lp:debian/lenny/php5

Created by James Westby and last modified
Get this branch:
bzr branch lp:debian/lenny/php5

Branch information

Owner: Ubuntu branches
Status: Development

Recent revisions

8. By Ondřej Surý

Fix UMR in php_register_variable_ex (pull from upstream SVN)

7. By Ondřej Surý

Remove stray php_printf from CVE-2010-2531 (Closes: #632194)

6. By Raphael Geissert

* Fix CVE-2010-1917: stack consumption on the fnmatch() function
* Fix CVE-2010-2225: use-after-free in the SplObjectStorage
  unserializer
* Fix MOPS-2010-60: arbitrary session variables injection

5. By Raphael Geissert

Fix CVE-2010-0397: null pointer dereference when processing invalid
XML-RPC requests (Closes: #573573)

4. By Raphael Geissert

* CVE-2009-2687: DoS via malformed JPEG images with invalid offset fields
  (Closes: #535888)
* CVE-2009-2626: remote memory disclosure via ini_* functions
  (Closes: #540605)
* CVE-2009-3292: multiple missing checks processing exif image data
* CVE-2009-3291: improper handling of nul character in CommonName fields
  of X509 certificates
* max_file_uploads: prevent, by limiting, temporary files exhaustion DoS
* Add an entry to debian/NEWS about the new per-request file uploads limit

3. By Sean Finney

[ Sean Finney ]
* CVE-2008-5814: XSS vulnerability via display_errors (Closes: #523028)
* CVE-2009-0754.patch: mbstring.func_overload leakage between apache2
  vhosts (Closes: #523049)
* CVE-2009-1271: remote DoS in json_decode()
* add note about CVE-2009-1272 in previous version's changelog entry

[ Mark A. Hershberger ]
* fix clean target to keep source in a consistent state for multiple builds

2. By Sean Finney

[ Sean Finney ]
* Do not add -O2 to CFLAGS if DEB_BUILD_OPTIONS contains noopt.
* Security related fixes:
  - php: inifile handler for the dba functions can be used to truncate a file
    Patch: dba-inifile-truncation.patch (closes: #507101).
  - CVE-2008-5658.patch: ZipArchive::extractTo directory traversal
    Patch: CVE-2008-5658.patch (closes: #507857).
    Thanks to Pierre Joye for help with the patch.

[ Raphael Geissert ]
* Picked up some patches from Gentoo (most included in PHP 5.2.7 and later):
  + patches/gentoo/005_stream_context_set_params-crash.patch
  + patches/gentoo/006_PDORow-crash.patch
  + patches/gentoo/007_dom-setAttributeNode-crash.patch
  + patches/gentoo/009_array-function-crashes.patch
  + patches/gentoo/010_ticks-zts-crashes.patch
  + patches/gentoo/015_CVE-2008-2665-wrapper-safemode-bypass.patch
  + patches/gentoo/017_xmlrpc-invalid-callback-crash.patch
  + patches/gentoo/019_new-memory-corruption.patch
  + patches/gentoo/freetds-compat.patch
    - was deprecated_freetds_check.patch

1. By Sean Finney

Import upstream version 5.2.6.dfsg.1

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp:debian/squeeze/php5