php8.3 (8.3.6-0ubuntu0.24.04.5) noble-security; urgency=medium
* SECURITY UPDATE: Null byte termination in hostnames
- debian/patches/CVE-2025-1220.patch: check hostnames in
ext/standard/fsock.c,
ext/standard/tests/network/ghsa-3cr5-j632-f35r.phpt,
ext/standard/tests/streams/ghsa-3cr5-j632-f35r.phpt,
main/streams/xp_socket.c.
- CVE-2025-1220
* SECURITY UPDATE: pgsql extension does not check for errors during
escaping
- debian/patches/CVE-2025-1735.patch: add error checks in
ext/pdo_pgsql/pgsql_driver.c,
ext/pdo_pgsql/tests/ghsa-hrwm-9436-5mv3.phpt,
ext/pgsql/pgsql.c, ext/pgsql/tests/ghsa-hrwm-9436-5mv3.phpt.
- CVE-2025-1735
* SECURITY UPDATE: NULL Pointer Dereference in PHP SOAP Extension via
Large XML Namespace Prefix
- debian/patches/CVE-2025-6491.patch: handle large names in
ext/soap/soap.c, ext/soap/tests/soap_qname_crash.phpt.
- CVE-2025-6491
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 14 Jul 2025 14:30:55 -0400
php8.3 (8.3.6-0ubuntu0.24.04.4) noble-security; urgency=medium
* SECURITY UPDATE: Use after free
- debian/patches/CVE-2024-11235.patch: fix incorrect live-range
calculation in Zend/zend_opcode.c and add tests in
Zend/tests/ghsa-rwp7-7vc6-8477_001.phpt,
Zend/tests/ghsa-rwp7-7vc6-8477_002.phpt,
Zend/tests/ghsa-rwp7-7vc6-8477_003.phpt.
- CVE-2024-11235
* SECURITY UPDATE: Incorrect MIME type
- debian/patches/CVE-2025-1217.patch: adds HTTP header folding
support for HTTP wrapper response headers in
ext/standard/http_fopen_wrapper.c and add tests in
ests/http/ghsa-v8xr-gpvj-cx9g-001.phpt,
tests/http/ghsa-v8xr-gpvj-cx9g-002.phpt,
tests/http/ghsa-v8xr-gpvj-cx9g-003.phpt,
tests/http/ghsa-v8xr-gpvj-cx9g-004.phpt,
tests/http/ghsa-v8xr-gpvj-cx9g-005.phpt,
tests/http/http_response_header_05.phpt.
- CVE-2025-1217
* SECURITY UPDATE: Wrong content-type requesting a redirected resource
- debian/patches/CVE-2025-1219.patch: fix in ext/libxml/mime_sniff.c.
- CVE-2025-1219
* SECURITY UPDATE: Invalid header
- debian/patches/CVE-2025-1734.patch: fix in ext/standard/http_fopen_wrapper.c
and add tests in
ext/standard/tests/http/bug47021.phpt,
ext/standard/tests/http/bug75535.phpt,
tests/http/ghsa-pcmh-g36c-qc44-001.phpt,
tests/http/ghsa-pcmh-g36c-qc44-002.phpt.
- CVE-2025-1734
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2025-1736.patch: httu user header check
of crlf in ext/standard/http_fopen_wrapper.c and add tests
in tests/http/ghsa-hgf5-96fm-v528-001.phpt,
tests/http/ghsa-hgf5-96fm-v528-002.phpt,
tests/http/ghsa-hgf5-96fm-v528-003.phpt.
- CVE-2025-1736
* SECURITY UPDATE: Location truncation
- debian/patches/CVE-2025-1861.patch: converts the
allocation of location to be on heap instead of stack
in ext/standard/http_fopen_wrapper.c and add tests in
tests/http/ghsa-52jp-hrpf-2jff-001.phpt,
tests/http/ghsa-52jp-hrpf-2jff-002.phpt.
- CVE-2025-1861
* debian/patches/0001-Fix-GH-16955-Use-empheral-ports-for-OpenSSL-server-c.patch
added in order to fix all the tests added in the CVE above.
-- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com> Wed, 19 Mar 2025 07:08:38 -0300
php8.3 (8.3.6-0ubuntu0.24.04.3) noble-security; urgency=medium
* SECURITY UPDATE: Buffer over read
- debian/patches/CVE-2024-11233.patch: re arrange
bound check code in ext/standard/filters.c,
ext/standard/tests/filters/ghsa-r977-prxv-hc43.phpt.
- CVE-2024-11233
* SECURITY UPDATE: HTTP request smuggling
- debian/patches/CVE-2024-11234.patch: avoiding
fulluri CRLF injection in ext/standard/http_fopen_wrapper.c.
.../tests/http/ghsa-c5f2-jwm7-mmq2.phpt.
- CVE-2024-11234
* SECURITY UPDATE: Integer overflow
- debian/patches/CVE-2024-11236-1.patch: adding an extralen check
to avoid integer overflow in ext/pdo_dblib/dblib_driver.c,
ext/pdo_dblib/tests/GHSA-5hqh-c84r-qjcv.phpt.
- debian/patches/CVE-2024-11236-2.patch: change qcount to size_t in
order to avoid integer overflow and adding checks in
ext/pdo_firebird/firebird_driver.c.
- CVE-2024-11236
* SECURITY UPDATE: Heap buffer over-reads
- debian/patches/CVE-2024-8929.patch: fix buffer over-reads in
ext/mysqlnd/mysqlnd_ps_codec.c,
ext/mysqlnd/mysqlnd_wireprotocol.c, and create some phpt tests.
- CVE-2024-8929
* SECURITY UPDATE: Integer overflow
- debian/patches/CVE-2024-8932.patch: fix OOB in access in
ldap_escape in ext/ldap/ldap.c,
ext/ldap/tests/GHSA-g665-fm4p-vhff-1.phpt,
ext/ldap/tests/GHSA-g665-fm4p-vhff-2.phpt.
- CVE-2024-8932
-- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com> Mon, 02 Dec 2024 09:36:18 -0300
php8.3 (8.3.6-0ubuntu0.24.04.2) noble-security; urgency=medium
* SECURITY UPDATE: Erroneous parsing of multipart form data
- debian/patches/CVE-2024-8925.patch: limit bounday size in
main/rfc1867.c, tests/basic/*.
- CVE-2024-8925
* SECURITY UPDATE: cgi.force_redirect configuration can be bypassed due
to environment variable collision
- debian/patches/CVE-2024-8927.patch: check for REDIRECT_STATUS in
sapi/cgi/cgi_main.c.
- CVE-2024-8927
* SECURITY UPDATE: Logs from childrens may be altered
- debian/patches/CVE-2024-9026.patch: properly calculate size in
sapi/fpm/fpm/fpm_stdio.c, sapi/fpm/tests/*.
- CVE-2024-9026
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 30 Sep 2024 11:17:17 -0400
php8.3 (8.3.6-0ubuntu0.24.04.1) noble-security; urgency=medium
* SECURITY UPDATE: Invalid user information
- debian/patches/CVE-2024-5458.patch: improves filters validation
in ext/filter/logical_filters.c and adds test
in ext/filter/tests/ghsa-w8qr-v226-r27w.phpt.
- CVE-2024-5458
-- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com> Thu, 13 Jun 2024 12:23:20 -0300
php8.3 (8.3.6-0maysync1) noble; urgency=medium
* Merge with Debian's VCS. No remaining changes. (LP: #2061147)
-- Athos Ribeiro <athos.ribeiro@canonical.com> Mon, 15 Apr 2024 16:21:47 -0300
php8.3 (8.3.6-1) experimental; urgency=medium
* New upstream version 8.3.6
-- Ondřej Surý <ondrej@debian.org> Thu, 11 Apr 2024 22:16:27 +0200
php8.3 (8.3.4-1build1) noble; urgency=medium
* No-change rebuild for CVE-2024-3094
-- Steve Langasek <steve.langasek@ubuntu.com> Sun, 31 Mar 2024 08:14:14 +0000
php8.3 (8.3.4-1) experimental; urgency=medium
[ Ondřej Surý ]
* New upstream version 8.3.4
* Just don't set PHP extra version at all - it makes a little
sense when we are just updating upstream versions
* Remove hardcoded dependency on libmagic1 (Closes: #1065985)
[ Andrey Rakhmatullin ]
* Fix FTBFS with -Werror=implicit-function-declaration (Closes: #1066234).
-- Ondřej Surý <ondrej@debian.org> Sat, 16 Mar 2024 09:31:56 +0100
php8.3 (8.3.3-1) experimental; urgency=medium
* New upstream version 8.3.3
-- Ondřej Surý <ondrej@debian.org> Thu, 15 Feb 2024 19:30:31 +0100
php8.3 (8.3.2-1) experimental; urgency=medium
[ Ondřej Surý ]
* New upstream version 8.3.2
[ Athos Ribeiro ]
* Fix PHP_EXTRA_VERSION setting
* Test the PHP_EXTRA_VERSION setting
* Move disabling the upstream GC routine to a patch (Closes: #831752)
-- Ondřej Surý <ondrej@debian.org> Sat, 20 Jan 2024 14:05:31 +0100
php8.3 (8.3.1-1) experimental; urgency=medium
* New upstream version 8.3.1
-- Ondřej Surý <ondrej@debian.org> Thu, 21 Dec 2023 21:05:27 +0100
php8.3 (8.3.0-5) experimental; urgency=medium
* Disable avx512vbmi detection with gcc < 6
-- Ondřej Surý <ondrej@debian.org> Tue, 05 Dec 2023 08:12:00 +0100
php8.3 (8.3.0-4) experimental; urgency=medium
* Disable AVX detection with GCC < 6
-- Ondřej Surý <ondrej@debian.org> Mon, 04 Dec 2023 19:54:57 +0100
php8.3 (8.3.0-3) experimental; urgency=medium
* Also disable avx detection with older compilers
-- Ondřej Surý <ondrej@debian.org> Sun, 03 Dec 2023 08:59:08 +0100
php8.3 (8.3.0-2) experimental; urgency=medium
* We also have to disable assembly code with gcc 4.9 on i386.
-- Ondřej Surý <ondrej@debian.org> Sat, 02 Dec 2023 22:10:03 +0100
php8.3 (8.3.0-1) experimental; urgency=medium
* New upstream version 8.3.0
-- Ondřej Surý <ondrej@debian.org> Fri, 24 Nov 2023 09:03:44 +0100
php8.3 (8.3.0~rc5-1) experimental; urgency=medium
* New upstream version 8.3.0~rc5
-- Ondřej Surý <ondrej@debian.org> Thu, 26 Oct 2023 08:55:54 +0200
php8.3 (8.3.0~rc3-1) experimental; urgency=medium
* Reintroduce patch to copy config.guess, config.sub, and ltmain.sh
* New upstream version 8.3.0~rc3
-- Ondřej Surý <ondrej@debian.org> Fri, 06 Oct 2023 11:18:21 +0200
php8.3 (8.3.0~rc1-1) experimental; urgency=medium
* New upstream version 8.3.0~rc1
* Bump PHPAPI to 20230831
-- Ondřej Surý <ondrej@debian.org> Sat, 02 Sep 2023 08:28:02 +0200
php8.3 (8.3.0~beta3-2) experimental; urgency=medium
* Disable DTrace as it still FTBFS
-- Ondřej Surý <ondrej@debian.org> Tue, 29 Aug 2023 11:19:05 +0200
php8.3 (8.3.0~beta3-1) experimental; urgency=medium
* New upstream version 8.3.0~beta3
-- Ondřej Surý <ondrej@debian.org> Tue, 29 Aug 2023 09:27:19 +0200
php8.3 (8.3.0~beta2-1) experimental; urgency=medium
* New upstream version 8.3.0~beta2
* Remove DTrace build patch, fixed upstream
* Enable DTrace on all architectures
* Pull patch to fix DTrace enabled build
-- Ondřej Surý <ondrej@debian.org> Sun, 20 Aug 2023 13:28:13 +0200
php8.3 (8.3.0~alpha3-1) experimental; urgency=medium
* New upstream version 8.3.0~alpha3
* Bump PHPAPI to 20220830
-- Ondřej Surý <ondrej@debian.org> Mon, 10 Jul 2023 09:57:19 +0200
php8.3 (8.3.0~alpha1-1) experimental; urgency=low
* New upstream version 8.3.0~alpha1
-- Ondřej Surý <ondrej@debian.org> Fri, 09 Jun 2023 19:15:41 +0200
php8.2 (8.2.6-1) unstable; urgency=medium
* New upstream version 8.2.6
-- Ondřej Surý <ondrej@debian.org> Fri, 12 May 2023 08:08:36 +0200
php8.2 (8.2.5-2) unstable; urgency=medium
* Hard code sed path to /bin/sed (Closes: #1034423)
* Remove timestamps from phar (Closes: #1034892)
-- Ondřej Surý <ondrej@debian.org> Thu, 27 Apr 2023 10:13:47 +0200
php8.2 (8.2.5-1) unstable; urgency=medium
* New upstream version 8.2.5
-- Ondřej Surý <ondrej@debian.org> Fri, 14 Apr 2023 06:07:56 +0200
php8.2 (8.2.4-1) unstable; urgency=medium
* New upstream version 8.2.4
-- Ondřej Surý <ondrej@debian.org> Thu, 16 Mar 2023 15:24:40 +0100
php8.2 (8.2.3-1) unstable; urgency=medium
* New upstream version 8.2.3 (Closes: #1031368)
+ CVE-2023-0567: Fixed bug #81744 (Password_verify() always return true
with some hash).
+ CVE-2023-0568: Fixed bug #81746 (1-byte array overrun in common path
resolve code).
+ CVE-2023-0662: Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when
parsing multipart request body).
-- Ondřej Surý <ondrej@debian.org> Tue, 14 Feb 2023 17:51:54 +0100
php8.2 (8.2.2-3) unstable; urgency=medium
* Disable OPcache JIT by default (fixup)
-- Ondřej Surý <ondrej@debian.org> Tue, 07 Feb 2023 12:27:52 +0100
php8.2 (8.2.2-2) unstable; urgency=medium
* Disable OPcache JIT by default (can be re-enabled at runtime)
-- Ondřej Surý <ondrej@debian.org> Tue, 07 Feb 2023 11:54:06 +0100
php8.2 (8.2.2-1) unstable; urgency=medium
* New upstream version 8.2.2
-- Ondřej Surý <ondrej@debian.org> Fri, 03 Feb 2023 10:34:17 +0100
php8.2 (8.2.1-2) unstable; urgency=medium
* Fix GH-10187: Segfault in stripslashes() with arm64
-- Ondřej Surý <ondrej@debian.org> Fri, 13 Jan 2023 11:35:02 +0100
php8.2 (8.2.1-1) unstable; urgency=medium
* New upstream version 8.2.1
-- Ondřej Surý <ondrej@debian.org> Fri, 06 Jan 2023 16:12:40 +0100
php8.2 (8.2.0-4) unstable; urgency=medium
* Upload to unstable
-- Ondřej Surý <ondrej@debian.org> Thu, 05 Jan 2023 13:39:04 +0100
php8.2 (8.2.0-3) experimental; urgency=medium
* Revert "Disable xxHash vectorization on ppc64el"
* Pull xxHash ppc64el fix from xxHash upstream
-- Ondřej Surý <ondrej@debian.org> Sat, 10 Dec 2022 11:52:05 +0100
php8.2 (8.2.0-2) experimental; urgency=medium
* Disable xxHash vectorization on ppc64el
-- Ondřej Surý <ondrej@debian.org> Sat, 10 Dec 2022 11:40:36 +0100
php8.2 (8.2.0-1) experimental; urgency=medium
* Update d/watch for PHP 8.2.0
* New upstream version 8.2.0
-- Ondřej Surý <ondrej@debian.org> Thu, 08 Dec 2022 14:09:11 +0100
php8.2 (8.2.0~rc7-1) experimental; urgency=medium
* New upstream version 8.2.0~rc7
-- Ondřej Surý <ondrej@debian.org> Sat, 26 Nov 2022 15:11:52 +0100
php8.2 (8.2.0~rc5-1) experimental; urgency=medium
* New upstream version 8.2.0~rc5
+ CVE-2022-31630: OOB read due to insufficient input validation in
imageloadfont()
+ CVE-2022-37454: buffer overflow in hash_update() on long parameter
-- Ondřej Surý <ondrej@debian.org> Fri, 28 Oct 2022 19:55:40 +0200
php8.2 (8.2.0~rc4-1) experimental; urgency=medium
* New upstream version 8.2.0~rc4
-- Ondřej Surý <ondrej@debian.org> Mon, 24 Oct 2022 12:09:06 +0200
php8.2 (8.2.0~rc3-1) experimental; urgency=medium
* New upstream version 8.2.0~rc3
+ CVE-2022-31628: phar wrapper: DOS when using quine gzip file.
+ CVE-2022-31629: Don't mangle HTTP variable names that clash with
ones that have a specific semantic meaning.
-- Ondřej Surý <ondrej@debian.org> Mon, 24 Oct 2022 12:08:58 +0200
php8.2 (8.2.0~rc1-2) experimental; urgency=medium
* Use media-types instead of mime-support (Closes: #1010155)
* Make the build (mostly) reproducible (Closes: #1001648)
* Export SED := /bin/sed in d/rules (Closes: #1015188)
-- Ondřej Surý <ondrej@debian.org> Sun, 18 Sep 2022 12:02:59 +0200
php8.2 (8.2.0~rc1-1) experimental; urgency=medium
* New upstream version 8.2.0~rc1
* Bump d/phpapi to 20220829
-- Ondřej Surý <ondrej@debian.org> Wed, 14 Sep 2022 12:20:18 +0200
php8.2 (8.2.0~beta2-1) experimental; urgency=medium
[ Simon Deziel ]
* debian: use non-capturing group with FilesMatch
* Add a brief comment explaning non-capturing group regexes
[ Ondřej Surý ]
* New upstream version 8.2.0~beta2
-- Ondřej Surý <ondrej@debian.org> Mon, 15 Aug 2022 11:37:56 +0200
php8.2 (8.2.0~alpha3-1) experimental; urgency=medium
* d/watch: Switch upstream location, add alpha/beta/rc version mangling
* Add Sergey Panteleev signing key
* New upstream version 8.2.0~alpha3
-- Ondřej Surý <ondrej@debian.org> Thu, 07 Jul 2022 18:18:07 +0200
php8.2 (8.2.0~alpha2-1) experimental; urgency=medium
* New upstream version 8.2.0~alpha2
* Refresh patches for PHP 8.2
* Update phpapi for PHP 8.2
-- Ondřej Surý <ondrej@debian.org> Wed, 06 Jul 2022 16:06:45 +0200
php8.1 (8.1.7-2) unstable; urgency=medium
* Add Provides: php-json to PHP SAPIS
-- Ondřej Surý <ondrej@debian.org> Sat, 25 Jun 2022 09:57:04 +0200
php8.1 (8.1.7-1) unstable; urgency=medium
* New upstream version 8.1.7
-- Ondřej Surý <ondrej@debian.org> Fri, 10 Jun 2022 14:16:47 +0200
php8.1 (8.1.6-1) unstable; urgency=medium
* New upstream version 8.1.6
-- Ondřej Surý <ondrej@debian.org> Tue, 17 May 2022 18:42:21 +0200
php8.1 (8.1.5-1) unstable; urgency=medium
* New upstream version 8.1.5
-- Ondřej Surý <ondrej@debian.org> Thu, 21 Apr 2022 11:51:30 +0200
php8.1 (8.1.4-1) unstable; urgency=medium
* New upstream version 8.1.4
-- Ondřej Surý <ondrej@debian.org> Sun, 20 Mar 2022 17:43:51 +0100
php8.1 (8.1.3-1) unstable; urgency=medium
* New upstream version 8.1.3
+ CVE-2021-21708: Fix use-after-free due to php_filter_float() failing
for ints (Closes: #1006672)
-- Ondřej Surý <ondrej@debian.org> Mon, 21 Feb 2022 15:47:42 +0100
php8.1 (8.1.2-1) unstable; urgency=medium
* New upstream version 8.1.2
-- Ondřej Surý <ondrej@debian.org> Mon, 24 Jan 2022 11:36:08 +0100
php8.1 (8.1.1-4) unstable; urgency=medium
* Override result of AC_PROG_LN_S to fix FTBFS on ppc64el
-- Ondřej Surý <ondrej@debian.org> Mon, 03 Jan 2022 15:34:56 +0100
php8.1 (8.1.1-3) unstable; urgency=medium
* Fail the build when the dtrace call fails (Closes: #1000784)
-- Ondřej Surý <ondrej@debian.org> Fri, 31 Dec 2021 10:25:19 +0100
php8.1 (8.1.1-2) unstable; urgency=medium
* Lower the OpenSSL requirement to 1.0.1
-- Ondřej Surý <ondrej@debian.org> Fri, 31 Dec 2021 08:25:33 +0100
php8.1 (8.1.1-1) unstable; urgency=medium
* New upstream version 8.1.1
-- Ondřej Surý <ondrej@debian.org> Mon, 20 Dec 2021 22:13:08 +0100
php8.1 (8.1.0-1) unstable; urgency=medium
* Update d/watch for final PHP 8.1
* New upstream version 8.1.0
-- Ondřej Surý <ondrej@debian.org> Thu, 25 Nov 2021 20:57:29 +0100
php8.1 (8.1.0~rc6-3) unstable; urgency=medium
* Backported from 7.3.33
- XML:
. Fix #79971: special character is breaking the path in xml function.
(CVE-2021-21707)
-- Ondřej Surý <ondrej@debian.org> Fri, 19 Nov 2021 07:45:31 +0100
php8.1 (8.1.0~rc6-2) unstable; urgency=medium
[ Pino Toscano ]
* Enable AppArmor (--with-fpm-apparmor) only on Linux archs
(Closes: #999495)
* Fix Vcs-* fields
-- Ondřej Surý <ondrej@debian.org> Sat, 13 Nov 2021 12:54:26 +0100
php8.1 (8.1.0~rc6-1) unstable; urgency=medium
* Update d/watch for updated location
* New upstream version 8.1.0~rc6
-- Ondřej Surý <ondrej@debian.org> Thu, 11 Nov 2021 20:50:27 +0100
php8.1 (8.1.0~rc5-2) unstable; urgency=medium
* d/rules: Fix FTBFS on armhf. Use -mfpu=vfpv3-d16 in CFLAGS
(Pulled from Ubuntu.)
* Revert "Disable Zend fiber asm on armhf (FTBFS)"
-- Ondřej Surý <ondrej@debian.org> Wed, 10 Nov 2021 12:05:30 +0100
php8.1 (8.1.0~rc5-1) unstable; urgency=medium
* New upstream version 8.1.0~rc5
* Disable Zend fiber asm on armhf (FTBFS)
-- Ondřej Surý <ondrej@debian.org> Thu, 04 Nov 2021 15:57:08 +0100
php8.1 (8.1.0~rc4-1+u1) unstable; urgency=low
* Upload to unstable
-- Ondřej Surý <ondrej@debian.org> Mon, 25 Oct 2021 13:35:13 +0200
php8.1 (8.1.0~rc4-1) experimental; urgency=medium
* New upstream version 8.1.0~rc4
-- Ondřej Surý <ondrej@debian.org> Thu, 14 Oct 2021 18:09:23 +0200
php8.1 (8.1.0~rc2-1) experimental; urgency=medium
* New upstream version 8.1.0~rc2
-- Ondřej Surý <ondrej@debian.org> Thu, 23 Sep 2021 22:52:45 +0200
php8.1 (8.1.0~rc1-1) experimental; urgency=medium
* New upstream version 8.1.0~rc1
* Update the systz patch to v21
* Add Patrick Allaert GPG key as upstream signing key
* Bump PHPAPI to 20210902
-- Ondřej Surý <ondrej@debian.org> Mon, 13 Sep 2021 18:23:41 +0200
php8.1 (8.1.0~beta3-1) experimental; urgency=medium
* New upstream version 8.1.0~beta3
* Check for symlink before removing directory in the postrm scripts
* Update packaging and patches for PHP 8.1.0 beta3
-- Ondřej Surý <ondrej@debian.org> Wed, 25 Aug 2021 15:12:26 +0200
php8.0 (8.0.9-1) unstable; urgency=medium
* New upstream version 8.0.9
-- Ondřej Surý <ondrej@debian.org> Fri, 30 Jul 2021 15:01:13 +0200
php8.0 (8.0.8-1) unstable; urgency=medium
* New upstream version 8.0.8 (Closes: #990575)
+ CVE-2021-21705: SSRF bypass in FILTER_VALIDATE_URL
+ CVE-2021-21704: Stack buffer overflow in firebird_info_cb
+ CVE-2021-21704: SIGSEGV in firebird_handle_doer
+ CVE-2021-21704: SIGSEGV in firebird_stmt_execute
+ CVE-2021-21704: Crash while parsing blob data in firebird_fetch_blob
-- Ondřej Surý <ondrej@debian.org> Thu, 01 Jul 2021 17:25:46 +0200
php8.0 (8.0.7-1) unstable; urgency=medium
* Disable LTO (needed for Ubuntu Hirsute) - now for real
* New upstream version 8.0.7
-- Ondřej Surý <ondrej@debian.org> Fri, 04 Jun 2021 12:03:18 +0200
php8.0 (8.0.5-2) unstable; urgency=medium
* Disable LTO (needed for Ubuntu Hirsute)
* Revert: Fix bug #80892 PDO::PARAM_INT on pdo_pgsql
-- Ondřej Surý <ondrej@debian.org> Mon, 03 May 2021 13:29:29 +0200
php8.0 (8.0.5-1) unstable; urgency=medium
* New upstream version 8.0.5
-- Ondřej Surý <ondrej@debian.org> Sat, 01 May 2021 10:38:31 +0200
php8.0 (8.0.3-3) unstable; urgency=medium
* Allow printing credits buffer larger than 4k
-- Ondřej Surý <ondrej@debian.org> Sat, 03 Apr 2021 16:19:27 +0200
php8.0 (8.0.3-2) unstable; urgency=medium
* Update the packaging credits
-- Ondřej Surý <ondrej@debian.org> Thu, 18 Mar 2021 10:40:39 +0100
php8.0 (8.0.3-1) unstable; urgency=medium
* New upstream version 8.0.3
-- Ondřej Surý <ondrej@debian.org> Fri, 05 Mar 2021 08:50:54 +0100
php8.0 (8.0.2-7) unstable; urgency=medium
* Bump php-common depends to 1:81~
-- Ondřej Surý <ondrej@debian.org> Tue, 23 Feb 2021 15:58:27 +0100
php8.0 (8.0.2-6) unstable; urgency=medium
* Add example configuration to not pass URLs for missing files to
PHP-FPM
-- Ondřej Surý <ondrej@debian.org> Sat, 20 Feb 2021 17:48:30 +0100
php8.0 (8.0.2-5) unstable; urgency=medium
* Revert "Don't pass URLs for missing files to PHP-FPM"
-- Ondřej Surý <ondrej@debian.org> Fri, 19 Feb 2021 16:33:16 +0100
php8.0 (8.0.2-4) unstable; urgency=medium
[ Svante Signell ]
* Add patch to disable HR Timers on GNU Hurd (Closes: #951834)
* Add --without build-stamp to dh invocation
-- Ondřej Surý <ondrej@debian.org> Tue, 16 Feb 2021 19:42:14 +0100
php8.0 (8.0.2-3) unstable; urgency=medium
[ Sylvain Beucler ]
* Update obsolete/non-free FPM configuration procedure
[ Kevin Locke ]
* Don't pass URLs for missing files to PHP-FPM
[ Ondřej Surý ]
* Check if the logrotate script exists (GH #1534)
-- Ondřej Surý <ondrej@debian.org> Sun, 14 Feb 2021 15:02:37 +0100
php8.0 (8.0.2-2) unstable; urgency=medium
* Enable AppArmor support in FPM
* Enable FPM ACL support
-- Ondřej Surý <ondrej@debian.org> Fri, 12 Feb 2021 11:14:38 +0100
php8.0 (8.0.2-1) unstable; urgency=medium
* New upstream version 8.0.2
* Force hardcoded path to be /bin/sed (Closes: #960786)
-- Ondřej Surý <ondrej@debian.org> Sun, 07 Feb 2021 12:39:18 +0100
php8.0 (8.0.1-1) unstable; urgency=medium
* New upstream version 8.0.1
-- Ondřej Surý <ondrej@debian.org> Tue, 12 Jan 2021 11:05:21 +0100
php8.0 (8.0.0-1) unstable; urgency=medium
* Update d/watch for production PHP 8.0 release
* New upstream version 8.0.0
-- Ondřej Surý <ondrej@debian.org> Fri, 27 Nov 2020 12:28:33 +0100
php8.0 (8.0.0~rc3-4) unstable; urgency=medium
* Copy the files from auxdir in a separate variable to sync with PHP 7.3
and lower
-- Ondřej Surý <ondrej@debian.org> Sat, 31 Oct 2020 18:05:42 +0100
php8.0 (8.0.0~rc3-3) unstable; urgency=medium
* Move the non-m4 files from LIBTOOL_FILES to FILES_BUILD
-- Ondřej Surý <ondrej@debian.org> Sat, 31 Oct 2020 11:06:16 +0100
php8.0 (8.0.0~rc3-2) unstable; urgency=medium
* Move the system wide phpize files to LIBTOOL_FILES
-- Ondřej Surý <ondrej@debian.org> Sat, 31 Oct 2020 11:05:46 +0100
php8.0 (8.0.0~rc3-1) unstable; urgency=medium
* New upstream version 8.0.0~rc3
-- Ondřej Surý <ondrej@debian.org> Fri, 30 Oct 2020 20:32:59 +0100
php8.0 (8.0.0~rc1-6) unstable; urgency=medium
* In phpize, copy the foreign files from their respective packages
(libtool, pkg-config, shtool)
-- Ondřej Surý <ondrej@debian.org> Sun, 18 Oct 2020 21:42:45 +0200
php8.0 (8.0.0~rc1-5) unstable; urgency=medium
* Include all libtool files from phpize.m4
-- Ondřej Surý <ondrej@debian.org> Sun, 18 Oct 2020 13:38:45 +0200
php8.0 (8.0.0~rc1-4) unstable; urgency=medium
* Use system-wide pkg.m4 from pkg-config package in phpize
* Restore the patch to use system-wide libtool and pkg-config m4 files
-- Ondřej Surý <ondrej@debian.org> Sat, 17 Oct 2020 08:33:56 +0200
php8.0 (8.0.0~rc1-3) unstable; urgency=medium
[ Chris Hofstaedtler ]
* Use netcat-openbsd to build instead of netcat-traditional (Closes: #963261)
[ Pino Toscano ]
* Disable AppArmor support on non-Linux archs (Closes: #951857)
* Enable systemd integration only on Linux archs (Closes: #951834)
[ Ondřej Surý ]
* Use just php_module in the apache2 .load file
-- Ondřej Surý <ondrej@debian.org> Sun, 11 Oct 2020 16:01:02 +0200
php8.0 (8.0.0~rc1-2) unstable; urgency=medium
* Disable the MySQL extension testing as it's too complicated
-- Ondřej Surý <ondrej@debian.org> Sat, 10 Oct 2020 21:45:35 +0200
php8.0 (8.0.0~rc1-1) unstable; urgency=medium
* Regenerate d/control for PHP 8.0
* New upstream version 8.0.0~rc1
* Specify the socket via ./configure option rather than patch
* XMLRPC extension is no longer bundled
* The JSON extension is always available
* Fix syntax-error-in-dep5-copyright
* Update lintian overrides
* Remove obsolete d/NEWS
-- Ondřej Surý <ondrej@debian.org> Wed, 07 Oct 2020 20:11:17 +0200
php7.4 (7.4.11-1) unstable; urgency=medium
* New upstream version 7.4.11
-- Ondřej Surý <ondrej@debian.org> Tue, 06 Oct 2020 12:34:39 +0200
php7.4 (7.4.10-1) unstable; urgency=medium
* New upstream version 7.4.10
* Lower the minimal debhelper dependency to >= 9.20150101~
* Use libenchant-dev as Build-Depends alternative to libenchant-2-dev
* Remove deprecated calls from enchant-2 (Closes: #954855)
-- Ondřej Surý <ondrej@debian.org> Tue, 08 Sep 2020 12:22:27 +0200
php7.4 (7.4.9-2) unstable; urgency=medium
* Pull upstream patch for enchant-2 and change build-dep (Closes: #954855)
-- Ondřej Surý <ondrej@debian.org> Thu, 27 Aug 2020 15:37:23 +0200
php7.4 (7.4.9-1) unstable; urgency=medium
* New upstream version 7.4.9
-- Ondřej Surý <ondrej@debian.org> Fri, 07 Aug 2020 16:27:40 +0200
php7.4 (7.4.8-1) unstable; urgency=medium
* Finish updating the packaging to dh compat level 10
* New upstream version 7.4.8
* Adjust for upstream phar.phar -> phar7.4.phar binary rename
-- Ondřej Surý <ondrej@debian.org> Mon, 13 Jul 2020 18:35:53 +0200
php7.4 (7.4.7-1) unstable; urgency=medium
* New upstream version 7.4.7
-- Ondřej Surý <ondrej@debian.org> Fri, 12 Jun 2020 09:42:27 +0200
php7.4 (7.4.6-1) unstable; urgency=medium
* Properly detect CRC32 APIs on aarch64 from configure
* New upstream version 7.4.6
-- Ondřej Surý <ondrej@debian.org> Thu, 14 May 2020 11:59:59 +0200
php7.4 (7.4.5-1) unstable; urgency=medium
* New upstream version 7.4.5
-- Ondřej Surý <ondrej@debian.org> Sun, 19 Apr 2020 09:35:13 +0200
php7.4 (7.4.4-1) unstable; urgency=medium
* Add (non-existent yet) systemd-tmpfiles package as alternative to systemd
* php-fpm has to depend on procps due kill usage in systemd service file
(Closes: #861855)
* New upstream version 7.4.4
-- Ondřej Surý <ondrej@debian.org> Fri, 20 Mar 2020 14:45:16 +0100
php7.4 (7.4.3-4) unstable; urgency=medium
* Remove /etc/init/php@PHP_VERSION@-fpm.conf, not
/etc/init/php@PHP_VERSION@.conf (Closes: #951745)
-- Ondřej Surý <ondrej@debian.org> Sun, 23 Feb 2020 08:07:28 +0100
php7.4 (7.4.3-3) unstable; urgency=medium
* Fixup upstart removal (missing prepare-files update) (Closes: #951745)
-- Ondřej Surý <ondrej@debian.org> Fri, 21 Feb 2020 18:01:35 +0100
php7.4 (7.4.3-2) unstable; urgency=medium
* Remove the PIDFile= setting from systemd unit file (it should not be
needed with Type=notify)
* Use php-fpm-socket-helper from php-common >= 1:73 to update the
default socket
-- Ondřej Surý <ondrej@debian.org> Fri, 21 Feb 2020 09:59:48 +0100
php7.4 (7.4.3-1) unstable; urgency=medium
* Remove upstart support, use systemd-tmpfiles to create tmpfiles
(Closes: #923032)
* New upstream version 7.4.3
-- Ondřej Surý <ondrej@debian.org> Thu, 20 Feb 2020 13:12:06 +0100
php7.4 (7.4.2-7) unstable; urgency=medium
* Add a note about PIDFile= and pid= match in php-fpm.conf
* Silently ignore errors from update-alternatives in php-fpm.service
-- Ondřej Surý <ondrej@debian.org> Sat, 08 Feb 2020 13:04:50 +0100
php7.4 (7.4.2-6) unstable; urgency=medium
* Use absolute path to update-alternatives
-- Ondřej Surý <ondrej@debian.org> Wed, 05 Feb 2020 17:47:54 +0100
php7.4 (7.4.2-5) unstable; urgency=medium
* Move the update-alternatives call from postinst/prerm to systemd startup script
-- Ondřej Surý <ondrej@debian.org> Sat, 01 Feb 2020 18:44:05 +0100
php7.4 (7.4.2-4) unstable; urgency=medium
* Make the creation of the default socket work on new installs
-- Ondřej Surý <ondrej@debian.org> Sat, 01 Feb 2020 14:11:48 +0100
php7.4 (7.4.2-3) unstable; urgency=medium
* Use a mock socket file for setting up FPM socket alternatives
-- Ondřej Surý <ondrej@debian.org> Sat, 01 Feb 2020 13:09:39 +0100
php7.4 (7.4.2-2) unstable; urgency=medium
* Create a generic /run/php/php-fpm.sock socket using update-alternatives
-- Ondřej Surý <ondrej@debian.org> Sat, 01 Feb 2020 10:17:27 +0100
php7.4 (7.4.2-1) unstable; urgency=medium
* New upstream version 7.4.2
* Disable dh_autoreconf for PHP, it breaks the build
-- Ondřej Surý <ondrej@debian.org> Thu, 23 Jan 2020 12:20:45 +0100
php7.4 (7.4.1-1) unstable; urgency=medium
* Update d/watch for final release
* New upstream version 7.4.1
* Bump the debhelper compat to 10
* Bump the Standards Version (no change)
-- Ondřej Surý <ondrej@debian.org> Tue, 21 Jan 2020 09:23:37 +0100
php7.4 (7.4.0-1) unstable; urgency=medium
* New upstream version 7.4.0
-- Ondřej Surý <ondrej@debian.org> Thu, 28 Nov 2019 08:25:29 +0100
php7.4 (7.4.0~rc6-1) experimental; urgency=medium
* Fix the FTBFS with MySQL 8.0
* New upstream version 7.4.0~rc6
-- Ondřej Surý <ondrej@debian.org> Tue, 19 Nov 2019 18:49:28 +0100
php7.4 (7.4.0~rc4-1) experimental; urgency=medium
* Bump d/phpapi to 20190902
* New upstream version 7.4.0~rc4
-- Ondřej Surý <ondrej@debian.org> Sat, 26 Oct 2019 11:10:04 +0200
php7.4 (7.4.0~rc3-1) experimental; urgency=medium
* New upstream version 7.4.0~rc3
* GMP now uses autodetection (don't pass /usr to configure)
* Bump d/phpapi to 20190902
-- Ondřej Surý <ondrej@sury.org> Tue, 08 Oct 2019 08:08:28 +0200
php7.4 (7.4.0~beta4-2) experimental; urgency=medium
* Enable FFI experimental extension
* Add libffi to B-D
-- Ondřej Surý <ondrej@sury.org> Wed, 28 Aug 2019 10:50:48 +0200
php7.4 (7.4.0~beta4-1) experimental; urgency=medium
* Remove 0003-libtool2.2.patch, it's no longer needed [GL #1236]
* New upstream version 7.4.0~beta4
-- Ondřej Surý <ondrej@sury.org> Tue, 27 Aug 2019 15:22:26 +0200
php7.4 (7.4.0~beta2-1) experimental; urgency=medium
* New upstream version 7.4.0~beta2
* Rebase patches for PHP 7.4.0~beta2
-- Ondřej Surý <ondrej@sury.org> Thu, 08 Aug 2019 13:41:59 +0200
php7.4 (7.4.0~beta1-1) experimental; urgency=medium
* New upstream version 7.4.0~beta1
* Rebase patches for PHP 7.4.0~beta1
* Configure option --with-libxml-dir is now named --with-libxml
* The recode extension has been moved to PECL.
* The interbase extension has been moved to PECL.
* The configure option for zip extension has changed from --enable-zip to --with-zlib
* The WDDX extension has been deprecated and moved to PECL.
* The configure options to enable GD extension has changed to --enable-gd and --with-external-gd
* Regenerated d/control
* Update the configure options according to UPGRADING file (mostly pkg-config related changes)
* Cleanup the missing documentation
* Update phpapi to 20190529
-- Ondřej Surý <ondrej@sury.org> Wed, 07 Aug 2019 17:47:41 +0200
php7.4 (7.4.0~alpha2-1) experimental; urgency=low
* New upstream version 7.4.0~alpha2
-- Ondřej Surý <ondrej@sury.org> Wed, 10 Jul 2019 09:36:25 +0200
php7.3 (7.3.7-1) unstable; urgency=medium
* New upstream version 7.3.7
-- Ondřej Surý <ondrej@sury.org> Wed, 10 Jul 2019 08:52:54 +0200
# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog php8.3-common`.
Generated by dwww version 1.16 on Mon Dec 15 20:49:53 CET 2025.