php7.3 (7.3.31-1~deb10u7) buster-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2024-5458:
    Due to a code logic error, filtering functions such as filter_var when
    validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the
    function will result in invalid user information (username + password part
    of URLs) being treated as valid user information. This may lead to the
    downstream code accepting invalid URLs as valid and parsing them
    incorrectly. The problem is related to CVE-2020-7071, but affects IPv6 host
    parts.

 -- Markus Koschany <apo@debian.org>  Mon, 17 Jun 2024 23:48:38 +0200

php7.3 (7.3.31-1~deb10u6) buster-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * Fix CVE-2024-2756: Due to an incomplete fix to CVE-2022-31629, network and
    same-site attackers can set a standard insecure cookie in the victim's
    browser which is treated as a __Host- or __Secure- cookie by PHP
    applications.
  * Fix CVE-2024-3096: If a password stored with password_hash starts with a
    null byte (\x00), testing a blank string as the password via
    password_verify() will incorrectly return true.
  * d/p/CVE-2023-3823.patch: Also backport upstream commit 62228a25685 (a
    no-op on Linux.)

 -- Guilhem Moulin <guilhem@debian.org>  Tue, 07 May 2024 02:47:26 +0200

php7.3 (7.3.31-1~deb10u5) buster-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * Fix CVE-2023-3823: Security issue with external entity loading in XML
    without enabling it.
  * Fix CVE-2023-3824: Buffer overflow and overread in phar_dir_read().

 -- Guilhem Moulin <guilhem@debian.org>  Mon, 04 Sep 2023 23:49:25 +0200

php7.3 (7.3.31-1~deb10u4) buster-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2023-3247: Missing error check and insufficient random bytes in HTTP
    Digest authentication for SOAP.

 -- Guilhem Moulin <guilhem@debian.org>  Mon, 19 Jun 2023 21:10:11 +0200

php7.3 (7.3.31-1~deb10u3) buster-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2022-31631: Uncaught integer overflow.
  * CVE-2023-0567: Malformatted BCrypt hashes that include a `$` within their
    salt part trigger a buffer overread and may erroneously validate any
    password as valid (closes: #1031368).
  * CVE-2023-0568: 1-byte array overrun in common path resolve code (closes:
    #1031368).
  * CVE-2023-0662: DoS vulnerability when parsing multipart request body
    (closes: #1031368).

 -- Guilhem Moulin <guilhem@debian.org>  Sun, 26 Feb 2023 14:00:55 +0100

php7.3 (7.3.31-1~deb10u2) buster-security; urgency=medium

  * Non-maintainer upload by the LTS Team.
  * CVE-2021-21707: invalid parsing of encoded null character.
  * CVE-2022-31625: invalid free in posgresql extension.
  * CVE-2022-31626: buffer overflow in mysqlnd driver.
  * CVE-2022-31628: infinite loop in the phar uncompressor.
  * CVE-2022-31629: secure cookie poisoning.
  * CVE-2022-37454: buffer overflow in Keccak XKCP SHA-3.

 -- Emilio Pozuelo Monfort <pochu@debian.org>  Thu, 15 Dec 2022 10:39:10 +0100

php7.3 (7.3.31-1~deb10u1) buster-security; urgency=medium

  * New upstream version 7.3.31
   + CVE-2021-21706: ZipArchive::extractTo extracts outside of
     destination.
  * Backported from 7.4.25
   + CVE-2021-21703: PHP-FPM oob R/W in root process leading to privilege
     escalation.

 -- Ondřej Surý <ondrej@debian.org>  Sun, 24 Oct 2021 17:18:08 +0200

php7.3 (7.3.29-1~deb10u1) buster-security; urgency=medium

  * New upstream version 7.3.29
   + CVE-2021-21705: SSRF bypass in FILTER_VALIDATE_URL
   + CVE-2021-21704: Stack buffer overflow in firebird_info_cb
   + CVE-2021-21704: SIGSEGV in firebird_handle_doer
   + CVE-2021-21704: SIGSEGV in firebird_stmt_execute
   + CVE-2021-21704: Crash while parsing blob data in firebird_fetch_blob

 -- Ondřej Surý <ondrej@debian.org>  Fri, 02 Jul 2021 06:04:33 +0200

php7.3 (7.3.27-1~deb10u1) buster-security; urgency=medium

  [ Ondřej Surý ]
  * New upstream version 7.3.27
   + Fixed bug #80672 (Null Dereference in SoapClient). (CVE-2021-21702)
  * New upstream version 7.3.26
   + Fixed bug #77423 (FILTER_VALIDATE_URL accepts URLs with invalid
     userinfo). (CVE-2020-7071)
  * New upstream version 7.3.23
   + Fixed bug #79699 (PHP parses encoded cookie names so malicious
     `__Host-` cookies can be sent). (CVE-2020-7070)
   + Fixed bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12
     bytes IV). (CVE-2020-7069)
  * New upstream version 7.3.21
   + Fixed bug #79797 (Use of freed hash key in the phar_parse_zipfile
     function). (CVE-2020-7068)
  * Disable the MySQL extension testing as it's too complicated and prone
    to breakages
  * In phpize, copy the foreign files from their respective packages
    (libtool, pkg-config, shtool, pkg.m4) instead of having a built-time
    copy in the package

  [ Pino Toscano ]
  * Disable AppArmor support on non-Linux archs (Closes: #951857)
  * Enable systemd integration only on Linux archs (Closes: #951834)

 -- Ondřej Surý <ondrej@debian.org>  Sat, 13 Feb 2021 17:31:40 +0100


php7.3 (7.3.19-1~deb10u1) buster-security; urgency=high

  * New upstream version 7.3.15
   + Fixed bug #79082 (Files added to tar with Phar::buildFromIterator
     have all-access permissions). (CVE-2020-7063)
   + Fixed bug #79171 (heap-buffer-overflow in phar_extract_file).
     (CVE-2020-7061)
   + Fixed bug #79221 (Null Pointer Dereference in PHP Session Upload Progress).
     (CVE-2020-7062)
  * New upstream version 7.3.16
   + Fixed bug #79371 (mb_strtolower (UTF-32LE): stack-buffer-overflow at
     php_unicode_tolower_full). (CVE-2020-7065)
   + Fixed bug #79329 (get_headers() silently truncates after a null byte).
     (CVE-2020-7066)
  * New upstream version 7.3.17
   + Fixed bug #79465 (OOB Read in urldecode()). (CVE-2020-7067)
  * New upstream version 7.3.18
   + Fixed bug #78875 (Long filenames cause OOM and temp files are not
     cleaned). (CVE-2019-11048)
   + Fixed bug #78876 (Long variables in multipart/form-data cause OOM and
     temp files are not cleaned). (CVE-2019-11048)
  * New upstream version 7.3.19
  * php-fpm has to depend on procps due kill usage in systemd service file
    (Closes: #861855)

 -- Ondřej Surý <ondrej@debian.org>  Sun, 05 Jul 2020 08:46:45 +0200

php7.3 (7.3.14-1~deb10u1) buster-security; urgency=medium

  * New upstream version 7.3.14
  * Disable MySQL X Plugin in the tests
  * Use mysqld --initialize-insecure for MySQL 8.0 (for Ubuntu 19.10)
  * Remove --skip-grant-tables to fix FTBFS with MySQL 8.0
  * Remove --without-mysqlx from MySQL 5.7

 -- Ondřej Surý <ondrej@debian.org>  Sun, 16 Feb 2020 16:07:23 +0100

php7.3 (7.3.11-1~deb10u1) buster-security; urgency=medium

  * New upstream version 7.3.11

 -- Ondřej Surý <ondrej@debian.org>  Sat, 26 Oct 2019 16:14:18 +0200

php7.3 (7.3.9-1~deb10u1) buster-security; urgency=high

  * New upstream version 7.3.9
  * php7.3-curl: Add Breaks against php7.0-curl for smoother upgrades from
    stretch.  (Closes: #929689)

 -- Ondřej Surý <ondrej@sury.org>  Wed, 18 Sep 2019 12:33:23 +0200

php7.3 (7.3.4-2) unstable; urgency=medium

  [Andreas Beckmann]
  * php7.3-common: Add Breaks against php7.0-curl for smoother upgrades from
    stretch.  (Closes: #925106)
  * php7.3-common: Add Breaks against gforge-common from jessie which uses a
    deprecated constructor syntax.
  * Deterministically generate debian/control by sorting the extension
    packages.

 -- Ondřej Surý <ondrej@debian.org>  Sat, 13 Apr 2019 19:05:48 +0000

php7.3 (7.3.4-1) unstable; urgency=medium

  * Update d/watch for new php.net pages
  * New upstream version 7.3.4
  * Enforce C++11 for intl compilation on older distributions

 -- Ondřej Surý <ondrej@debian.org>  Wed, 10 Apr 2019 06:55:43 +0000

php7.3 (7.3.3-1) unstable; urgency=medium

  * New upstream version 7.3.3
  * Update systzdata patch to v18 (Courtesy of RemiRepo)
  * Add patch for OpenSSL 1.1.1b (Courtesy of RemiRepo)

 -- Ondřej Surý <ondrej@debian.org>  Thu, 07 Mar 2019 19:43:34 +0000

php7.3 (7.3.2-3) unstable; urgency=medium

  * Update systzdata patch to v17 (Courtesy of remirepo)

 -- Ondřej Surý <ondrej@debian.org>  Fri, 08 Feb 2019 15:05:54 +0000

php7.3 (7.3.2-2) unstable; urgency=medium

  * Fix the icu patch condition for icu >= 60

 -- Ondřej Surý <ondrej@debian.org>  Fri, 08 Feb 2019 10:49:26 +0000

php7.3 (7.3.2-1) unstable; urgency=medium

  * New upstream version 7.3.2

 -- Ondřej Surý <ondrej@debian.org>  Thu, 07 Feb 2019 17:58:05 +0000

php7.3 (7.3.1-3) unstable; urgency=medium

  * Always build spoofchecker, because we are enforcing icu >= 50.1
    (Closes: #921199)

 -- Ondřej Surý <ondrej@debian.org>  Tue, 05 Feb 2019 10:25:33 +0000

php7.3 (7.3.1-2) unstable; urgency=high

  * Add patch to use pkg-config instead of icu-config to detect icu
    libraries (Closes: #916110)

 -- Ondřej Surý <ondrej@debian.org>  Mon, 21 Jan 2019 09:09:55 +0000

php7.3 (7.3.1-1) unstable; urgency=medium

  * New upstream version 7.3.1

 -- Ondřej Surý <ondrej@debian.org>  Sun, 13 Jan 2019 10:13:20 +0000

php7.3 (7.3.0-2) unstable; urgency=medium

  * Add upstream patch to fix OPcache optimization problem for
    ArrayAccess->offsetGet
  * Add upstream patch to fix infinite loop in preg_replace_callback
  * Fix check for rl_completion_matches in readline extension

 -- Ondřej Surý <ondrej@debian.org>  Mon, 17 Dec 2018 09:51:53 +0000

php7.3 (7.3.0-1) unstable; urgency=medium

  * Update d/watch for the final PHP 7.3.0 release
  * New upstream version 7.3.0

 -- Ondřej Surý <ondrej@debian.org>  Thu, 06 Dec 2018 20:22:15 +0000

php7.3 (7.3.0~rc6-1) unstable; urgency=medium

  * New upstream version 7.3.0~rc6

 -- Ondřej Surý <ondrej@debian.org>  Sun, 25 Nov 2018 10:01:25 +0000

php7.3 (7.3.0~rc5-2) unstable; urgency=medium

  * Don't use sed found by configure, use the sed command as available in
    the host system (Closes: #913620)

 -- Ondřej Surý <ondrej@debian.org>  Tue, 13 Nov 2018 09:10:56 +0000

php7.3 (7.3.0~rc5-1) unstable; urgency=medium

  * New upstream version 7.3.0~rc5
  * Enable lmdb support in dba extension

 -- Ondřej Surý <ondrej@debian.org>  Mon, 12 Nov 2018 09:54:24 +0000

php7.3 (7.3.0~rc4-2) unstable; urgency=medium

  * Restore correct patch name for
    0040-Add-patch-to-install-php7-module-directly-to-APXS_LI.patch

 -- Ondřej Surý <ondrej@debian.org>  Sun, 04 Nov 2018 04:54:20 +0000

php7.3 (7.3.0~rc4-1) unstable; urgency=medium

  * New upstream version 7.3.0~rc4
  * Rebase patches for PHP 7.4.0~rc4

 -- Ondřej Surý <ondrej@debian.org>  Thu, 25 Oct 2018 08:57:33 +0000

php7.3 (7.3.0~rc3-3) unstable; urgency=medium

  * Add patch to use pkg-config for FreeType2 library detection
    (Closes: #911460)
  * Remove libmcrypt-dev from Build-Depends

 -- Ondřej Surý <ondrej@debian.org>  Thu, 25 Oct 2018 06:39:32 +0000

php7.3 (7.3.0~rc3-2) unstable; urgency=medium

  * Disable the enabled modules in prerm, because in postrm the phpquery
    script is not aware of already removed sapi (Closes: #911018)

 -- Ondřej Surý <ondrej@debian.org>  Mon, 15 Oct 2018 09:53:04 +0000

php7.3 (7.3.0~rc3-1) unstable; urgency=medium

  * New upstream version 7.3.0~rc3
  * Rebase patches for PHP 7.3.0~rc3

 -- Ondřej Surý <ondrej@debian.org>  Sat, 13 Oct 2018 13:47:36 +0000

php7.3 (7.3.0~rc2-3) unstable; urgency=medium

  * Remove ancient mv_conffile (from php5)
  * Remove spurious L from phpize script (Closes: #909110)
  * Downgrade dh-php from Recommends to Suggests (Closes: #910620)

 -- Ondřej Surý <ondrej@debian.org>  Tue, 09 Oct 2018 13:22:52 +0000

php7.3 (7.3.0~rc2-2) unstable; urgency=medium

  * Fix the Vcs-* links
  * Apply upstream patch to allow disabling pcre jit and disable it on
    mips and s390x archs
  * Extra 'L' is gone (Closes: #909110)

 -- Ondřej Surý <ondrej@debian.org>  Thu, 04 Oct 2018 14:25:15 +0000

php7.3 (7.3.0~rc2-1) unstable; urgency=medium

  * New upstream version 7.3.0~rc2
  * Rebase patches for PHP 7.3.0~rc2

 -- Ondřej Surý <ondrej@debian.org>  Mon, 01 Oct 2018 11:42:35 +0000

php7.3 (7.3.0~beta2-3) unstable; urgency=medium

  * Disable assembly code with gcc 4.8 on i386

 -- Ondřej Surý <ondrej@debian.org>  Mon, 20 Aug 2018 08:07:58 +0000

php7.3 (7.3.0~beta2-2) unstable; urgency=medium

  * Remove dependency on pcre3 and add libpcre2-dev to phpX.Y-dev

 -- Ondřej Surý <ondrej@debian.org>  Sun, 19 Aug 2018 16:12:50 +0000

php7.3 (7.3.0~beta2-1) unstable; urgency=medium

  * New upstream version 7.3.0~beta2
  * Rebase patches for PHP 7.3.0~beta2
  * Fix phpdbg.1 installation path from srcdir to builddir
  * Bump d/phpapi to 20180731

 -- Ondřej Surý <ondrej@debian.org>  Sun, 19 Aug 2018 07:49:10 +0000

php7.3 (7.3.0~beta1-1) unstable; urgency=medium

  [ Lior Kaplan ]
  * Fix syntax typo

  [ Ondřej Surý ]
  * New upstream version 7.3.0~beta1
  * Rebase patches for PHP 7.3.0beta1

 -- Ondřej Surý <ondrej@debian.org>  Fri, 03 Aug 2018 13:52:09 +0000

php7.3 (7.3.0~alpha4-1) unstable; urgency=medium

  * Use cpuid.h instead of custom assembler
  * New upstream version 7.3.0~alpha4
  * Rebase patches for PHP 7.3.0~alpha4

 -- Ondřej Surý <ondrej@debian.org>  Wed, 25 Jul 2018 11:11:09 +0000

php7.3 (7.3.0~alpha3-2) unstable; urgency=medium

  * Remove traces of ext_skel modifications
  * Add <!nocheck> profile to all default-mysql-server alternatives
  * Bump d/phpapi for PHP 7.3
  * Add libargon2-dev as new alternative build-dependency to
    libargon2-0-dev

 -- Ondřej Surý <ondrej@debian.org>  Sat, 14 Jul 2018 13:57:34 +0000

php7.3 (7.3.0~alpha3-1) unstable; urgency=medium

  * Update upstream signing-key.asc for PHP 7.3
  * New upstream version 7.3.0~alpha3
  * Build-Depend on libpcre2-dev
  * Rebase patches for PHP 7.3.0~alpha3

 -- Ondřej Surý <ondrej@debian.org>  Mon, 09 Jul 2018 13:49:59 +0000

php7.2 (7.2.7-2) unstable; urgency=medium

  * Update the maintainer email to team+pkg-php@tracker.debian.org
  * Update the Vcs-* links to salsa.d.o

 -- Ondřej Surý <ondrej@debian.org>  Mon, 09 Jul 2018 12:28:45 +0000

php7.2 (7.2.7-1) unstable; urgency=medium

  * New upstream version 7.2.7
  * Refresh patches for PHP 7.2.7

 -- Ondřej Surý <ondrej@debian.org>  Fri, 22 Jun 2018 07:35:11 +0000

php7.2 (7.2.6-1) unstable; urgency=medium

  * New upstream version 7.2.6
  * Rebase patches for PHP version 7.2.6

 -- Ondřej Surý <ondrej@debian.org>  Mon, 11 Jun 2018 14:54:56 +0000

php7.2 (7.2.5-1) unstable; urgency=medium

  * New upstream version 7.2.5
  * Rebase patches for PHP 7.2.5

 -- Ondřej Surý <ondrej@debian.org>  Sat, 05 May 2018 04:56:32 +0000

php7.2 (7.2.4-1) unstable; urgency=medium

  * New upstream version 7.2.4
  * Rebase patches on top of new upstream release.

 -- Ondřej Surý <ondrej@debian.org>  Thu, 05 Apr 2018 08:50:27 +0000

php7.2 (7.2.3-1) unstable; urgency=medium

  * New upstream version 7.2.3
  * Rebase patches on top of new upstream release.

 -- Ondřej Surý <ondrej@debian.org>  Tue, 06 Mar 2018 11:15:04 +0000

php7.2 (7.2.2-3) unstable; urgency=medium

  * Add explicit libpcre3 >= 2:8.35 dependency as dh_genshlibs is failing
    to add versioned dependency for some reason.

 -- Ondřej Surý <ondrej@debian.org>  Tue, 06 Feb 2018 16:07:40 +0000

php7.2 (7.2.2-2) unstable; urgency=medium

  * Remove explicit libpcre3 dependency and let dh_genshlibs do its magic

 -- Ondřej Surý <ondrej@debian.org>  Tue, 06 Feb 2018 13:00:04 +0000

php7.2 (7.2.2-1) unstable; urgency=medium

  * New upstream version 7.2.2
  * Rebase patches on top of new upstream release
  * Regenerate d/control to finish php7.2-sodium removal

 -- Ondřej Surý <ondrej@debian.org>  Thu, 01 Feb 2018 15:19:04 +0000

php7.2 (7.2.1-1) unstable; urgency=medium

  * Update the Vcs-* to salsa.d.o
  * Slightly update debian/copyright (most changes were already in)
  * New upstream version 7.2.1
  * Rebase patches on top of new upstream release

 -- Ondřej Surý <ondrej@debian.org>  Fri, 05 Jan 2018 11:21:04 +0000

php7.2 (7.2.0-2) unstable; urgency=medium

  * Get rid of extra php7.2-sodium module

 -- Ondřej Surý <ondrej@debian.org>  Wed, 06 Dec 2017 14:15:47 +0000

php7.2 (7.2.0-1) unstable; urgency=low

  * Update PHP 7.2 signing keys
  * New upstream version 7.2.0
  * Rebase patches for new upstream release.

 -- Ondřej Surý <ondrej@debian.org>  Thu, 30 Nov 2017 13:55:57 +0000

php7.2 (7.2.0~rc6-1) unstable; urgency=medium

  * New upstream version 7.2.0~rc6
  * Rebase patches for new upstream version.

 -- Ondřej Surý <ondrej@debian.org>  Sun, 12 Nov 2017 03:30:05 +0000

php7.2 (7.2.0~rc5-1) unstable; urgency=medium

  * New upstream version 7.2.0~rc5
  * Rebase patches for new upstream release

 -- Ondřej Surý <ondrej@debian.org>  Fri, 27 Oct 2017 13:33:55 +0000

php7.2 (7.2.0~rc4-2) unstable; urgency=medium

  * Fix the usage of internal allocator in xmlrpc extension

 -- Ondřej Surý <ondrej@debian.org>  Tue, 24 Oct 2017 18:54:46 +0000

php7.2 (7.2.0~rc4-1) unstable; urgency=medium

  * New upstream version 7.2.0~rc4
  * Rebase patches on top of new upstream version 7.2.0~rc4

 -- Ondřej Surý <ondrej@debian.org>  Sun, 22 Oct 2017 13:07:11 +0000

php7.2 (7.2.0~rc3-1) unstable; urgency=medium

  * New upstream version 7.2.0~rc3
  * Refresh patches for PHP 7.2.0~rc3

 -- Ondřej Surý <ondrej@debian.org>  Thu, 28 Sep 2017 18:26:49 +0200

php7.2 (7.2.0~rc2-1) unstable; urgency=medium

  * New upstream version 7.2.0~rc2
  * Rebase patches on top of PHP 7.2.0~rc2

 -- Ondřej Surý <ondrej@debian.org>  Mon, 18 Sep 2017 11:24:14 +0200

php7.2 (7.2.0~rc1-1) unstable; urgency=medium

  * New upstream version 7.2.0~rc1
  * Rebase patches on top of PHP 7.2.0~rc1
  * Update d/copyright (License check courtesy of Luca Falavigna)
  * Rewrap the files in d/ with wrap-and-sort -a

 -- Ondřej Surý <ondrej@debian.org>  Thu, 31 Aug 2017 14:00:16 +0200

php7.2 (7.2.0~beta3-2) unstable; urgency=medium

  * Enable Argon2 support for password hashing functions
  * Enable shared libsodium extension

 -- Ondřej Surý <ondrej@debian.org>  Fri, 25 Aug 2017 11:35:23 +0200

php7.2 (7.2.0~beta3-1) unstable; urgency=medium

  * Allow libgcrypt11-dev when it's not a transitional package
  * New upstream version 7.2.0~beta3
  * Refresh patches on top of PHP 7.2.0~beta3

 -- Ondřej Surý <ondrej@debian.org>  Fri, 18 Aug 2017 15:00:36 +0200

php7.2 (7.2.0~beta2-2) experimental; urgency=medium

  * Update Vcs-* links to https://gitlab.com/deb.sury.org/...
  * Stop depending on obsolete automake1.11
  * Switch build-depends to libgcrypt20-dev

 -- Ondřej Surý <ondrej@debian.org>  Fri, 04 Aug 2017 11:56:09 +0200

php7.2 (7.2.0~beta2-1) experimental; urgency=medium

  * Update d/watch for PHP 7.2
  * New upstream version 7.2.0~beta2
  * Rebase patches for PHP 7.2.0~beta2

 -- Ondřej Surý <ondrej@debian.org>  Thu, 03 Aug 2017 20:42:38 +0200

php7.2 (7.2.0~beta1-1) experimental; urgency=medium

  * New upstream version 7.2.0~beta1
  * Enable support for libsodium crypto
  * Rebase patches on top of PHP 7.2.0~beta1
  * Update phpapi for PHP 7.2 to 20170718

 -- Ondřej Surý <ondrej@debian.org>  Thu, 27 Jul 2017 13:29:34 +0200

php7.2 (7.2.0~alpha3-1) experimental; urgency=medium

  * New upstream version 7.2.0~alpha3
  * Rebase patches on top of PHP 7.2.0~alpha3
  * Update d/rules with configure.in -> configure.ac rename
  * Remove mcrypt extension that has been removed upstream
  * Update phpapi to 20160731

 -- Ondřej Surý <ondrej@debian.org>  Thu, 06 Jul 2017 13:50:44 +0200
