| Age | Commit message (Collapse) | Author |
|---|
|
0006-Fix-php-fpm.service.in.patch already included:
https://github.com/php/php-src/commit/bb19125781c0794da9a63fee62e263ff4efff661
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
Fixed CVEs:
- CVE-2016-9933 (imagefilltoborder stackoverflow on truecolor images)
http://bugs.php.net/72696
- CVE-2016-9934 (NULL Pointer Dereference in WDDX Packet
Deserialization with PDORow)
http://bugs.php.net/73331
Full ChangeLog:
http://php.net/ChangeLog-7.php#7.1.0
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
Release notes: http://php.net/ChangeLog-7.php#7.0.13
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
See http://www.php.net/ChangeLog-7.php#7.0.12 since there are no CVEs
out yet.
And drop upstream patch.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Signed-off-by: Tatsuyuki Ishi <ishitatsuyuki@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Changelog is available here: http://php.net/ChangeLog-7.php#7.0.8
Fixes CVE-2015-8874 http://bugs.php.net/66387
Fixes CVE-2016-5766 http://bugs.php.net/72339
Fixes CVE-2016-5767 http://bugs.php.net/72446
Fixes CVE-2016-5768 http://bugs.php.net/72402
Fixes CVE-2016-5769 http://bugs.php.net/72455
Fixes CVE-2016-5772 http://bugs.php.net/72340
Fixes CVE-2016-5773 http://bugs.php.net/72434
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Fixes CVE-2013-7456 https://bugs.php.net/bug.php?id=72227
Fixes CVE-2016-5093 https://bugs.php.net/bug.php?id=72241
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Remove MySQL legacy extension.
Remove incompatible external modules:
- php-gnupg
- php-memcached
- php-ssh2
- php-yaml
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Fixes (CVEs not assigned yet):
bug #72094 - Out of bounds heap read access in exif header processing
bug #71912 - libgd: signedness vulnerability
bug #72061 - Out-of-bounds reads in zif_grapheme_stripos with negative offset
bug #71843 - null ptr deref ZEND_RETURN_SPEC_CONST_HANDLER
bug #71952 - Corruption inside imageaffinematrixget
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
Fixes (no CVEs yet):
Buffer over-write in finfo_open with malformed magic file.
Invalid memory write in phar on filename with \0 in name.
Parsing of tar file with duplicate filenames causes memory leak.
php_snmp_error() Format String Vulnerability.
Integer Overflow in php_raw_url_encode.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
Changelog: http://www.php.net/ChangeLog-5.php#5.6.18
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Acked-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of
Bounds).
Bug #70755 (fpm_log.c memory leak and buffer overflow).
Bug #70661 (Use After Free Vulnerability in WDDX Packet
Deserialization).
Bug #70741 (Session WDDX Packet Deserialization Type Confusion
Vulnerability).
Bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker()).
No CVEs assigned yet.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
Link to release announcement:
http://php.net/archive/2015.php#id2015-09-04-2
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
http://www.php.net/ChangeLog-5.php#5.6.12
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Fixes:
CVE-2015-3152 - mysqlnd is vulnerable to BACKRONYM
And other security bugs with no CVE assigned yet:
Bug #69972 - Use-after-free vulnerability in
sqlite3SafetyCheckSickOrOk()
Bug # 69970 - Use-after-free vulnerability in
spl_recursive_it_move_forward_ex()
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Fixes:
CVE-2015-3414, CVE-2015-3415, CVE-2015-3416 (via bundled sqlite
upgrade).
CVE-2015-2325, CVE-2015-2326 (via bundled pcre upgrade).
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
Acked-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
Fixes:
CVE-2015-1351 - OPCache: Use After Free
CVE-2015-1352 - Postgres: Null pointer dereference
And others with no CVE assigned yet.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Fixes:
CVE-2015-0231 - Use After Free Vulnerability in unserialize()
CVE-2015-2305 - heap overflow vulnerability in regcomp.c
CVE-2015-2331 - ZIP Integer Overflow leads to writing past heap boundary
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Fixes:
CVE-2015-0273 - Use after free vulnerability in unserialize() with
DateTimeZone.
CVE-2015-0235 - Mitigation for GHOST: glibc gethostbyname buffer
overflow.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Fixes:
CVE-2015-0231 - Use After Free Vulnerability in PHP's unserialize()
CVE-2014-9427 - Out of bounds read crashes php-cgi
CVE-2015-0232 - Free called on unitialized pointer
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
Fixes:
CVE-2014-8142 - Use after free vulnerability in unserialize()
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
Fixes:
CVE-2014-3710 - fileinfo: out-of-bounds read in elf note headers.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Reviewed-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Tested-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
Fixes:
CVE-2014-3669 - Integer overflow in unserialize() (32-bits only)
CVE-2014-3670 - Heap corruption in exif_thumbnail()
CVE-2014-3668 - Global buffer overflow in mkgmtime() function
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Acked-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Add hash and switch to xz download for space savings.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
