All Ubuntu package versions

AllTrustySaucyRaringPreciseLucidAll PPAs
DashboardRecent Search QueriesSearch Statistics
Alphabetical listSearchBugs

Package "php5-cgi"

Name: php5-cgi


server-side, HTML-embedded scripting language (CGI binary)
This package provides the /usr/lib/cgi-bin/php5 CGI interpreter built
for use in Apache 2 with mod_actions, or any other CGI httpd that
supports a similar mechanism. Note that MOST Apache users probably
want the libapache2-mod-php5 package.
The following extensions are built in: bcmath bz2 calendar Core ctype date
dba dom ereg exif fileinfo filter ftp gettext hash iconv json libxml
mbstring mhash openssl pcre Phar posix Reflection session shmop SimpleXML
soap sockets SPL standard sysvmsg sysvsem sysvshm tokenizer wddx xml
xmlreader xmlwriter zip zlib.

PHP5 is an HTML-embedded scripting language. Much of its syntax is borrowed
from C, Java and Perl with a couple of unique PHP-specific features thrown
in. The goal of the language is to allow web developers to write dynamically
generated pages quickly. This version of PHP5 was built with the Suhosin patch.

Latest version: 5.3.2-1ubuntu4.26
Release: lucid (10.04)
Level: security
Repository: main
Head package: php5


Save this URL for the latest version of "php5-cgi":

All versions of this package Bug fixes
List of files in package Repository home page for package

Download "php5-cgi"

32-bit deb package 64-bit deb package APT INSTALL

Other versions of "php5-cgi" in Lucid

base main 5.3.2-1ubuntu4
updates main 5.3.2-1ubuntu4.26
PPA: nathan-renniewaldock ppa 5.4.26-1~ppa1~lucid

Change Log

Version: 5.3.2-1ubuntu4.21 2013-09-05 19:08:31 UTC

  php5 (5.3.2-1ubuntu4.21) lucid-security; urgency=low

  * SECURITY UPDATE: SSL cert validation spoofing via NULL character in
    - debian/patches/CVE-2013-4248.patch: validate subjectAltName in
      ext/openssl/openssl.c, added test to ext/openssl/tests/cve2013_4073*.
    - CVE-2013-4248
 -- Marc Deslauriers <email address hidden> Wed, 04 Sep 2013 12:56:49 -0400

Source diff to previous version
CVE-2013-4248 The openssl_x509_parse function in openssl.c in the OpenSSL module in ...

Version: 5.3.2-1ubuntu4.20 2013-07-16 13:07:21 UTC

  php5 (5.3.2-1ubuntu4.20) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via xml
    parser heap overflow
    - debian/patches/CVE-2013-4113.patch: check against XML_MAXLEVEL in
      ext/xml/xml.c, add test to ext/xml/tests/bug65236.phpt.
    - CVE-2013-4113
  * SECURITY UPDATE: denial of service via overflow in SdnToJewish
    - debian/patches/CVE-2013-4635.patch: check value in
      ext/calendar/jewish.c, add test to
    - CVE-2013-4635
 -- Marc Deslauriers <email address hidden> Mon, 15 Jul 2013 09:50:48 -0400

Source diff to previous version
CVE-2013-4113 ext/xml/xml.c in PHP before 5.3.27 does not properly consider parsing ...
CVE-2013-4635 Integer overflow in the SdnToJewish function in jewish.c in the ...

Version: 5.3.2-1ubuntu4.19 2013-03-13 19:07:09 UTC

  php5 (5.3.2-1ubuntu4.19) lucid-security; urgency=low

  * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
    - debian/patches/CVE-2013-1643.patch: disable the entity loader in
      ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
    - CVE-2013-1643
 -- Marc Deslauriers <email address hidden> Mon, 11 Mar 2013 07:49:54 -0400

Source diff to previous version
CVE-2013-1643 The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML e

Version: 5.3.2-1ubuntu4.18 2012-09-17 13:07:02 UTC

  php5 (5.3.2-1ubuntu4.18) lucid-security; urgency=low

  * SECURITY UPDATE: HTTP response-splitting issue with %0D sequences
    - debian/patches/CVE-2011-1398.patch: properly handle %0D and NUL in
      main/SAPI.c, added tests to ext/standard/tests/*, fix test suite
      failures in ext/phar/phar_object.c.
    - CVE-2011-1398
    - CVE-2012-4388
  * SECURITY UPDATE: denial of service and possible code execution via
    _php_stream_scandir function (LP: #1028064)
    - debian/patches/CVE-2012-2688.patch: prevent overflow in
    - CVE-2012-2688
  * SECURITY UPDATE: denial of service via PDO extension crafted parameter
    - debian/patches/CVE-2012-3450.patch: improve logic in
      ext/pdo/, regenerate ext/pdo/pdo_sql_parser.c, add
      test to ext/pdo_mysql/tests/bug_61755.phpt.
    - CVE-2012-3450
 -- Marc Deslauriers <email address hidden> Wed, 12 Sep 2012 11:33:30 -0400

Source diff to previous version
1028064 potential overflow in _php_stream_scandir
CVE-2011-1398 The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5.4.x before 5.4.0RC2 does not check for %0D sequences (aka carriage return charac
CVE-2012-4388 The sapi_header_op function in main/SAPI.c in PHP 5.4.0RC2 through 5.4.0 does not properly determine a pointer during checks for %0D sequences (aka ca
CVE-2012-2688 Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown imp
CVE-2012-3450 in the PDO extension in PHP before 5.3.14 and 5.4.x before 5.4.4 does not properly determine the end of the query string during pars

Version: 5.3.2-1ubuntu4.17 2012-06-19 16:06:45 UTC

  php5 (5.3.2-1ubuntu4.17) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service via invalid tidy objects
    - debian/patches/CVE-2012-0781.patch: track initialization in
      ext/tidy/tidy.c, added tests to ext/tidy/tests/004.phpt,
    - CVE-2012-0781
  * SECURITY UPDATE: denial of service or possible directory traversal via
    invalid filename.
    - debian/patches/CVE-2012-1172.patch: ensure brackets get closed in
      main/rfc1867.c, add test to tests/basic/bug55500.phpt.
    - CVE-2012-1172
  * SECURITY UPDATE: password truncation via invalid byte
    - debian/patches/CVE-2012-2143.patch: improve logic in
      ext/standard/crypt_freesec.c, add test to
    - CVE-2012-2143
  * SECURITY UPDATE: crypto() empty salt string issue
    - debian/patches/php_crypt_revamped.patch: Return fail string on
      invalid Blowfish salt rounds, fix regression when the salt is empty.
    - CVE-2012-2317
  * SECURITY UPDATE: improve php5-cgi query string parameter parsing
    - debian/patches/CVE-2012-233x.patch: improve parsing in
    - CVE-2012-2335
    - CVE-2012-2336
  * SECURITY UPDATE: phar extension heap overflow
    - debian/patches/CVE-2012-2386.patch: check for overflow in
    - CVE-2012-2386
 -- Marc Deslauriers <email address hidden> Tue, 12 Jun 2012 15:51:23 -0400

CVE-2012-0781 The tidy_diagnose function in PHP 5.3.8 might allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via
CVE-2012-1172 The file-upload implementation in rfc1867.c in PHP before 5.4.0 does not properly handle invalid [ (open square bracket) characters in name values, wh
CVE-2012-2317 php5 crypt() empty salt issue
CVE-2012-2335 php-wrapper.fcgi does not properly handle command-line arguments, which allows remote attackers to bypass a protection mechanism in PHP 5.3.12 and 5.4
CVE-2012-2336 sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings
CVE-2012-2386 phar integer overfow

About   -   Changelog   -   Send Feedback