[Bug 1593024] Re: Unblacklist and sync zendframework 1.12.18+dfsg-1 (universe) from Debian unstable (main)

Nish Aravamudan nish.aravamudan at canonical.com
Sun Jun 19 17:13:16 UTC 2016


Hi Jeremy!

Thank you very much for bringing this to my attention! I am attaching
the debdiff I have now, which seems to work for 16.04 -> 16.10 (ensuring
zend-framework gets replaced by zendframework). Note that zend-framework
itself is *also* a transitional package, which refers to
libzend-framework-php, which is replaced by zendframework as well. Any
feedback is greatly appreciated! I am especially not sure whether we
should try to provide compatibility symlinks for any directories from
zend-framework.

Finally, there is libzend-framework-zendx-php, which does not have a
corresponding package in Debian. I am not sure what to do with this
package, since Ubuntu and Debian have been using different upstream
tarball sources and there are no ZendX files in the Debian tarballs.

I have reviewed the following bugs as well, my comments follow:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688033
  - Debian stating they are not going to take the Ubuntu version, and they view the Ubuntu version to be unmaintained (and full of potential security issues), as 1.11.11 was released in 2011 with 23 (!!) upstream releases in ZF1 (ZendFramework v1) since that version.

https://bugs.launchpad.net/ubuntu/+source/zend-framework/+bug/1066406
  - The path used by zend-framework is non-standard. zendframework uses the expected path(s).

https://bugs.launchpad.net/ubuntu/+source/zend-framework/+bug/1450308
  - We probably can fix this in zend-framework with backports for Trusty/Precise, but it indicates another problem with having this differing packaging and the lack of maintainership.

https://bugs.launchpad.net/ubuntu/+source/zendframework/+bug/580507
  - The original blacklist bug. While it mentions "more goodies" in the bug description, no comment is made as to what they are and why they are necessary, better, etc. From what I can tell, the primary benefit of zend-framework is the inclusion of the "extras" library from upstream. But these are unsupported upstream, and it seems like they should not actually be depended on.

https://bugs.launchpad.net/ubuntu/+source/zend-framework/+bug/1052423
  - A prior request to sync. The discussion didn't seem to go anywhere, beyond there having been at some time an active Ubuntu maintainer. But now there is not and I believe those arguments are no longer valid.

Note also that the debian/watch file for zend-framework leads `uscan` to
want to update to ZF2, while the zendframework debian/watch file stays
on ZF1.

-Nish

https://bugs.launchpad.net/bugs/1593024

Title:
  Unblacklist and sync zendframework 1.12.18+dfsg-1 (universe) from
  Debian unstable (main)

Status in icingaweb2 package in Ubuntu:
  New
Status in zend-framework package in Ubuntu:
  New

Bug description:
  Please sync zendframework 1.12.18+dfsg-1 (universe) from Debian
  unstable (main)

  This will eventually be used to replace zend-framework in Ubuntu, which
  seems to have been packaged before zendframework was packaged in Debian.

  All changelog entries:

  zendframework (1.12.18+dfsg-1) unstable; urgency=medium

    [ Matthew Weier O'Phinney ]
    * 1.12.18 preparations

    [ Enrico Zimuel ]
    * Fixed the rand usage

    [ Frank Brückner ]
    * Removes Zend_Gdata_YouTube which is based on Data API v2

    [ David Prévot ]
    * Update Standards-Version to 3.9.8

   -- David Prévot <taffit at debian.org>  Wed, 13 Apr 2016 16:57:00 -0400

  zendframework (1.12.17+dfsg-2) unstable; urgency=medium

    * PHP 7.0 transition:
      - Update php5-* dependencies to php-*
      - Suggest other php- extensions no longer builtin
      - Rebuild with latest pkg-php-tools
    * Drop ownCloud for Debian maintainers from uploaders
    * Update Standards-Version to 3.9.7

   -- David Prévot <taffit at debian.org>  Sat, 05 Mar 2016 10:32:52 -0400

  zendframework (1.12.17+dfsg-1) unstable; urgency=medium

    [ Martin Hujer ]
    * Zend_Validate_Hostname - updated TLD list to the version 2015102801

    [ Enrico Zimuel ]
    * Fixed the null byte test for Zend_Db_Adapter_Pdo
    * ZF2015-09: Fixed entropy issue in word CAPTCHA

   -- David Prévot <taffit at debian.org>  Mon, 23 Nov 2015 21:57:00 -0400

  zendframework (1.12.16+dfsg-1) unstable; urgency=medium

    [ Matthew Weier O'Phinney ]
    * [ZF2015-07] Use umask of 0002 [CVE-2015-5723]
    * [1.12.16] release readiness

    [ Enrico Zimuel ]
    * [ZF2015-08] Fix null byte injection for PDO MsSql [CVE-2014-8089]

   -- David Prévot <taffit at debian.org>  Wed, 16 Sep 2015 08:08:40 -0400

  zendframework (1.12.15+dfsg-1) unstable; urgency=medium

    [ Matthew Weier O'Phinney ]
    * [1.12.15] Release readiness

   -- David Prévot <taffit at debian.org>  Sat, 29 Aug 2015 15:58:10 -0400

  zendframework (1.12.14+dfsg-1) unstable; urgency=medium

    [ Frank Brückner ]
    * Classes for Technorati removed

    [ Matthew Weier O'Phinney ]
    * [ZF2015-06] Fix potential XXE vector via BOM detection [CVE-2015-5161]

    [ Martin Hujer ]
    * Drop DeveloperGarden API implementation as it shuts down on 30th June 2015

   -- David Prévot <taffit at debian.org>  Tue, 11 Aug 2015 09:34:58 +0200

  zendframework (1.12.13+dfsg-1) unstable; urgency=medium

    [ Matthew Weier O'Phinney ]
    * Cast int and float to string when creating headers
    * [1.12.13] Release readiness

   -- David Prévot <taffit at debian.org>  Wed, 20 May 2015 12:09:09 -0400

  zendframework (1.12.12+dfsg-1) unstable; urgency=high

    * Upload to unstable, with high urgency because of the security fix

    [ Matthew Weier O'Phinney ]
    * [ZF2015-04] Fix CRLF injections in HTTP and Mail [CVE-2015-3154]
    * [1.12.12] Release readiness

   -- David Prévot <taffit at debian.org>  Tue, 19 May 2015 14:56:04 -0400

  zendframework (1.12.11+dfsg-1) experimental; urgency=medium

    [ Matthew Weier O'Phinney ]
    * Promoted to stable version 1.12.11

    [ Frank Brückner ]
    * Adds condition in ViewRenderer action helper

   -- David Prévot <taffit at debian.org>  Tue, 17 Feb 2015 19:53:26 -0400

  zendframework (1.12.10+dfsg-1) experimental; urgency=medium

    [ Matthew Weier O'Phinney ]
    * [1.12.10] release preparation

    [ Rob Allen ]
    * Update copyright to 2015.

    [ David Prévot ]
    * Update copyright
    * Simplify rules
    * Add upstream changelog
    * Upload to experimental to respect the freeze

   -- David Prévot <taffit at debian.org>  Fri, 23 Jan 2015 15:18:20 -0400

  zendframework (1.12.9+dfsg-2) unstable; urgency=medium

    * Revert tests during package build (Closes: #765155)
    * Use repacksuffix feature of uscan

   -- David Prévot <taffit at debian.org>  Mon, 13 Oct 2014 22:40:34 -0400

  zendframework (1.12.9+dfsg-1) unstable; urgency=medium

    [ Matthew Weier O'Phinney ]
    * [ZF2014-05] Fix for null-byte binding
    * [#372] Quote null byte characters
    * [1.12.9] Release readiness

    [ David Prévot ]
    * Bump standards version to 3.9.6

   -- David Prévot <taffit at debian.org>  Thu, 18 Sep 2014 20:28:35 -0400

  zendframework (1.12.8+dfsg-1) unstable; urgency=medium

    * Imported Upstream version 1.12.8+dfsg (Closes: #759575)
    * Exclude sourceless and non-free files from source
    * Add watch file and get-orig-source target
    * debian/patches:
      - Handle with gbp pq
      - Add patches to run tests
    * debian/rules:
      - Use php for section
      - Maintain package in the PHP PEAR Maintainers team
      - Declare Vcs-* entries
      - Bump standards version to 3.9.5
    * Use format 3.0 (quilt) instead of quilt
    * Update copyright in format 1.0
    * Use pkg-php-tools Composer helper
    * Run tests during package build
    * Use fonts from ttf-bitstream-vera for tests

   -- David Prévot <taffit at debian.org>  Wed, 03 Sep 2014 17:02:50 -0400

  zendframework (1.12.7-0.1) unstable; urgency=medium

    * Non-maintainer upload
    * New upstream release, fixes a security issue (Closes: #754201):
      - ZF2014-04: Potential SQL injection in the ORDER implementation of
        Zend_Db_Select
        http://framework.zend.com/security/advisory/ZF2014-04

   -- David Prévot <taffit at debian.org>  Tue, 08 Jul 2014 12:33:40 -0400

  zendframework (1.12.5-0.1) unstable; urgency=medium

    * Non-maintainer upload
    * New upstream release, fixes several security issues (Closes: #743175):
      - ZF2014-01: Potential XXE/XEE attacks using PHP functions:
        simplexml_load_*, DOMDocument::loadXML, and xml_parse
        http://framework.zend.com/security/advisory/ZF2014-01
        [CVE-2014-2681] [CVE-2014-2682] [CVE-2014-2683]
      - ZF2014-02: Potential security issue in login mechanism of ZendOpenId and
        Zend_OpenId consumer
        http://framework.zend.com/security/advisory/ZF2014-02
        [CVE-2014-2684] [CVE-2014-2685]
    * Update copyright years

   -- David Prévot <taffit at debian.org>  Mon, 14 Apr 2014 14:48:35 -0400

  zendframework (1.12.3-1) unstable; urgency=low

    * new upstream release
    * removed windows azure stuff for windows platform from library path

   -- Frank Habermann <lordlamer at lordlamer.de>  Wed, 24 May 2013 22:17:00 +0200

  zendframework (1.11.12-1) unstable; urgency=high

    * new upstream release
      - fixes Local file disclosure via XXE injection (Closes: #679215)
    * changed Standards-Version to 3.9.3
    * added DM-Upload-Allowed to control

   -- Frank Habermann <lordlamer at lordlamer.de>  Wed, 27 Jun 2012 21:36:00 +0200

  zendframework (1.11.11-1) unstable; urgency=low

    * new upstream release
    * changed Standards-Version to 3.9.2

   -- Frank Habermann <lordlamer at lordlamer.de>  Sat, 11 Feb 2012 21:53:00 +0200

  zendframework (1.11.10-1) unstable; urgency=low

    * new upstream release

   -- Frank Habermann <lordlamer at lordlamer.de>  Sun, 07 Aug 2011 20:24:00 +0200

  zendframework (1.11.9-1) unstable; urgency=low

    * new upstream release

   -- Frank Habermann <lordlamer at lordlamer.de>  Fri, 15 Jul 2011 19:15:00 +0200

  zendframework (1.11.8-1) unstable; urgency=low

    * new upstream release

   -- Frank Habermann <lordlamer at lordlamer.de>  Sat, 9 Jul 2011 22:28:00 +0200

  zendframework (1.11.6-1) unstable; urgency=low

    * new upstream release

   -- Frank Habermann <lordlamer at lordlamer.de>  Sat, 21 May 2011 21:04:00 +0200

  zendframework (1.11.4-1) unstable; urgency=low

    * new upstream release

   -- Frank Habermann <lordlamer at lordlamer.de>  Sun, 06 Mar 2011 22:38:00 +0200

  zendframework (1.11.3-1) unstable; urgency=low

    * new upstream release

   -- Frank Habermann <lordlamer at lordlamer.de>  Tue, 08 Feb 2011 22:10:00 +0200

  zendframework (1.11.2-2) experimental; urgency=low

    * Remove Suggests on php5-sqlite3 for debcheck since the package
      is php5-sqlite and is no longer built by php5 under that name
      (Closes: #603515)

   -- Frank Habermann <lordlamer at lordlamer.de>  Wed, 19 Jan 2011 21:20:00 +0200

  zendframework (1.11.2-1) experimental; urgency=low

    * new upstream release

   -- Frank Habermann <lordlamer at lordlamer.de>  Thu, 30 Dec 2010 20:59:00 +0200

  zendframework (1.11.0-1) experimental; urgency=low

    * new upstream release
    * fixing wrong rights on resources/languages/pt_BR/Zend_Validate.php
    * using php5 or php5-cli for zendframework dependencies (Closes: #598378)

   -- Frank Habermann <lordlamer at lordlamer.de>  Thu, 18 Nov 2010 23:29:00 +0200

  zendframework (1.10.8-1) experimental; urgency=low

    * new upstream release
    * created new package zendframework-resources that contains pre-translated
      error messages (Closes: #592385)

   -- Frank Habermann <lordlamer at lordlamer.de>  Fri, 27 Aug 2010 20:54:00 +0200

  zendframework (1.10.7-1) unstable; urgency=low

    * new upstream release
    * changed Standards-Version to 3.9.1

   -- Frank Habermann <lordlamer at lordlamer.de>  Sun, 08 Aug 2010 22:01:00 +0200

  zendframework (1.10.6-1) unstable; urgency=low

    * new upstream release

   -- Frank Habermann <lordlamer at lordlamer.de>  Tue, 22 Jun 2010 20:42:00 +0200

  zendframework (1.10.5-1) unstable; urgency=low

    * new upstream release

   -- Frank Habermann <lordlamer at lordlamer.de>  Mon, 31 May 2010 21:21:00 +0200

  zendframework (1.10.4-1) unstable; urgency=low

    * new upstream release

   -- Frank Habermann <lordlamer at lordlamer.de>  Wed, 28 Apr 2010 20:10:00 +0200

  zendframework (1.10.3-1) unstable; urgency=low

    * new upstream release
    * set debian source format

   -- Frank Habermann <lordlamer at lordlamer.de>  Mon, 5 Apr 2010 18:55:00 +0200

  zendframework (1.10.2-1) unstable; urgency=low

    * new upstream release

   -- Frank Habermann <lordlamer at lordlamer.de>  Sun, 28 Feb 2010 20:00:00 +0200

  zendframework (1.10.1-2) unstable; urgency=low

    * added manpage for zf command
    * changed Standards-Version to 3.8.4

   -- Frank Habermann <lordlamer at lordlamer.de>  Tue, 16 Feb 2010 21:00:00 +0200

  zendframework (1.10.1-1) unstable; urgency=low

    * new upstream release

   -- Frank Habermann <lordlamer at lordlamer.de>  Fri, 12 Feb 2010 21:40:00 +0200

  zendframework (1.10.0-1) unstable; urgency=low

    * new upstream release

   -- Frank Habermann <lordlamer at lordlamer.de>  Wed, 27 Jan 2010 20:50:00 +0200

  zendframework (1.9.7-1) unstable; urgency=low

    * new upstream release

   -- Frank Habermann <lordlamer at lordlamer.de>  Tue, 12 Jan 2010 22:00:00 +0200

  zendframework (1.9.6-2) unstable; urgency=low

    * use quilt to set paths for shell scripts

   -- Frank Habermann <lordlamer at lordlamer.de>  Mon, 28 Dec 2009 22:00:00 +0200

  zendframework (1.9.6-1) unstable; urgency=low

    * new upstream release

   -- Frank Habermann <lordlamer at lordlamer.de>  Sun, 06 Dec 2009 20:40:00 +0200

  zendframework (1.9.5-1) unstable; urgency=low

    * new upstream release

   -- Frank Habermann <lordlamer at lordlamer.de>  Sun, 28 Oct 2009 10:02:00 +0200

  zendframework (1.9.4-1) unstable; urgency=low

    * new upstream release

   -- Frank Habermann <lordlamer at lordlamer.de>  Sun, 17 Oct 2009 14:40:00 +0200

  zendframework (1.9.3pl1-1) unstable; urgency=low

    * new upstream release
      - corrects a BC break found in the 1.9.3 release

   -- Frank Habermann <lordlamer at lordlamer.de>  Sun, 27 Sep 2009 20:20:00 +0200

  zendframework (1.9.3-1) unstable; urgency=low

    * new upstream release
      - fixed more than 100 bugs in over 40 components

   -- Frank Habermann <lordlamer at lordlamer.de>  Tue, 22 Sep 2009 21:10:00 +0200

  zendframework (1.9.2-2) unstable; urgency=low

    * Fixed spelling (Closes: #547125)
    * Created bin package with which you can create a default
      MVC environment (Closes: #544793)

   -- Frank Habermann <lordlamer at lordlamer.de>  Sun, 20 Sep 2009 13:45:00 +0200

  zendframework (1.9.2-1) unstable; urgency=low

    * Initial release.

   -- Frank Habermann <lordlamer at lordlamer.de>  Wed, 26 Aug 2009 21:15:00 +0200
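The changelog above is the evidence behind the point made in the reply that a fork stuck at 1.11.11 is missing years of upstream fixes. The script below is an added example, not code from this bug report or from either package: it parses a constructed excerpt of the changelog (a few entries copied from above, trimmed to the lines that matter), orders upstream versions with dpkg's comparison rules, and lists every CVE and ZF advisory fixed in a release newer than a given installed version. The function names (`parse_changelog`, `upstream_version`, `compare_versions`, `missing_fixes`), the sample text and the version normalisation (epoch, `+dfsg` repack suffix and Debian revision stripped) are this example's own assumptions. A caveat the sample is built to show: the 1.11.12 entry fixes an XXE local file disclosure without naming a CVE, so a CVE-only diff undercounts; the function therefore also returns the newer releases with their urgency so that entries without identifiers can be checked by hand.

```python
import re
from itertools import zip_longest

# Constructed sample: entries copied from the changelog above and trimmed.
# Assumed input for this example; feed the real debian/changelog in practice.
SAMPLE_CHANGELOG = """\
zendframework (1.12.16+dfsg-1) unstable; urgency=medium

  * [ZF2015-07] Use umask of 0002 [CVE-2015-5723]
  * [ZF2015-08] Fix null byte injection for PDO MsSql [CVE-2014-8089]

 -- David Prévot <taffit at debian.org>  Wed, 16 Sep 2015 08:08:40 -0400

zendframework (1.12.12+dfsg-1) unstable; urgency=high

  * [ZF2015-04] Fix CRLF injections in HTTP and Mail [CVE-2015-3154]

 -- David Prévot <taffit at debian.org>  Tue, 19 May 2015 14:56:04 -0400

zendframework (1.12.5-0.1) unstable; urgency=medium

  * New upstream release, fixes several security issues (Closes: #743175):
    - ZF2014-01: Potential XXE/XEE attacks
      [CVE-2014-2681] [CVE-2014-2682] [CVE-2014-2683]

 -- David Prévot <taffit at debian.org>  Mon, 14 Apr 2014 14:48:35 -0400

zendframework (1.11.12-1) unstable; urgency=high

  * new upstream release
    - fixes Local file disclosure via XXE injection (Closes: #679215)

 -- Frank Habermann <lordlamer at lordlamer.de>  Wed, 27 Jun 2012 21:36:00 +0200

zendframework (1.11.11-1) unstable; urgency=low

  * new upstream release

 -- Frank Habermann <lordlamer at lordlamer.de>  Sat, 11 Feb 2012 21:53:00 +0200
"""

# One changelog entry header: "<source> (<version>) <dist>; urgency=<level>"
HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=(\S+)$", re.MULTILINE)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
ADVISORY_RE = re.compile(r"\bZF\d{4}-\d{2}\b")


def parse_changelog(text):
    """Return (debian_version, urgency, body) per entry, newest first."""
    entries = []
    headers = list(HEADER_RE.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        entries.append((m.group(2), m.group(4), text[m.end():end]))
    return entries


def upstream_version(debian_version):
    """'1:1.12.18+dfsg-1' -> '1.12.18': drop epoch, revision (after the last
    hyphen, per policy) and the +dfsg repack suffix used by this package."""
    v = debian_version.split(":", 1)[-1]
    if "-" in v:
        v = v.rsplit("-", 1)[0]
    return v.split("+", 1)[0]


def _order(c):
    # dpkg ordering for the non-digit parts: '~' sorts before everything,
    # including the end of the string; letters sort before other characters.
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def compare_versions(a, b):
    """dpkg-style comparison of two version strings: returns -1, 0 or 1."""
    while a or b:
        # alternate: compare a non-digit run lexically, then a digit run numerically
        sa, sb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        a, b = a[len(sa):], b[len(sb):]
        na, nb = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        ia, ib = int(na or 0), int(nb or 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(na):], b[len(nb):]
    return 0


def missing_fixes(changelog_text, installed_upstream):
    """Identifiers fixed in upstream releases newer than installed_upstream.

    Returns (sorted CVE ids, sorted ZF advisory ids, [(upstream, urgency), ...])
    so that entries carrying no identifier can still be reviewed."""
    cves, advisories, newer = set(), set(), {}
    for version, urgency, body in parse_changelog(changelog_text):
        upstream = upstream_version(version)
        if compare_versions(upstream, installed_upstream) <= 0:
            continue
        newer.setdefault(upstream, urgency)
        cves.update(CVE_RE.findall(body))
        advisories.update(ADVISORY_RE.findall(body))
    return sorted(cves), sorted(advisories), list(newer.items())


if __name__ == "__main__":
    cves, advisories, newer = missing_fixes(SAMPLE_CHANGELOG, "1.11.11")
    print("releases newer than 1.11.11:", newer)
    print("CVEs fixed since then:", cves)
    print("ZF advisories fixed since then:", advisories)
```

Run against the full changelog in the bug description, `missing_fixes(text, "1.11.11")` gives the list of advisories an installation of the Ubuntu-only package has never received; the `urgency=high` marker on 1.11.12 and 1.12.12 is the other signal worth reading, since Debian uploads with security content at high urgency even when the entry names no CVE.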
