Please merge php7.0 7.0.12-2 from Debian unstable
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| php7.0 (Ubuntu) | Fix Released | Undecided | Nish Aravamudan | |
Bug Description
php7.0 (7.0.12-2ubuntu1) zesty; urgency=medium

  * Merge with Debian unstable (LP: #1641211). Remaining changes:
    - Drop dh-php from Recommends to Suggests so it can be demoted to
      universe (LP #1590623).
      + dh-php has gained a dependency on xml2 which is in universe.
  * Drop:
    - SECURITY UPDATE: proxy request header vulnerability (httpoxy)
      + debian/patches/CVE-2016-5385.patch: only use HTTP_PROXY from the
        local environment in ext/standard/basic_functions.c, main/SAPI.c,
        main/php_variables.c.
      + CVE-2016-5385
      [ Fixed upstream in 7.0.9 ]
    - SECURITY UPDATE: inadequate error handling in bzread()
      + debian/patches/CVE-2016-5399.patch: do not allow reading past error
        read in ext/bz2/bz2.c.
      + CVE-2016-5399
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: integer overflow in the virtual_file_ex function
      + debian/patches/CVE-2016-6289.patch: properly check path_length in
        Zend/zend_virtual_cwd.c.
      + CVE-2016-6289
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: use after free in unserialize() with unexpected
      session deserialization
      + debian/patches/CVE-2016-6290.patch: destroy var_hash properly in
        ext/session/session.c, added test to ext/session/tests/bug72562.phpt.
      + CVE-2016-6290
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: out of bounds read in exif_process_IFD_in_MAKERNOTE
      + debian/patches/CVE-2016-6291.patch: add more bounds checks to
        ext/exif/exif.c.
      + CVE-2016-6291
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: NULL pointer dereference in exif_process_user_comment
      + debian/patches/CVE-2016-6292.patch: properly handle encoding in
        ext/exif/exif.c.
      + CVE-2016-6292
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: locale_accept_from_http out-of-bounds access
      + debian/patches/CVE-2016-6294.patch: check length in
        ext/intl/locale/locale_methods.c, added test to
        ext/intl/tests/bug72533.phpt.
      + CVE-2016-6294
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: use after free vulnerability in SNMP with GC and
      unserialize()
      + debian/patches/CVE-2016-6295.patch: add new handler to
        ext/snmp/snmp.c, add test to ext/snmp/tests/bug72479.phpt.
      + CVE-2016-6295
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: heap buffer overflow in simplestring_addn
      + debian/patches/CVE-2016-6296.patch: prevent overflows in
        ext/xmlrpc/libxmlrpc/simplestring.*.
      + CVE-2016-6296
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: integer overflow in php_stream_zip_opener
      + debian/patches/CVE-2016-6297.patch: use size_t in
        ext/zip/zip_stream.c.
      + CVE-2016-6297
      [ Fixed upstream in 7.0.10 ]
    - debian/patches/fix_exif_tests.patch: fix exif test results after
      security changes.
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: denial of service or code execution via crafted
      serialized data
      + debian/patches/CVE-2016-7124.patch: fix unserializing logic in
      + CVE-2016-7124
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: arbitrary-type session data injection
      + debian/
        in ext/session/
      + CVE-2016-7125
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution in
      imagegamm
      + debian/
      + CVE-2016-7127
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: information disclosure via exif_process_
      + debian/
      + CVE-2016-7128
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      invalid ISO 8601 time value
      + debian/
      + CVE-2016-7129
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      invalid base64 binary value
      + debian/
      + CVE-2016-7130
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      malformed wddxPacket XML document
      + debian/
        added tests to ext/wddx/tests/bug72790.phpt,
      + CVE-2016-7131
      + CVE-2016-7132
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      long pathname
      + debian/
      + CVE-2016-7133
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      long string and curl_escape call
      + debian/
      + CVE-2016-7134
      [ Fixed upstream in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      crafted field metadata in MySQL driver
      + debian/
      + CVE-2016-7412
      [ Fixed upstream in 7.0.11 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      malformed wddxPacket XML document
      + debian/
      + CVE-2016-7413
      [ Fixed upstream in 7.0.11 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      crafted PHAR archive
      + debian/
      + CVE-2016-7414
      [ Fixed upstream in 7.0.11 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      MessageFo
      + debian/
      + CVE-2016-7416
      [ Fixed upstream in 7.0.11 ]
    - SECURITY UPDATE: denial of service or code execution via crafted
      serialized data
      + debian/
        test in ext/spl/tests/bug70068.phpt.
      + CVE-2016-7417
      [ Fixed upstream in 7.0.11 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      malformed wddxPacket XML document
      + debian/
      + CVE-2016-7418
      [ Fixed upstream in 7.0.11 ]
| Changed in php7.0 (Ubuntu) | |
|---|---|
| status: | New → In Progress |
| assignee: | nobody → Nish Aravamudan (nacc) |
This bug was fixed in the package php7.0 - 7.0.12-2ubuntu1