| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
* Fixed CVE-2007-1001, GD wbmp used with invalid image size (by Ivan Fratric)
* Fixed asciiz byte truncation inside mail() (MOPB-33 by Stefan Esser)
* Fixed a bug in mb_parse_str() that can be used to activate register_globals
(MOPB-26 by Stefan Esser)
* Fixed unallocated memory access/double free in in array_user_key_compare()
(MOPB-24 by Stefan Esser)
* Fixed a double free inside session_regenerate_id() (MOPB-22 by Stefan Esser)
* Added missing open_basedir & safe_mode checks to zip:// and bzip:// wrappers.
(MOPB-21 by Stefan Esser).
* Limit nesting level of input variables with max_input_nesting_level as fix for
(MOPB-03 by Stefan Esser)
* Fixed CRLF injection inside ftp_putcmd(). (by loveshell[at]Bug.Center.Team)
* Fixed a possible super-global overwrite inside import_request_variables().
(by Stefano Di Paola, Stefan Esser)
* Fixed a remotely trigger-able buffer overflow inside bundled libxmlrpc
library. (by Stanislav Malyshev)
* XSS in phpinfo() (MOPB-8 by Stefan Esser)
|
|
Bump package revision.
|
|
|
|
libraries. no PKGREVISION bump as the module is not built by default.
needed for upcoming new php-oracle package.
|
|
* Updated PCRE to version 7.0.
* Fixed segfault in ext/session when register_globals=On.
* Fixed (segfault in cURL extension).
* Fixed (possible cURL memory error).
* Fixed (imagettftext() multithreading issue).
* Fixed (ext/interbase compile failure).
* Fixed (PHP fastcgi with PHP_FCGI_CHILDREN don't kill children when parent is killed).
4.4.5
# Upgraded PEAR to 1.5.0.
# Updated PCRE to version 6.7.
# Moved extensions to PECL: ext/ovrimos
# Added a meta tag to phpinfo() output to prevent search engines from indexing the page.
# Backported a fix in the configure tests to detect the "rounding fuzz".
# Backported fix for ext/imap compilation failure with recent c-client versions.
# Fixed missing open_basedir check inside chdir() function.
# Fixed (Compile fails when using GCC 4.1.1/binutils 2.17).
# Fixed (pg_insert/pg_update do not allow now() to be used for timestamp fields).
# Fixed (using autoconf 2.6x and --with-layout=GNU breaks PEAR install path).
# Fixed (Using $this not in object context can cause segfaults).
# Fixed (ext/dba doesn't check for db-4.5 and db-4.4 when db4 support is enabled).
# Fixed (ftp_put() does not change transfer mode to ASCII).
# Fixed (ftp_nlist() returns false on empty dirs).
# Fixed (Allow building of curl extension against libcurl 7.16.0).
# Fixed (curl_exec() with return transfer returns TRUE on empty files).
# Fixed (Fixed a possible open_basedir bypass in tempnam()).
# Fixed (ldap_connect causes segfault with newer versions of OpenLDAP).
# Fixed (parse_url() fails if passing '@' in passwd).
# Fixed (Calling undefined method prints insufficient error message).
# Fixed (segfault when calling setlocale() in userspace session handler).
# Fixed (constructor is not called for classes used in userspace stream wrappers).
# Fixed (wddx_serialize_value() generates no wellformed xml).
# Fixed (aggregate_methods_by_list fails to take certain methods).
# Fixed (natcasesort() causes array_pop() to misbehave).
# Fixed (CURLOPT_HEADERFUNCTION, couldn't set the function in the class).
# Fixed (recursive array_walk causes segfault).
|
|
INSTALLATION_DIRS, as well as all occurrences of ${PREFIX}/man with
${PREFIX}/${PKGMANDIR}.
Fixes PR 35265, although I did not use the patch provided therein.
|
|
http://www.hardened-php.net/advisory_132006.138.html
|
|
|
|
Bump nb
|
|
duplicates process resource limits, which already provide necessary
"safety net" protection against rogue scripts
bump PKGREVISION for this
adressess PR pkg/32007 by "pancake"
also remove --enable-track-vars, since that configure argument
is long gone from PHP
|
|
This release address a series of locally exploitable security problems
discovered since PHP 4.4.3. All PHP users are encouraged to upgrade to this
release as soon as possible.
This release provides the following security fixes:
* Added missing safe_mode/open_basedir checks inside the error_log(),
file_exists(), imap_open() and imap_reopen() functions.
* Fixed overflows inside str_repeat() and wordwrap() functions on 64bit systems.
* Fixed possible open_basedir/safe_mode bypass in cURL extension.
* Fixed overflow in GD extension on invalid GIF images.
* Fixed a buffer overflow inside sscanf() function.
* Fixed memory_limit restriction on 64 bit system.
|
|
|
|
All PHP 4.x users are encouraged to upgrade to this release as soon as possible.
The security issues resolved include the following:
* Disallow certain characters in session names.
* Fixed a buffer overflow inside the wordwrap() function.
* Prevent jumps to parent directory via the 2nd parameter of the tempnam()
function.
* Improved safe_mode check for the error_log() function.
* Fixed cross-site scripting inside the phpinfo() function.
The release also includes about 20 bug fixes and an upgraded PCRE library
(version 6.6).
For a full list of changes in PHP 4.4.3, see the ChangeLog:
http://www.php.net/ChangeLog-4.php#4.4.3
This also contains a fix for CVE-2006-4020 (SA21403)
|
|
Ride the previous nb bump
|
|
Fix for CVE-2006-3011
Include our own pear.sh from the tarball but slightly hacked to get around
memory isses on installation.
|
|
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the buildlink3.mk files included as well as the depth at
which they are included.
For example, "make show-buildlink3" in fonts/Xft2 displays:
zlib
fontconfig
iconv
zlib
freetype2
expat
freetype2
Xrender
renderproto
|
|
of the order in which buildlink3.mk files are (recursively) included
by a package Makefile.
|
|
set OVERRIDE_DIRDEPTH to find any libtool scripts deeper in the WRKSRC
tree unless they're named something other than "libtool".
SHLIBTOOL_OVERRIDE generally doesn't need to be specified either -- just
define it to the empty list and shlibtool-override will look for libtool
scripts.
|
|
|
|
|
|
php-* modules failed on Darwin because gcc was used to link them.
Thanks to John Klos for testing.
Bump PKGREVISION.
|
|
it produced empty *.so and the module couldn't be actually used
|
|
|
|
them between "not critical" and "less critical".
Fix CVE-2006-0996, CVE-2006-1494, CVE-2006-1608, CVE-2006-1490.
See:
http://secunia.com/advisories/19383/
http://secunia.com/advisories/19599/
Patches were extracted from CVS. I had to translate the one for
CVE-2006-1608 on php4 because it has not made its way to the php4.4 branch
(I don't know why; I can confirm it fixes the issue).
While here, add PATCHDIR to the list of variables php5's Makefile.php
defines. That way, ap-php gets patched too...
|
|
that they look nicer.
|
|
RECOMMENDED is removed. It becomes ABI_DEPENDS.
BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.
BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.
BUILDLINK_DEPENDS does not change.
IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".
Added to obsolete.mk checking for IGNORE_RECOMMENDED.
I did not manually go through and fix any aesthetic tab/spacing issues.
I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.
I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.
As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.
As discussed on tech-pkg.
I will commit to revbump, pkglint, pkg_install, createbuildlink separately.
Note that if you use wip, it will fail! I will commit to pkgsrc-wip
later (within day).
|
|
installation to go through on NetBSD/sparc64 (well, at least mine).
Failure reported by Joel Carnat.
|
|
This is a bug fix release, which addresses some security problems too.
The major points that this release corrects are:
* Prevent header injection by limiting each header to a single line.
* Possible XSS inside error reporting functionality.
* Missing safe_mode/open_basedir checks into cURL extension.
* Apache 2 regression with sub-request handling on non-Linux systems.
* key() and current() regression related to references.
This release also fixes about 30 other defects.
|
|
|
|
automatically detects whether we want the pkginstall machinery to be
used by the package Makefile.
|
|
CONFIGURE_ARGS.
|
|
example MAKE_ENV+=FOO=${BAR} is changed to MAKE_ENV+=FOO=${BAR:Q}. Some
other changes are outlined in
http://mail-index.netbsd.org/tech-pkg/2005/12/02/0034.html
|
|
This is done via an option group, default is CGI. Note that the
FastCGI interpreter can still be used for normal CGI, but there
might be security issues involved in doing so.
|
|
|
|
(endless loop):
http://bugs.php.net/bug.php?id=35067
Pull in a patch from the php CVS repository to fix this, as suggested a
squirrelmail mailing list:
http://cvs.php.net/diff.php/php-src/ext/standard/basic_functions.c?r1=1.543.2.51.2.3&r2=1.543.2.51.2.4&ty=u
OK'd by Jaromir Dolecek, tested on apache-1 and apache-2 servers.
Bump pkgrevision.
|
|
|
|
so that configure won't try to run the (possibly not installed) pkg-config.
|
|
bump revision.
|
|
longer downloaded manually.
|
|
security fix, this fixes serious security problems regarding overwriting
of the GLOBALS array.
All users of PHP 4.3 and 4.4 sare encouradged to update to this version.
The --with-regex=system bug with re_magic has been fixed too, so re-enabling
use of --with-regex=system for all operating systems again
|
|
in private e-mail
|
|
turn it off. It's still on by default (in PKG_SUGGESTED_OPTIONS), so
no PKGREVISION bump required.
|
|
misinterpreted some Japanese characters as ASCII.
PR: 31223 by Takahiro Kambe
|
|
there
PR: 31047 by Gilles Dauphin
|
|
similarily how this is done in lang/php5/Makefile.php; default depends
in USE_INET6 setting, i.e. enabled iff OS supports it
|
|
|
|
|
|
when the base PHP is compiled with openssl extension (e.g. ssl://, tls://
stream support, and couple others). These don't work when SSL support
is loaded via extension.
For this reason, make openssl extension unconditionally built-in
into the main PHP package, and g/c security/php-openssl.
|
|
such as TLS support.
Patch provided by Stoned Elipot in private e-mail.
|
