PHP 5.4.16 (RHEL/CentOS 7)
A list of ChangeLog entries for the backports to PHP 5.4.16, as installed from the standard yum repositories on RHEL/CentOS 7.x.
This differs from the ChangeLog of upstream PHP itself.
Release date | Release | Changelog |
---|---|---|
2018/01/23 | 43.1 | - gd: fix buffer over-read into uninitialized memory CVE-2017-7890 |
2017/10/04 | 43 | - gd: fix DoS vulnerability in gdImageCreateFromGd2Ctx() CVE-2016-10167 - gd: Signed Integer Overflow gd_io.c CVE-2016-10168 |
2016/08/05 | 42 | - bz2: fix improper error handling in bzread() CVE-2016-5399 |
2016/08/01 | 41 | - gd: fix integer overflow in _gd2GetHeader() resulting in heap overflow CVE-2016-5766 - gd: fix integer overflow in gdImagePaletteToTrueColor() resulting in heap overflow CVE-2016-5767 - mbstring: fix double free in _php_mb_regex_ereg_replace_exec CVE-2016-5768 |
2016/07/22 | 40 | - don't set environmental variable based on user supplied Proxy request header CVE-2016-5385 |
2016/06/15 | 39 | - fix segmentation fault in header_register_callback #1344578 |
2016/05/30 | 38 | - curl: add options to enable TLS #1291667 - mysqli: fix segfault in mysqli_stmt::bind_result() when link is closed #1096800 - fpm: fix incorrectly defined SCRIPT_NAME variable when using Apache #1138563 - core: fix segfault when a zend_extension is loaded twice #1289457 - openssl: change default_md algo from MD5 to SHA1 #1073388 - wddx: fix segfault in php_wddx_serialize_var #1131979 |
2016/04/04 | 37 | - session: fix segfault in session with rfc1867 #1297179 |
2015/06/10 | 36 | - fix more functions accept paths with NUL character #1213407 |
2015/06/05 | 35 | - core: fix multipart/form-data request can use excessive amount of CPU usage CVE-2015-4024 - fix various functions accept paths with NUL character CVE-2015-4025, CVE-2015-4026, #1213407 - fileinfo: fix denial of service when processing a crafted file #1213442 - ftp: fix integer overflow leading to heap overflow when reading FTP file listing CVE-2015-4022 - phar: fix buffer over-read in metadata parsing CVE-2015-2783 - phar: invalid pointer free() in phar_tar_process_metadata() CVE-2015-3307 - phar: fix buffer overflow in phar_set_inode() CVE-2015-3329 - phar: fix memory corruption in phar_parse_tarfile caused by empty entry file name CVE-2015-4021 - soap: fix type confusion through unserialize #1222538 - apache2handler: fix pipelined request executed in deinitialized interpreter under httpd 2.4 CVE-2015-3330 |
2015/04/16 | 34 | - fix memory corruption in fileinfo module on big endian machines #1082624 - fix segfault in pdo_odbc on x86_64 #1159892 - fix segfault in gmp allocator #1154760 |
2015/04/10 | 33 | - core: use after free vulnerability in unserialize() CVE-2014-8142 and CVE-2015-0231 - core: fix use-after-free in unserialize CVE-2015-2787 - core: fix NUL byte injection in file name argument of move_uploaded_file() CVE-2015-2348 - date: use after free vulnerability in unserialize CVE-2015-0273 - enchant: fix heap buffer overflow in enchant_broker_request_dict CVE-2014-9705 - exif: free called on unitialized pointer CVE-2015-0232 - fileinfo: fix out of bounds read in mconvert CVE-2014-9652 - gd: fix buffer read overflow in gd_gif_in.c CVE-2014-9709 - phar: use after free in phar_object.c CVE-2015-2301 - soap: fix type confusion through unserialize |
2014/10/23 | 31 | - fileinfo: fix out-of-bounds read in elf note headers. CVE-2014-3710 |
2014/10/21 | 29 | - xmlrpc: fix out-of-bounds read flaw in mkgmtime() CVE-2014-3668 - core: fix integer overflow in unserialize() CVE-2014-3669 - exif: fix heap corruption issue in exif_thumbnail() CVE-2014-3670 |
2014/09/12 | 27 | - gd: fix NULL pointer dereference in gdImageCreateFromXpm(). CVE-2014-2497 - gd: fix NUL byte injection in file names. CVE-2014-5120 - fileinfo: fix extensive backtracking in regular expression (incomplete fix for CVE-2013-7345). CVE-2014-3538 - fileinfo: fix mconvert incorrect handling of truncated pascal string size. CVE-2014-3478 - fileinfo: fix cdf_read_property_info (incomplete fix for CVE-2012-1571). CVE-2014-3587 - spl: fix use-after-free in ArrayIterator due to object change during sorting. CVE-2014-4698 - spl: fix use-after-free in SPL Iterators. CVE-2014-4670 - network: fix segfault in dns_get_record (incomplete fix for CVE-2014-4049). CVE-2014-3597 |
2014/08/21 | 25 | - fix segfault after startup on aarch64 (#1107567) - compile php with -O3 on ppc64le (#1123499) |
2014/06/13 | 23 | - fileinfo: cdf_unpack_summary_info() excessive looping DoS. CVE-2014-0237 - fileinfo: CDF property info parsing nelements infinite loop. CVE-2014-0238 - fileinfo: cdf_check_stream_offset insufficient boundary check. CVE-2014-3479 - fileinfo: cdf_count_chain insufficient boundary check CVE-2014-3480 - fileinfo: cdf_read_short_sector insufficient boundary check. CVE-2014-0207 - fileinfo: cdf_read_property_info insufficient boundary check. CVE-2014-3487 - fileinfo: fix extensive backtracking CVE-2013-7345 - core: type confusion issue in phpinfo(). CVE-2014-4721 - core: fix heap-based buffer overflow in DNS TXT record parsing. CVE-2014-4049 - core: unserialize() SPL ArrayObject / SPLObjectStorage type confusion flaw. CVE-2014-3515 |
2014/03/07 | 21 | - fix out-of-bounds memory access in fileinfo CVE-2014-2270 |
2014/02/21 | 19 | - fix memory leak introduce in patch for CVE-2014-1943 - fix heap-based buffer over-read in DateInterval CVE-2013-6712 |
2014/02/19 | 17 | - fix infinite recursion in fileinfo CVE-2014-1943 |
2014/01/24 | 15 | - Mass rebuild 2014-01-24 |
2014/01/15 | 14 | - Rebuild for mariadb-libs Related: #1045013 |
2014/01/10 | 13 | - build with -O3 on ppc64 #1051073 |
2014/01/09 | 11 | - use correct config.{guess,sub} for ppc64p7 #1048892 |
2013/12/27 | 10 | - Mass rebuild 2013-12-27 |
2013/12/06 | 9 | - add security fix for CVE-2013-6420 |
2013/11/04 | 7 | - fix for non x86 build #1023796 |
2013/08/19 | 5 | - fix enchant package summary and description - add security fix for CVE-2013-4248 |
2013/07/18 | 4 | - improve mod_php, pgsql and ldap description - add provides php(pdo-abi) for consistency with php(api) and php(zend-abi) - use %__isa_bits instead of %__isa in ABI suffix |
2013/07/12 | 3 | - add security fix for CVE-2013-4113 - add missing ASL 1.0 license - rebuild for net-snmp |
2013/07/02 | 2 | - add missing man pages (phar, php-cgi) #948873 |
2013/06/06 | 1 | - update to 5.4.16 - switch systemd unit to Type=notify - patch for upstream Bug #64915 error_log ignored when daemonize=0 - patch for upstream Bug #64949 Buffer overflow in _pdo_pgsql_error - patch for upstream bug #64960 Segfault in gc_zval_possible_root - add version to "Obsoletes" - own /usr/share/fpm |
PHP 5.3.3 (RHEL/CentOS 6)
A list of ChangeLog entries for the backports to PHP 5.3.3, as installed from the standard yum repositories on RHEL/CentOS 6.x.
This differs from the ChangeLog of upstream PHP itself.
Release date | Release | Changelog |
---|---|---|
2016/11/07 | 49 | - fix php-soap fails to connect to HTTPS web service sporadically as stream_socket_enable_crypto() uses NONBLOCK #1283153 |
2016/07/25 | 48 | - don't set environmental variable based on user supplied Proxy request header CVE-2016-5385 |
2015/12/09 | 47 | - fix wrong warning in openssl_encrypt() for missing IV when IV is not required #1260315 - fix segfault's when you try and allocate an SplFixedArray with size >= 9999 #1071344 - segfault in php_pgsql_meta_data CVE-2015-4644 #1234434 - add options to enable TLS in curl #1255920 - fix segfault in gc_collect_cycles #1122681 |
2015/07/03 | 46 | - fix gzfile accept paths with NUL character #1213407 - fix patch for CVE-2015-4024 |
2015/06/10 | 45 | - fix more functions accept paths with NUL character #1213407 |
2015/06/08 | 44 | - soap: missing fix for #1222538 and #1204868 |
2015/06/05 | 43 | - core: fix multipart/form-data request can use excessive amount of CPU usage CVE-2015-4024 - fix various functions accept paths with NUL character CVE-2015-4026, #1213407 - ftp: fix integer overflow leading to heap overflow when reading FTP file listing CVE-2015-4022 - phar: fix buffer over-read in metadata parsing CVE-2015-2783 - phar: invalid pointer free() in phar_tar_process_metadata() CVE-2015-3307 - phar: fix buffer overflow in phar_set_inode() CVE-2015-3329 - phar: fix memory corruption in phar_parse_tarfile caused by empty entry file name CVE-2015-4021 - soap: more fix type confusion through unserialize #1222538 |
2015/04/13 | 42 | - soap: more fix type confusion through unserialize #1204868 |
2015/04/09 | 41 | - core: fix double in zend_ts_hash_graceful_destroy CVE-2014-9425 - core: fix use-after-free in unserialize CVE-2015-2787 - exif: fix free on unitialized pointer CVE-2015-0232 - gd: fix buffer read overflow in gd_gif.c CVE-2014-9709 - date: fix use after free vulnerability in unserialize CVE-2015-0273 - enchant: fix heap buffer overflow in enchant_broker_request_dict CVE-2014-9705 - phar: use after free in phar_object.c CVE-2015-2301 - soap: fix type confusion through unserialize |
2014/10/23 | 40 | - fileinfo: fix out-of-bounds read in elf note headers. CVE-2014-3710 |
2014/10/21 | 39 | - xmlrpc: fix out-of-bounds read flaw in mkgmtime() CVE-2014-3668 - core: fix integer overflow in unserialize() CVE-2014-3669 - exif: fix heap corruption issue in exif_thumbnail() CVE-2014-3670 |
2014/09/10 | 38 | - spl: fix use-after-free in ArrayIterator due to object change during sorting. CVE-2014-4698 - spl: fix use-after-free in SPL Iterators. CVE-2014-4670 |
2014/08/14 | 37 | - gd: fix NULL pointer dereference in gdImageCreateFromXpm. CVE-2014-2497 - fileinfo: fix incomplete fix for CVE-2012-1571 in cdf_read_property_info. CVE-2014-3587 - core: fix incomplete fix for CVE-2014-4049 DNS TXT record parsing. CVE-2014-3597 |
2014/07/15 | 36 | - core: type confusion issue in phpinfo(). CVE-2014-4721 - date: fix heap-based buffer over-read in DateInterval. CVE-2013-6712 - core: fix heap-based buffer overflow in DNS TXT record parsing. CVE-2014-4049 - core: unserialize() SPL ArrayObject / SPLObjectStorage type confusion flaw. CVE-2014-3515 |
2014/07/01 | 35 | - fileinfo: out-of-bounds memory access in fileinfo. CVE-2014-2270 - fileinfo: unrestricted recursion in handling of indirect type rules. CVE-2014-1943 - fileinfo: out of bounds read in CDF parser. CVE-2012-1571 - fileinfo: cdf_check_stream_offset boundary check. CVE-2014-3479 - fileinfo: cdf_count_chain insufficient boundary check. CVE-2014-3480 |
2014/06/13 | 34 | - fileinfo: cdf_unpack_summary_info() excessive looping DoS. CVE-2014-0237 - fileinfo: CDF property info parsing nelements infinite loop. CVE-2014-0238 |
2014/06/04 | 33 | - add php_get_module_initialized internal function (#1053301) |
2014/05/27 | 31 | - soap: fix RFC2616 transgression (#1045019) - fix static calling in non-static method (#953786) - fix autoload called from closing session (#954027) |
2014/05/12 | 29 | - drop unneeded part of CVE-2006-724.patch and fileinfo.patch extension not provided or git binary patches (#1064027) - odbc: fix incompatible pointer type (#1053982) - mysqli: fix possible segfault in mysqli_stmt::bind_result php bug 66762 (#1069167) - mysql: fix php_mysql_fetch_hash writes long value into int php bug 52636 (#1054953) |
2013/12/05 | 27 | - add security fix for CVE-2013-6420 |
2013/08/19 | 26 | - add security fix for CVE-2013-4248 |
2013/07/26 | 25 | - rename patch to math CVE-2010-3709 name - add security fixes for CVE-2006-7243, CVE-2013-1643 |
2013/07/22 | 24 | - fix buffer overflow in _pdo_pgsql_error (#969110) - fix double free when destroy_zend_class fails (#910466) - fix segfault in error_handler with allow_call_time_pass_reference = Off (#892158) - fix copy doesn't report failure on partial copy (#947428) - add rpm macros for packagers: %php_inidir, %php_incldir and %__php (#953814) |
2013/07/12 | 23 | - add security fix for CVE-2013-4113 |
2012/11/29 | 22 | - php-xml provides php-xmlreader and php-xmlwriter (#874987) - fix possible NULL derefence and buffer overflow (#879179) - fix zend garbage collector (#848186, #868375) |
2012/10/23 | 21 | - fix CVE reference in previous changelog entry |
2012/10/19 | 20 | - remove reproducer from security fix for CVE-2012-0781 |
2012/10/18 | 19 | - add FastCGI Process Manager (php-fpm) SAPI (#806132, #824293) |
2012/10/17 | 18 | - php script hangs when it exceeds max_execution_time when inside an ODBC call (#864951) |
2012/10/16 | 17 | - add security fixes for CVE-2012-2688, CVE-2012-0831, CVE-2011-1398 |
2012/10/09 | 16 | - fix stream support in fileinfo (#858653) - fix imap_open DISABLE_AUTHENTICATOR param ignores array (#859371) |
2012/10/04 | 15 | - fix permission on source files (#676364) - fix negative keys with var_export (#771738) - fix setDate when DateTime created from timestamp (#812819) - add php(language) and missing provides (#837042) - use arch-specific requires (#833545) - fix possible buffer overflow in pdo_odbc (#836264) - fix possible segfault in pdo_mysql (#824199) |
2012/06/25 | 14 | - add security fix for CVE-2010-2950 |
2012/06/13 | 13 | - fix tests for CVE-2012-2143, CVE-2012-0789 |
2012/06/12 | 12 | - add fix for CVE-2012-2336 |
2012/06/11 | 11 | - add security fixes for CVE-2012-0781, CVE-2011-4153, CVE-2012-0057, CVE-2012-0789, CVE-2012-1172, CVE-2012-2143, CVE-2012-2386 |
2012/05/03 | 9 | - correct detection of = in CVE-2012-1823 fix (#818607) |
2012/05/03 | 8 | - add security fix for CVE-2012-1823 (#818607) |
2012/02/02 | 7 | - add security fix for CVE-2012-0830 (#786744) |
2012/01/05 | 6 | - merge Joe's changes: - improve CVE-2011-1466 fix to cover CAL_GREGORIAN, CAL_JEWISH - add security fixes for CVE-2011-2483, CVE-2011-0708, CVE-2011-1148, CVE-2011-1466, CVE-2011-1468, CVE-2011-1469, CVE-2011-1470, CVE-2011-1471, CVE-2011-1938, and CVE-2011-2202 (#740732) |
2012/01/04 | 5 | - remove extra php.ini-prod/devel files caused by %patch -b |
2012/01/02 | 4 | - add security fixes for CVE-2011-4885, CVE-2011-4566 (#769755) |
2011/01/21 | 3 | - add security fixes for CVE-2010-4645, CVE-2010-4156 (#670439) |
2011/01/14 | 2 | - fix transposed memset arguments in libzip |
2011/01/12 | 1 | - update to 5.3.3 (#645591) - add security fixes for CVE-2010-3709, CVE-2010-3710, CVE-2010-3870, CVE-2009-5016 (#651953) - prevent extract() cloberring $GLOBALS (#655118) - ensure correct mysql_config is used in biarch builds |