mentioned the release on their announcements list maybe we would have
had time to get the full update in but, as it is, we just found out
about it and there are too many changes to test properly at short
notice, so we are just fixing these for now.
CVE-2010-2225: fix SplObjectStorage unserialization, upstream r300843
CVE-2010-0397: null pointer dereference when processing invalid XML-RPC
requests, upstream r296152
ok espie@
Security Enhancements and Fixes in PHP 5.2.11:
* Fixed certificate validation inside php_openssl_apply_verification_policy. (Ryan Sleevi, Ilia)
* Fixed sanity check for the color index in imagecolortransparent(). (Pierre)
* Added missing sanity checks around exif processing. (Ilia)
* Fixed bug #44683 (popen crashes when an invalid mode is passed). (Pierre)
This is a SECURITY FIX that fixes:
Fixed bug #48378 (exif_read_data() segfaults on certain corrupted .jpeg files).
Update the suhosin patch to the current one while here.
to their php.ini file in a SAPI independent way. This way one can easily run
more instances of httpd with different php configs.
Idea after a discussion with "L. V. Lammert" <lvl@omnitec.net>
cacti users): add a patch from the upstream repository to fix this.
Thanks Steven Surdock for reporting the problem and testing this diff
(and similar patches sent by William Yodlowsky). While there, remove
a zero-byte patch that crept in before. ok robert@
where users are supposed to create symlinks to config file fragments
in ../php5.sample, otherwise the symlinks are destroyed when someone
updates php5/core.
ok brad, seems ok to landry.
- include the suhosin extension and suhosin patch by default unless
the no_suhosin flavor is defined
- add all the suhosin configuration options to the sample config
files
the php core module and extensions.
Install a sample configuration file to /var/www/conf/modules.sample
which can be symlinked or copied over to /var/www/conf/modules
so apache is going to pick it up.
Allow php to scan /var/www/conf/php5 for php configuration
files so if the user installs or creates a symlink from the
sample configuration files from the php5.sample directory,
it is going to be picked up by php5.
Create a dummy pwd.db file in the php5-imap package in the apache
chroot because it is needed by c-client.
feedback and tests by sthen@
fixes many vulnerabilities just as usual. for more information
read http://www.php.net/releases/5_2_3.php
add a no_suhosin pseudo-flavor because horde has some problems
with the suhosin security patchset
more than one php binary within one workdir (idea from FreeBSD)
- move pdo_sqlite support from core to extensions and also add a pdo_mysql
and a pdo_sqlite subpackage
- regen patches while here
- bump PKGNAMEs