The PHP development team would like to announce the immediate availability of PHP 5.2.9. This release focuses on improving the stability of the PHP 5.2.x branch with over 50 bug fixes, several of which are security related. All users of PHP are encouraged to upgrade to this release.

Security Enhancements and Fixes in PHP 5.2.9:

    * Fixed security issue in imagerotate(), background colour isn't validated correctly with a non truecolour image. Reported by Hamid Ebadi, APA Laboratory (Fixes CVE-2008-5498). (Scott)
    * Fixed a crash on extract in zip when files or directories entry names contain a relative path. (Pierre)
    * Fixed explode() behavior with empty string to respect negative limit. (Shire)
    * Fixed a segfault when malformed string is passed to json_decode(). (Scott)

Key enhancements in PHP 5.2.9 include:

    * Added optional sorting type flag parameter to array_unique(). Default is SORT_REGULAR. (Andrei)
    * Fixed bug #45996 (libxml2 2.7 causes breakage with character data in xml_parse()). (Rob)
    * A number of fixes in the mbstring extension (Moriyoshi)
    * Fixed bug #44336 (Improve pcre UTF-8 string matching performance). (frode at coretrek dot com, Nuno)
    * Fixed bug #46699 (xml_parse crash when parser is namespace aware). (Rob)
    * Fixed bug #46748 (Segfault when an SSL error has more than one error). (Scott)
    * Fixed bug #46889 (Memory leak in strtotime()). (Derick)
    * Fixed bug #47049 (SoapClient::__soapCall causes a segmentation fault). (Dmitry)
    * Fixed bug #47165 (Possible memory corruption when passing return value by reference). (Dmitry)
    * Fixed bug #47282 (FILTER_VALIDATE_EMAIL is marking valid email addresses as invalid). (Ilia)
    * Fixed bug #47422 (modulus operator returns incorrect results on 64 bit linux). (Matt)
    * Over 50 bug fixes.

6 files changed, 27 insertions, 43 deletions

diff --git a/lang/php5/Makefile b/lang/php5/Makefile
index 57a1dbecd58..8dbe5b56983 100644
--- a/lang/php5/Makefile
+++ b/lang/php5/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.70 2009/02/07 18:03:00 adrianp Exp $
+# $NetBSD: Makefile,v 1.71 2009/03/02 22:52:17 adrianp Exp $
 
 PKGNAME=		php-${PHP_BASE_VERS}
-PKGREVISION=		1
 CATEGORIES=		lang
 HOMEPAGE=		http://www.php.net/
 COMMENT=		PHP Hypertext Preprocessor version 5
diff --git a/lang/php5/Makefile.common b/lang/php5/Makefile.common
index e0608347f66..30a768a69a1 100644
--- a/lang/php5/Makefile.common
+++ b/lang/php5/Makefile.common
@@ -1,7 +1,16 @@
-# $NetBSD: Makefile.common,v 1.34 2009/02/25 16:16:33 tnn Exp $
+# $NetBSD: Makefile.common,v 1.35 2009/03/02 22:52:17 adrianp Exp $
 # used by lang/php5/Makefile.php
 # used by lang/php/ext.mk
 
+#
+# NOTE:
+# The suhosin option includes a patch from http://www.hardened-php.net/
+# Which tracks with the exact version number of PHP.  There may be a delay
+# in the patch which can leave the option broken until an updated patch
+# is released.  When updating PHP please don't forget to update the
+# distnfo with the details of the suhosin patch as well.
+#
+
 .if !defined(DISTNAME)
 DISTNAME=		php-${PHP_BASE_VERS}
 DIST_SUBDIR=		${DISTNAME}
@@ -17,7 +26,7 @@ EXTRACT_SUFX?=		.tar.bz2
 MAINTAINER?=		jdolecek@NetBSD.org
 HOMEPAGE?=		http://www.php.net/
 
-PHP_BASE_VERS=		5.2.8
+PHP_BASE_VERS=		5.2.9
 
 PHP_EXTENSION_DIR=	lib/php/20040412
 PLIST_SUBST+=		PHP_EXTENSION_DIR=${PHP_EXTENSION_DIR:Q}
diff --git a/lang/php5/Makefile.php b/lang/php5/Makefile.php
index 4cdc2d989ed..2b26486bd88 100644
--- a/lang/php5/Makefile.php
+++ b/lang/php5/Makefile.php
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.php,v 1.32 2009/02/22 23:38:46 adrianp Exp $
+# $NetBSD: Makefile.php,v 1.33 2009/03/02 22:52:17 adrianp Exp $
 #
 
 .include "../../lang/php5/Makefile.common"
@@ -55,12 +55,20 @@ SUBST_MESSAGE.ini=	Fixing default ini files.
 .include "../../mk/bsd.options.mk"
 
 .if !empty(PKG_OPTIONS:Msuhosin)
+SUHOSIN_PHPVER=		5.2.8
+. if ${SUHOSIN_PHPVER} != ${PHP_BASE_VERS}
+PKG_FAIL_REASON+=	"The suhosin patch is currently not available for"
+PKG_FAIL_REASON+=	"this version of PHP.  You may have to wait until"
+PKG_FAIL_REASON+=	"an updated patch is released or temporarily"
+PKG_FAIL_REASON+=	"build this package without the suhosin option."
+. else
 PATCH_SITES=		http://download.suhosin.org/
-PATCHFILES+=		suhosin-patch-5.2.8-0.9.6.3.patch.gz
+PATCHFILES+=		suhosin-patch-${SUHOSIN_PHPVER}-0.9.6.3.patch.gz
 PATCH_DIST_STRIP=	-p1
 PLIST.suhosin=		yes
 MESSAGE_SRC=		${.CURDIR}/../../lang/php5/MESSAGE
 MESSAGE_SRC+=		${.CURDIR}/../../lang/php5/MESSAGE.suhosin
+. endif
 .endif
 
 .if !empty(PKG_OPTIONS:Minet6)
diff --git a/lang/php5/PLIST b/lang/php5/PLIST
index aaea7403790..bba0d5e5049 100644
--- a/lang/php5/PLIST
+++ b/lang/php5/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.20 2009/02/17 23:18:55 adrianp Exp $
+@comment $NetBSD: PLIST,v 1.21 2009/03/02 22:52:17 adrianp Exp $
 bin/php
 bin/php-config
 bin/phpize
@@ -87,7 +87,6 @@ include/php/ext/pcre/pcrelib/pcre.h
 include/php/ext/pcre/pcrelib/pcre_internal.h
 include/php/ext/pcre/pcrelib/pcreposix.h
 include/php/ext/pcre/pcrelib/ucp.h
-include/php/ext/pcre/pcrelib/ucptable.h
 include/php/ext/pcre/php_pcre.h
 include/php/ext/session/mod_files.h
 include/php/ext/session/mod_user.h
diff --git a/lang/php5/distinfo b/lang/php5/distinfo
index 8b589baaaf2..4e88d62a815 100644
--- a/lang/php5/distinfo
+++ b/lang/php5/distinfo
@@ -1,11 +1,8 @@
-$NetBSD: distinfo,v 1.60 2009/02/25 08:59:47 sborrill Exp $
+$NetBSD: distinfo,v 1.61 2009/03/02 22:52:17 adrianp Exp $
 
-SHA1 (php-5.2.8/php-5.2.8.tar.bz2) = d285636144e0a4aa61195793634807e763c63dc3
-RMD160 (php-5.2.8/php-5.2.8.tar.bz2) = d38fe5d918c335089a027600a93d950f417a7e98
-Size (php-5.2.8/php-5.2.8.tar.bz2) = 9827180 bytes
-SHA1 (php-5.2.8/suhosin-patch-5.2.8-0.9.6.3.patch.gz) = b1f12dd856778e734837819114d278adaa3cfe05
-RMD160 (php-5.2.8/suhosin-patch-5.2.8-0.9.6.3.patch.gz) = 9c8a0972e75e1ad887b940f57aec4d877e9364bd
-Size (php-5.2.8/suhosin-patch-5.2.8-0.9.6.3.patch.gz) = 23125 bytes
+SHA1 (php-5.2.9/php-5.2.9.tar.bz2) = 1c738dbd7e3f8d723b6ce2e0fbc90a69e249f5f0
+RMD160 (php-5.2.9/php-5.2.9.tar.bz2) = fc2b316ff05462667704027cf2a1a4ac0a238422
+Size (php-5.2.9/php-5.2.9.tar.bz2) = 10203122 bytes
 SHA1 (patch-aa) = 20bc3831e435182d014b11ae9f1f6c537a21af20
 SHA1 (patch-ad) = b324c33b1e70adee5b89dcecdd7690dcadcc18ec
 SHA1 (patch-ag) = 4ccb67ba6f5370b1d16b087e3e714de3e5ae604e
@@ -16,4 +13,3 @@ SHA1 (patch-an) = 8f4174627b8cb5f8bfbc59413c95f71e26b9e602
 SHA1 (patch-ap) = 5eb0e0e4244a993da93e36f8fcb5553454207fce
 SHA1 (patch-aq) = 0c9d48547da2fa80aa8357d23ad8505d1c0330df
 SHA1 (patch-ar) = 2d74ec926cc00bfbb67d16210af78c33ad9ac38d
-SHA1 (patch-as) = 7612bf91fe04d980a41dbb0ea652fd50d3b5cebb
diff --git a/lang/php5/patches/patch-as b/lang/php5/patches/patch-as
deleted file mode 100644
index 00a413a933c..00000000000
--- a/lang/php5/patches/patch-as
+++ /dev/null
@@ -1,27 +0,0 @@
-$NetBSD: patch-as,v 1.4 2009/02/25 08:59:47 sborrill Exp $
-
-Fix memory leak and pullup bug fix for http://bugs.php.net/bug.php?id=46918
-
-Remove this patch when PHP >= 5.2.9 is released as it will contain these
-changes
-
---- ext/imap/php_imap.c.orig	2009-02-24 17:45:27.000000000 +0000
-+++ ext/imap/php_imap.c	2009-02-24 17:47:14.000000000 +0000
-@@ -2172,7 +2172,7 @@
- 
- 	/* rfc822_parse_adrlist() modifies passed string. Copy it. */
- 	str_copy = estrndup(Z_STRVAL_PP(str), Z_STRLEN_PP(str));
--	rfc822_parse_adrlist(&env->to, str_copy, defaulthost);
-+	rfc822_parse_adrlist(&env->to, str_copy, Z_STRVAL_PP(defaulthost));
- 	efree(str_copy);
- 
- 	array_init(return_value);
-@@ -2196,6 +2196,8 @@
- 		}
- 		add_next_index_object(return_value, tovals TSRMLS_CC);
- 	} while ((addresstmp = addresstmp->next));
-+	
-+	mail_free_envelope(&env);
- }
- /* }}} */
-