lp:ubuntu/oneiric-updates/php5
- Get this branch:
- bzr branch lp:ubuntu/oneiric-updates/php5
Recent revisions
- 102. By Marc Deslauriers
  * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
    - debian/patches/CVE-2013-1643.patch: disable the entity loader in
      ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
    - CVE-2013-1643
- 101. By Marc Deslauriers
  * SECURITY UPDATE: HTTP response-splitting issue with %0D sequences
    - debian/patches/CVE-2011-1398.patch: properly handle %0D and NUL in
      main/SAPI.c, added tests to ext/standard/tests/*, fix test suite
      failures in ext/phar/phar_object.c.
    - CVE-2011-1398
    - CVE-2012-4388
  * SECURITY UPDATE: denial of service and possible code execution via
    _php_stream_scandir function (LP: #1028064)
    - debian/patches/CVE-2012-2688.patch: prevent overflow in
      main/streams/streams.c.
    - CVE-2012-2688
  * SECURITY UPDATE: denial of service via PDO extension crafted parameter
    - debian/patches/CVE-2012-3450.patch: improve logic in
      ext/pdo/pdo_sql_parser.re, regenerate ext/pdo/pdo_sql_parser.c, add
      test to ext/pdo_mysql/tests/bug_61755.phpt.
    - CVE-2012-3450
- 100. By Marc Deslauriers
  * SECURITY UPDATE: denial of service via invalid tidy objects
    - debian/patches/CVE-2012-0781.patch: track initialization in
      ext/tidy/tidy.c, added tests to ext/tidy/tests/004.phpt,
      ext/tidy/tests/bug54682.phpt.
    - CVE-2012-0781
  * SECURITY UPDATE: denial of service or possible directory traversal via
    invalid filename.
    - debian/patches/CVE-2012-1172.patch: ensure brackets get closed in
      main/rfc1867.c, add test to tests/basic/bug55500.phpt.
    - CVE-2012-1172
  * SECURITY UPDATE: password truncation via invalid byte
    - debian/patches/CVE-2012-2143.patch: improve logic in
      ext/standard/crypt_freesec.c, add test to
      ext/standard/tests/strings/crypt_chars.phpt.
    - CVE-2012-2143
  * SECURITY UPDATE: improve php5-cgi query string parameter parsing
    - debian/patches/CVE-2012-233x.patch: improve parsing in
      sapi/cgi/cgi_main.c.
    - CVE-2012-2335
    - CVE-2012-2336
  * SECURITY UPDATE: phar extension heap overflow
    - debian/patches/CVE-2012-2386.patch: check for overflow in
      ext/phar/tar.c.
    - CVE-2012-2386
- 99. By Steve Beattie
  * SECURITY UPDATE: php5-cgi query string parameters parsing
    vulnerability
    - debian/patches/php5-CVE-2012-1823.patch: filter query strings that
      are prefixed with '-'
    - CVE-2012-1823
    - CVE-2012-2311
- 98. By Steve Beattie
  * debian/patches/php5-CVE-2012-0831-regression.patch: fix
    magic_quotes_gpc ini setting regression introduced by patch for
    CVE-2012-0831. Thanks to Ondřej Surý for the patch. (LP: #930115)
- 97. By Steve Beattie
  * SECURITY UPDATE: memory allocation failure denial of service
    - debian/patches/php5-CVE-2011-4153.patch: check result of
      zend_strdup() and calloc() for failed allocations
    - CVE-2011-4153
  * SECURITY UPDATE: predictable hash collision denial of service
    (LP: #910296)
    - debian/patches/php5-CVE-2011-4885.patch: add max_input_vars
      directive with default limit of 1000
    - ATTENTION: this update changes previous php5 behavior by
      limiting the number of external input variables to 1000.
      This may be increased by adding a "max_input_vars"
      directive to the php.ini configuration file. See
      http://www.php.net/manual/en/info.configuration.php#ini.max-input-vars
      for more information.
    - CVE-2011-4885
  * SECURITY UPDATE: remote code execution vulnerability introduced by
    the fix for CVE-2011-4885 (LP: #925772)
    - debian/patches/php5-CVE-2012-0830.patch: return rather than
      continuing if max_input_vars limit is reached
    - CVE-2012-0830
  * SECURITY UPDATE: XSLT arbitrary file overwrite attack
    - debian/patches/php5-CVE-2012-0057.patch: add xsl.security_prefs
      ini option to define forbidden operations within XSLT stylesheets
    - CVE-2012-0057
  * SECURITY UPDATE: PDORow session denial of service
    - debian/patches/php5-CVE-2012-0788.patch: fail gracefully when
      attempting to serialize PDORow instances
    - CVE-2012-0788
  * SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
    - debian/patches/php5-CVE-2012-0831.patch: always restore
      magic_quote_gpc on request shutdown
    - CVE-2012-0831
- 96. By Marc Deslauriers
  * SECURITY UPDATE: Denial of service and possible information disclosure
    via exif integer overflow
    - debian/patches/php5-CVE-2011-4566.patch: fix count checks in
      ext/exif/exif.c.
    - CVE-2011-4566
- 95. By Steve Beattie
  * SECURITY UPDATE: DoS in zip handling due to addGlob() crashing
    on invalid flags
    - debian/patches/php5-CVE-2011-1657.patch: check for valid flags
    - CVE-2011-1657
  * SECURITY UPDATE: DoS due to failure to check for memory allocation errors
    - debian/patches/php5-CVE-2011-3182.patch: check the return values
      of the malloc, calloc, and realloc functions
    - CVE-2011-3182
  * SECURITY UPDATE: DoS in errorlog() when passed NULL
    - debian/patches/php5-CVE-2011-3267.patch: fix NULL pointer crash in
      errorlog()
    - CVE-2011-3267
  * debian/control: enforce timestamp difference large enough for make
    to detect before editing configure.in, so that aclocal.m4 will be
    regenerated.
  * debian/patches/php5-CVE-2011-1938_fix.patch: fix the fix for
    CVE-2011-1938 to remove the extra argument.
- 93. By Steve Langasek
  * debian/rules: export DEB_HOST_MULTIARCH properly, so that I don't spend
    an hour scratching my head at './debian/rules configure' not working
    right.
  * Only build php5-sqlite for sqlite3, dropping the obsolete sqlite2.
  * Add build-dependency on lemon, which we now need.
Branch metadata
- Branch format: Branch format 7
- Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on: lp:ubuntu/precise/php5