php5 packages for testing

To: debian-lts@lists.debian.org
Subject: php5 packages for testing
From: Thorsten Alteholz <debian@alteholz.de>
Date: Sun, 26 Apr 2015 15:41:33 +0200 (CEST)
Message-id: <[🔎] alpine.DEB.2.02.1504261533350.29161@jupiter.server.alteholz.net>

Hi,

I prepared a new php5 package for Squeeze LTS and would like to ask fortests. The packages for amd64 and i386 are available at:


  https://people.debian.org/~alteholz/packages/squeeze-lts/php5/

Please give it a try and tell me about any problems you met.

Thanks!
 Thorsten



php5 (5.3.3.1-7+squeeze26) squeeze-lts; urgency=high

  * Non-maintainer upload by the Squeeze LTS Team.
  * CVE-2014-9705.patch
    Heap-based buffer overflow in the enchant_broker_request_dict
    function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x
    before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers
    to execute arbitrary code via vectors that trigger creation of
    multiple dictionaries.
  * CVE-2015-0232.patch
    The exif_process_unicode function in ext/exif/exif.c in PHP
    before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5
    allows remote attackers to execute arbitrary code or cause a
    denial of service (uninitialized pointer free and application
    crash) via crafted EXIF data in a JPEG image.
  * CVE-2015-2301.patch
    Use-after-free vulnerability in the phar_rename_archive function
    in phar_object.c in PHP before 5.5.22 and 5.6.x before 5.6.6
    allows remote attackers to cause a denial of service or possibly
    have unspecified other impact via vectors that trigger an attempted
    renaming of a Phar archive to the name of an existing file.
  * CVE-2015-2331.patch
    Integer overflow in the _zip_cdir_new function in zip_dirent.c
    in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP
    before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 and
    other products, allows remote attackers to cause a denial of
    service (application crash) or possibly execute arbitrary code
    via a ZIP archive that contains many entries, leading to a
    heap-based buffer overflow.
  * CVE-2015-2348.patch
    The move_uploaded_file implementation in
    ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x
    before 5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon
    encountering a \x00 character, which allows remote attackers to
    bypass intended extension restrictions and create files with
    unexpected names via a crafted second argument.
    NOTE: this vulnerability exists because of an incomplete fix
          for CVE-2006-7243.
  * CVE-2015-2783.patch
    Buffer Over-read in unserialize when parsing Phar
  * CVE-2015-2787.patch
    Use-after-free vulnerability in the process_nested_data function
    in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x
    before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to
    execute arbitrary code via a crafted unserialize call that
    leverages use of the unset function within an __wakeup function,
    a related issue to CVE-2015-0231.
  * CVE-2015-3329.patch
    Buffer Overflow when parsing tar/zip/phar in phar_set_inode)
  * CVE-2015-3330.patch
    PHP potential remote code execution with apache 2.4 apache2handler
  * CVE-2015-temp-68819.patch
    denial of service when processing a crafted file with Fileinfo

 -- Thorsten Alteholz <debian@alteholz.de>  Sat, 25 Apr 2015 18:17:00 +0200

Reply to:

Follow-Ups:
- Re: php5 packages for testing
  - From: Jan Ingvoldstad <jan-debian-lts-2014@oyet.no>

Prev by Date: no public key available for ID 7638D0442B90D010
Next by Date: Re: Problem with signatures on LTS Release file
Previous by thread: no public key available for ID 7638D0442B90D010
Next by thread: Re: php5 packages for testing
Index(es):
- Date
- Thread