lp:ubuntu/feisty-security/php5

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/feisty-security/php5

Branch information

Owner: Ubuntu branches
Review team: Ubuntu Development Team
Status: Development

Recent revisions

21. By Jamie Strandboge

* debian/patches/209-CVE-2008-2050.patch: possible stack overflow and
  sending of uninitialized paddings
* debian/patches/210-CVE-2008-2051.patch: properly address incomplete
  multibyte chars inside escapeshellcmd()
* debian/patches/211-CVE-2007-4850.patch: fixed a safe_mode bypass in cURL
* debian/patches/212-CVE-2008-2829.patch: unsafe usage of deprecated imap
  functions (patch from Debian)
* debian/patches/213-CVE-2008-1384.patch: integer overflow in printf()
  (patch from Debian)
* debian/patches/214-CVE-2008-2107+2108.patch: weak random number seed
* debian/patches/215-CVE-2007-4782.patch: DoS via long string in the fnmatch
  functions
* debian/patches/216-pcre-compile.patch: avoid stack overflow (fix from
  pcre 7.6)
* Update debian/patches/207-htmlentity-utf8-fix.patch: fail on improperly
  finished UTF sequence
* References
  CVE-2008-2050
  CVE-2008-2051
  CVE-2007-4850
  CVE-2008-2829
  CVE-2008-1384
  CVE-2008-2107
  CVE-2008-2108
  CVE-2007-4782
  CVE-2007-5898
  LP: #227464

20. By Kees Cook

* SECURITY UPDATE: multiple vulnerabilities. Thanks to Sean Finney for
  help locating upstream fixes.
* Add 200-string-wordwrap.patch: wordwrap function can be made to crash.
  Backported upstream fixes (CVE-2007-3998).
* Add 201-strspn-oob-read.patch: memory reading, possible crash via strspn.
  chunk_split. Backported upstream fixes (CVE-2007-4657).
* Add 202-money-format-abuse.patch: money_format format string vulnerable.
  Backported upstream fixes (CVE-2007-4658).
* Add 203-openssl_make_REQ-overflow.patch: overflow in openssl_make_REQ.
  Applied and corrected upstream fixes (CVE-2007-4662).
* Add 204-start-session-cookies.patch: overwrite cookie values.
  Applied upstream fixes (CVE-2007-3799).
* Add 206-chunk_split-fixes.patch: memory reading, possible crash via
  chunk_split. Merged various upstream fixes (CVE-2007-2872, CVE-2007-4660,
  CVE-2007-4661).
* Add 206-cookie-nesting-fix.patch: corruption/crashes via deeply nested
  variables. Backported upstream fixes (CVE-2007-1285, CVE-2007-4670).
* Add 207-htmlentity-utf8-fix.patch: don't accept partial utf8 sequences.
  Backported upstream fixes (CVE-2007-5898).
* Add 208-session-id-leak.patch: don't send session id to remote forms.
  Backported upstream fixes (CVE-2007-5899).
* References
  http://www.php.net/releases/5_2_4.php
  http://www.php.net/releases/5_2_5.php

19. By Kees Cook

* SECURITY UPDATE: arbitrary code execution via heap overflow, uninitialized
  random seed in SOAP.
* Add debian/patches/122-CVE-2007-1864-xmlrpc.patch: upstream fix
  (CVE-2007-1864).
* Add debian/patches/122-CVE-2007-2728_soap-seed.patch: upstream fix
  (CVE-2007-2728).

18. By Kees Cook

* SECURITY UPDATE: FTP command injection, code execution in SOAP requests,
  PEAR installer path traversal.
* 121-CVE-2007-2509_ftp.patch: ported from upstream and Debian
  (CVE-2007-2509)
* 121-CVE-2007-2510_soap.patch: ported from upstream and Debian
  (CVE-2007-2510)
* pear/121-pear-installer.patch: extracted from upstream changes
  (CVE-2007-2519)

17. By Kees Cook

* SECURITY UPDATE: multiple security vulnerabilities fixed. Thanks to
  Moritz Muehlenhoff and Sean Finney.
* 120-MOPB-10.patch: php_binary Session Deserialization Information Leak
  (CVE-2007-1380)
* 120-MOPB-14.patch: substr_compare() Information Leak (CVE-2007-1375)
* 120-MOPB-22.patch: session_regenerate_id() Double Free (CVE-2007-1521)
* 120-MOPB-24.patch: array_user_key_compare() Double DTOR (CVE-2007-1484)
* 120-MOPB-26.patch: mb_parse_str() register_globals Activation
  (CVE-2007-1583)
* 120-MOPB-29.patch: unserialize() Information Leak
* 120-MOPB-34.patch: mail() Header Injection (CVE-2007-1718)
* 120-MOPB-41.patch: sqlite_udf_decode_binary() Buffer Overflow
  (CVE-2007-1887 CVE-2007-1888)
* 120-MOPB-45.patch: ext/filter Email Validation (CVE-2007-1900)

16. By Martin Pitt

* New upstream security/bugfix release:
  - safe_mode & open_basedir bypasses inside the session extension
    [CVE-2007-0905]
  - multiple buffer overflows in various extensions and functions
    [CVE-2007-0906]
  - underflow in the internal sapi_header_op() function [CVE-2007-0907]
  - information disclosure in the wddx extension [CVE-2007-0908]
  - string format vulnerability in *print() functions on 64 bit systems
    [CVE-2007-0909]
  - possible clobbering of super-globals in several code paths
    [CVE-2007-0910]
* Adapted patches to new upstream release:
  - 006-debian_quirks.patch
  - 034-apache2_umask_fix.patch
  - 044-strtod_arm_fix.patch
* Drop 109-libdb4.4.patch: Obsolete, upstream now checks for db 4.5 and 4.4.
* Drop 114-zend_alloc.c_m68k_alignment.patch and
  115-zend_alloc.c_memleak.patch: Applied upstream.
* Add debian/patches/000upstream-str_ireplace_offbyone.patch:
  - Fix off-by-one in str_ireplace(), a regression introduced in 5.2.1.
  - Patch taken from upstream CVS:
    http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.630&r2=1.631
  - CVE-2007-0911
* debian/control: Set Ubuntu maintainer.

15. By Martin Pitt

No-change upload for the libpq4->libpq5 transition.

14. By Martin Pitt

* Merge to Debian unstable.
* Build against libapr1-dev and depend against apache2.2-common again, now
  that we have it in Feisty.
* Build against db 4.4 (like Debian), since Apache 2.2 now uses it, too.
* Remaining Ubuntu changes:
  - debian/control, debian/rules: Disable apache-dev build dependency and
    remove libapache-mod-php5 package, since we do not support apache 1.3.
  - debian/changelog: Add some missing CVEs.
  - Remove firebird2-dev build dependency and php5-interbase package, since
    we don't support Firebird and keep the separate php-interbase source.
  - Remove libc-client-dev build dependency and php5-imap package, since
    uw-imapd is in universe and we keep the separate php-imap source.
  - Remove libmcrypt-dev build dependency and php5-mcrypt package, since
    it is in universe and we keep the separate php-mcrypt source.
  - Add missing libsqlite3-dev build dependency.

13. By Martin Pitt

debian/control: Add missing build dependency libsqlite3-dev to fix FTBFS.

12. By Martin Pitt

* Merge to Debian unstable; remaining Ubuntu changes:
  - debian/control, debian/rules: Disable apache-dev build dependency and
    remove libapache-mod-php5 package, since we do not support apache 1.3.
  - debian/control: Build with db4.3, as long as our apache needs it.
  - debian/changelog: Add some missing CVEs.
* debian/control:
  - Remove firebird2-dev build dependency and php5-interbase package, since
    we don't support Firebird and keep the separate php-interbase source.
  - Remove libc-client-dev build dependency and php5-imap package, since
    uw-imapd is in universe and we keep the separate php-imap source.
  - Remove libmcrypt-dev build dependency and php5-mcrypt package, since
    it is in universe and we keep the separate php-mcrypt source.
  - libapr1-dev -> libapr0-dev, as long as we still have Apache 2.0.
* debian/rules: Disable above modules, and fix up dependency generation for
  Apache 2.0 instead of 2.2.

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp:ubuntu/karmic/php5