Changes since 5.1.6:
The key features of PHP 5.2.0 include:
* New memory manager for the Zend Engine with improved performance and a more
accurate memory usage tracking.
* Input filtering extension was added and enabled by default.
* JSON extension was added and enabled by default.
* ZIP extension for creating and editing zip files was introduced.
* Hooks for tracking file upload progress were introduced.
* Introduced E_RECOVERABLE_ERROR error mode.
* Introduced DateTime and DateTimeZone objects with methods to manipulate
date/time information.
* Upgraded bundled SQLite, PCRE libraries.
* Upgraded OpenSSL, MySQL and PostgreSQL client libraries for Windows
installations.
* Many performance improvements.
* Over 200 bug fixes.
Security Enhancements and Fixes in PHP 5.2.0:
* Made PostgreSQL escaping functions in PostgreSQL and PDO extension keep
track of character set encoding whenever possible.
* Added allow_url_include, set to Off by default to disallow use of URLs
for include and require.
* Disable realpath cache when open_basedir and safe_mode are being used.
* Improved safe_mode enforcement for error_log() function.
* Fixed a possible buffer overflow in the underlying code responsible
for htmlspecialchars() and htmlentities() functions.
* Added missing safe_mode and open_basedir checks for the cURL extension.
* Fixed overflow is str_repeat() & wordwrap() functions on 64bit machines.
* Fixed handling of long paths inside the tempnam() function.
* Fixed safe_mode/open_basedir checks for session.save_path, allowing them
to account for extra parameters.
* Fixed ini setting overload in the ini_restore() function.
For a full list of changes in PHP 5.2.0, see the ChangeLog:
http://www.php.net/ChangeLog-5.php#5.2.0
Also other notable extensions changes:
* filePRO extension removed (not in PECL yet, php-filepro disabled for PHP5)
* JSON added (not enabled by default, packaged in php-json)
* filter added (enabled by default)
* wddx rewritten to native libxml2, fixing several encoding bugs
Changes since 5.1.6:
The key features of PHP 5.2.0 include:
* New memory manager for the Zend Engine with improved performance and a more
accurate memory usage tracking.
* Input filtering extension was added and enabled by default.
* JSON extension was added and enabled by default.
* ZIP extension for creating and editing zip files was introduced.
* Hooks for tracking file upload progress were introduced.
* Introduced E_RECOVERABLE_ERROR error mode.
* Introduced DateTime and DateTimeZone objects with methods to manipulate
date/time information.
* Upgraded bundled SQLite, PCRE libraries.
* Upgraded OpenSSL, MySQL and PostgreSQL client libraries for Windows
installations.
* Many performance improvements.
* Over 200 bug fixes.
Security Enhancements and Fixes in PHP 5.2.0:
* Made PostgreSQL escaping functions in PostgreSQL and PDO extension keep
track of character set encoding whenever possible.
* Added allow_url_include, set to Off by default to disallow use of URLs
for include and require.
* Disable realpath cache when open_basedir and safe_mode are being used.
* Improved safe_mode enforcement for error_log() function.
* Fixed a possible buffer overflow in the underlying code responsible
for htmlspecialchars() and htmlentities() functions.
* Added missing safe_mode and open_basedir checks for the cURL extension.
* Fixed overflow is str_repeat() & wordwrap() functions on 64bit machines.
* Fixed handling of long paths inside the tempnam() function.
* Fixed safe_mode/open_basedir checks for session.save_path, allowing them
to account for extra parameters.
* Fixed ini setting overload in the ini_restore() function.
For a full list of changes in PHP 5.2.0, see the ChangeLog:
http://www.php.net/ChangeLog-5.php#5.2.0
Also other notable extensions changes:
* filePRO extension removed (not in PECL yet, php-filepro disabled for PHP5)
* JSON added (not enabled by default, packaged in php-json)
* filter added (enabled by default)
* wddx rewritten to native libxml2, fixing several encoding bugs
duplicates process resource limits, which already provide necessary
"safety net" protection against rogue scripts
bump PKGREVISION for this
adressess PR pkg/32007 by "pancake"
also remove --enable-track-vars, since that configure argument
is long gone from PHP
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
24 Aug 2006, PHP 5.1.6
- Fixed memory_limit on 64bit systems. (Stefan E.)
- Fixed bug #38488 (Access to "php://stdin" and family crashes PHP on win32).
(Dmitry)
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the buildlink3.mk files included as well as the depth at
which they are included.
For example, "make show-buildlink3" in fonts/Xft2 displays:
zlib
fontconfig
iconv
zlib
freetype2
expat
freetype2
Xrender
renderproto
Some of the key changes include:
* Disallow certain characters in session names.
* Fixed a buffer overflow inside the wordwrap() function.
* Prevent jumps to parent directory via the 2nd parameter of the
tempnam() function.
* Enforce safe_mode for the source parameter of the copy() function.
* Fixed cross-site scripting inside the phpinfo() function.
* Fixed offset/length parameter validation inside the substr_compare()
function.
* Fixed a heap corruption inside the session extension.
* Fixed a bug that would allow variable to survive unset().
* Fixed a number of crashes in the DOM, SOAP and PDO extensions.
* Upgraded bundled PCRE library to version 6.6
* The use of the var keyword to declare properties no longer raises
a deprecation E_STRICT.
* FastCGI interface was completely reimplemented.
* Multitude of improvements to the SPL, SimpleXML, GD, CURL and
Reflection extensions.
* Over 120 various bug fixes.
See release annoucement on:
http://www.php.net/release_5_1_3.php
And ChangeLog:
http://www.php.net/ChangeLog-5.php#5.1.3
them between "not critical" and "less critical".
Fix CVE-2006-0996, CVE-2006-1494, CVE-2006-1608, CVE-2006-1490.
See:
http://secunia.com/advisories/19383/http://secunia.com/advisories/19599/
Patches were extracted from CVS. I had to translate the one for
CVE-2006-1608 on php4 because it has not made its way to the php4.4 branch
(I don't know why; I can confirm it fixes the issue).
While here, add PATCHDIR to the list of variables php5's Makefile.php
defines. That way, ap-php gets patched too...
RECOMMENDED is removed. It becomes ABI_DEPENDS.
BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.
BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.
BUILDLINK_DEPENDS does not change.
IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".
Added to obsolete.mk checking for IGNORE_RECOMMENDED.
I did not manually go through and fix any aesthetic tab/spacing issues.
I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.
I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.
As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.
As discussed on tech-pkg.
I will commit to revbump, pkglint, pkg_install, createbuildlink separately.
Note that if you use wip, it will fail! I will commit to pkgsrc-wip
later (within day).
* HTTP Response Splitting has been addressed in ext/session and in
the header() function.
* Fixed format string vulnerability in ext/mysqli.
* Fixed possible cross-site scripting problems in certain error conditions.
* Hash & XMLWriter extensions added and enabled by default.
* Upgraded OCI8 extension.
* Over 85 various bug fixes.
(I haven't heard anything from the MAINTAINER but since this works fine
on my servers and as this fixes security issues I checked in this)
and to uncomment and explicitly set upload_tmp_dir, so that this works
out of box (patches adapted from www/php4)
pointed out by Martti Kuparinen on tech-pkg@
patch framework, the file is part of binary .phar archive and is
created during installation
this has been submitted as PHP bug #35544, so this may be adressed
upstream hopefully
* A complete rewrite of date handling code, with improved timezone support.
* Significant performance improvements compared to PHP 5.0.X.
* PDO extension is now enabled by default (separate pkg for pkgsrc)
* Over 30 new functions in various extensions and built-in functionality.
* Bundled libraries, PCRE and SQLite upgraded to latest versions.
* Over 400 various bug fixes.
* PEAR upgraded to version 1.4.5
This release also fixes various security problems discovered in 5.0.X.
This is done via an option group, default is CGI. Note that the
FastCGI interpreter can still be used for normal CGI, but there
might be security issues involved in doing so.
when the base PHP is compiled with openssl extension (e.g. ssl://, tls://
stream support, and couple others). These don't work when SSL support
is loaded via extension.
For this reason, make openssl extension unconditionally built-in
into the main PHP package, and g/c security/php-openssl.
serious security issues, as well as bunch of non-critical bug fixes.
All PHP5 users are strongly encouraged to upgrade to this version.
Detailed change list at:
http://www.php.net/ChangeLog-5.php#5.0.3
g/c no longer needed Makefile.module
add support for building extensions off PECL; version for PECL packages
is built as ${PHP_BASE_VERS}.${PECL_VERSION}, i.e. PECL pkg version 1.0
would become php-pkg-4.3.9.1.0 or php-pkg-5.0.2.1.0 respectively
to ${PREFIX}/libexec/cgi-bin; install also couple more files same way
as PHP4
Of particular note is that CLI ignores setting of register_argc_argv
(treats as if it would be On), so it's no longer necessary to do anything
special for Pear packages to work. g/c MESSAGE warning about the Pear issue.
