* Updated PCRE to version 7.0.
* Fixed segfault in ext/session when register_globals=On.
* Fixed (segfault in cURL extension).
* Fixed (possible cURL memory error).
* Fixed (imagettftext() multithreading issue).
* Fixed (ext/interbase compile failure).
* Fixed (PHP fastcgi with PHP_FCGI_CHILDREN don't kill children when parent is killed).
4.4.5
# Upgraded PEAR to 1.5.0.
# Updated PCRE to version 6.7.
# Moved extensions to PECL: ext/ovrimos
# Added a meta tag to phpinfo() output to prevent search engines from indexing the page.
# Backported a fix in the configure tests to detect the "rounding fuzz".
# Backported fix for ext/imap compilation failure with recent c-client versions.
# Fixed missing open_basedir check inside chdir() function.
# Fixed (Compile fails when using GCC 4.1.1/binutils 2.17).
# Fixed (pg_insert/pg_update do not allow now() to be used for timestamp fields).
# Fixed (using autoconf 2.6x and --with-layout=GNU breaks PEAR install path).
# Fixed (Using $this not in object context can cause segfaults).
# Fixed (ext/dba doesn't check for db-4.5 and db-4.4 when db4 support is enabled).
# Fixed (ftp_put() does not change transfer mode to ASCII).
# Fixed (ftp_nlist() returns false on empty dirs).
# Fixed (Allow building of curl extension against libcurl 7.16.0).
# Fixed (curl_exec() with return transfer returns TRUE on empty files).
# Fixed (Fixed a possible open_basedir bypass in tempnam()).
# Fixed (ldap_connect causes segfault with newer versions of OpenLDAP).
# Fixed (parse_url() fails if passing '@' in passwd).
# Fixed (Calling undefined method prints insufficient error message).
# Fixed (segfault when calling setlocale() in userspace session handler).
# Fixed (constructor is not called for classes used in userspace stream wrappers).
# Fixed (wddx_serialize_value() generates no wellformed xml).
# Fixed (aggregate_methods_by_list fails to take certain methods).
# Fixed (natcasesort() causes array_pop() to misbehave).
# Fixed (CURLOPT_HEADERFUNCTION, couldn't set the function in the class).
# Fixed (recursive array_walk causes segfault).
INSTALLATION_DIRS, as well as all occurrences of ${PREFIX}/man with
${PREFIX}/${PKGMANDIR}.
Fixes PR 35265, although I did not use the patch provided therein.
duplicates process resource limits, which already provide necessary
"safety net" protection against rogue scripts
bump PKGREVISION for this
adressess PR pkg/32007 by "pancake"
also remove --enable-track-vars, since that configure argument
is long gone from PHP
This release address a series of locally exploitable security problems
discovered since PHP 4.4.3. All PHP users are encouraged to upgrade to this
release as soon as possible.
This release provides the following security fixes:
* Added missing safe_mode/open_basedir checks inside the error_log(),
file_exists(), imap_open() and imap_reopen() functions.
* Fixed overflows inside str_repeat() and wordwrap() functions on 64bit systems.
* Fixed possible open_basedir/safe_mode bypass in cURL extension.
* Fixed overflow in GD extension on invalid GIF images.
* Fixed a buffer overflow inside sscanf() function.
* Fixed memory_limit restriction on 64 bit system.
All PHP 4.x users are encouraged to upgrade to this release as soon as possible.
The security issues resolved include the following:
* Disallow certain characters in session names.
* Fixed a buffer overflow inside the wordwrap() function.
* Prevent jumps to parent directory via the 2nd parameter of the tempnam()
function.
* Improved safe_mode check for the error_log() function.
* Fixed cross-site scripting inside the phpinfo() function.
The release also includes about 20 bug fixes and an upgraded PCRE library
(version 6.6).
For a full list of changes in PHP 4.4.3, see the ChangeLog:
http://www.php.net/ChangeLog-4.php#4.4.3
This also contains a fix for CVE-2006-4020 (SA21403)
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the buildlink3.mk files included as well as the depth at
which they are included.
For example, "make show-buildlink3" in fonts/Xft2 displays:
zlib
fontconfig
iconv
zlib
freetype2
expat
freetype2
Xrender
renderproto
set OVERRIDE_DIRDEPTH to find any libtool scripts deeper in the WRKSRC
tree unless they're named something other than "libtool".
SHLIBTOOL_OVERRIDE generally doesn't need to be specified either -- just
define it to the empty list and shlibtool-override will look for libtool
scripts.
them between "not critical" and "less critical".
Fix CVE-2006-0996, CVE-2006-1494, CVE-2006-1608, CVE-2006-1490.
See:
http://secunia.com/advisories/19383/http://secunia.com/advisories/19599/
Patches were extracted from CVS. I had to translate the one for
CVE-2006-1608 on php4 because it has not made its way to the php4.4 branch
(I don't know why; I can confirm it fixes the issue).
While here, add PATCHDIR to the list of variables php5's Makefile.php
defines. That way, ap-php gets patched too...
RECOMMENDED is removed. It becomes ABI_DEPENDS.
BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.
BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.
BUILDLINK_DEPENDS does not change.
IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".
Added to obsolete.mk checking for IGNORE_RECOMMENDED.
I did not manually go through and fix any aesthetic tab/spacing issues.
I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.
I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.
As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.
As discussed on tech-pkg.
I will commit to revbump, pkglint, pkg_install, createbuildlink separately.
Note that if you use wip, it will fail! I will commit to pkgsrc-wip
later (within day).
This is a bug fix release, which addresses some security problems too.
The major points that this release corrects are:
* Prevent header injection by limiting each header to a single line.
* Possible XSS inside error reporting functionality.
* Missing safe_mode/open_basedir checks into cURL extension.
* Apache 2 regression with sub-request handling on non-Linux systems.
* key() and current() regression related to references.
This release also fixes about 30 other defects.
This is done via an option group, default is CGI. Note that the
FastCGI interpreter can still be used for normal CGI, but there
might be security issues involved in doing so.
security fix, this fixes serious security problems regarding overwriting
of the GLOBALS array.
All users of PHP 4.3 and 4.4 sare encouradged to update to this version.
The --with-regex=system bug with re_magic has been fixed too, so re-enabling
use of --with-regex=system for all operating systems again
when the base PHP is compiled with openssl extension (e.g. ssl://, tls://
stream support, and couple others). These don't work when SSL support
is loaded via extension.
For this reason, make openssl extension unconditionally built-in
into the main PHP package, and g/c security/php-openssl.
