[Group.of.nepali.translators] [Bug 1645431] Re: [SRU] microrelease exception for src:php7.0 (7.0.13)

2017-01-11 Thread Launchpad Bug Tracker
This bug was fixed in the package php7.0 - 7.0.13-0ubuntu0.16.10.1

---
php7.0 (7.0.13-0ubuntu0.16.10.1) yakkety; urgency=medium

  * New upstream release
    - LP: #1645431
    - Refresh patches for new upstream release.
  * Drop:
    - SECURITY UPDATE: proxy request header vulnerability (httpoxy)
      + debian/patches/CVE-2016-5385.patch: only use HTTP_PROXY from the
        local environment in ext/standard/basic_functions.c, main/SAPI.c,
        main/php_variables.c.
      + CVE-2016-5385
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: inadequate error handling in bzread()
      + debian/patches/CVE-2016-5399.patch: do not allow reading past error
        read in ext/bz2/bz2.c.
      + CVE-2016-5399
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: integer overflow in the virtual_file_ex function
      + debian/patches/CVE-2016-6289.patch: properly check path_length in
        Zend/zend_virtual_cwd.c.
      + CVE-2016-6289
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: use after free in unserialize() with unexpected
      session deserialization
      + debian/patches/CVE-2016-6290.patch: destroy var_hash properly in
        ext/session/session.c, added test to ext/session/tests/bug72562.phpt.
      + CVE-2016-6290
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: out of bounds read in exif_process_IFD_in_MAKERNOTE
      + debian/patches/CVE-2016-6291.patch: add more bounds checks to
        ext/exif/exif.c.
      + CVE-2016-6291
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: NULL pointer dereference in exif_process_user_comment
      + debian/patches/CVE-2016-6292.patch: properly handle encoding in
        ext/exif/exif.c.
      + CVE-2016-6292
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: locale_accept_from_http out-of-bounds access
      + debian/patches/CVE-2016-6294.patch: check length in
        ext/intl/locale/locale_methods.c, added test to
        ext/intl/tests/bug72533.phpt.
      + CVE-2016-6294
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: use after free vulnerability in SNMP with GC and
      unserialize()
      + debian/patches/CVE-2016-6295.patch: add new handler to
        ext/snmp/snmp.c, add test to ext/snmp/tests/bug72479.phpt.
      + CVE-2016-6295
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: heap buffer overflow in simplestring_addn
      + debian/patches/CVE-2016-6296.patch: prevent overflows in
        ext/xmlrpc/libxmlrpc/simplestring.*.
      + CVE-2016-6296
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: integer overflow in php_stream_zip_opener
      + debian/patches/CVE-2016-6297.patch: use size_t in
        ext/zip/zip_stream.c.
      + CVE-2016-6297
      [ Fixed in 7.0.9 ]
    - debian/patches/fix_exif_tests.patch: fix exif test results after
      security changes.
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: denial of service or code execution via crafted
      serialized data
      + debian/patches/CVE-2016-7124.patch: fix unserializing logic in
        ext/session/session.c, ext/standard/var_unserializer.c*,
        ext/wddx/wddx.c, added tests to
        ext/standard/tests/serialize/bug72663.phpt,
        ext/standard/tests/serialize/bug72663_2.phpt,
        ext/standard/tests/serialize/bug72663_3.phpt.
      + CVE-2016-7124
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: arbitrary-type session data injection
      + debian/patches/CVE-2016-7125.patch: consume data even if not storing
        in ext/session/session.c, added test to
        ext/session/tests/bug72681.phpt.
      + CVE-2016-7125
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution in
      imagegammacorrect function
      + debian/patches/CVE-2016-7127.patch: check gamma values in
        ext/gd/gd.c, added test to ext/gd/tests/bug72730.phpt.
      + CVE-2016-7127
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: information disclosure via exif_process_IFD_in_TIFF
      + debian/patches/CVE-2016-7128.patch: properly handle thumbnails in
        ext/exif/exif.c.
      + CVE-2016-7128
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      invalid ISO 8601 time value
      + debian/patches/CVE-2016-7129.patch: properly handle strings in
        ext/wddx/wddx.c, added test to ext/wddx/tests/bug72749.phpt.
      + CVE-2016-7129
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      invalid base64 binary value
      + debian/patches/CVE-2016-7130.patch: properly handle string in
        ext/wddx/wddx.c, added test to ext/wddx/tests/bug72750.phpt.
      + CVE-2016-7130
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      malformed wddxPacket XML document
      + debian/patches/CVE-2016-7131.patch: added checks to ext/wddx/wddx.c,
        added tests to ext/wddx/tests/bug72790.phpt,
        ext/wddx/tests/bug72799.phpt.
      + CVE-2016-7131
      + CVE-2016-7132
      [ Fixed in 7.0.10 ]
    -

[Group.of.nepali.translators] [Bug 1645431] Re: [SRU] microrelease exception for src:php7.0 (7.0.13)

2017-01-11 Thread Launchpad Bug Tracker
This bug was fixed in the package php7.0 - 7.0.13-0ubuntu0.16.04.1

---
php7.0 (7.0.13-0ubuntu0.16.04.1) xenial; urgency=medium

  * New upstream release
    - LP: #1645431
    - Refresh patches for new upstream release.
  * Drop:
    - SECURITY UPDATE: proxy request header vulnerability (httpoxy)
      + debian/patches/CVE-2016-5385.patch: only use HTTP_PROXY from the
        local environment in ext/standard/basic_functions.c, main/SAPI.c,
        main/php_variables.c.
      + CVE-2016-5385
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: inadequate error handling in bzread()
      + debian/patches/CVE-2016-5399.patch: do not allow reading past error
        read in ext/bz2/bz2.c.
      + CVE-2016-5399
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: integer overflow in the virtual_file_ex function
      + debian/patches/CVE-2016-6289.patch: properly check path_length in
        Zend/zend_virtual_cwd.c.
      + CVE-2016-6289
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: use after free in unserialize() with unexpected
      session deserialization
      + debian/patches/CVE-2016-6290.patch: destroy var_hash properly in
        ext/session/session.c, added test to ext/session/tests/bug72562.phpt.
      + CVE-2016-6290
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: out of bounds read in exif_process_IFD_in_MAKERNOTE
      + debian/patches/CVE-2016-6291.patch: add more bounds checks to
        ext/exif/exif.c.
      + CVE-2016-6291
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: NULL pointer dereference in exif_process_user_comment
      + debian/patches/CVE-2016-6292.patch: properly handle encoding in
        ext/exif/exif.c.
      + CVE-2016-6292
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: locale_accept_from_http out-of-bounds access
      + debian/patches/CVE-2016-6294.patch: check length in
        ext/intl/locale/locale_methods.c, added test to
        ext/intl/tests/bug72533.phpt.
      + CVE-2016-6294
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: use after free vulnerability in SNMP with GC and
      unserialize()
      + debian/patches/CVE-2016-6295.patch: add new handler to
        ext/snmp/snmp.c, add test to ext/snmp/tests/bug72479.phpt.
      + CVE-2016-6295
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: heap buffer overflow in simplestring_addn
      + debian/patches/CVE-2016-6296.patch: prevent overflows in
        ext/xmlrpc/libxmlrpc/simplestring.*.
      + CVE-2016-6296
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: integer overflow in php_stream_zip_opener
      + debian/patches/CVE-2016-6297.patch: use size_t in
        ext/zip/zip_stream.c.
      + CVE-2016-6297
      [ Fixed in 7.0.9 ]
    - debian/patches/fix_exif_tests.patch: fix exif test results after
      security changes.
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: denial of service or code execution via crafted
      serialized data
      + debian/patches/CVE-2016-7124.patch: fix unserializing logic in
        ext/session/session.c, ext/standard/var_unserializer.c*,
        ext/wddx/wddx.c, added tests to
        ext/standard/tests/serialize/bug72663.phpt,
        ext/standard/tests/serialize/bug72663_2.phpt,
        ext/standard/tests/serialize/bug72663_3.phpt.
      + CVE-2016-7124
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: arbitrary-type session data injection
      + debian/patches/CVE-2016-7125.patch: consume data even if not storing
        in ext/session/session.c, added test to
        ext/session/tests/bug72681.phpt.
      + CVE-2016-7125
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution in
      imagegammacorrect function
      + debian/patches/CVE-2016-7127.patch: check gamma values in
        ext/gd/gd.c, added test to ext/gd/tests/bug72730.phpt.
      + CVE-2016-7127
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: information disclosure via exif_process_IFD_in_TIFF
      + debian/patches/CVE-2016-7128.patch: properly handle thumbnails in
        ext/exif/exif.c.
      + CVE-2016-7128
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      invalid ISO 8601 time value
      + debian/patches/CVE-2016-7129.patch: properly handle strings in
        ext/wddx/wddx.c, added test to ext/wddx/tests/bug72749.phpt.
      + CVE-2016-7129
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      invalid base64 binary value
      + debian/patches/CVE-2016-7130.patch: properly handle string in
        ext/wddx/wddx.c, added test to ext/wddx/tests/bug72750.phpt.
      + CVE-2016-7130
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      malformed wddxPacket XML document
      + debian/patches/CVE-2016-7131.patch: added checks to ext/wddx/wddx.c,
        added tests to ext/wddx/tests/bug72790.phpt,
        ext/wddx/tests/bug72799.phpt.
      + CVE-2016-7131
      + CVE-2016-7132
      [ Fixed in 7.0.10 ]
    -

[Group.of.nepali.translators] [Bug 1645431] Re: [SRU] microrelease exception for src:php7.0 (7.0.13)

2016-11-30 Thread Nish Aravamudan
7.0.13-2ubuntu1 has migrated to zesty release.

** Changed in: php7.0 (Ubuntu)
   Status: In Progress => Fix Released

** Changed in: php7.0 (Ubuntu)
 Assignee: Nish Aravamudan (nacc) => (unassigned)

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1645431

Title:
  [SRU] microrelease exception for src:php7.0 (7.0.13)

Status in php7.0 package in Ubuntu:
  Fix Released
Status in php7.0 source package in Xenial:
  In Progress
Status in php7.0 source package in Yakkety:
  In Progress

Bug description:
  There have been a number of microreleases of PHP 7.0 upstream since
  the last update to Xenial (which corresponded to the merge in
  Yakkety). As we have re-merged again in Zesty, it feels appropriate
  to provide another MRE update to php7.0. A number of critical security
  and bug-fixes are present in each 7.0.x. Rather than backporting
  individual patches (e.g., Bug # 1569509), I believe it makes
  significantly more sense to follow the upstream 7.0.x. Upstream PHP is
  demonstrating an improved approach of bugfixes only in 7.0.x:

   - 7.0.13: http://php.net/ChangeLog-7.php

  The upstream CI is at: https://travis-ci.org/php/php-src and is run
  regularly.

  Our php7.0 source package has autopkgtests for the 4 SAPIs, mod-php,
  cgi, fpm and cli. We have also updated the packaging to run the source
  tests during the build itself.

  I do not believe there is a firm statement from upstream on API/ABI
  stability, but the general approach seems to be a BC-break would
  result in 7.1.0.
