UbuntuUpdates.org

Package "php5"

Name: php5

Description:

server-side, HTML-embedded scripting language (metapackage)

Latest version: 5.5.9+dfsg-1ubuntu4.29
Release: trusty (14.04)
Level: updates
Repository: main
Homepage: http://www.php.net/

Other versions of "php5" in Trusty

Repository Area Version
base main 5.5.9+dfsg-1ubuntu4
base universe 5.5.9+dfsg-1ubuntu4
security universe 5.5.9+dfsg-1ubuntu4.29
security main 5.5.9+dfsg-1ubuntu4.29
updates universe 5.5.9+dfsg-1ubuntu4.29


Changelog

Version: 5.5.9+dfsg-1ubuntu4.29 2019-04-23 15:07:07 UTC

  php5 (5.5.9+dfsg-1ubuntu4.29) trusty-security; urgency=medium

  * SECURITY UPDATE: Unauthorized user access
    - debian/patches/CVE-2019-9637.patch: fix in
      main/streams/plain_wrapper.c.
    - CVE-2019-9637
  * SECURITY UPDATE: Invalid read in exif_process_IFD_MAKERNOTE
    - debian/patches/CVE-2019-9638-and-CVE-2019-9639-*.patch: fix in
      ext/exif/exif.c, added tests in ext/exif/tests/bug77563.jpg,
      ext/exif/tests/bug77563.phpt.
    - CVE-2019-9638
    - CVE-2019-9639
  * SECURITY UPDATE: Invalid read
    - debian/patches/CVE-2019-9640.patch: fix in
      ext/exif/exif.c, added tests in ext/exif/tests/bug77540.jpg,
      ext/exif/tests/bug77540.phpt.
    - CVE-2019-9640
  * SECURITY UPDATE: Uninitialized read
    - debian/patches/CVE-2019-9641.patch: fix in ext/exif/exif.c.
    - CVE-2019-9641
  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2019-9675.patch: fix in
      ext/phar/tar.c, added tests ext/phar/tests/bug77586.phpt,
      ext/phar/tests/bug77586/files/*.
    - CVE-2019-9675
  * Changed the way MAKERNOTE is handled in case we do not have a matching
    signature, in order to support tests CVE-2019-9638 and CVE-2019-9639.
    - debian/patches/Changed-the-way-MAKERNOTE-is-handled-in-case.patch: fix
      it changing the behavior in order to continue the parse in
      ext/exif/exif.c
  * SECURITY UPDATE: buffer over-read in dns_get_record
    - debian/patches/CVE-2019-9022.patch: check length in
      ext/standard/dns.c.
    - CVE-2019-9022

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 22 Apr 2019 14:39:52 -0300

CVE-2019-9637 An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented,
CVE-2019-9638 An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in ex
CVE-2019-9639 An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in ex
CVE-2019-9640 An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an Invalid Read in exif_pro
CVE-2019-9641 An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in ex
CVE-2019-9675 ** DISPUTED ** An issue was discovered in PHP 7.x before 7.1.27 and 7.3.x before 7.3.3. phar_tar_writeheaders_int in ext/phar/tar.c has a buffer over
CVE-2019-9022 An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can all

Version: 5.5.9+dfsg-1ubuntu4.27 2019-03-06 17:06:59 UTC

  php5 (5.5.9+dfsg-1ubuntu4.27) trusty-security; urgency=medium

  * SECURITY UPDATE: invalid memory access in xmlrpc_decode()
    - debian/patches/CVE-2019-9020.patch: check length in
      ext/xmlrpc/libxmlrpc/xml_element.c, added test to
      ext/xmlrpc/tests/bug77242.phpt.
    - CVE-2019-9020
  * SECURITY UPDATE: buffer over-read in PHAR extension
    - debian/patches/CVE-2019-9021.patch: properly calculate position in
      ext/phar/phar.c, added test to ext/phar/tests/bug77247.phpt.
    - CVE-2019-9021
  * SECURITY UPDATE: buffer over-reads in mbstring regex functions
    - debian/patches/CVE-2019-9023-1.patch: don't read past buffer in
      ext/mbstring/oniguruma/regparse.c, added test to
      ext/mbstring/tests/bug77370.phpt.
    - debian/patches/CVE-2019-9023-2.patch: check bounds in
      ext/mbstring/oniguruma/regcomp.c, added test to
      ext/mbstring/tests/bug77371.phpt.
    - debian/patches/CVE-2019-9023-3.patch: add length checks to
      ext/mbstring/oniguruma/enc/unicode.c,
      ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regparse.c,
      ext/mbstring/oniguruma/regparse.h, added test to
      ext/mbstring/tests/bug77371.phpt, ext/mbstring/tests/bug77381.phpt.
    - debian/patches/CVE-2019-9023-4.patch: add new bounds checks to
      ext/mbstring/oniguruma/enc/utf16_be.c,
      ext/mbstring/oniguruma/enc/utf16_le.c,
      ext/mbstring/oniguruma/enc/utf32_be.c,
      ext/mbstring/oniguruma/enc/utf32_le.c, added test to
      ext/mbstring/tests/bug77418.phpt.
    - CVE-2019-9023
  * SECURITY UPDATE: buffer over-read in xmlrpc_decode()
    - debian/patches/CVE-2019-9024.patch: fix variable size in
      ext/xmlrpc/libxmlrpc/base64.c, added test to
      ext/xmlrpc/tests/bug77380.phpt.
    - CVE-2019-9024

 -- Marc Deslauriers <email address hidden> Tue, 05 Mar 2019 08:12:08 -0500

CVE-2019-9020 An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_de
CVE-2019-9021 An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR r
CVE-2019-9023 An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read
CVE-2019-9024 An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. xmlrpc_decode() can allow a hostile XML

Version: 5.5.9+dfsg-1ubuntu4.26 2018-09-18 09:07:01 UTC

  php5 (5.5.9+dfsg-1ubuntu4.26) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service in exif parsing
    - debian/patches/CVE-2018-14851.patch: check length in ext/exif/exif.c.
    - CVE-2018-14851
  * SECURITY UPDATE: denial of service in exif parsing
    - debian/patches/CVE-2018-14883.patch: check length in ext/exif/exif.c.
    - CVE-2018-14883
  * SECURITY UPDATE: XSS due to the header Transfer-Encoding: chunked
    - debian/patches/bug76582.patch: clean up brigade in
      sapi/apache2handler/sapi_apache2.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Mon, 17 Sep 2018 03:45:24 -0400

CVE-2018-14851 exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote
CVE-2018-14883 An issue was discovered in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. An Integer Overflow leads to a heap-b

Version: 5.5.9+dfsg-1ubuntu4.25 2018-05-14 17:07:00 UTC

  php5 (5.5.9+dfsg-1ubuntu4.25) trusty-security; urgency=medium

  * SECURITY UPDATE: opcache access controls bypass
    - debian/patches/CVE-2018-10545.patch: do not set PR_SET_DUMPABLE by
      default in sapi/fpm/fpm/fpm_conf.c, sapi/fpm/fpm/fpm_conf.h,
      sapi/fpm/fpm/fpm_unix.c, sapi/fpm/php-fpm.conf.in.
    - CVE-2018-10545
  * SECURITY UPDATE: infinite loop in iconv stream filter
    - debian/patches/CVE-2018-10546-1.patch: fail on invalid sequences in
      ext/iconv/iconv.c, ext/iconv/tests/bug76249.phpt.
    - debian/patches/CVE-2018-10546-2.patch: fix tsrm_ls in
      ext/iconv/iconv.c.
    - CVE-2018-10546
  * SECURITY UPDATE: XSS on PHAR error pages
    - debian/patches/CVE-2018-10547.patch: remove potential unfiltered
      outputs in ext/phar/phar_object.c, fix tests in ext/phar/tests/*.
    - CVE-2018-10547
  * SECURITY UPDATE: DoS via ldap_get_dn return value mishandling
    - debian/patches/CVE-2018-10548.patch: check dn in ext/ldap/ldap.c,
      add test to ext/ldap/tests/bug76248.phpt.
    - CVE-2018-10548

 -- Marc Deslauriers <email address hidden> Thu, 10 May 2018 08:10:41 -0400

CVE-2018-10545 An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. Dumpable FPM child processes allow by
CVE-2018-10546 An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/
CVE-2018-10547 An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Re
CVE-2018-10548 An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. ext/ldap/ldap.c allows remote LDAP se

Version: 5.5.9+dfsg-1ubuntu4.24 2018-03-19 15:06:42 UTC

  php5 (5.5.9+dfsg-1ubuntu4.24) trusty-security; urgency=medium

  * SECURITY UPDATE: stream_get_meta_data issue
    - debian/patches/CVE-2016-10712.patch: properly handle metadata in
      ext/standard/streamsfuncs.c, ext/standard/tests/*,
      main/streams/memory.c.
    - debian/patches/CVE-2016-10712-2.patch: fix various tests.
    - CVE-2016-10712
  * SECURITY UPDATE: stack-based under-read in HTTP response parsing
    - debian/patches/CVE-2018-7584.patch: prevent reading beyond buffer
      start in ext/standard/http_fopen_wrapper.c,
      ext/standard/tests/http/bug75981.phpt.
    - CVE-2018-7584

 -- Marc Deslauriers <email address hidden> Thu, 15 Mar 2018 10:11:53 -0400

CVE-2016-10712 In PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3, all of the return values of stream_get_meta_data can be controlled if the input can
CVE-2018-7584 In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an
