* SECURITY UPDATE: password_verify() accepts invalid Blowfish hashes
- debian/patches/CVE-2023-0567-1.patch: fix validation of malformed
BCrypt hashes in ext/standard/crypt_blowfish.c,
ext/standard/tests/crypt/bcrypt_salt_dollar.phpt.
- debian/patches/CVE-2023-0567-2.patch: fix possible buffer overread in
php_crypt() in ext/standard/crypt.c,
ext/standard/tests/password/password_bcrypt_short.phpt.
- CVE-2023-0567
* SECURITY UPDATE: off-by-one in core path resolution function
- debian/patches/CVE-2023-0568.patch: fix array overrun when appending
slash to paths in ext/dom/document.c, ext/xmlreader/php_xmlreader.c,
main/fopen_wrappers.c.
- CVE-2023-0568
* SECURITY UPDATE: DoS via excessive number of parts in HTTP form upload
- debian/patches/CVE-2023-0662-1.patch: introduce
max_multipart_body_parts INI in main/main.c, main/rfc1867.c.
- debian/patches/CVE-2023-0662-2.patch: fix repeated warning for file
uploads limit exceeding in main/rfc1867.c.
- CVE-2023-0662
* SECURITY UPDATE: Integer overflow
- debian/patches/CVE-2022-31631.patch: fix the unquotedlen size check
in ext/pdo_sqlite/sqlite_driver.c.
- CVE-2022-31631
[ Athos Ribeiro ]
* d/rules: fix PHP_EXTRA_VERSION setting. (LP: #1989196)
* Test PHP_EXTRA_VERSION setting with autopkgtest.
[ Matthew Ruffell ]
* No longer throw an error when serializing uninitialized typed
properties with __sleep(), which makes serializing objects with
__sleep() behave the same as serializing objects without
__sleep(). (LP: #1999598)
- d/p/lp-1999598-Fix-bug-79447.patch
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2022-31628-1.patch: add a recursion limit
in ext/phar/phar.c, ext/phar/tests/bug81726.phpt.
- debian/source/include-binaries: add ext/phar/tests/bug81726.gz.
- debian/patches/CVE-2022-31628-2.patch: avoid a second check in
ext/phar/phar.c.
- CVE-2022-31628
* SECURITY UPDATE: Cookie injection
- debian/patches/CVE-2022-31629.patch: don't mangle HTTP
variable names that clash with ones that have a specific semantic
meaning in ext/standard/test/bug81727.phpt,
main/php_variables.c.
- CVE-2022-31629
* SECURITY UPDATE: Out of bounds read
- debian/patches/CVE-2022-31630.patch: add validation in
imageloadfont() to prevent the out-of-bounds read in ext/gd/gd.c,
ext/gd/tests/bug81739.phpt.
- CVE-2022-31630
* SECURITY UPDATE: Buffer overflow
- debian/patches/CVE-2022-37454.patch: fix buffer overflow in
hash_update() with a long parameter in
ext/hash/sha3/generic32lc/KeccakSponge.inc,
ext/hash/sha3/generic64lc/KeccakSponge.inc.
- CVE-2022-37454
* d/p/0047-Update-gcc-func-attr-macro.patch: fix detection of unknown gcc
function attributes. (LP: #1882279)
* SECURITY UPDATE: RCE via Uninitialized array in pg_query_params()
- debian/patches/CVE-2022-31625.patch: don't free parameters which
haven't been initialized yet in ext/pgsql/pgsql.c,
ext/pgsql/tests/bug81720.phpt.
- CVE-2022-31625
* SECURITY UPDATE: RCE via mysqlnd/pdo password buffer overflow
- debian/patches/CVE-20022-31626.patch: properly calculate size in
ext/mysqlnd/mysqlnd_wireprotocol.c.
- CVE-2022-31626
* d/p/0048-Fix-bug-79603-by-retrying-on-RTD-key-collision.patch: retry on RTD
key collision. (LP: #1968228)
* SECURITY UPDATE: DoS in zend_string_extend function
- debian/patches/CVE-2017-8923.patch: fix integer overflow when
concatenating strings in Zend/zend_vm_def.h, Zend/zend_vm_execute.h.
- CVE-2017-8923
* SECURITY UPDATE: out of bounds access in php_pcre_replace_impl
- debian/patches/CVE-2017-9118-pre1.patch: fix heap buffer overflow via
str_repeat in Zend/zend_operators.c, Zend/zend_string.h.
- debian/patches/CVE-2017-9118-pre2.patch: fix memory corruption in
preg_replace/preg_replace_callback in ext/pcre/php_pcre.c,
ext/pcre/tests/bug79188.phpt.
- debian/patches/CVE-2017-9118-pre3.patch: fix excessive memory
allocation in preg_replace() in ext/pcre/php_pcre.c,
ext/pcre/tests/bug81243.phpt.
- debian/patches/CVE-2017-9118.patch: fix out of bounds in
php_pcre_replace_impl in Zend/zend_string.h, ext/pcre/php_pcre.c.
- CVE-2017-9118
* SECURITY UPDATE: DoS via memory consumption in i_zval_ptr_dtor
- debian/patches/CVE-2017-9119.patch: handle memory limit error during
string reallocation correctly in Zend/zend_string.h.
- CVE-2017-9119
* SECURITY UPDATE: DoS via integer overflow in mysqli_real_escape_string
- debian/patches/CVE-2017-9120.patch: fix overflow in
ext/mysqli/mysqli_api.c.
- CVE-2017-9120
* SECURITY UPDATE: filename truncation issue in XML parsing functions
- debian/patches/CVE-2021-21707.patch: fix a special character breaking
the path in the XML functions in ext/dom/domimplementation.c,
ext/dom/tests/bug79971_2.phpt, ext/libxml/libxml.c,
ext/simplexml/tests/bug79971_1.phpt,
ext/simplexml/tests/bug79971_1.xml.
- CVE-2021-21707
* SECURITY UPDATE: Use after free
- debian/patches/CVE-2021-21708.patch: move the call to
zval_ptr_dtor in ext/filter/logical_filters.c so that it is done
only after validation has succeeded, and add a test for this
case in ext/filter/tests/bug81708.phpt.
- CVE-2021-21708
* d/p/0047-fix-exception-infinite-loop.patch: Fix ErrorException infinite
loop (LP: #1951031)
* SECURITY UPDATE: Out of bounds read/write
- debian/patches/CVE-2021-21703.patch: the main change is to
store scoreboard procs directly in the variable-sized
array rather than indirectly through the pointer in
sapi/fpm/fpm/fpm_children.c, sapi/fpm/fpm/fpm_request.c,
sapi/fpm/fpm/fpm_scoreboard.c, sapi/fpm/fpm/fpm_scoreboard.h,
sapi/fpm/fpm/fpm_status.c, sapi/fpm/fpm/fpm_worker_pool.c.
- CVE-2021-21703
* Fix a segmentation fault and implement support for using cursors
on prepared statements in the mysqli database driver. (LP: #1939853)
- d/p/lp-1939853-1-Fix-Segfault-with-get_result-and-PS-cursors.patch
- d/p/lp-1939853-2-MySQLnd-Support-cursors-in-store-get-result.patch
* SECURITY UPDATE: crash or info disclosure via PHAR zip file
- debian/patches/CVE-2020-7068.patch: fix use after free in
ext/phar/zip.c.
- CVE-2020-7068
* SECURITY UPDATE: incorrect URL validation
- debian/patches/CVE-2020-7071-1.patch: make sure userinfo is valid
according to RFC 3986 in ext/filter/tests/bug77423.phpt,
ext/standard/url.c.
- debian/patches/CVE-2020-7071-2.patch: revert previous fix and use a
better one in ext/filter/logical_filters.c,
ext/filter/tests/bug77423.phpt, ext/standard/url.c.
- debian/patches/CVE-2020-7071-3.patch: remove unneeded function in
ext/standard/url.c.
- CVE-2020-7071
* SECURITY UPDATE: crash via malformed XML data in SOAP extension
- debian/patches/CVE-2021-21702-1.patch: check strings in
ext/soap/php_sdl.c, ext/soap/php_xml.c, ext/soap/tests/bug80672.phpt,
ext/soap/tests/bug80672.xml.
- debian/patches/CVE-2021-21702-2.patch: fix compiler warning in
ext/soap/php_sdl.c.
- CVE-2021-21702
* SECURITY UPDATE: multiple issues in the pdo_firebird module
- debian/patches/CVE-2021-21704-1.patch: prevent overflow in
ext/pdo_firebird/firebird_statement.c.
- debian/patches/CVE-2021-21704-2.patch: verify result_size in
ext/pdo_firebird/firebird_statement.c.
- debian/patches/CVE-2021-21704-3.patch: verify result_size in
ext/pdo_firebird/firebird_driver.c.
- debian/patches/CVE-2021-21704-4.patch: don't overflow stack in
ext/pdo_firebird/firebird_driver.c.
- CVE-2021-21704
* SECURITY UPDATE: SSRF bypass
- debian/patches/CVE-2021-21705.patch: check password in
ext/filter/logical_filters.c, ext/filter/tests/bug81122.phpt.
- debian/patches/CVE-2021-21705-2.patch: fix compiler warning in
ext/filter/logical_filters.c.
- CVE-2021-21705
* SECURITY UPDATE: Incorrect encryption data
- debian/patches/CVE-2020-7069.patch: fix wrong ciphertext/tag
in AES-CCM encryption for a 12-byte IV in ext/openssl/openssl.c,
ext/openssl/tests/cipher_tests.inc, ext/openssl/openssl_*_ccm.phpt.
- CVE-2020-7069
* SECURITY UPDATE: Possibly forge cookie
- debian/patches/CVE-2020-7070.patch: do not decode cookie names anymore
in main/php_variables.c, tests/basic/022.phpt, tests/basic/023.phpt,
tests/basic/bug79699.phpt.
- CVE-2020-7070
* d/p/0041-Fix-79019-Copied-cURL-handles-upload-empty-file.patch,
d/p/0042-Fix-79013-Content-Length-missing-when-posting-a-curl.patch:
Fix issue with cURL causing chunked mode for file transfers.
(LP: #1887826)
* SECURITY UPDATE: Denial of service through oversized memory allocation
- debian/patches/CVE-2019-11048.patch: change int types to size_t
in main/rfc1867.c.
- CVE-2019-11048
* libapache2-mod-php.postinst.extra: Disable other mod-php versions.
Fixes failure when upgrading from previous versions of mod-php.
(LP: #1865218)
* SECURITY UPDATE: Read one byte of uninitialized memory
- debian/patches/CVE-2020-7064.patch: check the length in
exif_process_TIFF_in_JPEG to avoid reading uninitialized memory in
ext/exif/exif.c, ext/exif/tests/bug79282.phpt.
- CVE-2020-7064
* SECURITY UPDATE: Memory corruption, crash and potentially code execution
- debian/patches/CVE-2020-7065.patch: make sure that negative values are
properly compared in ext/mbstring/php_unicode.c,
ext/mbstring/tests/bug70371.phpt.
- CVE-2020-7065
* SECURITY UPDATE: Truncated URL due to \0
- debian/patches/CVE-2020-7066.patch: make get_headers() reject
URLs containing \0 in ext/standard/url.c.
- CVE-2020-7066
* d/control, d/control.in: Conflict with mod-php from php7.2 and
php7.3 to ensure safe upgrade path for apache2.
(Fixes LP: #1850933)
* No-change rebuild for icu soname change.
* No-change rebuild to enable build for i386
* Remove /etc/init/php@PHP_VERSION@-fpm.conf, not
/etc/init/php@PHP_VERSION@.conf (Closes: #951745)
* Fixup upstart removal (missing prepare-files update) (Closes: #951745)
* Remove the PIDFile= setting from systemd unit file (it should not be
needed with Type=notify)
* Use php-fpm-socket-helper from php-common >= 1:73 to update the
default socket
* Remove upstart support, use systemd-tmpfiles to create tmpfiles
(Closes: #923032)
* New upstream version 7.4.3
* Add a note about PIDFile= and pid= match in php-fpm.conf
* Silently ignore errors from update-alternatives in php-fpm.service
* Use absolute path to update-alternatives
* Move the update-alternatives call from postinst/prerm to systemd startup script
* Make the creation of the default socket work on new installs
* Use a mock socket file for setting up FPM socket alternatives
* Create a generic /run/php/php-fpm.sock socket using update-alternatives
* New upstream version 7.4.2
* Disable dh_autoreconf for PHP, it breaks the build
* Update d/watch for final release
* New upstream version 7.4.1
* Bump the debhelper compat to 10
* Bump the Standards Version (no change)
* New upstream version 7.4.0
* Fix the FTBFS with MySQL 8.0
* New upstream version 7.4.0~rc6
* Bump d/phpapi to 20190902
* New upstream version 7.4.0~rc4
* New upstream version 7.4.0~rc3
* GMP now uses autodetection (don't pass /usr to configure)
* Bump d/phpapi to 20190902
* Enable FFI experimental extension
* Add libffi to B-D
* Remove 0003-libtool2.2.patch, it's no longer needed [GL #1236]
* New upstream version 7.4.0~beta4
* New upstream version 7.4.0~beta2
* Rebase patches for PHP 7.4.0~beta2
* New upstream version 7.4.0~beta1
* Rebase patches for PHP 7.4.0~beta1
* Configure option --with-libxml-dir is now named --with-libxml
* The recode extension has been moved to PECL.
* The interbase extension has been moved to PECL.
* The configure option for zip extension has changed from --enable-zip to --with-zlib
* The WDDX extension has been deprecated and moved to PECL.
* The configure options to enable GD extension has changed to --enable-gd and --with-external-gd
* Regenerated d/control
* Update the configure options according to UPGRADING file (mostly pkg-config related changes)
* Cleanup the missing documentation
* Update phpapi to 20190529
* New upstream version 7.4.0~alpha2
* New upstream version 7.3.7
[ Ondřej Surý ]
* New upstream version 7.3.6
[ Andreas Beckmann ]
* php7.3-curl: Add Breaks against php7.0-curl for smoother upgrades from stretch. (Closes: #929689)
* New upstream version 7.3.5
[ Andreas Beckmann ]
* php7.3-common: Add Breaks against php7.0-curl for smoother upgrades from
stretch. (Closes: #925106)
* php7.3-common: Add Breaks against gforge-common from jessie which uses a
deprecated constructor syntax.
* Deterministically generate debian/control by sorting the extension
packages.
* Update d/watch for new php.net pages
* New upstream version 7.3.4
* Enforce C++11 for intl compilation on older distributions
* New upstream version 7.3.3
* Update systzdata patch to v18 (Courtesy of RemiRepo)
* Add patch for OpenSSL 1.1.1b (Courtesy of RemiRepo)
* Update systzdata patch to v17 (Courtesy of remirepo)
* Fix the icu patch condition for icu >= 60
* New upstream version 7.3.2
* Always build spoofchecker, because we are enforcing icu >= 50.1
(Closes: #921199)
* Add patch to use pkg-config instead of icu-config to detect icu
libraries (Closes: #916110)
* New upstream version 7.3.1
* Add upstream patch to fix OPcache optimization problem for
ArrayAccess->offsetGet
* Add upstream patch to fix infinite loop in preg_replace_callback
* Fix check for rl_completion_matches in readline extension
* Update d/watch for the final PHP 7.3.0 release
* New upstream version 7.3.0
* New upstream version 7.3.0~rc6
* Don't use sed found by configure, use the sed command as available in
the host system (Closes: #913620)
* New upstream version 7.3.0~rc5
* Enable lmdb support in dba extension
* Restore correct patch name for
0040-Add-patch-to-install-php7-module-directly-to-APXS_LI.patch
* New upstream version 7.3.0~rc4
* Rebase patches for PHP 7.4.0~rc4
* Add patch to use pkg-config for FreeType2 library detection
(Closes: #911460)
* Remove libmcrypt-dev from Build-Depends
* Disable the enabled modules in prerm, because in postrm the phpquery
script is not aware of already removed sapi (Closes: #911018)
* New upstream version 7.3.0~rc3
* Rebase patches for PHP 7.3.0~rc3
* Remove ancient mv_conffile (from php5)
* Remove spurious L from phpize script (Closes: #909110)
* Downgrade dh-php from Recommends to Suggests (Closes: #910620)
* Fix the Vcs-* links
* Apply upstream patch to allow disabling pcre jit and disable it on
mips and s390x archs
* Extra 'L' is gone (Closes: #909110)
* New upstream version 7.3.0~rc2
* Rebase patches for PHP 7.3.0~rc2
* Disable assembly code with gcc 4.8 on i386
* Remove dependency on pcre3 and add libpcre2-dev to phpX.Y-dev
* New upstream version 7.3.0~beta2
* Rebase patches for PHP 7.3.0~beta2
* Fix phpdbg.1 installation path from srcdir to builddir
* Bump d/phpapi to 20180731
[ Lior Kaplan ]
* Fix syntax typo
[ Ondřej Surý ]
* New upstream version 7.3.0~beta1
* Rebase patches for PHP 7.3.0~beta1
* Use cpuid.h instead of custom assembler
* New upstream version 7.3.0~alpha4
* Rebase patches for PHP 7.3.0~alpha4
* Remove traces of ext_skel modifications
* Add <!nocheck> profile to all default-mysql-server alternatives
* Bump d/phpapi for PHP 7.3
* Add libargon2-dev as new alternative build-dependency to
libargon2-0-dev
* Update upstream signing-key.asc for PHP 7.3
* New upstream version 7.3.0~alpha3
* Build-Depend on libpcre2-dev
* Rebase patches for PHP 7.3.0~alpha3
* Update the maintainer email to team+pkg-php@tracker.debian.org
* Update the Vcs-* links to salsa.d.o
* New upstream version 7.2.7
* Refresh patches for PHP 7.2.7
* New upstream version 7.2.6
* Rebase patches for PHP version 7.2.6
* New upstream version 7.2.5
* Rebase patches for PHP 7.2.5
* New upstream version 7.2.4
* Rebase patches on top of new upstream release.
* New upstream version 7.2.3
* Rebase patches on top of new upstream release.
* Add explicit libpcre3 >= 2:8.35 dependency as dh_genshlibs is failing
to add versioned dependency for some reason.
* Remove explicit libpcre3 dependency and let dh_genshlibs do its magic
* New upstream version 7.2.2
* Rebase patches on top of new upstream release
* Regenerate d/control to finish php7.2-sodium removal
* Update the Vcs-* to salsa.d.o
* Slightly update debian/copyright (most changes were already in)
* New upstream version 7.2.1
* Rebase patches on top of new upstream release
* Get rid of extra php7.2-sodium module
* Update PHP 7.2 signing keys
* New upstream version 7.2.0
* Rebase patches for new upstream release.
* New upstream version 7.2.0~rc6
* Rebase patches for new upstream version.
* New upstream version 7.2.0~rc5
* Rebase patches for new upstream release
* Fix the usage of internal allocator in xmlrpc extension
* New upstream version 7.2.0~rc4
* Rebase patches on top of new upstream version 7.2.0~rc4
* New upstream version 7.2.0~rc3
* Refresh patches for PHP 7.2.0~rc3
* New upstream version 7.2.0~rc2
* Rebase patches on top of PHP 7.2.0~rc2
* New upstream version 7.2.0~rc1
* Rebase patches on top of PHP 7.2.0~rc1
* Update d/copyright (License check courtesy of Luca Falavigna)
* Rewrap the files in d/ with wrap-and-sort -a
* Enable Argon2 support for password hashing functions
* Enable shared libsodium extension
* Allow libgcrypt11-dev when it's not a transitional package
* New upstream version 7.2.0~beta3
* Refresh patches on top of PHP 7.2.0~beta3
* Update Vcs-* links to https://gitlab.com/deb.sury.org/...
* Stop depending on obsolete automake1.11
* Switch build-depends to libgcrypt20-dev
* Update d/watch for PHP 7.2
* New upstream version 7.2.0~beta2
* Rebase patches for PHP 7.2.0~beta2
* New upstream version 7.2.0~beta1
* Enable support for libsodium crypto
* Rebase patches on top of PHP 7.2.0~beta1
* Update phpapi for PHP 7.2 to 20170718
* New upstream version 7.2.0~alpha3
* Rebase patches on top of PHP 7.2.0~alpha3
* Update d/rules with configure.in -> configure.ac rename
* Remove mcrypt extension that has been removed upstream
* Update phpapi to 20160731