php5 (5.6.0~rc3+dfsg-2) unstable; urgency=medium
* The default session.save_path has been changed from /var/lib/php5
to /var/lib/php5/sessions.
-- Ondřej Surý <ondrej@debian.org> Thu, 14 Aug 2014 10:20:59 +0200
php5 (5.6.0~beta4+dfsg-2) unstable; urgency=medium
* Full upstream upgrade notes are available at:
/usr/share/doc/php5-common/UPGRADING.gz
* The backwards incompatible changes introduced in PHP 5.6:
- Core:
By fixing bug #66015 it is no longer possible to overwrite keys in static scalar
arrays. Quick example to illustrate:
    class Test {
        const FIRST = 1;
        public $array = array(
            self::FIRST => 'first',
            'second',
            'third'
        );
    }
Test::$array will now have three array keys (1, 2, 3), as expected, and no
longer two (0, 1). self::FIRST no longer overwrites 'third', which had key 1;
instead it marks the beginning of indexing.
- JSON:
json_decode() no longer accepts non-lowercase variants of lone JSON true,
false or null values. For example, True or FALSE will now cause json_decode to
return NULL and set an error value you can fetch with json_last_error().
This affects JSON texts consisting solely of true, false or null. Text
containing non-lowercase values inside JSON arrays or objects has never been
accepted.
- OpenSSL:
To prevent man-in-the-middle attacks against encrypted transfers, client
streams now verify peer certificates by default. Previous versions
required users to manually enable peer verification. As a result of this
change, existing code using ssl:// or tls:// stream wrappers (e.g.
file_get_contents(), fsockopen(), stream_socket_client()) may no longer
connect successfully without manually disabling peer verification via the
stream context's "verify_peer" setting. Encrypted transfers delegate to
operating system certificate stores by default if not overridden via the
new openssl.cafile and openssl.capath ini directives or via call-time SSL
context options, so most users should be unaffected by this transparent
security enhancement. (https://wiki.php.net/rfc/tls-peer-verification)
- Mcrypt:
The mcrypt_encrypt(), mcrypt_decrypt() and mcrypt_{MODE}() functions no
longer accept keys or IVs with incorrect sizes. Furthermore an IV is now
required if the used block cipher mode requires it.
-- Ondřej Surý <ondrej@debian.org> Mon, 23 Jun 2014 14:09:53 +0200
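
For the OpenSSL change above, an added example (not part of the php5 package or its NEWS text) that shows which CA sources a client stream will trust and builds a context that keeps verification on while pointing at a private CA bundle. The host name and bundle path are constructed placeholders.

```php
<?php
// Added example, not from the php5 package. Assumes PHP >= 5.6 with ext/openssl.

// Where will a client stream look for trusted CAs? Call-time context options
// come first, then the ini directives, then the OpenSSL defaults.
function effective_ca_sources()
{
    $loc = openssl_get_cert_locations();
    return array(
        'openssl.cafile (ini)' => ini_get('openssl.cafile') ?: '(unset)',
        'openssl.capath (ini)' => ini_get('openssl.capath') ?: '(unset)',
        'default cert file'    => $loc['default_cert_file'],
        'default cert dir'     => $loc['default_cert_dir'],
    );
}

// Context for ssl:// and tls:// wrappers that keeps verification on.
// $caFile is an optional PEM bundle for a private CA (hypothetical path below).
function verified_tls_context($peerName, $caFile = null)
{
    $ssl = array(
        'verify_peer'       => true,      // the 5.6 default, stated explicitly
        'verify_peer_name'  => true,
        'peer_name'         => $peerName,
        'allow_self_signed' => false,
    );
    if ($caFile !== null) {
        $ssl['cafile'] = $caFile;         // call-time override of openssl.cafile
    }
    return stream_context_create(array('ssl' => $ssl));
}

foreach (effective_ca_sources() as $what => $value) {
    printf("%-22s %s\n", $what, $value);
}

// Constructed host name and CA path; nothing is contacted here.
$ctx = verified_tls_context('intranet.example', '/etc/ssl/private-ca/bundle.pem');
print_r(stream_context_get_options($ctx));

// An existing call then only needs the context passed in, e.g.:
//   file_get_contents('https://intranet.example/', false, $ctx);
```
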
php5 (5.5.0~rc1+dfsg-1) experimental; urgency=low
* Starting from this version, the JSON module is no longer compiled in
due to licensing problems, and you need to install the JSON extension
as external php5-json package that is using json-c library.
-- Ondřej Surý <ondrej@debian.org> Fri, 17 May 2013 14:43:04 +0200
php5 (5.5.0~beta4-2) experimental; urgency=low
* short_open_tag configuration option now defaults to Off. This means
that your PHP applications have to use '<?php' instead of just '<?'.
Please check and fix your applications (this is the preferred solution) or
you can re-enable short_open_tag in /etc/php5/<sapi>/php.ini again.
-- Ondřej Surý <ondrej@debian.org> Sun, 05 May 2013 23:37:54 +0200
php5 (5.4.4-7) unstable; urgency=low
* As a side effect of the MIME-Type changes in the mime-support package,
the default Apache 2 configuration will no longer perform HTTP content
negotiation on the PHP file extensions, which was very questionable
anyway. If you really want to re-enable this support then please read
/usr/share/doc/php5-common/README.Debian file for further
instructions.
-- Ondřej Surý <ondrej@debian.org> Wed, 29 Aug 2012 09:18:41 +0200
php5 (5.4.4-5) unstable; urgency=low
* As a security measure the default configuration for Apache 2 has been
changed to a stricter model. Only files which have the correct
rightmost extension, and at least one character in the filename before
that extension, are now interpreted by PHP. For a full list of
handled extensions please see the Apache 2 configuration. At the time
of writing this paragraph, the list includes the following regular
expressions:
1. .+\.ph(p[345]?|t|tml)$ for PHP files (application/x-httpd-php)
2. .+\.phps$ for PHP source files (application/x-httpd-php-source)
Previously, as a side effect of system MIME type definitions, the
default configuration would allow the interpreting of files with a
double extension, where the second extension was either unrecognised
or a language or content encoding to be interpreted; e.g. an uploaded
file named blackhat.php.foobar or index.php.cs would be interpreted by
PHP. These non-standard definitions have been removed from the
mime-support packages and all configuration of PHP handlers is now
defined in the Apache 2 configuration files.
The standard configuration now also denies access to files with names
which consist of an extension and nothing more; e.g. accessing '/.php'
will now return Access Denied instead of the output of the PHP script.
You can use the following command to find whether there are any files
on your system which would be affected by this change (change <base>
to the directory name where you store PHP files on your system):
    # find <base> -name '*.ph[pt].*' -o -name '*.php[345s].*' -o \
        -name '*.phtml.*' -o -name '.ph[pt]' -o \
        -name '.php[345s]' -o -name '.phtml'
-- Ondřej Surý <ondrej@debian.org> Tue, 21 Aug 2012 09:14:47 +0200
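
The handler rules from the entry above as an added example (not part of the php5 package): a classifier an upload handler or audit script could apply to file names. The two handler regexes are copied from the text; the "legacy" and "denied" patterns are regex translations of the find(1) globs shown there, and the sample names are constructed.

```php
<?php
// Added example, not from the php5 package.

function classify_php_name($path)
{
    $name = basename($path);

    // An extension and nothing more, e.g. ".php": access is denied.
    if (preg_match('/^\.(?:ph[pt]|php[345s]|phtml)$/D', $name)) {
        return 'denied';
    }
    // Current handlers: rightmost extension, at least one character before it.
    // The D modifier stops "$" from matching before a trailing newline.
    if (preg_match('/.+\.phps$/D', $name)) {
        return 'php-source';              // application/x-httpd-php-source
    }
    if (preg_match('/.+\.ph(p[345]?|t|tml)$/D', $name)) {
        return 'php';                     // application/x-httpd-php
    }
    // A PHP-like extension followed by another one: interpreted only under
    // the old MIME-type based configuration.
    if (preg_match('/\.(?:ph[pt]|php[345s]|phtml)\./', $name)) {
        return 'legacy-double-extension';
    }
    return 'not-php';
}

// Constructed sample names; the directory is a placeholder.
$samples = array(
    'index.php', 'page.phtml', 'view.phps', 'blackhat.php.foobar',
    'index.php.cs', 'a.php.php', '.php', 'logo.png',
);
foreach ($samples as $s) {
    printf("%-22s %s\n", $s, classify_php_name('/var/www/uploads/' . $s));
}
```

Names reported as legacy-double-extension are the ones the find command above lists: they were executed before this change and are served by whatever other handler matches now.
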
php5 (5.4.0~rc8-1) unstable; urgency=low
The php5-fpm default www pool now listens on a Unix socket located
in /var/run/php5-fpm.sock instead of localhost:9000. If you
have configured your webserver to use localhost:9000, you will
have to change your settings.
-- Ondřej Surý <ondrej@debian.org> Wed, 08 Feb 2012 08:25:30 +0100
php5 (5.4.0~rc6-2) unstable; urgency=low
t1lib support was removed from PHP 5.4. t1lib has many security
issues and has been unmaintained upstream for a very long time (3 years).
For more information see:
+ http://bugs.debian.org/637488
+ http://bugs.debian.org/638755
This unfortunately also means that the following functions are no longer
available in PHP5:
- imagepsloadfont
- imagepsfreefont
- imagepsencodefont
- imagepsextendfont
- imagepsslantfont
- imagepstext
- imagepsbbox
If you really need those functions you will need to install t1lib from
sources. You will need to install php5-dev and recompile the GD extension
(roughly) using the following commands:
    cd <path_to_php5_sources>/ext/gd/
    phpize
    ./configure --with-gd=shared,/usr --enable-gd-native-ttf \
        --with-t1lib=<location_of_your_t1lib>
    make
    make install
-- Ondřej Surý <ondrej@debian.org> Wed, 01 Feb 2012 18:19:45 +0100
php5 (5.3.9-4) unstable; urgency=low
* The Suhosin patch is now disabled in the default build.
If you want to re-enable it again for your installation, you can
set the option PHP5_SUHOSIN=yes in debian/rules and recompile PHP.
-- Ondřej Surý <ondrej@debian.org> Sat, 28 Jan 2012 08:39:36 +0100
php5 (5.3.6-13) unstable; urgency=low
* Updated blowfish crypt() algorithm fixes the 8-bit character handling
vulnerability (CVE-2011-2483) and adds more self-tests. Unfortunately
this change is incompatible with some old (wrong) generated hashes for
passwords containing 8-bit characters.
It is recommended that any passwords containing characters with
the 8th bit set be changed after this upgrade. In order to allow users
to log in after the upgrade even if they have a potentially affected
password, the newly introduced backwards compatibility hash encoding
prefix of "$2x$" may be used (in place of the usual "$2a$"). Such
password hashes should only be used during a transition period; when
passwords are changed, the usual "$2a$" prefix is used, denoting the
correct algorithm.
-- Ondřej Surý <ondrej@debian.org> Mon, 04 Jul 2011 10:31:16 +0200
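
The transition described above as an added example (not part of the php5 package): a login check that accepts a record already re-labelled "$2x$" and, once the password has verified, returns a fresh "$2a$" hash to store in its place. It assumes PHP >= 5.6 for hash_equals() and ext/openssl for random bytes; the password and stored record are constructed at run time.

```php
<?php
// Added example, not from the php5 package.

function bcrypt_hash($password, $prefix = '$2a$', $cost = 10)
{
    // 16 random bytes -> 22 characters in the bcrypt salt alphabet.
    $raw  = openssl_random_pseudo_bytes(16);
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return crypt($password, $prefix . sprintf('%02d$', $cost) . $salt);
}

// Returns array($ok, $replacement): $replacement is a fresh "$2a$" hash to
// store when the record that verified was a transition-only "$2x$" one.
function verify_and_migrate($password, $stored)
{
    $prefix = substr($stored, 0, 4);
    if ($prefix !== '$2a$' && $prefix !== '$2x$') {
        return array(false, null);          // not a hash this entry covers
    }
    // crypt() reads prefix, cost and salt from the stored hash itself.
    $computed = (string) crypt($password, $stored);
    if (!hash_equals($stored, $computed)) {
        return array(false, null);
    }
    return array(true, $prefix === '$2x$' ? bcrypt_hash($password) : null);
}

// Constructed record: a password with 8-bit bytes stored under "$2x$".
$password = "p\xC3\xA4ssword";
$stored   = bcrypt_hash($password, '$2x$', 5);

list($ok, $replacement) = verify_and_migrate($password, $stored);
var_dump($ok);
echo substr($replacement, 0, 4), "\n";      // prefix of the hash to store

list($ok, $replacement) = verify_and_migrate('wrong', $stored);
var_dump($ok, $replacement);
```
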
php5 (5.3.1-3) unstable; urgency=low
* mod_php disabled in userdirs.
The default Debian libapache2-mod-php5 package now disables the PHP
engine on ~/public_html directories when mod_userdir is enabled, for
security reasons. Although discouraged, it can be re-enabled by
commenting out the <IfModule mod_userdir.c> block in
/etc/apache2/mods-available/php5.conf
* PHP 5.2 compatibility settings
Given the short time to the Squeeze release freeze, the
short_open_tag setting has been turned On again (upstream now
defaults to Off on the php.ini files.) However, the request_order and
auto_globals_jit settings continue to be the default from upstream
("GP" and On, respectively.)
-- Raphael Geissert <geissert@debian.org> Mon, 11 Jan 2010 16:49:28 -0600
php5 (5.2.11.dfsg.1-2) unstable; urgency=high
* Maximum number of file uploads per request limited
To prevent Denial of Service attacks by exhausting the number of
available temporary file names, upstream introduced the max_file_uploads
option in 5.3.1 and 5.2.12.
Due to the nature of this new option a default limit has been set
to 50, hoping it is sensible enough not to cause disruptions on
existing services.
The value of this new limit can be changed in the php.ini file.
If you installed the php5-suhosin extension there was a limiting
mechanism in place already. In this case you may want to make sure
the new limit imposed by PHP itself is not smaller than suhosin's.
-- Raphael Geissert <geissert@debian.org> Sat, 21 Nov 2009 13:37:51 -0600
php5 (5.2.6-1) unstable; urgency=medium
* Now uses system timezone database.
Debian PHP now makes use of the system wide timezone database from the
tzdata package, making sure any updates there are automatically used
by PHP as well. Note that this requires that the PHP process has access
to /etc/localtime and /usr/share/zoneinfo (this is usually the case).
* New php5-dbg package.
We are now shipping a php5-dbg package which will greatly aid in finding
the cause of many crashes that you may experience. So if you are going to
report a bug for a reproducible crash, please install this package before
sending a backtrace.
* New libapache2-mod-php5filter package.
We are now also shipping a new libapache2-mod-php5filter package which
uses the "Apache 2.0 filter-module support via DSO through APXS".
-- Thijs Kinkhorst <thijs@debian.org> Wed, 23 Jul 2008 17:42:06 +0200
php5 (5.2.3-2) unstable; urgency=low
The Suhosin patch is now enabled by default!
For more information, see
<http://www.hardened-php.net/suhosin/index.html>.
Special thanks to Blars Blarson for providing a sparc machine for testing
that the patch seems to work okay on that architecture. If you experience
otherwise, let us know!
Suggestions are welcome for default configuration options, examples,
documentation, etc.
In any event please report successes and/or failures to us at
pkg-php-maint@lists.alioth.debian.org.
-- sean finney <seanius@debian.org> Thu, 12 Jul 2007 23:38:43 +0200