[ubuntu/groovy-proposed] php7.4 7.4.5-1ubuntu1 (Accepted)

Bryce Harrington bryce at canonical.com
Fri Jul 17 23:16:16 UTC 2020


php7.4 (7.4.5-1ubuntu1) groovy; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - d/control, d/control.in: Conflict with mod-php from php7.2 and
      php7.3 to ensure safe upgrade path for apache2.
      (Fixes LP #1850933)
    - libapache2-mod-php.postinst.extra: Disable other mod-php versions.
      Fixes failure when upgrading from previous versions of mod-php.
      (LP 1865218)
    - SECURITY UPDATE: Denial of service through oversized memory allocated
      + debian/patches/CVE-2019-11048.patch: changes types int to size_t
        in main/rfc1867.c.
      + CVE-2019-11048
  * Fixes from upstream included in merge:
    - Content-Length missing when posting a curlFile with curl
      (LP: #1887826)
  * Dropped:
    - SECURITY UPDATE: Read one byte of uninitialized memory
      + debian/patches/CVE-2020-7064.patch: check length in
        exif_process_TIFF_in_JPEG to avoid reading uninitialized memory in
        ext/exif/exif.c, ext/exif/tests/bug79282.phpt.
      + CVE-2020-7064
      [Fixed in 7.4.5-1]
    - SECURITY UPDATE: Memory corruption, crash and potentially code execution
      + debian/patches/CVE-2020-7065.patch: make sure that negative values are
        properly compared in ext/mbstring/php_unicode.c,
        ext/mbstring/tests/bug70371.phpt.
      + CVE-2020-7065
      [Fixed in 7.4.5-1]
    - SECURITY UPDATE: Truncated URL due to \0
      + debian/patches/CVE-2020-7066.patch: check for get_headers
        not accepting \0 in ext/standard/url.c.
      + CVE-2020-7066
      [Fixed in 7.4.5-1]

Date: Thu, 16 Jul 2020 13:20:11 -0700
Changed-By: Bryce Harrington <bryce at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/php7.4/7.4.5-1ubuntu1
-------------- next part --------------
Format: 1.8
Date: Thu, 16 Jul 2020 13:20:11 -0700
Source: php7.4
Architecture: source
Version: 7.4.5-1ubuntu1
Distribution: groovy
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Bryce Harrington <bryce at canonical.com>
Launchpad-Bugs-Fixed: 1887826
Original-Maintainer: Debian PHP Maintainers <team+pkg-php at tracker.debian.org>