All Ubuntu package versions


AllTrustySaucyRaringQuantalPreciseLucidAll PPAs
DashboardRecent Search QueriesSearch Statistics
Alphabetical listSearchBugs
CommentsResqueStathatMemoryTracker

Package "php5-cgi"

Name: php5-cgi

Description:

server-side, HTML-embedded scripting language (CGI binary)
This package provides the /usr/lib/cgi-bin/php5 CGI interpreter built
for use in Apache 2 with mod_actions, or any other CGI httpd that
supports a similar mechanism. Note that MOST Apache users probably
want the libapache2-mod-php5 package.
The following extensions are built in: bcmath bz2 calendar Core ctype date
dba dom ereg exif fileinfo filter ftp gettext hash iconv json libxml
mbstring mhash openssl pcre Phar posix Reflection session shmop SimpleXML
soap sockets SPL standard sysvmsg sysvsem sysvshm tokenizer wddx xml
xmlreader xmlwriter zip zlib.

PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
from C, Java and Perl with a couple of unique PHP-specific features thrown
in. The goal of the language is to allow web developers to write dynamically
generated pages quickly. This version of PHP5 was built with the Suhosin patch.

Latest version: 5.3.2-1ubuntu4.24
Release: lucid (10.04)
Level: security
Repository: main
Head package: php5
Homepage: http://www.php.net/

Links

Save this URL for the latest version of "php5-cgi": http://www.ubuntuupdates.org/php5-cgi

All versions of this package Bug fixes
List of files in package Repository home page for package

Download "php5-cgi"

32-bit deb package 64-bit deb package APT INSTALL

Other versions of "php5-cgi" in Lucid

RepositoryAreaVersion
base main 5.3.2-1ubuntu4
updates main 5.3.2-1ubuntu4.24
PPA: nathan-renniewaldock ppa 5.4.26-1~ppa1~lucid

Change Log

Version: 5.3.2-1ubuntu4.19 2013-03-13 19:07:09 UTC

  php5 (5.3.2-1ubuntu4.19) lucid-security; urgency=low

  * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
    - debian/patches/CVE-2013-1643.patch: disable the entity loader in
      ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
    - CVE-2013-1643
 -- Marc Deslauriers <email address hidden> Mon, 11 Mar 2013 07:49:54 -0400

Source diff to previous version
CVE-2013-1643 The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML e

Version: 5.3.2-1ubuntu4.18 2012-09-17 13:07:02 UTC

  php5 (5.3.2-1ubuntu4.18) lucid-security; urgency=low

  * SECURITY UPDATE: HTTP response-splitting issue with %0D sequences
    - debian/patches/CVE-2011-1398.patch: properly handle %0D and NUL in
      main/SAPI.c, added tests to ext/standard/tests/*, fix test suite
      failures in ext/phar/phar_object.c.
    - CVE-2011-1398
    - CVE-2012-4388
  * SECURITY UPDATE: denial of service and possible code execution via
    _php_stream_scandir function (LP: #1028064)
    - debian/patches/CVE-2012-2688.patch: prevent overflow in
      main/streams/streams.c.
    - CVE-2012-2688
  * SECURITY UPDATE: denial of service via PDO extension crafted parameter
    - debian/patches/CVE-2012-3450.patch: improve logic in
      ext/pdo/pdo_sql_parser.re, regenerate ext/pdo/pdo_sql_parser.c, add
      test to ext/pdo_mysql/tests/bug_61755.phpt.
    - CVE-2012-3450
 -- Marc Deslauriers <email address hidden> Wed, 12 Sep 2012 11:33:30 -0400

Source diff to previous version
1028064 potential overflow in _php_stream_scandir
CVE-2011-1398 The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5.4.x before 5.4.0RC2 does not check for %0D sequences (aka carriage return charac
CVE-2012-4388 The sapi_header_op function in main/SAPI.c in PHP 5.4.0RC2 through 5.4.0 does not properly determine a pointer during checks for %0D sequences (aka ca
CVE-2012-2688 Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown imp
CVE-2012-3450 pdo_sql_parser.re in the PDO extension in PHP before 5.3.14 and 5.4.x before 5.4.4 does not properly determine the end of the query string during pars

Version: 5.3.2-1ubuntu4.17 2012-06-19 16:06:45 UTC

  php5 (5.3.2-1ubuntu4.17) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service via invalid tidy objects
    - debian/patches/CVE-2012-0781.patch: track initialization in
      ext/tidy/tidy.c, added tests to ext/tidy/tests/004.phpt,
      ext/tidy/tests/bug54682.phpt.
    - CVE-2012-0781
  * SECURITY UPDATE: denial of service or possible directory traversal via
    invalid filename.
    - debian/patches/CVE-2012-1172.patch: ensure brackets get closed in
      main/rfc1867.c, add test to tests/basic/bug55500.phpt.
    - CVE-2012-1172
  * SECURITY UPDATE: password truncation via invalid byte
    - debian/patches/CVE-2012-2143.patch: improve logic in
      ext/standard/crypt_freesec.c, add test to
      ext/standard/tests/strings/crypt_chars.phpt.
    - CVE-2012-2143
  * SECURITY UPDATE: crypto() empty salt string issue
    - debian/patches/php_crypt_revamped.patch: Return fail string on
      invalid Blowfish salt rounds, fix regression when the salt is empty.
    - CVE-2012-2317
  * SECURITY UPDATE: improve php5-cgi query string parameter parsing
    - debian/patches/CVE-2012-233x.patch: improve parsing in
      sapi/cgi/cgi_main.c.
    - CVE-2012-2335
    - CVE-2012-2336
  * SECURITY UPDATE: phar extension heap overflow
    - debian/patches/CVE-2012-2386.patch: check for overflow in
      ext/phar/tar.c.
    - CVE-2012-2386
 -- Marc Deslauriers <email address hidden> Tue, 12 Jun 2012 15:51:23 -0400

Source diff to previous version
CVE-2012-0781 The tidy_diagnose function in PHP 5.3.8 might allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via
CVE-2012-1172 The file-upload implementation in rfc1867.c in PHP before 5.4.0 does not properly handle invalid [ (open square bracket) characters in name values, wh
CVE-2012-2317 php5 crypt() empty salt issue
CVE-2012-2335 php-wrapper.fcgi does not properly handle command-line arguments, which allows remote attackers to bypass a protection mechanism in PHP 5.3.12 and 5.4
CVE-2012-2336 sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings
CVE-2012-2386 phar integer overfow

Version: 5.3.2-1ubuntu4.15 2012-05-04 14:08:23 UTC

  php5 (5.3.2-1ubuntu4.15) lucid-security; urgency=low

  * SECURITY UPDATE: php5-cgi query string parameters parsing
    vulnerability
    - debian/patches/php5-CVE-2012-1823.patch: filter query strings that
      are prefixed with '-'
    - CVE-2012-1823
    - CVE-2012-2311
 -- Steve Beattie <email address hidden> Thu, 03 May 2012 15:13:14 -0700

Source diff to previous version
CVE-2012-1823 sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings
CVE-2012-2311 sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings

Version: 5.3.2-1ubuntu4.14 2012-02-13 18:03:46 UTC

php5 (5.3.2-1ubuntu4.14) lucid-security; urgency=low

  * debian/patches/php5-CVE-2012-0831-regression.patch: fix
    magic_quotes_gpc ini setting regression introduced by patch for
    CVE-2012-0831. Thanks to Ondřej Surý for the patch. (LP: #930115)

 -- Steve Beattie Fri, 10 Feb 2012 15:07:08 -0800

930115 php5 5.3.2-1ubuntu4.13 introduced regression in magic_quotes_gpc
CVE-2012-0831 RESERVED



About   -   Changelog   -   Send Feedback