of bugs discovered since the 4.3.11 release which could e.g. lead to
memory corruption.
Furthermore integrate version 1.4.0 of PEAR XML_RPC which contains a fix
for the "PEAR XML_RPC Remote PHP Code Injection Vulnerability" security
problem reported by the Hardened-PHP Project.
This is a maintenance release that in addition to over 70 non-critical
bug fixes addresses several security issues inside the exif and
fbsql extensions as well as the unserialize(), swf_definepoly()
and getimagesize() functions. All Users of PHP are strongly
encouraged to upgrade to this release.
Bugfix release
* Crash in bzopen() if supplied path to non-existent file.
* DOM crashing when attribute appended to Document.
* unserialize() float problem on non-English locales.
* Crash in msg_send() when non-string is stored without being serialized.
* Possible infinite loop in imap_mail_compose().
* Fixed crash in chunk_split(), when chunklen > strlen.
* session_set_save_handler crashes PHP when supplied non-existent object ref.
* Memory leak in zend_language_scanner.c.
* Compile failures of zend_strtod.c.
* Fixed crash in overloaded objects & overload() function.
* cURL functions bypass open_basedir.
PHP4 also doesn't bundle PEAR Net_Socket and Net_SMTP anymore now.
- Added the %F modifier to *printf to render a non-locale-aware representation
of a float with the . as decimal separator. (Derick)
- Fixed a bug in addslashes() handling of the '\0' character. (Ilia)
- Backported Marcus' foreach() speedup patch from PHP 5.x. (Derick)
- Fixed potential problems with unserializing invalid serialize data. (Marcus)
- Fixed bug #31034 (Problem with non-existing iconv header file). (Derick)
- Fixed bug #31024 (Crash in fgetcsv() with negative length). (Ilia)
- Fixed bug #31019 (Logic error mssql library checking). (Frank)
- Fixed bug #30995 (snmp extension does not build with net-snmp 5.2). (Ilia)
- Fixed bug #30990 (allow popen() on *NIX to accept 'b' flag). (Ilia)
- Fixed bug #30826 (Certain reference relations cannot be unserialized
properly). (Ilia)
- Fixed bug #30750 (Meaningful error message when upload directory is not
accessible). (Ilia)
- Fixed bug #30739 (imagefill does not set back alphablending mode). (Pierre)
- Fixed bug #30672 (Problem handling exif data in jpeg images at unusual
places). (Marcus)
- Fixed bug #30658 (Ensure that temporary files created by GD are removed).
(Ilia)
- Fixed bug #30654 (oci8 persistent connection is deleted from hash
if there was exclusive connection with the same credentials). (Tony)
- Fixed bug #30613 (Prevent infinite recursion in url redirection). (Ilia)
- Fixed bug #30587 (array_multisort doesn't separate zvals before
changing them). (Tony)
- Fixed bug #30475 (curl_getinfo() may crash in some situations). (Ilia)
- Fixed bug #30442 (segfault when parsing ?getvariable[][ ). (Tony)
- Fixed bug #30388 (rename across filesystems loses ownership and
permission info). (Tony)
- Fixed bug #30282 (segfault when using unknown/unsupported
session.save_handler and/or session.serialize_handler). (Tony)
- Fixed bug #30281 (Prevent non-wbmp images from being detected as such).
(Ilia)
- Fixed bug #30276 (Possible crash in ctype_digit on large numbers). (Ilia)
- Fixed bug #30229 (imagerectangle and imagefilledrectangle do work well
with alpha channel, corners are drawn twice). (Pierre)
- Fixed bug #30224 (Sybase date strings are sometimes not null terminated).
(Ilia)
- Fixed bug #30133 (get_current_user() crashes on Windows). (Edin)
- Fixed bug #30057 (did not detect IPV6 on FreeBSD 4.1). (Wez)
- Fixed bug #30027 (Possible crash inside ftp_get()).
(cfield at affinitysolutions dot com)
- Fixed bug #29805 (HTTP Authentication Issues). (Uwe Schindler)
- Fixed bug #29418 (double free when openssl_csr_new fails).
(Kamesh Jayachandran).
- Fixed bug #28598 (Lost support for MS Symbol fonts). (Pierre)
- Fixed bug #28325 (Circular references not properly serialized). (Moriyoshi)
- Fixed bug #28228 (NULL decimal separator is not being handled correctly).
(Ilia)
- Fixed bug #27469 (serialize() objects of incomplete class). (Dmitry)
creates its own compiler wrapper script. This "meta_ccld" script
isn't recognized by the installed libtool script as a compiler, and
libtool gets confused as to which compiler tag to use. Rather than
inserting "--tag=CC" into the Makefiles, we patch the configure script
to not make the wrapper script, and instead, to simply append the
appropriate pthreads CFLAGS to the normal CFLAGS variable subsituted
into Makefiles. This fixes PR pkg/28485.
g/c no longer needed Makefile.module
add support for building extensions off PECL; version for PECL packages
is built as ${PHP_BASE_VERS}.${PECL_VERSION}, i.e. PECL pkg version 1.0
would become php-pkg-4.3.9.1.0 or php-pkg-5.0.2.1.0 respectively
in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
Changes since 4.3.8:
* fixes to GPC input processing
* bundled GD extension synced with 2.0.28, re-introducing write support
for GIF (patent expiration worldwide)
* Implemented periodic PCRE compiled regexp cache cleanup, to avoid memory
exhaustion
* Fixed strip_tags() to correctly handle '\0' characters.
* Rewritten UNIX and Windows install help files.
* Fixed a file-descriptor leak with phpinfo() and other 'special' URLs.
* Fixed possible crash inside php_shutdown_config().
* Fixed isset crashes on arrays.
* Fixed imagecreatefromstring() crashes with external GD library.
* Fixed fgetcsv() parsing of strings ending with escaped enclosures.
* Fixed overflow in array_slice(), array_splice(), substr(), substr_replace(),
strspn(), strcspn().
* Fixed '\0' in Authenticate header passed via safe_mode.
* Allow bundled GD to compile against freetype 2.1.2.
All in all this release fixes over 50 bugs that have been discovered
and resolved since the 4.3.8 release.
into the bsd.options.mk framework. Instead of appending to
${PKG_OPTIONS_VAR}, it appends to PKG_DEFAULT_OPTIONS. This causes
the default options to be the union of PKG_DEFAULT_OPTIONS and any
old USE_* and FOO_USE_* settings.
This fixes PR pkg/26590.
for each package can be determined by invoking:
make show-var VARNAME=PKG_OPTIONS_VAR
The old options are still supported unless the variable named in
PKG_OPTIONS_VAR is set within make(1) (usually via /etc/mk.conf).
This is security fix release, fixing several important security
issues. From the ChangeLog:
* Fixed strip_tags() to correctly handle '\0' characters.
* Improved stability during startup when memory_limit is used.
* Replace alloca() with emalloc() for better stack protection.
* Added missing safe_mode checks inside ftok and itpc.
* Fixed bug #28963 Fixed address allocation routine in IMAP extension.
* Fixed bug #28632 Prevent open_basedir bypass via MySQL's LOAD DATA LOCAL.
Note: package update also includes extra patches from PHP CVS not
present in stock PHP 4.3.8 release - compilation fix for
mssql extension and Zend engine memory-use-after-free fix.
Change list from release notes:
* Synchronized bundled GD library with GD 2.0.23.
* Fixed a bug that prevented compilation of GD extensions against
FreeType 2.1.0-2.1.2.
* Fixed thread safety issue with informix connection id.
* Fixed incorrect resolving of relative paths by glob() in windows.
* Fixed mapping of Greek letters to html entities.
* Fixed a bug that caused an on shutdown crash when using PHP with Apache
2.0.49.
* Fixed a number of crashes inside pgsql, cpdf and gd extensions.
All in all this release fixes over 30 bugs that have been discovered
and resolved since the 4.3.6 release.
(ports/lang/php4/files/patch-ext::pcre::php_pcre.c). Fixes a bug
(described at http://bugs.php.net/bug.php?id=27810) which causes
apache2 to dump core on receiving SIGHUP.
This is supposedly fixed in the next release of PHP.
