
Bug#991253: unblock: php7.4/7.4.21-1+deb11u1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: carnil@debian.org,ondrej@debian.org

Hi release team,

Please unblock package php7.4

As we do for stable, php7.4 will follow the upstream versions usually
in DSAs (as long as supported upstream). I noticed that there is not yet
an unblock request for php7.4/7.4.21-1+deb11u1 accordingly and it
would be good to start bullseye accordingly with the most current
php7.4 iteration.

Cc'ing Ondrej in case he wants to comment.

I'm not attaching the debdiff in this case, but just a filtered one on
the debian/* changes.

unblock php7.4/7.4.21-1+deb11u1

Regards,
Salvatore
diff -Nru php7.4-7.4.15/debian/changelog php7.4-7.4.21/debian/changelog
--- php7.4-7.4.15/debian/changelog	2021-02-20 10:45:56.000000000 +0100
+++ php7.4-7.4.21/debian/changelog	2021-07-02 05:59:48.000000000 +0200
@@ -1,3 +1,16 @@
+php7.4 (7.4.21-1+deb11u1) unstable; urgency=medium
+
+  * New upstream version 7.4.21
+   + CVE-2021-21705: SSRF bypass in FILTER_VALIDATE_URL
+   + CVE-2021-21704: Stack buffer overflow in firebird_info_cb
+   + CVE-2021-21704: SIGSEGV in firebird_handle_doer
+   + CVE-2021-21704: SIGSEGV in firebird_stmt_execute
+   + CVE-2021-21704: Crash while parsing blob data in firebird_fetch_blob
+  * Add example configuration to not pass URLs for missing files to
+    PHP-FPM
+
+ -- Ondřej Surý <ondrej@debian.org>  Fri, 02 Jul 2021 05:59:48 +0200
+
 php7.4 (7.4.15-5+deb11u1) unstable; urgency=medium
 
   * Add debian/bullseye/7.4 branch
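
Review bot: The last bullet of the new entry, "Add example configuration to not pass URLs for missing files to PHP-FPM", does not say which file changed or that the example ships commented out; naming debian/php-fpm.conf and stating that it is a disabled Apache example would make clear that default behaviour is unchanged. The entry also leaves out the refresh of the files under debian/patches that the rest of this debdiff shows, so a line such as "Refresh patches for 7.4.21" would account for them.
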
diff -Nru php7.4-7.4.15/debian/patches/0001-libtool_fixes.patch php7.4-7.4.21/debian/patches/0001-libtool_fixes.patch
--- php7.4-7.4.15/debian/patches/0001-libtool_fixes.patch	2021-02-20 10:45:56.000000000 +0100
+++ php7.4-7.4.21/debian/patches/0001-libtool_fixes.patch	2021-07-02 05:59:48.000000000 +0200
@@ -7,7 +7,7 @@
  1 file changed, 2 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index 5cc8c7c..80bc606 100644
+index f03e8ba..2995fb1 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -1435,8 +1435,6 @@ AC_PROVIDE_IFELSE([PHP_REQUIRE_CXX], [], [
diff -Nru php7.4-7.4.15/debian/patches/0002-debian_quirks.patch php7.4-7.4.21/debian/patches/0002-debian_quirks.patch
--- php7.4-7.4.15/debian/patches/0002-debian_quirks.patch	2021-02-20 10:45:56.000000000 +0100
+++ php7.4-7.4.21/debian/patches/0002-debian_quirks.patch	2021-07-02 05:59:48.000000000 +0200
@@ -13,7 +13,7 @@
  7 files changed, 21 insertions(+), 16 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index 80bc606..6dda0c8 100644
+index 2995fb1..3ba7ba1 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -1133,7 +1133,7 @@ fi
@@ -70,7 +70,7 @@
  ; Windows: "\path1;\path2"
  ;include_path = ".;c:\php\includes"
 diff --git a/sapi/cli/php.1.in b/sapi/cli/php.1.in
-index 400f7b0..882f640 100644
+index 1f9d92f..9179a3b 100644
 --- a/sapi/cli/php.1.in
 +++ b/sapi/cli/php.1.in
 @@ -365,13 +365,14 @@ Shows configuration for extension
diff -Nru php7.4-7.4.15/debian/patches/0003-php-5.4.9-phpinfo.patch php7.4-7.4.21/debian/patches/0003-php-5.4.9-phpinfo.patch
--- php7.4-7.4.15/debian/patches/0003-php-5.4.9-phpinfo.patch	2021-02-20 10:45:56.000000000 +0100
+++ php7.4-7.4.21/debian/patches/0003-php-5.4.9-phpinfo.patch	2021-07-02 05:59:48.000000000 +0200
@@ -11,10 +11,10 @@
  2 files changed, 4 deletions(-)
 
 diff --git a/ext/standard/info.c b/ext/standard/info.c
-index 1e58b31..c330d00 100644
+index 120d442..3c9b7e2 100644
 --- a/ext/standard/info.c
 +++ b/ext/standard/info.c
-@@ -809,9 +809,6 @@ PHPAPI ZEND_COLD void php_print_info(int flag)
+@@ -810,9 +810,6 @@ PHPAPI ZEND_COLD void php_print_info(int flag)
  #ifdef ARCHITECTURE
  		php_info_print_table_row(2, "Architecture", ARCHITECTURE);
  #endif
diff -Nru php7.4-7.4.15/debian/patches/0004-extension_api.patch php7.4-7.4.21/debian/patches/0004-extension_api.patch
--- php7.4-7.4.15/debian/patches/0004-extension_api.patch	2021-02-20 10:45:56.000000000 +0100
+++ php7.4-7.4.21/debian/patches/0004-extension_api.patch	2021-07-02 05:59:48.000000000 +0200
@@ -8,7 +8,7 @@
  2 files changed, 8 insertions(+), 1 deletion(-)
 
 diff --git a/configure.ac b/configure.ac
-index 6dda0c8..f7383aa 100644
+index 3ba7ba1..3e47a91 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -1239,8 +1239,10 @@ ZEND_MODULE_API_NO=`$EGREP '#define ZEND_MODULE_API_NO ' $srcdir/Zend/zend_modul
diff -Nru php7.4-7.4.15/debian/patches/0007-php-5.4.7-libdb.patch php7.4-7.4.21/debian/patches/0007-php-5.4.7-libdb.patch
--- php7.4-7.4.15/debian/patches/0007-php-5.4.7-libdb.patch	2021-02-20 10:45:56.000000000 +0100
+++ php7.4-7.4.21/debian/patches/0007-php-5.4.7-libdb.patch	2021-07-02 05:59:48.000000000 +0200
@@ -76,7 +76,7 @@
  PHP_DBA_STD_RESULT(db4,Berkeley DB4)
  
 diff --git a/ext/dba/dba.c b/ext/dba/dba.c
-index 9529935..0203917 100644
+index 9581a57..21d3f11 100644
 --- a/ext/dba/dba.c
 +++ b/ext/dba/dba.c
 @@ -51,6 +51,10 @@
diff -Nru php7.4-7.4.15/debian/patches/0011-session_save_path.patch php7.4-7.4.21/debian/patches/0011-session_save_path.patch
--- php7.4-7.4.15/debian/patches/0011-session_save_path.patch	2021-02-20 10:45:56.000000000 +0100
+++ php7.4-7.4.21/debian/patches/0011-session_save_path.patch	2021-07-02 05:59:48.000000000 +0200
@@ -9,7 +9,7 @@
  3 files changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/ext/session/session.c b/ext/session/session.c
-index 1efe220..b485436 100644
+index 8fb6dd2..72f0fed 100644
 --- a/ext/session/session.c
 +++ b/ext/session/session.c
 @@ -789,7 +789,7 @@ static PHP_INI_MH(OnUpdateRfc1867Freq) /* {{{ */
diff -Nru php7.4-7.4.15/debian/patches/0012-php-fpm-man-section-and-cleanup.patch php7.4-7.4.21/debian/patches/0012-php-fpm-man-section-and-cleanup.patch
--- php7.4-7.4.15/debian/patches/0012-php-fpm-man-section-and-cleanup.patch	2021-02-20 10:45:56.000000000 +0100
+++ php7.4-7.4.21/debian/patches/0012-php-fpm-man-section-and-cleanup.patch	2021-07-02 05:59:48.000000000 +0200
@@ -7,7 +7,7 @@
  1 file changed, 2 insertions(+), 20 deletions(-)
 
 diff --git a/sapi/fpm/php-fpm.8.in b/sapi/fpm/php-fpm.8.in
-index edff796..66dedf3 100644
+index 972c242..002c44b 100644
 --- a/sapi/fpm/php-fpm.8.in
 +++ b/sapi/fpm/php-fpm.8.in
 @@ -139,22 +139,8 @@ The configuration file for the php-fpm daemon.
diff -Nru php7.4-7.4.15/debian/patches/0015-lp564920-fix-big-files.patch php7.4-7.4.21/debian/patches/0015-lp564920-fix-big-files.patch
--- php7.4-7.4.15/debian/patches/0015-lp564920-fix-big-files.patch	2021-02-20 10:45:56.000000000 +0100
+++ php7.4-7.4.21/debian/patches/0015-lp564920-fix-big-files.patch	2021-07-02 05:59:48.000000000 +0200
@@ -7,7 +7,7 @@
  1 file changed, 7 insertions(+), 1 deletion(-)
 
 diff --git a/main/streams/plain_wrapper.c b/main/streams/plain_wrapper.c
-index 8bd2096..97b34a4 100644
+index d187c23..b8a35d8 100644
 --- a/main/streams/plain_wrapper.c
 +++ b/main/streams/plain_wrapper.c
 @@ -713,7 +713,13 @@ static int php_stdiop_set_option(php_stream *stream, int option, int value, void
diff -Nru php7.4-7.4.15/debian/patches/0019-php-5.3.9-gnusrc.patch php7.4-7.4.21/debian/patches/0019-php-5.3.9-gnusrc.patch
--- php7.4-7.4.15/debian/patches/0019-php-5.3.9-gnusrc.patch	2021-02-20 10:45:56.000000000 +0100
+++ php7.4-7.4.21/debian/patches/0019-php-5.3.9-gnusrc.patch	2021-07-02 05:59:48.000000000 +0200
@@ -28,7 +28,7 @@
  /*
     +----------------------------------------------------------------------+
 diff --git a/configure.ac b/configure.ac
-index f7383aa..c240a2d 100644
+index 3e47a91..08c99ba 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -130,6 +130,8 @@ AC_DEFUN([PHP_EXT_DIR],[$config_m4_dir])dnl
@@ -41,7 +41,7 @@
  dnl ----------------------------------------------------------------------------
  
 diff --git a/ext/pdo_firebird/firebird_driver.c b/ext/pdo_firebird/firebird_driver.c
-index b1869f2..7a28fd5 100644
+index 3e403af..f16fdbc 100644
 --- a/ext/pdo_firebird/firebird_driver.c
 +++ b/ext/pdo_firebird/firebird_driver.c
 @@ -20,7 +20,6 @@
@@ -53,7 +53,7 @@
  #include "php.h"
  #include "zend_exceptions.h"
 diff --git a/ext/standard/file.c b/ext/standard/file.c
-index 12c21c9..5e5c785 100644
+index 3bd3421..9c0007e 100644
 --- a/ext/standard/file.c
 +++ b/ext/standard/file.c
 @@ -105,9 +105,6 @@ php_file_globals file_globals;
@@ -80,7 +80,7 @@
  #include "php_zlib.h"
  #include "fopen_wrappers.h"
 diff --git a/main/php.h b/main/php.h
-index dbd7673..dad168c 100644
+index c135a35..2ec51ac 100644
 --- a/main/php.h
 +++ b/main/php.h
 @@ -29,6 +29,7 @@
@@ -116,7 +116,7 @@
  #include "ext/standard/base64.h"
  
 diff --git a/main/streams/streams.c b/main/streams/streams.c
-index 5f6bf88..435c5d8 100644
+index c1ecf34..4b3335f 100644
 --- a/main/streams/streams.c
 +++ b/main/streams/streams.c
 @@ -19,7 +19,6 @@
diff -Nru php7.4-7.4.15/debian/patches/0020-php-5.3.3-macropen.patch php7.4-7.4.21/debian/patches/0020-php-5.3.3-macropen.patch
--- php7.4-7.4.15/debian/patches/0020-php-5.3.3-macropen.patch	2021-02-20 10:45:56.000000000 +0100
+++ php7.4-7.4.21/debian/patches/0020-php-5.3.3-macropen.patch	2021-07-02 05:59:48.000000000 +0200
@@ -9,7 +9,7 @@
  3 files changed, 5 insertions(+), 5 deletions(-)
 
 diff --git a/ext/dba/dba.c b/ext/dba/dba.c
-index 0203917..def10c6 100644
+index 21d3f11..ac2d212 100644
 --- a/ext/dba/dba.c
 +++ b/ext/dba/dba.c
 @@ -999,7 +999,7 @@ restart:
diff -Nru php7.4-7.4.15/debian/patches/0022-php-fpm-m68k.patch php7.4-7.4.21/debian/patches/0022-php-fpm-m68k.patch
--- php7.4-7.4.15/debian/patches/0022-php-fpm-m68k.patch	2021-02-20 10:45:56.000000000 +0100
+++ php7.4-7.4.21/debian/patches/0022-php-fpm-m68k.patch	2021-07-02 05:59:48.000000000 +0200
@@ -7,7 +7,7 @@
  1 file changed, 34 insertions(+)
 
 diff --git a/sapi/fpm/fpm/fpm_atomic.h b/sapi/fpm/fpm/fpm_atomic.h
-index ec9e4f1..39dedc7 100644
+index 6039b13..e3b0769 100644
 --- a/sapi/fpm/fpm/fpm_atomic.h
 +++ b/sapi/fpm/fpm/fpm_atomic.h
 @@ -3,6 +3,12 @@
diff -Nru php7.4-7.4.15/debian/patches/0023-expose_all_built_and_installed_apis.patch php7.4-7.4.21/debian/patches/0023-expose_all_built_and_installed_apis.patch
--- php7.4-7.4.15/debian/patches/0023-expose_all_built_and_installed_apis.patch	2021-02-20 10:45:56.000000000 +0100
+++ php7.4-7.4.21/debian/patches/0023-expose_all_built_and_installed_apis.patch	2021-07-02 05:59:48.000000000 +0200
@@ -8,7 +8,7 @@
  2 files changed, 5 insertions(+), 2 deletions(-)
 
 diff --git a/scripts/man1/php-config.1.in b/scripts/man1/php-config.1.in
-index 23aef10..18b06db 100644
+index dc1317b..57c5be3 100644
 --- a/scripts/man1/php-config.1.in
 +++ b/scripts/man1/php-config.1.in
 @@ -44,7 +44,7 @@ Full path to php CLI or CGI binary
diff -Nru php7.4-7.4.15/debian/patches/0026-php-fpm-do-reload-on-SIGHUP.patch php7.4-7.4.21/debian/patches/0026-php-fpm-do-reload-on-SIGHUP.patch
--- php7.4-7.4.15/debian/patches/0026-php-fpm-do-reload-on-SIGHUP.patch	2021-02-20 10:45:56.000000000 +0100
+++ php7.4-7.4.21/debian/patches/0026-php-fpm-do-reload-on-SIGHUP.patch	2021-07-02 05:59:48.000000000 +0200
@@ -53,7 +53,7 @@
  	    0 > sigaction(SIGQUIT,  &act,      0)) {
  
 diff --git a/sapi/fpm/php-fpm.8.in b/sapi/fpm/php-fpm.8.in
-index 66dedf3..c5649dc 100644
+index 002c44b..d0b5978 100644
 --- a/sapi/fpm/php-fpm.8.in
 +++ b/sapi/fpm/php-fpm.8.in
 @@ -150,7 +150,7 @@ Once started, php-fpm then responds to several POSIX signals:
diff -Nru php7.4-7.4.15/debian/patches/0028-php-5.4.9-fixheader.patch php7.4-7.4.21/debian/patches/0028-php-5.4.9-fixheader.patch
--- php7.4-7.4.15/debian/patches/0028-php-5.4.9-fixheader.patch	2021-02-20 10:45:56.000000000 +0100
+++ php7.4-7.4.21/debian/patches/0028-php-5.4.9-fixheader.patch	2021-07-02 05:59:48.000000000 +0200
@@ -8,7 +8,7 @@
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/configure.ac b/configure.ac
-index c240a2d..3b96345 100644
+index 08c99ba..9ba8c4f 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -1332,7 +1332,7 @@ PHP_BUILD_DATE=`date -u +%Y-%m-%d`
diff -Nru php7.4-7.4.15/debian/patches/0037-Really-expand-libdir-datadir-into-EXPANDED_LIBDIR-DA.patch php7.4-7.4.21/debian/patches/0037-Really-expand-libdir-datadir-into-EXPANDED_LIBDIR-DA.patch
--- php7.4-7.4.15/debian/patches/0037-Really-expand-libdir-datadir-into-EXPANDED_LIBDIR-DA.patch	2021-02-20 10:45:56.000000000 +0100
+++ php7.4-7.4.21/debian/patches/0037-Really-expand-libdir-datadir-into-EXPANDED_LIBDIR-DA.patch	2021-07-02 05:59:48.000000000 +0200
@@ -7,7 +7,7 @@
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index 3b96345..0c50d2a 100644
+index 9ba8c4f..1ca0e7f 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -1286,9 +1286,9 @@ EXPANDED_LOCALSTATEDIR=`eval echo $localstatedir`
diff -Nru php7.4-7.4.15/debian/php-fpm.conf php7.4-7.4.21/debian/php-fpm.conf
--- php7.4-7.4.15/debian/php-fpm.conf	2021-02-20 10:45:56.000000000 +0100
+++ php7.4-7.4.21/debian/php-fpm.conf	2021-07-02 05:59:48.000000000 +0200
@@ -9,6 +9,15 @@
     <FilesMatch ".+\.ph(ar|p|tml)$">
         SetHandler "proxy:unix:/run/php/php@PHP_VERSION@-fpm.sock|fcgi://localhost"
     </FilesMatch>
+# The default configuration works for most of the installation, however it could
+# be improved in various ways. One simple improvement is to not pass files that
+# doesn't exist to the handler as shown below, for more configuration examples
+# see https://wiki.apache.org/httpd/PHP-FPM
+#    <FilesMatch ".+\.ph(ar|p|tml)$">
+#        <If "-f %{REQUEST_FILENAME}">
+#            SetHandler "proxy:unix:/run/php/php@PHP_VERSION@-fpm.sock|fcgi://localhost"
+#        </If>
+#    </FilesMatch>
     <FilesMatch ".+\.phps$">
         # Deny access to raw php sources by default
         # To re-enable it's recommended to enable access to the files
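
Review bot: In the added comment block, the example repeats the same FilesMatch pattern as the active block directly above it, and nothing says it is meant as a replacement; if someone uncomments it and leaves the original in place, the unconditional SetHandler still applies and requests for missing files keep reaching the handler. Suggest wording the comment as "replace the block above with the following" and fixing "files that doesn't exist" to "files that don't exist". The comment lines also start at column 0 while the surrounding directives are indented, so indenting them to match would read better.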
