All Ubuntu package versions



Package "php5"

Name: php5

Description:

server-side, HTML-embedded scripting language (metapackage)

Latest version: 5.3.10-1ubuntu3.18
Release: precise (12.04)
Level: security
Repository: main
Homepage: http://www.php.net/

Links

Save this URL for the latest version of "php5": http://www.ubuntuupdates.org/php5


Other versions of "php5" in Precise

Repository                  Area      Version
base                        main      5.3.10-1ubuntu3
base                        universe  5.3.10-1ubuntu3
security                    universe  5.3.10-1ubuntu3.18
updates                     universe  5.3.10-1ubuntu3.18
updates                     main      5.3.10-1ubuntu3.18
PPA: nathan-renniewaldock   ppa       5.4.35-1~ppa1~precise

Packages in group


libapache2-mod-php5 php-pear php5-cgi php5-cli php5-common
php5-curl php5-dbg php5-dev php5-gd php5-gmp
php5-ldap php5-mysql php5-odbc php5-pgsql php5-pspell
php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc
php5-xsl

Change Log

Version: 5.3.10-1ubuntu3.18 2015-04-20 17:06:33 UTC

  php5 (5.3.10-1ubuntu3.18) precise-security; urgency=medium

  * SECURITY UPDATE: potential remote code execution vulnerability when
    used with the Apache 2.4 apache2handler
    - debian/patches/bug69218.patch: perform proper cleanup in
      sapi/apache2handler/sapi_apache2.c.
    - CVE number pending
  * SECURITY UPDATE: buffer overflow when parsing tar/zip/phar
    - debian/patches/bug69441.patch: check lengths in
      ext/phar/phar_internal.h.
    - CVE number pending
  * SECURITY UPDATE: heap overflow in regexp library
    - debian/patches/CVE-2015-2305.patch: check for overflow in
      ext/ereg/regex/regcomp.c.
    - CVE-2015-2305
  * SECURITY UPDATE: buffer overflow in unserialize when parsing Phar
    - debian/patches/CVE-2015-2783.patch: properly check lengths in
      ext/phar/phar.c, ext/phar/phar_internal.h.
    - CVE-2015-2783
  * SECURITY UPDATE: arbitrary code execution via process_nested_data
    use-after-free
    - debian/patches/CVE-2015-2787.patch: fix logic in
      ext/standard/var_unserializer.*.
    - CVE-2015-2787
 -- Marc Deslauriers <email address hidden> Fri, 17 Apr 2015 06:25:37 -0400

CVE-2015-2305 Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in Net
CVE-2015-2783 Buffer Over-read in unserialize when parsing Phar
CVE-2015-2787 Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before 5.5.23, and 5

Version: 5.3.10-1ubuntu3.17 2015-03-18 14:07:19 UTC

  php5 (5.3.10-1ubuntu3.17) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via recursion
    - debian/patches/CVE-2014-8117.patch: lower recursion limit in
      ext/fileinfo/libmagic/softmagic.c.
    - CVE-2014-8117
  * SECURITY UPDATE: denial of service or possible code execution in
    enchant
    - debian/patches/CVE-2014-9705.patch: handle position better in
      ext/enchant/enchant.c.
    - CVE-2014-9705
  * SECURITY UPDATE: arbitrary code execution via use after free in
    unserialize() with DateTime
    - debian/patches/CVE-2015-0273.patch: fix use after free in
      ext/date/php_date.c, added test to ext/date/tests/*.phpt.
    - CVE-2015-0273
  * SECURITY UPDATE: denial of service or possible code execution in phar
    - debian/patches/CVE-2015-2301.patch: fix use after free in
      ext/phar/phar_object.c.
    - CVE-2015-2301
 -- Marc Deslauriers <email address hidden> Mon, 16 Mar 2015 13:59:27 -0400

CVE-2014-8117 softmagic.c in file before 5.21 does not properly limit recursion, which allows remote attackers to cause a denial of service (CPU consumption or cra
CVE-2014-9705 heap buffer overflow in enchant_broker_request_dict()
CVE-2015-0273 use after free vulnerability in unserialize() with DateTimeZone
CVE-2015-2301 use after free in phar_object.c

Version: 5.3.10-1ubuntu3.16 2015-02-17 19:06:39 UTC

  php5 (5.3.10-1ubuntu3.16) precise-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via improper handling of
    duplicate keys in unserializer
    - debian/patches/CVE-2014-8142.patch: fix use after free in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/serialize/bug68594.phpt.
    - CVE-2014-8142
  * SECURITY UPDATE: arbitrary code execution via improper handling of
    duplicate keys in unserializer, additional fix
    - debian/patches/CVE-2015-0231.patch: fix use after free in
      ext/standard/var_unserializer.*, added test to
      ext/standard/tests/strings/bug68710.phpt.
    - CVE-2015-0231
  * debian/patches/remove_readelf.patch: remove readelf.c from fileinfo as
    it isn't used, and is a source of confusion when doing security
    updates.
  * debian/patches/CVE-2014-3710.patch: removed, wasn't needed.
 -- Marc Deslauriers <email address hidden> Fri, 13 Feb 2015 11:53:39 -0500

CVE-2014-3710 out-of-bounds read in elf note headers
CVE-2014-8142 Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5
CVE-2015-0231 Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5

Version: 5.3.10-1ubuntu3.15 2014-10-30 13:06:46 UTC

  php5 (5.3.10-1ubuntu3.15) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via buffer overflow in mkgmtime()
    - debian/patches/CVE-2014-3668.patch: properly handle sizes in
      ext/xmlrpc/libxmlrpc/xmlrpc.c, added test to
      ext/xmlrpc/tests/bug68027.phpt.
    - CVE-2014-3668
  * SECURITY UPDATE: integer overflow in unserialize()
    - debian/patches/CVE-2014-3669.patch: fix overflow in
      ext/standard/var_unserializer.{c,re}, added test to
      ext/standard/tests/serialize/bug68044.phpt.
    - CVE-2014-3669
  * SECURITY UPDATE: Heap corruption in exif_thumbnail()
    - debian/patches/CVE-2014-3670.patch: fix sizes in ext/exif/exif.c.
    - CVE-2014-3670
  * SECURITY UPDATE: out of bounds read in elf note headers in fileinfo()
    - debian/patches/CVE-2014-3710.patch: validate note headers in
      ext/fileinfo/libmagic/readelf.c.
    - CVE-2014-3710
  * SECURITY UPDATE: local file disclosure via curl NULL byte injection
    - debian/patches/curl_embedded_null.patch: don't accept curl options
      with embedded NULLs in ext/curl/interface.c, added test to
      ext/curl/tests/bug68089.phpt.
    - No CVE number
 -- Marc Deslauriers <email address hidden> Tue, 28 Oct 2014 15:06:12 -0400

CVE-2014-3710 out-of-bounds read in elf note headers

Version: 5.3.10-1ubuntu3.14 2014-09-10 00:06:25 UTC

  php5 (5.3.10-1ubuntu3.14) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-3587.patch: check for array under-runs as well
      as over-runs in ext/fileinfo/libmagic/cdf.c
    - CVE-2014-3587
  * SECURITY UPDATE: denial of service in dns_get_record
    - debian/patches/CVE-2014-3597.patch: check for DNS overflows in
      ext/standard/dns.c
    - CVE-2014-3587
 -- Seth Arnold <email address hidden> Wed, 03 Sep 2014 23:27:39 -0700

CVE-2014-3587 Integer overflow in the cdf_read_property_info function in cdf.c in ...
CVE-2014-3597 Multiple buffer overflows in the php_parserr function in ...
