php7.0 (7.0.13-0ubuntu0.16.04.1) xenial; urgency=medium * New upstream release - LP: #1645431 - Refresh patches for new upstream release. * Drop: - SECURITY UPDATE: proxy request header vulnerability (httpoxy) + debian/patches/CVE-2016-5385.patch: only use HTTP_PROXY from the local environment in ext/standard/basic_functions.c, main/SAPI.c, main/php_variables.c. + CVE-2016-5385 [ Fixed in 7.0.9 ] - SECURITY UPDATE: inadequate error handling in bzread() + debian/patches/CVE-2016-5399.patch: do not allow reading past error read in ext/bz2/bz2.c. + CVE-2016-5399 [ Fixed in 7.0.9 ] - SECURITY UPDATE: integer overflow in the virtual_file_ex function + debian/patches/CVE-2016-6289.patch: properly check path_length in Zend/zend_virtual_cwd.c. + CVE-2016-6289 [ Fixed in 7.0.9 ] - SECURITY UPDATE: use after free in unserialize() with unexpected session deserialization + debian/patches/CVE-2016-6290.patch: destroy var_hash properly in ext/session/session.c, added test to ext/session/tests/bug72562.phpt. + CVE-2016-6290 [ Fixed in 7.0.9 ] - SECURITY UPDATE: out of bounds read in exif_process_IFD_in_MAKERNOTE + debian/patches/CVE-2016-6291.patch: add more bounds checks to ext/exif/exif.c. + CVE-2016-6291 [ Fixed in 7.0.9 ] - SECURITY UPDATE: NULL pointer dereference in exif_process_user_comment + debian/patches/CVE-2016-6292.patch: properly handle encoding in ext/exif/exif.c. + CVE-2016-6292 [ Fixed in 7.0.9 ] - SECURITY UPDATE: locale_accept_from_http out-of-bounds access + debian/patches/CVE-2016-6294.patch: check length in ext/intl/locale/locale_methods.c, added test to ext/intl/tests/bug72533.phpt. + CVE-2016-6294 [ Fixed in 7.0.9 ] - SECURITY UPDATE: use after free vulnerability in SNMP with GC and unserialize() + debian/patches/CVE-2016-6295.patch: add new handler to ext/snmp/snmp.c, add test to ext/snmp/tests/bug72479.phpt. + CVE-2016-6295 [ Fixed in 7.0.9 ] - SECURITY UPDATE: heap buffer overflow in simplestring_addn + debian/patches/CVE-2016-6296.patch: prevent overflows in ext/xmlrpc/libxmlrpc/simplestring.*. + CVE-2016-6296 [ Fixed in 7.0.9 ] - SECURITY UPDATE: integer overflow in php_stream_zip_opener + debian/patches/CVE-2016-6297.patch: use size_t in ext/zip/zip_stream.c. + CVE-2016-6297 [ Fixed in 7.0.9 ] - debian/patches/fix_exif_tests.patch: fix exif test results after security changes. [ Fixed in 7.0.9 ] - SECURITY UPDATE: denial of service or code execution via crafted serialized data + debian/patches/CVE-2016-7124.patch: fix unserializing logic in ext/session/session.c, ext/standard/var_unserializer.c*, ext/wddx/wddx.c, added tests to ext/standard/tests/serialize/bug72663.phpt, ext/standard/tests/serialize/bug72663_2.phpt, ext/standard/tests/serialize/bug72663_3.phpt. + CVE-2016-7124 [ Fixed in 7.0.10 ] - SECURITY UPDATE: arbitrary-type session data injection + debian/patches/CVE-2016-7125.patch: consume data even if not storing in ext/session/session.c, added test to ext/session/tests/bug72681.phpt. + CVE-2016-7125 [ Fixed in 7.0.10 ] - SECURITY UPDATE: denial of service and possible code execution in imagegammacorrect function + debian/patches/CVE-2016-7127.patch: check gamma values in ext/gd/gd.c, added test to ext/gd/tests/bug72730.phpt. + CVE-2016-7127 [ Fixed in 7.0.10 ] - SECURITY UPDATE: information disclosure via exif_process_IFD_in_TIFF + debian/patches/CVE-2016-7128.patch: properly handle thumbnails in ext/exif/exif.c. + CVE-2016-7128 [ Fixed in 7.0.10 ] - SECURITY UPDATE: denial of service and possible code execution via invalid ISO 8601 time value + debian/patches/CVE-2016-7129.patch: properly handle strings in ext/wddx/wddx.c, added test to ext/wddx/tests/bug72749.phpt. + CVE-2016-7129 [ Fixed in 7.0.10 ] - SECURITY UPDATE: denial of service and possible code execution via invalid base64 binary value + debian/patches/CVE-2016-7130.patch: properly handle string in ext/wddx/wddx.c, added test to ext/wddx/tests/bug72750.phpt. + CVE-2016-7130 [ Fixed in 7.0.10 ] - SECURITY UPDATE: denial of service and possible code execution via malformed wddxPacket XML document + debian/patches/CVE-2016-7131.patch: added checks to ext/wddx/wddx.c, added tests to ext/wddx/tests/bug72790.phpt, ext/wddx/tests/bug72799.phpt. + CVE-2016-7131 + CVE-2016-7132 [ Fixed in 7.0.10 ] - SECURITY UPDATE: denial of service and possible code execution via long pathname + debian/patches/CVE-2016-7133.patch: fix memory allocator in Zend/zend_alloc.c. + CVE-2016-7133 [ Fixed in 7.0.10 ] - SECURITY UPDATE: denial of service and possible code execution via long string and curl_escape call + debian/patches/CVE-2016-7134.patch: check both curl_escape and curl_unescape in ext/curl/interface.c. + CVE-2016-7134 [ Fixed in 7.0.10 ] - SECURITY UPDATE: denial of service and possible code execution via crafted field metadata in MySQL driver + debian/patches/CVE-2016-7412.patch: validate field length in ext/mysqlnd/mysqlnd_wireprotocol.c. + CVE-2016-7412 [ Fixed in 7.0.11 ] - SECURITY UPDATE: denial of service and possible code execution via malformed wddxPacket XML document + debian/patches/CVE-2016-7413.patch: fixed use-after-free in ext/wddx/wddx.c, added test to ext/wddx/tests/bug72860.phpt. + CVE-2016-7413 [ Fixed in 7.0.11 ] - SECURITY UPDATE: denial of service and possible code execution via crafted PHAR archive + debian/patches/CVE-2016-7414.patch: validate signatures in ext/phar/util.c, ext/phar/zip.c. + CVE-2016-7414 [ Fixed in 7.0.11 ] - SECURITY UPDATE: denial of service and possible code execution via MessageFormatter::formatMessage call with a long first argument + debian/patches/CVE-2016-7416.patch: added locale length check to ext/intl/msgformat/msgformat_format.c. + CVE-2016-7416 [ Fixed in 7.0.11 ] - SECURITY UPDATE: denial of service or code execution via crafted serialized data + debian/patches/CVE-2016-7417.patch: added type check to ext/spl/spl_array.c, added test to ext/spl/tests/bug73029.phpt, fix test in ext/spl/tests/bug70068.phpt. + CVE-2016-7417 [ Fixed in 7.0.11 ] - SECURITY UPDATE: denial of service and possible code execution via malformed wddxPacket XML document + debian/patches/CVE-2016-7418.patch: fix out-of-bounds read in ext/wddx/wddx.c, added test to ext/wddx/tests/bug73065.phpt. + CVE-2016-7418 [ Fixed in 7.0.11 ] -- Nishanth Aravamudan Mon, 28 Nov 2016 12:24:57 -0800 php7.0 (7.0.8-0ubuntu0.16.04.3) xenial-security; urgency=medium * SECURITY UPDATE: denial of service or code execution via crafted serialized data - debian/patches/CVE-2016-7124.patch: fix unserializing logic in ext/session/session.c, ext/standard/var_unserializer.c*, ext/wddx/wddx.c, added tests to ext/standard/tests/serialize/bug72663.phpt, ext/standard/tests/serialize/bug72663_2.phpt, ext/standard/tests/serialize/bug72663_3.phpt. - CVE-2016-7124 * SECURITY UPDATE: arbitrary-type session data injection - debian/patches/CVE-2016-7125.patch: consume data even if not storing in ext/session/session.c, added test to ext/session/tests/bug72681.phpt. - CVE-2016-7125 * SECURITY UPDATE: denial of service and possible code execution in imagegammacorrect function - debian/patches/CVE-2016-7127.patch: check gamma values in ext/gd/gd.c, added test to ext/gd/tests/bug72730.phpt. - CVE-2016-7127 * SECURITY UPDATE: information disclosure via exif_process_IFD_in_TIFF - debian/patches/CVE-2016-7128.patch: properly handle thumbnails in ext/exif/exif.c. - CVE-2016-7128 * SECURITY UPDATE: denial of service and possible code execution via invalid ISO 8601 time value - debian/patches/CVE-2016-7129.patch: properly handle strings in ext/wddx/wddx.c, added test to ext/wddx/tests/bug72749.phpt. - CVE-2016-7129 * SECURITY UPDATE: denial of service and possible code execution via invalid base64 binary value - debian/patches/CVE-2016-7130.patch: properly handle string in ext/wddx/wddx.c, added test to ext/wddx/tests/bug72750.phpt. - CVE-2016-7130 * SECURITY UPDATE: denial of service and possible code execution via malformed wddxPacket XML document - debian/patches/CVE-2016-7131.patch: added checks to ext/wddx/wddx.c, added tests to ext/wddx/tests/bug72790.phpt, ext/wddx/tests/bug72799.phpt. - CVE-2016-7131 - CVE-2016-7132 * SECURITY UPDATE: denial of service and possible code execution via long pathname - debian/patches/CVE-2016-7133.patch: fix memory allocator in Zend/zend_alloc.c. - CVE-2016-7133 * SECURITY UPDATE: denial of service and possible code execution via long string and curl_escape call - debian/patches/CVE-2016-7134.patch: check both curl_escape and curl_unescape in ext/curl/interface.c. - CVE-2016-7134 * SECURITY UPDATE: denial of service and possible code execution via crafted field metadata in MySQL driver - debian/patches/CVE-2016-7412.patch: validate field length in ext/mysqlnd/mysqlnd_wireprotocol.c. - CVE-2016-7412 * SECURITY UPDATE: denial of service and possible code execution via malformed wddxPacket XML document - debian/patches/CVE-2016-7413.patch: fixed use-after-free in ext/wddx/wddx.c, added test to ext/wddx/tests/bug72860.phpt. - CVE-2016-7413 * SECURITY UPDATE: denial of service and possible code execution via crafted PHAR archive - debian/patches/CVE-2016-7414.patch: validate signatures in ext/phar/util.c, ext/phar/zip.c. - CVE-2016-7414 * SECURITY UPDATE: denial of service and possible code execution via MessageFormatter::formatMessage call with a long first argument - debian/patches/CVE-2016-7416.patch: added locale length check to ext/intl/msgformat/msgformat_format.c. - CVE-2016-7416 * SECURITY UPDATE: denial of service or code execution via crafted serialized data - debian/patches/CVE-2016-7417.patch: added type check to ext/spl/spl_array.c, added test to ext/spl/tests/bug73029.phpt, fix test in ext/spl/tests/bug70068.phpt. - CVE-2016-7417 * SECURITY UPDATE: denial of service and possible code execution via malformed wddxPacket XML document - debian/patches/CVE-2016-7418.patch: fix out-of-bounds read in ext/wddx/wddx.c, added test to ext/wddx/tests/bug73065.phpt. - CVE-2016-7418 -- Marc Deslauriers Mon, 03 Oct 2016 13:02:19 -0400 php7.0 (7.0.8-0ubuntu0.16.04.2) xenial-security; urgency=medium * SECURITY UPDATE: proxy request header vulnerability (httpoxy) - debian/patches/CVE-2016-5385.patch: only use HTTP_PROXY from the local environment in ext/standard/basic_functions.c, main/SAPI.c, main/php_variables.c. - CVE-2016-5385 * SECURITY UPDATE: inadequate error handling in bzread() - debian/patches/CVE-2016-5399.patch: do not allow reading past error read in ext/bz2/bz2.c. - CVE-2016-5399 * SECURITY UPDATE: integer overflow in the virtual_file_ex function - debian/patches/CVE-2016-6289.patch: properly check path_length in Zend/zend_virtual_cwd.c. - CVE-2016-6289 * SECURITY UPDATE: use after free in unserialize() with unexpected session deserialization - debian/patches/CVE-2016-6290.patch: destroy var_hash properly in ext/session/session.c, added test to ext/session/tests/bug72562.phpt. - CVE-2016-6290 * SECURITY UPDATE: out of bounds read in exif_process_IFD_in_MAKERNOTE - debian/patches/CVE-2016-6291.patch: add more bounds checks to ext/exif/exif.c. - CVE-2016-6291 * SECURITY UPDATE: NULL pointer dereference in exif_process_user_comment - debian/patches/CVE-2016-6292.patch: properly handle encoding in ext/exif/exif.c. - CVE-2016-6292 * SECURITY UPDATE: locale_accept_from_http out-of-bounds access - debian/patches/CVE-2016-6294.patch: check length in ext/intl/locale/locale_methods.c, added test to ext/intl/tests/bug72533.phpt. - CVE-2016-6294 * SECURITY UPDATE: use after free vulnerability in SNMP with GC and unserialize() - debian/patches/CVE-2016-6295.patch: add new handler to ext/snmp/snmp.c, add test to ext/snmp/tests/bug72479.phpt. - CVE-2016-6295 * SECURITY UPDATE: heap buffer overflow in simplestring_addn - debian/patches/CVE-2016-6296.patch: prevent overflows in ext/xmlrpc/libxmlrpc/simplestring.*. - CVE-2016-6296 * SECURITY UPDATE: integer overflow in php_stream_zip_opener - debian/patches/CVE-2016-6297.patch: use size_t in ext/zip/zip_stream.c. - CVE-2016-6297 * debian/patches/fix_exif_tests.patch: fix exif test results after security changes. -- Marc Deslauriers Wed, 27 Jul 2016 11:22:49 -0400 php7.0 (7.0.8-0ubuntu0.16.04.1) xenial; urgency=medium * New upstream release - Closes LP: #1596578 + Fixed in upstream 7.0.6. - Drop the following patches: + 0035-Fixed-bug-63171-script-hangs-if-odbc-call-during-tim.patch [ Fixed in upstream 7.0.6 ] + 0046-Fix-ODBC-bug-for-varchars-returning-with-length-zero.patch [ Fixed in upstream 7.0.6 ] + 0047-make-opcache-lockfile-path-configurable.patch [ Fixed in upstream 7.0.6 ] + 0048-Fix-bug-71659.patch [ Fixed in upstream 7.0.5 ] + 0050-Fix-use-of-UNDEF-instead-of-NULL-in-read_dimension.patch [ Fixed in upstream 7.0.6 ] + 0051-backport-89a43425.patch [ Fixed in upstream 7.0.5 ] + 0052-backport-186844be.patch [ Fixed in upstream 7.0.5 ] + CVE-2015-8865-1.patch [ Fixed in upstream 7.0.5 ] + CVE-2015-8865-2.patch [ Fixed in upstream 7.0.5 ] + CVE-2016-3078.patch [ Fixed in upstream 7.0.6 ] + CVE-2016-3132.patch [ Fixed in upstream 7.0.6 ] + CVE-2016-4070.patch [ Fixed in upstream 7.0.5 ] + CVE-2016-4071.patch [ Fixed in upstream 7.0.5 ] + CVE-2016-4072.patch [ Fixed in upstream 7.0.5 ] + CVE-2016-4073.patch [ Fixed in upstream 7.0.5 ] + CVE-2016-4537.patch [ Fixed in upstream 7.0.7 ] + CVE-2016-4539.patch [ Fixed in upstream 7.0.7 ] + CVE-2016-4540.patch [ Fixed in upstream 7.0.7 ] + CVE-2016-4542.patch [ Fixed in upstream 7.0.7 ] * Backport from Debian 7.0.6-7: 'Remove php-gettext from phpX.Y-common provides as it clashes with existing package (Closes #823815)' (LP: #1569128). * Backport from Debian 7.0.6-8: 'Restore dba extension package' (LP: #1595215). * Regenerate d/control. -- Nishanth Aravamudan Mon, 20 Jun 2016 15:38:14 -0700 php7.0 (7.0.4-7ubuntu2.1) xenial-security; urgency=medium * SECURITY UPDATE: buffer over-write in finfo_open with malformed magic file - debian/patches/CVE-2015-8665-1.patch: properly calculate length in ext/fileinfo/libmagic/funcs.c, added test to ext/fileinfo/tests/bug71527.*. - debian/patches/CVE-2015-8665-2.patch: fix test in ext/fileinfo/tests/bug68996.phpt. - CVE-2015-8665 * SECURITY UPDATE: integer overflow in ZipArchive::getFrom* - debian/patches/CVE-2016-3078.patch: use zend_string_safe_alloc in ext/zip/php_zip.c. - CVE-2016-3078 * SECURITY UPDATE: double-free via SplDoublyLinkedList::offsetSet and invalid index - debian/patches/CVE-2016-3132.patch: remove extra free in ext/spl/spl_dllist.c, added test to ext/spl/tests/bug71735.phpt. - CVE-2016-3132 * SECURITY UPDATE: integer overflow in php_raw_url_encode - debian/patches/CVE-2016-4070.patch: use size_t in ext/standard/url.c. - CVE-2016-4070 * SECURITY UPDATE: php_snmp_error() format string Vulnerability - debian/patches/CVE-2016-4071.patch: use format string in ext/snmp/snmp.c. - CVE-2016-4071 * SECURITY UPDATE: invalid memory write in phar on filename containing NULL - debian/patches/CVE-2016-4072.patch: require valid paths in ext/phar/phar.c, ext/phar/phar_object.c, fix tests in ext/phar/tests/badparameters.phpt, ext/phar/tests/bug64931/bug64931.phpt, ext/phar/tests/create_path_error.phpt, ext/phar/tests/phar_extract.phpt, ext/phar/tests/phar_isvalidpharfilename.phpt, ext/phar/tests/phar_unlinkarchive.phpt, ext/phar/tests/pharfileinfo_construct.phpt. - CVE-2016-4072 * SECURITY UPDATE: invalid negative size in mbfl_strcut - debian/patches/CVE-2016-4073.patch: fix length checks in ext/mbstring/libmbfl/mbfl/mbfilter.c. - CVE-2016-4073 * SECURITY UPDATE: bcpowmod accepts negative scale and corrupts _one_ definition - debian/patches/CVE-2016-4537.patch: properly detect scale in ext/bcmath/bcmath.c, add test to ext/bcmath/tests/bug72093.phpt. - CVE-2016-4537 - CVE-2016-4538 * SECURITY UPDATE: xml_parse_into_struct segmentation fault - debian/patches/CVE-2016-4539.patch: check parser->level in ext/xml/xml.c, added test to ext/xml/tests/bug72099.phpt. - CVE-2016-4539 * SECURITY UPDATE: out-of-bounds reads in zif_grapheme_stripos and zif_grapheme_strpos with negative offset - debian/patches/CVE-2016-4540.patch: check bounds in ext/intl/grapheme/grapheme_string.c, added test to ext/intl/tests/bug72061.phpt. - CVE-2016-4540 - CVE-2016-4541 * SECURITY UPDATE: out of bounds heap read access in exif header processing - debian/patches/CVE-2016-4542.patch: check sizes and length in ext/exif/exif.c. - CVE-2016-4542 - CVE-2016-4543 - CVE-2016-4544 * Re-enable test suite - debian/rules, debian/setup-mysql.sh: updated for new MySQL version and new layout. -- Marc Deslauriers Thu, 19 May 2016 11:04:26 -0400 php7.0 (7.0.4-7ubuntu2) xenial; urgency=medium * debian/patches/0052-backport-186844be.patch: Fix bug #71695: Global variables are resreved before execution. Closes LP: #1569509. -- Nishanth Aravamudan Wed, 13 Apr 2016 12:45:21 -0700 php7.0 (7.0.4-7ubuntu1) xenial; urgency=medium * Merge with Debian unstable (LP: #1567158). Remaining changes: - debian/patches/0051-backport-89a43425.patch: Fix incompatible pointers on 64-bit. Closes LP #1558201. * Drop: - Add support for independent source packages php7.0 and php7.0-universe-source (LP #1555843): - d/control{,.in}: drop Build-Depends on firebird-dev, libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev and libzip-dev. - d/control: drop binary packages php7.0-imap, php7.0-interbase, php7.0-mcrypt and php7.0-zip and their reverse dependencies. - d/control{,.in}: add Build-Depends on dctrl-tools. - d/rules.d/ext-interbase.mk: add pdo config to interbase's config, as php7.0-universe-common will not use ext-common.mk. - d/control{,.in}: switch Build-Depends of netcat-traditional to netcat-openbsd as only the latter is in main. - d/rules: do not generate debian/tests/control when building for universe. - d/rules: use grep-dctrl to remove binary packages not generated by this source package during the build (dpkg-genchanges complains otherwise). - php7.0-interbase: Do not install pdo.so, as it is provided by php7.0-common (LP #1556486). [ Xenial now supports building packages in main with universe build-deps ] - debian/patches/0048-fix-bug-71659-pcre-segfault-in-twig-tests.patch: Replace bump regex with calculate_unit_length(). Closes LP: #1548442. [ merged in Debian ] * d/t/control{,.in}: add dependency on wget -- Nishanth Aravamudan Thu, 07 Apr 2016 15:57:00 -0700 php7.0 (7.0.4-7) unstable; urgency=medium * Add upstart init script for backport reasons * Add do_tmpfiles() call to php-fpm-checkconf to get consistent behaviour in all init systems * Fix use of UNDEF instead of NULL in read_dimension (Courtesy of Nikita Popov) * libphp-embed 'update-alternatives --remove' call needs to be in prerm script * Override maintainer-script-empty prerm in PHP extension packages * apache2-module-depends-on-real-apache2-package lintian-override needs to go in php-sapi.lintian-overrides to have any effect * Move embedded library fileinfo lintian-override to php-common.lintian-overrides.extra * Add missing #EXTRA# to php-module.lintian-overrides template -- Ondřej Surý Fri, 25 Mar 2016 17:25:41 +0100 php7.0 (7.0.4-6) unstable; urgency=medium * Add patch to fix segmentation fault in pcre running twig tests * Register libphp@PHP_MAJOR@.so with update-alternatives, so there's no dangling symbol in the piuparts * Really expand $libdir and $datadir before AC_SUBST to allow passing ${prefix} as part of --with-libdir * Don't reset module provides at every dsoname, but at every module name * Set PEAR_INSTALL_DIR manually to /usr/share/php even if we are not building PEAR, so PEAR have correct paths -- Ondřej Surý Mon, 14 Mar 2016 16:11:21 +0100 php7.0 (7.0.4-5ubuntu2) xenial; urgency=medium * debian/patches/0048-fix-bug-71659-pcre-segfault-in-twig-tests.patch: Replace bump regex with calculate_unit_length(). Closes LP: #1548442. * debian/patches/0049-backport-89a43425.patch: Fix incompatible pointers on 64-bit. Closes LP: #1558201. -- Nishanth Aravamudan Wed, 16 Mar 2016 12:30:50 -0700 # For older changelog entries, run 'apt-get changelog php7.0-common'