[no description] https://git.osdyson.ru/mirror/pkgsrc/atom?h=pkgsrc-2014Q2 2014-08-25T16:14:59Z 2014-08-25T16:14:59Z tron tron@pkgsrc.org 2014-08-25T16:14:59Z urn:sha1:99328f254bb4a3774bf28fb9cc7269f752ffb635 lang/php55: security update Revisions pulled up: - lang/php/phpversion.mk patch - lang/php55/Makefile 1.16 - lang/php55/distinfo 1.27-1.28 - lang/php55/patches/patch-aclocal.m4 1.2 - lang/php55/patches/patch-build_libtool.m4 1.2 - lang/php55/patches/patch-configure 1.8 - lang/php55/patches/patch-ext_gd_libgd_gdxpm.c deleted - lang/php55/patches/patch-ext_spl_spl__array.c deleted - lang/php55/patches/patch-ext_spl_spl__dllist.c deleted --- Module Name: pkgsrc Committed By: taca Date: Sat Jul 26 00:11:55 UTC 2014 Modified Files: pkgsrc/lang/php: phpversion.mk pkgsrc/lang/php55: Makefile distinfo pkgsrc/lang/php55/patches: patch-aclocal.m4 patch-build_libtool.m4 patch-configure Removed Files: pkgsrc/lang/php55/patches: patch-ext_spl_spl__array.c patch-ext_spl_spl__dllist.c Log Message: Update php55 to 5.5.15. 24 Jul 2014, PHP 5.5.15 - Core: . Fixed bug #67428 (header('Location: foo') will override a 308-399 response code). (Adam) . Fixed bug #67436 (Autoloader isn't called if two method definitions don't match). (Bob) . Fixed bug #67091 (make install fails to install libphp5.so on FreeBSD 10.0). (Ferenc) . Fixed bug #67497 (eval with parse error causes segmentation fault in generator). (Nikita) . Fixed bug #67151 (strtr with empty array crashes). (Nikita) . Fixed bug #67407 (Windows 8.1/Server 2012 R2 reported as Windows 8/Server 2012). (Christian Wenz) - CLI server: . Implemented FR #67429 (CLI server is missing some new HTTP response codes). (Adam) . Fixed bug #66830 (Empty header causes PHP built-in web server to hang). (Adam) - FPM: . Fixed bug #67530 (error_log=syslog ignored). (Remi) . Fixed bug #67531 (syslog cannot be set in pool configuration). (Remi) - Intl: . Fixed bug #66921 (Wrong argument type hint for function intltz_from_date_time_zone). (Stas) . Fixed bug #67052 (NumberFormatter::parse() resets LC_NUMERIC setting). (Stas) - OPCache: . Fixed bug #67215 (php-cgi work with opcache, may be segmentation fault happen) (Dmitry, Laruence) - pgsql: . Fixed bug #67550 (Error in code "form" instead of "from", pgsql.c, line 756), which affected builds against libpq < 7.3. (Adam) - Phar: . Fixed bug #67587 (Redirection loop on nginx with FPM). (Christian Weiske) - SPL: . Fixed bug #67539 (ArrayIterator use-after-free due to object change during sorting). (research at insighti dot org, Laruence) . Fixed bug #67538 (SPL Iterators use-after-free). (CVE-2014-4670) (Laruence) - Streams: . Fixed bug #67430 (http:// wrapper doesn't follow 308 redirects). (Adam) --- Module Name: pkgsrc Committed By: taca Date: Sat Aug 23 16:09:21 UTC 2014 Modified Files: pkgsrc/lang/php: phpversion.mk pkgsrc/lang/php55: distinfo Removed Files: pkgsrc/lang/php55/patches: patch-ext_gd_libgd_gdxpm.c Log Message: Update php55 to 5.5.16 (PHP 5.5.16). 21 Aug 2014, PHP 5.5.16 - COM: . Fixed missing type checks in com_event_sink (Yussuf Khalil, Stas). - Fileinfo: . Fixed bug #67705 (extensive backtracking in rule regular expression). (CVE-2014-3538) (Remi) . Fixed bug #67716 (Segfault in cdf.c). (CVE-2014-3587) (Remi) - FPM: . Fixed bug #67635 (php links to systemd libraries without using pkg-config). (pacho@gentoo.org, Remi) - GD: . Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference). (CVE-2014-2497) (Remi) . Fixed bug #67730 (Null byte injection possible with imagexxx functions). (CVE-2014-5120) (Ryan Mauger) - Milter: . Fixed bug #67715 (php-milter does not build and crashes randomly). (Mike) - OpenSSL: . Fixed missing type checks in OpenSSL options (Yussuf Khalil, Stas). - readline: . Fixed bug #55496 (Interactive mode doesn't force a newline before the prompt). (Bob, Johannes) . Fixed bug #67496 (Save command history when exiting interactive shell with control-c). (Dmitry Saprykin, Johannes) - Sessions: . Fixed missing type checks in php_session_create_id (Yussuf Khalil, Stas). - Core: . Fixed bug #67693 (incorrect push to the empty array) (Tjerk) . Fixed bug #67717 (segfault in dns_get_record). (CVE-2014-3597) (Remi) - ODBC: . Fixed bug #60616 (odbc_fetch_into returns junk data at end of multi-byte char fields). (Keyur) 2014-07-17T18:03:59Z tron tron@pkgsrc.org 2014-07-17T18:03:59Z urn:sha1:8a767b062d388ba6fc12f5f02ff6a89e910f44ef lang/php55: security patch Revisions pulled up: - lang/php55/Makefile 1.15 - lang/php55/distinfo 1.26 - lang/php55/patches/patch-ext_spl_spl__array.c 1.1 - lang/php55/patches/patch-ext_spl_spl__dllist.c 1.1 --- Module Name: pkgsrc Committed By: taca Date: Sun Jul 13 15:23:42 UTC 2014 Modified Files: pkgsrc/lang/php55: Makefile distinfo Added Files: pkgsrc/lang/php55/patches: patch-ext_spl_spl__array.c patch-ext_spl_spl__dllist.c Log Message: Add fix for CVE-2014-4698 and CVE-2014-4670. Bump PKGREVISION. 2014-06-27T11:34:19Z taca taca@pkgsrc.org 2014-06-27T11:34:19Z urn:sha1:4b63706cae6666c21bc1aa270d28924f2a2d14b2 26 Jun 2014, PHP 5.5.14 - Core: . Fixed BC break introduced by patch for bug #67072. (Anatol, Stas) . Fixed bug #66622 (Closures do not correctly capture the late bound class (static::) in some cases). (Levi Morrison) . Fixed bug #67390 (insecure temporary file use in the configure script). (CVE-2014-3981) (Remi) . Fixed bug #67399 (putenv with empty variable may lead to crash). (Stas) . Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability). (Stefan Esser) - CLI server: . Fixed Bug #67406 (built-in web-server segfaults on startup). (Remi) - Date: . Fixed bug #67308 (Serialize of DateTime truncates fractions of second). (Adam) . Fixed regression in fix for bug #67118 (constructor can't be called twice). (Remi) - Fileinfo: . Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary check). (CVE-2014-0207) . Fixed bug #67410 (fileinfo: mconvert incorrect handling of truncated pascal string size). (CVE-2014-3478) (Francisco Alonso, Jan Kaluza, Remi) . Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary check). (CVE-2014-3479) (Francisco Alonso, Jan Kaluza, Remi) . Fixed bug #67412 (fileinfo: cdf_count_chain insufficient boundary check). (CVE-2014-3480) (Francisco Alonso, Jan Kaluza, Remi) . Fixed bug #67413 (fileinfo: cdf_read_property_info insufficient boundary check). (CVE-2014-3487) (Francisco Alonso, Jan Kaluza, Remi) - Intl: . Fixed bug #67349 (Locale::parseLocale Double Free). (Stas) . Fixed bug #67397 (Buffer overflow in locale_get_display_name and uloc_getDisplayName (libicu 4.8.1)). (Stas) - Network: . Fixed bug #67432 (Fix potential segfault in dns_get_record()). (CVE-2014-4049). (Sara) - OPCache: . Fixed issue #183 (TMP_VAR is not only used once). (Dmitry, Laruence) - OpenSSL: . Fixed bug #65698 (certificates validity parsing does not work past 2050). (Paul Oehler) . Fixed bug #66636 (openssl_x509_parse warning with V_ASN1_GENERALIZEDTIME). (Paul Oehler) - PDO-ODBC: . Fixed bug #50444 (PDO-ODBC changes for 64-bit). - SOAP: . Implemented FR #49898 (Add SoapClient::__getCookies()). (Boro Sitnikovski) - SPL: . Fixed bug #66127 (Segmentation fault with ArrayObject unset). (Stas) . Fixed bug #67359 (Segfault in recursiveDirectoryIterator). (Laruence) . Fixed bug #67360 (Missing element after ArrayObject::getIterator). (Adam) . Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion). (CVE-2014-3515) (Stefan Esser) . Fixed bug #67118 (DateTime constructor crash with invalid data). (Anatol) . Fixed bug #67251 (date_parse_from_format out-of-bounds read). (Stas) . Fixed bug #67253 (timelib_meridian_with_check out-of-bounds read). (Stas) - DOM: . Fixed bug #67081 (DOMDocumentType->internalSubset returns entire DOCTYPE tag, not only the subset). (Anatol) - Fileinfo: . Fixed bug #66307 (Fileinfo crashes with powerpoint files). (Anatol) . Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS) (CVE-2014-0238). . Fixed bug #67328 (fileinfo: fileinfo: numerous file_printf calls resulting in performance degradation) (CVE-2014-0237). - FPM: . Fixed bug #66908 (php-fpm reload leaks epoll_create() file descriptor). (Julio Pintos) - GD: . Fixed bug #67248 (imageaffinematrixget missing check of parameters). (Stas) - PCRE: . Fixed bug #67238 (Ungreedy and min/max quantifier bug, applied patch from the upstream). (Anatol) - Phar: . Fix bug #64498 ($phar->buildFromDirectory can't compress file with an accent in its name). (PR #588) 2014-06-13T14:31:19Z fhajny fhajny@pkgsrc.org 2014-06-13T14:31:19Z urn:sha1:a330d99a924cfbd57b62340acc8bebc62c8f3ba2 Fixes the problem where thread safety was not consistent in the php, ap-php and php-* extension packages, and makes ap-php adhere to the maintainer-zts option. Bump PKGREVISION. 2014-06-13T14:13:20Z fhajny fhajny@pkgsrc.org 2014-06-13T14:13:20Z urn:sha1:53daa7f47ed8b1a0ebaaf47e967615d0b342985e Bump PKGREVISION for this and the previous commit. 2014-06-13T14:09:34Z fhajny fhajny@pkgsrc.org 2014-06-13T14:09:34Z urn:sha1:a84ae7b840232985e82198a5ff81ea91a49e72ee See https://bugs.php.net/bug.php?id=65800. 2014-05-31T04:26:39Z taca taca@pkgsrc.org 2014-05-31T04:26:39Z urn:sha1:a25138c2435d0ccc1ee10a8a6952e24a66a9ccc9 29 May 2014, PHP 5.5.13 - CLI server: . Fixed bug #67079 (Missing MIME types for XML/XSL files). (Anatol) - COM: . Fixed bug #66431 (Special Character via COM Interface (CP_UTF8)). (Anatol) - Core: . Fixed bug #65701 (copy() doesn't work when destination filename is created by tempnam()). (Boro Sitnikovski) . Fixed bug #67072 (Echoing unserialized "SplFileObject" crash). (Anatol) . Fixed bug #67245 (usage of memcpy() with overlapping src and dst in zend_exceptions.c). (Bob) . Fixed bug #67247 (spl_fixedarray_resize integer overflow). (Stas) . Fixed bug #67249 (printf out-of-bounds read). (Stas) . Fixed bug #67250 (iptcparse out-of-bounds read). (Stas) . Fixed bug #67252 (convert_uudecode out-of-bounds read). (Stas) - Curl: . Fixed bug #64247 (CURLOPT_INFILE doesn't allow reset). (Mike) - Date: . Fixed bug #67118 (DateTime constructor crash with invalid data). (Anatol) . Fixed bug #67251 (date_parse_from_format out-of-bounds read). (Stas) . Fixed bug #67253 (timelib_meridian_with_check out-of-bounds read). (Stas) - DOM: . Fixed bug #67081 (DOMDocumentType->internalSubset returns entire DOCTYPE tag, not only the subset). (Anatol) - Fileinfo: . Fixed bug #66307 (Fileinfo crashes with powerpoint files). (Anatol) . Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS) (CVE-2014-0238). . Fixed bug #67328 (fileinfo: fileinfo: numerous file_printf calls resulting in performance degradation) (CVE-2014-0237). - FPM: . Fixed bug #66908 (php-fpm reload leaks epoll_create() file descriptor). (Julio Pintos) - GD: . Fixed bug #67248 (imageaffinematrixget missing check of parameters). (Stas) - PCRE: . Fixed bug #67238 (Ungreedy and min/max quantifier bug, applied patch from the upstream). (Anatol) - Phar: . Fix bug #64498 ($phar->buildFromDirectory can't compress file with an accent in its name). (PR #588) 2014-05-11T11:20:47Z he he@pkgsrc.org 2014-05-11T11:20:47Z urn:sha1:5ff5ac993a48ed991568b3a54a0cb359e3154661 https://bugs.php.net/patch-display.php?bug_id=66901 Bump PKGREVISION for php-gd correspondingly. 2014-05-01T15:52:33Z taca taca@pkgsrc.org 2014-05-01T15:52:33Z urn:sha1:5ec4670d5e7942a691081f4609d4865ab48f865b 01 May 2014, PHP 5.5.12 - Core: . Fixed bug #61019 (Out of memory on command stream_get_contents). (Mike) . Fixed bug #64330 (stream_socket_server() creates wrong Abstract Namespace UNIX sockets). (Mike) . Fixed bug #66182 (exit in stream filter produces segfault). (Mike) . Fixed bug #66736 (fpassthru broken). (Mike) . Fixed bug #67024 (getimagesize should recognize BMP files with negative height). (Gabor Buella) . Fixed bug #67043 (substr_compare broke by previous change) (Tjerk) - cURL: . Fixed bug #66562 (curl_exec returns differently than curl_multi_getcontent). (Freek Lijten) - Date: . Fixed bug #66721 (__wakeup of DateTime segfaults when invalid object data is supplied). (Boro Sitnikovski) - Embed: . Fixed bug #65715 (php5embed.lib isn't provided anymore). (Anatol). - Fileinfo: . Fixed bug #66987 (Memory corruption in fileinfo ext / bigendian). (Remi) - FPM: . Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf). . Fixed bug #67060 (possible privilege escalation due to insecure default configuration). (CVE-2014-0185) (christian at hoffie dot info) - JSON: . Fixed bug #66021 (Blank line inside empty array/object when JSON_PRETTY_PRINT is set). (Kevin Israel) - LDAP: . Fixed issue with null bytes in LDAP bindings. (Matthew Daley) - mysqli: . Fixed problem in mysqli_commit()/mysqli_rollback() with second parameter (extra comma) and third parameters (lack of escaping). (Andrey) - OpenSSL: . Fix bug #66942 (memory leak in openssl_seal()). (Chuan Ma) . Fix bug #66952 (memory leak in openssl_open()). (Chuan Ma) - SimpleXML: . Fixed bug #66084 (simplexml_load_string() mangles empty node name) (Anatol) - SQLite: . Fixed bug #66967 (Updated bundled libsqlite to 3.8.4.3). (Anatol) - XSL: . Fixed bug #53965 (<xsl:include> cannot find files with relative paths when loaded with "file://"). (Anatol) - Apache2 Handler SAPI: . Fixed Apache log issue caused by APR's lack of support for %zu (APR issue https://issues.apache.org/bugzilla/show_bug.cgi?id=56120). (Jeff Trawick) 2014-04-14T10:17:19Z jperkin jperkin@pkgsrc.org 2014-04-14T10:17:19Z urn:sha1:512dd58bbd10c985399326b183e1eaeb2df7939d from the PHP build.