lang/php70: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.141
- lang/php70/Makefile 1.4
- lang/php70/Makefile.php 1.2
- lang/php70/distinfo 1.14
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Jun 24 15:27:57 UTC 2016
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php70: Makefile Makefile.php distinfo
Log Message:
Update php70 to 7.0.8 (PHP 7.0.8), including security fixes.
pkgsrc change:
* remove configure from SUBST_FILES.path.
* Remove --with-regex=system and --without-mysql from CONFIGURE_ARGS.
* Add --without-mysqli to CONFIGURE_ARGS.
23 Jun 2016 PHP 7.0.8
- Core:
. Fixed bug #72218 (If host name cannot be resolved then PHP 7 crashes).
(Esminis at esminis dot lt)
. Fixed bug #72221 (segfault, past-the-end access). (Lauri Kenttä)
. Fixed bug #72268 (Integer Overflow in nl2br()). (Stas)
. Fixed bug #72275 (Integer Overflow in json_encode()/json_decode()/
json_utf8_to_utf16()). (Stas)
. Fixed bug #72400 (Integer Overflow in addcslashes/addslashes). (Stas)
. Fixed bug #72403 (Integer Overflow in Length of String-typed ZVAL). (Stas)
- FPM:
. Fixed bug #72308 (fastcgi_finish_request and logging environment
variables). (Laruence)
- GD:
. Fixed bug #72298 (pass2_no_dither out-of-bounds access). (Stas)
. Fixed bug #72337 (invalid dimensions can lead to crash) (Pierre)
. Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in
heap overflow). (Pierre)
. Fixed bug #72407 (NULL Pointer Dereference at _gdScaleVert). (Stas)
- Intl:
. Fixed bug #64524 (Add intl.use_exceptions to php.ini-*). (Anatol)
- mbstring:
. Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free). (Stas)
- mcrypt:
. Fixed bug #72455 (Heap Overflow due to integer overflows). (Stas)
- PCRE:
. Fixed bug #72143 (preg_replace uses int instead of size_t). (Joe)
- PDO_pgsql:
. Fixed bug #71573 (Segfault (core dumped) if paramno beyond bound).
(Laruence)
. Fixed bug #72294 (Segmentation fault/invalid pointer in connection
with pgsql_stmt_dtor). (Anatol)
- Phpdbg:
. Fixed bug #72284 (phpdbg fatal errors with coverage). (Bob)
- Postgres:
. Fixed bug #72195 (pg_pconnect/pg_connect cause use-after-free). (Laruence)
. Fixed bug #72197 (pg_lo_create arbitrary read). (Anatol)
- SPL:
. Fixed bug #72262 (int/size_t confusion in SplFileObject::fread). (Stas)
. Fixed bug #72433 (Use After Free Vulnerability in PHP's GC algorithm and
unserialize). (Dmitry)
- Standard:
. Fixed bug #72017 (range() with float step produces unexpected result).
(Thomas Punt)
. Fixed bug #72193 (dns_get_record returns array containing elements of
type 'unknown'). (Laruence)
. Fixed bug #72229 (Wrong reference when serialize/unserialize an object).
(Laruence)
. Fixed bug #72300 (ignore_user_abort(false) has no effect). (Laruence)
- XML:
. Fixed bug #72206 (xml_parser_create/xml_parser_free leaks mem). (Joe)
- XMLRPC:
. Fixed bug #72155 (use-after-free caused by get_zval_xmlrpc_type).
(Joe, Laruence)
- WDDX:
. Fixed bug #72340 (Double Free Courruption in wddx_deserialize). (Stas)
- Zip:
. Fixed bug #72258 (ZipArchive converts filenames to unrecoverable form).
(Anatol)
. Fixed bug #72434 (ZipArchive class Use After Free Vulnerability in PHP's GC
algorithm and unserialize). (Dmitry)
|
|
lang/php56: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.140
- lang/php56/Makefile 1.12
- lang/php56/distinfo 1.28
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Jun 24 15:25:21 UTC 2016
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php56: Makefile distinfo
Log Message:
Update php56 to 5.6.23 (PHP 5.6.23), including security fixes.
pkgsrc change: remove configure from SUBST_FILES.path.
23 Jun 2016, PHP 5.6.23
- Core:
. Fixed bug #72275 (Integer Overflow in json_encode()/json_decode()/
json_utf8_to_utf16()). (Stas)
. Fixed bug #72400 (Integer Overflow in addcslashes/addslashes). (Stas)
. Fixed bug #72403 (Integer Overflow in Length of String-typed ZVAL). (Stas)
- GD:
. Fixed bug #72298 (pass2_no_dither out-of-bounds access). (Stas)
. Fixed bug #72337 (invalid dimensions can lead to crash) (Pierre)
. Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in
heap overflow). (Pierre)
. Fixed bug #72407 (NULL Pointer Dereference at _gdScaleVert). (Stas)
. Fixed bug #72446 (Integer Overflow in gdImagePaletteToTrueColor() resulting
in heap overflow). (Pierre)
- Intl:
. Fixed bug #70484 (selectordinal doesn't work with named parameters).
(Anatol)
- mbstring:
. Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free). (Stas)
- mcrypt:
. Fixed bug #72455 (Heap Overflow due to integer overflows). (Stas)
- Phar:
. Fixed bug #72321 (invalid free in phar_extract_file()).
(hji at dyntopia dot com)
- SPL:
. Fixed bug #72262 (int/size_t confusion in SplFileObject::fread). (Stas)
. Fixed bug #72433 (Use After Free Vulnerability in PHP's GC algorithm and
unserialize). (Dmitry)
- OpenSSL:
. Fixed bug #72140 (segfault after calling ERR_free_strings()).
(Jakub Zelenka)
- WDDX:
. Fixed bug #72340 (Double Free Courruption in wddx_deserialize). (Stas)
- zip:
. Fixed bug #72434 (ZipArchive class Use After Free Vulnerability in PHP's GC
algorithm and unserialize). (Dmitry)
|
|
lang/php55: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.139
- lang/php55/Makefile 1.27
- lang/php55/distinfo 1.54
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Jun 24 15:23:00 UTC 2016
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php55: Makefile distinfo
Log Message:
Update php55 to 5.5.37 (PHP 5.5.37), including security fixes.
pkgsrc change: remove configure from SUBST_FILES.path.
23 Jun 2016, PHP 5.5.37
- Core:
. Fixed bug #72268 (Integer Overflow in nl2br()). (Stas)
. Fixed bug #72275 (Integer Overflow in json_encode()/json_decode()/
json_utf8_to_utf16()). (Stas)
. Fixed bug #72400 (Integer Overflow in addcslashes/addslashes). (Stas)
. Fixed bug #72403 (Integer Overflow in Length of String-typed ZVAL). (Stas)
- GD:
. Fixed bug #66387 (Stack overflow with imagefilltoborder) (CVE-2015-8874).
(cmb)
. Fixed bug #72298 (pass2_no_dither out-of-bounds access). (Stas)
. Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in
heap overflow). (Pierre)
. Fixed bug #72407 (NULL Pointer Dereference at _gdScaleVert). (Stas)
. Fixed bug #72446 (Integer Overflow in gdImagePaletteToTrueColor() resulting
in heap overflow). (Pierre)
- mbstring:
. Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free). (Stas)
- mcrypt:
. Fixed bug #72455 (Heap Overflow due to integer overflows). (Stas)
- SPL:
. Fixed bug #72262 (int/size_t confusion in SplFileObject::fread). (Stas)
. Fixed bug #72433 (Use After Free Vulnerability in PHP's GC algorithm and
unserialize). (Dmitry)
- WDDX:
. Fixed bug #72340 (Double Free Courruption in wddx_deserialize). (Stas)
- zip:
. Fixed bug #72434 (ZipArchive class Use After Free Vulnerability in PHP's GC
algorithm and unserialize). (Dmitry)
|
|
lang/php70: build fix
Revisions pulled up:
- lang/php70/distinfo 1.13
- lang/php70/patches/patch-sapi_cli_Makefile.frag 1.3
---
Module Name: pkgsrc
Committed By: joerg
Date: Tue Jun 7 19:23:50 UTC 2016
Modified Files:
pkgsrc/lang/php70: distinfo
pkgsrc/lang/php70/patches: patch-sapi_cli_Makefile.frag
Log Message:
Unbreak unprivileged build. Actually test for executable.
|
|
lang/php70: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.138
- lang/php70/distinfo 1.10-1.12
- lang/php70/patches/patch-sapi_cli_Makefile.frag 1.1-1.2
---
Module Name: pkgsrc
Committed By: taca
Date: Fri May 27 13:29:58 UTC 2016
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php70: distinfo
Log Message:
Update php70 to 7.0.7 (PHP 7.0.7), including security fix.
26 May 2016 PHP 7.0.7
- Core:
. Fixed bug #72162 (use-after-free - error_reporting). (Laruence)
. Add compiler option to disable special case function calls. (Joe)
. Fixed bug #72101 (crash on complex code). (Dmitry)
. Fixed bug #72100 (implode() inserts garbage into resulting string when
joins very big integer). (Mikhail Galanin)
. Fixed bug #72057 (PHP Hangs when using custom error handler and typehint).
(Nikita Nefedov)
. Fixed bug #72038 (Function calls with values to a by-ref parameter don't
always throw a notice). (Bob)
. Fixed bug #71737 (Memory leak in closure with parameter named $this).
(Nikita)
. Fixed bug #72059 (?? is not allowed on constant expressions). (Bob, Marcio)
. Fixed bug #72159 (Imported Class Overrides Local Class Name). (Nikita)
- Curl:
. Fixed bug #68658 (Define CURLE_SSL_CACERT_BADFILE). (Pierrick)
- DBA:
. Fixed bug #72157 (use-after-free caused by dba_open). (Shm, Laruence)
- GD:
. Fixed bug #72227 (imagescale out-of-bounds read). (Stas)
- Intl:
. Fixed #72241 (get_icu_value_internal out-of-bounds read). (Stas)
- JSON:
. Fixed bug #72069 (Behavior \JsonSerializable different from json_encode).
(Laruence)
- Mbstring:
. Fixed bug #72164 (Null Pointer Dereference - mb_ereg_replace). (Laruence)
- OCI8:
. Fixed bug #71600 (oci_fetch_all segfaults when selecting more than eight
columns). (Tian Yang)
- Opcache:
. Fixed bug #72014 (Including a file with anonymous classes multiple times
leads to fatal error). (Laruence)
- OpenSSL:
. Fixed bug #72165 (Null pointer dereference - openssl_csr_new). (Anatol)
- PCNTL:
. Fixed bug #72154 (pcntl_wait/pcntl_waitpid array internal structure
overwrite). (Laruence)
- POSIX:
. Fixed bug #72133 (php_posix_group_to_array crashes if gr_passwd is NULL).
(esminis at esminis dot lt)
- Postgres:
. Fixed bug #72028 (pg_query_params(): NULL converts to empty string).
(Laruence)
. Fixed bug #71062 (pg_convert() doesn't accept ISO 8601 for datatype
timestamp). (denver at timothy dot io)
. Fixed bug #72151 (mysqli_fetch_object changed behaviour). (Anatol)
- Reflection:
. Fixed bug #72174 (ReflectionProperty#getValue() causes __isset call).
(Nikita)
- Session:
. Fixed bug #71972 (Cyclic references causing session_start(): Failed to
decode session object). (Laruence)
- Sockets:
. Added socket_export_stream() function for getting a stream compatible
resource from a socket resource. (Chris Wright, Bob)
- SPL:
. Fixed bug #72051 (The reference in CallbackFilterIterator doesn't work as
expected). (Laruence)
- SQLite3:
. Fixed bug #68849 (bindValue is not using the right data type). (Anatol)
- Standard:
. Fixed bug #72075 (Referencing socket resources breaks stream_select).
(Laruence)
. Fixed bug #72031 (array_column() against an array of objects discards all
values matching null). (Nikita)
---
Module Name: pkgsrc
Committed By: wiz
Date: Sat May 28 08:02:26 UTC 2016
Modified Files:
pkgsrc/lang/php70: distinfo
Added Files:
pkgsrc/lang/php70/patches: patch-sapi_cli_Makefile.frag
Log Message:
Mark php binary with paxctl +m because of JIT code.
Needed on NetBSD-current with PaX MPROTECT.
---
Module Name: pkgsrc
Committed By: wiz
Date: Sat May 28 08:13:15 UTC 2016
Modified Files:
pkgsrc/lang/php70: distinfo
pkgsrc/lang/php70/patches: patch-sapi_cli_Makefile.frag
Log Message:
Add upstream bug report URL.
|
|
lang/php56: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.137
- lang/php56/DESCR 1.2
- lang/php56/distinfo 1.27
---
Module Name: pkgsrc
Committed By: taca
Date: Mon May 16 04:13:59 UTC 2016
Modified Files:
pkgsrc/lang/php56: DESCR
Log Message:
This package is not for PHP 5.5.x but 5.6.x. Noted by Edgar Fuß via
private E-mail.
---
Module Name: pkgsrc
Committed By: taca
Date: Fri May 27 13:28:07 UTC 2016
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php56: distinfo
Log Message:
Update php56 to 5.6.22 (PHP 5.6.22), including security fix.
26 May 2016, PHP 5.6.22
- Core:
. Fixed bug #72172 (zend_hex_strtod should not use strlen).
(bwitz at hotmail dot com )
. Fixed bug #72114 (Integer underflow / arbitrary null write in
fread/gzread). (Stas)
. Fixed bug #72135 (Integer Overflow in php_html_entities). (Stas)
- GD:
. Fixed bug #72227 (imagescale out-of-bounds read). (Stas)
- Intl
. Fixed bug #64524 (Add intl.use_exceptions to php.ini-*). (Anatol)
. Fixed bug #72241 (get_icu_value_internal out-of-bounds read). (Stas)
- Postgres:
. Fixed bug #72151 (mysqli_fetch_object changed behaviour). (Anatol)
|
|
lang/php55: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.136
- lang/php55/distinfo 1.53
---
Module Name: pkgsrc
Committed By: taca
Date: Fri May 27 13:25:44 UTC 2016
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php55: distinfo
Log Message:
Update php55 to 5.5.36 (PHP 5.5.36), including security fix.
26 May 2016, PHP 5.5.36
- Core:
. Fixed bug #72114 (Integer underflow / arbitrary null write in
fread/gzread). (Stas)
. Fixed bug #72135 (Integer Overflow in php_html_entities). (Stas)
- GD:
. Fixed bug #72227 (imagescale out-of-bounds read). (Stas)
- Intl:
. Fixed bug #72241 (get_icu_value_internal out-of-bounds read). (Stas)
- Phar:
. Fixed bug #71331 (Uninitialized pointer in phar_make_dirstream()).
(CVE-2016-4343) (Stas)
|
|
lang/ghc7: build fix
Revisions pulled up:
- lang/ghc7/Makefile 1.25
- lang/ghc7/distinfo 1.14
- lang/ghc7/patches/patch-libffi_ghc.mk 1.1
- lang/ghc7/patches/patch-rts_ghc.mk 1.6
---
Module Name: pkgsrc
Committed By: joerg
Date: Sat May 7 10:02:06 UTC 2016
Modified Files:
pkgsrc/lang/ghc7: Makefile distinfo
pkgsrc/lang/ghc7/patches: patch-rts_ghc.mk
Added Files:
pkgsrc/lang/ghc7/patches: patch-libffi_ghc.mk
Log Message:
Fix libffi linkage, so that it actually picks up the right version and
includes the rpath. Seen by a not so happy devel/happy. Bump revision.
|
|
lang/php70: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.135
- lang/php70/distinfo 1.9
- lang/php70/patches/patch-configure 1.3
- lang/php70/patches/patch-ext_opcache_config.m4 deleted
- lang/php70/patches/patch-ext_standard_php__dns.h 1.2
---
Module Name: pkgsrc
Committed By: taca
Date: Mon May 2 13:09:49 UTC 2016
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php70: distinfo
pkgsrc/lang/php70/patches: patch-configure
patch-ext_standard_php__dns.h
Removed Files:
pkgsrc/lang/php70/patches: patch-ext_opcache_config.m4
Log Message:
Update php70 to 7.0.6.
pkgsrc change: Fix build problem on Linux noted by Matthias Ferdinand on
pkgsrc-users@.
28 Apr 2016 PHP 7.0.6
- Core:
. Fixed bug #71930 (_zval_dtor_func: Assertion `(arr)->gc.refcount <= 1'
failed). (Laruence)
. Fixed bug #71922 (Crash on assert(new class{})). (Nikita)
. Fixed bug #71914 (Reference is lost in "switch"). (Laruence)
. Fixed bug #71871 (Interfaces allow final and abstract functions). (Nikita)
. Fixed Bug #71859 (zend_objects_store_call_destructors operates on realloced
memory, crashing). (Laruence)
. Fixed bug #71841 (EG(error_zval) is not handled well). (Laruence)
. Fixed bug #71750 (Multiple Heap Overflows in php_raw_url_encode/
php_url_encode). (Stas)
. Fixed bug #71731 (Null coalescing operator and ArrayAccess). (Nikita)
. Fixed bug #71609 (Segmentation fault on ZTS with gethostbyname). (krakjoe)
. Fixed bug #71428 (inheritance and allow_null). (krakjoe)
. Fixed bug #71414 (Inheritance, traits and interfaces). (krakjoe)
. Fixed bug #71359 (Null coalescing operator and magic). (krakjoe)
. Fixed bug #71334 (Cannot access array keys while uksort()). (Nikita)
. Fixed bug #69659 (ArrayAccess, isset() and the offsetExists method).
(Nikita)
. Fixed bug #69537 (__debugInfo with empty string for key gives error).
(krakjoe)
. Fixed bug #62059 (ArrayObject and isset are not friends). (Nikita)
. Fixed bug #71980 (Decorated/Nested Generator is Uncloseable in Finally).
(Nikita)
- BCmath:
. Fixed bug #72093 (bcpowmod accepts negative scale and corrupts
_one_ definition). (Stas)
- Curl:
. Fixed bug #71831 (CURLOPT_NOPROXY applied as long instead of string).
(Michael Sierks)
- Date:
. Fixed bug #71889 (DateInterval::format Segmentation fault). (Thomas Punt)
- EXIF:
. Fixed bug #72094 (Out of bounds heap read access in exif header processing). (Stas)
- GD:
. Fixed bug #71912 (libgd: signedness vulnerability). (Stas)
- Intl:
. Fixed bug #71516 (IntlDateFormatter looses locale if pattern is set via
constructor). (Anatol)
. Fixed bug #70455 (Missing constant: IntlChar::NO_NUMERIC_VALUE). (Anatol)
. Fixed bug #70451, #70452 (Inconsistencies in return values of IntlChar
methods). (Daniel Persson)
. Fixed bug #68893 (Stackoverflow in datefmt_create). (Anatol)
. Fixed bug #66289 (Locale::lookup incorrectly returns en or en_US if locale
is empty). (Anatol)
. Fixed bug #70484 (selectordinal doesn't work with named parameters).
(Anatol)
. Fixed bug #72061 (Out-of-bounds reads in zif_grapheme_stripos with negative
offset). (Stas)
- ODBC:
. Fixed bug #63171 (Script hangs after max_execution_time). (Remi)
- Opcache:
. Fixed bug #71843 (null ptr deref ZEND_RETURN_SPEC_CONST_HANDLER).
(Laruence)
- PDO:
. Fixed bug #52098 (Own PDOStatement implementation ignore __call()).
(Daniel kalaspuffar, Julien)
. Fixed bug #71447 (Quotes inside comments not properly handled). (Matteo)
- PDO_DBlib:
. Fixed bug #71943 (dblib_handle_quoter needs to allocate an extra byte).
(Adam Baratz)
. Add DBLIB-specific attributes for controlling timeouts. (Adam Baratz)
- PDO_pgsql:
. Fixed bug #62498 (pdo_pgsql inefficient when getColumnMeta() is used).
(Joseph Bylund)
- Postgres:
. Fixed bug #71820 (pg_fetch_object binds parameters before call
constructor). (Anatol)
. Fixed bug #71998 (Function pg_insert does not insert when column
type = inet). (Anatol)
- SOAP:
. Fixed bug #71986 (Nested foreach assign-by-reference creates broken
variables). (Laruence)
- SPL:
. Fixed bug #71838 (Deserializing serialized SPLObjectStorage-Object can't
access properties in PHP). (Nikita)
. Fixed bug #71735 (Double-free in SplDoublyLinkedList::offsetSet). (Stas)
. Fixed bug #67582 (Cloned SplObjectStorage with overwritten getHash fails
offsetExists()). (Nikita)
. Fixed bug #52339 (SPL autoloader breaks class_exists()). (Nikita)
- Standard:
. Fixed bug #71995 (Returning the same var twice from __sleep() produces
broken serialized data). (Laruence)
. Fixed bug #71940 (Unserialize crushes on restore object reference).
(Laruence)
. Fixed bug #71969 (str_replace returns an incorrect resulting array after
a foreach by reference). (Laruence)
. Fixed bug #71891 (header_register_callback() and
register_shutdown_function()). (Laruence)
. Fixed bug #71884 (Null pointer deref (segfault) in
stream_context_get_default). (Laruence)
. Fixed bug #71840 (Unserialize accepts wrongly data). (Ryat, Laruence)
. Fixed bug #71837 (Wrong arrays behaviour). (Laruence)
. Fixed bug #71827 (substr_replace bug, string length). (krakjoe)
. Fixed bug #67512 (php_crypt() crashes if crypt_r() does not exist or
_REENTRANT is not defined). (Nikita)
. Fixed bug #72116 (array_fill optimization breaks implementation). (Bob)
- XML:
. Fixed bug #72099 (xml_parse_into_struct segmentation fault). (Stas)
- Zip:
. Fixed bug #71923 (integer overflow in ZipArchive::getFrom*). (Stas)
|
|
lang/php56: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.134
- lang/php56/distinfo 1.26
- lang/php56/patches/patch-configure 1.3
- lang/php56/patches/patch-ext_opcache_config.m4 deleted
- lang/php56/patches/patch-ext_standard_php__dns.h 1.2
---
Module Name: pkgsrc
Committed By: taca
Date: Mon May 2 13:08:00 UTC 2016
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php56: distinfo
pkgsrc/lang/php56/patches: patch-configure
patch-ext_standard_php__dns.h
Removed Files:
pkgsrc/lang/php56/patches: patch-ext_opcache_config.m4
Log Message:
Update php56 to 5.6.21.
pkgsrc change: Fix build problem on Linux noted by Matthias Ferdinand on
pkgsrc-users@.
28 Apr 2016, PHP 5.6.21
- Core:
. Fixed bug #69537 (__debugInfo with empty string for key gives error).
(krakjoe)
. Fixed bug #71841 (EG(error_zval) is not handled well). (Laruence)
- BCmath:
. Fixed bug #72093 (bcpowmod accepts negative scale and corrupts
_one_ definition). (Stas)
- Curl:
. Fixed bug #71831 (CURLOPT_NOPROXY applied as long instead of string).
(Michael Sierks)
- Date:
. Fixed bug #71889 (DateInterval::format Segmentation fault). (Thomas Punt)
- EXIF:
. Fixed bug #72094 (Out of bounds heap read access in exif header processing). (Stas)
- GD:
. Fixed bug #71952 (Corruption inside imageaffinematrixget). (Stas)
. Fixed bug #71912 (libgd: signedness vulnerability). (Stas)
- Intl:
. Fixed bug #72061 (Out-of-bounds reads in zif_grapheme_stripos with negative
offset). (Stas)
- OCI8:
. Fixed bug #71422 (Fix ORA-01438: value larger than specified precision
allowed for this column). (Chris Jones)
- ODBC:
. Fixed bug #63171 (Script hangs after max_execution_time). (Remi)
- Opcache:
. Fixed bug #71843 (null ptr deref ZEND_RETURN_SPEC_CONST_HANDLER).
(Laruence)
- PDO:
. Fixed bug #52098 (Own PDOStatement implementation ignore __call()).
(Daniel Kalaspuffar, Julien)
. Fixed bug #71447 (Quotes inside comments not properly handled). (Matteo)
- Postgres:
. Fixed bug #71820 (pg_fetch_object binds parameters before call
constructor). (Anatol)
- SPL:
. Fixed bug #67582 (Cloned SplObjectStorage with overwritten getHash fails
offsetExists()). (Nikita)
- Standard:
. Fixed bug #71840 (Unserialize accepts wrongly data). (Ryat, Laruence)
. Fixed bug #67512 (php_crypt() crashes if crypt_r() does not exist or
_REENTRANT is not defined). (Nikita)
- XML:
. Fixed bug #72099 (xml_parse_into_struct segmentation fault). (Stas)
|
|
lang/php55: security fix
Revisions pulled up:
- lang/php/phpversion.mk 1.132-1.133
- lang/php55/distinfo 1.52
- lang/php55/patches/patch-ext_standard_php__dns.h 1.2
---
Module Name: pkgsrc
Committed By: wiz
Date: Fri Apr 22 09:46:50 UTC 2016
Modified Files:
pkgsrc/lang/php: phpversion.mk
Log Message:
Detect php-7.0 (define _PHP_VERSION_70_INSTALLED).
Addresses PR 50957.
---
Module Name: pkgsrc
Committed By: taca
Date: Mon May 2 13:06:21 UTC 2016
Modified Files:
pkgsrc/lang/php: phpversion.mk
pkgsrc/lang/php55: distinfo
pkgsrc/lang/php55/patches: patch-ext_standard_php__dns.h
Log Message:
Update php55 to 5.5.35.
pkgsrc change: Fix build problem on Linux noted by Matthias Ferdinand on
pkgsrc-users@.
28 Apr 2016, PHP 5.5.35
- BCMath:
. Fix bug #72093 (bcpowmod accepts negative scale and corrupts _one_
definition). (Stas)
- Exif:
. Fix bug #72094 (Out of bounds heap read access in exif header
processing). (Stas)
- GD:
. Fix bug #71912 (libgd: signedness vulnerability). (Stas)
- Intl:
. Fix bug #72061 (Out-of-bounds reads in zif_grapheme_stripos with negative
offset). (Stas)
- XML:
. Fix bug #72099 (xml_parse_into_struct segmentation fault). (Stas)
|
|
lang/perl5: security fix
Revisions pulled up:
- lang/perl5/Makefile 1.237
- lang/perl5/distinfo 1.134
- lang/perl5/patches/patch-perl.c 1.1
---
Module Name: pkgsrc
Committed By: sevan
Date: Tue Apr 19 22:14:39 UTC 2016
Modified Files:
pkgsrc/lang/perl5: Makefile distinfo
Added Files:
pkgsrc/lang/perl5/patches: patch-perl.c
Log Message:
Add patch to address CVE-2016-2381
Bump pkgrev
Reviewed by wiz@
|
|
builds.
|
|
Add a patch to fix memory leak noted by Zafer Aydoğan via
private mail.
31 Mar 2016 PHP 7.0.5
- Core:
. Huge pages disabled by default. (Rasmus)
. Added ability to enable huge pages in Zend Memory Manager through
the environment variable USE_ZEND_ALLOC_HUGE_PAGES=1. (Dmitry)
. Fixed bug #71756 (Call-by-reference widens scope to uninvolved functions
when used in switch). (Laruence)
. Fixed bug #71729 (Possible crash in zend_bin_strtod, zend_oct_strtod,
zend_hex_strtod). (Laruence)
. Fixed bug #71695 (Global variables are reserved before execution).
(Laruence)
. Fixed bug #71629 (Out-of-bounds access in php_url_decode in context
php_stream_url_wrap_rfc2397). (mt at debian dot org)
. Fixed bug #71622 (Strings used in pass-as-reference cannot be used to
invoke C::$callable()). (Bob)
. Fixed bug #71596 (Segmentation fault on ZTS with date function
(setlocale)). (Anatol)
. Fixed bug #71535 (Integer overflow in zend_mm_alloc_heap()). (Dmitry)
. Fixed bug #71470 (Leaked 1 hashtable iterators). (Nikita)
. Fixed bug #71575 (ISO C does not allow extra ‘;’ outside of a function).
(asgrim)
. Fixed bug #71724 (yield from does not count EOLs). (Nikita)
. Fixed bug #71767 (ReflectionMethod::getDocComment returns the wrong
comment). (Grigorii Sokolik)
. Fixed bug #71806 (php_strip_whitespace() fails on some numerical values).
(Nikita)
. Fixed bug #71624 (`php -R` (PHP_MODE_PROCESS_STDIN) is broken).
(Sean DuBois)
- CLI Server:
. Fixed bug #69953 (Support MKCALENDAR request method). (Christoph)
- Curl:
. Fixed bug #71694 (Support constant CURLM_ADDED_ALREADY). (mpyw)
- Date:
. Fixed bug #71635 (DatePeriod::getEndDate segfault). (Thomas Punt)
- Fileinfo:
. Fixed bug #71527 (Buffer over-write in finfo_open with malformed magic
file). (Anatol)
- libxml:
. Fixed bug #71536 (Access Violation crashes php-cgi.exe). (Anatol)
- mbstring:
. Fixed bug #71906 (AddressSanitizer: negative-size-param (-1) in
mbfl_strcut). (Stas)
- ODBC:
. Fixed bug #47803, #69526 (Executing prepared statements is succesfull only
for the first two statements). (einavitamar at gmail dot com, Anatol)
- PCRE:
. Fixed bug #71659 (segmentation fault in pcre running twig tests).
(nish dot aravamudan at canonical dot com)
- PDO_DBlib:
. Bug #54648 (PDO::MSSQL forces format of datetime fields).
(steven dot lambeth at gmx dot de, Anatol)
- Phar:
. Fixed bug #71625 (Crash in php7.dll with bad phar filename).
(Anatol)
. Fixed bug #71317 (PharData fails to open specific file). (Jos Elstgeest)
. Fixed bug #71860 (Invalid memory write in phar on filename with \0 in
name). (Stas)
- phpdbg:
. Fixed crash when advancing (except step) inside an internal function. (Bob)
- Session:
. Fixed Bug #71683 (Null pointer dereference in zend_hash_str_find_bucket).
(Yasuo)
- SNMP:
. Fixed bug #71704 (php_snmp_error() Format String Vulnerability).
(andrew at jmpesp dot org)
- SPL:
. Fixed bug #71617 (private properties lost when unserializing ArrayObject).
(Nikita)
- Standard:
. Fixed bug #71660 (array_column behaves incorrectly after foreach by
reference). (Laruence)
. Fixed bug #71798 (Integer Overflow in php_raw_url_encode).
(taoguangchen at icloud dot com, Stas)
- Zip:
. Update bundled libzip to 1.1.2. (Remi, Anatol)
|
|
Add a patch to fix memory leak noted by Zafer Aydoğan via
private mail.
31 Mar 2016, PHP 5.6.20
- CLI Server:
. Fixed bug #69953 (Support MKCALENDAR request method). (Christoph)
- Core:
. Fixed bug #71596 (Segmentation fault on ZTS with date function
(setlocale)). (Anatol)
- Curl:
. Fixed bug #71694 (Support constant CURLM_ADDED_ALREADY). (mpyw)
- Date:
. Fixed bug #71635 (DatePeriod::getEndDate segfault). (Thomas Punt)
- Fileinfo:
. Fixed bug #71527 (Buffer over-write in finfo_open with malformed magic
file). (Anatol)
- Mbstring:
. Fixed bug #71906 (AddressSanitizer: negative-size-param (-1) in
mbfl_strcut). (Stas)
- ODBC:
. Fixed bug #47803, #69526 (Executing prepared statements is succesfull only
for the first two statements). (einavitamar at gmail dot com, Anatol)
. Fixed bug #71860 (Invalid memory write in phar on filename with \0 in
name). (Stas)
- PDO_DBlib:
. Bug #54648 (PDO::MSSQL forces format of datetime fields).
(steven dot lambeth at gmx dot de, Anatol)
- Phar:
. Fixed bug #71625 (Crash in php7.dll with bad phar filename).
(Anatol)
. Fixed bug #71504 (Parsing of tar file with duplicate filenames causes
memory leak). (Jos Elstgeest)
- SNMP:
. Fixed bug #71704 (php_snmp_error() Format String Vulnerability).
(andrew at jmpesp dot org)
- Standard
. Fixed bug #71798 (Integer Overflow in php_raw_url_encode).
(taoguangchen at icloud dot com, Stas)
|
|
Add a patch to fix memory leak noted by Zafer Aydoğan via
private mail.
31 Mar 2016, PHP 5.5.34
- Fileinfo:
. Fixed bug #71527 (Buffer over-write in finfo_open with malformed magic
file). (Anatol)
- Mbstring:
. Fixed bug #71906 (AddressSanitizer: negative-size-param (-1) in
mbfl_strcut). (Stas)
- ODBC:
. Fixed bug #71860 (Invalid memory write in phar on filename with \0 in
name). (Stas)
- SNMP:
. Fixed bug #71704 (php_snmp_error() Format String Vulnerability).
(andrew at jmpesp dot org)
- Standard
. Fixed bug #71798 (Integer Overflow in php_raw_url_encode).
(taoguangchen at icloud dot com, Stas)
|
|
4.4.2
* https: Under certain conditions ssl sockets may have been
causing a memory leak when keepalive is enabled. This is no
longer the case.
* lib: The way that we were internally passing arguments was
causing a potential leak. By copying the arguments into an
array we can avoid this.
* npm: Upgrade to v2.15.1. Fixes a security flaw in the use of
authentication tokens in HTTP requests that would allow an
attacker to set up a server that could collect tokens from
users of the command-line interface. Authentication tokens
have previously been sent with every request made by the
CLI for logged-in users, regardless of the destination of
the request. This update fixes this by only including those
tokens for requests made against the registry or registries
used for the current install.
* repl: Previously if you were using the repl in strict mode
the column number would be wrong in a stack trace. This is
no longer an issue.
4.4.1
* build:
- Updated Logos for the OSX + Windows installers
- New option to select your VS Version in the Windows installer
- Support Visual C++ Build Tools 2015
* tools: Gyp now works on OSX without XCode
|
|
5.10.0
* buffer:
- make byteLength work with ArrayBuffer & DataView
- backport --zero-fill-buffers command line option
- backport new buffer constructor APIs
- add swap16() and swap32() methods
* fs: add the fs.mkdtemp() function.
* net: emit host in lookup event
* node: --no-browser-globals configure flag
* npm: Upgrade to v3.8.3. Fixes a security flaw in the use of
authentication tokens in HTTP requests that would allow an
attacker to set up a server that could collect tokens from
users of the command-line interface. Authentication tokens
have previously been sent with every request made by the CLI
for logged-in users, regardless of the destination of the
request. This update fixes this by only including those
tokens for requests made against the registry or registries
used for the current install.
* repl: support standalone blocks
* src: override v8 thread defaults using cli options
5.9.0
* contextify: Fixed a memory consumption issue related to heavy
use of vm.createContext and vm.runInNewContext.
* lib: copy arguments object instead of leaking it
* src: allow both -i and -e flags to be used at the same time
* timers: Internal Node.js timeouts now use the same logic path
as those created with setTimeout()
* v8: backport fb4ccae from v8 upstream: breakout events from v8
to offer better support for external debuggers
* zlib: add support for concatenated members
|
|
LLVM libunwind
Late import approved from <pkgsrc-pmc>
|
|
Changelog:
Fix CVE-2016-0636
|
|
reported as PR pkg/50971.
|
|
64-bit build on CentOS.
|
|
I don't see a relation to relro, but the linker found out about
a missing symbol it didn't complain about before.
SVN 54139:
Thu Mar 17 11:36:27 2016 Nobuyoshi Nakada <nobu@ruby-lang.org>
* ext/socket/option.c (inspect_tcpi_msec): more accurate condition
for TCPI msec member inspection function.
[ruby-core:74388] [Bug #12185]
Bump PKGREVISION.
|
|
I don't see a relation to relro, but the linker found out about
a missing symbol it didn't complain about before.
SVN 54139:
Thu Mar 17 11:36:27 2016 Nobuyoshi Nakada <nobu@ruby-lang.org>
* ext/socket/option.c (inspect_tcpi_msec): more accurate condition
for TCPI msec member inspection function.
[ruby-core:74388] [Bug #12185]
Bump PKGREVISION.
|
|
Changes in Racket 6.4:
- We fixed a security vulnerability in the web server. The existing
web server is vulnerable to a navigation attack if it is also
enabled to serve files statically; that is, any file readable by
the web server is accessible remotely. For more information see
http://blog.racket-lang.org/2016/02/racket-web-server-security-vulnerability.html
- DrRacket's scrolling is faster.
- Incremental garbage-collection mode can eliminate long pauses in a
program. For example, incremental mode is useful for avoiding pauses
in games and animations.
Programs must specifically request incremental mode with
`(collect-garbage 'incremental)`, but libraries such as
`2htdp/universe` include the request as part of the library's
implementation.
- The default package catalog is an HTTPS address instead of HTTP, and
package operations properly validate server certificates when using
HTTPS.
- Documentation may define their own categories for the manual top-
level page by using strings, rather than only symbols that name
pre-defined categories.
- The Racket cheat sheet is included in the main distribution.
- DrRacket is available in Bulgarian, thanks to Alexander Shopov.
- The contract Typed Racket generates for the `Any` type is more
permissive, allowing more typed/untyped programs to work without
contract errors.
- Redex supports binding specifications; describe which variables bind
in which expressions and your metafunctions and reduction relations
automatically become scope-sensitive. Thanks to Paul Stansifer for
this improvement.
- All `pict` functions accept `pict-convertible`s. This allows for
transparent interoperability between `pict` and libraries like
`2htdp/image`.
- The `raco profile` and `raco contract-profile` commands provide easy
access to profiling tools, without requiring program modifications.
|
Changelog:
Scala 2.11.8 is now available!
March 8, 2016
We are pleased to announce the availability of Scala 2.11.8!
Significant changes since 2.11.7 include:
* The Scala REPL now has robust and flexible tab-completion (details below)
* An assortment of bugs have been fixed
Compared to 2.11.7, this release resolves 44 issues. We merged 175 pull requests.
As usual for minor releases, Scala 2.11.8 is binary compatible with other releases in the Scala 2.11 series.
The last planned 2.11.x release will be 2.11.9 in late 2016.
New tab-completion in the Scala REPL
The implementation of tab-completion in the Scala REPL has been rewritten and now uses the same infrastructure as for example Scala IDE and ENSIME.
There are a number of improvements:
* Reliable completion, also in partial expressions and syntactically incorrect programs: try class C { def f(l: List[Int]) = l.<TAB>
* CamelCase completion: try (l: List[Int]).rro<TAB>, it expands to (l: List[Int]).reduceRightOption
* Show desugarings performed by the compiler by adding //print: try for (x <- 1 to 10) println(x) //print<TAB>
* Complete bean getters without typing get: try (d: java.util.Date).day<TAB>
* Find members by typing any CamelCased part of the name: try classOf[String].typ<TAB> to get getAnnotationsByType, getComponentType and others
* Complete non-qualified names, including types: try def f(s: Str<TAB>
* Press tab twice to see the method signature: try List(1,2,3).part<TAB>, which completes to List(1,2,3).partition; press tab again to display def partition(p: Int => Boolean): (List[Int], List[Int])
Thanks to @retronym and @som-snytt for their fruitful collaboration on this work!
Scala 2.11.7 is now available!
June 23, 2015
We are very pleased to announce the availability of Scala 2.11.7!
We would like to highlight the following changes:
* Exhaustivity checking for pattern matching is now much snappier — thank you @gbasler! (SI-9181)
* A 300x more embeddable Scala REPL, brought to you by a team effort with Apache Spark. Thank you @ScrapCodes, @retronym & co! (#4548, #4563)
* Scala also <3 INDYs – experiment with all our favorite new Java 8 features as follows and get an exclusive sneak preview of 2.12.0-M2!
* Oh, and the spec is now much spiffier! Thanks, @soc!
Compared to 2.11.6, this release resolves 53 issues. We merged 124 pull requests (out of 157). Before upgrading, please also check the known issues for this release.
As usual for minor releases, Scala 2.11.7 is binary compatible with other releases in the Scala 2.11 series.
|
Might fix "ld: fatal: library -lXrender: not found" seen in SmartOS bulk build.
|
Changes since 16.0.0
* API changes
- si:do-setf accepts optional parameter stores. New lambda-list:
(access-fn function &optional (stores `(,(gensym))))
This change is backward compatible.
- New MP functions:
mp:with-rwlock
mp:try-get-semaphore (non-blocking)
mp:mailbox-try-read (non-blocking)
mp:mailbox-try-send (non-blocking)
- Added back removed C interfaces
ecl_import_current_thread
ecl_release_current_thread
- When cl-truename encounters a broken symlink, it returns its path
instead of signalling a file-error
- Deprecated variables have been removed
c::*suppress-compiler-warnings*, c::*suppress-compiler-notes*
- Random state might be initialized by a random seed (truncated to
32bit value) or by a precomputed array.
Latter is designed to allow reading back the printed random state
(when printed readably), not as an array to initialize the random
state.
- C99 supporting compiler is mandatory for C backend.
- COMPILER::*cc_is_cxx*: New variable to switch the output extension of
emitted compiler code to ".cxx" when configured with "--with-c++". This
eliminates compiler warnings that compiling C++ with a ".c" extension is
deprecated; this is seen mostly with Clang++.
- Added Clang-specific pragmas to disable return type, unused value and
excessive parentheses warnings, which are fairly harmless, but annoying
and clutter user output.
- GRAY:CLOSE isn't specialized on T to preserve compatibility with some
libraries.
* Enhancements:
- Added code walker (present as *feature* :walker)
- Testing framework cleanup
- Format falls back to prin1 if infinity or NaN are passed to it
- Annotations are added at runtime (better integration with SLIME)
- Mersenne-Twister RNG has new 64 bit implementation for appropriate
machines
- Add sockets implementation for android platform
- Add android build target (official android support)
* Issues fixed:
- si:open-unix-socket-stream accepts both string and base-string
(automatic coercion is performed)
- Long form of DEFSETF accepts multiple-values as store forms:
(defsetf gah (x) (y z) `(list ,x ,y ,z))
(setf (gah 3) (values 3 4))
- Building with single-threaded boehm works if ECL threads are disabled
- Using labels works with sharp-S-reader
(read-from-string
"(#1=\"Hello\" #S(sharp-s-reader.1.example-struct :A #1#))")
- Generated C code works well with IEEE 754 infinities
(regression tests created)
- User-defined heap sizes can now exceed the size of a fixnum on 32-bit
- The heap size limit was intended to be 1GB on 32-bit or 4GB on 64-bit
but inconsistency between ECL_FIXNUM_BITS and FIXNUM_BITS in the code
prevented the heap from growing for 64-bit. This now occurs, and a few
other less visible bugs were fixed by restoring consistency to
ECL_FIXNUM_BITS.
- EXT:EXTERNAL-PROCESS-WAIT potential race condition fix
- Building with object files not created by ECL works (CFFI wrappers)
- Regression regarding initialization of build by ECL libraries from
external code fixed. Static and shared libraries initialization
functions have predetermined names while object files have randomized
names.
- Random state initial state generation was buggy and insecure (entropy
from urandom was rejected)
- Fix `listen' on streams when FILE_CNT isn't available (use read instead
of fread)
- `FIND' compiled with C compiler didn't respect `START' nor `END'
arguments. Compiler macro is fixed now and should work as expected
- `compute-applicable-methods-using-classes` bugfix
|
It is a dlopened library and needs libmawt.so, but that can be provided by
either xawt/libmawt.so or headless/libmawt.so. The JVM will pick and load
the correct implementation to use so an explicit run path is neither
appropriate nor required.
|