[ubuntu/xenial-security] php7.0 7.0.8-0ubuntu0.16.04.2 (Accepted)
Marc Deslauriers
marc.deslauriers at canonical.com
Tue Aug 2 14:57:29 UTC 2016
php7.0 (7.0.8-0ubuntu0.16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5385.patch: only use HTTP_PROXY from the
      local environment in ext/standard/basic_functions.c, main/SAPI.c,
      main/php_variables.c.
    - CVE-2016-5385
  * SECURITY UPDATE: inadequate error handling in bzread()
    - debian/patches/CVE-2016-5399.patch: do not allow reading past error
      read in ext/bz2/bz2.c.
    - CVE-2016-5399
  * SECURITY UPDATE: integer overflow in the virtual_file_ex function
    - debian/patches/CVE-2016-6289.patch: properly check path_length in
      Zend/zend_virtual_cwd.c.
    - CVE-2016-6289
  * SECURITY UPDATE: use after free in unserialize() with unexpected
    session deserialization
    - debian/patches/CVE-2016-6290.patch: destroy var_hash properly in
      ext/session/session.c, added test to ext/session/tests/bug72562.phpt.
    - CVE-2016-6290
  * SECURITY UPDATE: out of bounds read in exif_process_IFD_in_MAKERNOTE
    - debian/patches/CVE-2016-6291.patch: add more bounds checks to
      ext/exif/exif.c.
    - CVE-2016-6291
  * SECURITY UPDATE: NULL pointer dereference in exif_process_user_comment
    - debian/patches/CVE-2016-6292.patch: properly handle encoding in
      ext/exif/exif.c.
    - CVE-2016-6292
  * SECURITY UPDATE: locale_accept_from_http out-of-bounds access
    - debian/patches/CVE-2016-6294.patch: check length in
      ext/intl/locale/locale_methods.c, added test to
      ext/intl/tests/bug72533.phpt.
    - CVE-2016-6294
  * SECURITY UPDATE: use after free vulnerability in SNMP with GC and
    unserialize()
    - debian/patches/CVE-2016-6295.patch: add new handler to
      ext/snmp/snmp.c, add test to ext/snmp/tests/bug72479.phpt.
    - CVE-2016-6295
  * SECURITY UPDATE: heap buffer overflow in simplestring_addn
    - debian/patches/CVE-2016-6296.patch: prevent overflows in
      ext/xmlrpc/libxmlrpc/simplestring.*.
    - CVE-2016-6296
  * SECURITY UPDATE: integer overflow in php_stream_zip_opener
    - debian/patches/CVE-2016-6297.patch: use size_t in
      ext/zip/zip_stream.c.
    - CVE-2016-6297
  * debian/patches/fix_exif_tests.patch: fix exif test results after
    security changes.

php7.0 (7.0.8-0ubuntu0.16.04.1) xenial; urgency=medium

  * New upstream release
    - Closes LP: #1596578
      + Fixed in upstream 7.0.6.
    - Drop the following patches:
      + 0035-Fixed-bug-63171-script-hangs-if-odbc-call-during-tim.patch
        [ Fixed in upstream 7.0.6 ]
      + 0046-Fix-ODBC-bug-for-varchars-returning-with-length-zero.patch
        [ Fixed in upstream 7.0.6 ]
      + 0047-make-opcache-lockfile-path-configurable.patch
        [ Fixed in upstream 7.0.6 ]
      + 0048-Fix-bug-71659.patch
        [ Fixed in upstream 7.0.5 ]
      + 0050-Fix-use-of-UNDEF-instead-of-NULL-in-read_dimension.patch
        [ Fixed in upstream 7.0.6 ]
      + 0051-backport-89a43425.patch
        [ Fixed in upstream 7.0.5 ]
      + 0052-backport-186844be.patch
        [ Fixed in upstream 7.0.5 ]
      + CVE-2015-8865-1.patch
        [ Fixed in upstream 7.0.5 ]
      + CVE-2015-8865-2.patch
        [ Fixed in upstream 7.0.5 ]
      + CVE-2016-3078.patch
        [ Fixed in upstream 7.0.6 ]
      + CVE-2016-3132.patch
        [ Fixed in upstream 7.0.6 ]
      + CVE-2016-4070.patch
        [ Fixed in upstream 7.0.5 ]
      + CVE-2016-4071.patch
        [ Fixed in upstream 7.0.5 ]
      + CVE-2016-4072.patch
        [ Fixed in upstream 7.0.5 ]
      + CVE-2016-4073.patch
        [ Fixed in upstream 7.0.5 ]
      + CVE-2016-4537.patch
        [ Fixed in upstream 7.0.7 ]
      + CVE-2016-4539.patch
        [ Fixed in upstream 7.0.7 ]
      + CVE-2016-4540.patch
        [ Fixed in upstream 7.0.7 ]
      + CVE-2016-4542.patch
        [ Fixed in upstream 7.0.7 ]
  * Backport from Debian 7.0.6-7: 'Remove php-gettext from phpX.Y-common
    provides as it clashes with existing package (Closes #823815)'
    (LP: #1569128).
  * Backport from Debian 7.0.6-8: 'Restore dba extension package'
    (LP: #1595215).
  * Regenerate d/control.
Date: 2016-07-27 17:59:23.919239+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/php7.0/7.0.8-0ubuntu0.16.04.2
Sorry, changesfile not available.