summaryrefslogtreecommitdiff
path: root/lang/php5
AgeCommit message (Collapse)AuthorFilesLines
2008-05-04Security Enhancements and Fixes in PHP 5.2.6:adrianp3-8/+7
Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. Upgraded bundled PCRE to version 7.6 Key enhancements in PHP 5.2.6 include: * Fixed two possible crashes inside the posix extension. * Fixed bug 44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug 44141 (private parent constructor callable through static function). * Fixed bug 43589 (a possible infinite loop in bz2_filter.c). * Fixed bug 43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug 43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug 42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug 42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug 42736 (xmlrpc_server_call_method() crashes). * Fixed bug 42369 (Implicit conversion to string leaks memory). * Fixed bug 41562 (SimpleXML memory issue). * Over 120 bug fixes. See http://www.php.net/ChangeLog-5.php#5.2.6 for all the details
2008-03-04Accidentally missed from last commitsborrill1-2/+2
2008-03-04Patch around imap_header() dying with SIGABRT if recipient lists are toosborrill1-5/+145
long. Patch appended to PHP bug 42862, so the fix may be incorporated in later PHP releases and thus this patch can be reverted. http://bugs.php.net/bug.php?id=42862 Bump PKGREVISION of php-imap
2008-01-18Per the process outlined in revbump(1), perform a recursive revbumptnn1-1/+2
on packages that are affected by the switch from the openssl 0.9.7 branch to the 0.9.8 branch. ok jlam@
2007-11-23Update to 5.2.5adrianp5-36/+7
* Security Enhancements and Fixes in PHP 5.2.5: Fixed dl() to only accept filenames. Reported by Laurent Gaffie. Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). Reported by Laurent Gaffie. Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. Reported by Rasmus Lerdorf Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications. Reported by SecurityReason. Fixed bug 42869 (automatic session id insertion adds sessions id to non-local forms). Fixed bug 41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Key enhancements in PHP 5.2.5 include: Upgraded PCRE to version 7.3 Updated timezone database to version 2007.9 Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc() functions Fixed bug 43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()) Fixed bug 42785 (json_encode() formats doubles according to locale rather then following standard syntax) Fixed bug 42549 (ext/mysql failed to compile with libmysql 3.23) Over 60 bug fixes. For all the details see: http://www.php.net/ChangeLog-5.php#5.2.5
2007-10-09Remove trailing spaces.martti1-3/+3
2007-09-25add test target, as suggested by Chris Ross on pkgsrc-users@n.o.jdolecek1-1/+2
2007-09-11add a patch to also adjust the Mac OS X-specific NSLinkModule()-basedjdolecek2-1/+15
extension loading code to export all symbols (i.e. do equivalent of dlopen(..., RTLD_GLOBAL)), so that older Mac OS X without dlopen() (before 10.4) also load extensions properly patch also submitted as PHP bug# 42629
2007-09-07Convert packages that test and use USE_INET6 to use the options frameworkjlam1-3/+1
and to support the "inet6" option instead. Remaining usage of USE_INET6 was solely for the benefit of the scripts that generate the README.html files. Replace: BUILD_DEFS+= USE_INET6 with BUILD_DEFS+= IPV6_READY and teach the README-generation tools to look for that instead. This nukes USE_INET6 from pkgsrc proper. We leave a tiny bit of code to continue to support USE_INET6 for pkgsrc-wip until it has been nuked from there as well.
2007-09-04load extensions via dlopen(), in preference to using NsLinkModule() et.al. ↵jdolecek4-3/+66
on Mac OS X, so that symbols of loaded modules are available for other, dependant modules; dlopen() is native function since 10.4, so actually apparently preferable interface now this is necessary for PDO family of modules (pdo_* depends on symbols of PDO module), and for XSL module (which depends on symbols of DOM module); doing it this way allows for PDO and DOM modules to be also shared and dynamically loaded, this avoids need to compile them into main PHP binary bump PKGREVISION, this is functionality change for Mac OS X (no change for other platforms)
2007-09-04install PHP unstripped on Darwin/Mac OS X, so that modules load properly; bumpjdolecek1-2/+7
PKGREVISION PR: 36869 by Louis Guillaume
2007-09-03Stop the path to the wrapper "sed" script from ending up in "php-config".tron1-1/+3
Bump package revision.
2007-09-02fix build of php-bz2 on Mac OS Xjdolecek2-1/+15
2007-09-02Update lang/php5 to 5.2.4 - miscellaneous security fixes and over 120 otherjdolecek7-64/+17
bug fixes
2007-08-01- Add patches to fix CVE-2007-3806 referring CVS repository.taca4-3/+37
- Fix compile problem on NetBSD with mremap(2). Bump PKGREVISION.
2007-06-11Added support for installation to DESTDIR. patch-an had removed correctheinz3-14/+22
support for this before, probably unintentionally.
2007-06-08Fix the install path for the CGI binary so it ends up where we want it.adrianp3-4/+26
Pointed out by schmonz@ and taca@ Bump PKGREVISION
2007-06-07Add in the correct patch to fix CVE-2007-2872adrianp3-2/+32
Spotted by Takahiro Kambe
2007-06-06Update to php-5.2.3adrianp3-8/+8
Security Fixes * Fixed an integer overflow inside chunk_split() (by Gerhard Wagner, CVE-2007-2872) * Fixed possible infinite loop in imagecreatefrompng. (by Xavier Roche, CVE-2007-2756) * Fixed ext/filter Email Validation Vulnerability (MOPB-45 by Stefan Esser, CVE-2007-1900) * Fixed bug #41492 (open_basedir/safe_mode bypass inside realpath()) (by bugs dot php dot net at chsc dot dk) * Improved fix for CVE-2007-1887 to work with non-bundled sqlite2 lib. * Added mysql_set_charset() to allow runtime altering of connection encoding. * Upgraded bundled SQLite 3 to version 3.3.17. (Ilia) * Fixed gd build when used with freetype 1.x (Pierre, Tony) And a fair few bugs fixed, see: http://www.php.net/ChangeLog-5.php#5.2.3 for all the details.
2007-05-06Update 5.2.2adrianp5-262/+7
* Fixed CVE-2007-1001, GD wbmp used with invalid image size (by Ivan Fratric) * Fixed asciiz byte truncation inside mail() (MOPB-33 by Stefan Esser) * Fixed a bug in mb_parse_str() that can be used to activate register_globals (MOPB-26 by Stefan Esser) * Fixed unallocated memory access/double free in in array_user_key_compare() (MOPB-24 by Stefan Esser) * Fixed a double free inside session_regenerate_id() (MOPB-22 by Stefan Esser) * Added missing open_basedir & safe_mode checks to zip:// and bzip:// wrappers. (MOPB-21 by Stefan Esser). * Limit nesting level of input variables with max_input_nesting_level as fix for (MOPB-03 by Stefan Esser) * Fixed CRLF injection inside ftp_putcmd(). (by loveshell[at]Bug.Center.Team) * Fixed a possible super-global overwrite inside import_request_variables(). (by Stefano Di Paola, Stefan Esser) * Fixed a remotely trigger-able buffer overflow inside bundled libxmlrpc library. (by Stanislav Malyshev) * Fixed a header injection via Subject and To parameters to the mail() function (MOPB-34 by Stefan Esser) * Fixed wrong length calculation in unserialize S type (MOPB-29 by Stefan Esser) * Fixed substr_compare and substr_count information leak (MOPB-14 by Stefan Esser) (Stas, Ilia) * Fixed a remotely trigger-able buffer overflow inside make_http_soap_request() (by Ilia Alshanetsky) * Fixed a buffer overflow inside user_filter_factory_create(). (by Ilia Alshanetsky)
2007-05-06Add security fix for CVE-2007-1001 to "php4-gd" and "php5-gd" packages.tron2-1/+42
Bump package revision.
2007-05-05Remove PEAR from the default PHP installadrianp4-149/+10
2007-04-29Remove first hunk which contains RCS Id only from patch-ab.taca2-12/+3
2007-04-28Patch to fix PHP bug #40326 (cannot open file from cwd if parent folder notsborrill3-3/+225
readable). Patch will be in 5.2.2, so this patch can be removed once it has been released.
2007-04-08Fix reference to ap-php package, from PR#35927.ghen1-2/+2
2007-02-25put back openssl extension, mistakely commented out in PHP 5.2.1 upgradejdolecek2-7/+8
noted by Manuel Bouyer
2007-02-22pkglint USE_LANGUAGES cleanup. Patch from Sergey Svishchev.wiz1-2/+2
2007-02-22pkglint cleanup; update HOMEPAGE/MASTER_SITES.wiz1-2/+2
From Sergey Svishchev in private mail.
2007-02-20Update PHP5 to 5.2.1. Includes several important security fixes andjdolecek6-54/+59
large number of other fixes. Update for all users is strongly advised.
2006-11-07Make "php-5.2.0" build with "curl-7.16.0".tron2-6/+24
2006-11-07Fix non-portable "configure" shell script.tron2-1/+15
2006-11-07Remove non-existing master site "ftp.php.net".tron1-3/+2
2006-11-06Update lang/php5 to 5.2.0.jdolecek1-1/+3
Changes since 5.1.6: The key features of PHP 5.2.0 include: * New memory manager for the Zend Engine with improved performance and a more accurate memory usage tracking. * Input filtering extension was added and enabled by default. * JSON extension was added and enabled by default. * ZIP extension for creating and editing zip files was introduced. * Hooks for tracking file upload progress were introduced. * Introduced E_RECOVERABLE_ERROR error mode. * Introduced DateTime and DateTimeZone objects with methods to manipulate date/time information. * Upgraded bundled SQLite, PCRE libraries. * Upgraded OpenSSL, MySQL and PostgreSQL client libraries for Windows installations. * Many performance improvements. * Over 200 bug fixes. Security Enhancements and Fixes in PHP 5.2.0: * Made PostgreSQL escaping functions in PostgreSQL and PDO extension keep track of character set encoding whenever possible. * Added allow_url_include, set to Off by default to disallow use of URLs for include and require. * Disable realpath cache when open_basedir and safe_mode are being used. * Improved safe_mode enforcement for error_log() function. * Fixed a possible buffer overflow in the underlying code responsible for htmlspecialchars() and htmlentities() functions. * Added missing safe_mode and open_basedir checks for the cURL extension. * Fixed overflow is str_repeat() & wordwrap() functions on 64bit machines. * Fixed handling of long paths inside the tempnam() function. * Fixed safe_mode/open_basedir checks for session.save_path, allowing them to account for extra parameters. * Fixed ini setting overload in the ini_restore() function. For a full list of changes in PHP 5.2.0, see the ChangeLog: http://www.php.net/ChangeLog-5.php#5.2.0 Also other notable extensions changes: * filePRO extension removed (not in PECL yet, php-filepro disabled for PHP5) * JSON added (not enabled by default, packaged in php-json) * filter added (enabled by default) * wddx rewritten to native libxml2, fixing several encoding bugs
2006-11-06Update lang/php5 to 5.2.0.jdolecek9-130/+15
Changes since 5.1.6: The key features of PHP 5.2.0 include: * New memory manager for the Zend Engine with improved performance and a more accurate memory usage tracking. * Input filtering extension was added and enabled by default. * JSON extension was added and enabled by default. * ZIP extension for creating and editing zip files was introduced. * Hooks for tracking file upload progress were introduced. * Introduced E_RECOVERABLE_ERROR error mode. * Introduced DateTime and DateTimeZone objects with methods to manipulate date/time information. * Upgraded bundled SQLite, PCRE libraries. * Upgraded OpenSSL, MySQL and PostgreSQL client libraries for Windows installations. * Many performance improvements. * Over 200 bug fixes. Security Enhancements and Fixes in PHP 5.2.0: * Made PostgreSQL escaping functions in PostgreSQL and PDO extension keep track of character set encoding whenever possible. * Added allow_url_include, set to Off by default to disallow use of URLs for include and require. * Disable realpath cache when open_basedir and safe_mode are being used. * Improved safe_mode enforcement for error_log() function. * Fixed a possible buffer overflow in the underlying code responsible for htmlspecialchars() and htmlentities() functions. * Added missing safe_mode and open_basedir checks for the cURL extension. * Fixed overflow is str_repeat() & wordwrap() functions on 64bit machines. * Fixed handling of long paths inside the tempnam() function. * Fixed safe_mode/open_basedir checks for session.save_path, allowing them to account for extra parameters. * Fixed ini setting overload in the ini_restore() function. For a full list of changes in PHP 5.2.0, see the ChangeLog: http://www.php.net/ChangeLog-5.php#5.2.0 Also other notable extensions changes: * filePRO extension removed (not in PECL yet, php-filepro disabled for PHP5) * JSON added (not enabled by default, packaged in php-json) * filter added (enabled by default) * wddx rewritten to native libxml2, fixing several encoding bugs
2006-11-04Fix for CVE-2006-5465 from PHP CVSadrianp3-3/+36
http://www.hardened-php.net/advisory_132006.138.html
2006-11-01Add patch to make the "php-curl" package build with version 7.16.0tron2-1/+21
and newer of the "curl" package.
2006-10-22Fixes for CVE-2006-4812 and CVE-2006-4625adrianp4-3/+43
Bump nb
2006-10-20remove --enable-memory-limit - 8MB is too low, and this justjdolecek2-5/+3
duplicates process resource limits, which already provide necessary "safety net" protection against rogue scripts bump PKGREVISION for this adressess PR pkg/32007 by "pancake" also remove --enable-track-vars, since that configure argument is long gone from PHP
2006-08-28Update php5 to 5.1.5.taca2-6/+6
PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| 24 Aug 2006, PHP 5.1.6 - Fixed memory_limit on 64bit systems. (Stefan E.) - Fixed bug #38488 (Access to "php://stdin" and family crashes PHP on win32). (Dmitry)
2006-08-19Remove special DIST_SUBDIR processing from Makefile.taca2-8/+5
2006-08-19Update php5 package to 5.1.5:taca8-140/+23
17 Aug 2006, PHP 5.1.5 - Fixed memory_limit on 64bit systems. (Stefan E.) - Fixed overflow on 64bit systems in str_repeat() and wordwrap(). (Stefan E.) - Disabled CURLOPT_FOLLOWLOCATION in curl when open_basedir or safe_mode are enabled. (Stefan E., Ilia) - Fixed bug #38322 (reading past array in sscanf() leads to arbitrary code execution). (Tony) - Fixed bug #38125 (undefined reference to spl_dual_it_free_storage). (Marcus) - Fixed bug #38112 (corrupted gif segfaults) (Pierre) - Fixed bug #37587 (var without attribute causes segfault). (Marcus) - Fixed bug #37576 (FastCGI env (cgi vars) table overflow). (Piotr) - Fixed bug #37496 (FastCGI output buffer overrun). (Piotr, Dmitry) - Fixed bug #37487 (oci_fetch_array() array-type should always default to OCI_BOTH). (Tony) - Fixed bug #37416 (iterator_to_array() hides exceptions thrown in rewind() method). (Tony) - Fixed bug #37392 (Unnecessary call to OCITransRollback() at the end of request). (Tony) - Fixed bug #37341 ($_SERVER in included file is shortened to two entries, if $_ENV gets used). (Dmitry) - Fixed bug #37313 (sigemptyset() used without including <signal.h>). (jdolecek) - Fixed bug #37346 (invalid colormap format) (Pierre) - Fixed bug #37360 (invalid gif size) (Pierre) - Fixed bug #37306 (max_execution_time = max_input_time). (Dmitry) - Fixed Bug #37278 (SOAP not respecting uri in __soapCall). (Dmitry) - Fixed bug #37265 (Added missing safe_mode & open_basedir checks to imap_body()). (Ilia) - Fixed bug #37256 (php-fastcgi dosen't handle connection abort). (Dmitry)
2006-08-19More fix of PLIST, now pkg_delete should always succeed.taca2-3/+5
2006-08-17Correct PLIST to fix a binary package:taca2-4/+5
- remove an extra directory. - handle empty directories.
2006-08-10Add security fix for Secunia Advisory SA21403 from PHP's CVS repository.taca3-3/+85
Bump PKGREVISION.
2006-07-18Fix for CVE-2006-3011adrianp3-3/+19
Bump to nb2
2006-07-08Change the format of BUILDLINK_ORDER to contain depth information as well,jlam1-2/+2
and add a new helper target and script, "show-buildlink3", that outputs a listing of the buildlink3.mk files included as well as the depth at which they are included. For example, "make show-buildlink3" in fonts/Xft2 displays: zlib fontconfig iconv zlib freetype2 expat freetype2 Xrender renderproto
2006-07-08Track information in a new variable BUILDLINK_ORDER that informs usjlam1-1/+2
of the order in which buildlink3.mk files are (recursively) included by a package Makefile.
2006-07-08Sync DIST_SUBDIR for PHP modules with DIST_SUBDIR in Makefile.minskim1-2/+2
2006-07-08Change DIST_SUBDIR because the current distfile path was already used beforeminskim2-6/+6
for a different tarball.
2006-06-06Note in the MESSAGE file the path to the PHP CGI binary to answer an FAQ.jlam2-4/+12