lp:ubuntu/oneiric-updates/php5

Branch merges

Propose for merging

No branches dependent on this one.

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Related blueprints

102. By Marc Deslauriers on 2013-03-08

* SECURITY UPDATE: arbitrary file disclosure via XML External Entity
  - debian/patches/CVE-2013-1643.patch: disable the entity loader in
    ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
  - CVE-2013-1643

101. By Marc Deslauriers on 2012-09-12

* SECURITY UPDATE: HTTP response-splitting issue with %0D sequences
  - debian/patches/CVE-2011-1398.patch: properly handle %0D and NUL in
    main/SAPI.c, added tests to ext/standard/tests/*, fix test suite
    failures in ext/phar/phar_object.c.
  - CVE-2011-1398
  - CVE-2012-4388
* SECURITY UPDATE: denial of service and possible code execution via
  _php_stream_scandir function (LP: #1028064)
  - debian/patches/CVE-2012-2688.patch: prevent overflow in
    main/streams/streams.c.
  - CVE-2012-2688
* SECURITY UPDATE: denial of service via PDO extension crafted parameter
  - debian/patches/CVE-2012-3450.patch: improve logic in
    ext/pdo/pdo_sql_parser.re, regenerate ext/pdo/pdo_sql_parser.c, add
    test to ext/pdo_mysql/tests/bug_61755.phpt.
  - CVE-2012-3450

100. By Marc Deslauriers on 2012-06-12

* SECURITY UPDATE: denial of service via invalid tidy objects
  - debian/patches/CVE-2012-0781.patch: track initialization in
    ext/tidy/tidy.c, added tests to ext/tidy/tests/004.phpt,
    ext/tidy/tests/bug54682.phpt.
  - CVE-2012-0781
* SECURITY UPDATE: denial of service or possible directory traversal via
  invalid filename.
  - debian/patches/CVE-2012-1172.patch: ensure brackets get closed in
    main/rfc1867.c, add test to tests/basic/bug55500.phpt.
  - CVE-2012-1172
* SECURITY UPDATE: password truncation via invalid byte
  - debian/patches/CVE-2012-2143.patch: improve logic in
    ext/standard/crypt_freesec.c, add test to
    ext/standard/tests/strings/crypt_chars.phpt.
  - CVE-2012-2143
* SECURITY UPDATE: improve php5-cgi query string parameter parsing
  - debian/patches/CVE-2012-233x.patch: improve parsing in
    sapi/cgi/cgi_main.c.
  - CVE-2012-2335
  - CVE-2012-2336
* SECURITY UPDATE: phar extension heap overflow
  - debian/patches/CVE-2012-2386.patch: check for overflow in
    ext/phar/tar.c.
  - CVE-2012-2386

99. By Steve Beattie on 2012-05-03

* SECURITY UPDATE: php5-cgi query string parameters parsing
  vulnerability
  - debian/patches/php5-CVE-2012-1823.patch: filter query strings that
    are prefixed with '-'
  - CVE-2012-1823
  - CVE-2012-2311

98. By Steve Beattie on 2012-02-10

debian/patches/php5-CVE-2012-0831-regression.patch: fix
magic_quotes_gpc ini setting regression introduced by patch for
CVE-2012-0831. Thanks to Ondřej Surý for the patch. (LP: #930115)

97. By Steve Beattie on 2012-02-08

* SECURITY UPDATE: memory allocation failure denial of service
  - debian/patches/php5-CVE-2011-4153.patch: check result of
    zend_strdup() and calloc() for failed allocations
  - CVE-2011-4153
* SECURITY UPDATE: predictable hash collision denial of service
  (LP: #910296)
  - debian/patches/php5-CVE-2011-4885.patch: add max_input_vars
    directive with default limit of 1000
  - ATTENTION: this update changes previous php5 behavior by
    limiting the number of external input variables to 1000.
    This may be increased by adding a "max_input_vars"
    directive to the php.ini configuration file. See
    http://www.php.net/manual/en/info.configuration.php#ini.max-input-vars
    for more information.
  - CVE-2011-4885
* SECURITY UPDATE: remote code execution vulnerability introduced by
  the fix for CVE-2011-4885 (LP: #925772)
  - debian/patches/php5-CVE-2012-0830.patch: return rather than
    continuing if max_input_vars limit is reached
  - CVE-2012-0830
* SECURITY UPDATE: XSLT arbitrary file overwrite attack
  - debian/patches/php5-CVE-2012-0057.patch: add xsl.security_prefs
    ini option to define forbidden operations within XSLT stylesheets
  - CVE-2012-0057
* SECURITY UPDATE: PDORow session denial of service
  - debian/patches/php5-CVE-2012-0788.patch: fail gracefully when
    attempting to serialize PDORow instances
  - CVE-2012-0788
* SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
  - debian/patches/php5-CVE-2012-0831.patch: always restore
    magic_quote_gpc on request shutdown
  - CVE-2012-0831

96. By Marc Deslauriers on 2011-12-12

* SECURITY UPDATE: Denial of service and possible information disclosure
  via exif integer overflow
  - debian/patches/php5-CVE-2011-4566.patch: fix count checks in
    ext/exif/exif.c.
  - CVE-2011-4566

95. By Steve Beattie on 2011-10-13

* SECURITY UPDATE: DoS in zip handling due to addGlob() crashing
  on invalid flags
  - debian/patches/php5-CVE-2011-1657.patch: check for valid flags
  - CVE-2011-1657
* SECURITY UPDATE: DoS due to failure to check for memory allocation errors
  - debian/patches/php5-CVE-2011-3182.patch: check the return values
    of the malloc, calloc, and realloc functions
  - CVE-2011-3182
* SECURITY UPDATE: DoS in errorlog() when passed NULL
  - debian/patches/php5-CVE-2011-3267.patch: fix NULL pointer crash in
    errorlog()
  - CVE-2011-3267
* debian/control: enforce timestamp difference large enough for make
  to detect before editing configure.in, so that aclocal.m4 will be
  regenerated.
* debian/patches/php5-CVE-2011-1938_fix.patch: fix the fix for
  CVE-2011-1938 to remove the extra argument.

94. By Matthias Klose on 2011-08-25

Test

93. By Steve Langasek on 2011-08-24

* debian/rules: export DEB_HOST_MULTIARCH properly, so that I don't spend
  an hour scratching my head at './debian/rules configure' not working
  right.
* Only build php5-sqlite for sqlite3, dropping the obsolete sqlite2.
* Add build-dependency on lemon, which we now need.