php7.0 (7.0.8-0ubuntu0.16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5385.patch: only use HTTP_PROXY from the
      local environment in ext/standard/basic_functions.c, main/SAPI.c,
      main/php_variables.c.
    - CVE-2016-5385
  * SECURITY UPDATE: inadequate error handling in bzread()
    - debian/patches/CVE-2016-5399.patch: do not allow reading past error
      read in ext/bz2/bz2.c.
    - CVE-2016-5399
  * SECURITY UPDATE: integer overflow in the virtual_file_ex function
    - debian/patches/CVE-2016-6289.patch: properly check path_length in
      Zend/zend_virtual_cwd.c.
    - CVE-2016-6289
  * SECURITY UPDATE: use after free in unserialize() with unexpected
    session deserialization
    - debian/patches/CVE-2016-6290.patch: destroy var_hash properly in
      ext/session/session.c, added test to ext/session/tests/bug72562.phpt.
    - CVE-2016-6290
  * SECURITY UPDATE: out of bounds read in exif_process_IFD_in_MAKERNOTE
    - debian/patches/CVE-2016-6291.patch: add more bounds checks to
      ext/exif/exif.c. 
    - CVE-2016-6291
  * SECURITY UPDATE: NULL pointer dereference in exif_process_user_comment
    - debian/patches/CVE-2016-6292.patch: properly handle encoding in
      ext/exif/exif.c.
    - CVE-2016-6292
  * SECURITY UPDATE: locale_accept_from_http out-of-bounds access
    - debian/patches/CVE-2016-6294.patch: check length in
      ext/intl/locale/locale_methods.c, added test to
      ext/intl/tests/bug72533.phpt.
    - CVE-2016-6294
  * SECURITY UPDATE: use after free vulnerability in SNMP with GC and
    unserialize()
    - debian/patches/CVE-2016-6295.patch: add new handler to
      ext/snmp/snmp.c, add test to ext/snmp/tests/bug72479.phpt.
    - CVE-2016-6295
  * SECURITY UPDATE: heap buffer overflow in simplestring_addn
    - debian/patches/CVE-2016-6296.patch: prevent overflows in
      ext/xmlrpc/libxmlrpc/simplestring.*.
    - CVE-2016-6296
  * SECURITY UPDATE: integer overflow in php_stream_zip_opener
    - debian/patches/CVE-2016-6297.patch: use size_t in
      ext/zip/zip_stream.c.
    - CVE-2016-6297
  * debian/patches/fix_exif_tests.patch: fix exif test results after
    security changes.

php7.0 (7.0.8-0ubuntu0.16.04.1) xenial; urgency=medium

  * New upstream release
    - Closes LP: #1596578
      + Fixed in upstream 7.0.6.
    - Drop the following patches:
      + 0035-Fixed-bug-63171-script-hangs-if-odbc-call-during-tim.patch
        [ Fixed in upstream 7.0.6 ]
      + 0046-Fix-ODBC-bug-for-varchars-returning-with-length-zero.patch
        [ Fixed in upstream 7.0.6 ]
      + 0047-make-opcache-lockfile-path-configurable.patch
        [ Fixed in upstream 7.0.6 ]
      + 0048-Fix-bug-71659.patch
        [ Fixed in upstream 7.0.5 ]
      + 0050-Fix-use-of-UNDEF-instead-of-NULL-in-read_dimension.patch
        [ Fixed in upstream 7.0.6 ]
      + 0051-backport-89a43425.patch
        [ Fixed in upstream 7.0.5 ]
      + 0052-backport-186844be.patch
        [ Fixed in upstream 7.0.5 ]
      + CVE-2015-8865-1.patch
        [ Fixed in upstream 7.0.5 ]
      + CVE-2015-8865-2.patch
        [ Fixed in upstream 7.0.5 ]
      + CVE-2016-3078.patch
        [ Fixed in upstream 7.0.6 ]
      + CVE-2016-3132.patch
        [ Fixed in upstream 7.0.6 ]
      + CVE-2016-4070.patch
        [ Fixed in upstream 7.0.5 ]
      + CVE-2016-4071.patch
        [ Fixed in upstream 7.0.5 ]
      + CVE-2016-4072.patch
        [ Fixed in upstream 7.0.5 ]
      + CVE-2016-4073.patch
        [ Fixed in upstream 7.0.5 ]
      + CVE-2016-4537.patch
        [ Fixed in upstream 7.0.7 ]
      + CVE-2016-4539.patch
        [ Fixed in upstream 7.0.7 ]
      + CVE-2016-4540.patch     
        [ Fixed in upstream 7.0.7 ]
      + CVE-2016-4542.patch
        [ Fixed in upstream 7.0.7 ]
  * Backport from Debian 7.0.6-7: 'Remove php-gettext from phpX.Y-common
    provides as it clashes with existing package (Closes #823815)'
    (LP: #1569128).
  * Backport from Debian 7.0.6-8: 'Restore dba extension package'
    (LP: #1595215).
  * Regenerate d/control.

Date: 2016-07-27 17:59:23.919239+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/php7.0/7.0.8-0ubuntu0.16.04.2
Sorry, changesfile not available.
-- 
Xenial-changes mailing list
Xenial-changes@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/xenial-changes

Reply via email to