php7.3 (7.3.31-1~deb10u7) buster-security; urgency=high * Non-maintainer upload by the LTS team. * Fix CVE-2024-5458: Due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly. The problem is related to CVE-2020-7071, but affects IPv6 host parts. -- Markus Koschany Mon, 17 Jun 2024 23:48:38 +0200 php7.3 (7.3.31-1~deb10u6) buster-security; urgency=high * Non-maintainer upload by the LTS Security Team. * Fix CVE-2024-2756: Due to an incomplete fix to CVE-2022-31629, network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications. * Fix CVE-2024-3096: If a password stored with password_hash starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true. * d/p/CVE-2023-3823.patch: Also backport upstream commit 62228a25685 (a no-op on Linux.) -- Guilhem Moulin Tue, 07 May 2024 02:47:26 +0200 php7.3 (7.3.31-1~deb10u5) buster-security; urgency=high * Non-maintainer upload by the LTS Security Team. * Fix CVE-2023-3823: Security issue with external entity loading in XML without enabling it. * Fix CVE-2023-3824: Buffer overflow and overread in phar_dir_read(). -- Guilhem Moulin Mon, 04 Sep 2023 23:49:25 +0200 php7.3 (7.3.31-1~deb10u4) buster-security; urgency=high * Non-maintainer upload by the LTS Security Team. * CVE-2023-3247: Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP. -- Guilhem Moulin Mon, 19 Jun 2023 21:10:11 +0200 php7.3 (7.3.31-1~deb10u3) buster-security; urgency=high * Non-maintainer upload by the LTS Security Team. * CVE-2022-31631: Uncaught integer overflow. * CVE-2023-0567: Malformatted BCrypt hashes that include a `$` within their salt part trigger a buffer overread and may erroneously validate any password as valid (closes: #1031368). * CVE-2023-0568: 1-byte array overrun in common path resolve code (closes: #1031368). * CVE-2023-0662: DoS vulnerability when parsing multipart request body (closes: #1031368). -- Guilhem Moulin Sun, 26 Feb 2023 14:00:55 +0100 php7.3 (7.3.31-1~deb10u2) buster-security; urgency=medium * Non-maintainer upload by the LTS Team. * CVE-2021-21707: invalid parsing of encoded null character. * CVE-2022-31625: invalid free in posgresql extension. * CVE-2022-31626: buffer overflow in mysqlnd driver. * CVE-2022-31628: infinite loop in the phar uncompressor. * CVE-2022-31629: secure cookie poisoning. * CVE-2022-37454: buffer overflow in Keccak XKCP SHA-3. -- Emilio Pozuelo Monfort Thu, 15 Dec 2022 10:39:10 +0100 php7.3 (7.3.31-1~deb10u1) buster-security; urgency=medium * New upstream version 7.3.31 + CVE-2021-21706: ZipArchive::extractTo extracts outside of destination. * Backported from 7.4.25 + CVE-2021-21703: PHP-FPM oob R/W in root process leading to privilege escalation. -- Ondřej Surý Sun, 24 Oct 2021 17:18:08 +0200 php7.3 (7.3.29-1~deb10u1) buster-security; urgency=medium * New upstream version 7.3.29 + CVE-2021-21705: SSRF bypass in FILTER_VALIDATE_URL + CVE-2021-21704: Stack buffer overflow in firebird_info_cb + CVE-2021-21704: SIGSEGV in firebird_handle_doer + CVE-2021-21704: SIGSEGV in firebird_stmt_execute + CVE-2021-21704: Crash while parsing blob data in firebird_fetch_blob -- Ondřej Surý Fri, 02 Jul 2021 06:04:33 +0200 php7.3 (7.3.27-1~deb10u1) buster-security; urgency=medium [ Ondřej Surý ] * New upstream version 7.3.27 + Fixed bug #80672 (Null Dereference in SoapClient). (CVE-2021-21702) * New upstream version 7.3.26 + Fixed bug #77423 (FILTER_VALIDATE_URL accepts URLs with invalid userinfo). (CVE-2020-7071) * New upstream version 7.3.23 + Fixed bug #79699 (PHP parses encoded cookie names so malicious `__Host-` cookies can be sent). (CVE-2020-7070) + Fixed bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV). (CVE-2020-7069) * New upstream version 7.3.21 + Fixed bug #79797 (Use of freed hash key in the phar_parse_zipfile function). (CVE-2020-7068) * Disable the MySQL extension testing as it's too complicated and prone to breakages * In phpize, copy the foreign files from their respective packages (libtool, pkg-config, shtool, pkg.m4) instead of having a built-time copy in the package [ Pino Toscano ] * Disable AppArmor support on non-Linux archs (Closes: #951857) * Enable systemd integration only on Linux archs (Closes: #951834) -- Ondřej Surý Sat, 13 Feb 2021 17:31:40 +0100 php7.3 (7.3.19-1~deb10u1) buster-security; urgency=high * New upstream version 7.3.15 + Fixed bug #79082 (Files added to tar with Phar::buildFromIterator have all-access permissions). (CVE-2020-7063) + Fixed bug #79171 (heap-buffer-overflow in phar_extract_file). (CVE-2020-7061) + Fixed bug #79221 (Null Pointer Dereference in PHP Session Upload Progress). (CVE-2020-7062) * New upstream version 7.3.16 + Fixed bug #79371 (mb_strtolower (UTF-32LE): stack-buffer-overflow at php_unicode_tolower_full). (CVE-2020-7065) + Fixed bug #79329 (get_headers() silently truncates after a null byte). (CVE-2020-7066) * New upstream version 7.3.17 + Fixed bug #79465 (OOB Read in urldecode()). (CVE-2020-7067) * New upstream version 7.3.18 + Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned). (CVE-2019-11048) + Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp files are not cleaned). (CVE-2019-11048) * New upstream version 7.3.19 * php-fpm has to depend on procps due kill usage in systemd service file (Closes: #861855) -- Ondřej Surý Sun, 05 Jul 2020 08:46:45 +0200 php7.3 (7.3.14-1~deb10u1) buster-security; urgency=medium * New upstream version 7.3.14 * Disable MySQL X Plugin in the tests * Use mysqld --initialize-insecure for MySQL 8.0 (for Ubuntu 19.10) * Remove --skip-grant-tables to fix FTBFS with MySQL 8.0 * Remove --without-mysqlx from MySQL 5.7 -- Ondřej Surý Sun, 16 Feb 2020 16:07:23 +0100 php7.3 (7.3.11-1~deb10u1) buster-security; urgency=medium * New upstream version 7.3.11 -- Ondřej Surý Sat, 26 Oct 2019 16:14:18 +0200 php7.3 (7.3.9-1~deb10u1) buster-security; urgency=high * New upstream version 7.3.9 * php7.3-curl: Add Breaks against php7.0-curl for smoother upgrades from stretch. (Closes: #929689) -- Ondřej Surý Wed, 18 Sep 2019 12:33:23 +0200 php7.3 (7.3.4-2) unstable; urgency=medium [Andreas Beckmann] * php7.3-common: Add Breaks against php7.0-curl for smoother upgrades from stretch. (Closes: #925106) * php7.3-common: Add Breaks against gforge-common from jessie which uses a deprecated constructor syntax. * Deterministically generate debian/control by sorting the extension packages. -- Ondřej Surý Sat, 13 Apr 2019 19:05:48 +0000 php7.3 (7.3.4-1) unstable; urgency=medium * Update d/watch for new php.net pages * New upstream version 7.3.4 * Enforce C++11 for intl compilation on older distributions -- Ondřej Surý Wed, 10 Apr 2019 06:55:43 +0000 php7.3 (7.3.3-1) unstable; urgency=medium * New upstream version 7.3.3 * Update systzdata patch to v18 (Courtesy of RemiRepo) * Add patch for OpenSSL 1.1.1b (Courtesy of RemiRepo) -- Ondřej Surý Thu, 07 Mar 2019 19:43:34 +0000 php7.3 (7.3.2-3) unstable; urgency=medium * Update systzdata patch to v17 (Courtesy of remirepo) -- Ondřej Surý Fri, 08 Feb 2019 15:05:54 +0000 php7.3 (7.3.2-2) unstable; urgency=medium * Fix the icu patch condition for icu >= 60 -- Ondřej Surý Fri, 08 Feb 2019 10:49:26 +0000 php7.3 (7.3.2-1) unstable; urgency=medium * New upstream version 7.3.2 -- Ondřej Surý Thu, 07 Feb 2019 17:58:05 +0000 php7.3 (7.3.1-3) unstable; urgency=medium * Always build spoofchecker, because we are enforcing icu >= 50.1 (Closes: #921199) -- Ondřej Surý Tue, 05 Feb 2019 10:25:33 +0000 php7.3 (7.3.1-2) unstable; urgency=high * Add patch to use pkg-config instead of icu-config to detect icu libraries (Closes: #916110) -- Ondřej Surý Mon, 21 Jan 2019 09:09:55 +0000 php7.3 (7.3.1-1) unstable; urgency=medium * New upstream version 7.3.1 -- Ondřej Surý Sun, 13 Jan 2019 10:13:20 +0000 php7.3 (7.3.0-2) unstable; urgency=medium * Add upstream patch to fix OPcache optimization problem for ArrayAccess->offsetGet * Add upstream patch to fix infinite loop in preg_replace_callback * Fix check for rl_completion_matches in readline extension -- Ondřej Surý Mon, 17 Dec 2018 09:51:53 +0000 php7.3 (7.3.0-1) unstable; urgency=medium * Update d/watch for the final PHP 7.3.0 release * New upstream version 7.3.0 -- Ondřej Surý Thu, 06 Dec 2018 20:22:15 +0000 php7.3 (7.3.0~rc6-1) unstable; urgency=medium * New upstream version 7.3.0~rc6 -- Ondřej Surý Sun, 25 Nov 2018 10:01:25 +0000 php7.3 (7.3.0~rc5-2) unstable; urgency=medium * Don't use sed found by configure, use the sed command as available in the host system (Closes: #913620) -- Ondřej Surý Tue, 13 Nov 2018 09:10:56 +0000 php7.3 (7.3.0~rc5-1) unstable; urgency=medium * New upstream version 7.3.0~rc5 * Enable lmdb support in dba extension -- Ondřej Surý Mon, 12 Nov 2018 09:54:24 +0000 php7.3 (7.3.0~rc4-2) unstable; urgency=medium * Restore correct patch name for 0040-Add-patch-to-install-php7-module-directly-to-APXS_LI.patch -- Ondřej Surý Sun, 04 Nov 2018 04:54:20 +0000 php7.3 (7.3.0~rc4-1) unstable; urgency=medium * New upstream version 7.3.0~rc4 * Rebase patches for PHP 7.4.0~rc4 -- Ondřej Surý Thu, 25 Oct 2018 08:57:33 +0000 php7.3 (7.3.0~rc3-3) unstable; urgency=medium * Add patch to use pkg-config for FreeType2 library detection (Closes: #911460) * Remove libmcrypt-dev from Build-Depends -- Ondřej Surý Thu, 25 Oct 2018 06:39:32 +0000 php7.3 (7.3.0~rc3-2) unstable; urgency=medium * Disable the enabled modules in prerm, because in postrm the phpquery script is not aware of already removed sapi (Closes: #911018) -- Ondřej Surý Mon, 15 Oct 2018 09:53:04 +0000 php7.3 (7.3.0~rc3-1) unstable; urgency=medium * New upstream version 7.3.0~rc3 * Rebase patches for PHP 7.3.0~rc3 -- Ondřej Surý Sat, 13 Oct 2018 13:47:36 +0000 php7.3 (7.3.0~rc2-3) unstable; urgency=medium * Remove ancient mv_conffile (from php5) * Remove spurious L from phpize script (Closes: #909110) * Downgrade dh-php from Recommends to Suggests (Closes: #910620) -- Ondřej Surý Tue, 09 Oct 2018 13:22:52 +0000 php7.3 (7.3.0~rc2-2) unstable; urgency=medium * Fix the Vcs-* links * Apply upstream patch to allow disabling pcre jit and disable it on mips and s390x archs * Extra 'L' is gone (Closes: #909110) -- Ondřej Surý Thu, 04 Oct 2018 14:25:15 +0000 php7.3 (7.3.0~rc2-1) unstable; urgency=medium * New upstream version 7.3.0~rc2 * Rebase patches for PHP 7.3.0~rc2 -- Ondřej Surý Mon, 01 Oct 2018 11:42:35 +0000 php7.3 (7.3.0~beta2-3) unstable; urgency=medium * Disable assembly code with gcc 4.8 on i386 -- Ondřej Surý Mon, 20 Aug 2018 08:07:58 +0000 php7.3 (7.3.0~beta2-2) unstable; urgency=medium * Remove dependency on pcre3 and add libpcre2-dev to phpX.Y-dev -- Ondřej Surý Sun, 19 Aug 2018 16:12:50 +0000 php7.3 (7.3.0~beta2-1) unstable; urgency=medium * New upstream version 7.3.0~beta2 * Rebase patches for PHP 7.3.0~beta2 * Fix phpdbg.1 installation path from srcdir to builddir * Bump d/phpapi to 20180731 -- Ondřej Surý Sun, 19 Aug 2018 07:49:10 +0000 php7.3 (7.3.0~beta1-1) unstable; urgency=medium [ Lior Kaplan ] * Fix syntax typo [ Ondřej Surý ] * New upstream version 7.3.0~beta1 * Rebase patches for PHP 7.3.0beta1 -- Ondřej Surý Fri, 03 Aug 2018 13:52:09 +0000 php7.3 (7.3.0~alpha4-1) unstable; urgency=medium * Use cpuid.h instead of custom assembler * New upstream version 7.3.0~alpha4 * Rebase patches for PHP 7.3.0~alpha4 -- Ondřej Surý Wed, 25 Jul 2018 11:11:09 +0000 php7.3 (7.3.0~alpha3-2) unstable; urgency=medium * Remove traces of ext_skel modifications * Add profile to all default-mysql-server alternatives * Bump d/phpapi for PHP 7.3 * Add libargon2-dev as new alternative build-dependency to libargon2-0-dev -- Ondřej Surý Sat, 14 Jul 2018 13:57:34 +0000 php7.3 (7.3.0~alpha3-1) unstable; urgency=medium * Update upstream signing-key.asc for PHP 7.3 * New upstream version 7.3.0~alpha3 * Build-Depend on libpcre2-dev * Rebase patches for PHP 7.3.0~alpha3 -- Ondřej Surý Mon, 09 Jul 2018 13:49:59 +0000 php7.2 (7.2.7-2) unstable; urgency=medium * Update the maintainer email to team+pkg-php@tracker.debian.org * Update the Vcs-* links to salsa.d.o -- Ondřej Surý Mon, 09 Jul 2018 12:28:45 +0000 php7.2 (7.2.7-1) unstable; urgency=medium * New upstream version 7.2.7 * Refresh patches for PHP 7.2.7 -- Ondřej Surý Fri, 22 Jun 2018 07:35:11 +0000 php7.2 (7.2.6-1) unstable; urgency=medium * New upstream version 7.2.6 * Rebase patches for PHP version 7.2.6 -- Ondřej Surý Mon, 11 Jun 2018 14:54:56 +0000 php7.2 (7.2.5-1) unstable; urgency=medium * New upstream version 7.2.5 * Rebase patches for PHP 7.2.5 -- Ondřej Surý Sat, 05 May 2018 04:56:32 +0000 php7.2 (7.2.4-1) unstable; urgency=medium * New upstream version 7.2.4 * Rebase patches on top of new upstream release. -- Ondřej Surý Thu, 05 Apr 2018 08:50:27 +0000 php7.2 (7.2.3-1) unstable; urgency=medium * New upstream version 7.2.3 * Rebase patches on top of new upstream release. -- Ondřej Surý Tue, 06 Mar 2018 11:15:04 +0000 php7.2 (7.2.2-3) unstable; urgency=medium * Add explicit libpcre3 >= 2:8.35 dependency as dh_genshlibs is failing to add versioned dependency for some reason. -- Ondřej Surý Tue, 06 Feb 2018 16:07:40 +0000 php7.2 (7.2.2-2) unstable; urgency=medium * Remove explicit libpcre3 dependency and let dh_genshlibs do its magic -- Ondřej Surý Tue, 06 Feb 2018 13:00:04 +0000 php7.2 (7.2.2-1) unstable; urgency=medium * New upstream version 7.2.2 * Rebase patches on top of new upstream release * Regenerate d/control to finish php7.2-sodium removal -- Ondřej Surý Thu, 01 Feb 2018 15:19:04 +0000 php7.2 (7.2.1-1) unstable; urgency=medium * Update the Vcs-* to salsa.d.o * Slightly update debian/copyright (most changes were already in) * New upstream version 7.2.1 * Rebase patches on top of new upstream release -- Ondřej Surý Fri, 05 Jan 2018 11:21:04 +0000 php7.2 (7.2.0-2) unstable; urgency=medium * Get rid of extra php7.2-sodium module -- Ondřej Surý Wed, 06 Dec 2017 14:15:47 +0000 php7.2 (7.2.0-1) unstable; urgency=low * Update PHP 7.2 signing keys * New upstream version 7.2.0 * Rebase patches for new upstream release. -- Ondřej Surý Thu, 30 Nov 2017 13:55:57 +0000 php7.2 (7.2.0~rc6-1) unstable; urgency=medium * New upstream version 7.2.0~rc6 * Rebase patches for new upstream version. -- Ondřej Surý Sun, 12 Nov 2017 03:30:05 +0000 php7.2 (7.2.0~rc5-1) unstable; urgency=medium * New upstream version 7.2.0~rc5 * Rebase patches for new upstream release -- Ondřej Surý Fri, 27 Oct 2017 13:33:55 +0000 php7.2 (7.2.0~rc4-2) unstable; urgency=medium * Fix the usage of internal allocator in xmlrpc extension -- Ondřej Surý Tue, 24 Oct 2017 18:54:46 +0000 php7.2 (7.2.0~rc4-1) unstable; urgency=medium * New upstream version 7.2.0~rc4 * Rebase patches on top of new upstream version 7.2.0~rc4 -- Ondřej Surý Sun, 22 Oct 2017 13:07:11 +0000 php7.2 (7.2.0~rc3-1) unstable; urgency=medium * New upstream version 7.2.0~rc3 * Refresh patches for PHP 7.2.0~rc3 -- Ondřej Surý Thu, 28 Sep 2017 18:26:49 +0200 php7.2 (7.2.0~rc2-1) unstable; urgency=medium * New upstream version 7.2.0~rc2 * Rebase patches on top of PHP 7.2.0~rc2 -- Ondřej Surý Mon, 18 Sep 2017 11:24:14 +0200 php7.2 (7.2.0~rc1-1) unstable; urgency=medium * New upstream version 7.2.0~rc1 * Rebase patches on top of PHP 7.2.0~rc1 * Update d/copyright (License check courtesy of Luca Falavigna) * Rewrap the files in d/ with wrap-and-sort -a -- Ondřej Surý Thu, 31 Aug 2017 14:00:16 +0200 php7.2 (7.2.0~beta3-2) unstable; urgency=medium * Enable Argon2 support for password hashing functions * Enable shared libsodium extension -- Ondřej Surý Fri, 25 Aug 2017 11:35:23 +0200 php7.2 (7.2.0~beta3-1) unstable; urgency=medium * Allow libgcrypt11-dev when it's not a transitional package * New upstream version 7.2.0~beta3 * Refresh patches on top of PHP 7.2.0~beta3 -- Ondřej Surý Fri, 18 Aug 2017 15:00:36 +0200 php7.2 (7.2.0~beta2-2) experimental; urgency=medium * Update Vcs-* links to https://gitlab.com/deb.sury.org/... * Stop depending on obsolete automake1.11 * Switch build-depends to libgcrypt20-dev -- Ondřej Surý Fri, 04 Aug 2017 11:56:09 +0200 php7.2 (7.2.0~beta2-1) experimental; urgency=medium * Update d/watch for PHP 7.2 * New upstream version 7.2.0~beta2 * Rebase patches for PHP 7.2.0~beta2 -- Ondřej Surý Thu, 03 Aug 2017 20:42:38 +0200 php7.2 (7.2.0~beta1-1) experimental; urgency=medium * New upstream version 7.2.0~beta1 * Enable support for libsodium crypto * Rebase patches on top of PHP 7.2.0~beta1 * Update phpapi for PHP 7.2 to 20170718 -- Ondřej Surý Thu, 27 Jul 2017 13:29:34 +0200 php7.2 (7.2.0~alpha3-1) experimental; urgency=medium * New upstream version 7.2.0~alpha3 * Rebase patches on top of PHP 7.2.0~alpha3 * Update d/rules with configure.in -> configure.ac rename * Remove mcrypt extension that has been removed upstream * Update phpapi to 20160731 -- Ondřej Surý Thu, 06 Jul 2017 13:50:44 +0200