Package "php5"

| Name: | php5 |
| Description: | server-side, HTML-embedded scripting language (metapackage) |
| Latest version: | 5.3.10-1ubuntu3.6 |
| Release: | precise (12.04) |
| Level: | security |
| Repository: | main |
| Homepage: | http://www.php.net/ |
Change Log
| Version: 5.3.10-1ubuntu3.6 | 2013-03-13 19:07:10 UTC |

php5 (5.3.10-1ubuntu3.6) precise-security; urgency=low

  * SECURITY UPDATE: arbitrary file disclosure via XML External Entity
    - debian/patches/CVE-2013-1643.patch: disable the entity loader in
      ext/libxml/libxml.c, ext/libxml/php_libxml.h, ext/soap/php_xml.c.
    - CVE-2013-1643

 -- Marc Deslauriers <email address hidden>  Fri, 08 Mar 2013 16:22:01 -0500

| Source diff to previous version |
| CVE-2013-1643 | The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML e |

| Version: 5.3.10-1ubuntu3.5 | 2013-01-22 14:06:43 UTC |

php5 (5.3.10-1ubuntu3.5) precise-security; urgency=low

  * SECURITY UPDATE: arbitrary memory disclosure (LP: #1099793)
    - debian/patches/CVE-2012-6113.patch: properly initialize length in
      ext/openssl/openssl.c.
    - CVE-2012-6113

 -- Marc Deslauriers <email address hidden>  Fri, 18 Jan 2013 09:49:22 -0500

| Source diff to previous version |
| 1099793 | php 5.3.10 openssl_encrypt empty data |
| CVE-2012-6113 | The openssl_encrypt function in ext/openssl/openssl.c in PHP 5.3.9 through 5.3.13 does not initialize a certain variable, which allows remote attacke |

| Version: 5.3.10-1ubuntu3.4 | 2012-09-17 13:07:06 UTC |

php5 (5.3.10-1ubuntu3.4) precise-security; urgency=low

  * SECURITY UPDATE: HTTP response-splitting issue with %0D sequences
    - debian/patches/CVE-2011-1398.patch: properly handle %0D and NUL in
      main/SAPI.c, added tests to ext/standard/tests/*, fix test suite
      failures in ext/phar/phar_object.c.
    - CVE-2011-1398
    - CVE-2012-4388
  * SECURITY UPDATE: denial of service and possible code execution via
    _php_stream_scandir function (LP: #1028064)
    - debian/patches/CVE-2012-2688.patch: prevent overflow in
      main/streams/streams.c.
    - CVE-2012-2688
  * SECURITY UPDATE: denial of service via PDO extension crafted parameter
    - debian/patches/CVE-2012-3450.patch: improve logic in
      ext/pdo/pdo_sql_parser.re, regenerate ext/pdo/pdo_sql_parser.c, add
      test to ext/pdo_mysql/tests/bug_61755.phpt.
    - CVE-2012-3450

 -- Marc Deslauriers <email address hidden>  Tue, 11 Sep 2012 11:28:52 -0400

| Source diff to previous version |
| 1028064 | potential overflow in _php_stream_scandir |
| CVE-2011-1398 | The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5.4.x before 5.4.0RC2 does not check for %0D sequences (aka carriage return charac |
| CVE-2012-4388 | The sapi_header_op function in main/SAPI.c in PHP 5.4.0RC2 through 5.4.0 does not properly determine a pointer during checks for %0D sequences (aka ca |
| CVE-2012-2688 | Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown imp |
| CVE-2012-3450 | pdo_sql_parser.re in the PDO extension in PHP before 5.3.14 and 5.4.x before 5.4.4 does not properly determine the end of the query string during pars |

| Version: 5.3.10-1ubuntu3.2 | 2012-06-19 16:06:47 UTC |

php5 (5.3.10-1ubuntu3.2) precise-security; urgency=low

  * SECURITY UPDATE: denial of service via invalid tidy objects
    - debian/patches/CVE-2012-0781.patch: track initialization in
      ext/tidy/tidy.c, added tests to ext/tidy/tests/004.phpt,
      ext/tidy/tests/bug54682.phpt.
    - CVE-2012-0781
  * SECURITY UPDATE: denial of service or possible directory traversal via
    invalid filename.
    - debian/patches/CVE-2012-1172.patch: ensure brackets get closed in
      main/rfc1867.c, add test to tests/basic/bug55500.phpt.
    - CVE-2012-1172
  * SECURITY UPDATE: password truncation via invalid byte
    - debian/patches/CVE-2012-2143.patch: improve logic in
      ext/standard/crypt_freesec.c, add test to
      ext/standard/tests/strings/crypt_chars.phpt.
    - CVE-2012-2143
  * SECURITY UPDATE: improve php5-cgi query string parameter parsing
    - debian/patches/CVE-2012-233x.patch: improve parsing in
      sapi/cgi/cgi_main.c.
    - CVE-2012-2335
    - CVE-2012-2336
  * SECURITY UPDATE: phar extension heap overflow
    - debian/patches/CVE-2012-2386.patch: check for overflow in
      ext/phar/tar.c.
    - CVE-2012-2386

 -- Marc Deslauriers <email address hidden>  Tue, 12 Jun 2012 13:40:37 -0400

| Source diff to previous version |
| CVE-2012-0781 | The tidy_diagnose function in PHP 5.3.8 might allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via |
| CVE-2012-1172 | The file-upload implementation in rfc1867.c in PHP before 5.4.0 does not properly handle invalid [ (open square bracket) characters in name values, wh |
| CVE-2012-2335 | php-wrapper.fcgi does not properly handle command-line arguments, which allows remote attackers to bypass a protection mechanism in PHP 5.3.12 and 5.4 |
| CVE-2012-2336 | sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings |
| CVE-2012-2386 | phar integer overflow |

| Version: 5.3.10-1ubuntu3.1 | 2012-05-04 14:09:01 UTC |

php5 (5.3.10-1ubuntu3.1) precise-security; urgency=low

  * SECURITY UPDATE: php5-cgi query string parameters parsing
    vulnerability
    - debian/patches/php5-CVE-2012-1823.patch: filter query strings that
      are prefixed with '-'
    - CVE-2012-1823
    - CVE-2012-2311

 -- Steve Beattie <email address hidden>  Thu, 03 May 2012 15:42:08 -0700

| CVE-2012-1823 | sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings |
| CVE-2012-2311 | sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings |