes() not escaping \0 correctly. - CAN-2004-1063 - safe_mode execution directory bypass. - CAN-2004-1064 - arbitrary file access through path truncation. - CAN-2004-1065 - exif_read_data() overflow on long sectionname. - magic_quotes_gpc could lead to one level directory traversal with file uploads. * Adjust patch offsets for new upstream, fix 013-force_getaddrinfo.patch to match with new configure.in and drop 026-4.3.10_session_fixes.patch which is included in 4.3.10. -- Adam Conrad Wed, 15 Dec 2004 17:17:40 -0700 php4 (4:4.3.9-2) unstable; urgency=low * Adam Conrad : - Add -fno-strict-aliasing to CFLAGS, as the (several thousand) warnings I'm getting from GCC are frightening me a tad. - Remove the php-cgi alternative in php4-cgi's prerm, to avoid leaving dangling symlinks (closes: #275962, #282315) - Include 030-imap_getacl.patch, adding the imap_getacl() function required by the GOsa project (closes: #282484) - Include php.ini-paranoid in doc/examples, provided and maintained by Javier Fernández-Sanguino Peña (closes: #274374) - Make /cgi-bin/php4 an alternative for /cgi-bin/php (closes: #282464) - Remove obsolete info from README.Debian relating to session_mm, since we stopped building with libmm a while back. - Reintroduce /usr/lib/php4/libexec that went missing in a previous upload, since the build uses it as the default safe_mode exec dir. * Andres Salomon : - Add patch to include gd headers in php4-dev, as some PECL modules (notably, pdflib) expect it; 028-export_gd_headers.patch. - Lintian fix: Add missing #DEBHELPER# token to php4-common.postrm. -- Adam Conrad Wed, 01 Dec 2004 18:48:13 -0700 php4 (4:4.3.9-1) unstable; urgency=high * New upstream release, removed the following patches fixed upstream: 014-apache2handler_CVS_fixes.patch, 015-gdNewDynamicCtx_Add_Ex.patch, 018-unix_socket_fd_leak.patch, 020-4.3.9_overflow_fixes.patch, 021-4.3.9_sybase_ct_fixes.patch, 022-4.3.9_sprintf_fixes.patch, 023-4.3.9_array_fixes.patch, 024-4.3.9_glob_fix.patch, and 025-4.3.9_domxml_segfaults.patch * Resolves undiscolsed vulnerabilities in GPC processing and rfc1867 handling of file uploads via the $_FILES array; these have since been assigned CVE CAN-2004-0958 and CAN-2004-0959 (closes: #274206) * After some fairly heavy testing from several users and developers, finally update php4-snmp to use libsnmp5 (closes: #195929) * Add 026-4.3.10_session_fixes.patch from CVS, which prevents PHP from segfaulting when a nonexistant or unsupported save_handler or serialize_handler is specified in php.ini. * Add /etc/apache/conf.d/php4.conf, setting up our mime-types, on the off chance that the user's /etc/mime.types is broken (closes: #271171) * Reintroduce a CGI binary at /usr/bin/php4-cgi, so people who can't make use of the --force-cgi-redirect CGI binary in /usr/lib/cgi-bin can instead use #!/usr/bin/php4-cgi scripts (closes: #273143) * Enable FastCGI for both CGI binaries, now that it no longer conflicts with, but rather complements, the CGI SAPI (closes: #233849) * Bump libgd2 build-dep a notch to make sure we build against a version that actually has XPM support built in (closes: #270435) * Finally drop the bogus libapache-mod-ssl dependency from the apache1.3 php4 module, as glibc (>= 2.3.2.ds1-17) has fixed the dlopen refcount bug that we were hacking around (closes: #205553, #230956, #271000) * Remove the mm session handler from the apache1.3 build. Since the files handler now works on all arches, and is configured to be secure by default, mm seems to have outlived its usefulness. (closes: #119902, #149430, #166811, #272463, #232840) * Rename sapi/apache2handler/sapi_apache2.c to mod_php4.c so that directives aren't ambiguous between php4 and php5. * Add Czech translation, thanks to Miroslav Kure (closes: #274038) * Configure CLI with --with-libedit for readline support, and add 027-readline_is_editline.patch, since Debian's libedit headers are not installed in /usr/include/readline (closes: #274031) * libcurl grew a new SONAME somewhere along the way, and upgrading doesn't seem to cause regressions in php4-curl, so upgrade we shall, changing build-deps accordingly (closes: #260389) -- Adam Conrad Mon, 4 Oct 2004 22:57:37 -0600 php4 (4:4.3.8-12) unstable; urgency=high * On new php4-cli installations, if php4-cgi is installed, we copy its php.ini as a starting reference, so that command line scripts that used to work don't start mysteriously failing (closes: #270153) * php4-common has grown a postrm script to make sure we completely clean out and remove /var/lib/php4 during the purge phase. * Optimize garbage collection cronjob to use 'xargs -r -0 rm', so we aren't forking for every session file we delete (closes: #268918) -- Adam Conrad Sun, 5 Sep 2004 19:17:42 -0600 php4 (4:4.3.8-11) unstable; urgency=high * Andres Salomon : - Fix bashism in maxlifetime script (closes: #270015) * Adam Conrad : - Clarify setup instructions in README.Debian for using php4-cgi with the apache and apache2 packages (closes: #228342, #228343) -- Adam Conrad Sat, 04 Sep 2004 23:21:21 -0600 php4 (4:4.3.8-10) unstable; urgency=high * Andres Salomon : - Change frequency of session file cleansing, based on the maximum value of session.gc_maxlifetime from all php.ini files (closes: #269688). - Update README.Debian to mention session cleaning cron job. * Adam Conrad : - Drop php4-cgi from the list of alternate dependencies for the php4 metpackage to smooth upgrades for woody users who have both php4 and php4-cgi installed (closes: #269628, #269348, #269377) - Fix cut-n-paste issue in php4-cli postinst (closes: #269466) - Add 023-4.3.9_array_fixes.patch, which fixes problems with the extract() function misbehaving with multiple element references. - Add 024-4.3.9_glob_fix.patch to fix broken return values from glob() when it succeeds with no matches (closes: #269287) - Add 025-4.3.9_domxml_segfaults.patch, fixing segfaults in the domxml extension when it shares memory space with other libxml2-using libs. - Update the comments in php.ini to point out that, due to dilinger's changes above, session.gc_maxlifetime is honoured by the gc cronjob. -- Adam Conrad Fri, 03 Sep 2004 20:42:56 -0600 php4 (4:4.3.8-9) unstable; urgency=high * Re-introduce the changelog.Debian that went missing in the last upload due to the php4-common move from arch:all to arch:any * Clean up lintian warnings regarding scripts that weren't executable and executables that weren't scripts. * Add a lintian override for the non-standard-dir-perm of /var/lib/php4 * Update to Standards-Version 3.6.1 (no changes, other than the above) -- Adam Conrad Thu, 26 Aug 2004 21:53:27 -0600 php4 (4:4.3.8-8) unstable; urgency=low * Default session.save_path is now compiled in to php4, allowing us to, again, comment out the value in php.ini. * Comment out session.gc_probability in the default php.ini, as we've now compiled in a default of 0, allowing the cronjob to do the garbage collection for us instead. (closes: #267720) * Make the 5 SAPI postinsts smarter, allowing them to poke around in people's configs and make sure that sessions won't be broken after we upgraded them from a perfectly functional system. * Add 022-4.3.9_sprintf_fixes.patch, fixing incorrect formatting of floats with padding by sprintf(). * Make php4-common arch:any, and loosen up some of the other any->all package dependencies to make sure binNMUs won't break. -- Adam Conrad Tue, 24 Aug 2004 03:09:43 -0600 php4 (4:4.3.8-7) unstable; urgency=high * Back out LFS support AGAIN, as we're disabling LFS in apache2 for the Sarge release. (closes: #266869) * Add 021-4.3.9_sybase_ct_fixes.patch, backporting several fixes for the sybase_ct extension from 4.3.9rc1. * Tidy up descriptions a fair bit: - Disambiguate short descriptions of SAPIs. (closes: #244571) - Refresh the (now much longer) lists of built-in modules for each SAPI. - Explain why caudium-php4 can't use any loadable extensions. - Remove silly advertising blurb for Zend, since very few people are still using php3, and those who are can't be convinced to upgrade just by telling them "Hey, it's faster!". - Add Homepage URI to each SAPI description. - Fix typo in php4-domxml description. (closes: #146124) * Make caudium-php4 provide php4-mysql and php4-pgsql, so it can be used with packages that depend on something like "php4, php4-mysql". * Enable --with-mime-magic and make sure all SAPIs depend on libmagic1 to pull in /usr/share/misc/file/magic.mime (closes: #175136) -- Adam Conrad Thu, 19 Aug 2004 18:27:17 -0600 php4 (4:4.3.8-6) unstable; urgency=high * Add libgcrypt11-dev to the build-depends, as something seems to be pulling it in and causing an FTBFS (closes: #265952) * Add 020-4.3.9_overflow_fixes, backporting fix for integer overflows in array_slice(), array_splice(), substr(), substr_replace(), strspn() and strcspn(). * Bump the apache2 build-dep to (>= 2.0.50-9) to ensure we're building against the new ABI-incompatble libapr0, which brings in proper large file support. Bump the apache2 binary dependency as well. (closes: #266210, #266192) * Enable large file support on all SAPIs except for caudium, as I'm not sure how caudium will react to the change, and I don't want to destabilise anything just before release. This change has been heavily tested with apache2/apache/cgi/cli, and all is well there. * Re-enable 019-z_off_t_as_long.patch, which is needed to make sure that LFS-enabled SAPIs can still use zlib file functions correctly. * Rework the apache2 restarting logic to only restart apache2 if apache2ctl configtest succeeds, otherwise kick out a warning to the user. Even then, we run force-reload with ||true, in case apache2 fails to start for other reasons (closes: #264958) * Make php4-gd Provide php4-gd2, so packages which still depend on php4-gd2 are installable (and so packaging frontends can take the provides/conflicts/replaces hint and DTRT with it) * Split php4-cgi to php4-cgi and php4-cli (closes: #227915) - Add php4-cli to debian/control, replaces older php4-cgi versions - php4-cgi depends on php4-cli for smooth transitions - php4-pear now depends on php4-cli (closes: #243214, #221434) - Add php4-cli to list of SAPIs configurable for modules - Munge php.1 manpage to include -cli info - Enable pcntl and ncurses in -cli (closes: #135861, #190947, #241806) * Move all of php4's files to libapache-mod-php4, and make php4 a metapackage that depends on libapache-mod-php4 | libapache2-mod-php4 | php4-cgi | caudium-php4 (closes: #244573, #246654, #244571, #266517) * Include skeleton directory in php4-dev (closes: #95832, #211338) * Include php.ini-recommended in php4-common's examples (closes: #181396) * Move /var/lib/php4 to php4-common and install a cronjob that cleans out old sessions every 30 minutes (closes: #256831, #257111) * Move the libapache-mod-ssl dependency from php4-imap to libapache-mod-php4 to stop irritating users of other SAPIs (closes: #240003, #246887, #263381) * Compile pgsql and mysql support into the caudium SAPI, so it's slightly less useless (closes: #181175) -- Adam Conrad Sun, 15 Aug 2004 19:56:14 -0600 php4 (4:4.3.8-5) unstable; urgency=low * Build-depend on chrpath and use it to nuke rpath from modules during the install target of debian/rules. * Add 018-unix_socket_fd_leak.patch to get rid of UNIX socket file descriptor leak on failed fsockopen() calls. (closes: #257269) * It would seem that if we want LFS support, all SAPIs and all extensions that do file access need to be built with LFS support, and since apache2 currently doesn't have LFS, this presents a problem. As such, I'm disabling LFS accross the board until apache2 supports it. (closes: #263962) * Add 019-z_off_t_as_long.patch, including local headers for zlib, forcing off_t = long for gzip file functions, however disable it for now, as we'll only need it if we reenable LFS (closes: #208608) * Add the Debian package revision as EXTRAVERSION to PHP, so one can more easily tell what version is currently running (for instance, if a user fails to restart Apache after an upgrade of php4, this would become obvious to them in the version banner and in phpinfo() * Fixed up debian/patches, adjusting offsets and adding newlines, so patch stops complaining and applies them cleanly. * libapache2-mod-php4 postinst now forces a reload of apache2, which should get the module properly working in all cases where people previously thought 'apachectl graceful' would cut it. (closes: #241352, #263424, #228343) * debian/rules explicitly sets PROG_SENDMAIL during configure so that builds on buildds with no sendmail installed don't get the mail() function disabled. (closes: #180734) * Enable XMLRPC-EPI support for all SAPIs (closes: #228825, #249368) * Enable sysvmsg support for all SAPIs (closes: #236190) * Enable dbx support for all SAPIs (closes: #229508, #249797) * Nuke aclocal.m4 before we run ./buildconf to ensure we get it regenerated correctly, and we get an up-to-date libtoolization. -- Adam Conrad Mon, 9 Aug 2004 07:47:46 -0600 php4 (4:4.3.8-4) unstable; urgency=low * Drop 016-pread_pwrite_XOPEN_SOURCE_500.patch, as it didn't seem to solve anything, really, and add 017-pread_pwrite_disable.patch, wich completely disables pread/pwrite usage, fixing session support on sparc, and pread/pwrite usage on amd64. (closes: #261311) -- Adam Conrad Mon, 26 Jul 2004 06:15:59 -0600 php4 (4:4.3.8-3) unstable; urgency=low * Steve Langasek : - Give php4-pear a versioned dependency on php4-cgi, due to backwards-compatibility issues (closes: #260924). * Adam Conrad : - Added a debian/watch file for the curious, or people running automated uscan scripts over the entire archive. - Bump libgd2 build-dep to 2.0.28 to buy us guaranteed GIF support in php4-gd (closes: #66293) - Add 015-gdNewDynamicCtx_Add_Ex.patch, which fixes three double-free errors in php4-gd. This, in concert with the librrd0 update (see #261323) should clear up all known segfaults in php4-gd (closes: #220196, #234571, #241270, #246833, #251220, #260790) Thanks to Klaus Reimer for the tip. - Add 016-pread_pwrite_XOPEN_SOURCE_500.patch, which fixes use of pread/pwrite in conjunction with LFS64. This should fix the files session handler on sparc, as well as the amd64 build failure. (closes: #234766, #239420, #261311, #248765) - Clean up debian/rules to remove a bunch of obsolete cruft, as well as introducing an LFSFLAGS, allowing us to easily turn LFS support on and off for each SAPI. - Re-enable LFS for apache 1.3, as it was enable in Woody and we should remain backward compatible. -- Adam Conrad Sun, 25 Jul 2004 18:49:31 -0600 php4 (4:4.3.8-2) unstable; urgency=high * Urgency "high" to make up for the last upload which contained security fixes but was uploaded urgency "low". * Adam Conrad : - Bump debhelper build-dep to >= 3, as we were using DH_COMPAT=3 in debian/rules. Not sure how this was missed for so long. - Add 014-apache2handler_CVS_fixes.patch, which fixes a memory leak in the apache2handler SAPI, as well as a logical mishandling of fatal errors during activation. * Steve Langasek : - Revert large file support, which appears to cause ABI-incompatibilities (and therefore segfaults) for apache2 (closes: #259659). -- Adam Conrad Mon, 19 Jul 2004 20:44:00 -0600 php4 (4:4.3.8-1) unstable; urgency=low * Adam Conrad : - New upstream release (4.3.8). Fixes several security issues: + Fixed strip_tags() to correctly handle '\0' characters. + Improved stability during startup when memory_limit is used. + Replace alloca() with emalloc() for better stack protection. + Added missing safe_mode checks inside ftok and itpc. + Fixed address allocation routine in IMAP extension. + Prevent open_basedir bypass via MySQL's LOAD DATA LOCAL. + Fixes DoS in readfile() function, see CAN-2005-0596. - php4-pear now includes PEAR::Mail 1.1.3 (closes: #257688) - debian/control: change libpng3-dev build-dep to libpng12-dev - Add Turkish debconf translation, thanks to Osman Yuksel. (closes: #252940) * Andres Salomon : - New upstream release (4.3.7). The following patches are dropped: 007-dba_fix.patch 008-xbithack.patch 011-curl_api_update.patch 012-curl_deprecated_opts.patch. - Add 013-force_getaddrinfo.patch, so that getaddrinfo support is always enabled (instead of doing check during build). * Steve Langasek : - Enumerate supported SAPIs in both the module postinst and the module config script, to avoid "question not found" errors from debconf. This doesn't give us automatic support for new SAPIs as they're added, but it avoids trying to configure SAPIs that we don't support (e.g., caudium), and it also sidesteps shell syntax errors caused by strangely-named subdirectories. - Remove apache2 from the TODO list, because it's done (closes: #243793). - Add /var/lib/php4 to the list of directories for the apache2 module, so we don't end up with a missing session dir (closes: #240962). - s/modules-config/apache-modconf/, now that the canonical name of the apache-common tool has changed - Drop references to php3 in README.Debian, and document the simplified process for enabling php4 in apache 1.3 (closes: #244564). - Enable large files support for all SAPIs (closes: #249500). - Fix commented-out default include path in php.ini (closes: #250274). -- Adam Conrad Wed, 14 Jul 2004 18:06:42 -0600 php4 (4:4.3.4-4) unstable; urgency=low * Drop apache2 work-around patch and add build-dep on apache2 2.0.48-8, now that #228840 is fixed. * Fix FTBFS problem caused by curl api changes, adding patches 011 and 012 (closes: #239159). * Add phpapi Provides for libapache2-mod-php4 (closes: #240386). * Add versioned build-dep for pcre, as apache2 has proven that pcre-3.9 and older won't work (closes: #215069). * Tighten build-dep versions to match upstream's autoconf version checks (closes: #214060). -- Andres Salomon Fri, 26 Mar 2004 23:27:27 -0500 php4 (4:4.3.4-3) unstable; urgency=low * Andres Salomon : - Fix incorrect php.ini path in CLI manpage (closes: #233757). - Add libapache2-mod-php4 module (closes: #214611). * Updated Japanese debconf translation; thanks to Kenshi Muto (closes: #222424). * Build php4-gd against libgd2-xpm, removing the need for a separate php4-gd2 package (closes: #235390, #206045, #135664). * Add new Catalan debconf translation; thanks to Aleix Badia i Bosch (closes: #236630). * Add new Spanish debconf translation; thanks to Carlos Valdivia Yagüe (closes: #235052). -- Steve Langasek Sat, 28 Feb 2004 12:11:57 -0600 php4 (4:4.3.4-2) unstable; urgency=low * Add build-depends on autoconf, missed earlier (closes: #235012). * Minor updates to README.Debian list of supported extensions. * Fix integer size mismatch in snmp extension affecting 64-bit platforms -- Steve Langasek Thu, 26 Feb 2004 22:25:27 -0600 php4 (4:4.3.4-1) unstable; urgency=low * New upstream version. Update local patch set accordingly, with help from Andres Salomon . - includes fix for snmpget() not closing its socket (closes: #207363). * Update build-depends to libdb4.2-dev, to match apache-dev (closes: #231692). * Drop translations of stale templates, and add new German debconf translation; thanks to Alwin Meschede (closes: #232270). * Add new Danish debconf translation; thanks to Claus Hindsgaul (closes: #233887). * Move local patches into debian/patches/ for easier management, and add debian/rules targets for build-time application of patches. * Fix a problem with PHP "xbithack" causing ini scope leakage (closes: #230047). * Re-enable the openssl extension statically, since we now know for sure that the php4-imap problems are a glibc bug (closes: #197450). * Fix pear to set /usr/bin/php4 instead of /usr/bin/php for the value of php_bin, so PEAR-managed scripts work correctly (closes: #228381). In addition, use alternatives for /usr/bin/php for the benefit of user scripts (closes: #185283). * Set the default session save_path to /var/lib/php4 instead of to /tmp, and create this directory such that all users (for php4-cgi) can create files there and access their own files once created, but not see the names of other files in the directory (closes: #139810). * Drop our override of upstream's register_globals default (closes: #230878). -- Steve Langasek Sat, 14 Feb 2004 10:23:24 -0600 php4 (4:4.3.3-5) unstable; urgency=low * Have php4-pear Suggest: php4-dev, for PECL extensions (closes: #225969). * Recompiled against the new version of libxslt, to get rid of the dependency on libxsltbreakpoint (closes: #224806). * Also recompiled against the new version of libc-client (closes: #227347). * Fix pear to not expect to be able to twiddle locks when running as non-root, which also seems to fix a memory utilization problem (closes: #225026). * Make php4-imap depend on libapache-mod-ssl, since this seems to be the only reliable way of getting apache to stop segfaulting. * Build-depend on libt1-dev, which replaces t1lib-dev. -- Steve Langasek Mon, 5 Jan 2004 22:53:18 -0600 php4 (4:4.3.3-4) unstable; urgency=low * Fix prerm script to remove mod_php4, *not* mod_perl, from the config (Closes: #216889). * Use /etc/$i/httpd.conf instead of /etc/$i to decide whether to call modules-config. * Don't invoke debconf unless we have to in the postinst, to reduce the risk of interactions between modules-config and our questions. * Add Dutch debconf translation; thanks to Tim Dijkstra (closes: #221439). * Sync dba lock handling against upstream CVS HEAD, to fix a bug with truncating db4 files when opening with 'c' (create). (Closes: #221559). -- Steve Langasek Tue, 21 Oct 2003 16:49:03 -0500 php4 (4:4.3.3-3) unstable; urgency=low * Disable -gstabs on ia64, since this debugging symbol type is apparently unknown there; we should now have clean builds (with appropriate debugging symbols) on all archs. -- Steve Langasek Mon, 20 Oct 2003 19:07:40 -0500 php4 (4:4.3.3-2) unstable; urgency=low * Don't call db_stop in the postinst, as this seems to cause problems for modules-config (closes: #215663, #215584). * Remove duplicate -prefer-pic flag on caudium build, in hope of making libtool do something sensible on ia64,hppa (closes: #216020). * Always build with debugging symbols, per current policy. * Unconditionally call dh_strip, which knows about DEB_BUILD_OPTIONS; and call install -s when installing shared extensions by hand. * Fix upstream build rules to not call libtool --silent. -- Steve Langasek Wed, 15 Oct 2003 23:19:55 -0500 php4 (4:4.3.3-1) unstable; urgency=low * New upstream release. * Add Japanese debconf translation; thanks to Kenshi Muto (closes: #211961). * Fix caudium handling to always grab the current pike version from dpkg when constructing include paths (closes: #212585). * Bump the c-client build dependencies to use the new -dev package name. * Convert php4 postinst/prerm scripts to use the new apache modules-config interface. -- Steve Langasek Sun, 21 Sep 2003 17:26:31 -0500 php4 (4:4.3.2+rc3-6) unstable; urgency=low * Add Brazilian Portuguese debconf translation; thanks to André Luís Lopes (closes: #207078). * Catch debian/control up with debian/rules for the zendapi -> phpapi transition. -- Steve Langasek Sun, 31 Aug 2003 20:35:57 -0500 php4 (4:4.3.2+rc3-5) unstable; urgency=low * Kill the lintian warning on the grammar in the copyright file. * Redirect apacheconfig I/O to /dev/tty, to work around debconf behavior (for real this time). Closes: #207468, #206404. * Replace 'zendapi' with 'phpapi', since the former does not accurately describe the ABI changes that affect modules and can leave some packages installable but broken (closes: #208020). Also, remove the versioned conflicts with php4-{mysql,pgsql}, since this now supersedes. * Add French debconf translation; thanks to Michel Grentzinger (closes: #207662). -- Steve Langasek Sat, 23 Aug 2003 21:43:24 -0500 php4 (4:4.3.2+rc3-4) unstable; urgency=low * Have all php extensions automatically detect and configure for any installed SAPIs (closes: #143436). * Remove spurious dependencies from php4-dev, and replace autoconf2.13 with autoconf (closes: #180497). * Conflict with old php4-pgsql as we do with php4-mysql, as it manifests the same bug. * Add preliminary rules for building apache2 SAPI, but don't enable. * Call db_stop before trying to run apacheconfig (closes: #206404). * Check for the existence of /etc/php4 before trying to rmdir it, since there are apparently those who remove such directories prematurely (closes: #206120). -- Steve Langasek Sun, 17 Aug 2003 00:19:38 -0500 php4 (4:4.3.2+rc3-3) unstable; urgency=low * Fixes for spurious package dependencies * Fix the paths emitted by php-config, so we can build php4-pgsql et al. -- Steve Langasek Fri, 15 Aug 2003 23:44:55 -0500 php4 (4:4.3.2+rc3-2) unstable; urgency=low * Make sure pear.conf is properly marked as a conffile, by bumping DH_COMPAT to 3. * Generate all per-extension postinsts/prerms at build time, instead of managing them by hand. * Get rid of bogus, non-FHS directories from the caudium build. * Install the upstream php manpage in the php4-cgi package (closes: #175836). * Prevent null dereferencing in ldap_explode_dn() (closes: #205405). * Hard-code /usr/share/pear at the end of the include path, for backwards compatibility. * Debconf support for PHP extension registration, including po-debconf support (closes: #122353). * Fix interpreter path in /usr/bin/pear. * Make php4-pear depends: php4-cgi (closes: #182393). -- Steve Langasek Wed, 13 Aug 2003 22:39:08 -0500 php4 (4:4.3.2+rc3-1) unstable; urgency=low * New upstream version. - includes fix for buffer overflow crashes in imap module (closes: #191640) - includes fix for dysfunctional open_basedir directive (closes: #197803) - include fix for various XSS vulnerabilities (closes: #200736) * Recompile against newest libc-client libs, following another soname change (closes: #199049) * Replace db2 with db4. * Trim down the cgi sapi rules, since it will now build both cli and cgi for us by default. * Kludge the caudium sapi, by hard-coding the include path we need for pike headers. * Copy the lex/yacc-generated .c and .h files into the build directories, since generating them at build time gives wildly different, and undisputably broken, results. * Update the install rules so they're compatible with current upstream handling of pear and the various SAPIs. * Add '=shared' to the --enable-xslt option, to get the right results for that extension. * Move PEAR extensions from /usr/share/pear to /usr/share/php. * Conflict with php4-mysql=4:4.2.3-14, due to bizarre Zend errors. -- Steve Langasek Wed, 6 Aug 2003 22:43:28 -0500 php4 (4:4.2.3-14) unstable; urgency=low * Disable openssl extensions AGAIN. It appears that this double-linking mess is still causing nasty segfaults. (closes: #188014, #188025, #188058, #189202, #189653) -- Adam Conrad Sun, 20 Apr 2003 17:31:59 -0600 php4 (4:4.2.3-13) unstable; urgency=low * Revert NET-SNMP patch and build php4-snmp against UCD-SNMP again (closes: #185534) * Build against libmm13, as libmm12 no longer exists (closes: #187401) * Rebuild caudium-php4 against latest caudium-dev * Re-enable openssl linking and functions, now that our glibc 2.3 problems appear to be ironed out. * Enable xslt and exslt support in php4-domxml (closes: #172881) -- Adam Conrad Thu, 3 Apr 2003 05:53:24 -0700 php4 (4:4.2.3-12) unstable; urgency=low * Rebuild php4-sybase against libct1 (closes: #184461) -- Steve Langasek Sat, 8 Mar 2003 20:03:33 -0600 php4 (4:4.2.3-11) unstable; urgency=low * Remove pike header location detection from debian/rules and do it properly in sapi/caudium/config.m4, using pike7.2-config --version -- Adam Conrad Mon, 3 Mar 2003 23:33:26 -0700 php4 (4:4.2.3-10) unstable; urgency=low * Added patch to build with NET-SNMP 5.x * Updated build-dep for libc-client to 2003debian (closes: #181565, #182854, #169886) * Updated build-dep for libcurl to libcurl2-dev (closes: #179722) * Added -mieee to alpha build to solve FPE errors (closes: #180656) * Removed arch-specific logic to build with gcc-3.2 on arm, since gcc-3.2 is now the default compiler on all architectures. * Add libwrap0-dev to the end of the build-depends to work around #183041. Someone remember to remove this later when the bug is fixed. :) * Build against newer libsablot0-dev (closes: #179886, #181550) * Introduce ugly hack in debian/rules to get the pike includes directory right for the caudium SAPI. -- Adam Conrad Sun, 2 Mar 2003 12:49:07 -0700 php4 (4:4.2.3-9) unstable; urgency=low * Fix caudium-php4 to not conflict with php4-pear (closes: #175415). -- Steve Langasek Sun, 5 Jan 2003 16:40:20 -0600 php4 (4:4.2.3-8) unstable; urgency=low * Fix typo in debian/rules * Rebuild to bring in sync with latest caudium packages -- Adam Conrad Wed, 25 Dec 2002 20:00:59 -0700 php4 (4:4.2.3-7) unstable; urgency=low * Set a sane default for safe_mode_exec_dir (closes: #122920). * Rebuild against libmm-dev on i386, instead of against the no-longer-available libmm11-dev which Provides: the same (closes: #173509). -- Steve Langasek Mon, 16 Dec 2002 22:48:40 -0600 php4 (4:4.2.3-6) unstable; urgency=low * Build with PEAR for all SAPIs, so that the built-in include_path is set correctly (overkill?). Closes: #169786, #172321 * Change section of php4-dev package to devel. * Add libkrb5-dev to build-depends, since libc-client2002-dev doesn't pull it in (closes: #173313). * Depend on coreutils instead of fileutils, since the latter is now an empty package (closes: #171265). -- Steve Langasek Sun, 15 Dec 2002 23:20:30 -0600 php4 (4:4.2.3-5) unstable; urgency=low * Fix (snip, snip) the upstream build scripts, so that libphp4.so isn't worthlessly linked against the problematic openssl libs (closes: #165699, #165718, #165719, #166414). * Update config.{sub,guess} so that the package builds on mips platforms (closes #173218) * Replace libc-client-ssl2001-dev with libc-client2002-dev in build dependencies, fixing various php4-imap segfaults (closes: #169610, #169769). -- Steve Langasek Sun, 15 Dec 2002 19:42:43 -0600 php4 (4:4.2.3-4) unstable; urgency=low * Remove build dependency on non-extant libmagick5-dev, which is no longer used anyway (closes: #169829, #172402). * Add myself to the Uploaders: field of the control file. -- Steve Langasek Sat, 14 Dec 2002 12:52:06 -0600 php4 (4:4.2.3-3) unstable; urgency=low * Backport a patch from CVS to sanitize control characters in php_url_parse() to prevent ASCII control injection in fopen() calls. -- Adam Conrad Thu, 12 Sep 2002 16:29:46 -0600 php4 (4:4.2.3-2) unstable; urgency=low * I'm a moron (thanks to James Troup for pointing this out). * Change gcc-3.1 references in debian/rules to gcc-3.2. * Change GD build-dep to libgd-xpm-dev until GD package mess is worked out. -- Adam Conrad Tue, 10 Sep 2002 12:18:21 -0600 php4 (4:4.2.3-1) unstable; urgency=low * New upstream version * Added a patch from Ginger Alliance to eliminate warnings in xslt compile * Messed with the php4-imap build: - compiling with SSL support (closes: #122700) - commented out the static-on-i386 hack, libc-client is now linked dynamically * Sessions should finally be fixed, however I won't tag the bugs "woody" until I know for sure. (if you were affected, please test and send followups to me) * Updated arm build-dep to use gcc-3.2 since gcc-3.1 is gone now. -- Adam Conrad Tue, 10 Sep 2002 09:02:51 -0600 php4 (4:4.2.2-3) unstable; urgency=low * Fix typo resulting in php4-odbc not having a postinst (closes: #157116, #157927) * Build against latest caudium-dev to made caudium-php4 installable again. (closes: #158247) * Update build-deps to swap libpng3 for libpng2. (closes: #158908) -- Adam Conrad Sat, 7 Sep 2002 01:22:57 -0600 php4 (4:4.2.2-2) unstable; urgency=low * Pulled --with-ndbm out of ./configure, as libc6 no longer ships with headers or the library for db1 (closes: #156141, #155889) * Update build deps to build against libmm12 (closes: #155042) * php4-curl no longer depends on libcurl2-ssl (closes: #155015) -- Adam Conrad Sat, 10 Aug 2002 01:12:47 -0600 php4 (4:4.2.2-1) unstable; urgency=medium * New upstream * Fixes input validation vulnerability in rfc1867.c (closes: #153850) * Added missing prerm/postinst for php4-xslt (oops) -- Adam Conrad Mon, 22 Jul 2002 11:58:53 -0600 php4 (4:4.2.1-3) unstable; urgency=low * Yet more build fixes. This time, bump the arm build-dep from gcc-3.0 to gcc-3.1 to avoid compiler errors. I love the arm toolchain. No, really. -- Adam Conrad Wed, 29 May 2002 17:40:30 -0600 php4 (4:4.2.1-2) unstable; urgency=low * Applied small patch to fix building on non-32-bit architectures (closes: #148231) * Added still /more/ documentation about the unserializer, sessions, and the session.save_handler php.ini option. -- Adam Conrad Sun, 26 May 2002 14:43:55 -0600 php4 (4:4.2.1-1) unstable; urgency=low * The "When is Debian going to have new software like XF^H^HPHP 4.2?" release. * Probably the last update (barring huge packaging bugs or plain broken binaries) before starting on a complete reorg of the PHP packages. * Deserializer now works on big-endian architectures (addresses bug #121391 and probably others) * This release probably fixes a whole bunch of bugs. Will be going through the bug list and playing the reproducibility game after the upload. * Default include_path in php.ini now set to include pear. * Upstream default for register_globals HAS CHANGED. In the Debian php.ini we are still using "register_globals = On" for compatibility reasons, however our packages will change too. This is a warning for anyone packaging PHP scripts and applications to make sure you'll be compatible with the new default once it's set. -- Adam Conrad Sun, 26 May 2002 06:24:21 -0600 php4 (4:4.1.2-4) unstable; urgency=high * No binaries were harmed in the making up this upload. * Updated README.Debian and changelog. All other files untouched, as the binaries were merely unpacked and repacked. - Added a note to README.Debian about how to properly set up Apache for use with php4, if the installation didn't (and it usually doesn't ) get it right. - Added a note to README.Debian about the unserializer (and sessions) being messed up on big endian architectures. It's too late to try to get a proper fix in for this, so we're just going to have to cope. -- Adam Conrad Fri, 26 Apr 2002 12:27:40 -0600 php4 (4:4.1.2-3.1) unstable; urgency=low * The 'I broke it, I have to take credit for it' release. * Rebuild the package to get proper binary dependencies on alpha. -- Steve Langasek Sun, 31 Mar 2002 17:13:09 -0600 php4 (4:4.1.2-3) unstable; urgency=low * Switched to --with-regex=php (from =system). This fixes all the problems with eregi/parse_url/fopen/etc on Alpha. * Cleaned up long descriptions (closes: #130977, #130954) -- Adam Conrad Wed, 27 Mar 2002 15:11:43 -0700 php4 (4:4.1.2-2) unstable; urgency=low * New maintainer (closes: #132980) * Enabling unixodbc support (closes: #107201) * Changed the install-modules target in build/rules_pear.mk so that it will error out in the case of an empty modules directory or failure to install modules (closes: #135304) -- Adam Conrad Tue, 12 Mar 2002 00:25:41 -0700 php4 (4:4.1.2-1) unstable; urgency=high * New upstream version with a security fix. This supercedes 4.1.1-2.2 from Steve Langasek: * Fix an error in the handling of MIME file upload headers, which left open a potential security hole. (Closes: #136063) * Fixed gcc-3.0 fix :-) * Thanks for fixing apache-common fix * This version should fix session bugs with upstream fix (closes: #133877) * With a brutal change to main/SAPI.c try to fix(?) authorize bugs -- Petr Cech Thu, 28 Feb 2002 11:14:26 +0100 php4 (4:4.1.1-2.1) unstable; urgency=low * Non-maintainer upload. * loosen apache-common dependency to make us forwards-compatible, as recommended by the apache maintainer. * use gcc-3.0 when building on arm, because the default toolchain on that arch has Issues (closes: #135906, #135913). -- Steve Langasek Tue, 26 Feb 2002 09:59:49 -0600 php4 (4:4.1.1-2) unstable; urgency=medium * Rebuild with apache 1.3.23. * This package is in maintainer change mode. Though I orphaned it I'm not going to change maintainer to QA, because we already have fresh blood. * ext/gd/gd.c: s/HAVE_GD_GIF/HAVE_GD_GIF_CREATE/ to build correctly with libgd which has GIF support (fixed included upstream) * debian/control: - Build-Depends: s/libgd1g-dev/libgd-dev/ also libc-client at least version 4:2001adebian-6 to fix some segfaults * ext/standard/head.c: make the setcookie() thingie test more simple -- Petr Cech Mon, 11 Feb 2002 20:07:22 +0100 php4 (4:4.1.1-1) unstable; urgency=high * New upstream bugfix release. * debian/control: php4-gd - Conflicts/Replaces: php4-gd2 if I ever get to upload it * debian/rules: Correctly supply modified CFLAGS to build process -- Petr Cech Fri, 28 Dec 2001 23:23:47 +0100 php4 (4:4.1.0-2) unstable; urgency=low * debian/php4-cgi.README.Debian: fix typo (closes: #123866) * debian/rules: remove --enable-mbstr-enc-trans as it breaks parametr parsing (closes: #121403) * debian/README.Debian: document shmmax increase (closes: #119688) -- Petr Cech Fri, 14 Dec 2001 09:59:59 +0100 php4 (4:4.1.0-1) unstable; urgency=high * Finally final 4.1.0 * Urgency to reflect previous version * debian/control: php4-pear depends on php4-cgi -- Petr Cech Thu, 13 Dec 2001 23:09:54 +0100 php4 (3:4.1-2) unstable; urgency=high * FIxes from CSV 4.1.0RC5. Looks like it was not the release after all. * ext/exif/exif.c: MFH * ext/ldap/ldap.c: small crash fix from HEAD * and misc tiny changes. Really :-) * ext/imap/php_imap.c: HIGH. fix from CVS (imap_rfc822_parse_adrlist) changing the argument -- Petr Cech Sun, 9 Dec 2001 00:01:37 +0100 php4 (3:4.1-1) unstable; urgency=medium * Final 4.1.0 (not released) * NEWS: s/4.0/4.1/ * Build with GD1. It should fix some GD bugs, as gd 2.0.1 is supposed to be a beta version with known bugs. How should I know. * sablot extension removed upstream. So use XSLT (C/R in place) * Apply fix for file_exists() from tilo (closes: #114409) * "Cannot redeclare" were fixed in previous RCs (closes: #112341) * previous version is build in hppa and ia64, so I assume it (closes: #115391) * Add note to sybase_ct, that it conflicts with mod_gzip folowing a user report. * This should fix the "final HTML> stripped" bug that was introduced in 4.0.6-3. (closes: #110415). * add --enable-ucd-snmp-hack to try to fix segfaults with ucd-snmp -- Petr Cech Mon, 26 Nov 2001 14:56:50 +0100 php4 (3:4.0.100-1) unstable; urgency=low * Really a 4.1.0RC2 * Remove hack for apache 1.3.14, as we build-depends on 1.3.22 anyway * Build-depends: libexpat1 (>= 1.95.2-2.1) for the .1 * Added Provides: zendapi-$version to php4 and php4-cgi * Made modules depend on zendapi-$version instead of php4|php4-cgi. Please use this in your php4-$module packages * Apply c-client hack only to i386 most architectures don't support linking both PIC and non-PIC code. I'm still affrai to do this on i386, as it crashes a lot more :( * Apply some CVS patches -- Petr Cech Wed, 14 Nov 2001 20:50:19 +0100 php4 (3:4.0.99-4) unstable; urgency=medium * Recompile because of new version of caudium. (I really hope this gets into testing soon as php in testing now doesn't do apache 1.3.22) -- Petr Cech Fri, 9 Nov 2001 11:11:46 +0100 php4 (3:4.0.99-3) unstable; urgency=medium * Recompile for new libexpat1 (closes: #116623 and others) * upstream: ext/gd/gd.c, ext/iconv/iconv.c * crypt(): defalt to using DES crypt() (closes: #117092) * debian/rules: disable libmm in -cgi build. Will lesser the impact of the infamous /tmp/session_mm.reg * apply patch to Zend, which should fix the "cannot redeclare" error. It's still a bug in your code though (use include_once). More changes to this are comming (upstream). * Add some documentation to sybase -- Petr Cech Mon, 22 Oct 2001 11:20:46 +0200 php4 (3:4.0.99-2) unstable; urgency=low * "Some days are just no good" release. * Recompile with apache 1.3.22 from Incoming * Deal with automake going to 1:1.4 and automake1.5 -- Petr Cech Fri, 19 Oct 2001 15:02:00 +0200 php4 (3:4.0.99-1) unstable; urgency=low * This is really 4.1.0RC1, but ... * Applied setcookie(), which is not in upstream yet -- Petr Cech Fri, 19 Oct 2001 12:05:20 +0200 php4 (3:4.0.6.7rc3-3) unstable; urgency=medium * Fix dependency in caudium-php4. Sorry for this -- Petr Cech Fri, 19 Oct 2001 11:28:07 +0200 php4 (3:4.0.6.7rc3-2) unstable; urgency=medium * Recompile with recent caudium/pike. Please, no new version so it can get into testing :) * debian/control: move php4-pear to suggests * Fix setcookie() again. I really hate this bug * Build-Depends: re2c - it's usually not needed, but if you make some strange changes to the parser ... * FIx automake 1.5 build problems (I hope) -- Petr Cech Thu, 18 Oct 2001 12:03:39 +0200 php4 (3:4.0.6.7rc3-1) unstable; urgency=low * New upstream test release. -- Petr Cech Fri, 5 Oct 2001 09:23:35 +0000 php4 (3:4.0.6.7rc2-3) unstable; urgency=low * "Let's try to fix some bugs" release. * Add some patches: ldap (does this fix things?), pgsql, domxml * Build-Conflicts: automake (>= 1.5) for now -- Petr Cech Tue, 2 Oct 2001 10:55:23 +0200 php4 (3:4.0.6.7rc2-2) unstable; urgency=low * Enable recode extension (the library is LGPL) - shared * Enable iconv extension - in main php4. Experimental * Build-Depends: s/libgd-dev/libgd2-dev/ * Build-Depends: libxml2-dev (>= 2.4.2) (Closes: #112304) and fix autoconf macros (Closes: #113980) * Improve?? description of PEAR (Closes: #112432) -- Petr Cech Sat, 22 Sep 2001 10:37:42 +0200 php4 (3:4.0.6.7rc2-1) unstable; urgency=medium * 2nd release candidate * ext/mbstring: fix compile (cp1252) * ext/standard/url_scanner_ex: off by one * WARNING: caudium builds with Zend Threading enabled, but other modules don't. So you cannot safely use DSO with caudium * Added some Build-Conflicts - with broken libmysqlclient - with libtool 1.4b -- Petr Cech Mon, 10 Sep 2001 18:04:27 +0200 php4 (3:4.0.6-6) unstable; urgency=medium * The "Paul Hampson fixes release". * Closed those atexit() bugs. Now to find out, how to make libtool link with gcc instead of ld :(( * ext/standard/head.c: Fix setcookie("bla) (closes: #109524, #109697) Thanks to Paul Hampson for finding the cause, though I've used another fix - fixed changes in CVS made in -3 I think. Silly me to think, that all "small" changes are fixes. * libc-client2001 was fixed in -5, so add a (closes: #109202) here * Conflicts: only with libtool 1.4b-{1,2,3}. libtool 1.4.1 is OK -- Petr Cech Sat, 1 Sep 2001 20:59:40 +0200 php4 (3:4.0.6-5) unstable; urgency=low * Recompile for libc-client2001 (I hope it doesn't break anything else) And many other libraries. * ATTENTION. php4 still doesn't work with autoconf 2.52 and thus libtool 1.4b!! You have to get libtool 1.4 to be able to use phpize. -- Petr Cech Wed, 22 Aug 2001 23:26:08 +0200 php4 (3:4.0.6-4) unstable; urgency=high * Add pear/CODING_STANDARDS into php4-pear (fixes 105574. closed too early. sorry) * Fix the nasty segfaults with mail(). That'll teach me taking upstream changes without looking. Thanks Cvetan Ivanov for the correct fix (also upstream now) (closes: #105686, #105878). -- Petr Cech Fri, 20 Jul 2001 23:07:30 +0200 php4 (3:4.0.6-3) unstable; urgency=high * ext/standard/mail.c: security fix * debian/control: Build-Depends: libtool (>= 1.4) * ext/curl/curl.c: fix typo * ext/gd/config.m4: fix typo * ext/mcrypt/mcrypt.c: upstream buffer overflow fix * ext/mhash/mhash.c: upstream buffer overflow fix * ext/pgsql/pgsql.c: fix * ext/posix/config.m4: check for getpgid * ext/sablot/sablot.c: fix leaks * ext/standard/url* : fixes * ext/sysvshm/sysvshm.c: fixes * Zend/*: small fixes -- Petr Cech Fri, 13 Jul 2001 16:21:04 +0200 php4 (3:4.0.6-2) unstable; urgency=low * pear/Makefile.in: add IT_Error.php to installed files (closes: #103087) * debian/control: - allow also libcurl-ssl-dev as Build-Depends (closes: #103618) - libfreetype6-dev to Build-Depends - add auto* suite to php4-dev depends (closes: #104199) * debian/rules: - build gd module with freetype2 support - move common ./configure flags to COMMON_CONFIG - build with mbstring support -- Petr Cech Fri, 13 Jul 2001 08:22:02 +0200 php4 (3:4.0.6-1) unstable; urgency=medium * New upstream release. * NOTE: new extension will probably be in another upload, to get this into testing ... -- Petr Cech Mon, 25 Jun 2001 20:43:24 +0200 php4 (3:4.0.5.6rc3-3) unstable; urgency=low * The "I hate sablot release". Recompile with 0.60 * debian/php4-domxml.postrm: also fix the :: (closes: #101306) * debian/rules: --enable-ctype - still EXPERIMENTAL!!! Bug upstream -- Petr Cech Mon, 18 Jun 2001 09:46:17 +0200 php4 (3:4.0.5.6rc3-2) unstable; urgency=low * ext/sablot/config.m4: link sablot.so with -lsablot, not main php4 * build/ ... : upstream fix for building with automake 1.4-pX * don't fail, when libssl-dev is not installed. sigh -- Petr Cech Thu, 14 Jun 2001 23:36:34 +0200 php4 (3:4.0.5.6rc3-1) unstable; urgency=low * New upstream test release. * Recompile with apache 1.3.20 * debian/control: - php4-dev: Depends: bison, flex (closes: #100634) - Build-Depends: libcurl-dev (>=7.8) * debian/rules: - add --enable-bcmath to all rules (closes: #100491) * Zend/zend.c: apply upstream fix to allow building of caudium -- Petr Cech Tue, 12 Jun 2001 22:27:26 +0200 php4 (3:4.0.5.6rc2-1) unstable; urgency=low * New upstream test release. * FIx regex/regex.h (int regoff_t) * fix php4-cgi build with pcre - don't use supplied pcre * Fix wddx support (closes: #99468) * Add missing $(INSTALL_ROOT) to sapi/caudium/config.m4 -- Petr Cech Fri, 8 Jun 2001 11:37:07 +0200 php4 (3:4.0.5.6rc1-1) unstable; urgency=low * New upstream test release with new bugs :)) * moved pear from /usr/lib/php4 to /usr/share/php4 * Whups. Sorry about the epoch 3: . It somehow slipped in, so I'll have to live with it -- Petr Cech Wed, 16 May 2001 14:14:04 +0200 php4 (3:4.0.5-2) unstable; urgency=low * Build-Depend on newer libmhash-dev, as it supposedly doesn't compile on current woody (closes: #96555) * Build-Depends: s/freetype2/libttf-dev/ * Stop building php4-pgsql - move to non-US * Build-Deps on new libsablot0 -- Petr Cech Thu, 10 May 2001 10:43:02 +0200 php4 (3:4.0.5-1) unstable; urgency=medium * New upstream release. * recompile with new sablot - how I hate this (closes: #95401) * Merge XML into main php4 * Reword README.Debian (closes: #89667) * Enable wddx * debian/*.postinst: * only ask upon first install, not upgrade (closes: #93452) * fix typos (closes: #94118) * Added support for Sybase/MS SQL Server (using FreeTDS) using patch from: http://rpms.arvin.dk/php/source/patches/php-sybase_ct.patch thanks to Bradley Bell for the patch * ext/pcre : two upstream fixes * ext/sablot/sablot.c: small upstream fix * build/buildcheck.sh : fixes to allow compile with libtool 1.4 * ext/standard/exec.c: upstream fixes * sapi/apache/mod_php4.c: off by one fix * sapi/cgi/cgi_main.c: fix POST bug * main/snprintf.c: upstream fix -- Petr Cech Wed, 3 May 2001 22:17:10 +0200 php4 (4.0.4.5rc6-2) unstable; urgency=low * Build-depends: libcurl-dev will pull libcurl2 (closes: #92994) * TSRM/TSRM.c: upstream fix * ext/pgsql: upstream fix -- Petr Cech Thu, 5 Apr 2001 17:51:09 +0200 php4 (4.0.4.5rc6-1) unstable; urgency=low * New upstream test release. * Don't mention CGI support, as it's not so for a long time. -- Petr Cech Wed, 4 Apr 2001 13:47:45 +0200 php4 (4.0.4.5rc5-1) unstable; urgency=low * New upstream test release. * ask about /etc/php4/cgi/php.ini also * It's really recompiled for 1.3.19 (closes: #91901, #91822) * problems with modules documented (closes: #81141, #82611) -- Petr Cech Mon, 2 Apr 2001 09:38:16 +0200 php4 (4.0.4.5rc3-1) unstable; urgency=low * New upstream RC release * debian/rules: s/with-yp/enable-yp/ to really enable YP support. Discovered on broken potato upload. -0potato2 is fixed * Looks like there was a bug in latest build, this should fix it (closes: #92018) * remove libmcal0 workaround -- Petr Cech Wed, 28 Mar 2001 21:15:36 +0200 php4 (4.0.4.5rc2-1) unstable; urgency=low * New upstream release test release 4.0.5RC2. * debian/rules: Add lintian overrides * debian/control: * add libexpat1-dev to Build-Depends * add libmcal0 to Build-Depends since libmcal0-dev is missing this dependancy :(( Bug filled * ext/socket/socket.c: minor upstream patch -- Petr Cech Mon, 26 Mar 2001 20:43:49 +0200 php4 (4.0.4pl1-6) unstable; urgency=low * NEVER RELEASED * Build-depends on libcurl1-dev (>= 7.6.1-5), which fixes the libcurl1 or libcurl1-ssl problem. * remove dh_testversion and use versioned Build-depends instead -- Petr Cech Tue, 13 Mar 2001 23:20:58 +0100 php4 (4.0.4pl1-5) unstable; urgency=low * Add lintian overrides * Rebuild with correct libgd-dev installed. Sorry (closes: #88490, #88255, #88371, #88619, #88635) * Closed by fixed libjpeg (closes: #85865, #88141) -- Petr Cech Tue, 6 Mar 2001 17:26:41 +0100 php4 (4.0.4pl1-4) unstable; urgency=low * The "Enable what you can" release. * Enable sablot extension (many files) (closes: #84073) * Enable mcal extension (finaly closes: #65688, #85925) * Build-Conflicts: bind-dev - this supposedly causes unresolved symbols. Why? * ext/pgsql/pgsql.c: apply tiny patch, which should fix postgres problems. There is a better patch in CVS, but it needs changes to Zend * pear/pear.in: binary is php4 no php (closes: #87848) * ext/domxml/config.m4: link with -lxml2 (closes: #87457) * debian/README.Debian: add notes about ldap, imap and mhash extensions * debian/{control,rules}: activate bz2 extension * php4.ini-dist: comment out include_path so php will use compiled in path (closes 2nd part of 87848) -- Petr Cech Wed, 28 Feb 2001 10:18:11 +0100 php4 (4.0.4pl1-3) unstable; urgency=medium * Fixed postrm issues. Sorry -- Petr Cech Sun, 4 Feb 2001 06:13:00 +0100 php4 (4.0.4pl1-2) unstable; urgency=medium * debian/control: Build-depends: xlibs-dev (seems it's missing and causes failed builds for arm, m68k and powerpc) s/libsnmp4.1/libsnmp4.2/ (closes: #84139) * debian/php4.*: make LoadModule matching case insensitive (fixes 83641 for unstable) -- Petr Cech Wed, 31 Jan 2001 10:14:29 +0100 php4 (4.0.4pl1-1) unstable; urgency=high * New upstream version. * This release fixes some security problems. * Some patches from previous versions are not here. * debian/control: Build-depends on newer libcurl1-dev, remove librecode-dev * debian/control: add libjpeg62-dev to build-depends from powerpc buildlog (hmm. Where ir Roman?) * debian/php4{,-cgi}.postinst: don't mark php.ini as conffile and install it when it doesn't already exist. I should find a way to check, that the default php.ini changed and user should update it. * debian/php4{,-cgi}.postrm: cleanup the /etc/php4 dir after purge * fix xml.so not working with php4-cgi -- Petr Cech Thu, 23 Jan 2001 11:12:59 +0100 php4 (4.0.4final-6) unstable; urgency=medium * OK. Now also fix the prerm issues (closes: #81418) and to ease that thanks for submiting bugs (closes: #81818, #81819) * some upstream updates: browsercap, php-config -- Petr Cech Wed, 10 Jan 2001 14:04:19 +0100 php4 (4.0.4final-5) unstable; urgency=medium * OK. Take a deep breath and fix those bloody postinst bugs - fix it and rewrite from ed -> sed, because ed is not essential :( closes: #80801. * apply some upstream fixes. * disable ctype extension - not yet ready -- Petr Cech Tue, 2 Jan 2001 13:40:35 +0100 php4 (4.0.4final-4) unstable; urgency=low * debian/libc-client.la: add -lpam -ldl -lcrypt * fix php4-cgi.postinst bugs (closes: #80817, #80805, #80801) -- Petr Cech Fri, 29 Dec 2000 11:40:43 +0100 php4 (4.0.4final-3) unstable; urgency=low * Brown Xmas Sock Release * Grr. correctly fix the php4 postinst error (closes: #80303, #80324, #80326, #80359) NMU by Wichert Akkerman (closes: #80381) * also fix php4-cgi. NMU by Marcelo E. Magallon (closes: #80406). * fix fix for php4-cgi postinst s/apache/cgi/ * apply some upstream fixes to ext/session/ * domxml/config.m4: fix my -Lshared,/usr/lib error * debian/rules: * add --enable-ctype to both targets * --diable-pear to CGI target * generate Depends: php4 (=ver) | php4-cgi (=ver) -- Petr Cech Wed, 27 Dec 2000 15:29:56 +0100 php4 (4.0.4final-2) unstable; urgency=low * Run apacheconfig with --force-modules. * Fix stupid bug in php4 and php4-cgi postinst. * ext/sysvshm/sysvshm.c : upstream fix -- Petr Cech Thu, 21 Dec 2000 22:58:27 +0100 php4 (4.0.4final-1) unstable; urgency=low * New upstream version. * Sorry for the version, but da-katie doesn't allow overwriting of files, notably .orig.tar.gz. It's my fault I know, but it worked till now. -- Petr Cech Wed, 20 Dec 2000 01:32:34 +0100 php4 (4.0.4-0RC6.1) unstable; urgency=low * OK. Final final RC for 4.0.4. * Build-depends on libxml2-dev (>= 2.2.7) because php needs this. * Activate ndbm dba driver. -- Petr Cech Sun, 17 Dec 2000 19:43:51 +0100 php4 (4.0.4-0RC5.1) unstable; urgency=low * UNRELEASED. * Final RC for 4.0.4. * Some mods to README.Debian and TODO -- Petr Cech Wed, 13 Dec 2000 00:01:08 +0100 php4 (4.0.4-0RC4.1) unstable; urgency=low * New upstream beta release. Let's stabilize things now and add new modules after final release of 4.0.4. -- Petr Cech Thu, 7 Dec 2000 10:12:11 +0100 php4 (4.0.4-0RC3.2) unstable; urgency=low * recompile with new libc-client200-dev. * fix source recompile * depend on fixed apache 1.3.14-2 -- Petr Cech Thu, 7 Dec 2000 00:49:14 +0100 php4 (4.0.4-0RC3.1) unstable; urgency=low * New upstream beta release. * Add libxml2-dev to build-depends (closes: #78479). * implement DEB_BUILD_OPTIONS * fix apache build wrt. apxs * fix typo in description of curl modules (closes: #78828) -- Petr Cech Tue, 5 Dec 2000 14:22:30 +0100 php4 (4.0.3pl1-7) unstable; urgency=low * Rebuild with apache 1.3.14-1 -- Petr Cech Fri, 1 Dec 2000 01:41:41 +0100 php4 (4.0.3pl1-6) unstable; urgency=low * add --enable-memory-limit * add --enable-exif per request from William Ono. * Add Suggests: phpdoc (yes. it's here). * ext/standard/crypt.c - fix from CVS. * ext/ftp/ftp.{c,h} - fix mkdir() and RETR, STOR * ext/gd/gd.c - add format string - add XBM to phpinfo() * ext/imap/php_imap.{c,h} - CVS fixes * main/main.c - fix CGI crash - add HTTP_SERVER_VARS in CGI mode * and many more. Taken from php4.srpm (thanks :)) * recompile with apache 1.3.12-2.2 * and hack large files support into DSO module. php4 doesn't use it now :(( -- Petr Cech Thu, 30 Nov 2000 00:01:39 +0100 php4 (4.0.3pl1-5) unstable; urgency=low * Back out changes about --enable-versioning * ext/domxml/php_domxml.c : fix compilation with recent libxml2 (>=2.2.7) -- Petr Cech Tue, 21 Nov 2000 18:03:56 +0100 php4 (4.0.3pl1-4) unstable; urgency=low * Clarify README.Debian about the DB change a bit (dbm_ -> dba_*) * Remove aliasing hack - deprecated upstream. (closes: #76558) * Compile with libgd-dev again (Write 100x always reinstall libgd-dev). * --enable-versioning and tweak debian/control a bit, let's see, what breaks -- Petr Cech Tue, 14 Nov 2000 10:00:54 +0100 php4 (4.0.3pl1-3) unstable; urgency=low * Activate curl module. * Really enable shmop module. * Fix include paths in phpize. Now everyone should be able to easilly build php4 extension modules (php4-dbase anyone?). -- Petr Cech Mon, 6 Nov 2000 23:17:41 +0100 php4 (4.0.3pl1-2) unstable; urgency=low * Build with libgd-dev installed (NOT libgd-gif). -- Petr Cech Tue, 17 Oct 2000 02:08:36 +0200 php4 (4.0.3pl1-1) unstable; urgency=medium * New upstream bugfix release. * Depend on libopenldap1 as with the newer ldap module crashes php&apache. -- Petr Cech Mon, 16 Oct 2000 15:30:55 +0200 php4 (4.0.3-2) unstable; urgency=high * Urgency=high because last upload didn't have it ad it fixes some security holes. * ext/domxml/config.m4: don't try to build then --without-domxml -- Petr Cech Thu, 12 Oct 2000 12:50:17 +0200 php4 (4.0.3-1) unstable; urgency=low * New upstream release. - fixes also some string format bugs * Build with fixed libmysqlclient10-dev. -- Petr Cech Thu, 12 Oct 2000 00:00:07 +0200 php4 (4.0.2-7) unstable; urgency=low * Really, really install libldap2-dev. * Workaround broken libmysqlclient9-dev. It has broken (again) .so symlink. -- Petr Cech Tue, 10 Oct 2000 22:28:48 +0200 php4 (4.0.2-6) unstable; urgency=low * Again fix description a little bit. * Correct build-depends. * Sic. Recompile, because I've busted (libopenldap-dev instead of libldap2-dev was installed). * While at it install also new apache glibc NMU and recompile with it. * Move PEAR from php4-dev to php4 and install ALL of PEAR. * add --prefix=/usr * debhelper v2 * prepare for CURL module * Updated README.Debian * updated XML module from php4 CVS to close: #72360 -- Petr Cech Mon, 2 Oct 2000 14:36:35 +0200 php4 (4.0.2-5) unstable; urgency=low * Correct build-depends (libgd1-dev -> libgd-dev). Where is Roman? :) * Add libdb2-dev (>= 2:2.7.7-2.1) to build-depends for glibc 2.1.94. * and recompile with glibc 2.1.94 to fix it. -- Petr Cech Wed, 27 Sep 2000 09:00:27 +0200 php4 (4.0.2-4) unstable; urgency=low * Tweak description a little bit more. -- Petr Cech Sun, 24 Sep 2000 23:58:15 +0200 php4 (4.0.2-3) unstable; urgency=low * Add info about what modules and why are enabled/disabled into README.Debian. * Install not so many docs (only in -dev now). * Enable calendar and sockets modules. * Rearange package descriptions so module-specific comments go first. * Create domxml module aka xmlv2. * Fix spelling wan't -> want (closes: #70544). * Add libraries for gd module only when linking this one and not globaly (closes: #71623). * Say that we wait for ENTER (closes: #71769). * Fix logic in prerm script (closes: #71770). -- Petr Cech Sun, 24 Sep 2000 17:54:52 +0000 php4 (4.0.2-2) unstable; urgency=low * Add info about what modules and why are enabled/disabled into README.Debian. * Install not so many docs (only in -dev now). * Enable calendar and sockets modules. * Rearange package descriptions so module-specific comments go first. * Create domxml module aka xmlv2. * Fix building (small typo). * Compile with libmysqlclient9-dev installed. -- Petr Cech Mon, 18 Sep 2000 23:46:40 +0200 php4 (4.0.2-1) unstable; urgency=low * The "Back from vacation" release. * New upstream fixed (and bugs). * Correct postm script (only cosmetic) closes: #67350, #68541 * build with libpcre3, libldap2 * Use modified patch from -3 (remove #define XML_... php_XML_...) -- Petr Cech Thu, 7 Sep 2000 23:17:59 +0200 php4 (4.0.1pl2-3) unstable; urgency=low * UNRELEASED * Fixed the XML packages. -- Norman Jordan Thu, 10 Aug 2000 21:45:15 +0000 php4 (4.0.1pl2-2) unstable; urgency=low * Fix source archive. -- Petr Cech Tue, 11 Jul 2000 11:04:48 +0000 php4 (4.0.1pl2-1) unstable; urgency=low * New upstream bug fix release (variation of the patches in -2) * Build with new libgd1 library (maybe still in Incoming) * Move PEAR stuff to php4 package (closes: #66897). -- Petr Cech Sun, 9 Jul 2000 09:01:06 +0000 php4 (4.0.1-2) unstable; urgency=low * Apply some CVS diffs in an attempt to fix opendir() problems. -- Petr Cech Fri, 30 Jun 2000 09:04:24 +0000 php4 (4.0.1-1) unstable; urgency=low * New upstream release (taken from CVS tag php_4_0_1). * --with-regex=system else it plays havoc. Dunno why ... * remove autoconf,automake,aclocal from configure rules. * Fix description of XML --help message (no, it's not MySQL). -- Petr Cech Wed, 28 Jun 2000 22:55:16 +0200 php4 (4.0.0-4) unstable; urgency=low * Add -dev package (closes: #65907). * Add -cgi and -cgi-* packages (closes: #51097, #52855). * --enable-filepro * Tweak copyright file a bit. * Generate mhash module (closes part of 63186). * Ask to remove libphp4 from httpd.conf upon remove/purge. * Fixed build-depends, thanks to Roman Hodek (closes: #65938). (I told you the first time it won't work :)) * Mark /etc/php4/cgi/php.ini as conffile. * Every module now ask if it should be enabled on install (if it's not already) and disabled on remove/purge. -- Petr Cech Tue, 20 Jun 2000 14:29:01 +0200 php4 (4.0.0-3) unstable; urgency=low * Ship correct php.ini (extension_dir=/usr/lib/php4/apache). * Don't use included libmysqlclient and use system one (fixes wrong location of mysqld.sock) * link XML module dynamicly with system xmlparse and xmltok. -- Petr Cech Wed, 14 Jun 2000 22:30:07 +0000 php4 (4.0.0-2) unstable; urgency=low * fix the IS_SLASH bug (closes: #65625 and probably others as well). * Really change the maintainer field. -- Petr Cech Wed, 14 Jun 2000 07:44:05 +0000 php4 (4.0.0-1) unstable; urgency=low * New maintainer. * New upstream release. * Fix dynamic module loading. * Added Build-Depends (I wonder, if I got them right) * Standards-Version: 3.1.1 -- Petr Cech Tue, 13 Jun 2000 13:40:56 +0000 php4 (4.0rc1-2) unstable; urgency=low * Compile with latest apache and libraries from woody (Closes: #62631, #62640) -- Gergely Madarasz Wed, 19 Apr 2000 14:39:25 +0200 php4 (4.0rc1-1) unstable; urgency=low * New upstream version * Fix db2 support (Closes: #61709) * Fix gd support (Closes: #61708) * Remove ucd-snmp-hack from config options -- Gergely Madarasz Sun, 16 Apr 2000 17:04:05 +0200 php4 (4.0b4pl1-2) unstable; urgency=low * Build with --disable-debug so it should work with the zend optimizer (Closes: #60265) * Build with --enable-trans-sid (Closes: #60430) * Write some more about php4/php3 differences in the description (Closes: #60155) -- Gergely Madarasz Fri, 17 Mar 2000 17:35:29 +0100 php4 (4.0b4pl1-1) unstable; urgency=low * New upstream version * Upstream reorganized the build system quite a bit, lots of patches removed -- Gergely Madarasz Wed, 23 Feb 2000 17:16:00 +0100 php4 (4.0b3-4) unstable; urgency=low * Add /etc/php4/apache/php.ini to conffiles (Closes: #54194) * Add info file for apacheconfig * Offer to run apacheconfig and/or apache-sslconfig in postinst * Comment out sendmail_path from php.ini so the default sendmail path should work (Closes: #51355) -- Gergely Madarasz Thu, 6 Jan 2000 14:38:20 +0100 php4 (4.0b3-3) unstable; urgency=low * Compile with libgd instead of libgd-gif -- Gergely Madarasz Tue, 4 Jan 2000 18:07:56 +0100 php4 (4.0b3-2) unstable; urgency=low * Build imap and ldap modules * Fix rm -f in rules file (Closes: #51623) -- Gergely Madarasz Mon, 3 Jan 2000 16:54:19 +0100 php4 (4.0b3-1) unstable; urgency=low * Initial Release. -- Gergely Madarasz Tue, 16 Nov 1999 19:33:42 +0100