lp:~ephess/ubuntu/lucid/php5/fix-for-651049

Created by Jordan Hagan and last modified
Get this branch:
bzr branch lp:~ephess/ubuntu/lucid/php5/fix-for-651049

Branch information

Owner:
Jordan Hagan
Status:
Development

Recent revisions

65. By Jordan Hagan

debian/patches/filter_validate_url.patch: backported bugfix
to FILTER_VALIDATE_URL (LP: #651049)

64. By Marc Deslauriers

* SECURITY UPDATE: denial of service and possible memory corruption via
  negative size in HTTP chunked encoding stream
  - debian/patches/CVE-2010-1866.patch: prevent chunk_size from
    overflowing in ext/standard/filters.c.
  - CVE-2010-1866
* SECURITY UPDATE: arbitrary code execution via empty SQL query
  - debian/patches/CVE-2010-1868.patch: use ecalloc instead of emalloc in
    ext/sqlite/sqlite.c.
  - CVE-2010-1868
* SECURITY UPDATE: denial of service via fnmatch stack consumption
  - debian/patches/CVE-2010-1917.patch: limit size of pattern in
    ext/standard/file.c.
  - CVE-2010-1917
* SECURITY UPDATE: arbitrary memory disclosure and possible code
  execution via phar extension
  - debian/patches/CVE-2010-2094.patch: use correct format string in
    ext/phar/dirstream.c, ext/phar/stream.c.
  - CVE-2010-2094
  - CVE-2010-2950
* SECURITY UPDATE: sensitive information disclosure or arbitrary code
  execution via use-after-free in SplObjectStorage unserializer
  - debian/patches/CVE-2010-2225.patch: fix logic in
    ext/spl/spl_observer.c, ext/standard/{php_var.h,var_unserializer.*},
    add tests to ext/spl/tests.
  - CVE-2010-2225
* SECURITY UPDATE: sensitive information disclosure via error messages
  - debian/patches/CVE-2010-2531.patch: don't display data when flushing
    output buffer in ext/standard/{var.c,php_var.h}, fix tests in
    ext/standard/tests/general_functions.
  - CVE-2010-2531
* SECURITY UPDATE: arbitrary session variable modification via crafted
  session variable name
  - debian/patches/CVE-2010-3065.patch: handle PS_UNDEF_MARKER marker in
    ext/session/session.c.
  - CVE-2010-3065
* debian/patches/lp564920-fix-big-files.patch: Fix downloading of large
  files (LP: #564920)

63. By Chuck Short

debian/control, debian/rules: Re-enable libedit-dev. (LP: #548823)

62. By Chuck Short

debian/control: Fix upgrade of php5-ldap from 5.3.1. (LP: #)

61. By Chuck Short

debian/control: Don't build with libmcrypt-dev.

60. By Chuck Short

* Merge from debian unstable:
  - debian/control:
    * Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe.
    * Dropped libmysqlclient15-dev, build against mysql 5.1.
    * Dropped libcurl-dev not in the archive.
    * Suggest php5-suhosin rather than recommends.
    * Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions already in
      universe.
    * Dropped libonig-dev and libqgdbm since it's in universe. (will be re-added in lucid+1)
    * Dropped locales-all.
  - modulelist: Drop imap, interbase, and mcrypt.
  - debian/rules:
    * Dropped building of mcrypt, imap, and interbase.
    * Install apport hook for php5.
  - Dropped debian/patches/libedit_is_editline.patch.

59. By Chuck Short

debian/patches/libedit_is_editline.patch: Updated for PHP 5.3.2 (LP: #543212)

58. By Chuck Short

* Upload to lucid:
  - debian/control:
   * Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe.
   * Dropped libmysqlclient15-dev, build against mysql 5.1.
   * Dropped libcurl-dev not in the archive
   * Suggest php5-suhosin rather than recommends.
   * Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions already in
     universe
   * Dropped locales-all.
  - modulelist: Drop imap, interbase, and mcrypt.
  - debian/rules:
    + Dropped building of mcrypt, imap, and interbase.
    + Install apport hook for php5, a part of the server-lucid-apport-hooks.
  - debian/patches/libedit_is_editline.patch: Refreshed.

57. By Chuck Short

debian/control: Fix FTBFS.

56. By Chuck Short

* Merge from debian testing. Remaining changes:
  - debian/control, debian/rules: Disable a few build dependencies and
    accompanying binary packages which we do not want to support in main:
    + firebird2-dev/php5-interbase (we have a separate php-interbase source)
    + libc-client/php5-imap (we have a separate php-imap source)
    + libmcrypt-dev/php5-mcrypt (separate php-mcrypt source)
    + readline support again, now that the libedit issue is fixed.
  - debian/control: Add build dependency: libedit-dev (>= 2.9.cvs.20050518-1)
    CLI readline support.
  - debian/rules:
    + Correctly mangle PHP5_* macros for lpia
  - debian/control:
    + Rename Vcs-Browser & Vcs-Git to XS-Original-Vcs-Browser & XS-Original-Vcs-Git (LP: #323731).
  - debian/control: Move php5-suhosin to Suggests.
  - debian/rules: Fix broken symlink for pear.
  - main/php_version.h: updated with Ubuntu version info
  - debian/patches/series: Re-enable the 033-we_WANT_libtool.patch patch
  - debian/rules, debian/source_php5.py: Install apport hook.
* Dropped patches: CVE-2009-3557.patch and CVE-2009-3558.patch, no longer needed.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/oneiric/php5