| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
archivers/php-bz2: security update
archivers/php-zip: security update
archivers/php-zlib: security update
converters/php-iconv: security update
converters/php-mbstring: security update
databases/php-dba: security update
databases/php-ldap: security update
databases/php-mssql: security update
databases/php-mysql: security update
databases/php-mysqli: security update
databases/php-pdo: security update
databases/php-pdo_dblib: security update
databases/php-pdo_mysql: security update
databases/php-pdo_pgsql: security update
databases/php-pdo_sqlite: security update
databases/php-pgsql: security update
databases/php-sqlite: security update
devel/php-gettext: security update
devel/php-gmp: security update
devel/php-pcntl: security update
devel/php-posix: security update
devel/php-shmop: security update
devel/php-sysvmsg: security update
devel/php-sysvsem: security update
devel/php-sysvshm: security update
graphics/php-exif: security update
graphics/php-gd: security update
lang/php53: security update
lang/php54: security update
mail/php-imap: security update
math/php-bcmath: security update
net/php-ftp: security update
net/php-snmp: security update
net/php-soap: security update
net/php-sockets: security update
net/php-xmlrpc: security update
security/php-mcrypt: security update
textproc/php-dom: security update
textproc/php-enchant: security update
textproc/php-intl: security update
textproc/php-json: security update
textproc/php-pspell: security update
textproc/php-wddx: security update
textproc/php-xsl: security update
time/php-calendar: security update
www/ap-php: security update
www/php-curl: security update
www/php-fpm: security update
www/php-tidy: security update
Revisions pulled up:
- archivers/php-zip/Makefile 1.15
- databases/php-dba/Makefile 1.15
- databases/php-mssql/Makefile 1.14
- databases/php-pdo_dblib/Makefile 1.15
- databases/php-pdo_sqlite/Makefile 1.12
- databases/php-sqlite/Makefile 1.16
- devel/php-gettext/Makefile 1.11
- devel/php-shmop/Makefile 1.11
- graphics/php-exif/Makefile 1.11
- graphics/php-gd/Makefile 1.28
- lang/php53/Makefile.common 1.15
- lang/php53/Makefile.php 1.19
- lang/php53/distinfo 1.46
- lang/php53/patches/patch-aj 1.2
- lang/php54/Makefile.common 1.2
- lang/php54/distinfo 1.2
- lang/php54/patches/patch-run-tests.php 1.2
- net/php-soap/Makefile 1.4
- net/php-xmlrpc/Makefile 1.15
- textproc/php-dom/Makefile 1.4
- textproc/php-intl/Makefile 1.13
- textproc/php-pspell/Makefile 1.13
- textproc/php-wddx/Makefile 1.17
- textproc/php-xsl/Makefile 1.5
- www/ap-php/Makefile 1.27
- www/php-curl/Makefile 1.18
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Jul 20 12:28:18 UTC 2012
Modified Files:
pkgsrc/lang/php53: Makefile.common Makefile.php distinfo
pkgsrc/lang/php53/patches: patch-aj
Log Message:
Update php53 pacakge to 5.3.15 (PHP 5.3.15).
19-July-2012
o Zend Engine
* Fixed bug #51094 (parse_ini_file() with INI_SCANNER_RAW cuts a value
that includes a semi-colon)
o COM
* Fixed bug #62146 com_dotnet cannot be built shared
o Core
* Fixed potential overflow in _php_stream_scandir, CVE-2012-2688
* Fixed bug #62432 (ReflectionMethod random corrupt memory on high
concurrent)
* Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed Salt)
o Fileinfo
* Fixed magic file regex support
o FPM
* Fixed bug #61045 (fpm don't send error log to fastcgi clients)
* Fixed bug #61835 (php-fpm is not allowed to run as root)
* Fixed bug #61295 (php-fpm should not fail with commented 'user' for
non-root start)
* Fixed bug #61026 (FPM pools can listen on the same address)
* Fixed bug #62033 (php-fpm exits with status 0 on some failures to
start)
* Fixed bug #62153 (when using unix sockets, multiples FPM instances
can be launched without errors)
* Fixed bug #62160 (Add process.priority to set nice(2) priorities)
* Fixed bug #61218 (FPM drops connection while receiving some binary
values in FastCGI requests)
* Fixed bug #62205 (php-fpm segfaults (null passed to strstr))
o Intl
* Fixed bug #62083 (grapheme_extract() memory leaks)
* Fixed bug #62081 (IntlDateFormatter constructor leaks memory when
called twice)
* Fixed bug #62070 (Collator::getSortKey() returns garbage)
* Fixed bug #62017 (datefmt_create with incorrectly encoded timezone
leaks pattern)
* Fixed bug #60785 (memory leak in IntlDateFormatter constructor)
o JSON
* Reverted fix for bug #61537
o Phar
* Fixed bug #62227 (Invalid phar stream path causes crash)
o Reflection
* Fixed bug #62384 (Attempting to invoke a Closure more than once
causes segfault)
* Fixed bug #62202 (ReflectionParameter::getDefaultValue() memory
leaks with constant)
o SPL
* Fixed bug #62262 (RecursiveArrayIterator does not implement Countable)
o SQLite
* Fixed open_basedir bypass, CVE-2012-3365
o XML Write
* Fixed bug #62064 (memory leak in the XML Writer module)
o Zip
* Upgraded libzip to 0.10
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Jul 20 12:29:05 UTC 2012
Modified Files:
pkgsrc/lang/php54: Makefile.common distinfo
pkgsrc/lang/php54/patches: patch-run-tests.php
Log Message:
Update php54 package to 5.4.5 (PHP 5.4.5).
19-July-2012
o Core
* Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed Salt)
* Fixed bug #62432 (ReflectionMethod random corrupt memory on high
concurrent)
* Fixed bug #62373 (serialize() generates wrong reference to the
object).
* Fixed bug #62357 (compile failure: (S) Arguments missing for
built-in function __memcmp)
* Fixed bug #61998 (Using traits with method aliases appears to result
in crash during execution)
* Fixed bug #51094 (parse_ini_file() with INI_SCANNER_RAW cuts a value
that includes a semi-colon)
* Fixed potential overflow in _php_stream_scandir (CVE-2012-2688)
o EXIF
* Fixed information leak in ext exi
o FPM
* Fixed bug #62205 (php-fpm segfaults (null passed to strstr)
* Fixed bug #62160 (Add process.priority to set nice(2) priorities)
* Fixed bug #62153 (when using unix sockets, multiples FPM instances)
* Fixed bug #62033 (php-fpm exits with status 0 on some failures to
start)
* Fixed bug #61839 (Unable to cross-compile PHP with --enable-fpm)
* Fixed bug #61835 (php-fpm is not allowed to run as root)
* Fixed bug #61295 (php-fpm should not fail with commented 'user'
* Fixed bug #61218 (FPM drops connection while receiving some binary
values in FastCGI requests)
* Fixed bug #61045 (fpm don't send error log to fastcgi clients).
(fat) for non-root start)
* Fixed bug #61026 (FPM pools can listen on the same address).
(fat) can be launched without errors)
o Iconv
* Fixed bug #55042 (Erealloc in iconv.c unsafe)
o Intl
* Fixed bug #62083 (grapheme_extract() memory leaks)
* Fixed bug #62081 (IntlDateFormatter constructor leaks memory when
called twice)
* Fixed bug #62070 (Collator::getSortKey() returns garbage)
* Fixed bug #62017 (datefmt_create with incorrectly encoded timezone
leaks pattern)
* Fixed bug #60785 (memory leak in IntlDateFormatter constructor)
* ResourceBundle constructor now accepts NULL for the first two arguments
o JSON
* Fixed bug #61359 (json_encode() calls too many reallocs)
o libxml
* Fixed bug #62266 (Custom extension segfaults during xmlParseFile
with FPM SAPI)
o Phar
* Fixed bug #62227 (Invalid phar stream path causes crash)
o Readline
* Fixed bug #62186 (readline fails to compile - void function should
not return a value)
o Reflection
* Fixed bug #62384 (Attempting to invoke a Closure more than once
causes segfault)
* Fixed bug #62202 (ReflectionParameter::getDefaultValue() memory
leaks with constant)
o Sockets
* Fixed bug #62025 (__ss_family was changed on AIX 5.3)
o SPL
* Fixed bug #62433 (Inconsistent behavior of
RecursiveDirectoryIterator to dot files)
* Fixed bug #62262 (RecursiveArrayIterator does not implement
Countable)
o XML Writer
* Fixed bug #62064 (memory leak in the XML Writer module)
o Zip
* Upgraded libzip to 0.10.
{
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Jul 20 12:30:38 UTC 2012
Modified Files:
pkgsrc/archivers/php-zip: Makefile
pkgsrc/databases/php-dba: Makefile
pkgsrc/databases/php-mssql: Makefile
pkgsrc/databases/php-pdo_dblib: Makefile
pkgsrc/databases/php-pdo_sqlite: Makefile
pkgsrc/databases/php-sqlite: Makefile
pkgsrc/devel/php-gettext: Makefile
pkgsrc/devel/php-shmop: Makefile
pkgsrc/graphics/php-exif: Makefile
pkgsrc/graphics/php-gd: Makefile
pkgsrc/net/php-soap: Makefile
pkgsrc/net/php-xmlrpc: Makefile
pkgsrc/textproc/php-dom: Makefile
pkgsrc/textproc/php-intl: Makefile
pkgsrc/textproc/php-pspell: Makefile
pkgsrc/textproc/php-wddx: Makefile
pkgsrc/textproc/php-xsl: Makefile
pkgsrc/www/ap-php: Makefile
pkgsrc/www/php-curl: Makefile
Log Message:
- Reset PKG_REVISION by both php53 and php54 are updated.
- Remove supporting php5 (PHP 5.2.x) supporting codes.
|
|
Version 5.3.14
06-June-2012
* CLI SAPI
- Fixed bug #61546 (functions related to current script failed when
chdir() in cli sapi)
* Core
- Fixed CVE-2012-2143
- Fixed bug #62005 (unexpected behavior when incrementally assigning to a
member of a null object)
- Fixed bug #61730 (Segfault from array_walk modifying an array passed by
reference)
- Fixed missing bound check in iptcparse()
- Fixed bug #61764 ('I' unpacks n as signed if n > 2^31-1 on LP64)
- Fixed bug #54197 ([PATH=] sections incompatibility with
user_ini.filename set to null)
- Fixed bug #61713 (Logic error in charset detection for htmlentities)
- Fixed bug #61991 (long overflow in realpath_cache_get())
- Changed php://fd to be available only for CLI.
* CURL
- Fixed bug #61948 (CURLOPT_COOKIEFILE '' raises open_basedir restriction)
* COM
- Fixed bug #62146 com_dotnet cannot be built shared
* Fileinfo
- Fixed bug #61812 (Uninitialised value used in libmagic)
* Iconv
- Fixed a bug that iconv extension fails to link to the correct library
when another extension makes use of a library that links to the iconv
library. See https://bugs.gentoo.org/show_bug.cgi?id=364139 for detail
* Intl
- Fixed bug #62082 (Memory corruption in internal function
get_icu_disp_value_src_php()
* JSON
- Fixed bug #61537 (json_encode() incorrectly truncates/discards
information)
* PDO
- Fixed bug #61755 (A parsing bug in the prepared statements can lead to
access violations)
* Phar
- Fixed bug #61065 (Secunia SA44335)
* Streams
- Fixed bug #61961 (file_get_contents leaks when access empty file with
maxlen set)
|
|
Bump PKGREVISION.
|
|
|
|
Bump PKGREVISION.
|
|
08 May 2012, PHP 5.3.13
- CGI
. Improve fix for PHP-CGI query string parameter vulnerability, CVE-2012-2311.
(Stas)
|
|
|
|
Bump PKGREVISION.
|
|
03 Mar 2012, PHP 5.3.12
- Fix PHP-CGI query string parameter vulnerability, CVE-2012-1823. (Rasmus)
|
|
For full changes, please refer <http://www.php.net/ChangeLog-5.php#5.3.11>.
Security Enhancements:
* Fixed bug #54374 (Insufficient validating of upload name leading to
corrupted $_FILES indices). (CVE-2012-1172).
* Add open_basedir checks to readline_write_history and readline_read_history.
* Fixed bug #61043 (Regression in magic_quotes_gpc fix for CVE-2012-0831).
Key enhancements in these releases include:
* Added debug info handler to DOM objects.
* Fixed bug #61172 (Add Apache 2.4 support).
|
|
from PHP 5.4.0. This is a small security fix.
Bump PKGREVISION.
|
|
in php-5.3.9nb2 package.
02 Feb 2012, PHP 5.3.10
- Core:
. Fixed arbitrary remote code execution vulnerability reported by Stefan
Esser, CVE-2012-0830. (Stas, Dmitry)
|
|
Hopefully, these 18 minutes is allowed to avoid to PKGREVISION bump.
|
|
Hashtable Collision DOS" by revision 323007 from PHP's repository.
http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/
Bump PKGREVISION.
|
|
|
|
for PHP5.3.7.
Bump PKGREVISION.
|
|
|
|
suhosin-patch is provided as modified one; only copyright year.
PHP 5.3.9 Released!
[10-Jan-2012] The PHP development team would like to announce the immediate
availability of PHP 5.3.9. This release focuses on improving the stability of
the PHP 5.3.x branch with over 90 bug fixes, some of which are security
related.
Security Enhancements and Fixes in PHP 5.3.9:
* Added max_input_vars directive to prevent attacks based on hash
collisions. (CVE-2011-4885)
* Fixed bug #60150 (Integer overflow during the parsing of invalid
exif header). (CVE-2011-4566)
Key enhancements in PHP 5.3.9 include:
* Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd
argument to is_a and is_subclass_of).
* Fixed bug #55609 (mysqlnd cannot be built shared)
* Many changes to the FPM SAPI module
For a full list of changes in PHP 5.3.9, see the ChangeLog. For source
downloads please visit our downloads page, Windows binaries can be found on
windows.php.net/download/.
All users are strongly encouraged to upgrade to PHP 5.3.9.
|
|
Noted by David Wetzel on netbsd-users.
|
|
from r321038 from PHP's repository.
Bump PKGREVISION.
|
|
|
|
Bump PKGREVISION.
|
|
|
|
on amd64, powerpc, i386 and alpha.
|
|
updated databases/freetds.
|
|
(crypt()'s problem was already fixed our php53-5.3.7nb1 package.)
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
23 Aug 2011, PHP 5.3.8
- Core:
. Fixed bug #55439 (crypt() returns only the salt for MD5). (Stas)
- OpenSSL:
. Reverted a change in timeout handling restoring PHP 5.3.6 behavior,
as the new behavior caused mysqlnd SSL connections to hang (#55283).
(Pierre, Andrey, Johannes)
|
|
Bump PKGREVISION.
|
|
PKGREVISION bump.
|
|
PHP 5.3.7 Released!
[18-Aug-2011] The PHP development team would like to announce the immediate
availability of PHP 5.3.7. This release focuses on improving the stability of
the PHP 5.3.x branch with over 90 bug fixes, some of which are security
related.
Security Enhancements and Fixes in PHP 5.3.7:
* Updated crypt_blowfish to 1.2. (CVE-2011-2483)
* Fixed crash in error_log(). Reported by Mateusz Kocielski
* Fixed buffer overflow on overlog salt in crypt().
* Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload
filename). Reported by Krzysztof Kotowicz. (CVE-2011-2202)
* Fixed stack buffer overflow in socket_connect(). (CVE-2011-1938)
* Fixed bug #54238 (use-after-free in substr_replace()). (CVE-2011-1148)
Key enhancements in PHP 5.3.7 include:
* Upgraded bundled Sqlite3 to version 3.7.7.1
* Upgraded bundled PCRE to version 8.12
* Fixed bug #54910 (Crash when calling call_user_func with unknown function
name)
* Fixed bug #54585 (track_errors causes segfault)
* Fixed bug #54262 (Crash when assigning value to a dimension in a non-array)
* Fixed a crash inside dtor for error handling
* Fixed bug #55339 (Segfault with allow_call_time_pass_reference = Off)
* Fixed bug #54935 php_win_err can lead to crash
* Fixed bug #54332 (Crash in zend_mm_check_ptr // Heap corruption)
* Fixed bug #54305 (Crash in gc_remove_zval_from_buffer)
* Fixed bug #54580 (get_browser() segmentation fault when browscap ini
directive is set through php_admin_value)
* Fixed bug #54529 (SAPI crashes on apache_config.c:197)
* Fixed bug #54283 (new DatePeriod(NULL) causes crash).
* Fixed bug #54269 (Short exception message buffer causes crash)
* Fixed Bug #54221 (mysqli::get_warnings segfault when used in multi queries)
* Fixed bug #54395 (Phar::mount() crashes when calling with wrong parameters)
* Fixed bug #54384 (Dual iterators, GlobIterator, SplFileObject and
SplTempFileObject crash when user-space classes don't call the parent
constructor)
* Fixed bug #54292 (Wrong parameter causes crash in
SplFileObject::__construct())
* Fixed bug #54291 (Crash iterating DirectoryIterator for dir name starting
with \0)
* Fixed bug #54281 (Crash in non-initialized RecursiveIteratorIterator)
* Fixed bug #54623 (Segfault when writing to a persistent socket after closing
a copy of the socket)
* Fixed bug #54681 (addGlob() crashes on invalid flags)
* Over 80 other bug fixes.
|
|
There was incompatible result by previous fix and it should be gone away.
Beside ths security fix, ${PREFIX}/bin/phar.phar has correct shbang line.
Bump PKGREVISION.
|
|
http://www.openwall.com/lists/oss-security/2011/06/20/2
Noted by Matthias Drochner via private mail.
* Add LICENSE.
Bump PKGREVISION.
|
|
repository.
Bump PKGREVISION.
|
|
Bump PKGREVISION.
|
|
PHP 5.3.6 Released!
[17-Mar-2011]
The PHP development team would like to announce the immediate availability
of PHP 5.3.6. This release focuses on improving the stability of the PHP
5.3.x branch with over 60 bug fixes, some of which are security related.
Security Enhancements and Fixes in PHP 5.3.6:
* Enforce security in the fastcgi protocol parsing with fpm SAPI.
* Fixed bug #54247 (format-string vulnerability on Phar). (CVE-2011-1153)
* Fixed bug #54193 (Integer overflow in shmop_read()). (CVE-2011-1092)
* Fixed bug #54055 (buffer overrun with high values for precision ini setting).
* Fixed bug #54002 (crash on crafted tag in exif). (CVE-2011-0708)
* Fixed bug #53885 (ZipArchive segfault with FL_UNCHANGED on empty
archive). (CVE-2011-0421)
Key enhancements in PHP 5.3.6 include:
* Upgraded bundled Sqlite3 to version 3.7.4.
* Upgraded bundled PCRE to version 8.11.
* Added ability to connect to HTTPS sites through proxy with basic
authentication using stream_context/http/header/Proxy-Authorization.
* Added options to debug backtrace functions.
* Changed default value of ini directive serialize_precision from 100 to 17.
* Fixed Bug #53971 (isset() and empty() produce apparently spurious
runtime error).
* Fixed Bug #53958 (Closures can't 'use' shared variables by value and
by reference).
* Fixed bug #53577 (Regression introduced in 5.3.4 in open_basedir
with a trailing forward slash).
* Over 60 other bug fixes.
|
|
Add Add patches to fix SA43328.
|
|
5.3.5 was released due to a critical issue and the previous suhosin
patch still applies. Prior art of this can be seen in OpenBSD's and
FreeBSD's ports.
ok@ wiz
|
|
|
|
* Add fix for VAX floating point handling (Bug #53682), r307192 from
PHP's repositry. (It is in PHP 5.2.17 but not in 5.3.5).
06 Jan 2011, PHP 5.3.5
- Fixed Bug #53632 (infinite loop with x87 fpu). (Scott, Rasmus)
|
|
The PHP development team is proud to announce the immediate release of PHP
5.3.4. This is a maintenance release in the 5.3 series, which includes a large
number of bug fixes.
Security Enhancements and Fixes in PHP 5.3.4:
* Fixed crash in zip extract method (possible CWE-170).
* Paths with NULL in them (foo\0bar.txt) are now considered as invalid
(CVE-2006-7243).
* Fixed a possible double free in imap extension (Identified by Mateusz
Kocielski). (CVE-2010-4150).
* Fixed NULL pointer dereference in
ZipArchive::getArchiveComment. (CVE-2010-3709).
* Fixed possible flaw in open_basedir (CVE-2010-3436).
* Fixed MOPS-2010-24, fix string validation. (CVE-2010-2950).
* Fixed symbolic resolution support when the target is a DFS share.
* Fixed bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with
large amount of data) (CVE-2010-3710).
Key Bug Fixes in PHP 5.3.4 include:
* Added stat support for zip stream.
* Added follow_location (enabled by default) option for the http stream
support.
* Added a 3rd parameter to get_html_translation_table. It now takes a charset
hint, like htmlentities et al.
* Implemented FR #52348, added new constant ZEND_MULTIBYTE to detect zend
multibyte at runtime.
* Multiple improvements to the FPM SAPI.
* Over 100 other bug fixes.
For users upgrading from PHP 5.2 there is a migration guide available here,
detailing the changes between those releases and PHP 5.3.
For a full list of changes in PHP 5.3.4, see the ChangeLog. For source
downloads please visit our downloads page, Windows binaries can be found on
windows.php.net/download/.
|
|
- CVE-2010-3710 (a part of SA41724)
http://svn.php.net/viewvc?view=revision&revision=303779
- CVE-2010-3870 (a part of SA41724)
http://svn.php.net/viewvc?view=revision&revision=304959
- CVE-2010-4150 (php-imap)
http://svn.php.net/viewvc?view=revision&revision=305032
- CVE-2010-4156 (SA42135)
http://svn.php.net/viewvc?view=revision&revision=305214
Bump PKGREVISION.
|
|
- Rewrote var_export() to use smart_str rather than output buffering,
prevents data disclosure if a fatal error occurs (CVE-2010-2531).
(Scott)
- Fixed a NULL pointer dereference when processing invalid XML-RPC
requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
- Fixed SplObjectStorage unserialization problems (CVE-2010-2225).
(Stas)
- A large number of not security related bug fixes
|
|
Also add some patches to remove use of deprecated symbols and fix other
problems when looking for or compiling against libpng-1.4.x.
|
|
|
|
PR pkg/43170 by Nathaniel Madura. And add suhosin-patch to distinfo.
Bump PKG_REVISION.
|
|
These patch are created from r296152 and r296153 from svn from PHP.
|
|
This package and lang/php5 aren't installed at the same time.
Setting PHP_VERSION_DEFAULT as "5" or "53" to select PHP 5.2.x or 5.3.x.
PHP is an HTML-embedded scripting language. It is modular, with
some object-oriented features. Much of its syntax is borrowed from
C, Java and Perl with a couple of unique PHP-specific features
thrown in. The language is designed to allow web developers to
write dynamically generated pages quickly.
|
