lp:ubuntu/precise-security/php5

Created by Ubuntu Package Importer and last modified
Get this branch:
bzr branch lp:ubuntu/precise-security/php5

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

107. By Marc Deslauriers

* SECURITY UPDATE: arbitrary file disclosure via XML External Entity
  - debian/patches/CVE-2013-1643.patch: disable the entity loader in
    ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
  - CVE-2013-1643

106. By Marc Deslauriers

* SECURITY UPDATE: arbitrary memory disclosure (LP: #1099793)
  - debian/patches/CVE-2012-6113.patch: properly initialize length in
    ext/openssl/openssl.c.
  - CVE-2012-6113

105. By Marc Deslauriers

* SECURITY UPDATE: HTTP response-splitting issue with %0D sequences
  - debian/patches/CVE-2011-1398.patch: properly handle %0D and NUL in
    main/SAPI.c, added tests to ext/standard/tests/*, fix test suite
    failures in ext/phar/phar_object.c.
  - CVE-2011-1398
  - CVE-2012-4388
* SECURITY UPDATE: denial of service and possible code execution via
  _php_stream_scandir function (LP: #1028064)
  - debian/patches/CVE-2012-2688.patch: prevent overflow in
    main/streams/streams.c.
  - CVE-2012-2688
* SECURITY UPDATE: denial of service via PDO extension crafted parameter
  - debian/patches/CVE-2012-3450.patch: improve logic in
    ext/pdo/pdo_sql_parser.re, regenerate ext/pdo/pdo_sql_parser.c, add
    test to ext/pdo_mysql/tests/bug_61755.phpt.
  - CVE-2012-3450

104. By Marc Deslauriers

* SECURITY UPDATE: denial of service via invalid tidy objects
  - debian/patches/CVE-2012-0781.patch: track initialization in
    ext/tidy/tidy.c, added tests to ext/tidy/tests/004.phpt,
    ext/tidy/tests/bug54682.phpt.
  - CVE-2012-0781
* SECURITY UPDATE: denial of service or possible directory traversal via
  invalid filename.
  - debian/patches/CVE-2012-1172.patch: ensure brackets get closed in
    main/rfc1867.c, add test to tests/basic/bug55500.phpt.
  - CVE-2012-1172
* SECURITY UPDATE: password truncation via invalid byte
  - debian/patches/CVE-2012-2143.patch: improve logic in
    ext/standard/crypt_freesec.c, add test to
    ext/standard/tests/strings/crypt_chars.phpt.
  - CVE-2012-2143
* SECURITY UPDATE: improve php5-cgi query string parameter parsing
  - debian/patches/CVE-2012-233x.patch: improve parsing in
    sapi/cgi/cgi_main.c.
  - CVE-2012-2335
  - CVE-2012-2336
* SECURITY UPDATE: phar extension heap overflow
  - debian/patches/CVE-2012-2386.patch: check for overflow in
    ext/phar/tar.c.
  - CVE-2012-2386

103. By Steve Beattie

* SECURITY UPDATE: php5-cgi query string parameters parsing
  vulnerability
  - debian/patches/php5-CVE-2012-1823.patch: filter query strings that
    are prefixed with '-'
  - CVE-2012-1823
  - CVE-2012-2311

102. By James Page

* Cherry picked fixes from Debian testing:
  - d/maxlifetime: Improve maxlifetime script to scan for more SAPIs and
    scan all *.ini in conf.d directory.
    (LP: #916065).
  - d/libapache2-mod-php5.postinst,libapache2-mod-php5filter.postinst:
    Restart apache on first install to ensure module is fully enabled.
    (LP: #953081).

101. By Colin Watson

Pre-Depend on a new enough version of dpkg for dpkg-maintscript-helper
rather than checking whether it exists at run-time, leading to more
predictable behaviour on upgrades.

100. By Clint Byrum

* Merge from Debian testing. Remaining changes:
  - d/control: build-depend on mysql 5.5 instead of 5.1 for running tests.
  - d/setup-mysql.sh: modify to work with mysql 5.5 differences
  - debian/rules: export DEB_HOST_MULTIARCH properly.
  - Only build php5-sqlite for sqlite3, dropping the obsolete sqlite2.
  - Add build-dependency on lemon, which we now need.
  - Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as they are in universe.
  - Dropped libcurl-dev, which is not in the archive.
  - debian/control: replace build-depends on mysql-server with
    mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
    mysql-server-5.5 postinst confusion with starting up multiple
    mysqlds listening on the same port.
  - Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions
    already in universe.
  - Suggest php5-suhosin rather than recommends.
  - Dropped libonig-dev and libqgdbm since they are in universe. (libonig MIR
    has been declined due to an inactive upstream, so this is probably
    a permanent change.)
  - modulelist: Drop imap, interbase, sybase, and mcrypt.
  - debian/rules:
    * Dropped building of mcrypt, imap, and interbase.
    * Install apport hook for php5.
    * stop mysql instance on clean just in case we failed in tests
  - debian/control: Recommend php5-dev for php-pear.
* Dropped Changes:
  - d/patches/CVE-2011-4566.patch: Applied upstream
  - debian/rules: --enable-pcntl for cgi as well. (Applied in Debian)
* d/rules: enable Suhosin patch with PHP5_SUHOSIN=yes
* d/NEWS: add note explaining that SUHOSIN *is* enabled in the Ubuntu
  package.
* d/rules: Simplify apache config settings since we never build
  interbase or firebird.

99. By Marc Deslauriers

* SECURITY UPDATE: Denial of service and possible information disclosure
  via exif integer overflow
  - debian/patches/CVE-2011-4566.patch: fix count checks in
    ext/exif/exif.c.
  - CVE-2011-4566

98. By Clint Byrum

* d/control: build-depend on mysql 5.5 instead of 5.1 for running tests.
* d/setup-mysql.sh: modify to work with mysql 5.5 differences

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/quantal/php5