--- php5-5.3.2.orig/debian/libapache2-mod-php5.conf
+++ php5-5.3.2/debian/libapache2-mod-php5.conf
@@ -0,0 +1,16 @@
+
+
+ SetHandler application/x-httpd-php
+
+
+ SetHandler application/x-httpd-php-source
+
+ # To re-enable php in user directories comment the following lines
+ # (from to .) Do NOT set it to On as it
+ # prevents .htaccess files from disabling it.
+
+
+ php_admin_value engine Off
+
+
+
--- php5-5.3.2.orig/debian/control
+++ php5-5.3.2/debian/control
@@ -0,0 +1,430 @@
+Source: php5
+Section: php
+Priority: optional
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian PHP Maintainers
+Uploaders: Ondřej Surý ,
+ Sean Finney ,
+ Thijs Kinkhorst ,
+ Raphael Geissert
+Build-Depends: apache2-prefork-dev,
+ autoconf (>= 2.63),
+ automake (>= 1.11) | automake1.11,
+ bison,
+ chrpath,
+ debhelper (>= 5),
+ flex,
+ freetds-dev,
+ hardening-wrapper,
+ libapr1-dev (>= 1.2.7-8),
+ libbz2-dev,
+ libcurl4-openssl-dev,
+ libdb-dev (>= 4.7) | libdb4.8-dev | libdb4.6-dev,
+ libenchant-dev,
+ libexpat1-dev (>= 1.95.2-2.1),
+ libfreetype6-dev,
+ libgcrypt11-dev,
+ libgd2-xpm-dev,
+ libglib2.0-dev,
+ libgmp3-dev,
+ libicu-dev,
+ libjpeg-dev | libjpeg62-dev,
+ libkrb5-dev,
+ libldap2-dev,
+ libmhash-dev (>= 0.8.8),
+ libmysqlclient-dev,
+ libpam0g-dev,
+ libpcre3-dev (>= 6.6),
+ libpng12-dev,
+ libpq-dev,
+ libpspell-dev,
+ librecode-dev,
+ libsasl2-dev,
+ libsnmp-dev,
+ libsqlite0-dev,
+ libsqlite3-dev,
+ libssl-dev,
+ libt1-dev,
+ libtidy-dev,
+ libtool (>= 2.2),
+ libwrap0-dev,
+ libxmltok1-dev,
+ libxml2-dev,
+ libxslt1-dev (>= 1.0.18),
+ netbase,
+ quilt,
+ re2c,
+ unixodbc-dev,
+ zlib1g-dev,
+ libedit-dev,
+ tzdata
+Build-Conflicts: bind-dev
+Standards-Version: 3.8.2
+Vcs-Git: git://git.debian.org/pkg-php/php.git
+Vcs-Browser: http://git.debian.org/?p=pkg-php/php.git
+Homepage: http://www.php.net/
+
+Package: php5
+Architecture: all
+Depends: ${misc:Depends}, libapache2-mod-php5 (>= ${source:Version}) | libapache2-mod-php5filter (>= ${source:Version}) | php5-cgi (>= ${source:Version}), php5-common (>= ${source:Version})
+Description: server-side, HTML-embedded scripting language (metapackage)
+ This package is a metapackage that, when installed, guarantees that you
+ have at least one of the three server-side versions of the PHP5 interpreter
+ installed. Removing this package won't remove PHP5 from your system, however
+ it may remove other packages that depend on this one.
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: php5-common
+Architecture: any
+Depends: ${misc:Depends}, sed (>= 4.1.1-1), ${shlibs:Depends}
+Suggests: php5-suhosin
+Provides: php5-json, php5-mhash
+Conflicts: php5-json, php5-mhash
+Description: Common files for packages built from the php5 source
+ This package contains the documentation and example files relevant to all
+ the other packages built from the php5 source.
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: libapache2-mod-php5
+Section: httpd
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, mime-support, ${apache2:Depends}, php5-common (= ${binary:Version}), libmagic1, ucf, tzdata
+Conflicts: libapache2-mod-php4, libapache2-mod-php5filter
+Provides: ${php:Provides}
+Suggests: php-pear
+Description: server-side, HTML-embedded scripting language (Apache 2 module)
+ This package provides the PHP5 module for the Apache 2 webserver (as
+ found in the apache2-mpm-prefork package). Please note that this package
+ ONLY works with Apache's prefork MPM, as it is not compiled thread-safe.
+ .
+ ${php:Extensions}
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: libapache2-mod-php5filter
+Section: httpd
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, mime-support, ${apache2:Depends}, php5-common (= ${binary:Version}), libmagic1, ucf, tzdata
+Conflicts: libapache2-mod-php4, libapache2-mod-php5
+Provides: ${php:Provides}
+Suggests: php-pear
+Description: server-side, HTML-embedded scripting language (apache 2 filter module)
+ This package provides the PHP5 Filter module for the Apache 2 webserver (as
+ found in the apache2-mpm-prefork package). Please note that this package
+ ONLY works with Apache's prefork MPM, as it is not compiled thread-safe.
+ .
+ Unless you specifically need filter-module support, you most likely
+ should instead install libapache2-mod-php5.
+ .
+ ${php:Extensions}
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: php5-cgi
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, mime-support, php5-common (= ${binary:Version}), libmagic1, ucf, tzdata
+Provides: ${php:Provides}
+Suggests: php-pear
+Description: server-side, HTML-embedded scripting language (CGI binary)
+ This package provides the /usr/lib/cgi-bin/php5 CGI interpreter built
+ for use in Apache 2 with mod_actions, or any other CGI httpd that
+ supports a similar mechanism. Note that MOST Apache users probably
+ want the libapache2-mod-php5 package.
+ .
+ ${php:Extensions}
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: php5-cli
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, mime-support, php5-common (= ${binary:Version}), libmagic1, ucf, tzdata
+Provides: ${php:Provides}
+Suggests: php-pear
+Description: command-line interpreter for the php5 scripting language
+ This package provides the /usr/bin/php5 command interpreter, useful for
+ testing PHP scripts from a shell or performing general shell scripting tasks.
+ .
+ ${php:Extensions}
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: php5-dev
+Depends: ${misc:Depends}, autoconf (>= 2.63), automake (>= 1.11), libssl-dev, libtool (>= 2.2), shtool, php5-common (>= ${binary:Version})
+Conflicts: ${libtool:Conflicts}
+Architecture: any
+Description: Files for PHP5 module development
+ This package provides the files from the PHP5 source needed for compiling
+ additional modules.
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: php5-dbg
+Depends: ${misc:Depends}, php5-common (= ${binary:Version}), libapache2-mod-php5 (= ${binary:Version}) | libapache2-mod-php5filter (= ${binary:Version}) | php5-cgi (= ${binary:Version}) | php5-cli (= ${binary:Version}) | php5-curl (= ${binary:Version}) | php5-enchant (= ${binary:Version}) | php5-gd (= ${binary:Version}) | php5-gmp (= ${binary:Version}) | php5-intl (= ${binary:Version}) | php5-ldap (= ${binary:Version}) | php5-mcrypt (= ${binary:Version}) | php5-mysql (= ${binary:Version}) | php5-odbc (= ${binary:Version}) | php5-pgsql (= ${binary:Version}) | php5-pspell (= ${binary:Version}) | php5-recode (= ${binary:Version}) | php5-snmp (= ${binary:Version}) | php5-sqlite (= ${binary:Version}) | php5-sybase (= ${binary:Version}) | php5-tidy (= ${binary:Version}) | php5-xmlrpc (= ${binary:Version}) | php5-xsl (= ${binary:Version})
+Recommends: gdb
+Section: debug
+Priority: extra
+Architecture: any
+Description: Debug symbols for PHP5
+ This package provides the debug symbols for PHP5 needed for properly
+ debugging errors in PHP5 with gdb.
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: php-pear
+Architecture: all
+Depends: ${misc:Depends}, php5-common (>= ${source:Version}), php5-cli
+Recommends: gnupg
+Conflicts: php-xml-util
+Suggests: php5-dev
+Replaces: php4-pear (<< 4:4.4.0-0), php-xml-util
+Provides: php-xml-util
+Description: PEAR - PHP Extension and Application Repository
+ This package contains the base PEAR classes for PHP, as well as the PEAR
+ installer. Many PEAR classes are already packaged for Debian, and can be
+ easily identified by names beginning with "php-", such as php-db and
+ php-auth. Note: to build and install precompiled PECL extensions, you
+ will need one of the php development packages installed.
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: php5-curl
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version})
+Description: CURL module for php5
+ CURL is a library for getting files from FTP, GOPHER, HTTP server.
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: php5-enchant
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version})
+Description: Enchant module for php5
+ This package provides a module for the generic spell checking library
+ Enchant, which can use engines such as ispell, aspell and myspells.
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: php5-gd
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version})
+Description: GD module for php5
+ This package provides a module for handling graphics directly from PHP
+ scripts. It supports the PNG, JPEG, XPM formats as well as Freetype/ttf fonts.
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: php5-gmp
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version})
+Description: GMP module for php5
+ This package provides a module for arbitrary precision arithmetic via the
+ GNU Multiple Precision (GMP) Arithmetic Library.
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: php5-intl
+Architecture: any
+Depends: ${shlibs:Depends}, ${php:Depends}, ${misc:Depends}, php5-common (= ${binary:Version})
+Description: internationalisation module for php5
+ This package provides a module to ease internationalisation of PHP scripts.
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: php5-ldap
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version})
+Replaces: libapache2-mod-php5 (<< 5.3.1-1~)
+Conflicts: libapache2-mod-php5 (<< 5.3.1-1~)
+Description: LDAP module for php5
+ This package provides a module for LDAP functions in PHP scripts.
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: php5-mysql
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version})
+Conflicts: php5-mysqli
+Replaces: php5-mysqli
+Description: MySQL module for php5
+ This package provides modules for MySQL database connections directly from
+ PHP scripts. It includes the generic "mysql" module which can be used
+ to connect to all versions of MySQL, an improved "mysqli" module for
+ MySQL version 4.1 or later, and the pdo_mysql module for use with
+ the PHP Data Object extension.
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: php5-odbc
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version})
+Description: ODBC module for php5
+ This package provides a module for database access through ODBC drivers.
+ It uses the unixODBC library as an ODBC provider. It also contains the
+ pdo_odbc module, for use with the PHP Data Object extension.
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: php5-pgsql
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version})
+Description: PostgreSQL module for php5
+ This package provides a module for PostgreSQL database connections
+ directly from PHP scripts. It also includes the pdo_pgsql module for
+ use with the PHP Data Object extension.
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: php5-pspell
+Architecture: any
+Depends: ${shlibs:Depends}, ${php:Depends}, ${misc:Depends}, php5-common (= ${binary:Version})
+Description: pspell module for php5
+ This package provides a module for pspell functions in PHP scripts.
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: php5-recode
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version})
+Description: recode module for php5
+ This package provides a module for recode - character set recoding.
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: php5-snmp
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version})
+Description: SNMP module for php5
+ This package provides a module for SNMP functions in PHP scripts.
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: php5-sqlite
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version})
+Description: SQLite module for php5
+ This package provides a module allowing you to use the SQLite self-contained
+ database engine from within your PHP scripts, eliminating the need for a full
+ SQL server installation like MySQL or PostgreSQL. It also includes the
+ pdo_sqlite module, for use with the PHP Data Object extension.
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: php5-sybase
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version})
+Provides: php5-mssql
+Description: Sybase / MS SQL Server module for php5
+ This package provides a module for Sybase and Microsoft SQL Server
+ database connections directly from PHP scripts. It also includes the
+ pdo_dblib module for use with the PHP Data Object extension.
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: php5-tidy
+Architecture: any
+Depends: ${shlibs:Depends}, ${php:Depends}, ${misc:Depends}, php5-common (= ${binary:Version})
+Description: tidy module for php5
+ This package provides a module for tidy functions in PHP scripts.
+ .
+ Tidy is an extension based on Libtidy (http://tidy.sf.net/) and allows
+ a PHP developer to clean, repair, and traverse HTML, XHTML, and XML
+ documents -- including ones with embedded scripting languages such as PHP
+ or ASP within them using OO constructs.
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: php5-xmlrpc
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version})
+Description: XML-RPC module for php5
+ This package provides a module for XML-RPC functions in PHP scripts.
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
+
+Package: php5-xsl
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, ${php:Depends}, php5-common (= ${binary:Version})
+Description: XSL module for php5
+ This package provides a module for XSL using the libxslt XSL parser.
+ .
+ PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
+ from C, Java and Perl with a couple of unique PHP-specific features thrown
+ in. The goal of the language is to allow web developers to write dynamically
+ generated pages quickly. This version of PHP5 was built with the Suhosin patch.
--- php5-5.3.2.orig/debian/php5.lintian-overrides
+++ php5-5.3.2/debian/php5.lintian-overrides
@@ -0,0 +1,2 @@
+php5-common: non-standard-dir-perm var/lib/php5/ 1733 != 0755
+php5-common: package-contains-empty-directory usr/lib/php5/libexec/
--- php5-5.3.2.orig/debian/php5-common.README.Debian
+++ php5-5.3.2/debian/php5-common.README.Debian
@@ -0,0 +1,148 @@
+Table of Contents:
+---------------------------------------------------------------------
+* Using php5 with threaded webservers (eg. apache2-mpm-worker, caudium)
+* Problems starting apache2 with php5
+* Session storage
+* Other caveats
+* php5-cgi and apache2
+* Restarting your web server after installing modules
+* Configuration layout
+* Timezone data from system timezone database
+* Further documentation, errata, etc
+
+
+Using php5 with threaded webservers (eg. apache2-mpm-worker, caudium)
+---------------------------------------------------------------------
+
+ After much back-and-forth with upstream (and even building our
+ packages thread-safe for a while), we're currently admitting defeat
+ on that front, and are NOT building any thread-safe versions of
+ PHP for any webservers. Our recommendation is that, if you need
+ to use a threaded webserver, you should use php5-cgi in either
+ 'normal' CGI mode, or in FastCGI mode.
+
+Adam Conrad Sun, 06 Feb 2005 08:24:56 -0700
+
+
+Problems starting apache2 with php5
+----------------------------------
+
+ At the time of writing, there are no *known* incompatibilities
+ between any of the php5 modules we ship. However, there have been
+ many bug reports in the past due to dynamically-loaded extensions,
+ and it's possible there are still bugs in the released packages. If
+ Apache fails to start after you install php5, check your list of
+ enabled extensions at the bottom of /etc/php5/apache2/php.ini (and in
+ the per-sapi configuration directory), and try commenting out or
+ reordering the extensions until you find a combination that works.
+
+ For example, in the past the mhash extension was incompatible with
+ some other common extensions. To work around this, you could list
+ the mhash extension first in php.ini.
+
+ If you find an extension-related bug in the Debian packages, and you
+ are willing to help debug the problem, please send us a bug report
+ that lists all enabled PHP5 extensions (extension=), in the order
+ in which they appear in php.ini, as well as all enabled Apache modules
+ (LoadModule), with version numbers where possible.
+
+Steve Langasek Fri, 26 Apr 2002 13:39:00 -0500
+
+
+Session storage
+---------------
+
+ Session files are stored in /var/lib/php5. For security purposes, this
+ directory is unreadable by non-root users. This means that php5 running
+ from apache2, for example, will not be able to clean up stale session
+ files. Instead, we have a cron job run every 30 mins that cleans up
+ stale session files; /etc/cron.d/php5. You may need to modify how
+ often this runs, if you've modified session.gc_maxlifetime in your
+ php.ini; otherwise, it may be too lax or overly aggressive in cleaning
+ out stale session files.
+
+Andres Salomon Fri, 03 Sep 2004 03:12:54 -0400
+
+
+Other caveats
+-------------
+
+ * extension_dir and include_path should be commented out, if you don't need
+ special settings for them so php will look in compiled-in paths. If you set
+ them, you should also add appropriate php install directories there.
+
+php5-cgi and apache2
+---------------------------
+
+In 99% of cases, what you probably want isn't php5-cgi at all, but rather
+the libapache2-mod-php5 package, which will configure itself on
+installation and Just Work(tm). If, however, you have a need to use
+the CGI version of php5 with apache2, the following should help
+get you going, though there are dozens of different ways to do this.
+
+Please note that this process will never be made automatic, as php5-cgi
+is meant to be a webserver-agnostic package that can be used with any
+httpd, and we don't want it to conflict with the httpd-specific packages
+such as libapache2-mod-php5. If both were installed side-by-side and both
+were automatically enabled, the results would be a bit confusing, obviously.
+
+To use php5-cgi with apache2
+ 1) activate CGI (it's on by default in default debian setups)
+ a) If using the prefork MPM, use 'a2enmod cgi'
+ b) If using a threaded MPM, use 'a2enmod cgid'
+ 2) activate mod_actions (a2enmod actions)
+ 3) Add the following to a config snippet in /etc/apache2/conf.d
+
+ Action application/x-httpd-php /cgi-bin/php5
+
+
+Adam Conrad Sat, 04 Sep 2004 23:04:26 -0600
+
+Configuration Layout
+---------------------------------------------------------------------
+
+Each of the 3 SAPI's (apache2/cgi/cli) have a different
+central configuration file /etc/php5/$SAPI/php.ini.
+
+Additionally, each SAPI is configured with the compile-time option
+
+ --with-config-file-scan-dir=/etc/php5/$SAPI/conf.d
+
+which for all SAPI's is actually a symlink pointing to a central
+directory /etc/php5/conf.d. Any file found in this directory ending
+in .ini will be treated as a configuration file by the php SAPI.
+
+The rationale with this method is that each SAPI can thus be
+identically configured with a minimal amount of conffile handling,
+but at the same time if you want to have SAPI-specific configuration,
+you can just remove the symlink.
+
+sean finney Thu, 19 Oct 2006 23:33:05 +0200
+
+Timezone data from system timezone database
+---------------------------------------------------------------------
+
+Debian PHP has been patched to use of the system wide timezone database
+from the tzdata package, making sure any updates there are automatically
+used by PHP aswell.
+
+Note that this requires that the PHP process has access to /etc/localtime
+and /usr/share/zoneinfo. For any regular installation this should be the
+case, but in specific secured environments when reading the timezone
+database is impossible PHP will give a "Timezone database is corrupt -
+this should *never* happen!" error.
+
+Thijs Kinkhorst Wed, 23 Jul 2008 17:42:06 +0200
+
+Further documentation, errata, etc
+---------------------------------------------------------------------
+
+Errata and other general information about PHP in Debian can be found
+in the debian wiki at:
+
+ http://wiki.debian.org/PHP
+
+If after reading the documentation in this file you still have unanswered
+questions, that's a good next place to go.
+
+sean finney Thu, 19 Oct 2006 22:57:52 +0200
--- php5-5.3.2.orig/debian/README.source
+++ php5-5.3.2/debian/README.source
@@ -0,0 +1,51 @@
+ == Generation of the php5-dbg package Depends ==
+
+The following command can be used to generate a heuristic list of
+packages the php5-dbg package probably needs to Depend on:
+
+dh_testdir && egrep '^Package' debian/control | cut '-d ' -f2 | \
+ egrep -v '(^php5|dbg|dev|common|pear)$' | tr "\n" "|" | sed 's/|$//' |\
+ sed -r 's/([^|]+)(\||$)/ \1 (= ${binary:Version}) \2/g'; echo
+
+ == Used patch system ==
+
+This package uses quilt to manage all modifications to the upstream
+source. Changes are stored in the source package as diffs in
+debian/patches and applied during the build.
+
+See /usr/share/doc/quilt/README.source for a detailed explanation.
+
+ == Making some sense out of the configure options ==
+
+The COMMON_CONFIG variable contains the configure options that are to
+be used on all the SAPIs. Built-in extensions and other general options
+should be set here.
+The shared extensions are built when building the apache2 SAPI and as
+such they need to be specified there.
+The calls to configure for the other SAPIs usually only need
+--without-foo when the extension or feature is otherwise enabled by
+default.
+
+ == The *modulelist files ==
+
+When building a new module (or extension) on an individual binary
+package, it must be added to the debian/modulelist file. However, if
+the extension is to be included in an existing binary package, it
+must be added to the debian/extramodulelist file.
+
+The format of these files is:
+" "
+
+E.g. for, if we want the mysql extension to be shipped in the
+php5-mysql package we use:
+"mysql MySQL mysql"
+But we also want mysqli and the PDO in the same package, so we add the
+following lines to extramoduleslist:
+"mysql MySQLi mysqli
+mysql MySQL_PDO pdo_mysql"
+
+ == More debian/rules foo ==
+
+* The shared extensions are built under the apache2 target (see above).
+* The CLI SAPI is built on the build-cli-stamp AND build-cgi-stamp, with
+ different configure options.
--- php5-5.3.2.orig/debian/modulelist
+++ php5-5.3.2/debian/modulelist
@@ -0,0 +1,17 @@
+curl CURL
+enchant Enchant
+gd GD
+gmp GMP
+intl Internationalisation
+ldap LDAP
+mysql MySQL
+odbc ODBC
+pgsql PostgreSQL
+pspell pspell
+recode recode
+snmp SNMP
+sqlite SQLite
+sybase Sybase mssql
+tidy tidy
+xmlrpc XML-RPC
+xsl XSL
--- php5-5.3.2.orig/debian/libapache2-mod-php5.load
+++ php5-5.3.2/debian/libapache2-mod-php5.load
@@ -0,0 +1 @@
+LoadModule php5_module /usr/lib/apache2/modules/libphp5.so
--- php5-5.3.2.orig/debian/extramodulelist
+++ php5-5.3.2/debian/extramodulelist
@@ -0,0 +1,9 @@
+mysql MySQL mysqli
+mysql MySQL pdo_mysql
+interbase InterBase/Firebird pdo_firebird
+common PDO pdo
+odbc ODBC pdo_odbc
+pgsql PostgreSQL pdo_pgsql
+sqlite SQLite pdo_sqlite
+sqlite SQLite3 sqlite3
+sybase Sybase pdo_dblib
--- php5-5.3.2.orig/debian/libapache2-mod-php5filter.dirs
+++ php5-5.3.2/debian/libapache2-mod-php5filter.dirs
@@ -0,0 +1,3 @@
+/etc/apache2/mods-available
+/etc/php5/apache2filter
+/usr/lib/apache2/modules
--- php5-5.3.2.orig/debian/php5-cgi.dirs
+++ php5-5.3.2/debian/php5-cgi.dirs
@@ -0,0 +1,4 @@
+/etc/php5/cgi
+/usr/lib/cgi-bin
+/usr/bin
+/usr/share/man/man1
--- php5-5.3.2.orig/debian/libapache2-mod-php5filter.triggers
+++ php5-5.3.2/debian/libapache2-mod-php5filter.triggers
@@ -0,0 +1 @@
+interest /etc/php5/conf.d
--- php5-5.3.2.orig/debian/source_php5.py
+++ php5-5.3.2/debian/source_php5.py
@@ -0,0 +1,57 @@
+#!/usr/bin/python
+
+'''PHP5 Apport interface
+
+Copyright (C) 2010 Canonical Ltd.
+Author: Chuck Short
+
+This program is free software; you can redistribute it and/or modify it
+under the terms of the GNU General Public License as published by the
+Free Software Foundation; either version 2 of the License, or (at your
+option) any later version. See http://www.gnu.org/copyleft/gpl.html for
+the full text of the license.
+'''
+
+import os
+import subprocess
+from apport.hookutils import *
+
+def _add_my_conf_files(report, filename):
+ if not os.path.exists(filename):
+ return
+
+ key = 'PHPConf' + path_to_key(filename)
+ report[key] = ""
+ for line in read_file(filename).split('\n'):
+ try:
+ if 'mysql.default_password ' in line.split('=')[0]:
+ line = "%s = @@APPORTREPLACED@@" % (line.split('=')[0])
+ if 'mysqli.default_pw ' in line.split('=')[0]:
+ line = "%s = @@APPORTREPLACED@@" % (line.split('=')[0])
+ if 'ifx.default_password ' in line.split('=')[0]:
+ line = "%s = @@APPORTREPLACED@@" % (line.split('=')[0])
+ report[key] += line + '\n'
+ except IndexError:
+ continue
+
+def add_info(report):
+ _add_my_conf_files(report, '/etc/php5/apache2/php.ini')
+ _add_my_conf_files(report, '/etc/php5/cli/php5.ini')
+
+ # packages in main
+ packages=['php5', 'php-common', 'libapache2-mod-php5', 'libapache2-mod-php5filter'
+ 'php5-cgi', 'php5-cli', 'php5-dev', 'php5-dbg', 'php-pear', 'php5-curl', 'php5-gd'
+ 'php5-gmp', 'php5-ldap', 'php5-mhash', 'php5-mysql', 'php5-odbc', 'php5-pgsql',
+ 'php5-pspell', 'php5-recode', 'php5-snmp', 'php5-sqlite', 'php5-sybase', 'php5-tidy',
+ 'php5-xmlrpc', 'php5-xsl']
+
+ versions = ''
+ for package in packages:
+ try:
+ version = packaging.get_version(package)
+ except ValueError:
+ version = 'N/A'
+ if version is None:
+ version = 'N/A'
+ versions += '%s %s\n' %(package, version)
+ report['PHPInstalledModules'] = versions
--- php5-5.3.2.orig/debian/changelog
+++ php5-5.3.2/debian/changelog
@@ -0,0 +1,3840 @@
+php5 (5.3.2-1ubuntu4.29) lucid-security; urgency=medium
+
+ * SECURITY UPDATE: denial of service via recursion
+ - debian/patches/CVE-2014-8117.patch: lower recursion limit in
+ ext/fileinfo/libmagic/softmagic.c.
+ - CVE-2014-8117
+ * SECURITY UPDATE: denial of service or possible code execution in
+ enchant
+ - debian/patches/CVE-2014-9705.patch: handle position better in
+ ext/enchant/enchant.c.
+ - CVE-2014-9705
+ * SECURITY UPDATE: arbitrary code execution via use after free in
+ unserialize() with DateTime
+ - debian/patches/CVE-2015-0273.patch: fix use after free in
+ ext/date/php_date.c, added tests to ext/date/tests/*.phpt.
+ - CVE-2015-0273
+ * SECURITY UPDATE: denial of service or possible code execution in phar
+ - debian/patches/CVE-2015-2301.patch: fix use after free in
+ ext/phar/phar_object.c.
+ - CVE-2015-2301
+
+ -- Marc Deslauriers Mon, 16 Mar 2015 15:00:32 -0400
+
+php5 (5.3.2-1ubuntu4.28) lucid-security; urgency=medium
+
+ * SECURITY UPDATE: denial of service via buffer overflow in mkgmtime()
+ - debian/patches/CVE-2014-3668.patch: properly handle sizes in
+ ext/xmlrpc/libxmlrpc/xmlrpc.c, added test to
+ ext/xmlrpc/tests/bug68027.phpt.
+ - CVE-2014-3668
+ * SECURITY UPDATE: integer overflow in unserialize()
+ - debian/patches/CVE-2014-3669.patch: fix overflow in
+ ext/standard/var_unserializer.{c,re}, added test to
+ ext/standard/tests/serialize/bug68044.phpt.
+ - CVE-2014-3669
+ * SECURITY UPDATE: Heap corruption in exif_thumbnail()
+ - debian/patches/CVE-2014-3670.patch: fix sizes in ext/exif/exif.c.
+ - CVE-2014-3670
+ * SECURITY UPDATE: out of bounds read in elf note headers in fileinfo()
+ - debian/patches/CVE-2014-3710.patch: validate note headers in
+ ext/fileinfo/libmagic/readelf.c.
+ - CVE-2014-3710
+ * SECURITY UPDATE: local file disclosure via curl NULL byte injection
+ - debian/patches/curl_embedded_null.patch: don't accept curl options
+ with embedded NULLs in ext/curl/interface.c, added test to
+ ext/curl/tests/bug68089.phpt.
+ - No CVE number
+
+ -- Marc Deslauriers Tue, 28 Oct 2014 15:17:04 -0400
+
+php5 (5.3.2-1ubuntu4.27) lucid-security; urgency=medium
+
+ * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
+ - debian/patches/CVE-2014-3587.patch: check for array under-runs as well
+ as over-runs in ext/fileinfo/libmagic/cdf.c
+ - CVE-2014-3587
+ * SECURITY UPDATE: denial of service in dns_get_record
+ - debian/patches/CVE-2014-3597.patch: check for DNS overflows in
+ ext/standard/dns.c
+ - CVE-2014-3587
+
+ -- Seth Arnold Wed, 03 Sep 2014 23:27:31 -0700
+
+php5 (5.3.2-1ubuntu4.26) lucid-security; urgency=medium
+
+ * SECURITY UPDATE: denial of service in FileInfo cdf_read_short_sector
+ - debian/patches/CVE-2014-0207.patch: properly calculate sizes in
+ ext/fileinfo/libmagic/cdf.c.
+ - CVE-2014-0207
+ * SECURITY UPDATE: denial of service in FileInfo cdf_count_chain
+ - debian/patches/CVE-2014-3480.patch: properly calculate sizes in
+ ext/fileinfo/libmagic/cdf.c.
+ - CVE-2014-3480
+ * SECURITY UPDATE: denial of service and possible code execution via
+ unserialize() SPL type confusion
+ - debian/patches/CVE-2014-3515.patch: properly check types in
+ ext/spl/spl_array.c, ext/spl/spl_observer.c, added test to
+ ext/spl/tests/SplObjectStorage_unserialize_bad.phpt.
+ - CVE-2014-3515
+ * SECURITY UPDATE: denial of service via SPL Iterators use-after-free
+ - debian/patches/CVE-2014-4670.patch: fix use-after-free in
+ ext/spl/spl_dllist.c, added test to ext/spl/tests/bug67538.phpt.
+ - CVE-2014-4670
+ * SECURITY UPDATE: denial of service via ArrayIterator use-after-free
+ - debian/patches/CVE-2014-4698.patch: don't allow modifying ArrayObject
+ during sorting in ext/spl/spl_array.c, added test to
+ ext/spl/tests/bug67539.phpt.
+ - CVE-2014-4698
+ * SECURITY UPDATE: information leak via phpinfo (LP: #1338170)
+ - debian/patches/CVE-2014-4721.patch: fix type confusion in
+ ext/standard/info.c, added test to
+ ext/standard/tests/general_functions/bug67498.phpt.
+ - CVE-2014-4721
+
+ -- Marc Deslauriers Tue, 08 Jul 2014 21:22:42 -0400
+
+php5 (5.3.2-1ubuntu4.25) lucid-security; urgency=medium
+
+ * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
+ - debian/patches/CVE-2014-0237.patch: remove file_printf calls in
+ ext/fileinfo/libmagic/cdf.c.
+ - CVE-2014-0237
+ * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
+ - debian/patches/CVE-2014-0238.patch: fix infinite loop in
+ ext/fileinfo/libmagic/cdf.c.
+ - CVE-2014-0238
+ * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
+ parsing
+ - debian/patches/CVE-2014-4049.patch: check length in
+ ext/standard/dns.c.
+ - CVE-2014-4049
+
+ -- Marc Deslauriers Thu, 19 Jun 2014 13:48:46 -0400
+
+php5 (5.3.2-1ubuntu4.24) lucid-security; urgency=medium
+
+ * SECURITY UPDATE: denial of service in fileinfo via crafted offset in
+ PE executable
+ - debian/patches/CVE-2014-2270.patch: check bounds in
+ ext/fileinfo/libmagic/softmagic.c.
+ - CVE-2014-2270
+
+ -- Marc Deslauriers Thu, 03 Apr 2014 15:23:04 -0400
+
+php5 (5.3.2-1ubuntu4.23) lucid-security; urgency=medium
+
+ * SECURITY UPDATE: denial of service via crafted indirect offset value
+ in fileinfo
+ - debian/patches/CVE-2013-1943.patch: properly handle recursion in
+ ext/fileinfo/libmagic/{ascmagic.c,file.h,funcs.c,softmagic.c}, added
+ test to ext/fileinfo/tests/cve-2014-1943.phpt.
+ - CVE-2013-1943
+
+ -- Marc Deslauriers Fri, 28 Feb 2014 17:40:15 -0500
+
+php5 (5.3.2-1ubuntu4.22) lucid-security; urgency=low
+
+ * SECURITY UPDATE: denial of service and possible code execution via
+ malicious certificate
+ - debian/patches/CVE-2013-6420.patch: properly validate timestr in
+ ext/openssl/openssl.c, added ext/openssl/tests/cve-2013-6420.*.
+ - CVE-2013-6420
+ * SECURITY UPDATE: denial of service via crafted interval specification
+ - debian/patches/CVE-2013-6712.patch: check error_count in
+ ext/date/lib/parse_iso_intervals.*.
+ - CVE-2013-6712
+
+ -- Marc Deslauriers Wed, 11 Dec 2013 19:23:24 -0500
+
+php5 (5.3.2-1ubuntu4.21) lucid-security; urgency=low
+
+ * SECURITY UPDATE: SSL cert validation spoofing via NULL character in
+ subjectAltName.
+ - debian/patches/CVE-2013-4248.patch: validate subjectAltName in
+ ext/openssl/openssl.c, added test to ext/openssl/tests/cve2013_4073*.
+ - CVE-2013-4248
+
+ -- Marc Deslauriers Wed, 04 Sep 2013 12:56:49 -0400
+
+php5 (5.3.2-1ubuntu4.20) lucid-security; urgency=low
+
+ * SECURITY UPDATE: denial of service and possible code execution via xml
+ parser heap overflow
+ - debian/patches/CVE-2013-4113.patch: check against XML_MAXLEVEL in
+ ext/xml/xml.c, add test to ext/xml/tests/bug65236.phpt.
+ - CVE-2013-4113
+ * SECURITY UPDATE: denial of service via overflow in SdnToJewish
+ - debian/patches/CVE-2013-4635.patch: check value in
+ ext/calendar/jewish.c, add test to
+ ext/calendar/tests/jdtojewish64.phpt.
+ - CVE-2013-4635
+
+ -- Marc Deslauriers Mon, 15 Jul 2013 09:50:48 -0400
+
+php5 (5.3.2-1ubuntu4.19) lucid-security; urgency=low
+
+ * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
+ - debian/patches/CVE-2013-1643.patch: disable the entity loader in
+ ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
+ - CVE-2013-1643
+
+ -- Marc Deslauriers Mon, 11 Mar 2013 07:49:54 -0400
+
+php5 (5.3.2-1ubuntu4.18) lucid-security; urgency=low
+
+ * SECURITY UPDATE: HTTP response-splitting issue with %0D sequences
+ - debian/patches/CVE-2011-1398.patch: properly handle %0D and NUL in
+ main/SAPI.c, added tests to ext/standard/tests/*, fix test suite
+ failures in ext/phar/phar_object.c.
+ - CVE-2011-1398
+ - CVE-2012-4388
+ * SECURITY UPDATE: denial of service and possible code execution via
+ _php_stream_scandir function (LP: #1028064)
+ - debian/patches/CVE-2012-2688.patch: prevent overflow in
+ main/streams/streams.c.
+ - CVE-2012-2688
+ * SECURITY UPDATE: denial of service via PDO extension crafted parameter
+ - debian/patches/CVE-2012-3450.patch: improve logic in
+ ext/pdo/pdo_sql_parser.re, regenerate ext/pdo/pdo_sql_parser.c, add
+ test to ext/pdo_mysql/tests/bug_61755.phpt.
+ - CVE-2012-3450
+
+ -- Marc Deslauriers Wed, 12 Sep 2012 11:33:30 -0400
+
+php5 (5.3.2-1ubuntu4.17) lucid-security; urgency=low
+
+ * SECURITY UPDATE: denial of service via invalid tidy objects
+ - debian/patches/CVE-2012-0781.patch: track initialization in
+ ext/tidy/tidy.c, added tests to ext/tidy/tests/004.phpt,
+ ext/tidy/tests/bug54682.phpt.
+ - CVE-2012-0781
+ * SECURITY UPDATE: denial of service or possible directory traversal via
+ invalid filename.
+ - debian/patches/CVE-2012-1172.patch: ensure brackets get closed in
+ main/rfc1867.c, add test to tests/basic/bug55500.phpt.
+ - CVE-2012-1172
+ * SECURITY UPDATE: password truncation via invalid byte
+ - debian/patches/CVE-2012-2143.patch: improve logic in
+ ext/standard/crypt_freesec.c, add test to
+ ext/standard/tests/strings/crypt_chars.phpt.
+ - CVE-2012-2143
+ * SECURITY UPDATE: crypto() empty salt string issue
+ - debian/patches/php_crypt_revamped.patch: Return fail string on
+ invalid Blowfish salt rounds, fix regression when the salt is empty.
+ - CVE-2012-2317
+ * SECURITY UPDATE: improve php5-cgi query string parameter parsing
+ - debian/patches/CVE-2012-233x.patch: improve parsing in
+ sapi/cgi/cgi_main.c.
+ - CVE-2012-2335
+ - CVE-2012-2336
+ * SECURITY UPDATE: phar extension heap overflow
+ - debian/patches/CVE-2012-2386.patch: check for overflow in
+ ext/phar/tar.c.
+ - CVE-2012-2386
+
+ -- Marc Deslauriers Tue, 12 Jun 2012 15:51:23 -0400
+
+php5 (5.3.2-1ubuntu4.15) lucid-security; urgency=low
+
+ * SECURITY UPDATE: php5-cgi query string parameters parsing
+ vulnerability
+ - debian/patches/php5-CVE-2012-1823.patch: filter query strings that
+ are prefixed with '-'
+ - CVE-2012-1823
+ - CVE-2012-2311
+
+ -- Steve Beattie Thu, 03 May 2012 15:13:14 -0700
+
+php5 (5.3.2-1ubuntu4.14) lucid-security; urgency=low
+
+ * debian/patches/php5-CVE-2012-0831-regression.patch: fix
+ magic_quotes_gpc ini setting regression introduced by patch for
+ CVE-2012-0831. Thanks to Ondřej Surý for the patch. (LP: #930115)
+
+ -- Steve Beattie Fri, 10 Feb 2012 15:07:08 -0800
+
+php5 (5.3.2-1ubuntu4.13) lucid-security; urgency=low
+
+ * SECURITY UPDATE: memory allocation failure denial of service
+ - debian/patches/php5-CVE-2011-4153.patch: check result of
+ zend_strdup() and calloc() for failed allocations
+ - CVE-2011-4153
+ * SECURITY UPDATE: predictable hash collision denial of service
+ (LP: #910296)
+ - debian/patches/php5-CVE-2011-4885.patch: add max_input_vars
+ directive with default limit of 1000
+ - ATTENTION: this update changes previous php5 behavior by
+ limiting the number of external input variables to 1000.
+ This may be increased by adding a "max_input_vars"
+ directive to the php.ini configuration file. See
+ http://www.php.net/manual/en/info.configuration.php#ini.max-input-vars
+ for more information.
+ - CVE-2011-4885
+ * SECURITY UPDATE: remote code execution vulnerability introduced by
+ the fix for CVE-2011-4885 (LP: #925772)
+ - debian/patches/php5-CVE-2012-0830.patch: return rather than
+ continuing if max_input_vars limit is reached
+ - CVE-2012-0830
+ * SECURITY UPDATE: XSLT arbitrary file overwrite attack
+ - debian/patches/php5-CVE-2012-0057.patch: add xsl.security_prefs
+ ini option to define forbidden operations within XSLT stylesheets
+ - CVE-2012-0057
+ * SECURITY UPDATE: PDORow session denial of service
+ - debian/patches/php5-CVE-2012-0788.patch: fail gracefully when
+ attempting to serialize PDORow instances
+ - CVE-2012-0788
+ * SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
+ - debian/patches/php5-CVE-2012-0831.patch: always restore
+ magic_quote_gpc on request shutdown
+ - CVE-2012-0831
+ * SECURITY UPDATE: arbitrary files removal via cronjob
+ - debian/php5-common.php5.cron.d: take greater care when removing
+ session files (overlooked in a previous update).
+ - http://git.debian.org/?p=pkg-php%2Fphp.git;a=commitdiff_plain;h=d09fd04ed7bfcf7f008360c6a42025108925df09
+ - CVE-2011-0441
+
+ -- Steve Beattie Wed, 08 Feb 2012 20:55:57 -0800
+
+php5 (5.3.2-1ubuntu4.11) lucid-security; urgency=low
+
+ * SECURITY UPDATE: Denial of service and possible information disclosure
+ via exif integer overflow
+ - debian/patches/php5-CVE-2011-4566.patch: fix count checks in
+ ext/exif/exif.c.
+ - CVE-2011-4566
+
+ -- Marc Deslauriers Tue, 13 Dec 2011 09:16:21 -0500
+
+php5 (5.3.2-1ubuntu4.10) lucid-security; urgency=low
+
+ [ Angel Abad ]
+ * SECURITY UPDATE: File path injection vulnerability in RFC1867 File
+ upload filename (LP: #813115)
+ - debian/patches/php5-CVE-2011-2202.patch:
+ - CVE-2011-2202
+ * SECURITY UPDATE: Fixed stack buffer overflow in socket_connect()
+ (LP: #813110)
+ - debian/patches/php5-CVE-2011-1938.patch:
+ - CVE-2011-1938
+
+ [ Steve Beattie ]
+ * SECURITY UPDATE: DoS in zip handling due to addGlob() crashing
+ on invalid flags
+ - debian/patches/php5-CVE-2011-1657.patch: check for valid flags
+ - CVE-2011-1657
+ * SECURITY UPDATE: crypt_blowfish doesn't properly handle 8-bit
+ (non-ascii) passwords leading to a smaller collision space
+ - debian/patches/php5-CVE-2011-2483.patch: update crypt_blowfish
+ to 1.2 to correct handling of passwords containing 8-bit
+ (non-ascii) characters.
+ CVE-2011-2483
+ * SECURITY UPDATE: DoS due to failure to check for memory allocation errors
+ - debian/patches/php5-CVE-2011-3182.patch: check the return values
+ of the malloc, calloc, and realloc functions
+ - CVE-2011-3182
+ * SECURITY UPDATE: DoS in errorlog() when passed NULL
+ - debian/patches/php5-CVE-2011-3267.patch: fix NULL pointer crash in
+ errorlog()
+ - CVE-2011-3267
+ * SECURITY UPDATE: information leak via handler interrupt (LP: #852871)
+ - debian/patches/php5-CVE-2010-1914.patch: grab references before
+ calling zendi_convert_to_long()
+ - CVE-2010-1914
+
+ -- Steve Beattie Fri, 14 Oct 2011 14:24:59 -0700
+
+php5 (5.3.2-1ubuntu4.9) lucid-security; urgency=low
+
+ * debian/patches/php5-pear-CVE-2011-1144-regression.patch: fix
+ mkdir parenthesis issue and PEAR::raiseErro typo (LP: #774452)
+
+ -- Steve Beattie Mon, 02 May 2011 09:21:53 -0700
+
+php5 (5.3.2-1ubuntu4.8) lucid-security; urgency=low
+
+ * SECURITY UPDATE: arbitrary files removal via cronjob
+ - debian/php5-common.php5.cron.d: take greater care when removing
+ session files.
+ - http://git.debian.org/?p=pkg-php%2Fphp.git;a=commitdiff_plain;h=d09fd04ed7bfcf7f008360c6a42025108925df09
+ - CVE-2011-0441
+ * SECURITY UPDATE: symlink tmp races in pear install
+ - debian/patches/php5-pear-CVE-2011-1072.patch: improved
+ tempfile handling.
+ - debian/rules: apply patch manually after unpacking PEAR phar
+ archive.
+ - CVE-2011-1072
+ * SECURITY UPDATE: more symlink races in pear install
+ - debian/patches/php5-pear-CVE-2011-1144.patch: add TOCTOU save
+ file handler.
+ - debian/rules: apply patch manually after unpacking PEAR phar
+ archive.
+ - CVE-2011-1144
+ * SECURITY UPDATE: pathname restriction bypass vulnerability
+ - debian/patches/php5-CVE-2006-7243.patch: check for passed
+ filenames containing NULL bytes.
+ - CVE-2006-7243
+ * SECURITY UPDATE: use-after-free vulnerability
+ - debian/patches/php5-CVE-2010-4697.patch: retain reference to
+ object until getter/setter are done.
+ - CVE-2010-4697
+ * SECURITY UPDATE: denial of service through application crash with
+ invalid images
+ - debian/patches/php5-CVE-2010-4698.patch: verify anti-aliasing
+ steps are either 4 or 16.
+ - CVE-2010-4698
+ * SECURITY UPDATE: denial of service through application crash
+ - debian/patches/php5-CVE-2011-0420.patch: improve grapheme_extract()
+ argument validation.
+ - CVE-2011-0420
+ * SECURITY UPDATE: denial of service through application crash
+ - debian/patches/php5-CVE-2011-0421.patch: fail operation gracefully
+ when handling zero sized zipfile with the FL_UNCHANGED argument
+ - CVE-2011-0421
+ * SECURITY UPDATE: denial of service through application crash when
+ handling images with invalid exif tags
+ - debian/patches/php5-CVE-2011-0708.patch: stricter exif checking
+ - CVE-2011-0708
+ * SECURITY UPDATE: denial of service and possible data disclosure
+ through integer overflow
+ - debian/patches/php5-CVE-2011-1092.patch: better boundary
+ condition checks in shmop_read()
+ - CVE-2011-1092
+ * SECURITY UPDATE: use-after-free vulnerability
+ - debian/patches/php5-CVE-2011-1148.patch: improve reference
+ counting
+ - CVE-2011-1148
+ * SECURITY UPDATE: format string vulnerability
+ - debian/patches/php5-CVE-2011-1153.patch: correctly quote format
+ strings
+ - CVE-2011-1153
+ * SECURITY UPDATE: denial of service through buffer overflow crash
+ (code execution mitigated by compilation with Fortify Source)
+ - debian/patches/php5-CVE-2011-1464.patch: limit amount of precision
+ to ensure fitting within MAX_BUF_SIZE
+ - CVE-2011-1464
+ * SECURITY UPDATE: denial of service through application crash via
+ integer overflow.
+ - debian/patches/php5-CVE-2011-1466.patch: improve boundary
+ condition checking in SdnToJulian()
+ - CVE-2011-1466
+ * SECURITY UPDATE: denial of service through application crash
+ - debian/patches/php5-CVE-2011-1467.patch: check for invalid
+ attribute symbols in NumberFormatter::setSymbol()
+ - CVE-2011-1467
+ * SECURITY UPDATE: denial of service through memory leak
+ - debian/patches/php5-CVE-2011-1468.patch: fix memory leak of
+ openssl contexts
+ - CVE-2011-1468
+ * SECURITY UPDATE: denial of service through application crash
+ when using HTTP proxy with the FTP wrapper
+ - debian/patches/php5-CVE-2011-1469.patch: improve pointer handling
+ - CVE-2011-1469
+ * SECURITY UPDATE: denial of service through application crash when
+ handling ziparchive streams
+ - debian/patches/php5-CVE-2011-1470.patch: set necessary elements of
+ the meta data structure
+ - CVE-2011-1470
+ * SECURITY UPDATE: denial of service through application crash when
+ handling malformed zip files
+ - debian/patches/php5-CVE-2011-1471.patch: correct integer
+ signedness error when handling zip_fread() return value.
+ - CVE-2011-1471
+
+ -- Steve Beattie Thu, 21 Apr 2011 11:07:40 -0700
+
+php5 (5.3.2-1ubuntu4.7) lucid-security; urgency=low
+
+ * debian/patches/php5-CVE-2010-3436-regression.patch: update
+ main/fopen_wrappers.c to include fix for open_basedir restriction
+ regression (LP: #701896)
+
+ -- Steve Beattie Wed, 12 Jan 2011 07:28:55 -0800
+
+php5 (5.3.2-1ubuntu4.6) lucid-security; urgency=low
+
+ * SECURITY UPDATE: open_basedir bypass
+ - debian/patches/php5-CVE-2010-3436.patch: more strict checking in
+ php_check_specific_open_basedir()
+ - CVE-2010-3436
+ * SECURITY UPDATE: NULL pointer dereference crash
+ - debian/patches/php5-CVE-2010-3709.patch: check for NULL when
+ getting zip comment
+ - CVE-2010-3709
+ * SECURITY UPDATE: memory consumption denial of service
+ - debian/patches/php5-CVE-2010-3710.patch: check for email address
+ longer than RFC 2821 allows
+ - CVE-2010-3710
+ * SECURITY UPDATE: xml decode bypass
+ - debian/patches/php5-CVE-2010-3870.patch: improve utf8 decoding
+ - CVE-2010-3870
+ * SECURITY UPDATE: integer overflow can cause an application crash
+ - debian/patches/php5-CVE-2010-4409.patch: fix invalid args in
+ NumberFormatter::getSymbol()
+ - CVE-2010-4409
+ * SECURITY UPDATE: infinite loop/denial of service when dealing with
+ certain textual forms of MAX_FLOAT (LP: #697181)
+ - debian/patches/php5-CVE-2010-4645.patch: treat local doubles
+ as volatile to avoid x87 registers in zend_strtod()
+ - CVE-2010-4645
+
+ -- Steve Beattie Fri, 07 Jan 2011 10:56:23 -0800
+
+php5 (5.3.2-1ubuntu4.5) lucid-security; urgency=low
+
+ * SECURITY UPDATE: denial of service and possible memory corruption via
+ negative size in HTTP chunked encoding stream
+ - debian/patches/CVE-2010-1866.patch: prevent chunk_size from
+ overflowing in ext/standard/filters.c.
+ - CVE-2010-1866
+ * SECURITY UPDATE: arbitrary code execution via empty SQL query
+ - debian/patches/CVE-2010-1868.patch: use ecalloc instead of emalloc in
+ ext/sqlite/sqlite.c.
+ - CVE-2010-1868
+ * SECURITY UPDATE: denial of service via fnmatch stack consumption
+ - debian/patches/CVE-2010-1917.patch: limit size of pattern in
+ ext/standard/file.c.
+ - CVE-2010-1917
+ * SECURITY UPDATE: arbitrary memory disclosure and possible code
+ execution via phar extension
+ - debian/patches/CVE-2010-2094.patch: use correct format string in
+ ext/phar/dirstream.c, ext/phar/stream.c.
+ - CVE-2010-2094
+ - CVE-2010-2950
+ * SECURITY UPDATE: sensitive information disclosure or arbitrary code
+ execution via use-after-free in SplObjectStorage unserializer
+ - debian/patches/CVE-2010-2225.patch: fix logic in
+ ext/spl/spl_observer.c, ext/standard/{php_var.h,var_unserializer.*},
+ add tests to ext/spl/tests.
+ - CVE-2010-2225
+ * SECURITY UPDATE: sensitive information disclosure via error messages
+ - debian/patches/CVE-2010-2531.patch: don't display data when flushing
+ output buffer in ext/standard/{var.c,php_var.h}, fix tests in
+ ext/standard/tests/general_functions.
+ - CVE-2010-2531
+ * SECURITY UPDATE: arbitrary session variable modification via crafted
+ session variable name
+ - debian/patches/CVE-2010-3065.patch: handle PS_UNDEF_MARKER marker in
+ ext/session/session.c.
+ - CVE-2010-3065
+ * debian/patches/lp564920-fix-big-files.patch: Fix downloading of large
+ files (LP: #564920)
+
+ -- Marc Deslauriers Fri, 17 Sep 2010 08:14:26 -0400
+
+php5 (5.3.2-1ubuntu4.2) lucid-proposed; urgency=low
+
+ * debian/patches/session_save_path.patch: Save PHP sessions to
+ /var/lib/php rather than /tmp (LP: #573222)
+
+ -- Chuck Short Mon, 10 May 2010 04:00:03 -0400
+
+php5 (5.3.2-1ubuntu4.1) lucid-proposed; urgency=low
+
+ * debian/patches/fix-mysql-badmem.patch: Fix mysql crash when using php5-cgi. (LP: #567043)
+
+ -- Chuck Short Mon, 03 May 2010 11:23:43 -0400
+
+php5 (5.3.2-1ubuntu4) lucid; urgency=low
+
+ * debian/control, debian/rules: Re-enable libedit-dev. (LP: #548823)
+
+ -- Chuck Short Mon, 05 Apr 2010 15:33:21 -0400
+
+php5 (5.3.2-1ubuntu3) lucid; urgency=low
+
+ * debian/control: Fix upgrade of php5-ldap from 5.3.1. (LP: #)
+
+ -- Chuck Short Sun, 28 Mar 2010 15:41:34 -0400
+
+php5 (5.3.2-1ubuntu2) lucid; urgency=low
+
+ * debian/control: Dont build with libmcrypt-dev.
+
+ -- Chuck Short Fri, 26 Mar 2010 14:39:36 -0400
+
+php5 (5.3.2-1ubuntu1) lucid; urgency=low
+
+ * Merge from debian unstable:
+ - debian/control:
+ * Dropped firebird2.1-dev, libc-client-dev, libmcrypt-dev as it is in universe.
+ * Dropped libmysqlclient15-dev, build against mysql 5.1.
+ * Dropped libcurl-dev not in the archive.
+ * Suggest php5-suhosin rather than recommends.
+ * Dropped php5-imap, php5-interbase, php5-mcrypt since we have versions already in
+ universe.
+ * Dropped libonig-dev and libqgdbm since its in universe. (will be re-added in lucid+1)
+ * Dropped locales-all.
+ - modulelist: Drop imap, interbase, and mcrypt.
+ - debian/rules:
+ * Dropped building of mcrypt, imap, and interbase.
+ * Install apport hook for php5.
+ - Dropped debian/patches/libedit_is_editline.patch.
+
+ -- Chuck Short Tue, 16 Mar 2010 09:09:50 -0400
+
+php5 (5.3.2-1) unstable; urgency=high
+
+ [ Sean Finney ]
+ * Fix improper signed overflow detection in filter extension
+ (Closes: #570287)
+ * Another integer overflow/underflow logic fix. (Closes: #570144)
+ * new debian patch fix_filter_var_email_test.patch (Closes: #571764)
+ * New debian patch fix_var_dump_64bit.phpt.patch (Closes: #571772)
+ * New debian patch use_embedded_timezonedb_fixes.patch (Closes: #571762)
+
+ [ Raphael Geissert ]
+ * Build with qdbm support
+ * Really run extensions' tests
+ * Add a note about user_dirs in apache conf file (Closes: #571714)
+ * Fix typo in debian/NEWS
+ * Don't install a(nother) useless Structures_Graph sh script
+ * Re-enable short_open_tag for CLI too (Closes: #573367)
+ * Disable memory limit in CLI, letting ulimit do its job (Closes: #407425)
+ * Fix the locale name in some tests (Closes: #573511)
+ * Fix some gd tests that need the bundled library
+ * Fix a null pointer dereference when processing invalid XML-RPC
+ requests (CVE-2010-0397, Closes: #573573)
+ * Fix an unaligned memory access in enchant_dict_suggest()
+ * Fix another unaligned memory access in enchant
+ * Test that the list of extensions to test is never empty
+ * Update the list of alternative dependencies of php5-dbg
+ * debian/rules cleanup
+ * debian/control cleanup
+ * Build against the system oniguruma library
+ * Add libjpeg-dev as an alternative to libjpeg62-dev for future
+ transitions
+
+ [ Ondřej Surý ]
+ * Imported Upstream version 5.3.2
+ * Updated suhosin patch to 0.9.9.1 version.
+ * Removed debian/patches/suhosin_page_size_fixes.patch. (Closes: #571974)
+ * Refreshed debian/patches/001-libtool_fixes.patch
+ * Refreshed debian/patches/006-debian_quirks.patch
+ * Adapt debian patches to 5.3.2.
+ * Remove "binary" contents from
+ debian/patches/fix_var_dump_64bit.phpt.patch
+ * New debian patch fix_broken_sha2_test.patch
+ * New debian patch always_use_system_crypt.patch (Closes: #572601)
+ * New debian patch php_crypt_revamped.patch (Closes: #572601)
+
+ -- Raphael Geissert Sat, 13 Mar 2010 15:11:48 -0600
+
+php5 (5.3.1-5) unstable; urgency=low
+
+ [ Sean Finney ]
+ * Pass full path to php cli executable for unit tests
+ * dont-gitclean-in-build.patch: Don't run git-clean via buildconf
+ * update debian patch page_size_fixes.patch with upstream bug ref
+ * new debian patch broken_5.3_test-posix_uname.patch (Closes: #570286)
+
+ [ Raphael Geissert ]
+ * Add build-dependency on netbase to fix a test (Closes: #570291)
+ * Suhosin PAGE_SIZE fixes have been already forwarded
+ * Fix a race condition on shtool's mkdir -p (Closes: #570111)
+ * Actually test the binary that is to be shipped in the -cli package
+ * Add some more documentation about the build system
+ * Documentation updates
+ * Update the suhosin patch version information
+ * Build-dep on locales-all to enable multiple tests
+ * Don't ship empty maintainer scripts
+ * Add patch to allow building with qdbm
+ * Test the extensions that don't require a special setup
+ * Get the correct list of built-in extensions of apache2filter
+
+ -- Raphael Geissert Mon, 22 Feb 2010 10:41:51 -0600
+
+php5 (5.3.1-4) unstable; urgency=low
+
+ [ Raphael Geissert ]
+ * Pass -O0 when using 'noopt' to actually disable any optimization
+ * Add patch to use sysconf() to determine the page size
+ * Add patch to remove PAGE_SIZE assumptions in suhosin code
+ * Fix an unaligned memory access in the phar extension
+ * Fix another unaligned memory access
+ * Print the expected/actual output of failed test
+ * Add missing PEAR directory (Closes: #542483)
+ * Build sqlite3 as shared (Closes: #568956)
+ * Add some more documentation about the source package
+
+ [ Sean Finney ]
+ * New debian patch fix_broken_5.3_tests.patch
+
+ -- Raphael Geissert Thu, 11 Feb 2010 02:22:47 -0600
+
+php5 (5.3.1-3) unstable; urgency=low
+
+ [ Ondřej Surý ]
+ * get rid of php4 dependencies
+ * Enable short_open_tag again (Closes: #537099)
+ * fix dependency on automake1.4 in php5-dev package
+ * fix typo s/firefox/firebird/ in changelog
+ * Removed long inactive Adam Conrad and Jeroen van Wolffelaar from uploaders
+
+ [ Raphael Geissert ]
+ * Fix maintainer scripts to use php.ini-production (Closes: #565130)
+ * Revert b22a350: Turn the phpapi dependencies into php5 | phpapi
+ * Allow parallel building via parallel=n
+ * Build with the hardening wrapper
+ * Remove no-longer-needed dfsg-repack script
+ * Add DEP-3-format metadata to some of the patches
+ * Build the intl extension
+ * Drop exif_read_data-segfault patch, merged upstream
+ * Build the enchant extension
+ * Add ${misc:Depends} where missing
+ * Disable mod_php in user directories (Closes: #555606)
+ * Add missing comment character to php.ini-paranoid (Closes: #564622)
+ * Build the interbase extension on all the supported architectures
+
+ [ Sean Finney ]
+ * 5.3 upload for unstable.
+ - Includes backported fix for "ref converted to value" (Closes: #556237).
+
+ -- Raphael Geissert Sun, 07 Feb 2010 23:31:51 -0600
+
+php5 (5.3.1-2) experimental; urgency=low
+
+ * Merged changes from 5.2.x sid branch.
+ * Adapt mssql-null-exception.patch and sybase-alias.patch to 5.3.1
+ * Update strcmp_null-OnUpdateErrorLog.patch; merged upstream, leave a
+ patch with a test case
+ * Removed check_ini_on_modify_status.patch and gentoo/117-
+ 4_digit_year_big_endian.patch; merged upstream
+ * Removed max_file_uploads.patch; no need for backwards compatibility
+ between major releases
+ * Refreshed 112-proc_open.patch,exif_read_data-segfault.patch
+ * Fix duplicate Provides: in debian/control introduced by cherry-
+ picking 94f0ec3
+ * Update sybase aliases to include correct arguments, needed for 5.3.x
+ * Update Build-Depends: to include firebird2.1-dev as preferred
+ alternative (Closes: #564691)
+ * Reformat Build-Depends: to one-dependency-per-line
+ * Reduce number of libdb*-dev to include only version in
+ stable/testing/unstable
+ * Switch to automake (>= 1.11) | automake1.11, depend on autoconf >=
+ 2.63 (Closes: #549148)
+
+ -- Ondřej Surý Mon, 11 Jan 2010 16:56:01 +0100
+
+php5 (5.3.1-1) experimental; urgency=low
+
+ * Imported Upstream version 5.3.1
+ * Change dependcy to libdb-dev instead on arbitrary version of
+ libdb4.x-dev
+ * Refreshed 006-debian_quirks patch to apply cleanly.
+ * Removed 114-php_gd_segfault.patch, merged upstream.
+ * Refreshed 115-autoconf_ftbfs.patch to apply cleanly
+ * Updated suhosin.patch to 0.9.8 version for php-5.3.1
+ * Refreshed 001-libtool_fixes.patch
+ * Refreshed 004-ldap_fix.patch
+ * Refreshed 013-force_getaddrinfo.patch
+ * Refreshed 036-fd_setsize_fix.patch
+ * Refreshed 052-phpinfo_no_configure.patch
+ * Refreshed 053-extension_api.patch
+ * Refreshed 108-64_bit_datetime.patch
+ * Refreshed 113-php.ini_securitynotes.patch
+ * Refreshed 116-posixness_fix.patch
+ * Refreshed gentoo/006_ext-curl-set_opt-crash.patch
+ * Refreshed gentoo/009_ob-memory-leaks.patch
+ * Refreshed libedit_is_editline.patch
+ * Refreshed suhosin.patch
+ * Add .gitignore file to ignore .pc/ directory
+ * Removed README.CVS-RULES from debian/php5-common.docs, file is no
+ longer shipped by upstream.
+
+ -- Ondřej Surý Thu, 07 Jan 2010 17:21:47 +0100
+
+php5 (5.3.0-3) experimental; urgency=low
+
+ * Fix segmentation fault in php-gd (Closes: #543496)
+ * Update suhosin patch to 0.9.8 *BETA* and enable it again
+ * Fix FTBFS with current autoconf/automake (Closes: #542906, #542088)
+ * Add avr32-linux-gnu to no -gstabs toolchains (Closes: #543278)
+ * Fix FTBFS on Debian Hurd (Closes: #530281)
+ * Use updated (v7) version of use_embedded_timezonedb.patch (Closes: #535770)
+
+ -- Ondřej Surý Tue, 25 Aug 2009 16:12:13 +0200
+
+php5 (5.2.12.dfsg.1-2) unstable; urgency=low
+
+ * Update Build-Depends: to include firebird2.1-dev as preferred
+ alternative (Closes: #564691)
+ * Reformat Build-Depends: to one-dependency-per-line
+ * Reduce number of firebird*-dev to include only version in
+ stable/testing/unstable
+ * Reduce number of libdb*-dev to include only version in
+ stable/testing/unstable
+ * Switch to automake (>= 1.11) | automake1.11, depend on autoconf
+ (>= 2.63) (Closes: #549148)
+
+ -- Ondřej Surý Mon, 11 Jan 2010 17:31:33 +0100
+
+php5 (5.2.12.dfsg.1-1) unstable; urgency=low
+
+ [ Thijs Kinkhorst ]
+ * Change comment in module .ini snippets from # to ; to avoid deprecation
+ warnings with PHP 5.3.0.
+
+ [ Ondřej Surý ]
+ * Imported Upstream version 5.2.12.dfsg.1
+ * Removed manpage_spelling.patch, merged upstream.
+ * Removed libedit_is_editline.patch, merged upstream.
+ * Refreshed max_file_uploads.patch, patch can be removed, it's kept to
+ raise max_file_uploads to 50.
+ * Refreshed and updated suhosin.patch
+ * Refreshed 001-libtool_fixes.patch, 004-ldap_fix.patch,
+ 006-debian_quirks.patch, 013-force_getaddrinfo.patch,
+ 034-apache2_umask_fix.patch, 053-extension_api.patch,
+ 056-mime_magic_liberal.patch, 115-autoconf_ftbfs.patch,
+ gentoo/009_ob-memory-leaks.patch, mssql-null-exception.patch,
+ use_embedded_timezonedb.patch
+ * Removed autogenerated main/php_config.h.in from suhosin.patch
+ (Ubuntu: #493761)
+ * Short open tags are On again in php.ini-dist (Closes: #537099)
+ * Don't leave .start if we are purging (Closes: #561739)
+ * Add README.Debian file to /usr/share/doc/php-pear/PEAR, so the
+ directory is not deleted (Closes: #563437, #542483)
+
+ [ Upstream ]
+ * Fix default pear.php.net channel definitions (Closes: #559029)
+
+ -- Ondřej Surý Fri, 08 Jan 2010 18:18:43 +0100
+
+php5 (5.2.11.dfsg.1-2) unstable; urgency=high
+
+ * max_file_uploads: limit the maximum number of file uploads to 50
+ + Reduces the chances of a temporary file exhaustion DoS
+ * Add libdb4.8-dev as an alternative dependency (Closes: #555945)
+ * Add libdb-dev as another alternative, hopefully the last one
+ (Closes: #548486)
+ * Add a versioned dependency on libtool 2.2 (Closes: #548015)
+ * Use FilesMatch and SetHandler on apache setups (Closes: #491928)
+ * Gentoo patch ext-curl-set_opt-crash has already been merged upstream
+ * Drop unused lintian override
+
+ -- Raphael Geissert Sat, 21 Nov 2009 13:37:51 -0600
+
+php5 (5.2.11.dfsg.1-1) unstable; urgency=low
+
+ * New upstream release
+
+ [ Fixes incorporated upstream ]
+ * Fix 4-year digit year on big-endian platforms (Closes: #542301)
+ * patch curl_streams_sleep.patch
+ * patch strcmp_null-OnUpdateErrorLog.patch (partially addresses #540605)
+ * patch check_ini_on_modify_status.patch
+
+ [ Raphael Geissert ]
+ * Add aliases to the mssql functions on the sybase extension (Closes: #523073)
+ * Fix the rows_affected alias, it should be affected_rows
+ * Avoid possible memory dumps via PG on restored ini values (Closes: #540605)
+
+ [ Ondrej Sury ]
+ * Fix FTBFS with current autoconf/automake (Closes: #542906, #542088)
+ * Add avr32-linux-gnu to no -gstabs toolchains (Closes: #543278)
+ * Fix FTBFS on Debian Hurd (Closes: #530281)
+ * fix whitespace in libapache2-mod-php5.postinst
+
+ [ Sean Finney ]
+ * incorporate/ack previous NMU's, thanks Andreas.
+ * update debian patch 115-autoconf_ftbfs.patch for new upstream version
+ * update debian patch fix_broken_upstream_tests.patch
+ * update debian patch mssql-null-exception.patch
+ * refresh various quilt patches against new upstream version
+ * remove no longer needed "legacy" support for conffile migration
+ * add dpkg trigger in the apache2 and apache2filter sapis for reloading
+ apache2 on extension updates (Closes: #490023, #524206)
+ * let libmysqlclient15-dev be a fallback alternative for libmysqlclient-dev
+ in case someone wants to backport the package.
+ * update list of installed documentation
+
+ -- Sean Finney Sun, 20 Sep 2009 11:05:35 +0200
+
+php5 (5.2.10.dfsg.1-2.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Drop hand-crafted dependency on libmysqlclient15.
+
+ -- Andreas Barth Mon, 31 Aug 2009 09:22:16 +0200
+
+php5 (5.2.10.dfsg.1-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix FTBFS with new autoconf. Thanks to Russ Allbery for the patch.
+ Closes: #542906
+
+ -- Andreas Barth Sun, 30 Aug 2009 13:49:40 +0200
+
+php5 (5.2.10.dfsg.1-2) unstable; urgency=low
+
+ * Declare that PEAR replaces XML_UTIL (Closes: #534621)
+ * Bump standards-version, no change needed
+ * Fix an unconditional limit on dblib_driver.c (Closes: #534881)
+ * Fix a segfault on exif_data_read with corrupted jpg files (Closes: #535888)
+ * Recommend php5-suhosin, as suggested by Thijs (Closes: #529760)
+ * Set sysconfig to /etc, to avoid getting /usr/etc in PHP_SYSCONFDIR
+ * Add myself to uploaders
+ * Fix the path to PEAR's config, directly in rules (Closes: #507762)
+
+ -- Raphael Geissert Thu, 09 Jul 2009 18:25:48 -0500
+
+php5 (5.3.0-2) experimental; urgency=low
+
+ * update configuration file names to new upstream naming convention
+
+ -- Sean Finney Wed, 01 Jul 2009 09:12:10 +0200
+
+php5 (5.3.0-1) experimental; urgency=low
+
+ * New Upstream Version
+
+ [ Sean Finney ]
+ * use ';' instead of '#' as comments in module ini files
+ * remove binary package for php5-mhash which is now built-in
+ * update removed windows modules in 006-debian_quirks.patch
+ * quilt refresh for new upstream release
+
+ -- Sean Finney Tue, 30 Jun 2009 20:09:07 +0200
+
+php5 (5.3.0~RC4-1) UNRELEASED; urgency=low
+
+ * New Upstream Version
+
+ [ Sean Finney ]
+ * (temporarily) disable suhosin patch while it does not apply to 5.3
+ * refresh various debian patches, fixing whitespace and offsets
+ * copy the gbp.conf from debian-sid and adapt it for experimental
+ * cherry-pick relevant gentoo patches from unstable
+ * cherry-pick debian fixes in libtool2.2.patch from unstable
+ * Update package sections to match override.
+
+ [ Raphael Geissert ]
+ * Detect the path to ltmain.sh at build time and set conflicts
+ appropriately
+ * Add libdb4.7-dev as an ORed build dependency to fix FTBFS
+ * Update the Vcs-* fields to reflect the move from svn to git
+ * Turn the phpapi dependencies into php5 | phpapi to fix
+ installability issues
+ * Bump Standards-Version to 3.8.1, no change needed
+ * Add a set of lintian overrides for some FP spelling-error-in-binary
+
+ [ Thijs Kinkhorst ]
+ * Update php5-cli package description to make it more neutral
+
+ -- Sean Finney Mon, 29 Jun 2009 07:54:51 +0200
+
+php5 (5.3.0~RC1-1) unstable; urgency=low
+
+ * New Upstream Version
+
+ -- Mark A. Hershberger Wed, 25 Mar 2009 19:39:48 -0400
+
+php5 (5.2.9.dfsg.1-1) unstable; urgency=low
+
+ * New upstream release (closes: #520538).
+ - fixes regressions with parsing via libxml2 (closes: #520246, #520423).
+
+ [ Sean Finney ]
+ * Refresh all patches.
+ * Update suhosin patch to 5.2.9, remove autotools-generated files (configure,
+ php_config.h.in) and .dsp files from patch.
+ * remove obsolete configure options from ./configure: --enable-memory-limit,
+ --enable-track-vars, --enable-trans-sid, --enable-filepro and --enable-dbx.
+ * Remove obsoleted patches which have been incorporated upstream:
+ - snmp_leaks.patch
+ - BG-initializing-fix.patch
+ - CVE-2008-2829.patch
+ - CVE-2008-3658.patch
+ - CVE-2008-3659.patch
+ - CVE-2008-3660.patch
+ - CVE-2008-5557.patch
+ - CVE-2008-5658.patch
+ - pdo-fetchobject-prototype-error.patch
+ - zend_object_handlers-invalid-write.patch
+ - dba-inifile-truncation.patch
+ - gentoo/freetds-compat.patch
+ - gentoo/010_ticks-zts-crashes.patch
+ - gentoo/019_new-memory-corruption.patch
+ - gentoo/009_array-function-crashes.patch
+ - gentoo/015_CVE-2008-2665-wrapper-safemode-bypass.patch
+ - gentoo/017_xmlrpc-invalid-callback-crash.patch
+ - gentoo/007_dom-setAttributeNode-crash.patch
+ - gentoo/006_PDORow-crash.patch
+ - gentoo/005_stream_context_set_params-crash.patch
+ * Update fix_broken_upstream_tests.patch, one of the tests is fixed.
+
+ -- Sean Finney Tue, 24 Mar 2009 19:05:09 +0100
+
+php5 (5.2.6.dfsg.1-3) unstable; urgency=low
+
+ [ Sean Finney ]
+ * Do not add -O2 to CFLAGS if DEB_BUILD_OPTIONS contains noopt.
+ * Security related fixes:
+ - php: inifile handler for the dba functions can be used to truncate a file
+ Patch: dba-inifile-truncation.patch (closes: #507101).
+ - CVE-2008-5658.patch: ZipArchive::extractTo directory traversal
+ Patch: CVE-2008-5658.patch (closes: #507857).
+ Thanks to Pierre Joye for help with the patch.
+
+ [ Raphael Geissert ]
+ * Picked up some patches from Gentoo (most included in PHP 5.2.7 and later):
+ + patches/gentoo/005_stream_context_set_params-crash.patch
+ + patches/gentoo/006_PDORow-crash.patch
+ + patches/gentoo/007_dom-setAttributeNode-crash.patch
+ + patches/gentoo/009_array-function-crashes.patch
+ + patches/gentoo/010_ticks-zts-crashes.patch
+ + patches/gentoo/015_CVE-2008-2665-wrapper-safemode-bypass.patch
+ + patches/gentoo/017_xmlrpc-invalid-callback-crash.patch
+ + patches/gentoo/019_new-memory-corruption.patch
+ + patches/gentoo/freetds-compat.patch
+ - was deprecated_freetds_check.patch
+
+ -- Sean Finney Sat, 24 Jan 2009 21:17:13 +0100
+
+php5 (5.2.6.dfsg.1-2) unstable; urgency=low
+
+ [ Sean Finney ]
+ * Make sure a file used to track state is properly removed in the
+ postinst, thanks Raphael (closes: #511049).
+
+ [ Thijs Kinkhorst ]
+ * Fix watch file to mangle version.
+
+ [ Raphael Geissert ]
+ * Ship script used to take an upstream tarball and remove the non
+ DFSG-free stuff, update watch file accordingly.
+
+ -- Sean Finney Tue, 13 Jan 2009 08:24:36 +0100
+
+php5 (5.2.6.dfsg.1-1) unstable; urgency=high
+
+ [ Sean Finney ]
+ * Incorporate previous NMU.
+ * Updated system tzdata patch from Joe Orton.
+ * Removed tzdb-nofree_ents_ifnotzdata.patch, which is now incorporated
+ into Joe's patch.
+ * Two backported fixes from 5.2.8, thanks to Olivier Bonvalet for looking
+ them up.
+ - Upstream bug #46157 (PDOStatement::fetchObject prototype error)
+ Patch: pdo-fetchobject-prototype-error.patch
+ - Upstream bug #46308 (Invalid write in zend object handler / getter)
+ Patch: zend_object_handlers-invalid-write.patch
+ * Security related fixes:
+ - CVE-2008-5624: Incorporate fix from 5.3 for proper initialization of
+ uid/gid for apache2 sapi.
+ Patch: BG-initializing-fix.patch
+ - CVE-2008-5557: heap overflows in the mbstring extension.
+ Patch: CVE-2008-5557.patch (closes: #511493).
+
+ [ Thijs Kinkhorst ]
+ * Correct description typo, thanks Mathias Brodala (Closes: #508989).
+
+ -- Sean Finney Mon, 12 Jan 2009 12:12:36 +0100
+
+php5 (5.2.6.dfsg.1-0.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Remove exts/dbase from orig tarball (Closes: #341420)
+
+ -- Ben Hutchings Sat, 29 Nov 2008 19:19:28 +0000
+
+php5 (5.2.6-5) unstable; urgency=high
+
+ * Update debian/copyright to document that the DFSG-unfree email
+ requirement in ext/standard/rand.c has been rescinded by the
+ copyrightholder (Closes: #498621).
+
+ -- Thijs Kinkhorst Sun, 05 Oct 2008 11:32:35 +0200
+
+php5 (5.2.6-4) unstable; urgency=high
+
+ [ Sean Finney ]
+ * Take three unreleased fixes from upstream CVS:
+ - CVE-2008-3658: Buffer overflow in the imageloadfont function.
+ Patch: CVE-2008-3658.patch (closes: #499989)
+ - CVE-2008-3659: Buffer overflow in the memnstr function.
+ Patch: CVE-2008-3659.patch (closes: #499988)
+ - CVE-2008-3660: Remote DoS in fastcgi module
+ Patch: CVE-2008-3660.patch (closes: #499987)
+
+ [ Raphael Geissert ]
+ * snmp_leaks.patch: fixes memory leaks in the snmp extension (Closes: #423296)
+ - Thanks to Rodrigo Campos for the follow up
+ - Thanks to Federico Cuello for the original patch
+ * php5-dev.lintian-override: fix it so it actually works
+
+ -- Sean Finney Sun, 14 Sep 2008 14:25:11 +0200
+
+php5 (5.2.6-3) unstable; urgency=high
+
+ [ Thijs Kinkhorst ]
+ * Drop unneeded php5-timezonedb Suggests and obsolete php3 Conflicts.
+ * Add documentation about the timezonedb change (Closes: #492025).
+
+ [ Adam Conrad ]
+ * Modify 033-we_WANT_libtool.patch to cope with newer versions of
+ libtool that only copy auxilliary files when --install is used,
+ while still working with older versions that DTRT without.
+
+ [ Raphael Geissert ]
+ * debian/rules:
+ + Avoid installing useless test suites in php-pear (Closes: #478995)
+ + Remove any empty directory in php-pear
+ + Also get rid of usr/share/php/data/Structures_Graph/*
+ - Those were meant to be used by upstream maintainer
+ * debian/php5-dev.lintian-overrides:
+ - usr/lib/php5/build/run-tests.php is not meant to be used directly
+ * debian/control: bumped Standards Version to 3.8.0, no changes needed
+ * bad_whatis_entries.patch: fixes the whatis entries of all the manpages
+ * deprecated_freetds_check.patch: fixes the freetds detection routine
+ + Closes: #494230
+ - Thanks to jklowden@freetds.org and the Gentoo folks for the patch
+ (RC bugfix, upload urgency bumped)
+ * debian/libapache2-mod-php5*-{prerm,postinst}:
+ - Create a status file when removing the package (but not purging)
+ while having the mod enabled so reinstallation of the package
+ does not end up disabling the module (Closes: #471548)
+
+ [ Sean Finney ]
+ * Bump dependency on libmysqlclient15off to require the version from
+ lenny or later, in order to avoid subtle problems not previously detected
+ with libmysqlclient_r on mixed etch/lenny/sid systems (closes: #495575).
+
+ -- Sean Finney Wed, 20 Aug 2008 19:32:02 +0200
+
+php5 (5.2.6-2) unstable; urgency=high
+
+ [ Raphael Geissert ]
+ * Lintian-based changes:
+ - also install a lintian override for libapache2-mod-php5filter
+ - fixed the generic lintian overrides so they are meaningful
+ - dropping linda overrides, linda is gone now
+ - s/meta-package/metapackage
+ * debian/control:
+ - Updated php5's description so it mentions three instead of
+ only two server-side SAPIs
+ - Depend on php5-cli in php-pear (Closes: #482517)
+ + Previous change reverted because of PEAR packages FTBFS
+ - {B-,}Depend on tzdata to avoid crashes caused by the tz ext patch
+ - Dropped some versioned {b-,}dependencies that are satisified
+ even on sarge
+ * php.ini-*: state that when using a custom save_path,
+ gc_probability should also be set (Closes: #388808, #321460)
+ * tzdb-nofree_ents_ifnotzdata.patch: avoid free'ing ents when the tz dir does
+ not exist (Closes: #483461)
+
+ [ Sean Finney ]
+ * Fix for CVE-2008-2829: unsafe usage of deprecated imap functions
+ Patch: CVE-2008-2829.patch
+ * Modifications to suhosin.patch due to alignment problems on some
+ architectures. Thanks to Stefan Esser for the initial suggestion.
+ (Closes: #481737).
+ * Rename the apache2 filter module to libphp5filter.so, to prevent
+ conflicting filenames for symbols in the debug package.
+
+ -- Sean Finney Thu, 03 Jul 2008 08:14:45 +0200
+
+php5 (5.2.6-1) unstable; urgency=medium
+
+ * New upstream release. Fixes several security issues of unknown impact:
+ + possible stack buffer overflow in the FastCGI SAPI
+ + integer overflow in printf()
+ + unknown issue CVE-2008-0599
+ + a safe_mode bypass in cURL
+ + incomplete multibyte chars inside escapeshellcmd()
+
+ [ Sean Finney ]
+ * New patch (use_embedded_timezonedb.patch) allows us to default to
+ using the system provided timezone database instead of the one bundled
+ with PHP. Many thanks to Joe Orten from Red Hat for the patch!
+ (closes: #447174, #471104).
+ * Updated the Suhosin patch to v0.9.6 (5.2.6).
+ * New patch: force_libmysqlclient_r.patch, forcing the build system
+ to link against the threadsafe libmysqlclient without having to enable
+ the other zts features in php. This is required since the apr libraries
+ are now linking against this as well and mysql exports the same symbols
+ from both libraries. Thanks to Stefan Fritsch (closes: #469081).
+ * Massaged/updated various other patches in debian/patches
+ * Update copyright information to have information about non-trivial
+ patches worthy of copyright attributions, and update information about
+ current debian maintainers.
+ * Add some useful quilt settings in debian/rules to lower the amount of
+ noise in future quilt updates.
+ * Now building a php5 apache2 module with filter-module support in a new
+ libapache2-mod-php5filter package (closes: #438120).
+
+ [ Thijs Kinkhorst ]
+ * Checked for policy 3.7.3, no changes.
+
+ [ Raphael Geissert ]
+ * Build a php5-dbg package with the debug symbols of the SAPIs & extensions
+ + Bump debhelper dependency to >= 5 as dh_strip behaves differently.
+ * debian/watch: refactored so it can actually be used to download the tarball
+ * debian/rules: removed bashisms (Closes: #478613)
+ * debian/control: add a notice about Suhosin being applied (Closes: #471324)
+ + Additionally make sure the PHP boilerplate is the same for each package
+ * debian/patches/manpage_spelling.patch:
+ - fix spelling mistakes in man page (Closes: #413712)
+ * debian/NEWS: s/suhosin/Suhosin (Closes: #434351)
+ * debian/control: removed ORed postgresql-dev build-dep (Closes: #429981)
+ + postgresql-dev is a transitional package since etch
+ * Override the following lintian messages:
+ + SAPI packages package-contains-empty-directory usr/lib/php5/20060613+lfs/
+ + php5-common package-contains-empty-directory usr/lib/php5/libexec/
+ * Set our custom PHP_PEAR_DOWNLOAD_DIR when building the pear stuff
+ + Avoids the creation of /tmp/pear (Closes: #463979)
+ * Replaced all 'make' with '$(MAKE)' so any extra flag is preserved
+ * debian/rules: s/DEB_BUILD_ARCH/DEB_HOST_ARCH
+ + HOST is the machine the package is built for.
+ * Recommend php5-cli instead of depending on it in php-pear (Closes: #243214)
+ + php5-cli is only needed by the, rearely used, pear installer
+ * debian/README.source: inform how to generate php5-dbg's Depends
+ * debian/patches/029-php.ini_paranoid.patch: updated (Closes: #459814)
+ + Thanks to Javier Fernández-Sanguino Peña
+ Changes:
+ - includes some variables which were no present in the first version and
+ removes modules not available in PHP5. Also fixes typos in comments which
+ have since been fixed in php.ini-dist
+ - adds notes (Debian-specific) of which security features applications
+ should not rely on
+ - add more information of why some variables were enabled
+ - reorder the description of changes to suit the location in the config file
+ - add notes of deprecated features in PHP6
+ - add more (suggested) changes to the session module to make a more secure
+ use and storage of session IDs.
+ - remove the 'include' function from the list of disabled functions as it
+ is quite common for most applications
+ - modify the valid 'include_path' to make it really paranoid ('.' is not
+ allowed anymore)
+ - adjust locations of directories, including the upload dir and session dir
+ - proper definition for sql.safe_mode and description (missing in
+ php.ini-dist of what it is really for)
+ - added session configuration variables which are not available in
+ php.ini-dist together with recommended paranoid values
+ (session.referer_check, session.entropy_file, session.entropy_length)
+ - added more information to session configuration (not available in php.ini)
+ based on the information at php.net
+ * Lintian-based changes:
+ - debian/php5-common.dirs: do NOT create usr/share/doc/php5-common/PEAR/
+ - fixed a hyphen-used-as-minus-sign in php5(1):319
+ - get rid of usr/share/php/data/Structures_Graph/LICENSE in php-pear
+ * Move /usr/share/php/docs to /usr/share/doc/pear-php/PEAR (Closes: #331034)
+
+ [ Steve Langasek ]
+ * Step down from the PHP maintenance team, removing myself from uploaders.
+ So long, and thanks for all the fish!
+
+ -- Sean Finney Sun, 04 May 2008 21:15:47 +0200
+
+php5 (5.2.5-3) unstable; urgency=high
+
+ * zend_parse_parameters does not handle size_t's, causing issues with
+ 043-recode_size_t.patch and segmentation faults for recode-using pages.
+ changed problematic parameters back to "int" and added an overflow check.
+ thanks to Thomas Stegbauer, Tim Dijkstra, Bart Cortooms, Sebastian Göbel,
+ and Vincent Tondellier for their reports. closes: #459020.
+
+ -- Sean Finney Thu, 21 Feb 2008 00:59:21 +0100
+
+php5 (5.2.5-2) unstable; urgency=low
+
+ * debian/patches/libdb_is_-ldb: reorder the search for db4 instances to
+ give precedence to -ldb, so that we always get the version that matches
+ the installed -dev package instead of whichever most recent version php
+ upstream currently knows about. Closes: #463397.
+ * Update suhosin patch to not patch .dsp files (and config.w32), which
+ are irrelevant to Unix builds and seem to cause problems for clean
+ patching/unpatching.
+
+ -- Steve Langasek Fri, 01 Feb 2008 18:46:15 +0000
+
+php5 (5.2.5-1) unstable; urgency=low
+
+ [ Sean Finney ]
+ * New upstream release
+ * Updated suhosin patch for 5.2.5 minus ./configure as before.
+ * Workaround for xargs not handling extra long cmdlines in session
+ cleanup script (Closes: #461755).
+ * Remove unneccesary DEB_BUILD_GNU_TYPE fudging (Closes: #429066). Thanks
+ to Riku Voipio for the report/patch.
+
+ [ Raphael Geissert ]
+ * debian/rules: now DEB_BUILD_OPTIONS=nocheck aware
+ * Updated description of the php5 meta-package to reflect removal of apache
+ (Closes: #418038)
+ * Capitalise apache where needed (Closes: #439575)
+ * Homepage is now a control entry (moved from Description), Closes: #439578
+ * Fixed test-results.txt target so parallel package building doesn't fail
+ * Added Suggests: php5-timezonedb to all the SAPIs
+
+ [ Steve Langasek ]
+ * Add ${shlibs:Depends} to php5-common, since it does build ELF objects now
+ (pdo.so)
+ * Update build-deps to libdb4.6-dev now that libaprutil1-dev has switched.
+ Closes: #461192.
+
+ -- Steve Langasek Thu, 17 Jan 2008 13:39:17 -0800
+
+php5 (5.2.4-2) unstable; urgency=low
+
+ [ sean finney ]
+ * for posterity revised previous changelog to reference the CVE id's
+ of security issues resolved by the latest upstream release.
+ * lintian: use debian/compat instead of DH_COMPAT in debian/rules.
+ * lintian: use source:Version and binary:Version where appropriate,
+ instead of Source-Version
+ * lintian: remove a couple pieces of cruft in the changelog that were causing
+ false-postive wrong-bug-number-in-closes, but were generally useless
+ anyway.
+
+ [ Raphael Geissert ]
+ * Using test-results.txt as a target
+ * cronjob now checks for existance of /usr/lib/php5/maxlifetime (Closes: #439286)
+ * Fixed memory limit of 1232M in php.ini for cli (Closes: #440624)
+ * Build the interbase extension using firebird2.0-dev (Closes: #433736)
+ * Unapply patches with debian/rules clean
+
+ [ Steve Langasek ]
+ * Don't patch configure or php_config.h.in in suhosin.patch, as these are
+ auto-generated and including them in the patch results in a race
+ condition for the necessary build-time regeneration. Thanks to Daniel
+ Schepler for reporting, and to Damyan Ivanov for helping to sort out the
+ fix. Closes: #443637.
+ * Also remove the modified auto-generated files in the clean target,
+ which triggers a warning about disappearing files when building the
+ source package but avoids carrying irrelevant diffs to these files
+ in the Debian diff.
+ * Now that the testsuite is being run at build time, test failures cause
+ a bunch of junk files to be left around in the Debian diff. So clean up
+ several false-positive failures:
+ - 052-phpinfo_no_configure.patch: we're patching the output of phpinfo(),
+ so patch the test as well
+ - fix_broken_upstream_tests.patch: use a local directory for tests that
+ use sessions, skip the phpinfo test after all because it doesn't appear
+ to be compatible with current testsuite behavior, and disable the
+ moneyformat test if en_US locale is not available.
+ There are still several other failing tests, but these are not false
+ positives and remain enabled pending investigation.
+
+ -- sean finney Wed, 24 Oct 2007 21:51:14 +0200
+
+php5 (5.2.4-1) unstable; urgency=low
+
+ * New upstream release.
+ * Security issues resolved in the latest release:
+ - CVE-2007-2519 - Directory traversal vulnerability in PEAR
+
+
+ [ sean finney ]
+ * patch from Jan Wagner to be able to conditionally disable any
+ patches that break binary-compatibility with official php
+ binary-only extensions. see debian/rules for more information.
+ * now incorporate the php unit tests into the build process. for
+ those interested the output is stored in the file
+ /usr/share/doc/php5-common/test-results.txt .
+ * by default we now ship with enable_dl = Off, as there are some
+ fairly significant ramifications security-wise to having it on.
+ * we shipping with the suhosin patch enabled by default.
+ special thanks to Blars Blarson for providing a sparc machine for
+ testing purposes with 5.2.3 (closes: #397179).
+ * new binary package php5-gmp, with the newly enabled gmp extension,
+ since whatever reason for not doing so either never existed or no
+ no longer exists (closes: #344137). Build-Depends added for libgmp3-dev.
+
+ [ Steve Langasek ]
+ * php5-module.postinst: don't assume that the postinst is only relevant
+ when called with 'configure' as an argument, some future debhelper code
+ could apply in the case of other methods of invocation.
+ * Clean up build dependencies for recent library transitions:
+ - libsnmp-dev is now the real package name, and is supported as a virtual
+ package for backports.
+ - re-add firebird2-dev as an alternative to firebird1.5-dev, to support
+ backports.
+ - the curl -dev package name has changed from libcurl3-openssl-dev to
+ libcurl4-openssl-dev; update to the proper name, with libcurl-dev as
+ an alternative.
+ * Switch php5-sybase to use the mssql extension instead of the sybase_ct
+ extension. Closes: #418734, #329065.
+
+ -- sean finney Sun, 16 Sep 2007 14:46:06 +0200
+
+php5 (5.2.3-1) unstable; urgency=low
+
+ * new upstream release.
+ * upstream has incorporated the last of the recent CVE fixes, so
+ the patches have been removed.
+ * change build dependencies for firebird2-dev -> firebird1.5-dev,
+ as the firebird maintainer has changed names in order to provide
+ more clarity since there's also a firebird2.0 now (closes: #427181).
+ * now include, but do not apply by default, the suhosin patch. see
+ NEWS.Debian for more information.
+
+ -- sean finney Mon, 04 Jun 2007 22:02:10 +0200
+
+php5 (5.2.2-2) unstable; urgency=low
+
+ [sean finney]
+ - build with --with-ldap-sasl and modify build-depends to include
+ libsasl2-dev in order to get the ldap_sasl_bind function (closes: #422490).
+ - the json extension is now on by default in php builds, so there's
+ no need for the php5-json package. added a Provides/Conflicts to
+ help set an upgrade path.
+ - apache 1.x support is soon disappearing. as a consequence we are
+ no longer building the libapache-mod-php5 module. the php5 metapackage
+ should as a result bring in libapache2-mod-php5 by default for those who
+ already have it installed.
+
+ -- sean finney Sun, 20 May 2007 21:59:56 +0200
+
+php5 (5.2.2-1) unstable; urgency=low
+
+ [ sean finney ]
+ * new upstream release (closes: #422405).
+ * /most/ of the previous CVE patches have been committed upstream, though:
+ - the patch for MOPB-41 was fixed in a different way and we'll be keeping
+ our fix for the time being.
+ - it doesn't seem like MOPB-45 has been fixed yet.
+ * remove build-dependency option on libmysqlclient12-dev, since the mysqli
+ option requires it, and 15 is in stable now anyway. thanks to
+ Henk van de kamer for finding this (closes: #422224).
+ * now includes requested fix for mysql row counts (closes: #418471).
+ * needle/haystack issues are reported fixed (closes: #399924).
+ * oh yeah, because we're using quilt now: (closes: #338315).
+ * update build-deps to libdb4.5-dev | libdb4.4-dev (closes: #421929).
+ note that the resulting php packages won't actually build against
+ libdb4.5 until all of our build-dependant packages do too.
+
+ -- sean finney Sat, 05 May 2007 19:56:30 +0200
+
+php5 (5.2.0-12) unstable; urgency=high
+
+ [ sean finney ]
+ * modify the build-depends to play more nicely when the net-snmp
+ maintainers decide to change their package names (closes: #421061).
+
+ -- sean finney Tue, 01 May 2007 14:24:01 +0200
+
+php5 (5.2.0-11) unstable; urgency=high
+
+ [ sean finney ]
+ * The following security issues are addressed with this update:
+ - CVE-2007-0910/MOPB-32 session_decode() Double Free Vulnerability
+ * note that this is an update to the previous version of the upstream
+ fix for CVE-2007-0910, which introduced a seperate exploit path.
+ - CVE-2007-1286/MOPB-04 unserialize() ZVAL Reference Counter Overflow
+ - CVE-2007-1380/MOPB-10 php_binary Session Deserialization Information Leak
+ - CVE-2007-1375/MOPB-14 substr_compare() Information Leak Vulnerability
+ - CVE-2007-1376/MOPB-15 shmop Functions Resource Verification Vulnerability
+ - CVE-2007-1453/MOPB-18 ext/filter HTML Tag Stripping Bypass Vulnerability
+ - CVE-2007-1453/MOPB-19 ext/filter Space Trimming Buffer Underflow Vuln.
+ - CVE-2007-1521/MOPB-22 session_regenerate_id() Double Free Vulnerability
+ - CVE-2007-1583/MOPB-26 mb_parse_str() register_globals Activation Vuln.
+ - CVE-2007-1700/MOPB-30 _SESSION unset() Vulnerability
+ - CVE-2007-1718/MOPB-34 mail() Header Injection
+ - CVE-2007-1777/MOPB-35 zip_entry_read() Integer Overflow Vulnerability
+ - CVE-2007-1887-1888/MOPB-41 sqlite_udf_decode_binary() Buffer Overflow
+ - CVE-2007-1824/MOPB-42 php_stream_filter_create() Off By One Vulnerablity
+ - CVE-2007-1889/MOPB-44 Memory Manager Signed Comparision Vulnerability
+ - CVE-2007-1900/MOPB-45 ext/filter Email Validation Vulnerability
+ * The other security issues resulting from the "Month of PHP bugs" either
+ did not affect the version of php5 shipped in unstable, or did not merit
+ a security update according to the established security policy for php
+ in debian. You are encouraged to verify that your configuration is not
+ affected by any of the other vulnerabilities by visiting:
+ http://www.php-security.org/
+ * other, less interesting changes:
+ - now use quilt for managing local patches.
+ - massage all of the patches, eliminating fuzz and offsets.
+
+ -- sean finney Mon, 23 Apr 2007 19:02:51 +0200
+
+php5 (5.2.0-10) unstable; urgency=high
+
+ [ sean finney ]
+ * The php security update contained a regression in the streams
+ module. this version contains an updated version of the patch
+ for CVE-2007-0906 (116-CVE-2007-0906_streams.patch), which should
+ fix the regression. Thanks to Martin Pitt for noticing this.
+ * Fix the patch names in the previous changelog entry, and fix a factual
+ inaccuracy that was accidentally pasted from the php4 changelog.
+ * The previous update was missing two fixes from CVE-2007-0906:
+ * interbase: (116-CVE-2007-0906_interbase.patch)
+ * zip: (116-CVE-2007-0906_zip.patch)
+
+ -- sean finney Wed, 07 Mar 2007 23:11:29 +0100
+
+php5 (5.2.0-9) unstable; urgency=high
+
+ [ sean finney ]
+ * The following security issues are addressed with this update:
+ - CVE-2007-0906: Multiple buffer overflows in various code:
+ * session (116-CVE-2007-0906_session.patch)
+ * imap (116-CVE-2007-0906_imap.patch)
+ * str_replace: (116-CVE-2007-0906_string.patch)
+ * the sqlite and mail related vulnerabilities in this CVE do not
+ affect the php5 source packages.
+ - CVE-2007-0907: sapi_header_op buffer underflow (116-CVE-2007-0907.patch)
+ - CVE-2007-0908: wddx information disclosure (116-CVE-2007-0908.patch)
+ - CVE-2007-0909: More buffer overflows:
+ * the odbc_result_all function (116-CVE-2007-0909_odbc.patch)
+ * various formatted print functions (116-CVE-2007-0909_print.patch)
+ - CVE-2007-0910: Clobbering of super-globals (116-CVE-2007-0910.patch)
+ - CVE-2007-0988: 64bit unserialize DoS (116-CVE-2007-0988.patch)
+ Closes: #410995.
+ * The package maintainers would like to thank Joe Orton from redhat and
+ Martin Pitt from ubuntu for their help in preparation of this update.
+ * backport upstream fix for AUTH PLAIN support in imap extension
+ Closes: #401712.
+
+ -- sean finney Sat, 03 Mar 2007 11:13:33 +0100
+
+php5 (5.2.0-8) unstable; urgency=high
+
+ [ sean finney ]
+ * Update package information to say simply "Apache 2" instead
+ of "Apache 2.0" (ref: #400306).
+ * Update package description for php-pear to mention needing
+ phpN-dev for building PECL extensions (closes: #401825).
+ * Add mention of Freetype fonts to php5-gd package description,
+ thanks to Ole Laursen for the suggestion (closes: #387881).
+ * Include a backported version of upstream's fix for
+ alignment calculatations which cause FTBFS problems for
+ some arches. Thanks to Roman Zippel for finding this (closes: #401129).
+ patch: 114-zend_alloc.c_m68k_alignment.patch
+ * Remove --enable-yp, as it's no longer used and seperately
+ packaged. Thanks to Martijn Grendelman for mentioning this
+ (closes: #402161).
+ * Add mention to README.Debian of needing to restart apache when
+ installing modules (closes: #392249).
+ * Don't strip the DSO modules if building with DEB_BUILD_OPTIONS
+ containing nostrip
+ * Backported a patch from upstream CVS to fix a rather nasty
+ memory leak in zend_alloc (closes: #402506).
+ patch: 115-zend_alloc.c_memleak.patch
+ * The memleak and FTBFS are targeted at etch, and there aren't
+ any other significant changes, so priority=high.
+
+ -- sean finney Sun, 17 Dec 2006 16:49:35 +0100
+
+php5 (5.2.0-7) unstable; urgency=high
+
+ [ Steve Langasek ]
+ * Also disable firebird in the PDO config for archs other than
+ i386/amd64.
+
+ -- sean finney Fri, 24 Nov 2006 15:20:53 +0100
+
+php5 (5.2.0-6) unstable; urgency=high
+
+ [ sean finney ]
+ * firebird2-dev (and thus php5-interbase) is only available on
+ i386/amd64, so update the control/rules information accordingly.
+ thanks to Bastian Blank for reporting this (closes: #399558).
+
+ -- sean finney Wed, 22 Nov 2006 19:04:04 +0100
+
+php5 (5.2.0-5) unstable; urgency=high
+
+ [ sean finney ]
+ * bring some of the mainline php4 modules back into the php source
+ package instead of distributing them in independant source packages:
+ - php5-imap
+ - php5-interbase
+ - php5-mcrypt
+ - php5-pspell
+ - php5-tidy
+ these modules are still provided in the same binary packages as
+ before, but will now be built in tandem with the core php packages.
+ * fix for pdo.so duplicate loading warnings, thanks to Jan Wagner
+ (closes: #398367, #399248).
+
+ -- sean finney Mon, 20 Nov 2006 12:41:37 +0100
+
+php5 (5.2.0-4) unstable; urgency=high
+
+ * Re-re-enable LFS support, forward-porting vorlon's fixes in
+ the php4 tree.
+ * Add a bit of support in upgrade scripts to avoid unnecessary
+ ucf prompting during upgrades (closes: #398363).
+ * Update build-dependencies to reflect that libpcre3-dev >= 6.6
+ is required. Thanks to Jan Wagner for pointing this out.
+ * loosen dependencys for libapache2-mod-php5 to allow usage with
+ apache2-mpm-itk as an alternative to prefork.
+ Closes: #398580, #398481.
+
+ -- sean finney Wed, 15 Nov 2006 08:33:28 +0100
+
+php5 (5.2.0-3) unstable; urgency=high
+
+ * Unify PHP options for pear binaries to:
+ -d output_buffering=1 -d open_basedir="" -d safe_mode=0 -d memory_limit="-1"
+ (Closes: #397625)
+ * [debian/rules]: Enable PDO building only in apache2 build.
+
+ -- Ondřej Surý Fri, 10 Nov 2006 14:09:00 +0100
+
+php5 (5.2.0-2) unstable; urgency=high
+
+ [ Ondřej Surý ]
+ * Revert Large File Support for this moment. We will try to found
+ root of the problem for etch, but we do not promise anything.
+ (Closes: #397465)
+
+ -- Ondřej Surý Wed, 8 Nov 2006 01:13:48 +0100
+
+php5 (5.2.0-1) unstable; urgency=high
+
+ [ sean finney ]
+ * new upstream release. since this means the 5.1 series is deadware
+ in the eyes of its developers, we better get on this train before
+ it's too late. Note: this also fixes the htmlentities() exploit.
+ Reference: CVE-2006-5465.
+ Closes: #396766.
+ * s/postinst/postrm/ on one critical line in debian/rules. whoops.
+ Thanks to Bart Martens for finding this (closes: #396873).
+ * as a pennance i've enabled LFS support (closes: #359686).
+ * new version now includes all mbstring headers (closes: #391368).
+ * enable new built-in zip support.
+ * enable pdo support for currently supported db types, and place the
+ extensions in the respective extension packages. future db
+ types will be added, but probably post-etch as they will probably
+ introduce new packages/dependencies (closes: #348882).
+ * move the mysqli module into the mysql module's package, and remove
+ the no longer necessary mysqli package.
+ * massaging/removal of various patches to upstream changes:
+ D patches/106-strptime_xopen.patch
+ D patches/110-CVE-2006-4812_zend_alloc.patch
+ M patches/006-debian_quirks.patch
+ D patches/111-mbstring-headers.patch
+ M patches/053-extension_api.patch
+
+ [ Ondřej Surý ]
+ * Package checked, upload to unstable.
+
+ -- Ondřej Surý Tue, 7 Nov 2006 09:26:51 +0100
+
+php5 (5.1.6-6) unstable; urgency=high
+
+ [ sean finney ]
+ * add notes to php.ini(-dist) about "unsupported" security features.
+ patch: 113-php.ini_securitynotes.patch
+
+ [ Ondřej Surý ]
+ * SECURITY: include patch for html buffer overflows in ext/standard/html.c
+ Reference: CVE-2006-5465
+ Patch: 114-CVE-2006-5465_htmlentities.patch
+ Closes: #396766
+
+ -- Ondřej Surý Fri, 3 Nov 2006 12:32:50 +0100
+
+php5 (5.1.6-5) unstable; urgency=high
+
+ [sean finney]
+ * add a README.Debian.security to clarify how we handle/respond
+ to security problems in stable releases.
+ * SECURITY: include patch for integer overflow in zend_alloc.c.
+ Reference: CVE-2006-04812 (closes: #391586).
+ patch: 110-CVE-2006-4812_zend_alloc.patch
+ * bump the debhelper compatibility level to 4.
+ * remove cyclic depends for mysql/mysqli.
+ * the long overdue rework of configuration file handling. this also
+ removes the need for debconf and template translations
+ (closes: #361211, #393788, #388697).
+ * start using ucf to manage the the various SAPI php.ini files.
+ * cleanup and consolidation of a few things in the ./debian dir
+ * bump the memory limit to 32M for the cli API (closes: #375070, #340586).
+ * include a fix for missing mbstring headers reported by Jan Wagner
+ (closes: #391368).
+ patch: 111-mbstring-headers.patch.
+ * include support for PTY's in proc_open, as reported by Eike Dehling.
+ according to php's BTS (http://bugs.php.net/bug.php?id=39224) the
+ feature was disabled only because the configure script couldn't
+ accurately determine whether the feature was available, and we know
+ it is :) (closes: #381438).
+ patch: 112-proc_open.patch.
+ * update standards-version to 3.7.2
+
+ -- sean finney Sat, 28 Oct 2006 14:29:44 +0200
+
+php5 (5.1.6-4) unstable; urgency=high
+
+ [sean finney]
+ * no longer build against GPL'd gdbm library (closes: #390452).
+ * updated apache2 module dependencies to build against and coexist
+ with apache2.2 (closes: #390455).
+
+ -- sean finney Sat, 07 Oct 2006 12:06:09 +0200
+
+php5 (5.1.6-3) unstable; urgency=low
+
+ [ sean finney ]
+ * php5 was building against db4.3 even though db4.4 headers were
+ installed. fix applied to ./ext/dba/config.m4 while we wait
+ for a real fix from upstream (closes: #388601).
+
+ -- sean finney Mon, 02 Oct 2006 17:42:50 +0200
+
+php5 (5.1.6-2) unstable; urgency=low
+
+ [ sean finney ]
+ * enable the mysqli extension (closes: #320835).
+
+ -- sean finney Tue, 19 Sep 2006 19:31:27 +0200
+
+php5 (5.1.6-1) unstable; urgency=high
+
+ [ Adam Conrad ]
+ * Drop 041-shut_up_snmp.patch, which was no longer needed as of 5.1.0.
+
+ [ Ondřej Surý ]
+ * Acknowledge NMU.
+ * New upstream release (Closes: #383596)
+ - Added missing safe_mode/open_basedir checks inside the error_log(),
+ file_exists(), imap_open() and imap_reopen() functions.
+ - Fixed overflows inside str_repeat() and wordwrap() functions on 64bit
+ systems.
+ - Fixed possible open_basedir/safe_mode bypass in cURL extension and
+ with realpath cache. (CVE-2006-2563) (Closes: #370165)
+ - Fixed overflow in GD extension on invalid GIF images.
+ - Fixed a buffer overflow inside sscanf() function. (CVE-2006-4020)
+ (Closes: #382256)
+ - Fixed an out of bounds read inside stripos() function.
+ - Fixed memory_limit restriction on 64 bit system (really with 5.1.6).
+ * Bump libdb build-dep from libdb4.3 to libdb4.4, to match with apache.
+
+ -- Ondřej Surý Sat, 19 Aug 2006 14:41:43 +0200
+
+php5 (5.1.4-0.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * New upstream release. (Closes: #366109)
+ * Fixes information leak in html_entity_decode() (CVE-2006-1490).
+ (Closes: #359907)
+ * Fixes phpinfo() XSS (CVE-2006-0996). (Closes: #361914)
+ * Fixes copy() safe mode bypass (CVE-2006-1608). (Closes: #361915)
+ * Fixes tempnam() open_basedir bypass (CVE-2006-1494). (Closes: #361916)
+ * Fixes wordwrap() buffer overflow (CVE-2006-1990). (Closes: #365312)
+ * Fixes substr_compare() DoS condition (CVE-2006-1991).
+ * Fixes crash during too deep recursion (CVE-2006-1549). (Closes: #361917)
+ * Fixes injection in mb_send_mail() (CVE-2006-1014, CVE-2006-1015); not
+ mentioned in upstream changelog. (Closes: #368595)
+ * 044-strtod_arm_fix.patch: Adapted for new upstream; pulled in from
+ Piotr Roszatycki's packages.
+ * 108-64bit_datetime.patch: Patch to fix possible segfault on systems where
+ sizeof(void*) > sizeof(int); patch from David Mosberger-Tang.
+
+ -- Steinar H. Gunderson Tue, 13 Jun 2006 22:38:33 +0200
+
+php5 (5.1.2-1) unstable; urgency=low
+
+ * New upstream bugfix and security update release (closes: #347894)
+ - Fixes multiple cross-site-scripting vulnerabilities; CVE-2006-0208
+ - Resolves multiple HTTP response splitting vulnerabilities, allowing
+ arbitrary header injection via Set-Cookie headers; see CVE-2006-0207
+ - While we don't currently build it, this release also fixes a format
+ string vulnerability in the mysqli extension; see CVE-2006-0200
+ - Includes a new version of the PEAR installer that seems to have a
+ slightly better clue about the difference between INSTALL_ROOT and
+ PHP_PEAR_INSTALL_DIR, fixing pear.conf (closes: #346479, #346501)
+ * While the above is partially true, the PEAR installer is still a bit
+ broken (it won't install correctly under fakeroot anymore, YAY), so
+ shuffle debian/rules to have a build-pear-stamp target, as a stopgap.
+ * Add 106-strptime_xopen.patch, moving the _XOPEN_SOURCE definition down
+ in ext/standard/datetime.c, below the php.h include (closes: #346550)
+ * Add 107-reflection_is_ext.patch, munging ext/reflection/config.m4 to
+ properly call the PHP_ARG_ENABLE macro for an extension, not built-in.
+ * Stop php-pear from Replacing and Conflicting with php-html-template-it,
+ as we only now ship the bare essential to make the pear installer go.
+
+ -- Adam Conrad Mon, 16 Jan 2006 16:12:31 +1100
+
+php5 (5.1.1-1) unstable; urgency=low
+
+ * New upstream bugfix release, skipping the problematic 5.1.0 release:
+ - Fixes a zend.ze1_compatibility_mode segfault (closes: #333374)
+ - Remove libtool patch from acinclude.m4, now integrated upstream.
+ - Remove 038-round_test_fix.patch, now integrated upstream.
+ - Remove 049-exported-headers.patch, as upstream's build system has
+ gotten more clever about what they should and shouldn't export.
+ - Remove 054-open_basedir_slash.patch, now integrated upstream.
+ - Remove 055-gd_safe_mode_checks.patch, fixed differently upstream.
+ - Mangle 101-sqlite_is_shared.patch, to deal with upstream changes.
+ - Remove 104-64_bit_serialize.patch, now integrated upstream.
+ - Remove 105-64_bit_imagettftext.patch, now integrated upstream.
+ * Many security vulnerabilities fixed (closes: #341368, #336005, #336654):
+ - Resolves a local denial of service in the apache2 SAPI, which can
+ be triggered by using session.save_path in .htaccess; CVE-2005-3319
+ - Resolves an infinite loop in the exif_read_data function which can
+ be triggered with a specially-crafted JPEG image; CVE-2005-3353
+ - Resolves a vulnerability in the parse_str function whereby a remote
+ attacker can fool PHP into turning on register_globals, thus making
+ applications vulnerable to global variable injections; CVE-2005-3389
+ - Resolves a vulnerability in the RFC1867 file upload feature where, if
+ register_globals is enabled, a remote attacker can modify the GLOBALS
+ array with a multipart/form-data POST request; see CVE-2005-3390
+ - Resolves numerous safe_mode and open_basedir bypasses; CVE-2005-3391
+ - Resolves INI settings leaks in the apache2 SAPI, leading to safe_mode
+ and open_basedir bypasses between virtual hosts; CVE-2005-3392
+ - Resolves a CRLF injection vulnerability in the mb_send_mail function,
+ allowing injection of arbitrary mail headers; see CVE-2005-3883
+ - Includes PEAR 1.4.5, resolving a vulnerability in the pear installer
+ which could lead to arbitrary code execution; see CVE-2005-4154
+ * Bump libdb build-dep from libdb4.2 to libdb4.3, to match with apache.
+ * Bump our MySQL build-dep to 5.0's libmysqlclient15-dev (closes: #343793)
+ * Automate the process of getting the list of built-in modules into the
+ package descriptions, so it stays fresh in the future (closes: #341867)
+ * Intentionally disable PDO support until I've sorted out the best way to
+ deal with shipping this shiny new feature that won't break the world.
+ * The new PEAR happens to fix the Command.php greedy match bug filed in
+ Debian as part of the fix for the wider security issue (closes: #334969)
+ * Create 056-mime_magic_strings.patch, making the mime_magic extension
+ more liberal about what mime-types is accepts, as well as making it skip
+ over ones it dislikes, rather than disabling itself (closes: #335674)
+ * Add 057-no_apache_installed.patch, to stop spewing a mess of errors in
+ configure because we don't have the apache binaries in the build chroot.
+ * Fix small typo in the php5-xsl package description (closes: #344816)
+
+ -- Adam Conrad Thu, 15 Dec 2005 14:46:56 +1100
+
+php5 (5.0.5-3) unstable; urgency=low
+
+ * Build-Depend on libcurl3-openssl-dev, since libcurl3-dev is going away
+ soon. Keep libcurl3-dev as an alternate for backporting (see: #334367)
+ * Switch from libmysqlclient12 to libmysqlclient14; this puts us on the
+ *other* side of the line regarding which combinations of DSOs cause
+ segfaults, so hopefully the others catch up with us soon (closes: #332453)
+ * Look for magic.mime in /usr/share/file now instead of /usr/share/misc/file,
+ as the path has been changed to comply with the FHS (see: #334510)
+ * Make the above backportable as well, by searching for both files, and
+ picking the one that's currently installed on the user's system.
+ * Include swedish debconf translation from Daniel Nylander (closes: #330763)
+ * Make pear use '/usr/bin/php' instead of just 'php' to make sure we don't
+ get some random binary on $PATH that won't work right (closes: #329415)
+ * Set PHP_PEAR_SIG_BIN to /usr/bin/gpg, and have php-pear Recommends: gnupg
+
+ -- Adam Conrad Fri, 21 Oct 2005 02:30:19 +1000
+
+php5 (5.0.5-2) unstable; urgency=medium
+
+ * Remove Andres Salomon from the Uploaders field, at his request. Thanks
+ for all your work on the PHP packages, Andres, now fix our kernel bugs.
+ * Add 054-open_basedir_slash.patch, which fixes a bug where if open_basedir
+ is set to "/foo/", users can access files in "/foobar/", which is not the
+ documented behaviour; this addresses CAN-2005-3054 (see: #323585)
+ * Add 104-64_bit_serialize.patch from Joe Orton, resolving a segfault when
+ serializing objects on all 64-bit architectures (closes: #329768)
+ * Add 105-64_bit_imagettftext.patch, fixing a type mismatch in the GD
+ extension, causing memory corruption on 64-bit arches (closes: #331001)
+ * Add 055-gd_safe_mode_checks.patch from PHP CVS, adding missing safe_mode
+ checks to the _php_image_output and _php_image_output_ctx GD functions.
+ * Make php-pear Provide, Replace, and Conflict php-html-template-it, which
+ we appear to have absorbed into the main PEAR packaging (closes: #332393)
+
+ -- Adam Conrad Tue, 27 Sep 2005 16:09:29 +1000
+
+php5 (5.0.5-1) unstable; urgency=low
+
+ * New upstream release, adjust patch offsets and fuzz, and drop patches:
+ - Drop 009-snmp-int-sizes.patch, finally fixed upstream.
+ - Drop 051-gcc-4.0.patch, fixed differently upstream.
+ - Drop 102-php_streams.patch, fixed upstream.
+ - Drop 103-catch_segv.patch, also fixed upstream.
+ - Includes PEAR XML_RPC fix for CAN-2005-2498.
+ - Includes phpinfo() XSS fix for CVE-2005-3388.
+ * Distribute the shiny new manpages for php-config and phpize.
+
+ -- Adam Conrad Mon, 12 Sep 2005 02:29:24 +1000
+
+php5 (5.0.4-4) unstable; urgency=low
+
+ * Ondřej Surý :
+ - Add patch from CVS to fix regression in PHP 5.0.4, where file related
+ functions all stop reading at 2,000,000 bytes (closes: #321930)
+ * Adam Conrad :
+ - Enable support for gdbm files in the dba handler; half the base system
+ already appears to depend on libgdm, so we can't make things worse.
+ - Add another patch from CVS to fix a segfault in the catch/throw
+ handler under interesting nesting cases (closes: #322507)
+ - Rebuild against libsnmp9-dev for new libsnmp SOVER (closes: #327107)
+
+ -- Adam Conrad Thu, 8 Sep 2005 00:36:36 +1000
+
+php5 (5.0.4-3) unstable; urgency=low
+
+ * And fix the module/extension API situation one last time, this time
+ we read ZEND_EXTENSION_API_NO, ZEND_MODULE_API_NO, and PHP_API_VERSION,
+ pick the most recent of the three, assume things broke in ways we're
+ not willing to cope with, and both change the extension directory to
+ use that value, as well as setting it to the provides/depends for the
+ various SAPI and extension packages.
+ * Add a new option to php-config, 'php-config --phpapi', which extension
+ packagers should now be using to get the current phpapi they're building
+ against and set their dependencies accordingly.
+ * Strip the -gnu off the end of the DEB_*_* variables and drop the
+ versioned dpkg-dev build-dep to ease backporting to sarge and hoary;
+ doing so in such a way as to still allow for easy cross-compiling.
+ * Add postgresql-dev build-dep alternate for easy hoary/sarge backports.
+ * Make libapache2-mod-php5 the default alternate dependency for the php5
+ metapackage, since we really do want to encourage the apache upgrade.
+ * Make php5-dev stop shipping copies of files from autotools-dev, shtool,
+ and libtool, and instead symlink to them and depend on those packages,
+ thus avoiding the shtool issues from CAN-2005-1751 and CAN-2005-1759.
+
+ -- Adam Conrad Sun, 31 Jul 2005 03:05:08 +1000
+
+php5 (5.0.4-2) unstable; urgency=low
+
+ * We now have a mailing list. Set the maintainer to the list, and move
+ myself to Uploaders where, apparently, I belong.
+ * Use ZEND_MODULE_API_NO rather than PHP_API_VERSION for extension deps,
+ as recent upstream ABI breakage in 4.4.0 leads me to believe this is
+ the only constant they actually bother to update on ABI changes.
+ * Bring back some concflicts that went missing (libapache-mod-php5 needs
+ to conflict with libapache-mod-php4 and older versions of php4, while
+ the two libapache2-mod-php[45] modules also need to conflict).
+ * Adjust debian/watch to not match on upstream's alpha/beta/rc releases.
+
+ -- Adam Conrad Wed, 27 Jul 2005 22:30:42 +1000
+
+php5 (5.0.4-1) unstable; urgency=low
+
+ * Initial PHP5 release; packaging forked from php4 4:4.3.11-1.
+ - Closes: #262977, #293832
+ * Ondrej Sury :
+ - Removed some obsolete cruft, since there wasn't any previous php5
+ packages there is no need, to check /usr/share/doc/*, etc.
+ - Removed apache2 IfModule hack, it's been fixed in php5.
+ - Updated patches to php5, removing those which are obsolete.
+ - Changes xslt extension to xsl (using libxslt).
+ - Updated debian/* including changelog.
+ - Raised update-alternatives priority to 50.
+ * Adam Conrad :
+ - Merged with php4 4:4.4.0-1 packaging.
+ - Re-roll upstream tarball to include PEAR::XML_RPC 1.3.3, which
+ includes a security fix for CVE CAN-2005-1921.
+ - Bump to Standards-Version 3.6.2, with no source changes.
+ - Stop distributing the phpextdist binary, as upstream has stopped.
+ - Drop the ext_skel binary and skeleton dir from php5-dev, as it has
+ been deemed obsolete upstream and the version in the tarball is not
+ considered useful anymore. PEAR::PECL_Gen upstream will replace it.
+ - Fix longstanding broken shebang lines in debconf config scripts.
+ - Remove lintian overrides for modules; lintian no longer complains
+ about missing shlibs for libraries outside the linker path.
+ - Add a linda override for the non-standard directory permissions on
+ /var/lib/php5 in php5-common.
+ - Rename php5-pear to php-pear, have it replace php4-pear, and depend
+ on php5-cli OR php4-cli; make sure it works with both.
+ - Compile in SOAP extension (closes: #307580)
+ - Enable SQLite extension as shared, make the xmlrpc extension shared.
+ - Enabled the pgsql extension, and disabled the imap extension (which
+ will be moving to another source package and become the example
+ package for out-of-tree builds).
+
+ -- Adam Conrad Sat, 16 Jul 2005 23:42:36 +1000
+
+php4 (4:4.3.11-1) unstable; urgency=low
+
+ * New upstream release (closes: #304052)
+ - Drop CVS patches, we're back in step with upstream versions.
+ - Remove 048-x509_multiple_orgUnits.patch, incorporated in 4.3.11.
+ - Remove 050-4.3.11_file_copy_fix.patch, incorporated in 4.3.11.
+ - Remove 040-curl_open_basedir.patch, as upstream has solved this
+ in a different fashion.
+ - Adjust patches for offset and fuzz.
+ - Remove bits from debian/rules dealing with the DB PEAR extension,
+ since it's no longer shipped in the php4-pear package.
+ * Rebuild against newer version of freetds library (closes: #317369)
+ * Add 052-phpinfo_no_configure.patch, which disables the display of our
+ "Configure Command" in phpinfo(), which was the source of many bogus
+ bug reports over the years, due to people misinterpreting its meaning.
+ * New translations to Vietnamese and Russian (closes: #316821, #310199)
+ - vi.po contributed by Clytie Siddall
+ - ru.po contributed by Yuriy Talakan'
+ * Mention FastCGI in the description of php4-cgi (closes: #310810)
+
+ -- Adam Conrad Mon, 4 Jul 2005 17:47:32 +1000
+
+php4 (4:4.3.10-15) unstable; urgency=low
+
+ * Bring back the shipping of /usr/share/doc symlinks in our packages,
+ as this, in concert with moving the migration detection from preinst
+ to postinst (which was done in the last upload), seems to give us the
+ sanest upgrade path. Thanks to Steve Langasek for smacking me around
+ with unpack/upgrade scenarios for a while to convince me of this.
+
+ -- Adam Conrad Mon, 9 May 2005 02:13:19 -0600
+
+php4 (4:4.3.10-14) unstable; urgency=high
+
+ * Revert the directory->symlink magic to work how it used to, since the
+ new behaviour broke hideously on upgrades from Woody, causing certain
+ files (like the changelog) to mysteriously go missing (closes: #307591)
+ * Move our template php.ini to /usr/share/php4, so we stop violating
+ policy by using files from /usr/share/doc (as seen in #307591)
+ * Remove 'readline' from the php4-cli package description, since we don't
+ actually build with readline support enabled anymore (closes: #306571)
+
+ -- Adam Conrad Wed, 4 May 2005 01:48:19 -0600
+
+php4 (4:4.3.10-13) unstable; urgency=low
+
+ * Update email address for Andres Salomon
+ * Add Portuguese translation from Miguel Figueiredo (closes: #305038)
+ * Include 051-gcc-4.0.patch, which resolves a build failure in
+ libxmlrpc (from the xmlrpc extension) with gcc-4.0 (closes: #287956)
+
+ -- Adam Conrad Mon, 18 Apr 2005 00:29:54 -0600
+
+php4 (4:4.3.10-12) unstable; urgency=low
+
+ * Add 050-4.3.11_file_copy_fix.patch, which reverts a broken 'fix'
+ made to the copy() function, causing it to fail in particularly
+ spectacular ways when used on remote files (closes: #304601)
+ * Use -g instead of -gstabs on powerpc64-linux (closes: #301571)
+
+ -- Adam Conrad Thu, 14 Apr 2005 03:53:27 -0600
+
+php4 (4:4.3.10-11) unstable; urgency=medium
+
+ * Address an FTBFS waiting to happen in the php4-dev package:
+ - Remove Win32 and Netware specific headers.
+ - Stop shipping php4-pgsql headers.
+ - Stop shipping the expat headers, since we don't even
+ use the bundled expat library.
+ - Make php4-dev depend on libssl-dev, since it wants to include
+ ssl.h when you use it to build network-using extensions.
+ * Stop building extensions twice; we don't need two copies.
+
+ -- Adam Conrad Tue, 12 Apr 2005 03:14:03 -0600
+
+php4 (4:4.3.10-10) unstable; urgency=low
+
+ * Update to 200503131325 CVS (AKA: 4.3.11RC1), fixing several bugs
+ including a segfault in mysql_fetch_field() (closes: #299608)
+ * Remove 042-remove_windows_paths.patch, incorporated upstream.
+ * Add 048-x509_multiple_orgUnits.patch to bring the openssl extension
+ in line with the upcoming 4.3.11 behaviour of listing multiple
+ Organisational Units in an x509 cert as an array, rather than only
+ listing the last in the list.
+ * After much talk with upstream, revert the ZTS changes. We are no
+ longer building a thread-safe PHP. (closes: #299820, #297223, #297679)
+ * ZTS was breaking file search paths, leading to errors loading files
+ from the cwd (closes: #298282, #298518, #299089, #299356)
+ * Stop building caudium-php4 (closes: #294718, #297702, #295100)
+ - We can't link against the GPL pike7.2, which we've been doing. Oops.
+ - Even if the above weren't true, upstream has insisted that ZTS is a
+ horribly broken solution, slated for eventual removal, and should
+ never, ever be used. In light of that, caudium users should instead
+ use php4-cgi, either as a plain CGI, or as a FastCGI backend.
+ - Not even attempting to provide an upgrade path, as it would be
+ needlessly complex, and caudium-php4 in previous stable releases
+ was nothing more than a useless toy, given that it had nearly no
+ useful extensions built-in or supported.
+ * Rewrite 041-shut_up_snmp.patch to take a different approach, this time
+ regrettably reverting a fix for a memory leak, in the name of making
+ things work properly, including squashing the putenv() intecaction
+ bug between PHP and other apache modules (closes: #298511, #300628)
+ * On sidegrades from distributions where different modules may be built
+ from their own source, and thus have their own doc directories, bad
+ things happen when we try to replace those with symlinks, so now we
+ check for this in preinst, and fix stuff up magically to Just Work.
+ * Add Jeroen van Wolffelaar to Uploaders.
+ * Fix up modules regexes to use "\.so" instead of ".so" (cf: #300998)
+
+ -- Adam Conrad Wed, 16 Mar 2005 22:46:05 -0700
+
+php4 (4:4.3.10-9) unstable; urgency=low
+
+ * Update 040-curl_open_basedir.patch once more to make sure it doesn't
+ segfault when fed a null or uninitialised URL (closes: #295447)
+ * Add 047-zts_with_dl.patch, courtesy of Steve Langasek to re-enable the
+ dl() function in our builds, despite upstream's claim that it "might
+ not be threadsafe on all platforms"; it is on ours (closes: #297839)
+ * Make the php4-dev binaries versioned with alternatives (closes: #295903)
+ * Update build-deps to libmysqlclient12-dev (closes: #290989, #227549)
+
+ -- Adam Conrad Sun, 6 Mar 2005 07:30:35 -0700
+
+php4 (4:4.3.10-8) unstable; urgency=high
+
+ * Add 046-zend_plist_buggery.patch which unrolls the changes made to
+ zend.c in CVS post-4.3.10. The memory leaks fixed by these changes
+ seem to not have been hurting us terribly so far, while the "fix"
+ (breaking persistent lists) was, uhm, bad (closes: #295998, #296694)
+ * Revise 041-shut_up_snmp.patch to call init_snmp with 'snmpapp' as the
+ appname, rather than 'php', to maintain backward compatibility, and to
+ wrap our setenv/unsetenv magic only around snmp_shutdown, which seems to
+ solve a segfault when php4-snmp is loaded with mod_perl (closes: #296282)
+ * Fix 042-remove_windows_paths.patch to catch both cases where windows
+ path stripping should occur (closes: #296406)
+
+ -- Adam Conrad Tue, 22 Feb 2005 07:49:32 -0700
+
+php4 (4:4.3.10-7) unstable; urgency=high
+
+ * Rewrite 040-curl_open_basedir.patch, so it now does what it's supposed
+ to (addressing CAN-2004-1392) and no longer segfaults (closes: #295447)
+
+ -- Adam Conrad Thu, 17 Feb 2005 00:06:36 -0700
+
+php4 (4:4.3.10-6) unstable; urgency=high
+
+ * Add 044-strtod_arm_fix.patch to fix the FPU confusion FTBFS on arm.
+ * Add 045-exif_nesting_level.patch to bump the exif header parsing max
+ nesting level to something that actually works with most JPEG images.
+
+ -- Adam Conrad Mon, 14 Feb 2005 16:04:28 -0700
+
+php4 (4:4.3.10-5) unstable; urgency=low
+
+ * Add 043-recode_size_t.patch to fix 32/64-bit issues causing the recode
+ extension to segfault on alpha/amd64/ia64 (closes: #294986)
+ * Move the ./buildconf stuff in the unpatch target inside the test
+ for patch-stamp, as it's uselss unless we're unpatching.
+
+ -- Adam Conrad Sun, 13 Feb 2005 19:09:39 -0700
+
+php4 (4:4.3.10-4) unstable; urgency=medium
+
+ * Make php4-dev arch:any, as it contains some arch-specific defines.
+ * Add 042-remove_windows_paths.patch, a patch to rfc1867.c to strip Windows
+ paths from uploaded filenames, like it used to. (closes: #294305)
+ * Fix up caudium description to reflect the fact that caudium it is no
+ longer restricted from sharing extensions with other SAPIs.
+ * Build-dep on apache2-threaded-dev (>= 2.0.53-3) to make sure we
+ get a version with non-broken headers.
+
+ -- Adam Conrad Wed, 9 Feb 2005 11:52:10 -0700
+
+php4 (4:4.3.10-3) unstable; urgency=medium
+
+ * Update to CVS, as of 200502060530 (closes: #288672)
+ - Fixes two vulnerabilities in exif.c, CAN-2005-1042 and CAN-2005-1043
+ - Fixes two vulnerabilities in image.c, CAN-2005-0524 and CAN-2005-0525
+ - File uploads with "'" in them aren't cut off anymore (closes: #288679)
+ - unserialize() is no longer ridiculously slow (closes: #291392)
+ - Add 000-200502060530_CVS.patch
+ - Adapt debian/rules to the realities of upstream's new buildconf
+ - Add 033-we_WANT_libtool.patch, to force relibtoolizing with Debian's
+ libtool, rather than using upstream's broken bundled libtool
+ - Drop 031_zend_strtod_1.1.2.10.patch and 032_zend_strtod_debian.patch
+ - Adjust patches for offsets and fuzz
+ - Force --with-pic, as policy demands it, and the build system doesn't
+ * Added several patches, yanked from the Fedora PHP sources:
+ - 034-apache2_umask_fix.patch, fixes umask not being properly reset
+ after each request (closes: #286225)
+ - 036-fd_setsize_fix.patch, fixes misuse of FD_SET()
+ - 038-round_test_fix.patch, makes the rounding test work on gcc-3.3
+ * Removed --with-libedit, as being able to background php is more useful,
+ in my opinion, than using readline functions (see #286356)
+ * Include zip support in all SAPIs (closes: #288534, #288909)
+ * Enable Zend Thread Safety for all SAPIs, meaning that our modules
+ are now compiled for ZTS APIs as well. (closes: #278212, #264015)
+ - Make sure caudium-php4 now provides phpapi-$(ver), and modules can
+ be configured with the caudium SAPI.
+ - Add 039-reentrant_libs.patch to link to the reentrant versions of
+ libldap and libmysqlclient
+ * Stop suggesting phpdoc, as it's undistributable anyway.
+ * Add 040-curl_open_basedir.patch, to make php4-curl respect the value
+ of open_basedir, thanks to Martin Pitt (closes: #291410)
+ * Add 041-shut_up_snmp.patch, to prevent libsnmp5 from attempting (and
+ failing) to write persistent data every time it shuts down. Ugh.
+
+ -- Adam Conrad Sun, 6 Feb 2005 05:32:11 -0700
+
+php4 (4:4.3.10-2) unstable; urgency=high
+
+ * Patch Zend/zend_strtod.c twice:
+ - Patch from upstream CVS to fix FTBFS on Sparc/Linux systems
+ - Patch from me to fix FTBFS on __mc68000__, __ia64__, and __s390__
+
+ -- Adam Conrad Sat, 18 Dec 2004 19:35:30 -0700
+
+php4 (4:4.3.10-1) unstable; urgency=high
+
+ * New upstream release, including the following security fixes:
+ - CAN-2004-1018 - shmop_write() out of bounds memory write access.
+ - CAN-2004-1018 - integer overflow/underflow in pack() and unpack()
+ functions.
+ - CAN-2004-1019 - possible information disclosure, double free and
+ negative reference index array underflow in deserialization code.
+ - CAN-2004-1020 - addslashes() not escaping \0 correctly.
+ - CAN-2004-1063 - safe_mode execution directory bypass.
+ - CAN-2004-1064 - arbitrary file access through path truncation.
+ - CAN-2004-1065 - exif_read_data() overflow on long sectionname.
+ - magic_quotes_gpc could lead to one level directory traversal with
+ file uploads.
+ * Adjust patch offsets for new upstream, fix 013-force_getaddrinfo.patch
+ to match with new configure.in and drop 026-4.3.10_session_fixes.patch
+ which is included in 4.3.10.
+
+ -- Adam Conrad Wed, 15 Dec 2004 17:17:40 -0700
+
+php4 (4:4.3.9-2) unstable; urgency=low
+
+ * Adam Conrad :
+ - Add -fno-strict-aliasing to CFLAGS, as the (several thousand)
+ warnings I'm getting from GCC are frightening me a tad.
+ - Remove the php-cgi alternative in php4-cgi's prerm, to avoid
+ leaving dangling symlinks (closes: #275962, #282315)
+ - Include 030-imap_getacl.patch, adding the imap_getacl() function
+ required by the GOsa project (closes: #282484)
+ - Include php.ini-paranoid in doc/examples, provided and maintained
+ by Javier Fernández-Sanguino Peña (closes: #274374)
+ - Make /cgi-bin/php4 an alternative for /cgi-bin/php (closes: #282464)
+ - Remove obsolete info from README.Debian relating to session_mm,
+ since we stopped building with libmm a while back.
+ - Reintroduce /usr/lib/php4/libexec that went missing in a previous
+ upload, since the build uses it as the default safe_mode exec dir.
+ * Andres Salomon :
+ - Add patch to include gd headers in php4-dev, as some PECL modules
+ (notably, pdflib) expect it; 028-export_gd_headers.patch.
+ - Lintian fix: Add missing #DEBHELPER# token to php4-common.postrm.
+
+ -- Adam Conrad Wed, 01 Dec 2004 18:48:13 -0700
+
+php4 (4:4.3.9-1) unstable; urgency=high
+
+ * New upstream release, removed the following patches fixed upstream:
+ 014-apache2handler_CVS_fixes.patch, 015-gdNewDynamicCtx_Add_Ex.patch,
+ 018-unix_socket_fd_leak.patch, 020-4.3.9_overflow_fixes.patch,
+ 021-4.3.9_sybase_ct_fixes.patch, 022-4.3.9_sprintf_fixes.patch,
+ 023-4.3.9_array_fixes.patch, 024-4.3.9_glob_fix.patch,
+ and 025-4.3.9_domxml_segfaults.patch
+ * Resolves undiscolsed vulnerabilities in GPC processing and rfc1867
+ handling of file uploads via the $_FILES array; these have since
+ been assigned CVE CAN-2004-0958 and CAN-2004-0959 (closes: #274206)
+ * After some fairly heavy testing from several users and developers,
+ finally update php4-snmp to use libsnmp5 (closes: #195929)
+ * Add 026-4.3.10_session_fixes.patch from CVS, which prevents PHP
+ from segfaulting when a nonexistant or unsupported save_handler or
+ serialize_handler is specified in php.ini.
+ * Add /etc/apache/conf.d/php4.conf, setting up our mime-types, on the
+ off chance that the user's /etc/mime.types is broken (closes: #271171)
+ * Reintroduce a CGI binary at /usr/bin/php4-cgi, so people who can't
+ make use of the --force-cgi-redirect CGI binary in /usr/lib/cgi-bin
+ can instead use #!/usr/bin/php4-cgi scripts (closes: #273143)
+ * Enable FastCGI for both CGI binaries, now that it no longer conflicts
+ with, but rather complements, the CGI SAPI (closes: #233849)
+ * Bump libgd2 build-dep a notch to make sure we build against a version
+ that actually has XPM support built in (closes: #270435)
+ * Finally drop the bogus libapache-mod-ssl dependency from the apache1.3
+ php4 module, as glibc (>= 2.3.2.ds1-17) has fixed the dlopen refcount
+ bug that we were hacking around (closes: #205553, #230956, #271000)
+ * Remove the mm session handler from the apache1.3 build. Since the
+ files handler now works on all arches, and is configured to be secure
+ by default, mm seems to have outlived its usefulness.
+ (closes: #119902, #149430, #166811, #272463, #232840)
+ * Rename sapi/apache2handler/sapi_apache2.c to mod_php4.c so that
+ directives aren't ambiguous between php4 and php5.
+ * Add Czech translation, thanks to Miroslav Kure (closes: #274038)
+ * Configure CLI with --with-libedit for readline support, and add
+ 027-readline_is_editline.patch, since Debian's libedit headers are
+ not installed in /usr/include/readline (closes: #274031)
+ * libcurl grew a new SONAME somewhere along the way, and upgrading
+ doesn't seem to cause regressions in php4-curl, so upgrade we shall,
+ changing build-deps accordingly (closes: #260389)
+
+ -- Adam Conrad Mon, 4 Oct 2004 22:57:37 -0600
+
+php4 (4:4.3.8-12) unstable; urgency=high
+
+ * On new php4-cli installations, if php4-cgi is installed, we copy its
+ php.ini as a starting reference, so that command line scripts that
+ used to work don't start mysteriously failing (closes: #270153)
+ * php4-common has grown a postrm script to make sure we completely
+ clean out and remove /var/lib/php4 during the purge phase.
+ * Optimize garbage collection cronjob to use 'xargs -r -0 rm', so we
+ aren't forking for every session file we delete (closes: #268918)
+
+ -- Adam Conrad Sun, 5 Sep 2004 19:17:42 -0600
+
+php4 (4:4.3.8-11) unstable; urgency=high
+
+ * Andres Salomon :
+ - Fix bashism in maxlifetime script (closes: #270015)
+ * Adam Conrad :
+ - Clarify setup instructions in README.Debian for using php4-cgi
+ with the apache and apache2 packages (closes: #228342, #228343)
+
+ -- Adam Conrad Sat, 04 Sep 2004 23:21:21 -0600
+
+php4 (4:4.3.8-10) unstable; urgency=high
+
+ * Andres Salomon :
+ - Change frequency of session file cleansing, based on the maximum value
+ of session.gc_maxlifetime from all php.ini files (closes: #269688).
+ - Update README.Debian to mention session cleaning cron job.
+ * Adam Conrad :
+ - Drop php4-cgi from the list of alternate dependencies for the php4
+ metpackage to smooth upgrades for woody users who have both php4 and
+ php4-cgi installed (closes: #269628, #269348, #269377)
+ - Fix cut-n-paste issue in php4-cli postinst (closes: #269466)
+ - Add 023-4.3.9_array_fixes.patch, which fixes problems with the
+ extract() function misbehaving with multiple element references.
+ - Add 024-4.3.9_glob_fix.patch to fix broken return values from glob()
+ when it succeeds with no matches (closes: #269287)
+ - Add 025-4.3.9_domxml_segfaults.patch, fixing segfaults in the domxml
+ extension when it shares memory space with other libxml2-using libs.
+ - Update the comments in php.ini to point out that, due to dilinger's
+ changes above, session.gc_maxlifetime is honoured by the gc cronjob.
+
+ -- Adam Conrad Fri, 03 Sep 2004 20:42:56 -0600
+
+php4 (4:4.3.8-9) unstable; urgency=high
+
+ * Re-introduce the changelog.Debian that went missing in the last
+ upload due to the php4-common move from arch:all to arch:any
+ * Clean up lintian warnings regarding scripts that weren't executable
+ and executables that weren't scripts.
+ * Add a lintian override for the non-standard-dir-perm of /var/lib/php4
+ * Update to Standards-Version 3.6.1 (no changes, other than the above)
+
+ -- Adam Conrad Thu, 26 Aug 2004 21:53:27 -0600
+
+php4 (4:4.3.8-8) unstable; urgency=low
+
+ * Default session.save_path is now compiled in to php4, allowing
+ us to, again, comment out the value in php.ini.
+ * Comment out session.gc_probability in the default php.ini, as we've
+ now compiled in a default of 0, allowing the cronjob to do the
+ garbage collection for us instead. (closes: #267720)
+ * Make the 5 SAPI postinsts smarter, allowing them to poke around in
+ people's configs and make sure that sessions won't be broken
+ after we upgraded them from a perfectly functional system.
+ * Add 022-4.3.9_sprintf_fixes.patch, fixing incorrect formatting of
+ floats with padding by sprintf().
+ * Make php4-common arch:any, and loosen up some of the other any->all
+ package dependencies to make sure binNMUs won't break.
+
+ -- Adam Conrad Tue, 24 Aug 2004 03:09:43 -0600
+
+php4 (4:4.3.8-7) unstable; urgency=high
+
+ * Back out LFS support AGAIN, as we're disabling LFS in apache2 for
+ the Sarge release. (closes: #266869)
+ * Add 021-4.3.9_sybase_ct_fixes.patch, backporting several fixes
+ for the sybase_ct extension from 4.3.9rc1.
+ * Tidy up descriptions a fair bit:
+ - Disambiguate short descriptions of SAPIs. (closes: #244571)
+ - Refresh the (now much longer) lists of built-in modules for each SAPI.
+ - Explain why caudium-php4 can't use any loadable extensions.
+ - Remove silly advertising blurb for Zend, since very few people are
+ still using php3, and those who are can't be convinced to upgrade
+ just by telling them "Hey, it's faster!".
+ - Add Homepage URI to each SAPI description.
+ - Fix typo in php4-domxml description. (closes: #146124)
+ * Make caudium-php4 provide php4-mysql and php4-pgsql, so it can be used
+ with packages that depend on something like "php4, php4-mysql".
+ * Enable --with-mime-magic and make sure all SAPIs depend on libmagic1
+ to pull in /usr/share/misc/file/magic.mime (closes: #175136)
+
+ -- Adam Conrad Thu, 19 Aug 2004 18:27:17 -0600
+
+php4 (4:4.3.8-6) unstable; urgency=high
+
+ * Add libgcrypt11-dev to the build-depends, as something seems to be
+ pulling it in and causing an FTBFS (closes: #265952)
+ * Add 020-4.3.9_overflow_fixes, backporting fix for integer overflows
+ in array_slice(), array_splice(), substr(), substr_replace(),
+ strspn() and strcspn().
+ * Bump the apache2 build-dep to (>= 2.0.50-9) to ensure we're building
+ against the new ABI-incompatble libapr0, which brings in proper
+ large file support. Bump the apache2 binary dependency as well.
+ (closes: #266210, #266192)
+ * Enable large file support on all SAPIs except for caudium, as I'm not
+ sure how caudium will react to the change, and I don't want to
+ destabilise anything just before release. This change has been
+ heavily tested with apache2/apache/cgi/cli, and all is well there.
+ * Re-enable 019-z_off_t_as_long.patch, which is needed to make sure
+ that LFS-enabled SAPIs can still use zlib file functions correctly.
+ * Rework the apache2 restarting logic to only restart apache2 if
+ apache2ctl configtest succeeds, otherwise kick out a warning to
+ the user. Even then, we run force-reload with ||true, in case
+ apache2 fails to start for other reasons (closes: #264958)
+ * Make php4-gd Provide php4-gd2, so packages which still depend on
+ php4-gd2 are installable (and so packaging frontends can take the
+ provides/conflicts/replaces hint and DTRT with it)
+ * Split php4-cgi to php4-cgi and php4-cli (closes: #227915)
+ - Add php4-cli to debian/control, replaces older php4-cgi versions
+ - php4-cgi depends on php4-cli for smooth transitions
+ - php4-pear now depends on php4-cli (closes: #243214, #221434)
+ - Add php4-cli to list of SAPIs configurable for modules
+ - Munge php.1 manpage to include -cli info
+ - Enable pcntl and ncurses in -cli (closes: #135861, #190947, #241806)
+ * Move all of php4's files to libapache-mod-php4, and make php4 a
+ metapackage that depends on libapache-mod-php4 | libapache2-mod-php4 |
+ php4-cgi | caudium-php4 (closes: #244573, #246654, #244571, #266517)
+ * Include skeleton directory in php4-dev (closes: #95832, #211338)
+ * Include php.ini-recommended in php4-common's examples (closes: #181396)
+ * Move /var/lib/php4 to php4-common and install a cronjob that cleans
+ out old sessions every 30 minutes (closes: #256831, #257111)
+ * Move the libapache-mod-ssl dependency from php4-imap to
+ libapache-mod-php4 to stop irritating users of other SAPIs
+ (closes: #240003, #246887, #263381)
+ * Compile pgsql and mysql support into the caudium SAPI, so it's
+ slightly less useless (closes: #181175)
+
+ -- Adam Conrad Sun, 15 Aug 2004 19:56:14 -0600
+
+php4 (4:4.3.8-5) unstable; urgency=low
+
+ * Build-depend on chrpath and use it to nuke rpath from modules
+ during the install target of debian/rules.
+ * Add 018-unix_socket_fd_leak.patch to get rid of UNIX socket file
+ descriptor leak on failed fsockopen() calls. (closes: #257269)
+ * It would seem that if we want LFS support, all SAPIs and all extensions
+ that do file access need to be built with LFS support, and since
+ apache2 currently doesn't have LFS, this presents a problem. As
+ such, I'm disabling LFS accross the board until apache2 supports it.
+ (closes: #263962)
+ * Add 019-z_off_t_as_long.patch, including local headers for zlib,
+ forcing off_t = long for gzip file functions, however disable it
+ for now, as we'll only need it if we reenable LFS (closes: #208608)
+ * Add the Debian package revision as EXTRAVERSION to PHP, so one can
+ more easily tell what version is currently running (for instance,
+ if a user fails to restart Apache after an upgrade of php4, this
+ would become obvious to them in the version banner and in phpinfo()
+ * Fixed up debian/patches, adjusting offsets and adding newlines,
+ so patch stops complaining and applies them cleanly.
+ * libapache2-mod-php4 postinst now forces a reload of apache2, which
+ should get the module properly working in all cases where people
+ previously thought 'apachectl graceful' would cut it.
+ (closes: #241352, #263424, #228343)
+ * debian/rules explicitly sets PROG_SENDMAIL during configure so
+ that builds on buildds with no sendmail installed don't get the
+ mail() function disabled. (closes: #180734)
+ * Enable XMLRPC-EPI support for all SAPIs (closes: #228825, #249368)
+ * Enable sysvmsg support for all SAPIs (closes: #236190)
+ * Enable dbx support for all SAPIs (closes: #229508, #249797)
+ * Nuke aclocal.m4 before we run ./buildconf to ensure we get it
+ regenerated correctly, and we get an up-to-date libtoolization.
+
+ -- Adam Conrad Mon, 9 Aug 2004 07:47:46 -0600
+
+php4 (4:4.3.8-4) unstable; urgency=low
+
+ * Drop 016-pread_pwrite_XOPEN_SOURCE_500.patch, as it didn't seem to
+ solve anything, really, and add 017-pread_pwrite_disable.patch,
+ wich completely disables pread/pwrite usage, fixing session support
+ on sparc, and pread/pwrite usage on amd64. (closes: #261311)
+
+ -- Adam Conrad Mon, 26 Jul 2004 06:15:59 -0600
+
+php4 (4:4.3.8-3) unstable; urgency=low
+
+ * Steve Langasek :
+ - Give php4-pear a versioned dependency on php4-cgi, due to
+ backwards-compatibility issues (closes: #260924).
+
+ * Adam Conrad :
+ - Added a debian/watch file for the curious, or people running
+ automated uscan scripts over the entire archive.
+ - Bump libgd2 build-dep to 2.0.28 to buy us guaranteed GIF
+ support in php4-gd (closes: #66293)
+ - Add 015-gdNewDynamicCtx_Add_Ex.patch, which fixes three double-free
+ errors in php4-gd. This, in concert with the librrd0 update
+ (see #261323) should clear up all known segfaults in php4-gd
+ (closes: #220196, #234571, #241270, #246833, #251220, #260790)
+ Thanks to Klaus Reimer for the tip.
+ - Add 016-pread_pwrite_XOPEN_SOURCE_500.patch, which fixes use of
+ pread/pwrite in conjunction with LFS64. This should fix the files
+ session handler on sparc, as well as the amd64 build failure.
+ (closes: #234766, #239420, #261311, #248765)
+ - Clean up debian/rules to remove a bunch of obsolete cruft, as well
+ as introducing an LFSFLAGS, allowing us to easily turn LFS support
+ on and off for each SAPI.
+ - Re-enable LFS for apache 1.3, as it was enable in Woody and we should
+ remain backward compatible.
+
+ -- Adam Conrad Sun, 25 Jul 2004 18:49:31 -0600
+
+php4 (4:4.3.8-2) unstable; urgency=high
+
+ * Urgency "high" to make up for the last upload which contained
+ security fixes but was uploaded urgency "low".
+
+ * Adam Conrad :
+ - Bump debhelper build-dep to >= 3, as we were using DH_COMPAT=3
+ in debian/rules. Not sure how this was missed for so long.
+ - Add 014-apache2handler_CVS_fixes.patch, which fixes a memory
+ leak in the apache2handler SAPI, as well as a logical mishandling
+ of fatal errors during activation.
+
+ * Steve Langasek :
+ - Revert large file support, which appears to cause
+ ABI-incompatibilities (and therefore segfaults) for apache2
+ (closes: #259659).
+
+ -- Adam Conrad Mon, 19 Jul 2004 20:44:00 -0600
+
+php4 (4:4.3.8-1) unstable; urgency=low
+
+ * Adam Conrad :
+ - New upstream release (4.3.8). Fixes several security issues:
+ + Fixed strip_tags() to correctly handle '\0' characters.
+ + Improved stability during startup when memory_limit is used.
+ + Replace alloca() with emalloc() for better stack protection.
+ + Added missing safe_mode checks inside ftok and itpc.
+ + Fixed address allocation routine in IMAP extension.
+ + Prevent open_basedir bypass via MySQL's LOAD DATA LOCAL.
+ + Fixes DoS in readfile() function, see CAN-2005-0596.
+ - php4-pear now includes PEAR::Mail 1.1.3 (closes: #257688)
+ - debian/control: change libpng3-dev build-dep to libpng12-dev
+ - Add Turkish debconf translation, thanks to Osman Yuksel.
+ (closes: #252940)
+
+ * Andres Salomon :
+ - New upstream release (4.3.7). The following patches are dropped:
+ 007-dba_fix.patch
+ 008-xbithack.patch
+ 011-curl_api_update.patch
+ 012-curl_deprecated_opts.patch.
+ - Add 013-force_getaddrinfo.patch, so that getaddrinfo support is
+ always enabled (instead of doing check during build).
+
+ * Steve Langasek :
+ - Enumerate supported SAPIs in both the module postinst and the module
+ config script, to avoid "question not found" errors from debconf.
+ This doesn't give us automatic support for new SAPIs as they're
+ added, but it avoids trying to configure SAPIs that we don't support
+ (e.g., caudium), and it also sidesteps shell syntax errors caused by
+ strangely-named subdirectories.
+ - Remove apache2 from the TODO list, because it's done
+ (closes: #243793).
+ - Add /var/lib/php4 to the list of directories for the apache2 module,
+ so we don't end up with a missing session dir (closes: #240962).
+ - s/modules-config/apache-modconf/, now that the canonical name of the
+ apache-common tool has changed
+ - Drop references to php3 in README.Debian, and document the
+ simplified process for enabling php4 in apache 1.3 (closes: #244564).
+ - Enable large files support for all SAPIs (closes: #249500).
+ - Fix commented-out default include path in php.ini (closes: #250274).
+
+ -- Adam Conrad Wed, 14 Jul 2004 18:06:42 -0600
+
+php4 (4:4.3.4-4) unstable; urgency=low
+
+ * Drop apache2 work-around patch and add build-dep on apache2 2.0.48-8,
+ now that #228840 is fixed.
+ * Fix FTBFS problem caused by curl api changes, adding patches 011 and
+ 012 (closes: #239159).
+ * Add phpapi Provides for libapache2-mod-php4 (closes: #240386).
+ * Add versioned build-dep for pcre, as apache2 has proven that pcre-3.9
+ and older won't work (closes: #215069).
+ * Tighten build-dep versions to match upstream's autoconf version checks
+ (closes: #214060).
+
+ -- Andres Salomon Fri, 26 Mar 2004 23:27:27 -0500
+
+php4 (4:4.3.4-3) unstable; urgency=low
+
+ * Andres Salomon :
+ - Fix incorrect php.ini path in CLI manpage (closes: #233757).
+ - Add libapache2-mod-php4 module (closes: #214611).
+ * Updated Japanese debconf translation; thanks to Kenshi Muto
+ (closes: #222424).
+ * Build php4-gd against libgd2-xpm, removing the need for a separate
+ php4-gd2 package (closes: #235390, #206045, #135664).
+ * Add new Catalan debconf translation; thanks to Aleix Badia i Bosch
+ (closes: #236630).
+ * Add new Spanish debconf translation; thanks to Carlos Valdivia
+ Yagüe (closes: #235052).
+
+ -- Steve Langasek Sat, 28 Feb 2004 12:11:57 -0600
+
+php4 (4:4.3.4-2) unstable; urgency=low
+
+ * Add build-depends on autoconf, missed earlier (closes: #235012).
+ * Minor updates to README.Debian list of supported extensions.
+ * Fix integer size mismatch in snmp extension affecting 64-bit
+ platforms
+
+ -- Steve Langasek Thu, 26 Feb 2004 22:25:27 -0600
+
+php4 (4:4.3.4-1) unstable; urgency=low
+
+ * New upstream version. Update local patch set accordingly, with help
+ from Andres Salomon .
+ - includes fix for snmpget() not closing its socket
+ (closes: #207363).
+ * Update build-depends to libdb4.2-dev, to match apache-dev
+ (closes: #231692).
+ * Drop translations of stale templates, and add new German debconf
+ translation; thanks to Alwin Meschede
+ (closes: #232270).
+ * Add new Danish debconf translation; thanks to Claus Hindsgaul
+ (closes: #233887).
+ * Move local patches into debian/patches/ for easier management, and
+ add debian/rules targets for build-time application of patches.
+ * Fix a problem with PHP "xbithack" causing ini scope leakage
+ (closes: #230047).
+ * Re-enable the openssl extension statically, since we now know for
+ sure that the php4-imap problems are a glibc bug (closes: #197450).
+ * Fix pear to set /usr/bin/php4 instead of /usr/bin/php for the value
+ of php_bin, so PEAR-managed scripts work correctly
+ (closes: #228381). In addition, use alternatives for /usr/bin/php
+ for the benefit of user scripts (closes: #185283).
+ * Set the default session save_path to /var/lib/php4 instead of to
+ /tmp, and create this directory such that all users (for php4-cgi)
+ can create files there and access their own files once created, but
+ not see the names of other files in the directory (closes: #139810).
+ * Drop our override of upstream's register_globals default
+ (closes: #230878).
+
+ -- Steve Langasek Sat, 14 Feb 2004 10:23:24 -0600
+
+php4 (4:4.3.3-5) unstable; urgency=low
+
+ * Have php4-pear Suggest: php4-dev, for PECL extensions
+ (closes: #225969).
+ * Recompiled against the new version of libxslt, to get rid of the
+ dependency on libxsltbreakpoint (closes: #224806).
+ * Also recompiled against the new version of libc-client (closes: #227347).
+ * Fix pear to not expect to be able to twiddle locks when running as
+ non-root, which also seems to fix a memory utilization problem
+ (closes: #225026).
+ * Make php4-imap depend on libapache-mod-ssl, since this seems to be
+ the only reliable way of getting apache to stop segfaulting.
+ * Build-depend on libt1-dev, which replaces t1lib-dev.
+
+ -- Steve Langasek Mon, 5 Jan 2004 22:53:18 -0600
+
+php4 (4:4.3.3-4) unstable; urgency=low
+
+ * Fix prerm script to remove mod_php4, *not* mod_perl, from the
+ config (Closes: #216889).
+ * Use /etc/$i/httpd.conf instead of /etc/$i to decide whether to
+ call modules-config.
+ * Don't invoke debconf unless we have to in the postinst, to reduce
+ the risk of interactions between modules-config and our questions.
+ * Add Dutch debconf translation; thanks to Tim Dijkstra
+ (closes: #221439).
+ * Sync dba lock handling against upstream CVS HEAD, to fix a bug with
+ truncating db4 files when opening with 'c' (create).
+ (Closes: #221559).
+
+ -- Steve Langasek Tue, 21 Oct 2003 16:49:03 -0500
+
+php4 (4:4.3.3-3) unstable; urgency=low
+
+ * Disable -gstabs on ia64, since this debugging symbol type is
+ apparently unknown there; we should now have clean builds (with
+ appropriate debugging symbols) on all archs.
+
+ -- Steve Langasek Mon, 20 Oct 2003 19:07:40 -0500
+
+php4 (4:4.3.3-2) unstable; urgency=low
+
+ * Don't call db_stop in the postinst, as this seems to cause problems
+ for modules-config (closes: #215663, #215584).
+ * Remove duplicate -prefer-pic flag on caudium build, in hope of
+ making libtool do something sensible on ia64,hppa (closes: #216020).
+ * Always build with debugging symbols, per current policy.
+ * Unconditionally call dh_strip, which knows about DEB_BUILD_OPTIONS;
+ and call install -s when installing shared extensions by hand.
+ * Fix upstream build rules to not call libtool --silent.
+
+ -- Steve Langasek Wed, 15 Oct 2003 23:19:55 -0500
+
+php4 (4:4.3.3-1) unstable; urgency=low
+
+ * New upstream release.
+ * Add Japanese debconf translation; thanks to Kenshi Muto
+ (closes: #211961).
+ * Fix caudium handling to always grab the current pike version from
+ dpkg when constructing include paths (closes: #212585).
+ * Bump the c-client build dependencies to use the new -dev package
+ name.
+ * Convert php4 postinst/prerm scripts to use the new apache
+ modules-config interface.
+
+ -- Steve Langasek Sun, 21 Sep 2003 17:26:31 -0500
+
+php4 (4:4.3.2+rc3-6) unstable; urgency=low
+
+ * Add Brazilian Portuguese debconf translation; thanks to André LuÃs
+ Lopes (closes: #207078).
+ * Catch debian/control up with debian/rules for the zendapi -> phpapi
+ transition.
+
+ -- Steve Langasek Sun, 31 Aug 2003 20:35:57 -0500
+
+php4 (4:4.3.2+rc3-5) unstable; urgency=low
+
+ * Kill the lintian warning on the grammar in the copyright file.
+ * Redirect apacheconfig I/O to /dev/tty, to work around debconf
+ behavior (for real this time). Closes: #207468, #206404.
+ * Replace 'zendapi' with 'phpapi', since the former does not
+ accurately describe the ABI changes that affect modules and can
+ leave some packages installable but broken (closes: #208020). Also,
+ remove the versioned conflicts with php4-{mysql,pgsql}, since this
+ now supersedes.
+ * Add French debconf translation; thanks to Michel Grentzinger
+ (closes: #207662).
+
+ -- Steve Langasek Sat, 23 Aug 2003 21:43:24 -0500
+
+php4 (4:4.3.2+rc3-4) unstable; urgency=low
+
+ * Have all php extensions automatically detect and configure for any
+ installed SAPIs (closes: #143436).
+ * Remove spurious dependencies from php4-dev, and replace autoconf2.13
+ with autoconf (closes: #180497).
+ * Conflict with old php4-pgsql as we do with php4-mysql, as it
+ manifests the same bug.
+ * Add preliminary rules for building apache2 SAPI, but don't enable.
+ * Call db_stop before trying to run apacheconfig (closes: #206404).
+ * Check for the existence of /etc/php4 before trying to rmdir it,
+ since there are apparently those who remove such directories
+ prematurely (closes: #206120).
+
+ -- Steve Langasek Sun, 17 Aug 2003 00:19:38 -0500
+
+php4 (4:4.3.2+rc3-3) unstable; urgency=low
+
+ * Fixes for spurious package dependencies
+ * Fix the paths emitted by php-config, so we can build php4-pgsql et al.
+
+ -- Steve Langasek Fri, 15 Aug 2003 23:44:55 -0500
+
+php4 (4:4.3.2+rc3-2) unstable; urgency=low
+
+ * Make sure pear.conf is properly marked as a conffile, by bumping
+ DH_COMPAT to 3.
+ * Generate all per-extension postinsts/prerms at build time, instead
+ of managing them by hand.
+ * Get rid of bogus, non-FHS directories from the caudium build.
+ * Install the upstream php manpage in the php4-cgi package
+ (closes: #175836).
+ * Prevent null dereferencing in ldap_explode_dn() (closes: #205405).
+ * Hard-code /usr/share/pear at the end of the include path, for
+ backwards compatibility.
+ * Debconf support for PHP extension registration, including
+ po-debconf support (closes: #122353).
+ * Fix interpreter path in /usr/bin/pear.
+ * Make php4-pear depends: php4-cgi (closes: #182393).
+
+ -- Steve Langasek Wed, 13 Aug 2003 22:39:08 -0500
+
+php4 (4:4.3.2+rc3-1) unstable; urgency=low
+
+ * New upstream version.
+ - includes fix for buffer overflow crashes in imap module
+ (closes: #191640)
+ - includes fix for dysfunctional open_basedir directive
+ (closes: #197803)
+ - include fix for various XSS vulnerabilities (closes: #200736)
+ * Recompile against newest libc-client libs, following another soname
+ change (closes: #199049)
+ * Replace db2 with db4.
+ * Trim down the cgi sapi rules, since it will now build both cli and
+ cgi for us by default.
+ * Kludge the caudium sapi, by hard-coding the include path we need for
+ pike headers.
+ * Copy the lex/yacc-generated .c and .h files into the build
+ directories, since generating them at build time gives wildly
+ different, and undisputably broken, results.
+ * Update the install rules so they're compatible with current upstream
+ handling of pear and the various SAPIs.
+ * Add '=shared' to the --enable-xslt option, to get the right results
+ for that extension.
+ * Move PEAR extensions from /usr/share/pear to /usr/share/php.
+ * Conflict with php4-mysql=4:4.2.3-14, due to bizarre Zend errors.
+
+ -- Steve Langasek Wed, 6 Aug 2003 22:43:28 -0500
+
+php4 (4:4.2.3-14) unstable; urgency=low
+
+ * Disable openssl extensions AGAIN. It appears that this double-linking mess
+ is still causing nasty segfaults.
+ (closes: #188014, #188025, #188058, #189202, #189653)
+
+ -- Adam Conrad Sun, 20 Apr 2003 17:31:59 -0600
+
+php4 (4:4.2.3-13) unstable; urgency=low
+
+ * Revert NET-SNMP patch and build php4-snmp against UCD-SNMP again
+ (closes: #185534)
+ * Build against libmm13, as libmm12 no longer exists (closes: #187401)
+ * Rebuild caudium-php4 against latest caudium-dev
+ * Re-enable openssl linking and functions, now that our glibc 2.3
+ problems appear to be ironed out.
+ * Enable xslt and exslt support in php4-domxml (closes: #172881)
+
+ -- Adam Conrad Thu, 3 Apr 2003 05:53:24 -0700
+
+php4 (4:4.2.3-12) unstable; urgency=low
+
+ * Rebuild php4-sybase against libct1 (closes: #184461)
+
+ -- Steve Langasek Sat, 8 Mar 2003 20:03:33 -0600
+
+php4 (4:4.2.3-11) unstable; urgency=low
+
+ * Remove pike header location detection from debian/rules and do it
+ properly in sapi/caudium/config.m4, using pike7.2-config --version
+
+ -- Adam Conrad Mon, 3 Mar 2003 23:33:26 -0700
+
+php4 (4:4.2.3-10) unstable; urgency=low
+
+ * Added patch to build with NET-SNMP 5.x
+ * Updated build-dep for libc-client to 2003debian
+ (closes: #181565, #182854, #169886)
+ * Updated build-dep for libcurl to libcurl2-dev (closes: #179722)
+ * Added -mieee to alpha build to solve FPE errors (closes: #180656)
+ * Removed arch-specific logic to build with gcc-3.2 on arm, since gcc-3.2
+ is now the default compiler on all architectures.
+ * Add libwrap0-dev to the end of the build-depends to work around #183041.
+ Someone remember to remove this later when the bug is fixed. :)
+ * Build against newer libsablot0-dev (closes: #179886, #181550)
+ * Introduce ugly hack in debian/rules to get the pike includes
+ directory right for the caudium SAPI.
+
+ -- Adam Conrad Sun, 2 Mar 2003 12:49:07 -0700
+
+php4 (4:4.2.3-9) unstable; urgency=low
+
+ * Fix caudium-php4 to not conflict with php4-pear (closes: #175415).
+
+ -- Steve Langasek Sun, 5 Jan 2003 16:40:20 -0600
+
+php4 (4:4.2.3-8) unstable; urgency=low
+
+ * Fix typo in debian/rules
+ * Rebuild to bring in sync with latest caudium packages
+
+ -- Adam Conrad Wed, 25 Dec 2002 20:00:59 -0700
+
+php4 (4:4.2.3-7) unstable; urgency=low
+
+ * Set a sane default for safe_mode_exec_dir (closes: #122920).
+ * Rebuild against libmm-dev on i386, instead of against the
+ no-longer-available libmm11-dev which Provides: the same
+ (closes: #173509).
+
+ -- Steve Langasek Mon, 16 Dec 2002 22:48:40 -0600
+
+php4 (4:4.2.3-6) unstable; urgency=low
+
+ * Build with PEAR for all SAPIs, so that the built-in include_path is
+ set correctly (overkill?). Closes: #169786, #172321
+ * Change section of php4-dev package to devel.
+ * Add libkrb5-dev to build-depends, since libc-client2002-dev doesn't
+ pull it in (closes: #173313).
+ * Depend on coreutils instead of fileutils, since the latter is now an
+ empty package (closes: #171265).
+
+ -- Steve Langasek Sun, 15 Dec 2002 23:20:30 -0600
+
+php4 (4:4.2.3-5) unstable; urgency=low
+
+ * Fix (snip, snip) the upstream build scripts, so that libphp4.so
+ isn't worthlessly linked against the problematic openssl libs
+ (closes: #165699, #165718, #165719, #166414).
+ * Update config.{sub,guess} so that the package builds on mips
+ platforms (closes #173218)
+ * Replace libc-client-ssl2001-dev with libc-client2002-dev in build
+ dependencies, fixing various php4-imap segfaults (closes: #169610,
+ #169769).
+
+ -- Steve Langasek Sun, 15 Dec 2002 19:42:43 -0600
+
+php4 (4:4.2.3-4) unstable; urgency=low
+
+ * Remove build dependency on non-extant libmagick5-dev, which is no
+ longer used anyway (closes: #169829, #172402).
+ * Add myself to the Uploaders: field of the control file.
+
+ -- Steve Langasek Sat, 14 Dec 2002 12:52:06 -0600
+
+php4 (4:4.2.3-3) unstable; urgency=low
+
+ * Backport a patch from CVS to sanitize control characters in php_url_parse()
+ to prevent ASCII control injection in fopen() calls.
+
+ -- Adam Conrad Thu, 12 Sep 2002 16:29:46 -0600
+
+php4 (4:4.2.3-2) unstable; urgency=low
+
+ * I'm a moron (thanks to James Troup for pointing this out).
+ * Change gcc-3.1 references in debian/rules to gcc-3.2.
+ * Change GD build-dep to libgd-xpm-dev until GD package mess is worked out.
+
+ -- Adam Conrad Tue, 10 Sep 2002 12:18:21 -0600
+
+php4 (4:4.2.3-1) unstable; urgency=low
+
+ * New upstream version
+ * Added a patch from Ginger Alliance to eliminate warnings in xslt compile
+ * Messed with the php4-imap build:
+ - compiling with SSL support (closes: #122700)
+ - commented out the static-on-i386 hack, libc-client is now linked dynamically
+ * Sessions should finally be fixed, however I won't tag the bugs "woody"
+ until I know for sure. (if you were affected, please test and send
+ followups to me)
+ * Updated arm build-dep to use gcc-3.2 since gcc-3.1 is gone now.
+
+ -- Adam Conrad Tue, 10 Sep 2002 09:02:51 -0600
+
+php4 (4:4.2.2-3) unstable; urgency=low
+
+ * Fix typo resulting in php4-odbc not having a postinst
+ (closes: #157116, #157927)
+ * Build against latest caudium-dev to made caudium-php4 installable
+ again. (closes: #158247)
+ * Update build-deps to swap libpng3 for libpng2. (closes: #158908)
+
+ -- Adam Conrad Sat, 7 Sep 2002 01:22:57 -0600
+
+php4 (4:4.2.2-2) unstable; urgency=low
+
+ * Pulled --with-ndbm out of ./configure, as libc6 no longer ships with
+ headers or the library for db1 (closes: #156141, #155889)
+ * Update build deps to build against libmm12 (closes: #155042)
+ * php4-curl no longer depends on libcurl2-ssl (closes: #155015)
+
+ -- Adam Conrad Sat, 10 Aug 2002 01:12:47 -0600
+
+php4 (4:4.2.2-1) unstable; urgency=medium
+
+ * New upstream
+ * Fixes input validation vulnerability in rfc1867.c (closes: #153850)
+ * Added missing prerm/postinst for php4-xslt (oops)
+
+ -- Adam Conrad Mon, 22 Jul 2002 11:58:53 -0600
+
+php4 (4:4.2.1-3) unstable; urgency=low
+
+ * Yet more build fixes. This time, bump the arm build-dep from gcc-3.0 to
+ gcc-3.1 to avoid compiler errors. I love the arm toolchain. No, really.
+
+ -- Adam Conrad Wed, 29 May 2002 17:40:30 -0600
+
+php4 (4:4.2.1-2) unstable; urgency=low
+
+ * Applied small patch to fix building on non-32-bit architectures
+ (closes: #148231)
+ * Added still /more/ documentation about the unserializer, sessions,
+ and the session.save_handler php.ini option.
+
+ -- Adam Conrad Sun, 26 May 2002 14:43:55 -0600
+
+php4 (4:4.2.1-1) unstable; urgency=low
+
+ * The "When is Debian going to have new software like XF^H^HPHP 4.2?" release.
+ * Probably the last update (barring huge packaging bugs or plain broken
+ binaries) before starting on a complete reorg of the PHP packages.
+ * Deserializer now works on big-endian architectures (addresses bug #121391
+ and probably others)
+ * This release probably fixes a whole bunch of bugs. Will be going through
+ the bug list and playing the reproducibility game after the upload.
+ * Default include_path in php.ini now set to include pear.
+ * Upstream default for register_globals HAS CHANGED. In the Debian php.ini
+ we are still using "register_globals = On" for compatibility reasons,
+ however our packages will change too. This is a warning for anyone
+ packaging PHP scripts and applications to make sure you'll be compatible
+ with the new default once it's set.
+
+ -- Adam Conrad Sun, 26 May 2002 06:24:21 -0600
+
+php4 (4:4.1.2-4) unstable; urgency=high
+
+ * No binaries were harmed in the making up this upload.
+ * Updated README.Debian and changelog. All other files untouched,
+ as the binaries were merely unpacked and repacked.
+ - Added a note to README.Debian about how to properly set up
+ Apache for use with php4, if the installation didn't (and it usually
+ doesn't ) get it right.
+ - Added a note to README.Debian about the unserializer (and sessions)
+ being messed up on big endian architectures. It's too late to try
+ to get a proper fix in for this, so we're just going to have to cope.
+
+ -- Adam Conrad Fri, 26 Apr 2002 12:27:40 -0600
+
+php4 (4:4.1.2-3.1) unstable; urgency=low
+
+ * The 'I broke it, I have to take credit for it' release.
+ * Rebuild the package to get proper binary dependencies on alpha.
+
+ -- Steve Langasek Sun, 31 Mar 2002 17:13:09 -0600
+
+php4 (4:4.1.2-3) unstable; urgency=low
+
+ * Switched to --with-regex=php (from =system). This fixes all the
+ problems with eregi/parse_url/fopen/etc on Alpha.
+ * Cleaned up long descriptions (closes: #130977, #130954)
+
+ -- Adam Conrad Wed, 27 Mar 2002 15:11:43 -0700
+
+php4 (4:4.1.2-2) unstable; urgency=low
+
+ * New maintainer (closes: #132980)
+ * Enabling unixodbc support (closes: #107201)
+ * Changed the install-modules target in build/rules_pear.mk so that
+ it will error out in the case of an empty modules directory or
+ failure to install modules (closes: #135304)
+
+ -- Adam Conrad Tue, 12 Mar 2002 00:25:41 -0700
+
+php4 (4:4.1.2-1) unstable; urgency=high
+
+ * New upstream version with a security fix. This
+ supercedes 4.1.1-2.2 from Steve Langasek:
+ * Fix an error in the handling of MIME file upload headers, which left
+ open a potential security hole. (Closes: #136063)
+ * Fixed gcc-3.0 fix :-)
+ * Thanks for fixing apache-common fix
+ * This version should fix session bugs with upstream fix (closes: #133877)
+ * With a brutal change to main/SAPI.c try to fix(?) authorize bugs
+
+ -- Petr Cech Thu, 28 Feb 2002 11:14:26 +0100
+
+php4 (4:4.1.1-2.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * loosen apache-common dependency to make us forwards-compatible, as
+ recommended by the apache maintainer.
+ * use gcc-3.0 when building on arm, because the default toolchain on
+ that arch has Issues (closes: #135906, #135913).
+
+ -- Steve Langasek Tue, 26 Feb 2002 09:59:49 -0600
+
+php4 (4:4.1.1-2) unstable; urgency=medium
+
+ * Rebuild with apache 1.3.23.
+ * This package is in maintainer change mode. Though I orphaned it I'm not
+ going to change maintainer to QA, because we already have fresh blood.
+ * ext/gd/gd.c: s/HAVE_GD_GIF/HAVE_GD_GIF_CREATE/ to build correctly with
+ libgd which has GIF support (fixed included upstream)
+ * debian/control:
+ - Build-Depends: s/libgd1g-dev/libgd-dev/
+ also libc-client at least version 4:2001adebian-6 to fix some segfaults
+ * ext/standard/head.c: make the setcookie() thingie test more simple
+
+ -- Petr Cech Mon, 11 Feb 2002 20:07:22 +0100
+
+php4 (4:4.1.1-1) unstable; urgency=high
+
+ * New upstream bugfix release.
+ * debian/control: php4-gd - Conflicts/Replaces: php4-gd2 if I ever get
+ to upload it
+ * debian/rules: Correctly supply modified CFLAGS to build process
+
+ -- Petr Cech Fri, 28 Dec 2001 23:23:47 +0100
+
+php4 (4:4.1.0-2) unstable; urgency=low
+
+ * debian/php4-cgi.README.Debian: fix typo (closes: #123866)
+ * debian/rules: remove --enable-mbstr-enc-trans as it breaks parametr
+ parsing (closes: #121403)
+ * debian/README.Debian: document shmmax increase (closes: #119688)
+
+ -- Petr Cech Fri, 14 Dec 2001 09:59:59 +0100
+
+php4 (4:4.1.0-1) unstable; urgency=high
+
+ * Finally final 4.1.0
+ * Urgency to reflect previous version
+ * debian/control: php4-pear depends on php4-cgi
+
+ -- Petr Cech Thu, 13 Dec 2001 23:09:54 +0100
+
+php4 (3:4.1-2) unstable; urgency=high
+
+ * FIxes from CSV 4.1.0RC5. Looks like it was not the release after all.
+ * ext/exif/exif.c: MFH
+ * ext/ldap/ldap.c: small crash fix from HEAD
+ * and misc tiny changes. Really :-)
+ * ext/imap/php_imap.c: HIGH. fix from CVS (imap_rfc822_parse_adrlist) changing
+ the argument
+
+ -- Petr Cech Sun, 9 Dec 2001 00:01:37 +0100
+
+php4 (3:4.1-1) unstable; urgency=medium
+
+ * Final 4.1.0 (not released)
+ * NEWS: s/4.0/4.1/
+ * Build with GD1. It should fix some GD bugs, as gd 2.0.1 is supposed to be
+ a beta version with known bugs. How should I know.
+ * sablot extension removed upstream. So use XSLT (C/R in place)
+ * Apply fix for file_exists() from tilo (closes: #114409)
+ * "Cannot redeclare" were fixed in previous RCs (closes: #112341)
+ * previous version is build in hppa and ia64, so I assume it
+ (closes: #115391)
+ * Add note to sybase_ct, that it conflicts with mod_gzip folowing a user
+ report.
+ * This should fix the "final HTML> stripped" bug that was introduced
+ in 4.0.6-3. (closes: #110415).
+ * add --enable-ucd-snmp-hack to try to fix segfaults with ucd-snmp
+
+ -- Petr Cech Mon, 26 Nov 2001 14:56:50 +0100
+
+php4 (3:4.0.100-1) unstable; urgency=low
+
+ * Really a 4.1.0RC2
+ * Remove hack for apache 1.3.14, as we build-depends on 1.3.22 anyway
+ * Build-depends: libexpat1 (>= 1.95.2-2.1) for the .1
+ * Added Provides: zendapi-$version to php4 and php4-cgi
+ * Made modules depend on zendapi-$version instead of php4|php4-cgi.
+ Please use this in your php4-$module packages
+ * Apply c-client hack only to i386 most architectures don't support linking
+ both PIC and non-PIC code. I'm still affrai to do this on i386, as it
+ crashes a lot more :(
+ * Apply some CVS patches
+
+ -- Petr Cech Wed, 14 Nov 2001 20:50:19 +0100
+
+php4 (3:4.0.99-4) unstable; urgency=medium
+
+ * Recompile because of new version of caudium.
+ (I really hope this gets into testing soon as php in testing
+ now doesn't do apache 1.3.22)
+
+ -- Petr Cech Fri, 9 Nov 2001 11:11:46 +0100
+
+php4 (3:4.0.99-3) unstable; urgency=medium
+
+ * Recompile for new libexpat1 (closes: #116623 and others)
+ * upstream: ext/gd/gd.c, ext/iconv/iconv.c
+ * crypt(): defalt to using DES crypt() (closes: #117092)
+ * debian/rules: disable libmm in -cgi build. Will lesser the impact
+ of the infamous /tmp/session_mm.reg
+ * apply patch to Zend, which should fix the "cannot redeclare" error.
+ It's still a bug in your code though (use include_once). More changes
+ to this are comming (upstream).
+ * Add some documentation to sybase
+
+ -- Petr Cech Mon, 22 Oct 2001 11:20:46 +0200
+
+php4 (3:4.0.99-2) unstable; urgency=low
+
+ * "Some days are just no good" release.
+ * Recompile with apache 1.3.22 from Incoming
+ * Deal with automake going to 1:1.4 and automake1.5
+
+ -- Petr Cech Fri, 19 Oct 2001 15:02:00 +0200
+
+php4 (3:4.0.99-1) unstable; urgency=low
+
+ * This is really 4.1.0RC1, but ...
+ * Applied setcookie(), which is not in upstream yet
+
+ -- Petr Cech Fri, 19 Oct 2001 12:05:20 +0200
+
+php4 (3:4.0.6.7rc3-3) unstable; urgency=medium
+
+ * Fix dependency in caudium-php4. Sorry for this
+
+ -- Petr Cech Fri, 19 Oct 2001 11:28:07 +0200
+
+php4 (3:4.0.6.7rc3-2) unstable; urgency=medium
+
+ * Recompile with recent caudium/pike. Please, no new version so it can get
+ into testing :)
+ * debian/control: move php4-pear to suggests
+ * Fix setcookie() again. I really hate this bug
+ * Build-Depends: re2c - it's usually not needed, but if you make some
+ strange changes to the parser ...
+ * FIx automake 1.5 build problems (I hope)
+
+ -- Petr Cech Thu, 18 Oct 2001 12:03:39 +0200
+
+php4 (3:4.0.6.7rc3-1) unstable; urgency=low
+
+ * New upstream test release.
+
+ -- Petr Cech Fri, 5 Oct 2001 09:23:35 +0000
+
+php4 (3:4.0.6.7rc2-3) unstable; urgency=low
+
+ * "Let's try to fix some bugs" release.
+ * Add some patches: ldap (does this fix things?), pgsql,
+ domxml
+ * Build-Conflicts: automake (>= 1.5) for now
+
+ -- Petr Cech Tue, 2 Oct 2001 10:55:23 +0200
+
+php4 (3:4.0.6.7rc2-2) unstable; urgency=low
+
+ * Enable recode extension (the library is LGPL) - shared
+ * Enable iconv extension - in main php4. Experimental
+ * Build-Depends: s/libgd-dev/libgd2-dev/
+ * Build-Depends: libxml2-dev (>= 2.4.2) (Closes: #112304)
+ and fix autoconf macros (Closes: #113980)
+ * Improve?? description of PEAR (Closes: #112432)
+
+ -- Petr Cech Sat, 22 Sep 2001 10:37:42 +0200
+
+php4 (3:4.0.6.7rc2-1) unstable; urgency=medium
+
+ * 2nd release candidate
+ * ext/mbstring: fix compile (cp1252)
+ * ext/standard/url_scanner_ex: off by one
+ * WARNING: caudium builds with Zend Threading enabled, but other
+ modules don't. So you cannot safely use DSO with caudium
+ * Added some Build-Conflicts - with broken libmysqlclient
+ - with libtool 1.4b
+
+ -- Petr Cech Mon, 10 Sep 2001 18:04:27 +0200
+
+php4 (3:4.0.6-6) unstable; urgency=medium
+
+ * The "Paul Hampson fixes release".
+ * Closed those atexit() bugs. Now to find out, how to make libtool link with
+ gcc instead of ld :((
+ * ext/standard/head.c: Fix setcookie("bla) (closes: #109524, #109697)
+ Thanks to Paul Hampson for finding the cause, though I've used another
+ fix - fixed changes in CVS made in -3 I think. Silly me to think, that
+ all "small" changes are fixes.
+ * libc-client2001 was fixed in -5, so add a (closes: #109202) here
+ * Conflicts: only with libtool 1.4b-{1,2,3}. libtool 1.4.1 is OK
+
+ -- Petr Cech Sat, 1 Sep 2001 20:59:40 +0200
+
+php4 (3:4.0.6-5) unstable; urgency=low
+
+ * Recompile for libc-client2001 (I hope it doesn't break anything else)
+ And many other libraries.
+ * ATTENTION. php4 still doesn't work with autoconf 2.52 and thus libtool 1.4b!!
+ You have to get libtool 1.4 to be able to use phpize.
+
+ -- Petr Cech Wed, 22 Aug 2001 23:26:08 +0200
+
+php4 (3:4.0.6-4) unstable; urgency=high
+
+ * Add pear/CODING_STANDARDS into php4-pear (fixes 105574. closed too early. sorry)
+ * Fix the nasty segfaults with mail(). That'll teach me taking upstream
+ changes without looking. Thanks Cvetan Ivanov for the correct fix (also upstream now)
+ (closes: #105686, #105878).
+
+ -- Petr Cech Fri, 20 Jul 2001 23:07:30 +0200
+
+php4 (3:4.0.6-3) unstable; urgency=high
+
+ * ext/standard/mail.c: security fix
+ * debian/control: Build-Depends: libtool (>= 1.4)
+ * ext/curl/curl.c: fix typo
+ * ext/gd/config.m4: fix typo
+ * ext/mcrypt/mcrypt.c: upstream buffer overflow fix
+ * ext/mhash/mhash.c: upstream buffer overflow fix
+ * ext/pgsql/pgsql.c: fix
+ * ext/posix/config.m4: check for getpgid
+ * ext/sablot/sablot.c: fix leaks
+ * ext/standard/url* : fixes
+ * ext/sysvshm/sysvshm.c: fixes
+ * Zend/*: small fixes
+
+ -- Petr Cech Fri, 13 Jul 2001 16:21:04 +0200
+
+php4 (3:4.0.6-2) unstable; urgency=low
+
+ * pear/Makefile.in: add IT_Error.php to installed files (closes: #103087)
+ * debian/control: - allow also libcurl-ssl-dev as Build-Depends (closes: #103618)
+ - libfreetype6-dev to Build-Depends
+ - add auto* suite to php4-dev depends (closes: #104199)
+ * debian/rules: - build gd module with freetype2 support
+ - move common ./configure flags to COMMON_CONFIG
+ - build with mbstring support
+
+ -- Petr Cech Fri, 13 Jul 2001 08:22:02 +0200
+
+php4 (3:4.0.6-1) unstable; urgency=medium
+
+ * New upstream release.
+ * NOTE: new extension will probably be in another upload, to get this
+ into testing ...
+
+ -- Petr Cech Mon, 25 Jun 2001 20:43:24 +0200
+
+php4 (3:4.0.5.6rc3-3) unstable; urgency=low
+
+ * The "I hate sablot release". Recompile with 0.60
+ * debian/php4-domxml.postrm: also fix the :: (closes: #101306)
+ * debian/rules: --enable-ctype - still EXPERIMENTAL!!! Bug upstream
+
+ -- Petr Cech Mon, 18 Jun 2001 09:46:17 +0200
+
+php4 (3:4.0.5.6rc3-2) unstable; urgency=low
+
+ * ext/sablot/config.m4: link sablot.so with -lsablot, not main php4
+ * build/ ... : upstream fix for building with automake 1.4-pX
+ * don't fail, when libssl-dev is not installed. sigh
+
+ -- Petr Cech Thu, 14 Jun 2001 23:36:34 +0200
+
+php4 (3:4.0.5.6rc3-1) unstable; urgency=low
+
+ * New upstream test release.
+ * Recompile with apache 1.3.20
+ * debian/control:
+ - php4-dev: Depends: bison, flex (closes: #100634)
+ - Build-Depends: libcurl-dev (>=7.8)
+ * debian/rules:
+ - add --enable-bcmath to all rules (closes: #100491)
+ * Zend/zend.c: apply upstream fix to allow building of caudium
+
+ -- Petr Cech Tue, 12 Jun 2001 22:27:26 +0200
+
+php4 (3:4.0.5.6rc2-1) unstable; urgency=low
+
+ * New upstream test release.
+ * FIx regex/regex.h (int regoff_t)
+ * fix php4-cgi build with pcre - don't use supplied pcre
+ * Fix wddx support (closes: #99468)
+ * Add missing $(INSTALL_ROOT) to sapi/caudium/config.m4
+
+ -- Petr Cech Fri, 8 Jun 2001 11:37:07 +0200
+
+php4 (3:4.0.5.6rc1-1) unstable; urgency=low
+
+ * New upstream test release with new bugs :))
+ * moved pear from /usr/lib/php4 to /usr/share/php4
+ * Whups. Sorry about the epoch 3: . It somehow slipped in, so I'll
+ have to live with it
+
+ -- Petr Cech Wed, 16 May 2001 14:14:04 +0200
+
+php4 (3:4.0.5-2) unstable; urgency=low
+
+ * Build-Depend on newer libmhash-dev, as it supposedly doesn't
+ compile on current woody (closes: #96555)
+ * Build-Depends: s/freetype2/libttf-dev/
+ * Stop building php4-pgsql - move to non-US
+ * Build-Deps on new libsablot0
+
+ -- Petr Cech Thu, 10 May 2001 10:43:02 +0200
+
+php4 (3:4.0.5-1) unstable; urgency=medium
+
+ * New upstream release.
+ * recompile with new sablot - how I hate this (closes: #95401)
+ * Merge XML into main php4
+ * Reword README.Debian (closes: #89667)
+ * Enable wddx
+ * debian/*.postinst: * only ask upon first install, not upgrade (closes: #93452)
+ * fix typos (closes: #94118)
+ * Added support for Sybase/MS SQL Server (using FreeTDS)
+ using patch from:
+ http://rpms.arvin.dk/php/source/patches/php-sybase_ct.patch
+ thanks to Bradley Bell for the patch
+ * ext/pcre : two upstream fixes
+ * ext/sablot/sablot.c: small upstream fix
+ * build/buildcheck.sh : fixes to allow compile with libtool 1.4
+ * ext/standard/exec.c: upstream fixes
+ * sapi/apache/mod_php4.c: off by one fix
+ * sapi/cgi/cgi_main.c: fix POST bug
+ * main/snprintf.c: upstream fix
+
+ -- Petr Cech Wed, 3 May 2001 22:17:10 +0200
+
+php4 (4.0.4.5rc6-2) unstable; urgency=low
+
+ * Build-depends: libcurl-dev will pull libcurl2 (closes: #92994)
+ * TSRM/TSRM.c: upstream fix
+ * ext/pgsql: upstream fix
+
+ -- Petr Cech Thu, 5 Apr 2001 17:51:09 +0200
+
+php4 (4.0.4.5rc6-1) unstable; urgency=low
+
+ * New upstream test release.
+ * Don't mention CGI support, as it's not so for a long time.
+
+ -- Petr Cech Wed, 4 Apr 2001 13:47:45 +0200
+
+php4 (4.0.4.5rc5-1) unstable; urgency=low
+
+ * New upstream test release.
+ * ask about /etc/php4/cgi/php.ini also
+ * It's really recompiled for 1.3.19 (closes: #91901, #91822)
+ * problems with modules documented (closes: #81141, #82611)
+
+ -- Petr Cech Mon, 2 Apr 2001 09:38:16 +0200
+
+php4 (4.0.4.5rc3-1) unstable; urgency=low
+
+ * New upstream RC release
+ * debian/rules: s/with-yp/enable-yp/ to really enable YP support. Discovered
+ on broken potato upload. -0potato2 is fixed
+ * Looks like there was a bug in latest build, this should fix it (closes: #92018)
+ * remove libmcal0 workaround
+
+ -- Petr Cech Wed, 28 Mar 2001 21:15:36 +0200
+
+php4 (4.0.4.5rc2-1) unstable; urgency=low
+
+ * New upstream release test release 4.0.5RC2.
+ * debian/rules: Add lintian overrides
+ * debian/control: * add libexpat1-dev to Build-Depends
+ * add libmcal0 to Build-Depends since libmcal0-dev is
+ missing this dependancy :(( Bug filled
+ * ext/socket/socket.c: minor upstream patch
+
+ -- Petr Cech Mon, 26 Mar 2001 20:43:49 +0200
+
+php4 (4.0.4pl1-6) unstable; urgency=low
+
+ * NEVER RELEASED
+ * Build-depends on libcurl1-dev (>= 7.6.1-5), which fixes the libcurl1 or
+ libcurl1-ssl problem.
+ * remove dh_testversion and use versioned Build-depends instead
+
+ -- Petr Cech