- added a cache to speedup cloning of software (bnc#391770) - 2.16.19 - fix for cloning the software section (bnc#391770) - 2.16.18 - UI endless loop fixed - 2.16.17 - added categories Settings and System into desktop file (bnc #382778) - moved the execution of the pxe section far to the end of stage1 (bnc#390107) - 2.16.16 - ask_on_error for add-on documented - forceboot option added to general section - 2.16.15 - Export for <mode> fixed - add autoyast2-installation to the package list - 2.16.14 - 2.16.13 - adapted to the new callback registration scheme (fate#302296) - "encryption switch" fixed when opening an encrypted profile - merged texts from proofread - XML profile on USB devices can make yast to hang when the profile can not be found by autoyast (bnc#366550) - back button for ask dialogs added (fate #303397) - logging of "ask" changed to y2debug - 2.16.12 - outdated migration chapter dropped - desktop files updated - 2.16.11 - added 'StartupNotify=true' to the desktop file (bnc #304964) - Adjusted to new API for disabled modules in ProductControl. - Adjusted RPM dependencies. - 2.16.10 - <device> autodetection for RAID added (bnc#367734) - 2.16.9 - <kernel> was not handled correctly (bnc#366553) - 2.16.8 - an ask script can influence the next dialog that is shown (fate #303398) - 2.16.7 - shell escape code fixed (#354671) - ShellEscape Code added - 2.16.6 - the "path" for an ask-question can be in a list now to change multiple elements in the profile - default for missing <element ..> fixed - Documentation update - 2.16.5 - rerun_on_error added to scripts execution to keep <ask> dialogs open until the answers passes the parsing of a script - added command line option to jump into a module (fate #5997) - experimental interactive scripts code added - Buildrequires fixed - 2.16.4 - endless loop in pre-script fixed (#351103) - 2.16.3 - profiles can be stored encrypted - documentation and UI enhancement for feature #301256 added - halt/reboot option added to general section (feature #301256) - reuse EVMS fixed (#335763) - "mountby" documentation fixed (#307124) - reset module in the autoyast UI did not work (#340517) - complete iSCSI support added (feature #302973) - relative path for autoyast scripts in the location element (second part of feature #302973) - relative path for autoyast profile (first part of feature #302973) - copy modified profile to the installed system too (#328837) - some hardware information for rules was not probed (#336339) - Some variables were moved from AutoinstStorage, AutoinstGeneral, and AutoinstSoftware to AutoinstData (yast2.rpm) to break cyclic dependencies. - Adjusted RPM dependencies. - 2.16.2 - API Call to Storage fixed (#335582) - 2.16.1 - partitioning documentation fixed - fetching profile from NFS fixed (#329791) - 2.16.0 - RNC file fixed (empty ask section allowed) - 2.15.17 - added LanUdevAuto::Import for networking udev configuration (#303916) - 2.15.16 - commandline options fixed (#269887) - 2.15.15 - Require nfs-kernel-server.rpm because nfs-utils.rpm got split (#286300). - suppress a warning - fix for the support of the new "keep install network" feature of 10.3 - 2.15.14 - no frame if no frametitle is defined in ask-questions - 2.15.13 - PDF dropped from documentation - helptext for ask-feature is the sum of the helptext of all elements now - 2.15.12 - initialize libstorage (#288690) - chrooted scripts execution fixed - resue partition bug (#284102) fixed - rounding LVs to pesize - 2.15.11 - fix for the reuse of LVM volumes - added command line interface for opening files - removed outdated translations from .desktop-files (#271209) - reactivate hardware detection during autoinstall - 2.15.10 - always remove the installation network - 2.15.9 - remove the installation network if there is no networking section in the profile - 2.15.8 - added UI for the <ask> section - added missing import - 2.15.7 - fix for EVMS creation (#266313) - document changed behaviour: where standard keys are missing in the global variables of the grub bootloader configuration in an autoyast profile, they will be added automatically now - 2.15.6 - clone partitions more conservative (#262535) - profiles that are modified by <ask> can have pre-scripts and other <ask> sections now - the <ask> feature can execute scripts now - iSCSI boot: boot parameter 'withiscsi=1' does not have any effect with autoyast installation (#253432) - 2.15.5 - removed DTD declaration from the newlycreated XML documents - multiple questions per dialog qith the <ask> feature - compatibility code to old profiles fixed - requires in spec file fixed - partition shrinking code fixed (space after shrink calculation was wrong) - 2.15.4 - "close small gap" code removed makes trouble on small harddisks - don't clone DELL utility partition (#247330) - auto-added boot partition code fixed (#246023) - schema file fixed (#187696) - allow empty partitioning section in RNC file - don't clone drives that contain no partitions with a mountpoint - signature-handling is less restrictive in a cloned profile (#248303) - the "ask" feature can not store the answer in a list (#247826) - don't turn off the mount point widget in the UI if create=false - 2.15.3 - use the partition_id configured in the profile when reusing partitions - shrinking code fixed and warning added if partitions don't fit on disk (#245072) - some more "close window" does not work (#240631) - accept_non_trusted_gpg_key parameter added to signature handling (#242087) - don't clone extended partitions of partition type 5 (#243063) - range oprator for rules fixed to include the borders of the range - popup added when the resolver run fails - packages that are required by yast modules and which are already installed, don't get installed again - some more "close window" was not catched situations fixed (#240631) - 2.15.2 - 2.15.1 - "close window" was not catched in some dialogs (#240631) - cursor isn't shown over the default module category in "yast autoyast" (#188267) - missing bootable partition in autoinst.xml on PPC fixed (#192342) - compatibility fix for storage lib - empty partition list allowed via RNC now - device guessing code enhanced - Image Code fixed - flamethrower support dropped - ayast_setup client added - dtd files dropped - profile can be on a USB device now (fate #300579) - old rnc files dropped - fixed removing of packages via autoyast UI (#232506) - fixes in the software selection UI (#231687, #232434) - XML check during saving fixed (#227634) - 2.15.0 - schema updates - DTD files dropped - rnc check disabled if jing is not installed (#214906) - 2.14.15 - 2.14.14 - schema check for cloning after manual installation turned off - logical Volume creation fixed (#220322) - schema files removed - 'remove-package' fixed (#183267) - 2.14.13 - turn off rnc check in stage cont - 2.14.12 - 2.14.11 - fix in the partitioning dialog - minor changes in the software cloning - support for selections dropped - autoyast2-utils dropped (use inst-server-utils instead) - 2.14.10 - Signature checks turned off in UI - dropped some useless code in autopart.ycp - 2.14.9 - compat fix for yast2-storage - proofreaded text - experimental imaging feature added - strict schema check in cloning and saving added - some schema updates - 2.14.8 - fix in partition edit dialog (#206681) - 2.14.7 - a resource can turn off the logging of it's data from the profile for security reasons (Bug #192605) - 'halt' documented and added to UI - schema fixes - reusing all 4 primaries fails (fixed) - order partitions alway by partition_nr - schema files updated - 2.14.6 - resize feature added (fate #301130) - reimport scripts after the ask dialog - minor documentation updates - the <ask> feature can store the answer in a file now - error handling for ftp access fixed - configure and install removed from the examples - "by-path" fixed for <device> configuration in partitioning (#200899) - partition sizes can be configured in % now - fix for "<remove-packages> are cloned now" - 2.14.5 - 2.14.4 - <remove-packages> are cloned now - reuse partitions in UI (#158855) - exclude partitions that are NOT supposed to be in the LVM/EVMS - scripts documentation fixed - device guessing code enhanced - typos fixed - 2.14.3 - 2.14.2 - don't call the add-on_auto client in 2nd stage (#188665) - signature-handling added to UI (#187696) - fixed the pattern selection dialog when a add-on product was configured before (#187568) - inst-source and autoyast profile can be on the same partition now - added a cache to speedup cloning of software (bnc#391770) - 2.16.19 - fix for cloning the software section (bnc#391770) - 2.16.18 - UI endless loop fixed - 2.16.17 - added categories Settings and System into desktop file (bnc #382778) - moved the execution of the pxe section far to the end of stage1 (bnc#390107) - 2.16.16 - ask_on_error for add-on documented - forceboot option added to general section - 2.16.15 - Export for <mode> fixed - add autoyast2-installation to the package list - 2.16.14 - 2.16.13 - adapted to the new callback registration scheme (fate#302296) - "encryption switch" fixed when opening an encrypted profile - merged texts from proofread - XML profile on USB devices can make yast to hang when the profile can not be found by autoyast (bnc#366550) - back button for ask dialogs added (fate #303397) - logging of "ask" changed to y2debug - 2.16.12 - outdated migration chapter dropped - desktop files updated - 2.16.11 - added 'StartupNotify=true' to the desktop file (bnc #304964) - Adjusted to new API for disabled modules in ProductControl. - Adjusted RPM dependencies. - 2.16.10 - <device> autodetection for RAID added (bnc#367734) - 2.16.9 - <kernel> was not handled correctly (bnc#366553) - 2.16.8 - an ask script can influence the next dialog that is shown (fate #303398) - 2.16.7 - shell escape code fixed (#354671) - ShellEscape Code added - 2.16.6 - the "path" for an ask-question can be in a list now to change multiple elements in the profile - default for missing <element ..> fixed - Documentation update - 2.16.5 - rerun_on_error added to scripts execution to keep <ask> dialogs open until the answers passes the parsing of a script - added command line option to jump into a module (fate #5997) - experimental interactive scripts code added - Buildrequires fixed - 2.16.4 - endless loop in pre-script fixed (#351103) - 2.16.3 - profiles can be stored encrypted - documentation and UI enhancement for feature #301256 added - halt/reboot option added to general section (feature #301256) - reuse EVMS fixed (#335763) - "mountby" documentation fixed (#307124) - reset module in the autoyast UI did not work (#340517) - complete iSCSI support added (feature #302973) - relative path for autoyast scripts in the location element (second part of feature #302973) - relative path for autoyast profile (first part of feature #302973) - copy modified profile to the installed system too (#328837) - some hardware information for rules was not probed (#336339) - Some variables were moved from AutoinstStorage, AutoinstGeneral, and AutoinstSoftware to AutoinstData (yast2.rpm) to break cyclic dependencies. - Adjusted RPM dependencies. - 2.16.2 - API Call to Storage fixed (#335582) - 2.16.1 - partitioning documentation fixed - fetching profile from NFS fixed (#329791) - 2.16.0 - RNC file fixed (empty ask section allowed) - 2.15.17 - added LanUdevAuto::Import for networking udev configuration (#303916) - 2.15.16 - commandline options fixed (#269887) - 2.15.15 - Require nfs-kernel-server.rpm because nfs-utils.rpm got split (#286300). - suppress a warning - fix for the support of the new "keep install network" feature of 10.3 - 2.15.14 - no frame if no frametitle is defined in ask-questions - 2.15.13 - PDF dropped from documentation - helptext for ask-feature is the sum of the helptext of all elements now - 2.15.12 - initialize libstorage (#288690) - chrooted scripts execution fixed - resue partition bug (#284102) fixed - rounding LVs to pesize - 2.15.11 - fix for the reuse of LVM volumes - added command line interface for opening files - removed outdated translations from .desktop-files (#271209) - reactivate hardware detection during autoinstall - 2.15.10 - always remove the installation network - 2.15.9 - remove the installation network if there is no networking section in the profile - 2.15.8 - added UI for the <ask> section - added missing import - 2.15.7 - fix for EVMS creation (#266313) - document changed behaviour: where standard keys are missing in the global variables of the grub bootloader configuration in an autoyast profile, they will be added automatically now - 2.15.6 - clone partitions more conservative (#262535) - profiles that are modified by <ask> can have pre-scripts and other <ask> sections now - the <ask> feature can execute scripts now - iSCSI boot: boot parameter 'withiscsi=1' does not have any effect with autoyast installation (#253432) - 2.15.5 - removed DTD declaration from the newlycreated XML documents - multiple questions per dialog qith the <ask> feature - compatibility code to old profiles fixed - requires in spec file fixed - partition shrinking code fixed (space after shrink calculation was wrong) - 2.15.4 - "close small gap" code removed makes trouble on small harddisks - don't clone DELL utility partition (#247330) - auto-added boot partition code fixed (#246023) - schema file fixed (#187696) - allow empty partitioning section in RNC file - don't clone drives that contain no partitions with a mountpoint - signature-handling is less restrictive in a cloned profile (#248303) - the "ask" feature can not store the answer in a list (#247826) - don't turn off the mount point widget in the UI if create=false - 2.15.3 - use the partition_id configured in the profile when reusing partitions - shrinking code fixed and warning added if partitions don't fit on disk (#245072) - some more "close window" does not work (#240631) - accept_non_trusted_gpg_key parameter added to signature handling (#242087) - don't clone extended partitions of partition type 5 (#243063) - range oprator for rules fixed to include the borders of the range - popup added when the resolver run fails - packages that are required by yast modules and which are already installed, don't get installed again - some more "close window" was not catched situations fixed (#240631) - 2.15.2 - 2.15.1 - "close window" was not catched in some dialogs (#240631) - cursor isn't shown over the default module category in "yast autoyast" (#188267) - missing bootable partition in autoinst.xml on PPC fixed (#192342) - compatibility fix for storage lib - empty partition list allowed via RNC now - device guessing code enhanced - Image Code fixed - flamethrower support dropped - ayast_setup client added - dtd files dropped - profile can be on a USB device now (fate #300579) - old rnc files dropped - fixed removing of packages via autoyast UI (#232506) - fixes in the software selection UI (#231687, #232434) - XML check during saving fixed (#227634) - 2.15.0 - schema updates - DTD files dropped - rnc check disabled if jing is not installed (#214906) - 2.14.15 - 2.14.14 - schema check for cloning after manual installation turned off - logical Volume creation fixed (#220322) - schema files removed - 'remove-package' fixed (#183267) - 2.14.13 - turn off rnc check in stage cont - 2.14.12 - 2.14.11 - fix in the partitioning dialog - minor changes in the software cloning - support for selections dropped - autoyast2-utils dropped (use inst-server-utils instead) - 2.14.10 - Signature checks turned off in UI - dropped some useless code in autopart.ycp - 2.14.9 - compat fix for yast2-storage - proofreaded text - experimental imaging feature added - strict schema check in cloning and saving added - some schema updates - 2.14.8 - fix in partition edit dialog (#206681) - 2.14.7 - a resource can turn off the logging of it's data from the profile for security reasons (Bug #192605) - 'halt' documented and added to UI - schema fixes - reusing all 4 primaries fails (fixed) - order partitions alway by partition_nr - schema files updated - 2.14.6 - resize feature added (fate #301130) - reimport scripts after the ask dialog - minor documentation updates - the <ask> feature can store the answer in a file now - error handling for ftp access fixed - configure and install removed from the examples - "by-path" fixed for <device> configuration in partitioning (#200899) - partition sizes can be configured in % now - fix for "<remove-packages> are cloned now" - 2.14.5 - 2.14.4 - <remove-packages> are cloned now - reuse partitions in UI (#158855) - exclude partitions that are NOT supposed to be in the LVM/EVMS - scripts documentation fixed - device guessing code enhanced - typos fixed - 2.14.3 - 2.14.2 - don't call the add-on_auto client in 2nd stage (#188665) - signature-handling added to UI (#187696) - fixed the pattern selection dialog when a add-on product was configured before (#187568) - inst-source and autoyast profile can be on the same partition now - added a cache to speedup cloning of software (bnc#391770) - 2.16.19 - fix for cloning the software section (bnc#391770) - 2.16.18 - UI endless loop fixed - 2.16.17 - added categories Settings and System into desktop file (bnc #382778) - moved the execution of the pxe section far to the end of stage1 (bnc#390107) - 2.16.16 - ask_on_error for add-on documented - forceboot option added to general section - 2.16.15 - Export for <mode> fixed - add autoyast2-installation to the package list - 2.16.14 - 2.16.13 - adapted to the new callback registration scheme (fate#302296) - "encryption switch" fixed when opening an encrypted profile - merged texts from proofread - XML profile on USB devices can make yast to hang when the profile can not be found by autoyast (bnc#366550) - back button for ask dialogs added (fate #303397) - logging of "ask" changed to y2debug - 2.16.12 - outdated migration chapter dropped - desktop files updated - 2.16.11 - added 'StartupNotify=true' to the desktop file (bnc #304964) - Adjusted to new API for disabled modules in ProductControl. - Adjusted RPM dependencies. - 2.16.10 - <device> autodetection for RAID added (bnc#367734) - 2.16.9 - <kernel> was not handled correctly (bnc#366553) - 2.16.8 - an ask script can influence the next dialog that is shown (fate #303398) - 2.16.7 - shell escape code fixed (#354671) - ShellEscape Code added - 2.16.6 - the "path" for an ask-question can be in a list now to change multiple elements in the profile - default for missing <element ..> fixed - Documentation update - 2.16.5 - rerun_on_error added to scripts execution to keep <ask> dialogs open until the answers passes the parsing of a script - added command line option to jump into a module (fate #5997) - experimental interactive scripts code added - Buildrequires fixed - 2.16.4 - endless loop in pre-script fixed (#351103) - 2.16.3 - profiles can be stored encrypted - documentation and UI enhancement for feature #301256 added - halt/reboot option added to general section (feature #301256) - reuse EVMS fixed (#335763) - "mountby" documentation fixed (#307124) - reset module in the autoyast UI did not work (#340517) - complete iSCSI support added (feature #302973) - relative path for autoyast scripts in the location element (second part of feature #302973) - relative path for autoyast profile (first part of feature #302973) - copy modified profile to the installed system too (#328837) - some hardware information for rules was not probed (#336339) - Some variables were moved from AutoinstStorage, AutoinstGeneral, and AutoinstSoftware to AutoinstData (yast2.rpm) to break cyclic dependencies. - Adjusted RPM dependencies. - 2.16.2 - API Call to Storage fixed (#335582) - 2.16.1 - partitioning documentation fixed - fetching profile from NFS fixed (#329791) - 2.16.0 - RNC file fixed (empty ask section allowed) - 2.15.17 - added LanUdevAuto::Import for networking udev configuration (#303916) - 2.15.16 - commandline options fixed (#269887) - 2.15.15 - Require nfs-kernel-server.rpm because nfs-utils.rpm got split (#286300). - suppress a warning - fix for the support of the new "keep install network" feature of 10.3 - 2.15.14 - no frame if no frametitle is defined in ask-questions - 2.15.13 - PDF dropped from documentation - helptext for ask-feature is the sum of the helptext of all elements now - 2.15.12 - initialize libstorage (#288690) - chrooted scripts execution fixed - resue partition bug (#284102) fixed - rounding LVs to pesize - 2.15.11 - fix for the reuse of LVM volumes - added command line interface for opening files - removed outdated translations from .desktop-files (#271209) - reactivate hardware detection during autoinstall - 2.15.10 - always remove the installation network - 2.15.9 - remove the installation network if there is no networking section in the profile - 2.15.8 - added UI for the <ask> section - added missing import - 2.15.7 - fix for EVMS creation (#266313) - document changed behaviour: where standard keys are missing in the global variables of the grub bootloader configuration in an autoyast profile, they will be added automatically now - 2.15.6 - clone partitions more conservative (#262535) - profiles that are modified by <ask> can have pre-scripts and other <ask> sections now - the <ask> feature can execute scripts now - iSCSI boot: boot parameter 'withiscsi=1' does not have any effect with autoyast installation (#253432) - 2.15.5 - removed DTD declaration from the newlycreated XML documents - multiple questions per dialog qith the <ask> feature - compatibility code to old profiles fixed - requires in spec file fixed - partition shrinking code fixed (space after shrink calculation was wrong) - 2.15.4 - "close small gap" code removed makes trouble on small harddisks - don't clone DELL utility partition (#247330) - auto-added boot partition code fixed (#246023) - schema file fixed (#187696) - allow empty partitioning section in RNC file - don't clone drives that contain no partitions with a mountpoint - signature-handling is less restrictive in a cloned profile (#248303) - the "ask" feature can not store the answer in a list (#247826) - don't turn off the mount point widget in the UI if create=false - 2.15.3 - use the partition_id configured in the profile when reusing partitions - shrinking code fixed and warning added if partitions don't fit on disk (#245072) - some more "close window" does not work (#240631) - accept_non_trusted_gpg_key parameter added to signature handling (#242087) - don't clone extended partitions of partition type 5 (#243063) - range oprator for rules fixed to include the borders of the range - popup added when the resolver run fails - packages that are required by yast modules and which are already installed, don't get installed again - some more "close window" was not catched situations fixed (#240631) - 2.15.2 - 2.15.1 - "close window" was not catched in some dialogs (#240631) - cursor isn't shown over the default module category in "yast autoyast" (#188267) - missing bootable partition in autoinst.xml on PPC fixed (#192342) - compatibility fix for storage lib - empty partition list allowed via RNC now - device guessing code enhanced - Image Code fixed - flamethrower support dropped - ayast_setup client added - dtd files dropped - profile can be on a USB device now (fate #300579) - old rnc files dropped - fixed removing of packages via autoyast UI (#232506) - fixes in the software selection UI (#231687, #232434) - XML check during saving fixed (#227634) - 2.15.0 - schema updates - DTD files dropped - rnc check disabled if jing is not installed (#214906) - 2.14.15 - 2.14.14 - schema check for cloning after manual installation turned off - logical Volume creation fixed (#220322) - schema files removed - 'remove-package' fixed (#183267) - 2.14.13 - turn off rnc check in stage cont - 2.14.12 - 2.14.11 - fix in the partitioning dialog - minor changes in the software cloning - support for selections dropped - autoyast2-utils dropped (use inst-server-utils instead) - 2.14.10 - Signature checks turned off in UI - dropped some useless code in autopart.ycp - 2.14.9 - compat fix for yast2-storage - proofreaded text - experimental imaging feature added - strict schema check in cloning and saving added - some schema updates - 2.14.8 - fix in partition edit dialog (#206681) - 2.14.7 - a resource can turn off the logging of it's data from the profile for security reasons (Bug #192605) - 'halt' documented and added to UI - schema fixes - reusing all 4 primaries fails (fixed) - order partitions alway by partition_nr - schema files updated - 2.14.6 - resize feature added (fate #301130) - reimport scripts after the ask dialog - minor documentation updates - the <ask> feature can store the answer in a file now - error handling for ftp access fixed - configure and install removed from the examples - "by-path" fixed for <device> configuration in partitioning (#200899) - partition sizes can be configured in % now - fix for "<remove-packages> are cloned now" - 2.14.5 - 2.14.4 - <remove-packages> are cloned now - reuse partitions in UI (#158855) - exclude partitions that are NOT supposed to be in the LVM/EVMS - scripts documentation fixed - device guessing code enhanced - typos fixed - 2.14.3 - 2.14.2 - don't call the add-on_auto client in 2nd stage (#188665) - signature-handling added to UI (#187696) - fixed the pattern selection dialog when a add-on product was configured before (#187568) - inst-source and autoyast profile can be on the same partition now - fix CVE-2008-2667: Use mysql_set_character_set() instead of SET NAMES. This fixes a SQL injection possibility with MySQL databases that use non-Latin character sets. Patch: courier-authlib-0.60.2-authmysqllib.patch - Small changes to make rpmlint happier: * Rename keywords in init scripts * Prerequire /bin/rm - update to version 0.60.2 which o Portability fix for checking the highest available file descriptor o Fix typos o Use OPEN_MAX, instead of hardcoded - remove explicit requires for mysql-shared (library is required anyway) - update to version 0.59.3 which includes: o CRAM authentication in vchpw module o bug fixes o updated man pages - Add procps BuildRequires due to interesting configure checks - Add gdbm-devel BuildRequires - update to version 0.59.1 which o fix some bugs o Make the spec a little prettier o Change distro-detection to use "rh" and "fc" for version detection, and add support for mandriva o Added the -f option to makeuserdb o Try to recover when the LDAP server closes the persistent socket, for inactivity - fix Bug 204834 - missing rccourier-authdaemon symlink - Add mysql, pipe, pgsql sub-packages - fix CVE-2008-2667: Use mysql_set_character_set() instead of SET NAMES. This fixes a SQL injection possibility with MySQL databases that use non-Latin character sets. Patch: courier-authlib-0.60.2-authmysqllib.patch - Small changes to make rpmlint happier: * Rename keywords in init scripts * Prerequire /bin/rm - update to version 0.60.2 which o Portability fix for checking the highest available file descriptor o Fix typos o Use OPEN_MAX, instead of hardcoded - remove explicit requires for mysql-shared (library is required anyway) - update to version 0.59.3 which includes: o CRAM authentication in vchpw module o bug fixes o updated man pages - Add procps BuildRequires due to interesting configure checks - Add gdbm-devel BuildRequires - update to version 0.59.1 which o fix some bugs o Make the spec a little prettier o Change distro-detection to use "rh" and "fc" for version detection, and add support for mandriva o Added the -f option to makeuserdb o Try to recover when the LDAP server closes the persistent socket, for inactivity - fix Bug 204834 - missing rccourier-authdaemon symlink - Add mysql, pipe, pgsql sub-packages - fix CVE-2008-2667: Use mysql_set_character_set() instead of SET NAMES. This fixes a SQL injection possibility with MySQL databases that use non-Latin character sets. Patch: courier-authlib-0.60.2-authmysqllib.patch - Small changes to make rpmlint happier: * Rename keywords in init scripts * Prerequire /bin/rm - update to version 0.60.2 which o Portability fix for checking the highest available file descriptor o Fix typos o Use OPEN_MAX, instead of hardcoded - remove explicit requires for mysql-shared (library is required anyway) - update to version 0.59.3 which includes: o CRAM authentication in vchpw module o bug fixes o updated man pages - Add procps BuildRequires due to interesting configure checks - Add gdbm-devel BuildRequires - update to version 0.59.1 which o fix some bugs o Make the spec a little prettier o Change distro-detection to use "rh" and "fc" for version detection, and add support for mandriva o Added the -f option to makeuserdb o Try to recover when the LDAP server closes the persistent socket, for inactivity - fix Bug 204834 - missing rccourier-authdaemon symlink - Add mysql, pipe, pgsql sub-packages - fix CVE-2008-2667: Use mysql_set_character_set() instead of SET NAMES. This fixes a SQL injection possibility with MySQL databases that use non-Latin character sets. Patch: courier-authlib-0.60.2-authmysqllib.patch - Small changes to make rpmlint happier: * Rename keywords in init scripts * Prerequire /bin/rm - update to version 0.60.2 which o Portability fix for checking the highest available file descriptor o Fix typos o Use OPEN_MAX, instead of hardcoded - remove explicit requires for mysql-shared (library is required anyway) - update to version 0.59.3 which includes: o CRAM authentication in vchpw module o bug fixes o updated man pages - Add procps BuildRequires due to interesting configure checks - Add gdbm-devel BuildRequires - update to version 0.59.1 which o fix some bugs o Make the spec a little prettier o Change distro-detection to use "rh" and "fc" for version detection, and add support for mandriva o Added the -f option to makeuserdb o Try to recover when the LDAP server closes the persistent socket, for inactivity - fix Bug 204834 - missing rccourier-authdaemon symlink - Add mysql, pipe, pgsql sub-packages - fix CVE-2008-2667: Use mysql_set_character_set() instead of SET NAMES. This fixes a SQL injection possibility with MySQL databases that use non-Latin character sets. Patch: courier-authlib-0.60.2-authmysqllib.patch - Small changes to make rpmlint happier: * Rename keywords in init scripts * Prerequire /bin/rm - update to version 0.60.2 which o Portability fix for checking the highest available file descriptor o Fix typos o Use OPEN_MAX, instead of hardcoded - remove explicit requires for mysql-shared (library is required anyway) - update to version 0.59.3 which includes: o CRAM authentication in vchpw module o bug fixes o updated man pages - Add procps BuildRequires due to interesting configure checks - Add gdbm-devel BuildRequires - update to version 0.59.1 which o fix some bugs o Make the spec a little prettier o Change distro-detection to use "rh" and "fc" for version detection, and add support for mandriva o Added the -f option to makeuserdb o Try to recover when the LDAP server closes the persistent socket, for inactivity - fix Bug 204834 - missing rccourier-authdaemon symlink - Add mysql, pipe, pgsql sub-packages - fix CVE-2008-2667: Use mysql_set_character_set() instead of SET NAMES. This fixes a SQL injection possibility with MySQL databases that use non-Latin character sets. Patch: courier-authlib-0.60.2-authmysqllib.patch - Small changes to make rpmlint happier: * Rename keywords in init scripts * Prerequire /bin/rm - update to version 0.60.2 which o Portability fix for checking the highest available file descriptor o Fix typos o Use OPEN_MAX, instead of hardcoded - remove explicit requires for mysql-shared (library is required anyway) - update to version 0.59.3 which includes: o CRAM authentication in vchpw module o bug fixes o updated man pages - Add procps BuildRequires due to interesting configure checks - Add gdbm-devel BuildRequires - update to version 0.59.1 which o fix some bugs o Make the spec a little prettier o Change distro-detection to use "rh" and "fc" for version detection, and add support for mandriva o Added the -f option to makeuserdb o Try to recover when the LDAP server closes the persistent socket, for inactivity - fix Bug 204834 - missing rccourier-authdaemon symlink - Add mysql, pipe, pgsql sub-packages - fix CVE-2008-2667: Use mysql_set_character_set() instead of SET NAMES. This fixes a SQL injection possibility with MySQL databases that use non-Latin character sets. Patch: courier-authlib-0.60.2-authmysqllib.patch - Small changes to make rpmlint happier: * Rename keywords in init scripts * Prerequire /bin/rm - update to version 0.60.2 which o Portability fix for checking the highest available file descriptor o Fix typos o Use OPEN_MAX, instead of hardcoded - remove explicit requires for mysql-shared (library is required anyway) - update to version 0.59.3 which includes: o CRAM authentication in vchpw module o bug fixes o updated man pages - Add procps BuildRequires due to interesting configure checks - Add gdbm-devel BuildRequires - update to version 0.59.1 which o fix some bugs o Make the spec a little prettier o Change distro-detection to use "rh" and "fc" for version detection, and add support for mandriva o Added the -f option to makeuserdb o Try to recover when the LDAP server closes the persistent socket, for inactivity - fix Bug 204834 - missing rccourier-authdaemon symlink - Add mysql, pipe, pgsql sub-packages - fix CVE-2008-2667: Use mysql_set_character_set() instead of SET NAMES. This fixes a SQL injection possibility with MySQL databases that use non-Latin character sets. Patch: courier-authlib-0.60.2-authmysqllib.patch - Small changes to make rpmlint happier: * Rename keywords in init scripts * Prerequire /bin/rm - update to version 0.60.2 which o Portability fix for checking the highest available file descriptor o Fix typos o Use OPEN_MAX, instead of hardcoded - remove explicit requires for mysql-shared (library is required anyway) - update to version 0.59.3 which includes: o CRAM authentication in vchpw module o bug fixes o updated man pages - Add procps BuildRequires due to interesting configure checks - Add gdbm-devel BuildRequires - update to version 0.59.1 which o fix some bugs o Make the spec a little prettier o Change distro-detection to use "rh" and "fc" for version detection, and add support for mandriva o Added the -f option to makeuserdb o Try to recover when the LDAP server closes the persistent socket, for inactivity - fix Bug 204834 - missing rccourier-authdaemon symlink - Add mysql, pipe, pgsql sub-packages - fix CVE-2008-2667: Use mysql_set_character_set() instead of SET NAMES. This fixes a SQL injection possibility with MySQL databases that use non-Latin character sets. Patch: courier-authlib-0.60.2-authmysqllib.patch - Small changes to make rpmlint happier: * Rename keywords in init scripts * Prerequire /bin/rm - update to version 0.60.2 which o Portability fix for checking the highest available file descriptor o Fix typos o Use OPEN_MAX, instead of hardcoded - remove explicit requires for mysql-shared (library is required anyway) - update to version 0.59.3 which includes: o CRAM authentication in vchpw module o bug fixes o updated man pages - Add procps BuildRequires due to interesting configure checks - Add gdbm-devel BuildRequires - update to version 0.59.1 which o fix some bugs o Make the spec a little prettier o Change distro-detection to use "rh" and "fc" for version detection, and add support for mandriva o Added the -f option to makeuserdb o Try to recover when the LDAP server closes the persistent socket, for inactivity - fix Bug 204834 - missing rccourier-authdaemon symlink - Add mysql, pipe, pgsql sub-packages - fix CVE-2008-2667: Use mysql_set_character_set() instead of SET NAMES. This fixes a SQL injection possibility with MySQL databases that use non-Latin character sets. Patch: courier-authlib-0.60.2-authmysqllib.patch - Small changes to make rpmlint happier: * Rename keywords in init scripts * Prerequire /bin/rm - update to version 0.60.2 which o Portability fix for checking the highest available file descriptor o Fix typos o Use OPEN_MAX, instead of hardcoded - remove explicit requires for mysql-shared (library is required anyway) - update to version 0.59.3 which includes: o CRAM authentication in vchpw module o bug fixes o updated man pages - Add procps BuildRequires due to interesting configure checks - Add gdbm-devel BuildRequires - update to version 0.59.1 which o fix some bugs o Make the spec a little prettier o Change distro-detection to use "rh" and "fc" for version detection, and add support for mandriva o Added the -f option to makeuserdb o Try to recover when the LDAP server closes the persistent socket, for inactivity - fix Bug 204834 - missing rccourier-authdaemon symlink - Add mysql, pipe, pgsql sub-packages - fix CVE-2008-2667: Use mysql_set_character_set() instead of SET NAMES. This fixes a SQL injection possibility with MySQL databases that use non-Latin character sets. Patch: courier-authlib-0.60.2-authmysqllib.patch - Small changes to make rpmlint happier: * Rename keywords in init scripts * Prerequire /bin/rm - update to version 0.60.2 which o Portability fix for checking the highest available file descriptor o Fix typos o Use OPEN_MAX, instead of hardcoded - remove explicit requires for mysql-shared (library is required anyway) - update to version 0.59.3 which includes: o CRAM authentication in vchpw module o bug fixes o updated man pages - Add procps BuildRequires due to interesting configure checks - Add gdbm-devel BuildRequires - update to version 0.59.1 which o fix some bugs o Make the spec a little prettier o Change distro-detection to use "rh" and "fc" for version detection, and add support for mandriva o Added the -f option to makeuserdb o Try to recover when the LDAP server closes the persistent socket, for inactivity - fix Bug 204834 - missing rccourier-authdaemon symlink - Add mysql, pipe, pgsql sub-packages - fix CVE-2008-2667: Use mysql_set_character_set() instead of SET NAMES. This fixes a SQL injection possibility with MySQL databases that use non-Latin character sets. Patch: courier-authlib-0.60.2-authmysqllib.patch - Small changes to make rpmlint happier: * Rename keywords in init scripts * Prerequire /bin/rm - update to version 0.60.2 which o Portability fix for checking the highest available file descriptor o Fix typos o Use OPEN_MAX, instead of hardcoded - remove explicit requires for mysql-shared (library is required anyway) - update to version 0.59.3 which includes: o CRAM authentication in vchpw module o bug fixes o updated man pages - Add procps BuildRequires due to interesting configure checks - Add gdbm-devel BuildRequires - update to version 0.59.1 which o fix some bugs o Make the spec a little prettier o Change distro-detection to use "rh" and "fc" for version detection, and add support for mandriva o Added the -f option to makeuserdb o Try to recover when the LDAP server closes the persistent socket, for inactivity - fix Bug 204834 - missing rccourier-authdaemon symlink - Add mysql, pipe, pgsql sub-packages - fix CVE-2008-2667: Use mysql_set_character_set() instead of SET NAMES. This fixes a SQL injection possibility with MySQL databases that use non-Latin character sets. Patch: courier-authlib-0.60.2-authmysqllib.patch - Small changes to make rpmlint happier: * Rename keywords in init scripts * Prerequire /bin/rm - update to version 0.60.2 which o Portability fix for checking the highest available file descriptor o Fix typos o Use OPEN_MAX, instead of hardcoded - remove explicit requires for mysql-shared (library is required anyway) - update to version 0.59.3 which includes: o CRAM authentication in vchpw module o bug fixes o updated man pages - Add procps BuildRequires due to interesting configure checks - Add gdbm-devel BuildRequires - update to version 0.59.1 which o fix some bugs o Make the spec a little prettier o Change distro-detection to use "rh" and "fc" for version detection, and add support for mandriva o Added the -f option to makeuserdb o Try to recover when the LDAP server closes the persistent socket, for inactivity - fix Bug 204834 - missing rccourier-authdaemon symlink - Add mysql, pipe, pgsql sub-packages - fix CVE-2008-2667: Use mysql_set_character_set() instead of SET NAMES. This fixes a SQL injection possibility with MySQL databases that use non-Latin character sets. Patch: courier-authlib-0.60.2-authmysqllib.patch - Small changes to make rpmlint happier: * Rename keywords in init scripts * Prerequire /bin/rm - update to version 0.60.2 which o Portability fix for checking the highest available file descriptor o Fix typos o Use OPEN_MAX, instead of hardcoded - remove explicit requires for mysql-shared (library is required anyway) - update to version 0.59.3 which includes: o CRAM authentication in vchpw module o bug fixes o updated man pages - Add procps BuildRequires due to interesting configure checks - Add gdbm-devel BuildRequires - update to version 0.59.1 which o fix some bugs o Make the spec a little prettier o Change distro-detection to use "rh" and "fc" for version detection, and add support for mandriva o Added the -f option to makeuserdb o Try to recover when the LDAP server closes the persistent socket, for inactivity - fix Bug 204834 - missing rccourier-authdaemon symlink - Add mysql, pipe, pgsql sub-packages - fix CVE-2008-2667: Use mysql_set_character_set() instead of SET NAMES. This fixes a SQL injection possibility with MySQL databases that use non-Latin character sets. Patch: courier-authlib-0.60.2-authmysqllib.patch - Small changes to make rpmlint happier: * Rename keywords in init scripts * Prerequire /bin/rm - update to version 0.60.2 which o Portability fix for checking the highest available file descriptor o Fix typos o Use OPEN_MAX, instead of hardcoded - remove explicit requires for mysql-shared (library is required anyway) - update to version 0.59.3 which includes: o CRAM authentication in vchpw module o bug fixes o updated man pages - Add procps BuildRequires due to interesting configure checks - Add gdbm-devel BuildRequires - update to version 0.59.1 which o fix some bugs o Make the spec a little prettier o Change distro-detection to use "rh" and "fc" for version detection, and add support for mandriva o Added the -f option to makeuserdb o Try to recover when the LDAP server closes the persistent socket, for inactivity - fix Bug 204834 - missing rccourier-authdaemon symlink - Add mysql, pipe, pgsql sub-packages - fix CVE-2008-2667: Use mysql_set_character_set() instead of SET NAMES. This fixes a SQL injection possibility with MySQL databases that use non-Latin character sets. Patch: courier-authlib-0.60.2-authmysqllib.patch - Small changes to make rpmlint happier: * Rename keywords in init scripts * Prerequire /bin/rm - update to version 0.60.2 which o Portability fix for checking the highest available file descriptor o Fix typos o Use OPEN_MAX, instead of hardcoded - remove explicit requires for mysql-shared (library is required anyway) - update to version 0.59.3 which includes: o CRAM authentication in vchpw module o bug fixes o updated man pages - Add procps BuildRequires due to interesting configure checks - Add gdbm-devel BuildRequires - update to version 0.59.1 which o fix some bugs o Make the spec a little prettier o Change distro-detection to use "rh" and "fc" for version detection, and add support for mandriva o Added the -f option to makeuserdb o Try to recover when the LDAP server closes the persistent socket, for inactivity - fix Bug 204834 - missing rccourier-authdaemon symlink - Add mysql, pipe, pgsql sub-packages - fix CVE-2008-2667: Use mysql_set_character_set() instead of SET NAMES. This fixes a SQL injection possibility with MySQL databases that use non-Latin character sets. Patch: courier-authlib-0.60.2-authmysqllib.patch - Small changes to make rpmlint happier: * Rename keywords in init scripts * Prerequire /bin/rm - update to version 0.60.2 which o Portability fix for checking the highest available file descriptor o Fix typos o Use OPEN_MAX, instead of hardcoded - remove explicit requires for mysql-shared (library is required anyway) - update to version 0.59.3 which includes: o CRAM authentication in vchpw module o bug fixes o updated man pages - Add procps BuildRequires due to interesting configure checks - Add gdbm-devel BuildRequires - update to version 0.59.1 which o fix some bugs o Make the spec a little prettier o Change distro-detection to use "rh" and "fc" for version detection, and add support for mandriva o Added the -f option to makeuserdb o Try to recover when the LDAP server closes the persistent socket, for inactivity - fix Bug 204834 - missing rccourier-authdaemon symlink - Add mysql, pipe, pgsql sub-packages - fix CVE-2008-2667: Use mysql_set_character_set() instead of SET NAMES. This fixes a SQL injection possibility with MySQL databases that use non-Latin character sets. Patch: courier-authlib-0.60.2-authmysqllib.patch - Small changes to make rpmlint happier: * Rename keywords in init scripts * Prerequire /bin/rm - update to version 0.60.2 which o Portability fix for checking the highest available file descriptor o Fix typos o Use OPEN_MAX, instead of hardcoded - remove explicit requires for mysql-shared (library is required anyway) - update to version 0.59.3 which includes: o CRAM authentication in vchpw module o bug fixes o updated man pages - Add procps BuildRequires due to interesting configure checks - Add gdbm-devel BuildRequires - update to version 0.59.1 which o fix some bugs o Make the spec a little prettier o Change distro-detection to use "rh" and "fc" for version detection, and add support for mandriva o Added the -f option to makeuserdb o Try to recover when the LDAP server closes the persistent socket, for inactivity - fix Bug 204834 - missing rccourier-authdaemon symlink - Add mysql, pipe, pgsql sub-packages - fix CVE-2008-2667: Use mysql_set_character_set() instead of SET NAMES. This fixes a SQL injection possibility with MySQL databases that use non-Latin character sets. Patch: courier-authlib-0.60.2-authmysqllib.patch - Small changes to make rpmlint happier: * Rename keywords in init scripts * Prerequire /bin/rm - update to version 0.60.2 which o Portability fix for checking the highest available file descriptor o Fix typos o Use OPEN_MAX, instead of hardcoded - remove explicit requires for mysql-shared (library is required anyway) - update to version 0.59.3 which includes: o CRAM authentication in vchpw module o bug fixes o updated man pages - Add procps BuildRequires due to interesting configure checks - Add gdbm-devel BuildRequires - update to version 0.59.1 which o fix some bugs o Make the spec a little prettier o Change distro-detection to use "rh" and "fc" for version detection, and add support for mandriva o Added the -f option to makeuserdb o Try to recover when the LDAP server closes the persistent socket, for inactivity - fix Bug 204834 - missing rccourier-authdaemon symlink - Add mysql, pipe, pgsql sub-packages - fix CVE-2008-2667: Use mysql_set_character_set() instead of SET NAMES. This fixes a SQL injection possibility with MySQL databases that use non-Latin character sets. Patch: courier-authlib-0.60.2-authmysqllib.patch - Small changes to make rpmlint happier: * Rename keywords in init scripts * Prerequire /bin/rm - update to version 0.60.2 which o Portability fix for checking the highest available file descriptor o Fix typos o Use OPEN_MAX, instead of hardcoded - remove explicit requires for mysql-shared (library is required anyway) - update to version 0.59.3 which includes: o CRAM authentication in vchpw module o bug fixes o updated man pages - Add procps BuildRequires due to interesting configure checks - Add gdbm-devel BuildRequires - update to version 0.59.1 which o fix some bugs o Make the spec a little prettier o Change distro-detection to use "rh" and "fc" for version detection, and add support for mandriva o Added the -f option to makeuserdb o Try to recover when the LDAP server closes the persistent socket, for inactivity - fix Bug 204834 - missing rccourier-authdaemon symlink - Add mysql, pipe, pgsql sub-packages - fix CVE-2008-2667: Use mysql_set_character_set() instead of SET NAMES. This fixes a SQL injection possibility with MySQL databases that use non-Latin character sets. Patch: courier-authlib-0.60.2-authmysqllib.patch - Small changes to make rpmlint happier: * Rename keywords in init scripts * Prerequire /bin/rm - update to version 0.60.2 which o Portability fix for checking the highest available file descriptor o Fix typos o Use OPEN_MAX, instead of hardcoded - remove explicit requires for mysql-shared (library is required anyway) - update to version 0.59.3 which includes: o CRAM authentication in vchpw module o bug fixes o updated man pages - Add procps BuildRequires due to interesting configure checks - Add gdbm-devel BuildRequires - update to version 0.59.1 which o fix some bugs o Make the spec a little prettier o Change distro-detection to use "rh" and "fc" for version detection, and add support for mandriva o Added the -f option to makeuserdb o Try to recover when the LDAP server closes the persistent socket, for inactivity - fix Bug 204834 - missing rccourier-authdaemon symlink - Add mysql, pipe, pgsql sub-packages - bfo-bug15222.diff (bfo #15222, bnc #374318) * CVE-2008-2360 - RENDER Extension heap buffer overflow * CVE-2008-2361 - RENDER Extension crash * CVE-2008-2362 - RENDER Extension memory corruption * CVE-2008-1379 - MIT-SHM arbitrary memory read * CVE-2008-1377 - RECORD and Security extensions memory corruption - xserver-mode-fuzzy-check.diff * Make mode checking more tolerant like in pre-RandR times. - fix-dpi-values.diff * fixes DPI values for RANDR 1.2 capable drivers (bnc #393001) - mention ZapWarning also in Xorg manual page (bnc #391352) - xorg-server-1.4-vnc-render_sig11.diff * fixed sig11 in RENDER code (bnc #385677) - disabled patch to disable RENDER support in Xvnc, since it broke 24bit color depth support (bnc #390011) - xorg-server-1.4-vnc-disable_render.diff * disabled RENDER support in Xvnc (bnc #385677) - events.diff * eating up key events before going into the idle loop upon vt switch instead of after return (bnc #152522) - xkb_action.diff * fixed remaining unitialized warning in X.Org (bnc #83910) - fbdevhw.diff * screen blanking not supported by vesafb of Linux kernel (bnc #146462) - no longer disable AIGLX by default - XAANoOffscreenPixmaps.diff * disable Offscreen Pixmaps by default (bnc #376068) - Fix another o-b-1 in pci domain support. - randr1_1-sig11.diff * fixes Xserver crash when running xrandr on a different virtual terminal (Egbert Eich, bnc #223459) - commit-37b1258.diff * possibly fixes unwanted autorepeat (bnc #377612, bfo #14811) - bitmap_always_unscaled.diff * Default bitmap fonts should typically be set as unscaled (libv) - update to Mesa bugfix release 7.0.3 (final) sources - update to Mesa bugfix release 7.0.3 RC3 sources - confine_to_shape.diff * fixes XGrabPointer's confine_to with shaped windows (bnc #62146) - zap_warning_xserver.diff * implements FATE #302988: ZapWarning (Luc Verhaegen) Uses PCSpeaker for beep. Press once, beep. Press again within 2s (which is ample), terminate. Documented in xorg.conf manpage. - make the memory corruption fix by schwab a seperate patch to make sure it won't get lost the next time I update the VNC patch - Fix vnc server memory corruption. - commit-a6a7fad.diff * Don't break grab and focus state for a window when redirecting it. (bnc #336219, bfo #488264) - update to Mesa bugfix release 7.0.3 RC2 sources * Fixed GLX indirect vertex array rendering bug (14197) * Fixed crash when deleting framebuffer objects (bugs 13507, 14293) * User-defined clip planes enabled for R300 (bug 9871) * Fixed glBindTexture() crash upon bad target (bug 14514) * Fixed potential crash in glDrawPixels(GL_DEPTH_COMPONENT) (bug 13915) * Bad strings given to glProgramStringARB() didn't generate GL_INVALID_OPERATION * Fixed minor point rasterization regression (bug 11016) - added Requires:xkeyboard-config to xorg-x11-server - commit-50e80c3.diff: * never overwrite realInputProc with enqueueInputProc (bnc#357989, bfo#13511) - only switch to radeon driver in %post if radeonold driver is no longer available (Bug #355009) - some more cleanup in %post - Move manpage to the sub package that provides the binary. - update to Mesa bugfix release 7.0.3 RC1 sources * Added missing glw.pc.in file to release tarball * Fix GLUT/Fortran issues * GLSL gl_FrontLightModelProduct.sceneColor variable wasn't defined * Fix crash upon GLSL variable array indexes (not yet supported) * Two-sided stencil test didn't work in software rendering * Fix two-sided lighting bugs/crashes (bug 13368) * GLSL gl_FrontFacing didn't work properly * glGetActiveUniform returned incorrect sizes (bug 13751) * Fix several bugs relating to uniforms and attributes in GLSL API (Bruce Merry, bug 13753) * glTexImage3D(GL_PROXY_TEXTURE_3D) mis-set teximage depth field - updated patch for CVE-2007-6429 once more (X.Org Bug #13520) * Always test for size+offset wrapping. - updated patch for CVE-2007-6429 (Bug #345131) * Don't spuriously reject <8bpp shm pixmaps. Move size validation after depth validation, and only validate size if the bpp of the pixmap format is > 8. If bpp < 8 then we're already protected from overflow by the width and height checks. - X.Org security update * CVE-2007-5760 - XFree86 Misc extension out of bounds array index * CVE-2007-6427 - Xinput extension memory corruption. * CVE-2007-6428 - TOG-cup extension memory corruption. * CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows. * CVE-2008-0006 - PCF Font parser buffer overflow. - xorg-server 1.4.0.90 (prerelease of 1.4.1) - pixman.diff * fixed include path for pixman.h - remove_bogus_modeline.diff * remove bogus monitor modelines provided by DDC (Bug #335540) - commit-184e571.diff * Adjust offsets of modes that do not fit virtual screen size. - commit-c6c284e.diff * Initialize Mode with 0 in xf86RandRModeConvert. - commit-f6401f9.diff * Don't segfault if referring to a relative output where no modes survived. - commit-f7dd0c7.diff * Only clear crtc of output if it is the one we're actually working on. - commit-fa19e84.diff * Fix initial placement of LeftOf and Above. - pixman.diff no longer required - s390(x): allow mfb build without Xorg server being built - commit-29e0e18.diff * Make config file preferred mode override monitor preferred mode. - commit-feac075.diff * Leave hardware-specified preferred modes alone when user preference exists. - obsoletes preferred_mode-fix.diff - added xorg-x11-fonts-core/xorg-x11 to Requires (Bug #341312) - ia64linuxPciInit: allocate extra space for fake devices. - updated to Mesa 7.0.2 (final) sources - updated to Mesa 7.0.2 RC1 sources - xorg-server-1.4-vnc-64bit.diff * fixes segfault on 64bit during Xserver start; make sure to define _XSERVER64 by having HAVE_DIX_CONFIG_H defined and therefore including dix-config.h, so Atom is CARD32 instead of unsigned long before and no longer messes up the pInfo structure in xf86rfbMouseInit/xf86rfbKeybInit - finally enabled build of xf4vnc (standalone Xvnc and VNC Xserver module) - updated xf4vnc patch; still disabled due to problematic vnc module - preferred_mode-fix.diff * more reasonable patch (Bug #329724) - preferred_mode-fix.diff * fixed endless loop if PreferredMode is set (Bug #329724) - removed obsolete patch p_pci-domain.diff (Bug #308693, comment #26) - apply p_pci-off-by-one.diff.ia64 on all platforms since it clearly only affects platforms, where INCLUDE_XF86_NO_DOMAIN is *not* set; this still not explains why we have seen Xserver hangups with the patch in place on at least some %ix86/x86_64 machines with fglrx/ nvidia driver IIRC; it needs to verified if this problem is still reproducable ... (Bug #308693, comment #25) - xserver-1.3.0-xkb-and-loathing.patch * Ignore (not just block) SIGALRM around calls to Popen()/Pclose(). Fixes a hang in openoffice when opening menus. (Bug #245711) - added missing ia64Pci.h; required for IA64 - recreated p_pci-off-by-one.diff.ia64; the default fuzz factor of patch (2) resulted in a hunk applied to the wrong function and therefore broke the build :-( - xorg-server 1.4 * Welcome to X.Org X Server 1.4, now with hotplugging input to go with the hotplugging output. Also included in this release are many performance and correctness fixes to the EXA acceleration architecture, support for DTrace profiling of the X Server, accelerated GLX_EXT_texture_from_pixmap with supporting DRI drivers, and many improvements to the RandR 1.2 support that was added in xorg-server-1.3. The X Server now relies on the pixman library, which replaces the fb/fbcompose.c and accelerated implementations that were previously shared through code-duplication with the cairo project. * obsolete patches: - bug-259290_trapfault.diff - cfb8-undefined.diff - commit-c09e68c - i810_dri_fix_freeze.diff - p_bug159532.diff - p_enable-altrix.diff - p_pci-ce-x.diff - p_pci-off-by-one.diff - p_xorg_rom_read.diff - randr12-2926cf1da7e4ed63573bfaecdd7e19beb3057d9b.diff - randr12-5b424b562eee863b11571de4cd0019cd9bc5b379.diff - randr12-aec0d06469a2fa7440fdd5ee03dc256a68704e77.diff - randr12-b2dcfbca2441ca8c561f86a78a76ab59ecbb40e4.diff - randr12-b4193a2eee80895c5641e77488df0e72a73a3d99.diff - remove__GLinterface.patch - support_mesa6.5.3.patch - use-composite-for-unequal-depths.patch - x86emu.diff - xephyr-sig11-fix.diff * adjusted patches: - 64bit.diff - bug-197858_dpms.diff - bug227111-ddc_screensize.diff - disable-root-xorg_conf.diff - fpic.diff - glx-align.patch - libdrm.diff - p_bug96328.diff - p_ia64-console.diff - p_vga-crashfix.diff - xephyr.diff - pixman.diff: * search for pixman instead of pixman-1 - bumped version to 7.3 - remove wrongly prebuilt xf1bpp files after extracting tarball; fixes vga module loading (Bug #328201) - do not use "make -j" to (quick)fix xf1bpp build - do not apply p_pci-domain.diff on IA64 - use updated off-by-one patch by schwab for IA64 - edit_data_sanity_check.diff: * added sanity check for monitor EDID data (Bug #326454) - reverted changes by schwab on Fri Sep 7; these resulted i a black screen during Xserver start with any driver on non-IA64 platforms - use-composite-for-unequal-depths.patch: * Use Composite when depths don't match (Bug #309107, X.Org Bug [#7447]) - Update off-by-one patch. - Remove empty patch. - fbdevhw.diff: * ignore pixclock set to 0 by Xen kernel (Bug #285523) - added several RANDR 1.2 fixes (Bug #306699) * randr12-2926cf1da7e4ed63573bfaecdd7e19beb3057d9b.diff Allocate the right number of entries for saving crtcs * randr12-5b424b562eee863b11571de4cd0019cd9bc5b379.diff Set the crtc before the output change is notified. Set the new randr crtc of the output before the output change notification is delivered to the clients. Remove RROutputSetCrtc as it is not really necessary. All we have to do is set the output's crtc on RRCrtcNotify * randr12-8d230319040f0a7f72231da2bf5ec97dc3612e21.diff Fix the output->crtc initialization in the old randr setup * randr12-aec0d06469a2fa7440fdd5ee03dc256a68704e77.diff Fix a crash when rotating the screen. Remember output->crtc before setting a NULL mode because RRCrtcNotify now sets output->crtc to NULL. Use the saved crtc to set the new mode. * randr12-b2dcfbca2441ca8c561f86a78a76ab59ecbb40e4.diff RRScanOldConfig cannot use RRFirstOutput before output is configured. RRFirstOutput returns the first active output, which won't be set until after RRScanOldConfig is finished running. Instead, just use the first output (which is the only output present with an old driver, after all). * randr12-b4193a2eee80895c5641e77488df0e72a73a3d99.diff RRScanOldConfig wasn't getting crtcs set correctly. The output crtc is set by RRCrtcNotify, which is called at the end of RRScanOldConfig. Several uses of output->crtc in this function were wrong. - i810_dri_fix_freeze.diff: * fixes freeze after pressing Ctrl-Alt-BS (X.Org Bug #10809) - xserver-mode-fuzzy-check.diff: * Fix for Xserver being more fuzzy about mode validation (Bug #270846) - disable AIGLX by default; without enabled Composite extension (still problematic on many drivers) it's rather useless anyway - updated xorg.conf manual page - fix fileconflict over doc/MAINTAINERS - build parallel - updated Mesa source to bugfix release 7.0.1 - xephyr-sig11-fix.diff: * long vs. CARD32 mismatch in KeySym definitions between client and server code - this patch seems to fix it (and the input rework in head fixed it as well in a different way) (Bug #235320) - fixed build on s390(x) - added X(7) and security(7) manual pages - updated Mesa source to final release 7.0 - updated Mesa source to release 7.0 RC1 * Mesa 7.0 is a stable, follow-on release to Mesa 6.5.3. The only difference is bug fixes. The major version number bump is due to OpenGL 2.1 API support. - simplified p_default-module-path.diff - disabled build of Xprt - moved Xdmx, Xephyr, Xnest and Xvfb to new subpackage xorg-x11-server-extra - commit-c09e68c: * Paper over a crash at exit during GLX teardown - updated to Mesa 6.5.3 sources - obsoletes the following patches: * bug-211314_mesa-destroy_buffers.diff * bug-211314_mesa-framebuffer-counting.diff * bug-211314-patch-1.diff * bug-211314-patch-2.diff * bug-211314-patch-3.diff * bug-211314-patch-4.diff * bug-211314-patch-5.diff * bug-211314-patch-6.diff * bug-211314-patch-7.diff * bug-211314-patch-8.diff * bug-211314-patch-9.diff * bug-211314-patch-10.diff * bug-211314-patch-11.diff * bug-211314_mesa-refcount-memleak-fixes.diff * Mesa-6.5.2-fix_radeon_cliprect.diff - remove__GLinterface.patch/ support_mesa6.5.3.patch * required Xserver changes for Mesa 6.5.3 - xorg-x11-server-1.2.99-unbreak-domain.patch: * This patch fixes some multi-domain systems such as Pegasos with xorg-server 1.3. Since pci-rework should get merged soon and this patch is a bit of a hack, it never got pushed upstream. (X.Org Bug #7248) - back to Mesa 6.5.2 (Bug #269155/269042) - Mesa update: 4th RC ready * This fixes some breakage in RC3. - Mesa update: 3rd release candidate * updated Windows/VC8 project files. - updated to Mesa 6.5.3rc2 sources * a number of bug fixes since the first RC - updated to Mesa 6.5.3rc1 sources - obsoletes the following patches: * bug-211314_mesa-destroy_buffers.diff * bug-211314_mesa-framebuffer-counting.diff * bug-211314-patch-1.diff * bug-211314-patch-2.diff * bug-211314-patch-3.diff * bug-211314-patch-4.diff * bug-211314-patch-5.diff * bug-211314-patch-6.diff * bug-211314-patch-7.diff * bug-211314-patch-8.diff * bug-211314-patch-9.diff * bug-211314-patch-10.diff * bug-211314-patch-11.diff * bug-211314_mesa-refcount-memleak-fixes.diff * Mesa-6.5.2-fix_radeon_cliprect.diff - GL-Mesa-6.5.3.diff: * adjusted GL subdir to Mesa 6.5.3rc1 - xserver 1.3.0.0 release * Syncmaster 226 monitor needs 60Hz refresh (#10545). * In AIGLX EnterVT processing, invoke driver EnterVT before resuming glx. * Disable CRTC when SetSingleMode has no matching mode. Update RandR as well. * Rotate screen size as needed from RandR 1.1 change requests. * Add quirk for Acer AL1706 monitor to force 60hz refresh. * RandR 1.2 spec says CRTC info contains screen-relative geometry * typo in built-in module log message * Use default screen monitor for one of the outputs. * Allow outputs to be explicitly enabled in config, overriding detect. * Was accidentally disabling rotation updates in mode set. * Disable SourceValidate in rotation to capture cursor. - Mesa-6.5.2-fix_radeon_cliprect.diff: * fixes X.Org Bug #9876 - bug-259290_trapfault.diff: * fixes crash caused by bug in XRender code (Bug #259290) - xserver 1.2.99.905 release: * CVE-2007-1003: XC-MISC Extension ProcXCMiscGetXIDList() Memory Corruption * X.Org Bug #10296: Fix timer rescheduling - obsoletes bug-243978_xcmisc.diff - xserver 1.2.99.904 release: * Don't erase current crtc for outputs on CloseScreen - bug-243978_xcmisc.diff: * mem corruption in ProcXCMiscGetXIDList (CVE-2007-1003, Bug #243978) - bug-211314_mesa-refcount-memleak-fixes.diff: * Fix for memleaks and refount bugs (Bug #211314) - p_default-module-path.diff: * only return /usr/%lib/xorg/modules in "-showDefaultModulePath" Xserver option (Bug #257360) - set Xserver version to 7.2.0 with configure option (Bugs #257360, #253702) - xserver 1.2.99.903 release: * Create driver-independent CRTC-based cursor layer. * Allow xf86_reload_cursors during server init. * Don't wedge when rotating more than one CRTC. * Correct ref counting of RRMode structures * Remove extra (and wrong) I2C ByteTimeout setting in DDC code. * Slow down DDC I2C bus using a RiseFallTime of 20us for old monitors. * Clean up Rotate state on server reset. * Clear allocated RandR screen private structure. * Clean up xf86CrtcRec and xf86OutputRec objects at CloseScreen. * Make sure RandR events are delivered from RRCrtcSet. * Fix Pending property API, adding RRPostPendingProperty. * Incorrect extra memory copy in RRChangeOutputProperty. * Ensure that crtc desired values track most recent mode. * Make pending properties force mode set. And, remove AttachScreen calls. * Set version to 1.2.99.903 (1.3 RC3) * fbdevhw: Consolidate modeset ioctl calling, report failure if it modifies mode. * fbdevhw: Fix some issues with the previous commit. * fbdevhw: Use displayWidth for fbdev virtual width when appropriate. * fbdevhw: Override RGB offsets and masks after setting initial mode. * fbdevhw: Consider mode set equal to mode requested if virtual width is larger. * fbdevhw: Only deal with RGB weight if default visual is True- or DirectColor. * Add per-drawable Xv colour key helper function. * Bump video driver ABI version to 1.2. - no longer apply bug-211314_mesa-context.diff, bug-211314_p_drawable_privclean.diff (Bug #211314, comment #114) - added different Mesa patches (Bug #211314, comments #114/#115) - Remove bug197190-ia64.diff, fix x86emu instead. - xserver 1.2.99.902 release: * Xprint: shorten font filename to fit in tar length limit * Move xf86SetSingleMode into X server from intel driver. * Add xf86SetDesiredModes to apply desired modes to crtcs. * Use EDID data to set screen physical size at server startup. * Allow relative positions to use output names or monitor identifiers. * Add xf86CrtcScreenInit to share initialization across drivers. * Add hw/xfree86/docs/README.modes, documenting new mode setting APIs. * Remove stale monitor data when output becomes disconnected. * Revert "Xprint includes a filename which is too long for tar." * Revert "Xext: Update device's lastx/lasty when sending a motion event with XTest." * Xext: Update device's lastx/lasty when sending a motion event with XTest. - xf86crtc_allowdual.diff no longer required; replaced by xrandr_12_newmode.diff in xrandr (xorg-x11 package) - bug197190-ia64.diff: * missing -DNO_LONG_LONG for IA64 (Bug #197190) - xf86crtc_allowdual.diff: * allows dualhead even when the second monitor is not yet connected during Xserver start - %post: replace "i810beta" with "intel" in existing xorg.conf - xserver 1.2.99.901 release: * RandR 1.2 * EXA damage track * minor fixes - use global permissions files for SUSE > 10.1 (Bug #246228) - improved bug-197858_dpms.diff to fix Xserver crash (Bug #197858) - bug-197858_dpms.diff: * finally fixed "X server wakes up on any ACPI event" issue (Bug #197858) - bug-211314_p_drawable_privclean.diff: * fixed for cleaning up pointers - fixed build - bug-211314_p_drawable_privclean.diff: * fixes Xserver crash in Mesa software rendering path (Bug #211314) - xserver 1.2.0 release * Bug #9219: Return BadMatch when trying to name the backing pixmap of an unrealized window. * Bug #9219: Use pWin->viewable instead of pWin->realized to catch InputOnly windows too. * Fix BSF and BSR instructions in the x86 emulator. * Bug #9555: Always define _GNU_SOURCE in glibc environments. * Bug #8991: Add glXGetDrawableAttributes dispatch; fix texture format therein. * Bump video and input ABI minors. * Fix release date. * Fix syntax error in configure check for SYSV_IPC that broke with Sun cc * Map missing keycodes for Sun Type 5 keyboard on Solaris SPARC * Update pci.ids to 2006-12-06 from pciids.sf.net * Xorg & Xserver man page updates for 1.2 release * xorg.conf man page should say "XFree86-DGA", not "Xorg-DGA" * Xserver man page: remove bc, add -wr * Update pci.ids to 2007-01-18 snapshot * Update Xserver man page to match commit ed33c7c98ad0c542e9e2dd6caa3f84879c21dd61 * Fix Tooltip from minimized clients * Fix Xming fails to use xkb bug * Fix bad commit * Set Int10Current->Tag for the linux native int10 module * added mipmap.c * configure.ac: prepare for 1.2.0 (X11R7.2) * sparc: don't include asm/kbio.h -- it no longer exists in current headers. * Minor typos in Xserver man page. * Fix several cases where optimized paths were hit when they shouldn't be. * Try dlsym(RTLD_DEFAULT) first when finding symbols. * Fix RENDER issues (bug #7555) and implement RENDER add/remove screen * For Xvfb, Xnest and Xprt, compile fbcmap.c with -DXFree86Server * Multiple integer overflows in dbe and render extensions * Require glproto >= 1.4.8 for GLX. * __glXDRIscreenProbe: Use drmOpen/CloseOnce. * xfree86/hurd: re-add missing keyboard support (bug #5613) * remove last remaning 'linux'isms (bug #5613) - obsoletes * Mesa-6.5.2.diff * xorg-server-1.1.99.901-GetDrawableAttributes.patch * int10-fix.diff * cve-2006-6101_6102_6103.diff - disabled build of VNC server/module - bug-211314_mesa-context.diff: * fixes Xserver crash in software rendering fallback (Bug #211314) - 0018-vnc-support.txt.diff * fixed unresolved symbols vncRandomBytes/deskey in VNC module (terminated Xserver when client connected) - bug227111-ddc_screensize.diff: * allow user overrides for monitor settings (Bug #227111) - loadmod-bug197195.diff: * check the complete path (Bug #197195) - added build of VNC support (0018-vnc-support.txt/ 0018-vnc-support.txt.diff); see 0018-vnc-support.txt.mbox for reference - cve-2006-6101_6102_6103.diff: * CVE-2006-6101 iDefense X.org ProcRenderAddGlyphs (Bug #225972) * CVE-2006-6102 iDefense X.org ProcDbeGetVisualInfo (Bug #225974) * CVE-2006-6103 iDefense X.org ProcDbeSwapBuffers (Bug #225975) - int10-fix.diff * Set Int10Current->Tag for the linux native int10 module (X.Org Bug #9296) * obsoletes p_initialize-pci-tag.diff - reverted latest change by schwab (Bug #197190, comment #67) - Fix off-by-one in pci multi-domain support [#229278]. - libdrm.diff: * no longer fail when some driver tries to load "drm" module - xorg-server-1.1.99.901-GetDrawableAttributes.patch: * hopefully fixes AIGLX issues (X.Org Bug #8991) - another 64bit warning fix - X.Org 7.2RC3 release * Add a -showDefaultModulePath option. * Add a -showDefaultLibPath option. * Add DIX_CFLAGS to util builds. * Fix release date, and tag 1.1.99.903 * make X server use system libdrm - this requires libdrm >= 2.3.0 * DRI: call drmSetServerInfo() before drmOpen(). * add extern to struct definition * fixup configure.ac problems with DRI_SOURCES and LBX_SOURCES * bump to 1.1.99.903 * remove CID support (bug #5553) * dri: setup libdrm hooks as early as possible. * Bug #8868: Remove drm from SUBDIRS now that the directory is gone. * Fix typo before the last commit. * Fix GL context destruction with AIGLX. * On DragonFLy, default to /dev/sysmouse (just like on FreeBSD). * ffs: handle 0 argument (bug #8968) * Bug #9023: Only check mice for "mouse" or "void" if identifier is != NULL. Fix potential NULL pointer access in timer code. - updated Mesa sources to 6.5.2 - xserver-timers.diff: * fix null pointer reference in timer code (Bug #223718) - p_pci-off-by-one.diff: * readded off by one fix, which has been dropped by accident (Bug #197190) - acpi_events.diff: * distinguish between general and input devices also for APM (Bug #197858) - removed /etc/X11/Xsession.d/92xprint-xpserverlist (Bug #220733) - mouse-fix.diff: * prevent driver from crashing when something different than "mouse" or "void" is specified; only check mice for "mouse" or "void" if identifier is != NULL. (X.Org Bug #9023) - X.Org 7.2RC2 release - adjusted p_enable-altrix.diff, p_pci-domain.diff - obsoletes p_pci-ia64.diff, xorg-xserver-ia64-int10.diff p_pci-legacy-mmap.diff - Changes in RC2 since RC1 Aaron Plattner: Fix standard VESA modes. Adam Jackson: Bug #6786: Use separate defines for server's Fixes support level. 'make dist' fixes. Fix distcheck. Include a forgotten ia64 header in the distball. Builds on ia64 now. configure.ac bump. Alan Coopersmith: Make sure xorgcfg files are included even when dist made with --disable-xorgcfg Use getisax() instead of asm code to determine available x86 ISA extensions on Solaris Pre-release message should tell users to check git, not CVS, for updates Fix automake error: BUILT_SOURCES was defined multiple times on Solaris Bug #1997: AUDIT messages should contain uid for local accesses If getpeerucred() is available, include pid & zoneid in audit messages too Make _POSIX_C_SOURCE hack work with Solaris headers Alan Hourihane: Small modification to blocking signals when switching modes. Bjorn Helgaas: Do not map full 0-1MB legacy range Bram Verweij: xfree86/linux acpi: fix tokenising Daniel Stone: GetTimeInMillis: spuport monotonic clock WaitForSomething: allow time to rewind Revert "WaitForSomething: allow time to rewind" Revert "GetTimeInMillis: spuport monotonic clock" add 'general socket' handler, port ACPI to use it WaitForSomething: allow time to rewind WaitForSomething: only rewind when delta is more than 250ms GetTimeInMillis: spuport monotonic clock GetTimeInMillis: simplify monotonic test GetTimeInMillis: use correct units for clock_gettime os: fix sun extensions test Eamon Walsh: Bug #8875: Security extension causes Xorg to core dump on server reset whitespace adjust More work on Bug #8875: revert previous fix and try using client argument Bug #8937: Extension setup functions not called on server resets Egbert Eich: Fixing mach64 driver bailing out on ia64 Make int10 fully domain aware. Erik Andren: remove XFree86 changelogs (bug #7262) Joshua Baergen: Create xorg.conf.example (Gentoo bug #138623). Laurence Withers: CreateColormap: fix return value (bug #7083) Matthias Hopf: Build with -D_PC on ix86 only. Added missing domain stripping in already domain aware code. Added linux 2.6 compatible domain aware device scanning code. Fixing domain support for ia64 Add domain support to linuxPciOpenFile(). Fix device path in altixPCI.c to be domain aware. Fix obviously wrong boundary checks + cleanup unused vars. Matthieu Herrb: kill GNU-make'ism. Handle building in a separate objdir Michel Dänzer: Fix __glXDRIbindTexImage() for 32 bpp on big endian platforms. Fix test for Option "IgnoreABI". Myron Stowe: xfree86: re-enable chipset-specific drivers for Linux/ia64 Rich Coe: CheckConnections: don't close down the server client (bug #7876) - p_ppc_domain_workaround.diff: * ugly workaround for still missing domain support on ppc (Bug #202133) - updated to snapshot of xserver-1.2-branch (soon to be released as X.Org 7.2RC2) * Make sure xorgcfg files are included even when dist made with --disable-xorgcfg * Small modification to blocking signals when switching modes. * Use getisax() instead of asm code to determine available x86 ISA extensions on Solaris * Pre-release message should tell users to check git, not CVS, for updates * Fix __glXDRIbindTexImage() for 32 bpp on big endian platforms. * Create xorg.conf.example (Gentoo bug #138623). * Fix test for Option "IgnoreABI". This option has plenty of potential for wasting the time of bug triagers without pretending it's always on. * kill GNU-make'ism. * Handle building in a separate objdir * Fix automake error: BUILT_SOURCES was defined multiple times on Solaris * Bug #1997: AUDIT messages should contain uid for local accesses * If getpeerucred() is available, include pid & zoneid in audit messages too - added /etc/modprobe.d/nvidia - xorg-xserver-ia64-int10.diff: * build int10 module with _PC only on %ix86 (Bug #197190) - added build of Xephyr; useful for debugging KDE apps (coolo) - cfb8-undefined.diff: * fixes warning for undefined behaviour - Own /etc/X11/Xsession.d directory. - Use /etc/X11/Xsession.d. - updated to X.Org 7.2RC1 - only disable AIGLX by default on SUSE <= 10.1 (Bug #197093) - no longer fake release version for fglrx driver (Bug #198125) - glx-align.patch: * reenabled -D__GLX_ALIGN64 on affected plaforms (X.Org Bug #8392) - Fixes to p_pci-domain.diff (Bug #197572) * internal domain number of by one (was supposed to be a cleanup, but other code dependet on this semantics) * fixed another long-standing of-by-1 error - p_enable-altrix.diff (Bug #197572) * This additional patch enables the build of the altrix detection routines, which have apparently not been included in Xorg 7.1 yet. This patch needs a autoreconf -fi after application. - updated to Mesa 6.5.1 - disable-fbblt-opt.diff: * Disable optimization (introduced by ajax) due to a general vesa driver crash later in memcpy (Bug #204324) - removed two source files with imcompatible license from Mesa tarball (Bug #204110) - added a check to specfile to make sure that these will not be reintroduced with the next Mesa update again (Bug #204110) - moved xf86Parser.h,xf86Optrec.h back to /usr/include/xorg, since SaX2 build issues have finally been resolved by making use of "-iquote /usr/include/xorg -I." - disable-root-xorg_conf.diff: * no longer consider to read /root/xorg.conf - only require xorg-x11-fonts-core ('fixed' + 'cursor' fonts) - fake release version for fglrx driver again, since using IgnoreABI does not help (the check for the ABI version is in the binary-only fglrx driver) - added Requires: xorg-x11-driver-{input,video} (Bug #202080) - ignore-abi.diff: * adds IgnoreABI option for xorg.conf (same as -ignoreABI) - remove .la files - no longer fake release version for fglrx driver; use the new IgnoreABI option instead! - PCI/IA64 Patches (Bug #197572): * apply new p_pci-domain.diff (mhopf) * apply new p_pci-ce-x.diff (mhopf) - PCI/IA64 Patches (Bug #197572): * removed p_mappciBIOS_complete.diff (already applied upstream) * apply p_pci-ia64.diff * apply p_pci-legacy-mmap.diff only for IA64 (as before) * disabled for now: - p_pci-domain.diff: still issues with it - p_pci-ce-x.diff: sits on top of p_pci-domain.diff - added PCI/IA64 patches, but disabled them for now (Bug #197572) - remove comp. symlinks in /usr/X11R6/bin for openSUSE >= 10.2 - fixed build for s390/s390x, e.g. use configure options --disable-install-libxf86config --disable-aiglx --disable-dri --disable-xorg - changed os-name to "openSUSE" instead of "Linux" before - fake release version for fglrx driver :-( - xinerama-sig11.diff: * prevents Xserver Sig11 with broken Xinerama config (Bug #135002) - moved /usr/%_lib/pkgconfig/xorg-server.pc to xorg-x11-server - added pkgconfig to Requires of xorg-x11-server - disable-aiglx.diff: * disabled AIGLX by default (related to Bug #197093); enable it with 'Option "AIGLX" "true"' in ServerFlags section of xorg.conf - enabled build of aiglx - patch font path also in xorg.conf when set to /usr/lib/X11/fonts/ or /usr/X11/lib/X11/fonts - patch xorg.conf in %post: * radeonold/radeon10b driver --> radeon driver - added "Requires: xorg-x11-fonts" to prevent issues like "could not open default font 'fixed'" for any Xserver - make sure that symlinks /usr/bin/X --> /var/X11R6/bin/X /var/X11R6/bin/X --> /usr/bin/Xorg are packaged. - p_xorg_acpi.diff: * fixed for archs which don't have HAVE_ACPI defined, e.g. ppc - p_xf86Mode.diff: * removes wrong warning (Bug #139510) - p_xorg_acpi.diff: * reconnect to acpid when acpid has been killed (Bug #148384) - p_xkills_wrong_client.diff: * This patch has unveiled two other problems. One is rather serious as there seems to be a non-zero possibility that the Xserver closes the wrong connection and this closes the wrong client when it looks for stale sockets of clients that have disappeared (eich, Bug #150869) - p_bug159532.diff: * X Clients can intentionally or unintenionally crash X11 by using composite on depth 4 pixmaps. This patch fixes this. (Bug #159532) - p_xnest-ignore-getimage-errors.diff: * ignores the X error on GetImage in Xnest (Bug #174228, X.Org Bug #4411) - p_initialize-pci-tag.diff: * initialize PCI tag correctly, which is used by an IA64 specific patch (see Bug #147261 for details); fixes Xserver crashes with fglrx driver - and possibly other drivers like vesa - during initial startup (!), VT switch and startup of second Xserver (SLED10 Blocker Bugs #180535, #170991, #158806) - p_ia64-console.diff: * fixes MCA after start of second Xserver (Bug #177011) - p_mouse_misc.diff: * fix X server crashes with synaptics driver (Bug #61702) - pu_fixes.diff * Fixes not yet in the official version - p_bug96328.diff: * fallback mouse device checking - p_vga-crashfix.diff: * fixes vga driver crash (#133989) - p_xorg_rom_read.diff * read rom in big chunks instead of byte-at-a-time (Bug #140811) - ps_showopts.diff * Xserver "-showopts" option to print available driver options (Bug #137374) - add /var/X11R6/bin directory for now (Bug #197188) - fix setup line - fixed fatal compiler warnings - always (and only) patch xorg.conf if necessary - update to xorg-server release 1.1.99.3 - use "-fno-strict-aliasing" - use $RPM_OPT_FLAGS - remove existing /usr/include/X11 symlink in %pre - install xf86Parser.h,xf86Optrec.h to /usr/include instead of /usr/include/xorg, so it is no longer necessary to specify "-I/usr/include/xorg" which resulted in including a wrong "shadow.h" (by X.Org) when building SaX2 (strange build error) - added permissions files - add compatibility symlink /usr/X11R6/bin/Xorg - p_ValidatePci.diff: * no longer call ValidatePci() to fix i810 driver issues (Bug #191987) - fixed build - bfo-bug15222.diff (bfo #15222, bnc #374318) * CVE-2008-2360 - RENDER Extension heap buffer overflow * CVE-2008-2361 - RENDER Extension crash * CVE-2008-2362 - RENDER Extension memory corruption * CVE-2008-1379 - MIT-SHM arbitrary memory read * CVE-2008-1377 - RECORD and Security extensions memory corruption - xserver-mode-fuzzy-check.diff * Make mode checking more tolerant like in pre-RandR times. - fix-dpi-values.diff * fixes DPI values for RANDR 1.2 capable drivers (bnc #393001) - mention ZapWarning also in Xorg manual page (bnc #391352) - xorg-server-1.4-vnc-render_sig11.diff * fixed sig11 in RENDER code (bnc #385677) - disabled patch to disable RENDER support in Xvnc, since it broke 24bit color depth support (bnc #390011) - xorg-server-1.4-vnc-disable_render.diff * disabled RENDER support in Xvnc (bnc #385677) - events.diff * eating up key events before going into the idle loop upon vt switch instead of after return (bnc #152522) - xkb_action.diff * fixed remaining unitialized warning in X.Org (bnc #83910) - fbdevhw.diff * screen blanking not supported by vesafb of Linux kernel (bnc #146462) - no longer disable AIGLX by default - XAANoOffscreenPixmaps.diff * disable Offscreen Pixmaps by default (bnc #376068) - Fix another o-b-1 in pci domain support. - randr1_1-sig11.diff * fixes Xserver crash when running xrandr on a different virtual terminal (Egbert Eich, bnc #223459) - commit-37b1258.diff * possibly fixes unwanted autorepeat (bnc #377612, bfo #14811) - bitmap_always_unscaled.diff * Default bitmap fonts should typically be set as unscaled (libv) - update to Mesa bugfix release 7.0.3 (final) sources - update to Mesa bugfix release 7.0.3 RC3 sources - confine_to_shape.diff * fixes XGrabPointer's confine_to with shaped windows (bnc #62146) - zap_warning_xserver.diff * implements FATE #302988: ZapWarning (Luc Verhaegen) Uses PCSpeaker for beep. Press once, beep. Press again within 2s (which is ample), terminate. Documented in xorg.conf manpage. - make the memory corruption fix by schwab a seperate patch to make sure it won't get lost the next time I update the VNC patch - Fix vnc server memory corruption. - commit-a6a7fad.diff * Don't break grab and focus state for a window when redirecting it. (bnc #336219, bfo #488264) - update to Mesa bugfix release 7.0.3 RC2 sources * Fixed GLX indirect vertex array rendering bug (14197) * Fixed crash when deleting framebuffer objects (bugs 13507, 14293) * User-defined clip planes enabled for R300 (bug 9871) * Fixed glBindTexture() crash upon bad target (bug 14514) * Fixed potential crash in glDrawPixels(GL_DEPTH_COMPONENT) (bug 13915) * Bad strings given to glProgramStringARB() didn't generate GL_INVALID_OPERATION * Fixed minor point rasterization regression (bug 11016) - added Requires:xkeyboard-config to xorg-x11-server - commit-50e80c3.diff: * never overwrite realInputProc with enqueueInputProc (bnc#357989, bfo#13511) - only switch to radeon driver in %post if radeonold driver is no longer available (Bug #355009) - some more cleanup in %post - Move manpage to the sub package that provides the binary. - update to Mesa bugfix release 7.0.3 RC1 sources * Added missing glw.pc.in file to release tarball * Fix GLUT/Fortran issues * GLSL gl_FrontLightModelProduct.sceneColor variable wasn't defined * Fix crash upon GLSL variable array indexes (not yet supported) * Two-sided stencil test didn't work in software rendering * Fix two-sided lighting bugs/crashes (bug 13368) * GLSL gl_FrontFacing didn't work properly * glGetActiveUniform returned incorrect sizes (bug 13751) * Fix several bugs relating to uniforms and attributes in GLSL API (Bruce Merry, bug 13753) * glTexImage3D(GL_PROXY_TEXTURE_3D) mis-set teximage depth field - updated patch for CVE-2007-6429 once more (X.Org Bug #13520) * Always test for size+offset wrapping. - updated patch for CVE-2007-6429 (Bug #345131) * Don't spuriously reject <8bpp shm pixmaps. Move size validation after depth validation, and only validate size if the bpp of the pixmap format is > 8. If bpp < 8 then we're already protected from overflow by the width and height checks. - X.Org security update * CVE-2007-5760 - XFree86 Misc extension out of bounds array index * CVE-2007-6427 - Xinput extension memory corruption. * CVE-2007-6428 - TOG-cup extension memory corruption. * CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows. * CVE-2008-0006 - PCF Font parser buffer overflow. - xorg-server 1.4.0.90 (prerelease of 1.4.1) - pixman.diff * fixed include path for pixman.h - remove_bogus_modeline.diff * remove bogus monitor modelines provided by DDC (Bug #335540) - commit-184e571.diff * Adjust offsets of modes that do not fit virtual screen size. - commit-c6c284e.diff * Initialize Mode with 0 in xf86RandRModeConvert. - commit-f6401f9.diff * Don't segfault if referring to a relative output where no modes survived. - commit-f7dd0c7.diff * Only clear crtc of output if it is the one we're actually working on. - commit-fa19e84.diff * Fix initial placement of LeftOf and Above. - pixman.diff no longer required - s390(x): allow mfb build without Xorg server being built - commit-29e0e18.diff * Make config file preferred mode override monitor preferred mode. - commit-feac075.diff * Leave hardware-specified preferred modes alone when user preference exists. - obsoletes preferred_mode-fix.diff - added xorg-x11-fonts-core/xorg-x11 to Requires (Bug #341312) - ia64linuxPciInit: allocate extra space for fake devices. - updated to Mesa 7.0.2 (final) sources - updated to Mesa 7.0.2 RC1 sources - xorg-server-1.4-vnc-64bit.diff * fixes segfault on 64bit during Xserver start; make sure to define _XSERVER64 by having HAVE_DIX_CONFIG_H defined and therefore including dix-config.h, so Atom is CARD32 instead of unsigned long before and no longer messes up the pInfo structure in xf86rfbMouseInit/xf86rfbKeybInit - finally enabled build of xf4vnc (standalone Xvnc and VNC Xserver module) - updated xf4vnc patch; still disabled due to problematic vnc module - preferred_mode-fix.diff * more reasonable patch (Bug #329724) - preferred_mode-fix.diff * fixed endless loop if PreferredMode is set (Bug #329724) - removed obsolete patch p_pci-domain.diff (Bug #308693, comment #26) - apply p_pci-off-by-one.diff.ia64 on all platforms since it clearly only affects platforms, where INCLUDE_XF86_NO_DOMAIN is *not* set; this still not explains why we have seen Xserver hangups with the patch in place on at least some %ix86/x86_64 machines with fglrx/ nvidia driver IIRC; it needs to verified if this problem is still reproducable ... (Bug #308693, comment #25) - xserver-1.3.0-xkb-and-loathing.patch * Ignore (not just block) SIGALRM around calls to Popen()/Pclose(). Fixes a hang in openoffice when opening menus. (Bug #245711) - added missing ia64Pci.h; required for IA64 - recreated p_pci-off-by-one.diff.ia64; the default fuzz factor of patch (2) resulted in a hunk applied to the wrong function and therefore broke the build :-( - xorg-server 1.4 * Welcome to X.Org X Server 1.4, now with hotplugging input to go with the hotplugging output. Also included in this release are many performance and correctness fixes to the EXA acceleration architecture, support for DTrace profiling of the X Server, accelerated GLX_EXT_texture_from_pixmap with supporting DRI drivers, and many improvements to the RandR 1.2 support that was added in xorg-server-1.3. The X Server now relies on the pixman library, which replaces the fb/fbcompose.c and accelerated implementations that were previously shared through code-duplication with the cairo project. * obsolete patches: - bug-259290_trapfault.diff - cfb8-undefined.diff - commit-c09e68c - i810_dri_fix_freeze.diff - p_bug159532.diff - p_enable-altrix.diff - p_pci-ce-x.diff - p_pci-off-by-one.diff - p_xorg_rom_read.diff - randr12-2926cf1da7e4ed63573bfaecdd7e19beb3057d9b.diff - randr12-5b424b562eee863b11571de4cd0019cd9bc5b379.diff - randr12-aec0d06469a2fa7440fdd5ee03dc256a68704e77.diff - randr12-b2dcfbca2441ca8c561f86a78a76ab59ecbb40e4.diff - randr12-b4193a2eee80895c5641e77488df0e72a73a3d99.diff - remove__GLinterface.patch - support_mesa6.5.3.patch - use-composite-for-unequal-depths.patch - x86emu.diff - xephyr-sig11-fix.diff * adjusted patches: - 64bit.diff - bug-197858_dpms.diff - bug227111-ddc_screensize.diff - disable-root-xorg_conf.diff - fpic.diff - glx-align.patch - libdrm.diff - p_bug96328.diff - p_ia64-console.diff - p_vga-crashfix.diff - xephyr.diff - pixman.diff: * search for pixman instead of pixman-1 - bumped version to 7.3 - remove wrongly prebuilt xf1bpp files after extracting tarball; fixes vga module loading (Bug #328201) - do not use "make -j" to (quick)fix xf1bpp build - do not apply p_pci-domain.diff on IA64 - use updated off-by-one patch by schwab for IA64 - edit_data_sanity_check.diff: * added sanity check for monitor EDID data (Bug #326454) - reverted changes by schwab on Fri Sep 7; these resulted i a black screen during Xserver start with any driver on non-IA64 platforms - use-composite-for-unequal-depths.patch: * Use Composite when depths don't match (Bug #309107, X.Org Bug [#7447]) - Update off-by-one patch. - Remove empty patch. - fbdevhw.diff: * ignore pixclock set to 0 by Xen kernel (Bug #285523) - added several RANDR 1.2 fixes (Bug #306699) * randr12-2926cf1da7e4ed63573bfaecdd7e19beb3057d9b.diff Allocate the right number of entries for saving crtcs * randr12-5b424b562eee863b11571de4cd0019cd9bc5b379.diff Set the crtc before the output change is notified. Set the new randr crtc of the output before the output change notification is delivered to the clients. Remove RROutputSetCrtc as it is not really necessary. All we have to do is set the output's crtc on RRCrtcNotify * randr12-8d230319040f0a7f72231da2bf5ec97dc3612e21.diff Fix the output->crtc initialization in the old randr setup * randr12-aec0d06469a2fa7440fdd5ee03dc256a68704e77.diff Fix a crash when rotating the screen. Remember output->crtc before setting a NULL mode because RRCrtcNotify now sets output->crtc to NULL. Use the saved crtc to set the new mode. * randr12-b2dcfbca2441ca8c561f86a78a76ab59ecbb40e4.diff RRScanOldConfig cannot use RRFirstOutput before output is configured. RRFirstOutput returns the first active output, which won't be set until after RRScanOldConfig is finished running. Instead, just use the first output (which is the only output present with an old driver, after all). * randr12-b4193a2eee80895c5641e77488df0e72a73a3d99.diff RRScanOldConfig wasn't getting crtcs set correctly. The output crtc is set by RRCrtcNotify, which is called at the end of RRScanOldConfig. Several uses of output->crtc in this function were wrong. - i810_dri_fix_freeze.diff: * fixes freeze after pressing Ctrl-Alt-BS (X.Org Bug #10809) - xserver-mode-fuzzy-check.diff: * Fix for Xserver being more fuzzy about mode validation (Bug #270846) - disable AIGLX by default; without enabled Composite extension (still problematic on many drivers) it's rather useless anyway - updated xorg.conf manual page - fix fileconflict over doc/MAINTAINERS - build parallel - updated Mesa source to bugfix release 7.0.1 - xephyr-sig11-fix.diff: * long vs. CARD32 mismatch in KeySym definitions between client and server code - this patch seems to fix it (and the input rework in head fixed it as well in a different way) (Bug #235320) - fixed build on s390(x) - added X(7) and security(7) manual pages - updated Mesa source to final release 7.0 - updated Mesa source to release 7.0 RC1 * Mesa 7.0 is a stable, follow-on release to Mesa 6.5.3. The only difference is bug fixes. The major version number bump is due to OpenGL 2.1 API support. - simplified p_default-module-path.diff - disabled build of Xprt - moved Xdmx, Xephyr, Xnest and Xvfb to new subpackage xorg-x11-server-extra - commit-c09e68c: * Paper over a crash at exit during GLX teardown - updated to Mesa 6.5.3 sources - obsoletes the following patches: * bug-211314_mesa-destroy_buffers.diff * bug-211314_mesa-framebuffer-counting.diff * bug-211314-patch-1.diff * bug-211314-patch-2.diff * bug-211314-patch-3.diff * bug-211314-patch-4.diff * bug-211314-patch-5.diff * bug-211314-patch-6.diff * bug-211314-patch-7.diff * bug-211314-patch-8.diff * bug-211314-patch-9.diff * bug-211314-patch-10.diff * bug-211314-patch-11.diff * bug-211314_mesa-refcount-memleak-fixes.diff * Mesa-6.5.2-fix_radeon_cliprect.diff - remove__GLinterface.patch/ support_mesa6.5.3.patch * required Xserver changes for Mesa 6.5.3 - xorg-x11-server-1.2.99-unbreak-domain.patch: * This patch fixes some multi-domain systems such as Pegasos with xorg-server 1.3. Since pci-rework should get merged soon and this patch is a bit of a hack, it never got pushed upstream. (X.Org Bug #7248) - back to Mesa 6.5.2 (Bug #269155/269042) - Mesa update: 4th RC ready * This fixes some breakage in RC3. - Mesa update: 3rd release candidate * updated Windows/VC8 project files. - updated to Mesa 6.5.3rc2 sources * a number of bug fixes since the first RC - updated to Mesa 6.5.3rc1 sources - obsoletes the following patches: * bug-211314_mesa-destroy_buffers.diff * bug-211314_mesa-framebuffer-counting.diff * bug-211314-patch-1.diff * bug-211314-patch-2.diff * bug-211314-patch-3.diff * bug-211314-patch-4.diff * bug-211314-patch-5.diff * bug-211314-patch-6.diff * bug-211314-patch-7.diff * bug-211314-patch-8.diff * bug-211314-patch-9.diff * bug-211314-patch-10.diff * bug-211314-patch-11.diff * bug-211314_mesa-refcount-memleak-fixes.diff * Mesa-6.5.2-fix_radeon_cliprect.diff - GL-Mesa-6.5.3.diff: * adjusted GL subdir to Mesa 6.5.3rc1 - xserver 1.3.0.0 release * Syncmaster 226 monitor needs 60Hz refresh (#10545). * In AIGLX EnterVT processing, invoke driver EnterVT before resuming glx. * Disable CRTC when SetSingleMode has no matching mode. Update RandR as well. * Rotate screen size as needed from RandR 1.1 change requests. * Add quirk for Acer AL1706 monitor to force 60hz refresh. * RandR 1.2 spec says CRTC info contains screen-relative geometry * typo in built-in module log message * Use default screen monitor for one of the outputs. * Allow outputs to be explicitly enabled in config, overriding detect. * Was accidentally disabling rotation updates in mode set. * Disable SourceValidate in rotation to capture cursor. - Mesa-6.5.2-fix_radeon_cliprect.diff: * fixes X.Org Bug #9876 - bug-259290_trapfault.diff: * fixes crash caused by bug in XRender code (Bug #259290) - xserver 1.2.99.905 release: * CVE-2007-1003: XC-MISC Extension ProcXCMiscGetXIDList() Memory Corruption * X.Org Bug #10296: Fix timer rescheduling - obsoletes bug-243978_xcmisc.diff - xserver 1.2.99.904 release: * Don't erase current crtc for outputs on CloseScreen - bug-243978_xcmisc.diff: * mem corruption in ProcXCMiscGetXIDList (CVE-2007-1003, Bug #243978) - bug-211314_mesa-refcount-memleak-fixes.diff: * Fix for memleaks and refount bugs (Bug #211314) - p_default-module-path.diff: * only return /usr/%lib/xorg/modules in "-showDefaultModulePath" Xserver option (Bug #257360) - set Xserver version to 7.2.0 with configure option (Bugs #257360, #253702) - xserver 1.2.99.903 release: * Create driver-independent CRTC-based cursor layer. * Allow xf86_reload_cursors during server init. * Don't wedge when rotating more than one CRTC. * Correct ref counting of RRMode structures * Remove extra (and wrong) I2C ByteTimeout setting in DDC code. * Slow down DDC I2C bus using a RiseFallTime of 20us for old monitors. * Clean up Rotate state on server reset. * Clear allocated RandR screen private structure. * Clean up xf86CrtcRec and xf86OutputRec objects at CloseScreen. * Make sure RandR events are delivered from RRCrtcSet. * Fix Pending property API, adding RRPostPendingProperty. * Incorrect extra memory copy in RRChangeOutputProperty. * Ensure that crtc desired values track most recent mode. * Make pending properties force mode set. And, remove AttachScreen calls. * Set version to 1.2.99.903 (1.3 RC3) * fbdevhw: Consolidate modeset ioctl calling, report failure if it modifies mode. * fbdevhw: Fix some issues with the previous commit. * fbdevhw: Use displayWidth for fbdev virtual width when appropriate. * fbdevhw: Override RGB offsets and masks after setting initial mode. * fbdevhw: Consider mode set equal to mode requested if virtual width is larger. * fbdevhw: Only deal with RGB weight if default visual is True- or DirectColor. * Add per-drawable Xv colour key helper function. * Bump video driver ABI version to 1.2. - no longer apply bug-211314_mesa-context.diff, bug-211314_p_drawable_privclean.diff (Bug #211314, comment #114) - added different Mesa patches (Bug #211314, comments #114/#115) - Remove bug197190-ia64.diff, fix x86emu instead. - xserver 1.2.99.902 release: * Xprint: shorten font filename to fit in tar length limit * Move xf86SetSingleMode into X server from intel driver. * Add xf86SetDesiredModes to apply desired modes to crtcs. * Use EDID data to set screen physical size at server startup. * Allow relative positions to use output names or monitor identifiers. * Add xf86CrtcScreenInit to share initialization across drivers. * Add hw/xfree86/docs/README.modes, documenting new mode setting APIs. * Remove stale monitor data when output becomes disconnected. * Revert "Xprint includes a filename which is too long for tar." * Revert "Xext: Update device's lastx/lasty when sending a motion event with XTest." * Xext: Update device's lastx/lasty when sending a motion event with XTest. - xf86crtc_allowdual.diff no longer required; replaced by xrandr_12_newmode.diff in xrandr (xorg-x11 package) - bug197190-ia64.diff: * missing -DNO_LONG_LONG for IA64 (Bug #197190) - xf86crtc_allowdual.diff: * allows dualhead even when the second monitor is not yet connected during Xserver start - %post: replace "i810beta" with "intel" in existing xorg.conf - xserver 1.2.99.901 release: * RandR 1.2 * EXA damage track * minor fixes - use global permissions files for SUSE > 10.1 (Bug #246228) - improved bug-197858_dpms.diff to fix Xserver crash (Bug #197858) - bug-197858_dpms.diff: * finally fixed "X server wakes up on any ACPI event" issue (Bug #197858) - bug-211314_p_drawable_privclean.diff: * fixed for cleaning up pointers - fixed build - bug-211314_p_drawable_privclean.diff: * fixes Xserver crash in Mesa software rendering path (Bug #211314) - xserver 1.2.0 release * Bug #9219: Return BadMatch when trying to name the backing pixmap of an unrealized window. * Bug #9219: Use pWin->viewable instead of pWin->realized to catch InputOnly windows too. * Fix BSF and BSR instructions in the x86 emulator. * Bug #9555: Always define _GNU_SOURCE in glibc environments. * Bug #8991: Add glXGetDrawableAttributes dispatch; fix texture format therein. * Bump video and input ABI minors. * Fix release date. * Fix syntax error in configure check for SYSV_IPC that broke with Sun cc * Map missing keycodes for Sun Type 5 keyboard on Solaris SPARC * Update pci.ids to 2006-12-06 from pciids.sf.net * Xorg & Xserver man page updates for 1.2 release * xorg.conf man page should say "XFree86-DGA", not "Xorg-DGA" * Xserver man page: remove bc, add -wr * Update pci.ids to 2007-01-18 snapshot * Update Xserver man page to match commit ed33c7c98ad0c542e9e2dd6caa3f84879c21dd61 * Fix Tooltip from minimized clients * Fix Xming fails to use xkb bug * Fix bad commit * Set Int10Current->Tag for the linux native int10 module * added mipmap.c * configure.ac: prepare for 1.2.0 (X11R7.2) * sparc: don't include asm/kbio.h -- it no longer exists in current headers. * Minor typos in Xserver man page. * Fix several cases where optimized paths were hit when they shouldn't be. * Try dlsym(RTLD_DEFAULT) first when finding symbols. * Fix RENDER issues (bug #7555) and implement RENDER add/remove screen * For Xvfb, Xnest and Xprt, compile fbcmap.c with -DXFree86Server * Multiple integer overflows in dbe and render extensions * Require glproto >= 1.4.8 for GLX. * __glXDRIscreenProbe: Use drmOpen/CloseOnce. * xfree86/hurd: re-add missing keyboard support (bug #5613) * remove last remaning 'linux'isms (bug #5613) - obsoletes * Mesa-6.5.2.diff * xorg-server-1.1.99.901-GetDrawableAttributes.patch * int10-fix.diff * cve-2006-6101_6102_6103.diff - disabled build of VNC server/module - bug-211314_mesa-context.diff: * fixes Xserver crash in software rendering fallback (Bug #211314) - 0018-vnc-support.txt.diff * fixed unresolved symbols vncRandomBytes/deskey in VNC module (terminated Xserver when client connected) - bug227111-ddc_screensize.diff: * allow user overrides for monitor settings (Bug #227111) - loadmod-bug197195.diff: * check the complete path (Bug #197195) - added build of VNC support (0018-vnc-support.txt/ 0018-vnc-support.txt.diff); see 0018-vnc-support.txt.mbox for reference - cve-2006-6101_6102_6103.diff: * CVE-2006-6101 iDefense X.org ProcRenderAddGlyphs (Bug #225972) * CVE-2006-6102 iDefense X.org ProcDbeGetVisualInfo (Bug #225974) * CVE-2006-6103 iDefense X.org ProcDbeSwapBuffers (Bug #225975) - int10-fix.diff * Set Int10Current->Tag for the linux native int10 module (X.Org Bug #9296) * obsoletes p_initialize-pci-tag.diff - reverted latest change by schwab (Bug #197190, comment #67) - Fix off-by-one in pci multi-domain support [#229278]. - libdrm.diff: * no longer fail when some driver tries to load "drm" module - xorg-server-1.1.99.901-GetDrawableAttributes.patch: * hopefully fixes AIGLX issues (X.Org Bug #8991) - another 64bit warning fix - X.Org 7.2RC3 release * Add a -showDefaultModulePath option. * Add a -showDefaultLibPath option. * Add DIX_CFLAGS to util builds. * Fix release date, and tag 1.1.99.903 * make X server use system libdrm - this requires libdrm >= 2.3.0 * DRI: call drmSetServerInfo() before drmOpen(). * add extern to struct definition * fixup configure.ac problems with DRI_SOURCES and LBX_SOURCES * bump to 1.1.99.903 * remove CID support (bug #5553) * dri: setup libdrm hooks as early as possible. * Bug #8868: Remove drm from SUBDIRS now that the directory is gone. * Fix typo before the last commit. * Fix GL context destruction with AIGLX. * On DragonFLy, default to /dev/sysmouse (just like on FreeBSD). * ffs: handle 0 argument (bug #8968) * Bug #9023: Only check mice for "mouse" or "void" if identifier is != NULL. Fix potential NULL pointer access in timer code. - updated Mesa sources to 6.5.2 - xserver-timers.diff: * fix null pointer reference in timer code (Bug #223718) - p_pci-off-by-one.diff: * readded off by one fix, which has been dropped by accident (Bug #197190) - acpi_events.diff: * distinguish between general and input devices also for APM (Bug #197858) - removed /etc/X11/Xsession.d/92xprint-xpserverlist (Bug #220733) - mouse-fix.diff: * prevent driver from crashing when something different than "mouse" or "void" is specified; only check mice for "mouse" or "void" if identifier is != NULL. (X.Org Bug #9023) - X.Org 7.2RC2 release - adjusted p_enable-altrix.diff, p_pci-domain.diff - obsoletes p_pci-ia64.diff, xorg-xserver-ia64-int10.diff p_pci-legacy-mmap.diff - Changes in RC2 since RC1 Aaron Plattner: Fix standard VESA modes. Adam Jackson: Bug #6786: Use separate defines for server's Fixes support level. 'make dist' fixes. Fix distcheck. Include a forgotten ia64 header in the distball. Builds on ia64 now. configure.ac bump. Alan Coopersmith: Make sure xorgcfg files are included even when dist made with --disable-xorgcfg Use getisax() instead of asm code to determine available x86 ISA extensions on Solaris Pre-release message should tell users to check git, not CVS, for updates Fix automake error: BUILT_SOURCES was defined multiple times on Solaris Bug #1997: AUDIT messages should contain uid for local accesses If getpeerucred() is available, include pid & zoneid in audit messages too Make _POSIX_C_SOURCE hack work with Solaris headers Alan Hourihane: Small modification to blocking signals when switching modes. Bjorn Helgaas: Do not map full 0-1MB legacy range Bram Verweij: xfree86/linux acpi: fix tokenising Daniel Stone: GetTimeInMillis: spuport monotonic clock WaitForSomething: allow time to rewind Revert "WaitForSomething: allow time to rewind" Revert "GetTimeInMillis: spuport monotonic clock" add 'general socket' handler, port ACPI to use it WaitForSomething: allow time to rewind WaitForSomething: only rewind when delta is more than 250ms GetTimeInMillis: spuport monotonic clock GetTimeInMillis: simplify monotonic test GetTimeInMillis: use correct units for clock_gettime os: fix sun extensions test Eamon Walsh: Bug #8875: Security extension causes Xorg to core dump on server reset whitespace adjust More work on Bug #8875: revert previous fix and try using client argument Bug #8937: Extension setup functions not called on server resets Egbert Eich: Fixing mach64 driver bailing out on ia64 Make int10 fully domain aware. Erik Andren: remove XFree86 changelogs (bug #7262) Joshua Baergen: Create xorg.conf.example (Gentoo bug #138623). Laurence Withers: CreateColormap: fix return value (bug #7083) Matthias Hopf: Build with -D_PC on ix86 only. Added missing domain stripping in already domain aware code. Added linux 2.6 compatible domain aware device scanning code. Fixing domain support for ia64 Add domain support to linuxPciOpenFile(). Fix device path in altixPCI.c to be domain aware. Fix obviously wrong boundary checks + cleanup unused vars. Matthieu Herrb: kill GNU-make'ism. Handle building in a separate objdir Michel Dänzer: Fix __glXDRIbindTexImage() for 32 bpp on big endian platforms. Fix test for Option "IgnoreABI". Myron Stowe: xfree86: re-enable chipset-specific drivers for Linux/ia64 Rich Coe: CheckConnections: don't close down the server client (bug #7876) - p_ppc_domain_workaround.diff: * ugly workaround for still missing domain support on ppc (Bug #202133) - updated to snapshot of xserver-1.2-branch (soon to be released as X.Org 7.2RC2) * Make sure xorgcfg files are included even when dist made with --disable-xorgcfg * Small modification to blocking signals when switching modes. * Use getisax() instead of asm code to determine available x86 ISA extensions on Solaris * Pre-release message should tell users to check git, not CVS, for updates * Fix __glXDRIbindTexImage() for 32 bpp on big endian platforms. * Create xorg.conf.example (Gentoo bug #138623). * Fix test for Option "IgnoreABI". This option has plenty of potential for wasting the time of bug triagers without pretending it's always on. * kill GNU-make'ism. * Handle building in a separate objdir * Fix automake error: BUILT_SOURCES was defined multiple times on Solaris * Bug #1997: AUDIT messages should contain uid for local accesses * If getpeerucred() is available, include pid & zoneid in audit messages too - added /etc/modprobe.d/nvidia - xorg-xserver-ia64-int10.diff: * build int10 module with _PC only on %ix86 (Bug #197190) - added build of Xephyr; useful for debugging KDE apps (coolo) - cfb8-undefined.diff: * fixes warning for undefined behaviour - Own /etc/X11/Xsession.d directory. - Use /etc/X11/Xsession.d. - updated to X.Org 7.2RC1 - only disable AIGLX by default on SUSE <= 10.1 (Bug #197093) - no longer fake release version for fglrx driver (Bug #198125) - glx-align.patch: * reenabled -D__GLX_ALIGN64 on affected plaforms (X.Org Bug #8392) - Fixes to p_pci-domain.diff (Bug #197572) * internal domain number of by one (was supposed to be a cleanup, but other code dependet on this semantics) * fixed another long-standing of-by-1 error - p_enable-altrix.diff (Bug #197572) * This additional patch enables the build of the altrix detection routines, which have apparently not been included in Xorg 7.1 yet. This patch needs a autoreconf -fi after application. - updated to Mesa 6.5.1 - disable-fbblt-opt.diff: * Disable optimization (introduced by ajax) due to a general vesa driver crash later in memcpy (Bug #204324) - removed two source files with imcompatible license from Mesa tarball (Bug #204110) - added a check to specfile to make sure that these will not be reintroduced with the next Mesa update again (Bug #204110) - moved xf86Parser.h,xf86Optrec.h back to /usr/include/xorg, since SaX2 build issues have finally been resolved by making use of "-iquote /usr/include/xorg -I." - disable-root-xorg_conf.diff: * no longer consider to read /root/xorg.conf - only require xorg-x11-fonts-core ('fixed' + 'cursor' fonts) - fake release version for fglrx driver again, since using IgnoreABI does not help (the check for the ABI version is in the binary-only fglrx driver) - added Requires: xorg-x11-driver-{input,video} (Bug #202080) - ignore-abi.diff: * adds IgnoreABI option for xorg.conf (same as -ignoreABI) - remove .la files - no longer fake release version for fglrx driver; use the new IgnoreABI option instead! - PCI/IA64 Patches (Bug #197572): * apply new p_pci-domain.diff (mhopf) * apply new p_pci-ce-x.diff (mhopf) - PCI/IA64 Patches (Bug #197572): * removed p_mappciBIOS_complete.diff (already applied upstream) * apply p_pci-ia64.diff * apply p_pci-legacy-mmap.diff only for IA64 (as before) * disabled for now: - p_pci-domain.diff: still issues with it - p_pci-ce-x.diff: sits on top of p_pci-domain.diff - added PCI/IA64 patches, but disabled them for now (Bug #197572) - remove comp. symlinks in /usr/X11R6/bin for openSUSE >= 10.2 - fixed build for s390/s390x, e.g. use configure options --disable-install-libxf86config --disable-aiglx --disable-dri --disable-xorg - changed os-name to "openSUSE" instead of "Linux" before - fake release version for fglrx driver :-( - xinerama-sig11.diff: * prevents Xserver Sig11 with broken Xinerama config (Bug #135002) - moved /usr/%_lib/pkgconfig/xorg-server.pc to xorg-x11-server - added pkgconfig to Requires of xorg-x11-server - disable-aiglx.diff: * disabled AIGLX by default (related to Bug #197093); enable it with 'Option "AIGLX" "true"' in ServerFlags section of xorg.conf - enabled build of aiglx - patch font path also in xorg.conf when set to /usr/lib/X11/fonts/ or /usr/X11/lib/X11/fonts - patch xorg.conf in %post: * radeonold/radeon10b driver --> radeon driver - added "Requires: xorg-x11-fonts" to prevent issues like "could not open default font 'fixed'" for any Xserver - make sure that symlinks /usr/bin/X --> /var/X11R6/bin/X /var/X11R6/bin/X --> /usr/bin/Xorg are packaged. - p_xorg_acpi.diff: * fixed for archs which don't have HAVE_ACPI defined, e.g. ppc - p_xf86Mode.diff: * removes wrong warning (Bug #139510) - p_xorg_acpi.diff: * reconnect to acpid when acpid has been killed (Bug #148384) - p_xkills_wrong_client.diff: * This patch has unveiled two other problems. One is rather serious as there seems to be a non-zero possibility that the Xserver closes the wrong connection and this closes the wrong client when it looks for stale sockets of clients that have disappeared (eich, Bug #150869) - p_bug159532.diff: * X Clients can intentionally or unintenionally crash X11 by using composite on depth 4 pixmaps. This patch fixes this. (Bug #159532) - p_xnest-ignore-getimage-errors.diff: * ignores the X error on GetImage in Xnest (Bug #174228, X.Org Bug #4411) - p_initialize-pci-tag.diff: * initialize PCI tag correctly, which is used by an IA64 specific patch (see Bug #147261 for details); fixes Xserver crashes with fglrx driver - and possibly other drivers like vesa - during initial startup (!), VT switch and startup of second Xserver (SLED10 Blocker Bugs #180535, #170991, #158806) - p_ia64-console.diff: * fixes MCA after start of second Xserver (Bug #177011) - p_mouse_misc.diff: * fix X server crashes with synaptics driver (Bug #61702) - pu_fixes.diff * Fixes not yet in the official version - p_bug96328.diff: * fallback mouse device checking - p_vga-crashfix.diff: * fixes vga driver crash (#133989) - p_xorg_rom_read.diff * read rom in big chunks instead of byte-at-a-time (Bug #140811) - ps_showopts.diff * Xserver "-showopts" option to print available driver options (Bug #137374) - add /var/X11R6/bin directory for now (Bug #197188) - fix setup line - fixed fatal compiler warnings - always (and only) patch xorg.conf if necessary - update to xorg-server release 1.1.99.3 - use "-fno-strict-aliasing" - use $RPM_OPT_FLAGS - remove existing /usr/include/X11 symlink in %pre - install xf86Parser.h,xf86Optrec.h to /usr/include instead of /usr/include/xorg, so it is no longer necessary to specify "-I/usr/include/xorg" which resulted in including a wrong "shadow.h" (by X.Org) when building SaX2 (strange build error) - added permissions files - add compatibility symlink /usr/X11R6/bin/Xorg - p_ValidatePci.diff: * no longer call ValidatePci() to fix i810 driver issues (Bug #191987) - fixed build - bfo-bug15222.diff (bfo #15222, bnc #374318) * CVE-2008-2360 - RENDER Extension heap buffer overflow * CVE-2008-2361 - RENDER Extension crash * CVE-2008-2362 - RENDER Extension memory corruption * CVE-2008-1379 - MIT-SHM arbitrary memory read * CVE-2008-1377 - RECORD and Security extensions memory corruption - xserver-mode-fuzzy-check.diff * Make mode checking more tolerant like in pre-RandR times. - fix-dpi-values.diff * fixes DPI values for RANDR 1.2 capable drivers (bnc #393001) - mention ZapWarning also in Xorg manual page (bnc #391352) - xorg-server-1.4-vnc-render_sig11.diff * fixed sig11 in RENDER code (bnc #385677) - disabled patch to disable RENDER support in Xvnc, since it broke 24bit color depth support (bnc #390011) - xorg-server-1.4-vnc-disable_render.diff * disabled RENDER support in Xvnc (bnc #385677) - events.diff * eating up key events before going into the idle loop upon vt switch instead of after return (bnc #152522) - xkb_action.diff * fixed remaining unitialized warning in X.Org (bnc #83910) - fbdevhw.diff * screen blanking not supported by vesafb of Linux kernel (bnc #146462) - no longer disable AIGLX by default - XAANoOffscreenPixmaps.diff * disable Offscreen Pixmaps by default (bnc #376068) - Fix another o-b-1 in pci domain support. - randr1_1-sig11.diff * fixes Xserver crash when running xrandr on a different virtual terminal (Egbert Eich, bnc #223459) - commit-37b1258.diff * possibly fixes unwanted autorepeat (bnc #377612, bfo #14811) - bitmap_always_unscaled.diff * Default bitmap fonts should typically be set as unscaled (libv) - update to Mesa bugfix release 7.0.3 (final) sources - update to Mesa bugfix release 7.0.3 RC3 sources - confine_to_shape.diff * fixes XGrabPointer's confine_to with shaped windows (bnc #62146) - zap_warning_xserver.diff * implements FATE #302988: ZapWarning (Luc Verhaegen) Uses PCSpeaker for beep. Press once, beep. Press again within 2s (which is ample), terminate. Documented in xorg.conf manpage. - make the memory corruption fix by schwab a seperate patch to make sure it won't get lost the next time I update the VNC patch - Fix vnc server memory corruption. - commit-a6a7fad.diff * Don't break grab and focus state for a window when redirecting it. (bnc #336219, bfo #488264) - update to Mesa bugfix release 7.0.3 RC2 sources * Fixed GLX indirect vertex array rendering bug (14197) * Fixed crash when deleting framebuffer objects (bugs 13507, 14293) * User-defined clip planes enabled for R300 (bug 9871) * Fixed glBindTexture() crash upon bad target (bug 14514) * Fixed potential crash in glDrawPixels(GL_DEPTH_COMPONENT) (bug 13915) * Bad strings given to glProgramStringARB() didn't generate GL_INVALID_OPERATION * Fixed minor point rasterization regression (bug 11016) - added Requires:xkeyboard-config to xorg-x11-server - commit-50e80c3.diff: * never overwrite realInputProc with enqueueInputProc (bnc#357989, bfo#13511) - only switch to radeon driver in %post if radeonold driver is no longer available (Bug #355009) - some more cleanup in %post - Move manpage to the sub package that provides the binary. - update to Mesa bugfix release 7.0.3 RC1 sources * Added missing glw.pc.in file to release tarball * Fix GLUT/Fortran issues * GLSL gl_FrontLightModelProduct.sceneColor variable wasn't defined * Fix crash upon GLSL variable array indexes (not yet supported) * Two-sided stencil test didn't work in software rendering * Fix two-sided lighting bugs/crashes (bug 13368) * GLSL gl_FrontFacing didn't work properly * glGetActiveUniform returned incorrect sizes (bug 13751) * Fix several bugs relating to uniforms and attributes in GLSL API (Bruce Merry, bug 13753) * glTexImage3D(GL_PROXY_TEXTURE_3D) mis-set teximage depth field - updated patch for CVE-2007-6429 once more (X.Org Bug #13520) * Always test for size+offset wrapping. - updated patch for CVE-2007-6429 (Bug #345131) * Don't spuriously reject <8bpp shm pixmaps. Move size validation after depth validation, and only validate size if the bpp of the pixmap format is > 8. If bpp < 8 then we're already protected from overflow by the width and height checks. - X.Org security update * CVE-2007-5760 - XFree86 Misc extension out of bounds array index * CVE-2007-6427 - Xinput extension memory corruption. * CVE-2007-6428 - TOG-cup extension memory corruption. * CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows. * CVE-2008-0006 - PCF Font parser buffer overflow. - xorg-server 1.4.0.90 (prerelease of 1.4.1) - pixman.diff * fixed include path for pixman.h - remove_bogus_modeline.diff * remove bogus monitor modelines provided by DDC (Bug #335540) - commit-184e571.diff * Adjust offsets of modes that do not fit virtual screen size. - commit-c6c284e.diff * Initialize Mode with 0 in xf86RandRModeConvert. - commit-f6401f9.diff * Don't segfault if referring to a relative output where no modes survived. - commit-f7dd0c7.diff * Only clear crtc of output if it is the one we're actually working on. - commit-fa19e84.diff * Fix initial placement of LeftOf and Above. - pixman.diff no longer required - s390(x): allow mfb build without Xorg server being built - commit-29e0e18.diff * Make config file preferred mode override monitor preferred mode. - commit-feac075.diff * Leave hardware-specified preferred modes alone when user preference exists. - obsoletes preferred_mode-fix.diff - added xorg-x11-fonts-core/xorg-x11 to Requires (Bug #341312) - ia64linuxPciInit: allocate extra space for fake devices. - updated to Mesa 7.0.2 (final) sources - updated to Mesa 7.0.2 RC1 sources - xorg-server-1.4-vnc-64bit.diff * fixes segfault on 64bit during Xserver start; make sure to define _XSERVER64 by having HAVE_DIX_CONFIG_H defined and therefore including dix-config.h, so Atom is CARD32 instead of unsigned long before and no longer messes up the pInfo structure in xf86rfbMouseInit/xf86rfbKeybInit - finally enabled build of xf4vnc (standalone Xvnc and VNC Xserver module) - updated xf4vnc patch; still disabled due to problematic vnc module - preferred_mode-fix.diff * more reasonable patch (Bug #329724) - preferred_mode-fix.diff * fixed endless loop if PreferredMode is set (Bug #329724) - removed obsolete patch p_pci-domain.diff (Bug #308693, comment #26) - apply p_pci-off-by-one.diff.ia64 on all platforms since it clearly only affects platforms, where INCLUDE_XF86_NO_DOMAIN is *not* set; this still not explains why we have seen Xserver hangups with the patch in place on at least some %ix86/x86_64 machines with fglrx/ nvidia driver IIRC; it needs to verified if this problem is still reproducable ... (Bug #308693, comment #25) - xserver-1.3.0-xkb-and-loathing.patch * Ignore (not just block) SIGALRM around calls to Popen()/Pclose(). Fixes a hang in openoffice when opening menus. (Bug #245711) - added missing ia64Pci.h; required for IA64 - recreated p_pci-off-by-one.diff.ia64; the default fuzz factor of patch (2) resulted in a hunk applied to the wrong function and therefore broke the build :-( - xorg-server 1.4 * Welcome to X.Org X Server 1.4, now with hotplugging input to go with the hotplugging output. Also included in this release are many performance and correctness fixes to the EXA acceleration architecture, support for DTrace profiling of the X Server, accelerated GLX_EXT_texture_from_pixmap with supporting DRI drivers, and many improvements to the RandR 1.2 support that was added in xorg-server-1.3. The X Server now relies on the pixman library, which replaces the fb/fbcompose.c and accelerated implementations that were previously shared through code-duplication with the cairo project. * obsolete patches: - bug-259290_trapfault.diff - cfb8-undefined.diff - commit-c09e68c - i810_dri_fix_freeze.diff - p_bug159532.diff - p_enable-altrix.diff - p_pci-ce-x.diff - p_pci-off-by-one.diff - p_xorg_rom_read.diff - randr12-2926cf1da7e4ed63573bfaecdd7e19beb3057d9b.diff - randr12-5b424b562eee863b11571de4cd0019cd9bc5b379.diff - randr12-aec0d06469a2fa7440fdd5ee03dc256a68704e77.diff - randr12-b2dcfbca2441ca8c561f86a78a76ab59ecbb40e4.diff - randr12-b4193a2eee80895c5641e77488df0e72a73a3d99.diff - remove__GLinterface.patch - support_mesa6.5.3.patch - use-composite-for-unequal-depths.patch - x86emu.diff - xephyr-sig11-fix.diff * adjusted patches: - 64bit.diff - bug-197858_dpms.diff - bug227111-ddc_screensize.diff - disable-root-xorg_conf.diff - fpic.diff - glx-align.patch - libdrm.diff - p_bug96328.diff - p_ia64-console.diff - p_vga-crashfix.diff - xephyr.diff - pixman.diff: * search for pixman instead of pixman-1 - bumped version to 7.3 - remove wrongly prebuilt xf1bpp files after extracting tarball; fixes vga module loading (Bug #328201) - do not use "make -j" to (quick)fix xf1bpp build - do not apply p_pci-domain.diff on IA64 - use updated off-by-one patch by schwab for IA64 - edit_data_sanity_check.diff: * added sanity check for monitor EDID data (Bug #326454) - reverted changes by schwab on Fri Sep 7; these resulted i a black screen during Xserver start with any driver on non-IA64 platforms - use-composite-for-unequal-depths.patch: * Use Composite when depths don't match (Bug #309107, X.Org Bug [#7447]) - Update off-by-one patch. - Remove empty patch. - fbdevhw.diff: * ignore pixclock set to 0 by Xen kernel (Bug #285523) - added several RANDR 1.2 fixes (Bug #306699) * randr12-2926cf1da7e4ed63573bfaecdd7e19beb3057d9b.diff Allocate the right number of entries for saving crtcs * randr12-5b424b562eee863b11571de4cd0019cd9bc5b379.diff Set the crtc before the output change is notified. Set the new randr crtc of the output before the output change notification is delivered to the clients. Remove RROutputSetCrtc as it is not really necessary. All we have to do is set the output's crtc on RRCrtcNotify * randr12-8d230319040f0a7f72231da2bf5ec97dc3612e21.diff Fix the output->crtc initialization in the old randr setup * randr12-aec0d06469a2fa7440fdd5ee03dc256a68704e77.diff Fix a crash when rotating the screen. Remember output->crtc before setting a NULL mode because RRCrtcNotify now sets output->crtc to NULL. Use the saved crtc to set the new mode. * randr12-b2dcfbca2441ca8c561f86a78a76ab59ecbb40e4.diff RRScanOldConfig cannot use RRFirstOutput before output is configured. RRFirstOutput returns the first active output, which won't be set until after RRScanOldConfig is finished running. Instead, just use the first output (which is the only output present with an old driver, after all). * randr12-b4193a2eee80895c5641e77488df0e72a73a3d99.diff RRScanOldConfig wasn't getting crtcs set correctly. The output crtc is set by RRCrtcNotify, which is called at the end of RRScanOldConfig. Several uses of output->crtc in this function were wrong. - i810_dri_fix_freeze.diff: * fixes freeze after pressing Ctrl-Alt-BS (X.Org Bug #10809) - xserver-mode-fuzzy-check.diff: * Fix for Xserver being more fuzzy about mode validation (Bug #270846) - disable AIGLX by default; without enabled Composite extension (still problematic on many drivers) it's rather useless anyway - updated xorg.conf manual page - fix fileconflict over doc/MAINTAINERS - build parallel - updated Mesa source to bugfix release 7.0.1 - xephyr-sig11-fix.diff: * long vs. CARD32 mismatch in KeySym definitions between client and server code - this patch seems to fix it (and the input rework in head fixed it as well in a different way) (Bug #235320) - fixed build on s390(x) - added X(7) and security(7) manual pages - updated Mesa source to final release 7.0 - updated Mesa source to release 7.0 RC1 * Mesa 7.0 is a stable, follow-on release to Mesa 6.5.3. The only difference is bug fixes. The major version number bump is due to OpenGL 2.1 API support. - simplified p_default-module-path.diff - disabled build of Xprt - moved Xdmx, Xephyr, Xnest and Xvfb to new subpackage xorg-x11-server-extra - commit-c09e68c: * Paper over a crash at exit during GLX teardown - updated to Mesa 6.5.3 sources - obsoletes the following patches: * bug-211314_mesa-destroy_buffers.diff * bug-211314_mesa-framebuffer-counting.diff * bug-211314-patch-1.diff * bug-211314-patch-2.diff * bug-211314-patch-3.diff * bug-211314-patch-4.diff * bug-211314-patch-5.diff * bug-211314-patch-6.diff * bug-211314-patch-7.diff * bug-211314-patch-8.diff * bug-211314-patch-9.diff * bug-211314-patch-10.diff * bug-211314-patch-11.diff * bug-211314_mesa-refcount-memleak-fixes.diff * Mesa-6.5.2-fix_radeon_cliprect.diff - remove__GLinterface.patch/ support_mesa6.5.3.patch * required Xserver changes for Mesa 6.5.3 - xorg-x11-server-1.2.99-unbreak-domain.patch: * This patch fixes some multi-domain systems such as Pegasos with xorg-server 1.3. Since pci-rework should get merged soon and this patch is a bit of a hack, it never got pushed upstream. (X.Org Bug #7248) - back to Mesa 6.5.2 (Bug #269155/269042) - Mesa update: 4th RC ready * This fixes some breakage in RC3. - Mesa update: 3rd release candidate * updated Windows/VC8 project files. - updated to Mesa 6.5.3rc2 sources * a number of bug fixes since the first RC - updated to Mesa 6.5.3rc1 sources - obsoletes the following patches: * bug-211314_mesa-destroy_buffers.diff * bug-211314_mesa-framebuffer-counting.diff * bug-211314-patch-1.diff * bug-211314-patch-2.diff * bug-211314-patch-3.diff * bug-211314-patch-4.diff * bug-211314-patch-5.diff * bug-211314-patch-6.diff * bug-211314-patch-7.diff * bug-211314-patch-8.diff * bug-211314-patch-9.diff * bug-211314-patch-10.diff * bug-211314-patch-11.diff * bug-211314_mesa-refcount-memleak-fixes.diff * Mesa-6.5.2-fix_radeon_cliprect.diff - GL-Mesa-6.5.3.diff: * adjusted GL subdir to Mesa 6.5.3rc1 - xserver 1.3.0.0 release * Syncmaster 226 monitor needs 60Hz refresh (#10545). * In AIGLX EnterVT processing, invoke driver EnterVT before resuming glx. * Disable CRTC when SetSingleMode has no matching mode. Update RandR as well. * Rotate screen size as needed from RandR 1.1 change requests. * Add quirk for Acer AL1706 monitor to force 60hz refresh. * RandR 1.2 spec says CRTC info contains screen-relative geometry * typo in built-in module log message * Use default screen monitor for one of the outputs. * Allow outputs to be explicitly enabled in config, overriding detect. * Was accidentally disabling rotation updates in mode set. * Disable SourceValidate in rotation to capture cursor. - Mesa-6.5.2-fix_radeon_cliprect.diff: * fixes X.Org Bug #9876 - bug-259290_trapfault.diff: * fixes crash caused by bug in XRender code (Bug #259290) - xserver 1.2.99.905 release: * CVE-2007-1003: XC-MISC Extension ProcXCMiscGetXIDList() Memory Corruption * X.Org Bug #10296: Fix timer rescheduling - obsoletes bug-243978_xcmisc.diff - xserver 1.2.99.904 release: * Don't erase current crtc for outputs on CloseScreen - bug-243978_xcmisc.diff: * mem corruption in ProcXCMiscGetXIDList (CVE-2007-1003, Bug #243978) - bug-211314_mesa-refcount-memleak-fixes.diff: * Fix for memleaks and refount bugs (Bug #211314) - p_default-module-path.diff: * only return /usr/%lib/xorg/modules in "-showDefaultModulePath" Xserver option (Bug #257360) - set Xserver version to 7.2.0 with configure option (Bugs #257360, #253702) - xserver 1.2.99.903 release: * Create driver-independent CRTC-based cursor layer. * Allow xf86_reload_cursors during server init. * Don't wedge when rotating more than one CRTC. * Correct ref counting of RRMode structures * Remove extra (and wrong) I2C ByteTimeout setting in DDC code. * Slow down DDC I2C bus using a RiseFallTime of 20us for old monitors. * Clean up Rotate state on server reset. * Clear allocated RandR screen private structure. * Clean up xf86CrtcRec and xf86OutputRec objects at CloseScreen. * Make sure RandR events are delivered from RRCrtcSet. * Fix Pending property API, adding RRPostPendingProperty. * Incorrect extra memory copy in RRChangeOutputProperty. * Ensure that crtc desired values track most recent mode. * Make pending properties force mode set. And, remove AttachScreen calls. * Set version to 1.2.99.903 (1.3 RC3) * fbdevhw: Consolidate modeset ioctl calling, report failure if it modifies mode. * fbdevhw: Fix some issues with the previous commit. * fbdevhw: Use displayWidth for fbdev virtual width when appropriate. * fbdevhw: Override RGB offsets and masks after setting initial mode. * fbdevhw: Consider mode set equal to mode requested if virtual width is larger. * fbdevhw: Only deal with RGB weight if default visual is True- or DirectColor. * Add per-drawable Xv colour key helper function. * Bump video driver ABI version to 1.2. - no longer apply bug-211314_mesa-context.diff, bug-211314_p_drawable_privclean.diff (Bug #211314, comment #114) - added different Mesa patches (Bug #211314, comments #114/#115) - Remove bug197190-ia64.diff, fix x86emu instead. - xserver 1.2.99.902 release: * Xprint: shorten font filename to fit in tar length limit * Move xf86SetSingleMode into X server from intel driver. * Add xf86SetDesiredModes to apply desired modes to crtcs. * Use EDID data to set screen physical size at server startup. * Allow relative positions to use output names or monitor identifiers. * Add xf86CrtcScreenInit to share initialization across drivers. * Add hw/xfree86/docs/README.modes, documenting new mode setting APIs. * Remove stale monitor data when output becomes disconnected. * Revert "Xprint includes a filename which is too long for tar." * Revert "Xext: Update device's lastx/lasty when sending a motion event with XTest." * Xext: Update device's lastx/lasty when sending a motion event with XTest. - xf86crtc_allowdual.diff no longer required; replaced by xrandr_12_newmode.diff in xrandr (xorg-x11 package) - bug197190-ia64.diff: * missing -DNO_LONG_LONG for IA64 (Bug #197190) - xf86crtc_allowdual.diff: * allows dualhead even when the second monitor is not yet connected during Xserver start - %post: replace "i810beta" with "intel" in existing xorg.conf - xserver 1.2.99.901 release: * RandR 1.2 * EXA damage track * minor fixes - use global permissions files for SUSE > 10.1 (Bug #246228) - improved bug-197858_dpms.diff to fix Xserver crash (Bug #197858) - bug-197858_dpms.diff: * finally fixed "X server wakes up on any ACPI event" issue (Bug #197858) - bug-211314_p_drawable_privclean.diff: * fixed for cleaning up pointers - fixed build - bug-211314_p_drawable_privclean.diff: * fixes Xserver crash in Mesa software rendering path (Bug #211314) - xserver 1.2.0 release * Bug #9219: Return BadMatch when trying to name the backing pixmap of an unrealized window. * Bug #9219: Use pWin->viewable instead of pWin->realized to catch InputOnly windows too. * Fix BSF and BSR instructions in the x86 emulator. * Bug #9555: Always define _GNU_SOURCE in glibc environments. * Bug #8991: Add glXGetDrawableAttributes dispatch; fix texture format therein. * Bump video and input ABI minors. * Fix release date. * Fix syntax error in configure check for SYSV_IPC that broke with Sun cc * Map missing keycodes for Sun Type 5 keyboard on Solaris SPARC * Update pci.ids to 2006-12-06 from pciids.sf.net * Xorg & Xserver man page updates for 1.2 release * xorg.conf man page should say "XFree86-DGA", not "Xorg-DGA" * Xserver man page: remove bc, add -wr * Update pci.ids to 2007-01-18 snapshot * Update Xserver man page to match commit ed33c7c98ad0c542e9e2dd6caa3f84879c21dd61 * Fix Tooltip from minimized clients * Fix Xming fails to use xkb bug * Fix bad commit * Set Int10Current->Tag for the linux native int10 module * added mipmap.c * configure.ac: prepare for 1.2.0 (X11R7.2) * sparc: don't include asm/kbio.h -- it no longer exists in current headers. * Minor typos in Xserver man page. * Fix several cases where optimized paths were hit when they shouldn't be. * Try dlsym(RTLD_DEFAULT) first when finding symbols. * Fix RENDER issues (bug #7555) and implement RENDER add/remove screen * For Xvfb, Xnest and Xprt, compile fbcmap.c with -DXFree86Server * Multiple integer overflows in dbe and render extensions * Require glproto >= 1.4.8 for GLX. * __glXDRIscreenProbe: Use drmOpen/CloseOnce. * xfree86/hurd: re-add missing keyboard support (bug #5613) * remove last remaning 'linux'isms (bug #5613) - obsoletes * Mesa-6.5.2.diff * xorg-server-1.1.99.901-GetDrawableAttributes.patch * int10-fix.diff * cve-2006-6101_6102_6103.diff - disabled build of VNC server/module - bug-211314_mesa-context.diff: * fixes Xserver crash in software rendering fallback (Bug #211314) - 0018-vnc-support.txt.diff * fixed unresolved symbols vncRandomBytes/deskey in VNC module (terminated Xserver when client connected) - bug227111-ddc_screensize.diff: * allow user overrides for monitor settings (Bug #227111) - loadmod-bug197195.diff: * check the complete path (Bug #197195) - added build of VNC support (0018-vnc-support.txt/ 0018-vnc-support.txt.diff); see 0018-vnc-support.txt.mbox for reference - cve-2006-6101_6102_6103.diff: * CVE-2006-6101 iDefense X.org ProcRenderAddGlyphs (Bug #225972) * CVE-2006-6102 iDefense X.org ProcDbeGetVisualInfo (Bug #225974) * CVE-2006-6103 iDefense X.org ProcDbeSwapBuffers (Bug #225975) - int10-fix.diff * Set Int10Current->Tag for the linux native int10 module (X.Org Bug #9296) * obsoletes p_initialize-pci-tag.diff - reverted latest change by schwab (Bug #197190, comment #67) - Fix off-by-one in pci multi-domain support [#229278]. - libdrm.diff: * no longer fail when some driver tries to load "drm" module - xorg-server-1.1.99.901-GetDrawableAttributes.patch: * hopefully fixes AIGLX issues (X.Org Bug #8991) - another 64bit warning fix - X.Org 7.2RC3 release * Add a -showDefaultModulePath option. * Add a -showDefaultLibPath option. * Add DIX_CFLAGS to util builds. * Fix release date, and tag 1.1.99.903 * make X server use system libdrm - this requires libdrm >= 2.3.0 * DRI: call drmSetServerInfo() before drmOpen(). * add extern to struct definition * fixup configure.ac problems with DRI_SOURCES and LBX_SOURCES * bump to 1.1.99.903 * remove CID support (bug #5553) * dri: setup libdrm hooks as early as possible. * Bug #8868: Remove drm from SUBDIRS now that the directory is gone. * Fix typo before the last commit. * Fix GL context destruction with AIGLX. * On DragonFLy, default to /dev/sysmouse (just like on FreeBSD). * ffs: handle 0 argument (bug #8968) * Bug #9023: Only check mice for "mouse" or "void" if identifier is != NULL. Fix potential NULL pointer access in timer code. - updated Mesa sources to 6.5.2 - xserver-timers.diff: * fix null pointer reference in timer code (Bug #223718) - p_pci-off-by-one.diff: * readded off by one fix, which has been dropped by accident (Bug #197190) - acpi_events.diff: * distinguish between general and input devices also for APM (Bug #197858) - removed /etc/X11/Xsession.d/92xprint-xpserverlist (Bug #220733) - mouse-fix.diff: * prevent driver from crashing when something different than "mouse" or "void" is specified; only check mice for "mouse" or "void" if identifier is != NULL. (X.Org Bug #9023) - X.Org 7.2RC2 release - adjusted p_enable-altrix.diff, p_pci-domain.diff - obsoletes p_pci-ia64.diff, xorg-xserver-ia64-int10.diff p_pci-legacy-mmap.diff - Changes in RC2 since RC1 Aaron Plattner: Fix standard VESA modes. Adam Jackson: Bug #6786: Use separate defines for server's Fixes support level. 'make dist' fixes. Fix distcheck. Include a forgotten ia64 header in the distball. Builds on ia64 now. configure.ac bump. Alan Coopersmith: Make sure xorgcfg files are included even when dist made with --disable-xorgcfg Use getisax() instead of asm code to determine available x86 ISA extensions on Solaris Pre-release message should tell users to check git, not CVS, for updates Fix automake error: BUILT_SOURCES was defined multiple times on Solaris Bug #1997: AUDIT messages should contain uid for local accesses If getpeerucred() is available, include pid & zoneid in audit messages too Make _POSIX_C_SOURCE hack work with Solaris headers Alan Hourihane: Small modification to blocking signals when switching modes. Bjorn Helgaas: Do not map full 0-1MB legacy range Bram Verweij: xfree86/linux acpi: fix tokenising Daniel Stone: GetTimeInMillis: spuport monotonic clock WaitForSomething: allow time to rewind Revert "WaitForSomething: allow time to rewind" Revert "GetTimeInMillis: spuport monotonic clock" add 'general socket' handler, port ACPI to use it WaitForSomething: allow time to rewind WaitForSomething: only rewind when delta is more than 250ms GetTimeInMillis: spuport monotonic clock GetTimeInMillis: simplify monotonic test GetTimeInMillis: use correct units for clock_gettime os: fix sun extensions test Eamon Walsh: Bug #8875: Security extension causes Xorg to core dump on server reset whitespace adjust More work on Bug #8875: revert previous fix and try using client argument Bug #8937: Extension setup functions not called on server resets Egbert Eich: Fixing mach64 driver bailing out on ia64 Make int10 fully domain aware. Erik Andren: remove XFree86 changelogs (bug #7262) Joshua Baergen: Create xorg.conf.example (Gentoo bug #138623). Laurence Withers: CreateColormap: fix return value (bug #7083) Matthias Hopf: Build with -D_PC on ix86 only. Added missing domain stripping in already domain aware code. Added linux 2.6 compatible domain aware device scanning code. Fixing domain support for ia64 Add domain support to linuxPciOpenFile(). Fix device path in altixPCI.c to be domain aware. Fix obviously wrong boundary checks + cleanup unused vars. Matthieu Herrb: kill GNU-make'ism. Handle building in a separate objdir Michel Dänzer: Fix __glXDRIbindTexImage() for 32 bpp on big endian platforms. Fix test for Option "IgnoreABI". Myron Stowe: xfree86: re-enable chipset-specific drivers for Linux/ia64 Rich Coe: CheckConnections: don't close down the server client (bug #7876) - p_ppc_domain_workaround.diff: * ugly workaround for still missing domain support on ppc (Bug #202133) - updated to snapshot of xserver-1.2-branch (soon to be released as X.Org 7.2RC2) * Make sure xorgcfg files are included even when dist made with --disable-xorgcfg * Small modification to blocking signals when switching modes. * Use getisax() instead of asm code to determine available x86 ISA extensions on Solaris * Pre-release message should tell users to check git, not CVS, for updates * Fix __glXDRIbindTexImage() for 32 bpp on big endian platforms. * Create xorg.conf.example (Gentoo bug #138623). * Fix test for Option "IgnoreABI". This option has plenty of potential for wasting the time of bug triagers without pretending it's always on. * kill GNU-make'ism. * Handle building in a separate objdir * Fix automake error: BUILT_SOURCES was defined multiple times on Solaris * Bug #1997: AUDIT messages should contain uid for local accesses * If getpeerucred() is available, include pid & zoneid in audit messages too - added /etc/modprobe.d/nvidia - xorg-xserver-ia64-int10.diff: * build int10 module with _PC only on %ix86 (Bug #197190) - added build of Xephyr; useful for debugging KDE apps (coolo) - cfb8-undefined.diff: * fixes warning for undefined behaviour - Own /etc/X11/Xsession.d directory. - Use /etc/X11/Xsession.d. - updated to X.Org 7.2RC1 - only disable AIGLX by default on SUSE <= 10.1 (Bug #197093) - no longer fake release version for fglrx driver (Bug #198125) - glx-align.patch: * reenabled -D__GLX_ALIGN64 on affected plaforms (X.Org Bug #8392) - Fixes to p_pci-domain.diff (Bug #197572) * internal domain number of by one (was supposed to be a cleanup, but other code dependet on this semantics) * fixed another long-standing of-by-1 error - p_enable-altrix.diff (Bug #197572) * This additional patch enables the build of the altrix detection routines, which have apparently not been included in Xorg 7.1 yet. This patch needs a autoreconf -fi after application. - updated to Mesa 6.5.1 - disable-fbblt-opt.diff: * Disable optimization (introduced by ajax) due to a general vesa driver crash later in memcpy (Bug #204324) - removed two source files with imcompatible license from Mesa tarball (Bug #204110) - added a check to specfile to make sure that these will not be reintroduced with the next Mesa update again (Bug #204110) - moved xf86Parser.h,xf86Optrec.h back to /usr/include/xorg, since SaX2 build issues have finally been resolved by making use of "-iquote /usr/include/xorg -I." - disable-root-xorg_conf.diff: * no longer consider to read /root/xorg.conf - only require xorg-x11-fonts-core ('fixed' + 'cursor' fonts) - fake release version for fglrx driver again, since using IgnoreABI does not help (the check for the ABI version is in the binary-only fglrx driver) - added Requires: xorg-x11-driver-{input,video} (Bug #202080) - ignore-abi.diff: * adds IgnoreABI option for xorg.conf (same as -ignoreABI) - remove .la files - no longer fake release version for fglrx driver; use the new IgnoreABI option instead! - PCI/IA64 Patches (Bug #197572): * apply new p_pci-domain.diff (mhopf) * apply new p_pci-ce-x.diff (mhopf) - PCI/IA64 Patches (Bug #197572): * removed p_mappciBIOS_complete.diff (already applied upstream) * apply p_pci-ia64.diff * apply p_pci-legacy-mmap.diff only for IA64 (as before) * disabled for now: - p_pci-domain.diff: still issues with it - p_pci-ce-x.diff: sits on top of p_pci-domain.diff - added PCI/IA64 patches, but disabled them for now (Bug #197572) - remove comp. symlinks in /usr/X11R6/bin for openSUSE >= 10.2 - fixed build for s390/s390x, e.g. use configure options --disable-install-libxf86config --disable-aiglx --disable-dri --disable-xorg - changed os-name to "openSUSE" instead of "Linux" before - fake release version for fglrx driver :-( - xinerama-sig11.diff: * prevents Xserver Sig11 with broken Xinerama config (Bug #135002) - moved /usr/%_lib/pkgconfig/xorg-server.pc to xorg-x11-server - added pkgconfig to Requires of xorg-x11-server - disable-aiglx.diff: * disabled AIGLX by default (related to Bug #197093); enable it with 'Option "AIGLX" "true"' in ServerFlags section of xorg.conf - enabled build of aiglx - patch font path also in xorg.conf when set to /usr/lib/X11/fonts/ or /usr/X11/lib/X11/fonts - patch xorg.conf in %post: * radeonold/radeon10b driver --> radeon driver - added "Requires: xorg-x11-fonts" to prevent issues like "could not open default font 'fixed'" for any Xserver - make sure that symlinks /usr/bin/X --> /var/X11R6/bin/X /var/X11R6/bin/X --> /usr/bin/Xorg are packaged. - p_xorg_acpi.diff: * fixed for archs which don't have HAVE_ACPI defined, e.g. ppc - p_xf86Mode.diff: * removes wrong warning (Bug #139510) - p_xorg_acpi.diff: * reconnect to acpid when acpid has been killed (Bug #148384) - p_xkills_wrong_client.diff: * This patch has unveiled two other problems. One is rather serious as there seems to be a non-zero possibility that the Xserver closes the wrong connection and this closes the wrong client when it looks for stale sockets of clients that have disappeared (eich, Bug #150869) - p_bug159532.diff: * X Clients can intentionally or unintenionally crash X11 by using composite on depth 4 pixmaps. This patch fixes this. (Bug #159532) - p_xnest-ignore-getimage-errors.diff: * ignores the X error on GetImage in Xnest (Bug #174228, X.Org Bug #4411) - p_initialize-pci-tag.diff: * initialize PCI tag correctly, which is used by an IA64 specific patch (see Bug #147261 for details); fixes Xserver crashes with fglrx driver - and possibly other drivers like vesa - during initial startup (!), VT switch and startup of second Xserver (SLED10 Blocker Bugs #180535, #170991, #158806) - p_ia64-console.diff: * fixes MCA after start of second Xserver (Bug #177011) - p_mouse_misc.diff: * fix X server crashes with synaptics driver (Bug #61702) - pu_fixes.diff * Fixes not yet in the official version - p_bug96328.diff: * fallback mouse device checking - p_vga-crashfix.diff: * fixes vga driver crash (#133989) - p_xorg_rom_read.diff * read rom in big chunks instead of byte-at-a-time (Bug #140811) - ps_showopts.diff * Xserver "-showopts" option to print available driver options (Bug #137374) - add /var/X11R6/bin directory for now (Bug #197188) - fix setup line - fixed fatal compiler warnings - always (and only) patch xorg.conf if necessary - update to xorg-server release 1.1.99.3 - use "-fno-strict-aliasing" - use $RPM_OPT_FLAGS - remove existing /usr/include/X11 symlink in %pre - install xf86Parser.h,xf86Optrec.h to /usr/include instead of /usr/include/xorg, so it is no longer necessary to specify "-I/usr/include/xorg" which resulted in including a wrong "shadow.h" (by X.Org) when building SaX2 (strange build error) - added permissions files - add compatibility symlink /usr/X11R6/bin/Xorg - p_ValidatePci.diff: * no longer call ValidatePci() to fix i810 driver issues (Bug #191987) - fixed build - bfo-bug15222.diff (bfo #15222, bnc #374318) * CVE-2008-2360 - RENDER Extension heap buffer overflow * CVE-2008-2361 - RENDER Extension crash * CVE-2008-2362 - RENDER Extension memory corruption * CVE-2008-1379 - MIT-SHM arbitrary memory read * CVE-2008-1377 - RECORD and Security extensions memory corruption - xserver-mode-fuzzy-check.diff * Make mode checking more tolerant like in pre-RandR times. - fix-dpi-values.diff * fixes DPI values for RANDR 1.2 capable drivers (bnc #393001) - mention ZapWarning also in Xorg manual page (bnc #391352) - xorg-server-1.4-vnc-render_sig11.diff * fixed sig11 in RENDER code (bnc #385677) - disabled patch to disable RENDER support in Xvnc, since it broke 24bit color depth support (bnc #390011) - xorg-server-1.4-vnc-disable_render.diff * disabled RENDER support in Xvnc (bnc #385677) - events.diff * eating up key events before going into the idle loop upon vt switch instead of after return (bnc #152522) - xkb_action.diff * fixed remaining unitialized warning in X.Org (bnc #83910) - fbdevhw.diff * screen blanking not supported by vesafb of Linux kernel (bnc #146462) - no longer disable AIGLX by default - XAANoOffscreenPixmaps.diff * disable Offscreen Pixmaps by default (bnc #376068) - Fix another o-b-1 in pci domain support. - randr1_1-sig11.diff * fixes Xserver crash when running xrandr on a different virtual terminal (Egbert Eich, bnc #223459) - commit-37b1258.diff * possibly fixes unwanted autorepeat (bnc #377612, bfo #14811) - bitmap_always_unscaled.diff * Default bitmap fonts should typically be set as unscaled (libv) - update to Mesa bugfix release 7.0.3 (final) sources - update to Mesa bugfix release 7.0.3 RC3 sources - confine_to_shape.diff * fixes XGrabPointer's confine_to with shaped windows (bnc #62146) - zap_warning_xserver.diff * implements FATE #302988: ZapWarning (Luc Verhaegen) Uses PCSpeaker for beep. Press once, beep. Press again within 2s (which is ample), terminate. Documented in xorg.conf manpage. - make the memory corruption fix by schwab a seperate patch to make sure it won't get lost the next time I update the VNC patch - Fix vnc server memory corruption. - commit-a6a7fad.diff * Don't break grab and focus state for a window when redirecting it. (bnc #336219, bfo #488264) - update to Mesa bugfix release 7.0.3 RC2 sources * Fixed GLX indirect vertex array rendering bug (14197) * Fixed crash when deleting framebuffer objects (bugs 13507, 14293) * User-defined clip planes enabled for R300 (bug 9871) * Fixed glBindTexture() crash upon bad target (bug 14514) * Fixed potential crash in glDrawPixels(GL_DEPTH_COMPONENT) (bug 13915) * Bad strings given to glProgramStringARB() didn't generate GL_INVALID_OPERATION * Fixed minor point rasterization regression (bug 11016) - added Requires:xkeyboard-config to xorg-x11-server - commit-50e80c3.diff: * never overwrite realInputProc with enqueueInputProc (bnc#357989, bfo#13511) - only switch to radeon driver in %post if radeonold driver is no longer available (Bug #355009) - some more cleanup in %post - Move manpage to the sub package that provides the binary. - update to Mesa bugfix release 7.0.3 RC1 sources * Added missing glw.pc.in file to release tarball * Fix GLUT/Fortran issues * GLSL gl_FrontLightModelProduct.sceneColor variable wasn't defined * Fix crash upon GLSL variable array indexes (not yet supported) * Two-sided stencil test didn't work in software rendering * Fix two-sided lighting bugs/crashes (bug 13368) * GLSL gl_FrontFacing didn't work properly * glGetActiveUniform returned incorrect sizes (bug 13751) * Fix several bugs relating to uniforms and attributes in GLSL API (Bruce Merry, bug 13753) * glTexImage3D(GL_PROXY_TEXTURE_3D) mis-set teximage depth field - updated patch for CVE-2007-6429 once more (X.Org Bug #13520) * Always test for size+offset wrapping. - updated patch for CVE-2007-6429 (Bug #345131) * Don't spuriously reject <8bpp shm pixmaps. Move size validation after depth validation, and only validate size if the bpp of the pixmap format is > 8. If bpp < 8 then we're already protected from overflow by the width and height checks. - X.Org security update * CVE-2007-5760 - XFree86 Misc extension out of bounds array index * CVE-2007-6427 - Xinput extension memory corruption. * CVE-2007-6428 - TOG-cup extension memory corruption. * CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows. * CVE-2008-0006 - PCF Font parser buffer overflow. - xorg-server 1.4.0.90 (prerelease of 1.4.1) - pixman.diff * fixed include path for pixman.h - remove_bogus_modeline.diff * remove bogus monitor modelines provided by DDC (Bug #335540) - commit-184e571.diff * Adjust offsets of modes that do not fit virtual screen size. - commit-c6c284e.diff * Initialize Mode with 0 in xf86RandRModeConvert. - commit-f6401f9.diff * Don't segfault if referring to a relative output where no modes survived. - commit-f7dd0c7.diff * Only clear crtc of output if it is the one we're actually working on. - commit-fa19e84.diff * Fix initial placement of LeftOf and Above. - pixman.diff no longer required - s390(x): allow mfb build without Xorg server being built - commit-29e0e18.diff * Make config file preferred mode override monitor preferred mode. - commit-feac075.diff * Leave hardware-specified preferred modes alone when user preference exists. - obsoletes preferred_mode-fix.diff - added xorg-x11-fonts-core/xorg-x11 to Requires (Bug #341312) - ia64linuxPciInit: allocate extra space for fake devices. - updated to Mesa 7.0.2 (final) sources - updated to Mesa 7.0.2 RC1 sources - xorg-server-1.4-vnc-64bit.diff * fixes segfault on 64bit during Xserver start; make sure to define _XSERVER64 by having HAVE_DIX_CONFIG_H defined and therefore including dix-config.h, so Atom is CARD32 instead of unsigned long before and no longer messes up the pInfo structure in xf86rfbMouseInit/xf86rfbKeybInit - finally enabled build of xf4vnc (standalone Xvnc and VNC Xserver module) - updated xf4vnc patch; still disabled due to problematic vnc module - preferred_mode-fix.diff * more reasonable patch (Bug #329724) - preferred_mode-fix.diff * fixed endless loop if PreferredMode is set (Bug #329724) - removed obsolete patch p_pci-domain.diff (Bug #308693, comment #26) - apply p_pci-off-by-one.diff.ia64 on all platforms since it clearly only affects platforms, where INCLUDE_XF86_NO_DOMAIN is *not* set; this still not explains why we have seen Xserver hangups with the patch in place on at least some %ix86/x86_64 machines with fglrx/ nvidia driver IIRC; it needs to verified if this problem is still reproducable ... (Bug #308693, comment #25) - xserver-1.3.0-xkb-and-loathing.patch * Ignore (not just block) SIGALRM around calls to Popen()/Pclose(). Fixes a hang in openoffice when opening menus. (Bug #245711) - added missing ia64Pci.h; required for IA64 - recreated p_pci-off-by-one.diff.ia64; the default fuzz factor of patch (2) resulted in a hunk applied to the wrong function and therefore broke the build :-( - xorg-server 1.4 * Welcome to X.Org X Server 1.4, now with hotplugging input to go with the hotplugging output. Also included in this release are many performance and correctness fixes to the EXA acceleration architecture, support for DTrace profiling of the X Server, accelerated GLX_EXT_texture_from_pixmap with supporting DRI drivers, and many improvements to the RandR 1.2 support that was added in xorg-server-1.3. The X Server now relies on the pixman library, which replaces the fb/fbcompose.c and accelerated implementations that were previously shared through code-duplication with the cairo project. * obsolete patches: - bug-259290_trapfault.diff - cfb8-undefined.diff - commit-c09e68c - i810_dri_fix_freeze.diff - p_bug159532.diff - p_enable-altrix.diff - p_pci-ce-x.diff - p_pci-off-by-one.diff - p_xorg_rom_read.diff - randr12-2926cf1da7e4ed63573bfaecdd7e19beb3057d9b.diff - randr12-5b424b562eee863b11571de4cd0019cd9bc5b379.diff - randr12-aec0d06469a2fa7440fdd5ee03dc256a68704e77.diff - randr12-b2dcfbca2441ca8c561f86a78a76ab59ecbb40e4.diff - randr12-b4193a2eee80895c5641e77488df0e72a73a3d99.diff - remove__GLinterface.patch - support_mesa6.5.3.patch - use-composite-for-unequal-depths.patch - x86emu.diff - xephyr-sig11-fix.diff * adjusted patches: - 64bit.diff - bug-197858_dpms.diff - bug227111-ddc_screensize.diff - disable-root-xorg_conf.diff - fpic.diff - glx-align.patch - libdrm.diff - p_bug96328.diff - p_ia64-console.diff - p_vga-crashfix.diff - xephyr.diff - pixman.diff: * search for pixman instead of pixman-1 - bumped version to 7.3 - remove wrongly prebuilt xf1bpp files after extracting tarball; fixes vga module loading (Bug #328201) - do not use "make -j" to (quick)fix xf1bpp build - do not apply p_pci-domain.diff on IA64 - use updated off-by-one patch by schwab for IA64 - edit_data_sanity_check.diff: * added sanity check for monitor EDID data (Bug #326454) - reverted changes by schwab on Fri Sep 7; these resulted i a black screen during Xserver start with any driver on non-IA64 platforms - use-composite-for-unequal-depths.patch: * Use Composite when depths don't match (Bug #309107, X.Org Bug [#7447]) - Update off-by-one patch. - Remove empty patch. - fbdevhw.diff: * ignore pixclock set to 0 by Xen kernel (Bug #285523) - added several RANDR 1.2 fixes (Bug #306699) * randr12-2926cf1da7e4ed63573bfaecdd7e19beb3057d9b.diff Allocate the right number of entries for saving crtcs * randr12-5b424b562eee863b11571de4cd0019cd9bc5b379.diff Set the crtc before the output change is notified. Set the new randr crtc of the output before the output change notification is delivered to the clients. Remove RROutputSetCrtc as it is not really necessary. All we have to do is set the output's crtc on RRCrtcNotify * randr12-8d230319040f0a7f72231da2bf5ec97dc3612e21.diff Fix the output->crtc initialization in the old randr setup * randr12-aec0d06469a2fa7440fdd5ee03dc256a68704e77.diff Fix a crash when rotating the screen. Remember output->crtc before setting a NULL mode because RRCrtcNotify now sets output->crtc to NULL. Use the saved crtc to set the new mode. * randr12-b2dcfbca2441ca8c561f86a78a76ab59ecbb40e4.diff RRScanOldConfig cannot use RRFirstOutput before output is configured. RRFirstOutput returns the first active output, which won't be set until after RRScanOldConfig is finished running. Instead, just use the first output (which is the only output present with an old driver, after all). * randr12-b4193a2eee80895c5641e77488df0e72a73a3d99.diff RRScanOldConfig wasn't getting crtcs set correctly. The output crtc is set by RRCrtcNotify, which is called at the end of RRScanOldConfig. Several uses of output->crtc in this function were wrong. - i810_dri_fix_freeze.diff: * fixes freeze after pressing Ctrl-Alt-BS (X.Org Bug #10809) - xserver-mode-fuzzy-check.diff: * Fix for Xserver being more fuzzy about mode validation (Bug #270846) - disable AIGLX by default; without enabled Composite extension (still problematic on many drivers) it's rather useless anyway - updated xorg.conf manual page - fix fileconflict over doc/MAINTAINERS - build parallel - updated Mesa source to bugfix release 7.0.1 - xephyr-sig11-fix.diff: * long vs. CARD32 mismatch in KeySym definitions between client and server code - this patch seems to fix it (and the input rework in head fixed it as well in a different way) (Bug #235320) - fixed build on s390(x) - added X(7) and security(7) manual pages - updated Mesa source to final release 7.0 - updated Mesa source to release 7.0 RC1 * Mesa 7.0 is a stable, follow-on release to Mesa 6.5.3. The only difference is bug fixes. The major version number bump is due to OpenGL 2.1 API support. - simplified p_default-module-path.diff - disabled build of Xprt - moved Xdmx, Xephyr, Xnest and Xvfb to new subpackage xorg-x11-server-extra - commit-c09e68c: * Paper over a crash at exit during GLX teardown - updated to Mesa 6.5.3 sources - obsoletes the following patches: * bug-211314_mesa-destroy_buffers.diff * bug-211314_mesa-framebuffer-counting.diff * bug-211314-patch-1.diff * bug-211314-patch-2.diff * bug-211314-patch-3.diff * bug-211314-patch-4.diff * bug-211314-patch-5.diff * bug-211314-patch-6.diff * bug-211314-patch-7.diff * bug-211314-patch-8.diff * bug-211314-patch-9.diff * bug-211314-patch-10.diff * bug-211314-patch-11.diff * bug-211314_mesa-refcount-memleak-fixes.diff * Mesa-6.5.2-fix_radeon_cliprect.diff - remove__GLinterface.patch/ support_mesa6.5.3.patch * required Xserver changes for Mesa 6.5.3 - xorg-x11-server-1.2.99-unbreak-domain.patch: * This patch fixes some multi-domain systems such as Pegasos with xorg-server 1.3. Since pci-rework should get merged soon and this patch is a bit of a hack, it never got pushed upstream. (X.Org Bug #7248) - back to Mesa 6.5.2 (Bug #269155/269042) - Mesa update: 4th RC ready * This fixes some breakage in RC3. - Mesa update: 3rd release candidate * updated Windows/VC8 project files. - updated to Mesa 6.5.3rc2 sources * a number of bug fixes since the first RC - updated to Mesa 6.5.3rc1 sources - obsoletes the following patches: * bug-211314_mesa-destroy_buffers.diff * bug-211314_mesa-framebuffer-counting.diff * bug-211314-patch-1.diff * bug-211314-patch-2.diff * bug-211314-patch-3.diff * bug-211314-patch-4.diff * bug-211314-patch-5.diff * bug-211314-patch-6.diff * bug-211314-patch-7.diff * bug-211314-patch-8.diff * bug-211314-patch-9.diff * bug-211314-patch-10.diff * bug-211314-patch-11.diff * bug-211314_mesa-refcount-memleak-fixes.diff * Mesa-6.5.2-fix_radeon_cliprect.diff - GL-Mesa-6.5.3.diff: * adjusted GL subdir to Mesa 6.5.3rc1 - xserver 1.3.0.0 release * Syncmaster 226 monitor needs 60Hz refresh (#10545). * In AIGLX EnterVT processing, invoke driver EnterVT before resuming glx. * Disable CRTC when SetSingleMode has no matching mode. Update RandR as well. * Rotate screen size as needed from RandR 1.1 change requests. * Add quirk for Acer AL1706 monitor to force 60hz refresh. * RandR 1.2 spec says CRTC info contains screen-relative geometry * typo in built-in module log message * Use default screen monitor for one of the outputs. * Allow outputs to be explicitly enabled in config, overriding detect. * Was accidentally disabling rotation updates in mode set. * Disable SourceValidate in rotation to capture cursor. - Mesa-6.5.2-fix_radeon_cliprect.diff: * fixes X.Org Bug #9876 - bug-259290_trapfault.diff: * fixes crash caused by bug in XRender code (Bug #259290) - xserver 1.2.99.905 release: * CVE-2007-1003: XC-MISC Extension ProcXCMiscGetXIDList() Memory Corruption * X.Org Bug #10296: Fix timer rescheduling - obsoletes bug-243978_xcmisc.diff - xserver 1.2.99.904 release: * Don't erase current crtc for outputs on CloseScreen - bug-243978_xcmisc.diff: * mem corruption in ProcXCMiscGetXIDList (CVE-2007-1003, Bug #243978) - bug-211314_mesa-refcount-memleak-fixes.diff: * Fix for memleaks and refount bugs (Bug #211314) - p_default-module-path.diff: * only return /usr/%lib/xorg/modules in "-showDefaultModulePath" Xserver option (Bug #257360) - set Xserver version to 7.2.0 with configure option (Bugs #257360, #253702) - xserver 1.2.99.903 release: * Create driver-independent CRTC-based cursor layer. * Allow xf86_reload_cursors during server init. * Don't wedge when rotating more than one CRTC. * Correct ref counting of RRMode structures * Remove extra (and wrong) I2C ByteTimeout setting in DDC code. * Slow down DDC I2C bus using a RiseFallTime of 20us for old monitors. * Clean up Rotate state on server reset. * Clear allocated RandR screen private structure. * Clean up xf86CrtcRec and xf86OutputRec objects at CloseScreen. * Make sure RandR events are delivered from RRCrtcSet. * Fix Pending property API, adding RRPostPendingProperty. * Incorrect extra memory copy in RRChangeOutputProperty. * Ensure that crtc desired values track most recent mode. * Make pending properties force mode set. And, remove AttachScreen calls. * Set version to 1.2.99.903 (1.3 RC3) * fbdevhw: Consolidate modeset ioctl calling, report failure if it modifies mode. * fbdevhw: Fix some issues with the previous commit. * fbdevhw: Use displayWidth for fbdev virtual width when appropriate. * fbdevhw: Override RGB offsets and masks after setting initial mode. * fbdevhw: Consider mode set equal to mode requested if virtual width is larger. * fbdevhw: Only deal with RGB weight if default visual is True- or DirectColor. * Add per-drawable Xv colour key helper function. * Bump video driver ABI version to 1.2. - no longer apply bug-211314_mesa-context.diff, bug-211314_p_drawable_privclean.diff (Bug #211314, comment #114) - added different Mesa patches (Bug #211314, comments #114/#115) - Remove bug197190-ia64.diff, fix x86emu instead. - xserver 1.2.99.902 release: * Xprint: shorten font filename to fit in tar length limit * Move xf86SetSingleMode into X server from intel driver. * Add xf86SetDesiredModes to apply desired modes to crtcs. * Use EDID data to set screen physical size at server startup. * Allow relative positions to use output names or monitor identifiers. * Add xf86CrtcScreenInit to share initialization across drivers. * Add hw/xfree86/docs/README.modes, documenting new mode setting APIs. * Remove stale monitor data when output becomes disconnected. * Revert "Xprint includes a filename which is too long for tar." * Revert "Xext: Update device's lastx/lasty when sending a motion event with XTest." * Xext: Update device's lastx/lasty when sending a motion event with XTest. - xf86crtc_allowdual.diff no longer required; replaced by xrandr_12_newmode.diff in xrandr (xorg-x11 package) - bug197190-ia64.diff: * missing -DNO_LONG_LONG for IA64 (Bug #197190) - xf86crtc_allowdual.diff: * allows dualhead even when the second monitor is not yet connected during Xserver start - %post: replace "i810beta" with "intel" in existing xorg.conf - xserver 1.2.99.901 release: * RandR 1.2 * EXA damage track * minor fixes - use global permissions files for SUSE > 10.1 (Bug #246228) - improved bug-197858_dpms.diff to fix Xserver crash (Bug #197858) - bug-197858_dpms.diff: * finally fixed "X server wakes up on any ACPI event" issue (Bug #197858) - bug-211314_p_drawable_privclean.diff: * fixed for cleaning up pointers - fixed build - bug-211314_p_drawable_privclean.diff: * fixes Xserver crash in Mesa software rendering path (Bug #211314) - xserver 1.2.0 release * Bug #9219: Return BadMatch when trying to name the backing pixmap of an unrealized window. * Bug #9219: Use pWin->viewable instead of pWin->realized to catch InputOnly windows too. * Fix BSF and BSR instructions in the x86 emulator. * Bug #9555: Always define _GNU_SOURCE in glibc environments. * Bug #8991: Add glXGetDrawableAttributes dispatch; fix texture format therein. * Bump video and input ABI minors. * Fix release date. * Fix syntax error in configure check for SYSV_IPC that broke with Sun cc * Map missing keycodes for Sun Type 5 keyboard on Solaris SPARC * Update pci.ids to 2006-12-06 from pciids.sf.net * Xorg & Xserver man page updates for 1.2 release * xorg.conf man page should say "XFree86-DGA", not "Xorg-DGA" * Xserver man page: remove bc, add -wr * Update pci.ids to 2007-01-18 snapshot * Update Xserver man page to match commit ed33c7c98ad0c542e9e2dd6caa3f84879c21dd61 * Fix Tooltip from minimized clients * Fix Xming fails to use xkb bug * Fix bad commit * Set Int10Current->Tag for the linux native int10 module * added mipmap.c * configure.ac: prepare for 1.2.0 (X11R7.2) * sparc: don't include asm/kbio.h -- it no longer exists in current headers. * Minor typos in Xserver man page. * Fix several cases where optimized paths were hit when they shouldn't be. * Try dlsym(RTLD_DEFAULT) first when finding symbols. * Fix RENDER issues (bug #7555) and implement RENDER add/remove screen * For Xvfb, Xnest and Xprt, compile fbcmap.c with -DXFree86Server * Multiple integer overflows in dbe and render extensions * Require glproto >= 1.4.8 for GLX. * __glXDRIscreenProbe: Use drmOpen/CloseOnce. * xfree86/hurd: re-add missing keyboard support (bug #5613) * remove last remaning 'linux'isms (bug #5613) - obsoletes * Mesa-6.5.2.diff * xorg-server-1.1.99.901-GetDrawableAttributes.patch * int10-fix.diff * cve-2006-6101_6102_6103.diff - disabled build of VNC server/module - bug-211314_mesa-context.diff: * fixes Xserver crash in software rendering fallback (Bug #211314) - 0018-vnc-support.txt.diff * fixed unresolved symbols vncRandomBytes/deskey in VNC module (terminated Xserver when client connected) - bug227111-ddc_screensize.diff: * allow user overrides for monitor settings (Bug #227111) - loadmod-bug197195.diff: * check the complete path (Bug #197195) - added build of VNC support (0018-vnc-support.txt/ 0018-vnc-support.txt.diff); see 0018-vnc-support.txt.mbox for reference - cve-2006-6101_6102_6103.diff: * CVE-2006-6101 iDefense X.org ProcRenderAddGlyphs (Bug #225972) * CVE-2006-6102 iDefense X.org ProcDbeGetVisualInfo (Bug #225974) * CVE-2006-6103 iDefense X.org ProcDbeSwapBuffers (Bug #225975) - int10-fix.diff * Set Int10Current->Tag for the linux native int10 module (X.Org Bug #9296) * obsoletes p_initialize-pci-tag.diff - reverted latest change by schwab (Bug #197190, comment #67) - Fix off-by-one in pci multi-domain support [#229278]. - libdrm.diff: * no longer fail when some driver tries to load "drm" module - xorg-server-1.1.99.901-GetDrawableAttributes.patch: * hopefully fixes AIGLX issues (X.Org Bug #8991) - another 64bit warning fix - X.Org 7.2RC3 release * Add a -showDefaultModulePath option. * Add a -showDefaultLibPath option. * Add DIX_CFLAGS to util builds. * Fix release date, and tag 1.1.99.903 * make X server use system libdrm - this requires libdrm >= 2.3.0 * DRI: call drmSetServerInfo() before drmOpen(). * add extern to struct definition * fixup configure.ac problems with DRI_SOURCES and LBX_SOURCES * bump to 1.1.99.903 * remove CID support (bug #5553) * dri: setup libdrm hooks as early as possible. * Bug #8868: Remove drm from SUBDIRS now that the directory is gone. * Fix typo before the last commit. * Fix GL context destruction with AIGLX. * On DragonFLy, default to /dev/sysmouse (just like on FreeBSD). * ffs: handle 0 argument (bug #8968) * Bug #9023: Only check mice for "mouse" or "void" if identifier is != NULL. Fix potential NULL pointer access in timer code. - updated Mesa sources to 6.5.2 - xserver-timers.diff: * fix null pointer reference in timer code (Bug #223718) - p_pci-off-by-one.diff: * readded off by one fix, which has been dropped by accident (Bug #197190) - acpi_events.diff: * distinguish between general and input devices also for APM (Bug #197858) - removed /etc/X11/Xsession.d/92xprint-xpserverlist (Bug #220733) - mouse-fix.diff: * prevent driver from crashing when something different than "mouse" or "void" is specified; only check mice for "mouse" or "void" if identifier is != NULL. (X.Org Bug #9023) - X.Org 7.2RC2 release - adjusted p_enable-altrix.diff, p_pci-domain.diff - obsoletes p_pci-ia64.diff, xorg-xserver-ia64-int10.diff p_pci-legacy-mmap.diff - Changes in RC2 since RC1 Aaron Plattner: Fix standard VESA modes. Adam Jackson: Bug #6786: Use separate defines for server's Fixes support level. 'make dist' fixes. Fix distcheck. Include a forgotten ia64 header in the distball. Builds on ia64 now. configure.ac bump. Alan Coopersmith: Make sure xorgcfg files are included even when dist made with --disable-xorgcfg Use getisax() instead of asm code to determine available x86 ISA extensions on Solaris Pre-release message should tell users to check git, not CVS, for updates Fix automake error: BUILT_SOURCES was defined multiple times on Solaris Bug #1997: AUDIT messages should contain uid for local accesses If getpeerucred() is available, include pid & zoneid in audit messages too Make _POSIX_C_SOURCE hack work with Solaris headers Alan Hourihane: Small modification to blocking signals when switching modes. Bjorn Helgaas: Do not map full 0-1MB legacy range Bram Verweij: xfree86/linux acpi: fix tokenising Daniel Stone: GetTimeInMillis: spuport monotonic clock WaitForSomething: allow time to rewind Revert "WaitForSomething: allow time to rewind" Revert "GetTimeInMillis: spuport monotonic clock" add 'general socket' handler, port ACPI to use it WaitForSomething: allow time to rewind WaitForSomething: only rewind when delta is more than 250ms GetTimeInMillis: spuport monotonic clock GetTimeInMillis: simplify monotonic test GetTimeInMillis: use correct units for clock_gettime os: fix sun extensions test Eamon Walsh: Bug #8875: Security extension causes Xorg to core dump on server reset whitespace adjust More work on Bug #8875: revert previous fix and try using client argument Bug #8937: Extension setup functions not called on server resets Egbert Eich: Fixing mach64 driver bailing out on ia64 Make int10 fully domain aware. Erik Andren: remove XFree86 changelogs (bug #7262) Joshua Baergen: Create xorg.conf.example (Gentoo bug #138623). Laurence Withers: CreateColormap: fix return value (bug #7083) Matthias Hopf: Build with -D_PC on ix86 only. Added missing domain stripping in already domain aware code. Added linux 2.6 compatible domain aware device scanning code. Fixing domain support for ia64 Add domain support to linuxPciOpenFile(). Fix device path in altixPCI.c to be domain aware. Fix obviously wrong boundary checks + cleanup unused vars. Matthieu Herrb: kill GNU-make'ism. Handle building in a separate objdir Michel Dänzer: Fix __glXDRIbindTexImage() for 32 bpp on big endian platforms. Fix test for Option "IgnoreABI". Myron Stowe: xfree86: re-enable chipset-specific drivers for Linux/ia64 Rich Coe: CheckConnections: don't close down the server client (bug #7876) - p_ppc_domain_workaround.diff: * ugly workaround for still missing domain support on ppc (Bug #202133) - updated to snapshot of xserver-1.2-branch (soon to be released as X.Org 7.2RC2) * Make sure xorgcfg files are included even when dist made with --disable-xorgcfg * Small modification to blocking signals when switching modes. * Use getisax() instead of asm code to determine available x86 ISA extensions on Solaris * Pre-release message should tell users to check git, not CVS, for updates * Fix __glXDRIbindTexImage() for 32 bpp on big endian platforms. * Create xorg.conf.example (Gentoo bug #138623). * Fix test for Option "IgnoreABI". This option has plenty of potential for wasting the time of bug triagers without pretending it's always on. * kill GNU-make'ism. * Handle building in a separate objdir * Fix automake error: BUILT_SOURCES was defined multiple times on Solaris * Bug #1997: AUDIT messages should contain uid for local accesses * If getpeerucred() is available, include pid & zoneid in audit messages too - added /etc/modprobe.d/nvidia - xorg-xserver-ia64-int10.diff: * build int10 module with _PC only on %ix86 (Bug #197190) - added build of Xephyr; useful for debugging KDE apps (coolo) - cfb8-undefined.diff: * fixes warning for undefined behaviour - Own /etc/X11/Xsession.d directory. - Use /etc/X11/Xsession.d. - updated to X.Org 7.2RC1 - only disable AIGLX by default on SUSE <= 10.1 (Bug #197093) - no longer fake release version for fglrx driver (Bug #198125) - glx-align.patch: * reenabled -D__GLX_ALIGN64 on affected plaforms (X.Org Bug #8392) - Fixes to p_pci-domain.diff (Bug #197572) * internal domain number of by one (was supposed to be a cleanup, but other code dependet on this semantics) * fixed another long-standing of-by-1 error - p_enable-altrix.diff (Bug #197572) * This additional patch enables the build of the altrix detection routines, which have apparently not been included in Xorg 7.1 yet. This patch needs a autoreconf -fi after application. - updated to Mesa 6.5.1 - disable-fbblt-opt.diff: * Disable optimization (introduced by ajax) due to a general vesa driver crash later in memcpy (Bug #204324) - removed two source files with imcompatible license from Mesa tarball (Bug #204110) - added a check to specfile to make sure that these will not be reintroduced with the next Mesa update again (Bug #204110) - moved xf86Parser.h,xf86Optrec.h back to /usr/include/xorg, since SaX2 build issues have finally been resolved by making use of "-iquote /usr/include/xorg -I." - disable-root-xorg_conf.diff: * no longer consider to read /root/xorg.conf - only require xorg-x11-fonts-core ('fixed' + 'cursor' fonts) - fake release version for fglrx driver again, since using IgnoreABI does not help (the check for the ABI version is in the binary-only fglrx driver) - added Requires: xorg-x11-driver-{input,video} (Bug #202080) - ignore-abi.diff: * adds IgnoreABI option for xorg.conf (same as -ignoreABI) - remove .la files - no longer fake release version for fglrx driver; use the new IgnoreABI option instead! - PCI/IA64 Patches (Bug #197572): * apply new p_pci-domain.diff (mhopf) * apply new p_pci-ce-x.diff (mhopf) - PCI/IA64 Patches (Bug #197572): * removed p_mappciBIOS_complete.diff (already applied upstream) * apply p_pci-ia64.diff * apply p_pci-legacy-mmap.diff only for IA64 (as before) * disabled for now: - p_pci-domain.diff: still issues with it - p_pci-ce-x.diff: sits on top of p_pci-domain.diff - added PCI/IA64 patches, but disabled them for now (Bug #197572) - remove comp. symlinks in /usr/X11R6/bin for openSUSE >= 10.2 - fixed build for s390/s390x, e.g. use configure options --disable-install-libxf86config --disable-aiglx --disable-dri --disable-xorg - changed os-name to "openSUSE" instead of "Linux" before - fake release version for fglrx driver :-( - xinerama-sig11.diff: * prevents Xserver Sig11 with broken Xinerama config (Bug #135002) - moved /usr/%_lib/pkgconfig/xorg-server.pc to xorg-x11-server - added pkgconfig to Requires of xorg-x11-server - disable-aiglx.diff: * disabled AIGLX by default (related to Bug #197093); enable it with 'Option "AIGLX" "true"' in ServerFlags section of xorg.conf - enabled build of aiglx - patch font path also in xorg.conf when set to /usr/lib/X11/fonts/ or /usr/X11/lib/X11/fonts - patch xorg.conf in %post: * radeonold/radeon10b driver --> radeon driver - added "Requires: xorg-x11-fonts" to prevent issues like "could not open default font 'fixed'" for any Xserver - make sure that symlinks /usr/bin/X --> /var/X11R6/bin/X /var/X11R6/bin/X --> /usr/bin/Xorg are packaged. - p_xorg_acpi.diff: * fixed for archs which don't have HAVE_ACPI defined, e.g. ppc - p_xf86Mode.diff: * removes wrong warning (Bug #139510) - p_xorg_acpi.diff: * reconnect to acpid when acpid has been killed (Bug #148384) - p_xkills_wrong_client.diff: * This patch has unveiled two other problems. One is rather serious as there seems to be a non-zero possibility that the Xserver closes the wrong connection and this closes the wrong client when it looks for stale sockets of clients that have disappeared (eich, Bug #150869) - p_bug159532.diff: * X Clients can intentionally or unintenionally crash X11 by using composite on depth 4 pixmaps. This patch fixes this. (Bug #159532) - p_xnest-ignore-getimage-errors.diff: * ignores the X error on GetImage in Xnest (Bug #174228, X.Org Bug #4411) - p_initialize-pci-tag.diff: * initialize PCI tag correctly, which is used by an IA64 specific patch (see Bug #147261 for details); fixes Xserver crashes with fglrx driver - and possibly other drivers like vesa - during initial startup (!), VT switch and startup of second Xserver (SLED10 Blocker Bugs #180535, #170991, #158806) - p_ia64-console.diff: * fixes MCA after start of second Xserver (Bug #177011) - p_mouse_misc.diff: * fix X server crashes with synaptics driver (Bug #61702) - pu_fixes.diff * Fixes not yet in the official version - p_bug96328.diff: * fallback mouse device checking - p_vga-crashfix.diff: * fixes vga driver crash (#133989) - p_xorg_rom_read.diff * read rom in big chunks instead of byte-at-a-time (Bug #140811) - ps_showopts.diff * Xserver "-showopts" option to print available driver options (Bug #137374) - add /var/X11R6/bin directory for now (Bug #197188) - fix setup line - fixed fatal compiler warnings - always (and only) patch xorg.conf if necessary - update to xorg-server release 1.1.99.3 - use "-fno-strict-aliasing" - use $RPM_OPT_FLAGS - remove existing /usr/include/X11 symlink in %pre - install xf86Parser.h,xf86Optrec.h to /usr/include instead of /usr/include/xorg, so it is no longer necessary to specify "-I/usr/include/xorg" which resulted in including a wrong "shadow.h" (by X.Org) when building SaX2 (strange build error) - added permissions files - add compatibility symlink /usr/X11R6/bin/Xorg - p_ValidatePci.diff: * no longer call ValidatePci() to fix i810 driver issues (Bug #191987) - fixed build - bfo-bug15222.diff (bfo #15222, bnc #374318) * CVE-2008-2360 - RENDER Extension heap buffer overflow * CVE-2008-2361 - RENDER Extension crash * CVE-2008-2362 - RENDER Extension memory corruption * CVE-2008-1379 - MIT-SHM arbitrary memory read * CVE-2008-1377 - RECORD and Security extensions memory corruption - xserver-mode-fuzzy-check.diff * Make mode checking more tolerant like in pre-RandR times. - fix-dpi-values.diff * fixes DPI values for RANDR 1.2 capable drivers (bnc #393001) - mention ZapWarning also in Xorg manual page (bnc #391352) - xorg-server-1.4-vnc-render_sig11.diff * fixed sig11 in RENDER code (bnc #385677) - disabled patch to disable RENDER support in Xvnc, since it broke 24bit color depth support (bnc #390011) - xorg-server-1.4-vnc-disable_render.diff * disabled RENDER support in Xvnc (bnc #385677) - events.diff * eating up key events before going into the idle loop upon vt switch instead of after return (bnc #152522) - xkb_action.diff * fixed remaining unitialized warning in X.Org (bnc #83910) - fbdevhw.diff * screen blanking not supported by vesafb of Linux kernel (bnc #146462) - no longer disable AIGLX by default - XAANoOffscreenPixmaps.diff * disable Offscreen Pixmaps by default (bnc #376068) - Fix another o-b-1 in pci domain support. - randr1_1-sig11.diff * fixes Xserver crash when running xrandr on a different virtual terminal (Egbert Eich, bnc #223459) - commit-37b1258.diff * possibly fixes unwanted autorepeat (bnc #377612, bfo #14811) - bitmap_always_unscaled.diff * Default bitmap fonts should typically be set as unscaled (libv) - update to Mesa bugfix release 7.0.3 (final) sources - update to Mesa bugfix release 7.0.3 RC3 sources - confine_to_shape.diff * fixes XGrabPointer's confine_to with shaped windows (bnc #62146) - zap_warning_xserver.diff * implements FATE #302988: ZapWarning (Luc Verhaegen) Uses PCSpeaker for beep. Press once, beep. Press again within 2s (which is ample), terminate. Documented in xorg.conf manpage. - make the memory corruption fix by schwab a seperate patch to make sure it won't get lost the next time I update the VNC patch - Fix vnc server memory corruption. - commit-a6a7fad.diff * Don't break grab and focus state for a window when redirecting it. (bnc #336219, bfo #488264) - update to Mesa bugfix release 7.0.3 RC2 sources * Fixed GLX indirect vertex array rendering bug (14197) * Fixed crash when deleting framebuffer objects (bugs 13507, 14293) * User-defined clip planes enabled for R300 (bug 9871) * Fixed glBindTexture() crash upon bad target (bug 14514) * Fixed potential crash in glDrawPixels(GL_DEPTH_COMPONENT) (bug 13915) * Bad strings given to glProgramStringARB() didn't generate GL_INVALID_OPERATION * Fixed minor point rasterization regression (bug 11016) - added Requires:xkeyboard-config to xorg-x11-server - commit-50e80c3.diff: * never overwrite realInputProc with enqueueInputProc (bnc#357989, bfo#13511) - only switch to radeon driver in %post if radeonold driver is no longer available (Bug #355009) - some more cleanup in %post - Move manpage to the sub package that provides the binary. - update to Mesa bugfix release 7.0.3 RC1 sources * Added missing glw.pc.in file to release tarball * Fix GLUT/Fortran issues * GLSL gl_FrontLightModelProduct.sceneColor variable wasn't defined * Fix crash upon GLSL variable array indexes (not yet supported) * Two-sided stencil test didn't work in software rendering * Fix two-sided lighting bugs/crashes (bug 13368) * GLSL gl_FrontFacing didn't work properly * glGetActiveUniform returned incorrect sizes (bug 13751) * Fix several bugs relating to uniforms and attributes in GLSL API (Bruce Merry, bug 13753) * glTexImage3D(GL_PROXY_TEXTURE_3D) mis-set teximage depth field - updated patch for CVE-2007-6429 once more (X.Org Bug #13520) * Always test for size+offset wrapping. - updated patch for CVE-2007-6429 (Bug #345131) * Don't spuriously reject <8bpp shm pixmaps. Move size validation after depth validation, and only validate size if the bpp of the pixmap format is > 8. If bpp < 8 then we're already protected from overflow by the width and height checks. - X.Org security update * CVE-2007-5760 - XFree86 Misc extension out of bounds array index * CVE-2007-6427 - Xinput extension memory corruption. * CVE-2007-6428 - TOG-cup extension memory corruption. * CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows. * CVE-2008-0006 - PCF Font parser buffer overflow. - xorg-server 1.4.0.90 (prerelease of 1.4.1) - pixman.diff * fixed include path for pixman.h - remove_bogus_modeline.diff * remove bogus monitor modelines provided by DDC (Bug #335540) - commit-184e571.diff * Adjust offsets of modes that do not fit virtual screen size. - commit-c6c284e.diff * Initialize Mode with 0 in xf86RandRModeConvert. - commit-f6401f9.diff * Don't segfault if referring to a relative output where no modes survived. - commit-f7dd0c7.diff * Only clear crtc of output if it is the one we're actually working on. - commit-fa19e84.diff * Fix initial placement of LeftOf and Above. - pixman.diff no longer required - s390(x): allow mfb build without Xorg server being built - commit-29e0e18.diff * Make config file preferred mode override monitor preferred mode. - commit-feac075.diff * Leave hardware-specified preferred modes alone when user preference exists. - obsoletes preferred_mode-fix.diff - added xorg-x11-fonts-core/xorg-x11 to Requires (Bug #341312) - ia64linuxPciInit: allocate extra space for fake devices. - updated to Mesa 7.0.2 (final) sources - updated to Mesa 7.0.2 RC1 sources - xorg-server-1.4-vnc-64bit.diff * fixes segfault on 64bit during Xserver start; make sure to define _XSERVER64 by having HAVE_DIX_CONFIG_H defined and therefore including dix-config.h, so Atom is CARD32 instead of unsigned long before and no longer messes up the pInfo structure in xf86rfbMouseInit/xf86rfbKeybInit - finally enabled build of xf4vnc (standalone Xvnc and VNC Xserver module) - updated xf4vnc patch; still disabled due to problematic vnc module - preferred_mode-fix.diff * more reasonable patch (Bug #329724) - preferred_mode-fix.diff * fixed endless loop if PreferredMode is set (Bug #329724) - removed obsolete patch p_pci-domain.diff (Bug #308693, comment #26) - apply p_pci-off-by-one.diff.ia64 on all platforms since it clearly only affects platforms, where INCLUDE_XF86_NO_DOMAIN is *not* set; this still not explains why we have seen Xserver hangups with the patch in place on at least some %ix86/x86_64 machines with fglrx/ nvidia driver IIRC; it needs to verified if this problem is still reproducable ... (Bug #308693, comment #25) - xserver-1.3.0-xkb-and-loathing.patch * Ignore (not just block) SIGALRM around calls to Popen()/Pclose(). Fixes a hang in openoffice when opening menus. (Bug #245711) - added missing ia64Pci.h; required for IA64 - recreated p_pci-off-by-one.diff.ia64; the default fuzz factor of patch (2) resulted in a hunk applied to the wrong function and therefore broke the build :-( - xorg-server 1.4 * Welcome to X.Org X Server 1.4, now with hotplugging input to go with the hotplugging output. Also included in this release are many performance and correctness fixes to the EXA acceleration architecture, support for DTrace profiling of the X Server, accelerated GLX_EXT_texture_from_pixmap with supporting DRI drivers, and many improvements to the RandR 1.2 support that was added in xorg-server-1.3. The X Server now relies on the pixman library, which replaces the fb/fbcompose.c and accelerated implementations that were previously shared through code-duplication with the cairo project. * obsolete patches: - bug-259290_trapfault.diff - cfb8-undefined.diff - commit-c09e68c - i810_dri_fix_freeze.diff - p_bug159532.diff - p_enable-altrix.diff - p_pci-ce-x.diff - p_pci-off-by-one.diff - p_xorg_rom_read.diff - randr12-2926cf1da7e4ed63573bfaecdd7e19beb3057d9b.diff - randr12-5b424b562eee863b11571de4cd0019cd9bc5b379.diff - randr12-aec0d06469a2fa7440fdd5ee03dc256a68704e77.diff - randr12-b2dcfbca2441ca8c561f86a78a76ab59ecbb40e4.diff - randr12-b4193a2eee80895c5641e77488df0e72a73a3d99.diff - remove__GLinterface.patch - support_mesa6.5.3.patch - use-composite-for-unequal-depths.patch - x86emu.diff - xephyr-sig11-fix.diff * adjusted patches: - 64bit.diff - bug-197858_dpms.diff - bug227111-ddc_screensize.diff - disable-root-xorg_conf.diff - fpic.diff - glx-align.patch - libdrm.diff - p_bug96328.diff - p_ia64-console.diff - p_vga-crashfix.diff - xephyr.diff - pixman.diff: * search for pixman instead of pixman-1 - bumped version to 7.3 - remove wrongly prebuilt xf1bpp files after extracting tarball; fixes vga module loading (Bug #328201) - do not use "make -j" to (quick)fix xf1bpp build - do not apply p_pci-domain.diff on IA64 - use updated off-by-one patch by schwab for IA64 - edit_data_sanity_check.diff: * added sanity check for monitor EDID data (Bug #326454) - reverted changes by schwab on Fri Sep 7; these resulted i a black screen during Xserver start with any driver on non-IA64 platforms - use-composite-for-unequal-depths.patch: * Use Composite when depths don't match (Bug #309107, X.Org Bug [#7447]) - Update off-by-one patch. - Remove empty patch. - fbdevhw.diff: * ignore pixclock set to 0 by Xen kernel (Bug #285523) - added several RANDR 1.2 fixes (Bug #306699) * randr12-2926cf1da7e4ed63573bfaecdd7e19beb3057d9b.diff Allocate the right number of entries for saving crtcs * randr12-5b424b562eee863b11571de4cd0019cd9bc5b379.diff Set the crtc before the output change is notified. Set the new randr crtc of the output before the output change notification is delivered to the clients. Remove RROutputSetCrtc as it is not really necessary. All we have to do is set the output's crtc on RRCrtcNotify * randr12-8d230319040f0a7f72231da2bf5ec97dc3612e21.diff Fix the output->crtc initialization in the old randr setup * randr12-aec0d06469a2fa7440fdd5ee03dc256a68704e77.diff Fix a crash when rotating the screen. Remember output->crtc before setting a NULL mode because RRCrtcNotify now sets output->crtc to NULL. Use the saved crtc to set the new mode. * randr12-b2dcfbca2441ca8c561f86a78a76ab59ecbb40e4.diff RRScanOldConfig cannot use RRFirstOutput before output is configured. RRFirstOutput returns the first active output, which won't be set until after RRScanOldConfig is finished running. Instead, just use the first output (which is the only output present with an old driver, after all). * randr12-b4193a2eee80895c5641e77488df0e72a73a3d99.diff RRScanOldConfig wasn't getting crtcs set correctly. The output crtc is set by RRCrtcNotify, which is called at the end of RRScanOldConfig. Several uses of output->crtc in this function were wrong. - i810_dri_fix_freeze.diff: * fixes freeze after pressing Ctrl-Alt-BS (X.Org Bug #10809) - xserver-mode-fuzzy-check.diff: * Fix for Xserver being more fuzzy about mode validation (Bug #270846) - disable AIGLX by default; without enabled Composite extension (still problematic on many drivers) it's rather useless anyway - updated xorg.conf manual page - fix fileconflict over doc/MAINTAINERS - build parallel - updated Mesa source to bugfix release 7.0.1 - xephyr-sig11-fix.diff: * long vs. CARD32 mismatch in KeySym definitions between client and server code - this patch seems to fix it (and the input rework in head fixed it as well in a different way) (Bug #235320) - fixed build on s390(x) - added X(7) and security(7) manual pages - updated Mesa source to final release 7.0 - updated Mesa source to release 7.0 RC1 * Mesa 7.0 is a stable, follow-on release to Mesa 6.5.3. The only difference is bug fixes. The major version number bump is due to OpenGL 2.1 API support. - simplified p_default-module-path.diff - disabled build of Xprt - moved Xdmx, Xephyr, Xnest and Xvfb to new subpackage xorg-x11-server-extra - commit-c09e68c: * Paper over a crash at exit during GLX teardown - updated to Mesa 6.5.3 sources - obsoletes the following patches: * bug-211314_mesa-destroy_buffers.diff * bug-211314_mesa-framebuffer-counting.diff * bug-211314-patch-1.diff * bug-211314-patch-2.diff * bug-211314-patch-3.diff * bug-211314-patch-4.diff * bug-211314-patch-5.diff * bug-211314-patch-6.diff * bug-211314-patch-7.diff * bug-211314-patch-8.diff * bug-211314-patch-9.diff * bug-211314-patch-10.diff * bug-211314-patch-11.diff * bug-211314_mesa-refcount-memleak-fixes.diff * Mesa-6.5.2-fix_radeon_cliprect.diff - remove__GLinterface.patch/ support_mesa6.5.3.patch * required Xserver changes for Mesa 6.5.3 - xorg-x11-server-1.2.99-unbreak-domain.patch: * This patch fixes some multi-domain systems such as Pegasos with xorg-server 1.3. Since pci-rework should get merged soon and this patch is a bit of a hack, it never got pushed upstream. (X.Org Bug #7248) - back to Mesa 6.5.2 (Bug #269155/269042) - Mesa update: 4th RC ready * This fixes some breakage in RC3. - Mesa update: 3rd release candidate * updated Windows/VC8 project files. - updated to Mesa 6.5.3rc2 sources * a number of bug fixes since the first RC - updated to Mesa 6.5.3rc1 sources - obsoletes the following patches: * bug-211314_mesa-destroy_buffers.diff * bug-211314_mesa-framebuffer-counting.diff * bug-211314-patch-1.diff * bug-211314-patch-2.diff * bug-211314-patch-3.diff * bug-211314-patch-4.diff * bug-211314-patch-5.diff * bug-211314-patch-6.diff * bug-211314-patch-7.diff * bug-211314-patch-8.diff * bug-211314-patch-9.diff * bug-211314-patch-10.diff * bug-211314-patch-11.diff * bug-211314_mesa-refcount-memleak-fixes.diff * Mesa-6.5.2-fix_radeon_cliprect.diff - GL-Mesa-6.5.3.diff: * adjusted GL subdir to Mesa 6.5.3rc1 - xserver 1.3.0.0 release * Syncmaster 226 monitor needs 60Hz refresh (#10545). * In AIGLX EnterVT processing, invoke driver EnterVT before resuming glx. * Disable CRTC when SetSingleMode has no matching mode. Update RandR as well. * Rotate screen size as needed from RandR 1.1 change requests. * Add quirk for Acer AL1706 monitor to force 60hz refresh. * RandR 1.2 spec says CRTC info contains screen-relative geometry * typo in built-in module log message * Use default screen monitor for one of the outputs. * Allow outputs to be explicitly enabled in config, overriding detect. * Was accidentally disabling rotation updates in mode set. * Disable SourceValidate in rotation to capture cursor. - Mesa-6.5.2-fix_radeon_cliprect.diff: * fixes X.Org Bug #9876 - bug-259290_trapfault.diff: * fixes crash caused by bug in XRender code (Bug #259290) - xserver 1.2.99.905 release: * CVE-2007-1003: XC-MISC Extension ProcXCMiscGetXIDList() Memory Corruption * X.Org Bug #10296: Fix timer rescheduling - obsoletes bug-243978_xcmisc.diff - xserver 1.2.99.904 release: * Don't erase current crtc for outputs on CloseScreen - bug-243978_xcmisc.diff: * mem corruption in ProcXCMiscGetXIDList (CVE-2007-1003, Bug #243978) - bug-211314_mesa-refcount-memleak-fixes.diff: * Fix for memleaks and refount bugs (Bug #211314) - p_default-module-path.diff: * only return /usr/%lib/xorg/modules in "-showDefaultModulePath" Xserver option (Bug #257360) - set Xserver version to 7.2.0 with configure option (Bugs #257360, #253702) - xserver 1.2.99.903 release: * Create driver-independent CRTC-based cursor layer. * Allow xf86_reload_cursors during server init. * Don't wedge when rotating more than one CRTC. * Correct ref counting of RRMode structures * Remove extra (and wrong) I2C ByteTimeout setting in DDC code. * Slow down DDC I2C bus using a RiseFallTime of 20us for old monitors. * Clean up Rotate state on server reset. * Clear allocated RandR screen private structure. * Clean up xf86CrtcRec and xf86OutputRec objects at CloseScreen. * Make sure RandR events are delivered from RRCrtcSet. * Fix Pending property API, adding RRPostPendingProperty. * Incorrect extra memory copy in RRChangeOutputProperty. * Ensure that crtc desired values track most recent mode. * Make pending properties force mode set. And, remove AttachScreen calls. * Set version to 1.2.99.903 (1.3 RC3) * fbdevhw: Consolidate modeset ioctl calling, report failure if it modifies mode. * fbdevhw: Fix some issues with the previous commit. * fbdevhw: Use displayWidth for fbdev virtual width when appropriate. * fbdevhw: Override RGB offsets and masks after setting initial mode. * fbdevhw: Consider mode set equal to mode requested if virtual width is larger. * fbdevhw: Only deal with RGB weight if default visual is True- or DirectColor. * Add per-drawable Xv colour key helper function. * Bump video driver ABI version to 1.2. - no longer apply bug-211314_mesa-context.diff, bug-211314_p_drawable_privclean.diff (Bug #211314, comment #114) - added different Mesa patches (Bug #211314, comments #114/#115) - Remove bug197190-ia64.diff, fix x86emu instead. - xserver 1.2.99.902 release: * Xprint: shorten font filename to fit in tar length limit * Move xf86SetSingleMode into X server from intel driver. * Add xf86SetDesiredModes to apply desired modes to crtcs. * Use EDID data to set screen physical size at server startup. * Allow relative positions to use output names or monitor identifiers. * Add xf86CrtcScreenInit to share initialization across drivers. * Add hw/xfree86/docs/README.modes, documenting new mode setting APIs. * Remove stale monitor data when output becomes disconnected. * Revert "Xprint includes a filename which is too long for tar." * Revert "Xext: Update device's lastx/lasty when sending a motion event with XTest." * Xext: Update device's lastx/lasty when sending a motion event with XTest. - xf86crtc_allowdual.diff no longer required; replaced by xrandr_12_newmode.diff in xrandr (xorg-x11 package) - bug197190-ia64.diff: * missing -DNO_LONG_LONG for IA64 (Bug #197190) - xf86crtc_allowdual.diff: * allows dualhead even when the second monitor is not yet connected during Xserver start - %post: replace "i810beta" with "intel" in existing xorg.conf - xserver 1.2.99.901 release: * RandR 1.2 * EXA damage track * minor fixes - use global permissions files for SUSE > 10.1 (Bug #246228) - improved bug-197858_dpms.diff to fix Xserver crash (Bug #197858) - bug-197858_dpms.diff: * finally fixed "X server wakes up on any ACPI event" issue (Bug #197858) - bug-211314_p_drawable_privclean.diff: * fixed for cleaning up pointers - fixed build - bug-211314_p_drawable_privclean.diff: * fixes Xserver crash in Mesa software rendering path (Bug #211314) - xserver 1.2.0 release * Bug #9219: Return BadMatch when trying to name the backing pixmap of an unrealized window. * Bug #9219: Use pWin->viewable instead of pWin->realized to catch InputOnly windows too. * Fix BSF and BSR instructions in the x86 emulator. * Bug #9555: Always define _GNU_SOURCE in glibc environments. * Bug #8991: Add glXGetDrawableAttributes dispatch; fix texture format therein. * Bump video and input ABI minors. * Fix release date. * Fix syntax error in configure check for SYSV_IPC that broke with Sun cc * Map missing keycodes for Sun Type 5 keyboard on Solaris SPARC * Update pci.ids to 2006-12-06 from pciids.sf.net * Xorg & Xserver man page updates for 1.2 release * xorg.conf man page should say "XFree86-DGA", not "Xorg-DGA" * Xserver man page: remove bc, add -wr * Update pci.ids to 2007-01-18 snapshot * Update Xserver man page to match commit ed33c7c98ad0c542e9e2dd6caa3f84879c21dd61 * Fix Tooltip from minimized clients * Fix Xming fails to use xkb bug * Fix bad commit * Set Int10Current->Tag for the linux native int10 module * added mipmap.c * configure.ac: prepare for 1.2.0 (X11R7.2) * sparc: don't include asm/kbio.h -- it no longer exists in current headers. * Minor typos in Xserver man page. * Fix several cases where optimized paths were hit when they shouldn't be. * Try dlsym(RTLD_DEFAULT) first when finding symbols. * Fix RENDER issues (bug #7555) and implement RENDER add/remove screen * For Xvfb, Xnest and Xprt, compile fbcmap.c with -DXFree86Server * Multiple integer overflows in dbe and render extensions * Require glproto >= 1.4.8 for GLX. * __glXDRIscreenProbe: Use drmOpen/CloseOnce. * xfree86/hurd: re-add missing keyboard support (bug #5613) * remove last remaning 'linux'isms (bug #5613) - obsoletes * Mesa-6.5.2.diff * xorg-server-1.1.99.901-GetDrawableAttributes.patch * int10-fix.diff * cve-2006-6101_6102_6103.diff - disabled build of VNC server/module - bug-211314_mesa-context.diff: * fixes Xserver crash in software rendering fallback (Bug #211314) - 0018-vnc-support.txt.diff * fixed unresolved symbols vncRandomBytes/deskey in VNC module (terminated Xserver when client connected) - bug227111-ddc_screensize.diff: * allow user overrides for monitor settings (Bug #227111) - loadmod-bug197195.diff: * check the complete path (Bug #197195) - added build of VNC support (0018-vnc-support.txt/ 0018-vnc-support.txt.diff); see 0018-vnc-support.txt.mbox for reference - cve-2006-6101_6102_6103.diff: * CVE-2006-6101 iDefense X.org ProcRenderAddGlyphs (Bug #225972) * CVE-2006-6102 iDefense X.org ProcDbeGetVisualInfo (Bug #225974) * CVE-2006-6103 iDefense X.org ProcDbeSwapBuffers (Bug #225975) - int10-fix.diff * Set Int10Current->Tag for the linux native int10 module (X.Org Bug #9296) * obsoletes p_initialize-pci-tag.diff - reverted latest change by schwab (Bug #197190, comment #67) - Fix off-by-one in pci multi-domain support [#229278]. - libdrm.diff: * no longer fail when some driver tries to load "drm" module - xorg-server-1.1.99.901-GetDrawableAttributes.patch: * hopefully fixes AIGLX issues (X.Org Bug #8991) - another 64bit warning fix - X.Org 7.2RC3 release * Add a -showDefaultModulePath option. * Add a -showDefaultLibPath option. * Add DIX_CFLAGS to util builds. * Fix release date, and tag 1.1.99.903 * make X server use system libdrm - this requires libdrm >= 2.3.0 * DRI: call drmSetServerInfo() before drmOpen(). * add extern to struct definition * fixup configure.ac problems with DRI_SOURCES and LBX_SOURCES * bump to 1.1.99.903 * remove CID support (bug #5553) * dri: setup libdrm hooks as early as possible. * Bug #8868: Remove drm from SUBDIRS now that the directory is gone. * Fix typo before the last commit. * Fix GL context destruction with AIGLX. * On DragonFLy, default to /dev/sysmouse (just like on FreeBSD). * ffs: handle 0 argument (bug #8968) * Bug #9023: Only check mice for "mouse" or "void" if identifier is != NULL. Fix potential NULL pointer access in timer code. - updated Mesa sources to 6.5.2 - xserver-timers.diff: * fix null pointer reference in timer code (Bug #223718) - p_pci-off-by-one.diff: * readded off by one fix, which has been dropped by accident (Bug #197190) - acpi_events.diff: * distinguish between general and input devices also for APM (Bug #197858) - removed /etc/X11/Xsession.d/92xprint-xpserverlist (Bug #220733) - mouse-fix.diff: * prevent driver from crashing when something different than "mouse" or "void" is specified; only check mice for "mouse" or "void" if identifier is != NULL. (X.Org Bug #9023) - X.Org 7.2RC2 release - adjusted p_enable-altrix.diff, p_pci-domain.diff - obsoletes p_pci-ia64.diff, xorg-xserver-ia64-int10.diff p_pci-legacy-mmap.diff - Changes in RC2 since RC1 Aaron Plattner: Fix standard VESA modes. Adam Jackson: Bug #6786: Use separate defines for server's Fixes support level. 'make dist' fixes. Fix distcheck. Include a forgotten ia64 header in the distball. Builds on ia64 now. configure.ac bump. Alan Coopersmith: Make sure xorgcfg files are included even when dist made with --disable-xorgcfg Use getisax() instead of asm code to determine available x86 ISA extensions on Solaris Pre-release message should tell users to check git, not CVS, for updates Fix automake error: BUILT_SOURCES was defined multiple times on Solaris Bug #1997: AUDIT messages should contain uid for local accesses If getpeerucred() is available, include pid & zoneid in audit messages too Make _POSIX_C_SOURCE hack work with Solaris headers Alan Hourihane: Small modification to blocking signals when switching modes. Bjorn Helgaas: Do not map full 0-1MB legacy range Bram Verweij: xfree86/linux acpi: fix tokenising Daniel Stone: GetTimeInMillis: spuport monotonic clock WaitForSomething: allow time to rewind Revert "WaitForSomething: allow time to rewind" Revert "GetTimeInMillis: spuport monotonic clock" add 'general socket' handler, port ACPI to use it WaitForSomething: allow time to rewind WaitForSomething: only rewind when delta is more than 250ms GetTimeInMillis: spuport monotonic clock GetTimeInMillis: simplify monotonic test GetTimeInMillis: use correct units for clock_gettime os: fix sun extensions test Eamon Walsh: Bug #8875: Security extension causes Xorg to core dump on server reset whitespace adjust More work on Bug #8875: revert previous fix and try using client argument Bug #8937: Extension setup functions not called on server resets Egbert Eich: Fixing mach64 driver bailing out on ia64 Make int10 fully domain aware. Erik Andren: remove XFree86 changelogs (bug #7262) Joshua Baergen: Create xorg.conf.example (Gentoo bug #138623). Laurence Withers: CreateColormap: fix return value (bug #7083) Matthias Hopf: Build with -D_PC on ix86 only. Added missing domain stripping in already domain aware code. Added linux 2.6 compatible domain aware device scanning code. Fixing domain support for ia64 Add domain support to linuxPciOpenFile(). Fix device path in altixPCI.c to be domain aware. Fix obviously wrong boundary checks + cleanup unused vars. Matthieu Herrb: kill GNU-make'ism. Handle building in a separate objdir Michel Dänzer: Fix __glXDRIbindTexImage() for 32 bpp on big endian platforms. Fix test for Option "IgnoreABI". Myron Stowe: xfree86: re-enable chipset-specific drivers for Linux/ia64 Rich Coe: CheckConnections: don't close down the server client (bug #7876) - p_ppc_domain_workaround.diff: * ugly workaround for still missing domain support on ppc (Bug #202133) - updated to snapshot of xserver-1.2-branch (soon to be released as X.Org 7.2RC2) * Make sure xorgcfg files are included even when dist made with --disable-xorgcfg * Small modification to blocking signals when switching modes. * Use getisax() instead of asm code to determine available x86 ISA extensions on Solaris * Pre-release message should tell users to check git, not CVS, for updates * Fix __glXDRIbindTexImage() for 32 bpp on big endian platforms. * Create xorg.conf.example (Gentoo bug #138623). * Fix test for Option "IgnoreABI". This option has plenty of potential for wasting the time of bug triagers without pretending it's always on. * kill GNU-make'ism. * Handle building in a separate objdir * Fix automake error: BUILT_SOURCES was defined multiple times on Solaris * Bug #1997: AUDIT messages should contain uid for local accesses * If getpeerucred() is available, include pid & zoneid in audit messages too - added /etc/modprobe.d/nvidia - xorg-xserver-ia64-int10.diff: * build int10 module with _PC only on %ix86 (Bug #197190) - added build of Xephyr; useful for debugging KDE apps (coolo) - cfb8-undefined.diff: * fixes warning for undefined behaviour - Own /etc/X11/Xsession.d directory. - Use /etc/X11/Xsession.d. - updated to X.Org 7.2RC1 - only disable AIGLX by default on SUSE <= 10.1 (Bug #197093) - no longer fake release version for fglrx driver (Bug #198125) - glx-align.patch: * reenabled -D__GLX_ALIGN64 on affected plaforms (X.Org Bug #8392) - Fixes to p_pci-domain.diff (Bug #197572) * internal domain number of by one (was supposed to be a cleanup, but other code dependet on this semantics) * fixed another long-standing of-by-1 error - p_enable-altrix.diff (Bug #197572) * This additional patch enables the build of the altrix detection routines, which have apparently not been included in Xorg 7.1 yet. This patch needs a autoreconf -fi after application. - updated to Mesa 6.5.1 - disable-fbblt-opt.diff: * Disable optimization (introduced by ajax) due to a general vesa driver crash later in memcpy (Bug #204324) - removed two source files with imcompatible license from Mesa tarball (Bug #204110) - added a check to specfile to make sure that these will not be reintroduced with the next Mesa update again (Bug #204110) - moved xf86Parser.h,xf86Optrec.h back to /usr/include/xorg, since SaX2 build issues have finally been resolved by making use of "-iquote /usr/include/xorg -I." - disable-root-xorg_conf.diff: * no longer consider to read /root/xorg.conf - only require xorg-x11-fonts-core ('fixed' + 'cursor' fonts) - fake release version for fglrx driver again, since using IgnoreABI does not help (the check for the ABI version is in the binary-only fglrx driver) - added Requires: xorg-x11-driver-{input,video} (Bug #202080) - ignore-abi.diff: * adds IgnoreABI option for xorg.conf (same as -ignoreABI) - remove .la files - no longer fake release version for fglrx driver; use the new IgnoreABI option instead! - PCI/IA64 Patches (Bug #197572): * apply new p_pci-domain.diff (mhopf) * apply new p_pci-ce-x.diff (mhopf) - PCI/IA64 Patches (Bug #197572): * removed p_mappciBIOS_complete.diff (already applied upstream) * apply p_pci-ia64.diff * apply p_pci-legacy-mmap.diff only for IA64 (as before) * disabled for now: - p_pci-domain.diff: still issues with it - p_pci-ce-x.diff: sits on top of p_pci-domain.diff - added PCI/IA64 patches, but disabled them for now (Bug #197572) - remove comp. symlinks in /usr/X11R6/bin for openSUSE >= 10.2 - fixed build for s390/s390x, e.g. use configure options --disable-install-libxf86config --disable-aiglx --disable-dri --disable-xorg - changed os-name to "openSUSE" instead of "Linux" before - fake release version for fglrx driver :-( - xinerama-sig11.diff: * prevents Xserver Sig11 with broken Xinerama config (Bug #135002) - moved /usr/%_lib/pkgconfig/xorg-server.pc to xorg-x11-server - added pkgconfig to Requires of xorg-x11-server - disable-aiglx.diff: * disabled AIGLX by default (related to Bug #197093); enable it with 'Option "AIGLX" "true"' in ServerFlags section of xorg.conf - enabled build of aiglx - patch font path also in xorg.conf when set to /usr/lib/X11/fonts/ or /usr/X11/lib/X11/fonts - patch xorg.conf in %post: * radeonold/radeon10b driver --> radeon driver - added "Requires: xorg-x11-fonts" to prevent issues like "could not open default font 'fixed'" for any Xserver - make sure that symlinks /usr/bin/X --> /var/X11R6/bin/X /var/X11R6/bin/X --> /usr/bin/Xorg are packaged. - p_xorg_acpi.diff: * fixed for archs which don't have HAVE_ACPI defined, e.g. ppc - p_xf86Mode.diff: * removes wrong warning (Bug #139510) - p_xorg_acpi.diff: * reconnect to acpid when acpid has been killed (Bug #148384) - p_xkills_wrong_client.diff: * This patch has unveiled two other problems. One is rather serious as there seems to be a non-zero possibility that the Xserver closes the wrong connection and this closes the wrong client when it looks for stale sockets of clients that have disappeared (eich, Bug #150869) - p_bug159532.diff: * X Clients can intentionally or unintenionally crash X11 by using composite on depth 4 pixmaps. This patch fixes this. (Bug #159532) - p_xnest-ignore-getimage-errors.diff: * ignores the X error on GetImage in Xnest (Bug #174228, X.Org Bug #4411) - p_initialize-pci-tag.diff: * initialize PCI tag correctly, which is used by an IA64 specific patch (see Bug #147261 for details); fixes Xserver crashes with fglrx driver - and possibly other drivers like vesa - during initial startup (!), VT switch and startup of second Xserver (SLED10 Blocker Bugs #180535, #170991, #158806) - p_ia64-console.diff: * fixes MCA after start of second Xserver (Bug #177011) - p_mouse_misc.diff: * fix X server crashes with synaptics driver (Bug #61702) - pu_fixes.diff * Fixes not yet in the official version - p_bug96328.diff: * fallback mouse device checking - p_vga-crashfix.diff: * fixes vga driver crash (#133989) - p_xorg_rom_read.diff * read rom in big chunks instead of byte-at-a-time (Bug #140811) - ps_showopts.diff * Xserver "-showopts" option to print available driver options (Bug #137374) - add /var/X11R6/bin directory for now (Bug #197188) - fix setup line - fixed fatal compiler warnings - always (and only) patch xorg.conf if necessary - update to xorg-server release 1.1.99.3 - use "-fno-strict-aliasing" - use $RPM_OPT_FLAGS - remove existing /usr/include/X11 symlink in %pre - install xf86Parser.h,xf86Optrec.h to /usr/include instead of /usr/include/xorg, so it is no longer necessary to specify "-I/usr/include/xorg" which resulted in including a wrong "shadow.h" (by X.Org) when building SaX2 (strange build error) - added permissions files - add compatibility symlink /usr/X11R6/bin/Xorg - p_ValidatePci.diff: * no longer call ValidatePci() to fix i810 driver issues (Bug #191987) - fixed build - bfo-bug15222.diff (bfo #15222, bnc #374318) * CVE-2008-2360 - RENDER Extension heap buffer overflow * CVE-2008-2361 - RENDER Extension crash * CVE-2008-2362 - RENDER Extension memory corruption * CVE-2008-1379 - MIT-SHM arbitrary memory read * CVE-2008-1377 - RECORD and Security extensions memory corruption - xserver-mode-fuzzy-check.diff * Make mode checking more tolerant like in pre-RandR times. - fix-dpi-values.diff * fixes DPI values for RANDR 1.2 capable drivers (bnc #393001) - mention ZapWarning also in Xorg manual page (bnc #391352) - xorg-server-1.4-vnc-render_sig11.diff * fixed sig11 in RENDER code (bnc #385677) - disabled patch to disable RENDER support in Xvnc, since it broke 24bit color depth support (bnc #390011) - xorg-server-1.4-vnc-disable_render.diff * disabled RENDER support in Xvnc (bnc #385677) - events.diff * eating up key events before going into the idle loop upon vt switch instead of after return (bnc #152522) - xkb_action.diff * fixed remaining unitialized warning in X.Org (bnc #83910) - fbdevhw.diff * screen blanking not supported by vesafb of Linux kernel (bnc #146462) - no longer disable AIGLX by default - XAANoOffscreenPixmaps.diff * disable Offscreen Pixmaps by default (bnc #376068) - Fix another o-b-1 in pci domain support. - randr1_1-sig11.diff * fixes Xserver crash when running xrandr on a different virtual terminal (Egbert Eich, bnc #223459) - commit-37b1258.diff * possibly fixes unwanted autorepeat (bnc #377612, bfo #14811) - bitmap_always_unscaled.diff * Default bitmap fonts should typically be set as unscaled (libv) - update to Mesa bugfix release 7.0.3 (final) sources - update to Mesa bugfix release 7.0.3 RC3 sources - confine_to_shape.diff * fixes XGrabPointer's confine_to with shaped windows (bnc #62146) - zap_warning_xserver.diff * implements FATE #302988: ZapWarning (Luc Verhaegen) Uses PCSpeaker for beep. Press once, beep. Press again within 2s (which is ample), terminate. Documented in xorg.conf manpage. - make the memory corruption fix by schwab a seperate patch to make sure it won't get lost the next time I update the VNC patch - Fix vnc server memory corruption. - commit-a6a7fad.diff * Don't break grab and focus state for a window when redirecting it. (bnc #336219, bfo #488264) - update to Mesa bugfix release 7.0.3 RC2 sources * Fixed GLX indirect vertex array rendering bug (14197) * Fixed crash when deleting framebuffer objects (bugs 13507, 14293) * User-defined clip planes enabled for R300 (bug 9871) * Fixed glBindTexture() crash upon bad target (bug 14514) * Fixed potential crash in glDrawPixels(GL_DEPTH_COMPONENT) (bug 13915) * Bad strings given to glProgramStringARB() didn't generate GL_INVALID_OPERATION * Fixed minor point rasterization regression (bug 11016) - added Requires:xkeyboard-config to xorg-x11-server - commit-50e80c3.diff: * never overwrite realInputProc with enqueueInputProc (bnc#357989, bfo#13511) - only switch to radeon driver in %post if radeonold driver is no longer available (Bug #355009) - some more cleanup in %post - Move manpage to the sub package that provides the binary. - update to Mesa bugfix release 7.0.3 RC1 sources * Added missing glw.pc.in file to release tarball * Fix GLUT/Fortran issues * GLSL gl_FrontLightModelProduct.sceneColor variable wasn't defined * Fix crash upon GLSL variable array indexes (not yet supported) * Two-sided stencil test didn't work in software rendering * Fix two-sided lighting bugs/crashes (bug 13368) * GLSL gl_FrontFacing didn't work properly * glGetActiveUniform returned incorrect sizes (bug 13751) * Fix several bugs relating to uniforms and attributes in GLSL API (Bruce Merry, bug 13753) * glTexImage3D(GL_PROXY_TEXTURE_3D) mis-set teximage depth field - updated patch for CVE-2007-6429 once more (X.Org Bug #13520) * Always test for size+offset wrapping. - updated patch for CVE-2007-6429 (Bug #345131) * Don't spuriously reject <8bpp shm pixmaps. Move size validation after depth validation, and only validate size if the bpp of the pixmap format is > 8. If bpp < 8 then we're already protected from overflow by the width and height checks. - X.Org security update * CVE-2007-5760 - XFree86 Misc extension out of bounds array index * CVE-2007-6427 - Xinput extension memory corruption. * CVE-2007-6428 - TOG-cup extension memory corruption. * CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows. * CVE-2008-0006 - PCF Font parser buffer overflow. - xorg-server 1.4.0.90 (prerelease of 1.4.1) - pixman.diff * fixed include path for pixman.h - remove_bogus_modeline.diff * remove bogus monitor modelines provided by DDC (Bug #335540) - commit-184e571.diff * Adjust offsets of modes that do not fit virtual screen size. - commit-c6c284e.diff * Initialize Mode with 0 in xf86RandRModeConvert. - commit-f6401f9.diff * Don't segfault if referring to a relative output where no modes survived. - commit-f7dd0c7.diff * Only clear crtc of output if it is the one we're actually working on. - commit-fa19e84.diff * Fix initial placement of LeftOf and Above. - pixman.diff no longer required - s390(x): allow mfb build without Xorg server being built - commit-29e0e18.diff * Make config file preferred mode override monitor preferred mode. - commit-feac075.diff * Leave hardware-specified preferred modes alone when user preference exists. - obsoletes preferred_mode-fix.diff - added xorg-x11-fonts-core/xorg-x11 to Requires (Bug #341312) - ia64linuxPciInit: allocate extra space for fake devices. - updated to Mesa 7.0.2 (final) sources - updated to Mesa 7.0.2 RC1 sources - xorg-server-1.4-vnc-64bit.diff * fixes segfault on 64bit during Xserver start; make sure to define _XSERVER64 by having HAVE_DIX_CONFIG_H defined and therefore including dix-config.h, so Atom is CARD32 instead of unsigned long before and no longer messes up the pInfo structure in xf86rfbMouseInit/xf86rfbKeybInit - finally enabled build of xf4vnc (standalone Xvnc and VNC Xserver module) - updated xf4vnc patch; still disabled due to problematic vnc module - preferred_mode-fix.diff * more reasonable patch (Bug #329724) - preferred_mode-fix.diff * fixed endless loop if PreferredMode is set (Bug #329724) - removed obsolete patch p_pci-domain.diff (Bug #308693, comment #26) - apply p_pci-off-by-one.diff.ia64 on all platforms since it clearly only affects platforms, where INCLUDE_XF86_NO_DOMAIN is *not* set; this still not explains why we have seen Xserver hangups with the patch in place on at least some %ix86/x86_64 machines with fglrx/ nvidia driver IIRC; it needs to verified if this problem is still reproducable ... (Bug #308693, comment #25) - xserver-1.3.0-xkb-and-loathing.patch * Ignore (not just block) SIGALRM around calls to Popen()/Pclose(). Fixes a hang in openoffice when opening menus. (Bug #245711) - added missing ia64Pci.h; required for IA64 - recreated p_pci-off-by-one.diff.ia64; the default fuzz factor of patch (2) resulted in a hunk applied to the wrong function and therefore broke the build :-( - xorg-server 1.4 * Welcome to X.Org X Server 1.4, now with hotplugging input to go with the hotplugging output. Also included in this release are many performance and correctness fixes to the EXA acceleration architecture, support for DTrace profiling of the X Server, accelerated GLX_EXT_texture_from_pixmap with supporting DRI drivers, and many improvements to the RandR 1.2 support that was added in xorg-server-1.3. The X Server now relies on the pixman library, which replaces the fb/fbcompose.c and accelerated implementations that were previously shared through code-duplication with the cairo project. * obsolete patches: - bug-259290_trapfault.diff - cfb8-undefined.diff - commit-c09e68c - i810_dri_fix_freeze.diff - p_bug159532.diff - p_enable-altrix.diff - p_pci-ce-x.diff - p_pci-off-by-one.diff - p_xorg_rom_read.diff - randr12-2926cf1da7e4ed63573bfaecdd7e19beb3057d9b.diff - randr12-5b424b562eee863b11571de4cd0019cd9bc5b379.diff - randr12-aec0d06469a2fa7440fdd5ee03dc256a68704e77.diff - randr12-b2dcfbca2441ca8c561f86a78a76ab59ecbb40e4.diff - randr12-b4193a2eee80895c5641e77488df0e72a73a3d99.diff - remove__GLinterface.patch - support_mesa6.5.3.patch - use-composite-for-unequal-depths.patch - x86emu.diff - xephyr-sig11-fix.diff * adjusted patches: - 64bit.diff - bug-197858_dpms.diff - bug227111-ddc_screensize.diff - disable-root-xorg_conf.diff - fpic.diff - glx-align.patch - libdrm.diff - p_bug96328.diff - p_ia64-console.diff - p_vga-crashfix.diff - xephyr.diff - pixman.diff: * search for pixman instead of pixman-1 - bumped version to 7.3 - remove wrongly prebuilt xf1bpp files after extracting tarball; fixes vga module loading (Bug #328201) - do not use "make -j" to (quick)fix xf1bpp build - do not apply p_pci-domain.diff on IA64 - use updated off-by-one patch by schwab for IA64 - edit_data_sanity_check.diff: * added sanity check for monitor EDID data (Bug #326454) - reverted changes by schwab on Fri Sep 7; these resulted i a black screen during Xserver start with any driver on non-IA64 platforms - use-composite-for-unequal-depths.patch: * Use Composite when depths don't match (Bug #309107, X.Org Bug [#7447]) - Update off-by-one patch. - Remove empty patch. - fbdevhw.diff: * ignore pixclock set to 0 by Xen kernel (Bug #285523) - added several RANDR 1.2 fixes (Bug #306699) * randr12-2926cf1da7e4ed63573bfaecdd7e19beb3057d9b.diff Allocate the right number of entries for saving crtcs * randr12-5b424b562eee863b11571de4cd0019cd9bc5b379.diff Set the crtc before the output change is notified. Set the new randr crtc of the output before the output change notification is delivered to the clients. Remove RROutputSetCrtc as it is not really necessary. All we have to do is set the output's crtc on RRCrtcNotify * randr12-8d230319040f0a7f72231da2bf5ec97dc3612e21.diff Fix the output->crtc initialization in the old randr setup * randr12-aec0d06469a2fa7440fdd5ee03dc256a68704e77.diff Fix a crash when rotating the screen. Remember output->crtc before setting a NULL mode because RRCrtcNotify now sets output->crtc to NULL. Use the saved crtc to set the new mode. * randr12-b2dcfbca2441ca8c561f86a78a76ab59ecbb40e4.diff RRScanOldConfig cannot use RRFirstOutput before output is configured. RRFirstOutput returns the first active output, which won't be set until after RRScanOldConfig is finished running. Instead, just use the first output (which is the only output present with an old driver, after all). * randr12-b4193a2eee80895c5641e77488df0e72a73a3d99.diff RRScanOldConfig wasn't getting crtcs set correctly. The output crtc is set by RRCrtcNotify, which is called at the end of RRScanOldConfig. Several uses of output->crtc in this function were wrong. - i810_dri_fix_freeze.diff: * fixes freeze after pressing Ctrl-Alt-BS (X.Org Bug #10809) - xserver-mode-fuzzy-check.diff: * Fix for Xserver being more fuzzy about mode validation (Bug #270846) - disable AIGLX by default; without enabled Composite extension (still problematic on many drivers) it's rather useless anyway - updated xorg.conf manual page - fix fileconflict over doc/MAINTAINERS - build parallel - updated Mesa source to bugfix release 7.0.1 - xephyr-sig11-fix.diff: * long vs. CARD32 mismatch in KeySym definitions between client and server code - this patch seems to fix it (and the input rework in head fixed it as well in a different way) (Bug #235320) - fixed build on s390(x) - added X(7) and security(7) manual pages - updated Mesa source to final release 7.0 - updated Mesa source to release 7.0 RC1 * Mesa 7.0 is a stable, follow-on release to Mesa 6.5.3. The only difference is bug fixes. The major version number bump is due to OpenGL 2.1 API support. - simplified p_default-module-path.diff - disabled build of Xprt - moved Xdmx, Xephyr, Xnest and Xvfb to new subpackage xorg-x11-server-extra - commit-c09e68c: * Paper over a crash at exit during GLX teardown - updated to Mesa 6.5.3 sources - obsoletes the following patches: * bug-211314_mesa-destroy_buffers.diff * bug-211314_mesa-framebuffer-counting.diff * bug-211314-patch-1.diff * bug-211314-patch-2.diff * bug-211314-patch-3.diff * bug-211314-patch-4.diff * bug-211314-patch-5.diff * bug-211314-patch-6.diff * bug-211314-patch-7.diff * bug-211314-patch-8.diff * bug-211314-patch-9.diff * bug-211314-patch-10.diff * bug-211314-patch-11.diff * bug-211314_mesa-refcount-memleak-fixes.diff * Mesa-6.5.2-fix_radeon_cliprect.diff - remove__GLinterface.patch/ support_mesa6.5.3.patch * required Xserver changes for Mesa 6.5.3 - xorg-x11-server-1.2.99-unbreak-domain.patch: * This patch fixes some multi-domain systems such as Pegasos with xorg-server 1.3. Since pci-rework should get merged soon and this patch is a bit of a hack, it never got pushed upstream. (X.Org Bug #7248) - back to Mesa 6.5.2 (Bug #269155/269042) - Mesa update: 4th RC ready * This fixes some breakage in RC3. - Mesa update: 3rd release candidate * updated Windows/VC8 project files. - updated to Mesa 6.5.3rc2 sources * a number of bug fixes since the first RC - updated to Mesa 6.5.3rc1 sources - obsoletes the following patches: * bug-211314_mesa-destroy_buffers.diff * bug-211314_mesa-framebuffer-counting.diff * bug-211314-patch-1.diff * bug-211314-patch-2.diff * bug-211314-patch-3.diff * bug-211314-patch-4.diff * bug-211314-patch-5.diff * bug-211314-patch-6.diff * bug-211314-patch-7.diff * bug-211314-patch-8.diff * bug-211314-patch-9.diff * bug-211314-patch-10.diff * bug-211314-patch-11.diff * bug-211314_mesa-refcount-memleak-fixes.diff * Mesa-6.5.2-fix_radeon_cliprect.diff - GL-Mesa-6.5.3.diff: * adjusted GL subdir to Mesa 6.5.3rc1 - xserver 1.3.0.0 release * Syncmaster 226 monitor needs 60Hz refresh (#10545). * In AIGLX EnterVT processing, invoke driver EnterVT before resuming glx. * Disable CRTC when SetSingleMode has no matching mode. Update RandR as well. * Rotate screen size as needed from RandR 1.1 change requests. * Add quirk for Acer AL1706 monitor to force 60hz refresh. * RandR 1.2 spec says CRTC info contains screen-relative geometry * typo in built-in module log message * Use default screen monitor for one of the outputs. * Allow outputs to be explicitly enabled in config, overriding detect. * Was accidentally disabling rotation updates in mode set. * Disable SourceValidate in rotation to capture cursor. - Mesa-6.5.2-fix_radeon_cliprect.diff: * fixes X.Org Bug #9876 - bug-259290_trapfault.diff: * fixes crash caused by bug in XRender code (Bug #259290) - xserver 1.2.99.905 release: * CVE-2007-1003: XC-MISC Extension ProcXCMiscGetXIDList() Memory Corruption * X.Org Bug #10296: Fix timer rescheduling - obsoletes bug-243978_xcmisc.diff - xserver 1.2.99.904 release: * Don't erase current crtc for outputs on CloseScreen - bug-243978_xcmisc.diff: * mem corruption in ProcXCMiscGetXIDList (CVE-2007-1003, Bug #243978) - bug-211314_mesa-refcount-memleak-fixes.diff: * Fix for memleaks and refount bugs (Bug #211314) - p_default-module-path.diff: * only return /usr/%lib/xorg/modules in "-showDefaultModulePath" Xserver option (Bug #257360) - set Xserver version to 7.2.0 with configure option (Bugs #257360, #253702) - xserver 1.2.99.903 release: * Create driver-independent CRTC-based cursor layer. * Allow xf86_reload_cursors during server init. * Don't wedge when rotating more than one CRTC. * Correct ref counting of RRMode structures * Remove extra (and wrong) I2C ByteTimeout setting in DDC code. * Slow down DDC I2C bus using a RiseFallTime of 20us for old monitors. * Clean up Rotate state on server reset. * Clear allocated RandR screen private structure. * Clean up xf86CrtcRec and xf86OutputRec objects at CloseScreen. * Make sure RandR events are delivered from RRCrtcSet. * Fix Pending property API, adding RRPostPendingProperty. * Incorrect extra memory copy in RRChangeOutputProperty. * Ensure that crtc desired values track most recent mode. * Make pending properties force mode set. And, remove AttachScreen calls. * Set version to 1.2.99.903 (1.3 RC3) * fbdevhw: Consolidate modeset ioctl calling, report failure if it modifies mode. * fbdevhw: Fix some issues with the previous commit. * fbdevhw: Use displayWidth for fbdev virtual width when appropriate. * fbdevhw: Override RGB offsets and masks after setting initial mode. * fbdevhw: Consider mode set equal to mode requested if virtual width is larger. * fbdevhw: Only deal with RGB weight if default visual is True- or DirectColor. * Add per-drawable Xv colour key helper function. * Bump video driver ABI version to 1.2. - no longer apply bug-211314_mesa-context.diff, bug-211314_p_drawable_privclean.diff (Bug #211314, comment #114) - added different Mesa patches (Bug #211314, comments #114/#115) - Remove bug197190-ia64.diff, fix x86emu instead. - xserver 1.2.99.902 release: * Xprint: shorten font filename to fit in tar length limit * Move xf86SetSingleMode into X server from intel driver. * Add xf86SetDesiredModes to apply desired modes to crtcs. * Use EDID data to set screen physical size at server startup. * Allow relative positions to use output names or monitor identifiers. * Add xf86CrtcScreenInit to share initialization across drivers. * Add hw/xfree86/docs/README.modes, documenting new mode setting APIs. * Remove stale monitor data when output becomes disconnected. * Revert "Xprint includes a filename which is too long for tar." * Revert "Xext: Update device's lastx/lasty when sending a motion event with XTest." * Xext: Update device's lastx/lasty when sending a motion event with XTest. - xf86crtc_allowdual.diff no longer required; replaced by xrandr_12_newmode.diff in xrandr (xorg-x11 package) - bug197190-ia64.diff: * missing -DNO_LONG_LONG for IA64 (Bug #197190) - xf86crtc_allowdual.diff: * allows dualhead even when the second monitor is not yet connected during Xserver start - %post: replace "i810beta" with "intel" in existing xorg.conf - xserver 1.2.99.901 release: * RandR 1.2 * EXA damage track * minor fixes - use global permissions files for SUSE > 10.1 (Bug #246228) - improved bug-197858_dpms.diff to fix Xserver crash (Bug #197858) - bug-197858_dpms.diff: * finally fixed "X server wakes up on any ACPI event" issue (Bug #197858) - bug-211314_p_drawable_privclean.diff: * fixed for cleaning up pointers - fixed build - bug-211314_p_drawable_privclean.diff: * fixes Xserver crash in Mesa software rendering path (Bug #211314) - xserver 1.2.0 release * Bug #9219: Return BadMatch when trying to name the backing pixmap of an unrealized window. * Bug #9219: Use pWin->viewable instead of pWin->realized to catch InputOnly windows too. * Fix BSF and BSR instructions in the x86 emulator. * Bug #9555: Always define _GNU_SOURCE in glibc environments. * Bug #8991: Add glXGetDrawableAttributes dispatch; fix texture format therein. * Bump video and input ABI minors. * Fix release date. * Fix syntax error in configure check for SYSV_IPC that broke with Sun cc * Map missing keycodes for Sun Type 5 keyboard on Solaris SPARC * Update pci.ids to 2006-12-06 from pciids.sf.net * Xorg & Xserver man page updates for 1.2 release * xorg.conf man page should say "XFree86-DGA", not "Xorg-DGA" * Xserver man page: remove bc, add -wr * Update pci.ids to 2007-01-18 snapshot * Update Xserver man page to match commit ed33c7c98ad0c542e9e2dd6caa3f84879c21dd61 * Fix Tooltip from minimized clients * Fix Xming fails to use xkb bug * Fix bad commit * Set Int10Current->Tag for the linux native int10 module * added mipmap.c * configure.ac: prepare for 1.2.0 (X11R7.2) * sparc: don't include asm/kbio.h -- it no longer exists in current headers. * Minor typos in Xserver man page. * Fix several cases where optimized paths were hit when they shouldn't be. * Try dlsym(RTLD_DEFAULT) first when finding symbols. * Fix RENDER issues (bug #7555) and implement RENDER add/remove screen * For Xvfb, Xnest and Xprt, compile fbcmap.c with -DXFree86Server * Multiple integer overflows in dbe and render extensions * Require glproto >= 1.4.8 for GLX. * __glXDRIscreenProbe: Use drmOpen/CloseOnce. * xfree86/hurd: re-add missing keyboard support (bug #5613) * remove last remaning 'linux'isms (bug #5613) - obsoletes * Mesa-6.5.2.diff * xorg-server-1.1.99.901-GetDrawableAttributes.patch * int10-fix.diff * cve-2006-6101_6102_6103.diff - disabled build of VNC server/module - bug-211314_mesa-context.diff: * fixes Xserver crash in software rendering fallback (Bug #211314) - 0018-vnc-support.txt.diff * fixed unresolved symbols vncRandomBytes/deskey in VNC module (terminated Xserver when client connected) - bug227111-ddc_screensize.diff: * allow user overrides for monitor settings (Bug #227111) - loadmod-bug197195.diff: * check the complete path (Bug #197195) - added build of VNC support (0018-vnc-support.txt/ 0018-vnc-support.txt.diff); see 0018-vnc-support.txt.mbox for reference - cve-2006-6101_6102_6103.diff: * CVE-2006-6101 iDefense X.org ProcRenderAddGlyphs (Bug #225972) * CVE-2006-6102 iDefense X.org ProcDbeGetVisualInfo (Bug #225974) * CVE-2006-6103 iDefense X.org ProcDbeSwapBuffers (Bug #225975) - int10-fix.diff * Set Int10Current->Tag for the linux native int10 module (X.Org Bug #9296) * obsoletes p_initialize-pci-tag.diff - reverted latest change by schwab (Bug #197190, comment #67) - Fix off-by-one in pci multi-domain support [#229278]. - libdrm.diff: * no longer fail when some driver tries to load "drm" module - xorg-server-1.1.99.901-GetDrawableAttributes.patch: * hopefully fixes AIGLX issues (X.Org Bug #8991) - another 64bit warning fix - X.Org 7.2RC3 release * Add a -showDefaultModulePath option. * Add a -showDefaultLibPath option. * Add DIX_CFLAGS to util builds. * Fix release date, and tag 1.1.99.903 * make X server use system libdrm - this requires libdrm >= 2.3.0 * DRI: call drmSetServerInfo() before drmOpen(). * add extern to struct definition * fixup configure.ac problems with DRI_SOURCES and LBX_SOURCES * bump to 1.1.99.903 * remove CID support (bug #5553) * dri: setup libdrm hooks as early as possible. * Bug #8868: Remove drm from SUBDIRS now that the directory is gone. * Fix typo before the last commit. * Fix GL context destruction with AIGLX. * On DragonFLy, default to /dev/sysmouse (just like on FreeBSD). * ffs: handle 0 argument (bug #8968) * Bug #9023: Only check mice for "mouse" or "void" if identifier is != NULL. Fix potential NULL pointer access in timer code. - updated Mesa sources to 6.5.2 - xserver-timers.diff: * fix null pointer reference in timer code (Bug #223718) - p_pci-off-by-one.diff: * readded off by one fix, which has been dropped by accident (Bug #197190) - acpi_events.diff: * distinguish between general and input devices also for APM (Bug #197858) - removed /etc/X11/Xsession.d/92xprint-xpserverlist (Bug #220733) - mouse-fix.diff: * prevent driver from crashing when something different than "mouse" or "void" is specified; only check mice for "mouse" or "void" if identifier is != NULL. (X.Org Bug #9023) - X.Org 7.2RC2 release - adjusted p_enable-altrix.diff, p_pci-domain.diff - obsoletes p_pci-ia64.diff, xorg-xserver-ia64-int10.diff p_pci-legacy-mmap.diff - Changes in RC2 since RC1 Aaron Plattner: Fix standard VESA modes. Adam Jackson: Bug #6786: Use separate defines for server's Fixes support level. 'make dist' fixes. Fix distcheck. Include a forgotten ia64 header in the distball. Builds on ia64 now. configure.ac bump. Alan Coopersmith: Make sure xorgcfg files are included even when dist made with --disable-xorgcfg Use getisax() instead of asm code to determine available x86 ISA extensions on Solaris Pre-release message should tell users to check git, not CVS, for updates Fix automake error: BUILT_SOURCES was defined multiple times on Solaris Bug #1997: AUDIT messages should contain uid for local accesses If getpeerucred() is available, include pid & zoneid in audit messages too Make _POSIX_C_SOURCE hack work with Solaris headers Alan Hourihane: Small modification to blocking signals when switching modes. Bjorn Helgaas: Do not map full 0-1MB legacy range Bram Verweij: xfree86/linux acpi: fix tokenising Daniel Stone: GetTimeInMillis: spuport monotonic clock WaitForSomething: allow time to rewind Revert "WaitForSomething: allow time to rewind" Revert "GetTimeInMillis: spuport monotonic clock" add 'general socket' handler, port ACPI to use it WaitForSomething: allow time to rewind WaitForSomething: only rewind when delta is more than 250ms GetTimeInMillis: spuport monotonic clock GetTimeInMillis: simplify monotonic test GetTimeInMillis: use correct units for clock_gettime os: fix sun extensions test Eamon Walsh: Bug #8875: Security extension causes Xorg to core dump on server reset whitespace adjust More work on Bug #8875: revert previous fix and try using client argument Bug #8937: Extension setup functions not called on server resets Egbert Eich: Fixing mach64 driver bailing out on ia64 Make int10 fully domain aware. Erik Andren: remove XFree86 changelogs (bug #7262) Joshua Baergen: Create xorg.conf.example (Gentoo bug #138623). Laurence Withers: CreateColormap: fix return value (bug #7083) Matthias Hopf: Build with -D_PC on ix86 only. Added missing domain stripping in already domain aware code. Added linux 2.6 compatible domain aware device scanning code. Fixing domain support for ia64 Add domain support to linuxPciOpenFile(). Fix device path in altixPCI.c to be domain aware. Fix obviously wrong boundary checks + cleanup unused vars. Matthieu Herrb: kill GNU-make'ism. Handle building in a separate objdir Michel Dänzer: Fix __glXDRIbindTexImage() for 32 bpp on big endian platforms. Fix test for Option "IgnoreABI". Myron Stowe: xfree86: re-enable chipset-specific drivers for Linux/ia64 Rich Coe: CheckConnections: don't close down the server client (bug #7876) - p_ppc_domain_workaround.diff: * ugly workaround for still missing domain support on ppc (Bug #202133) - updated to snapshot of xserver-1.2-branch (soon to be released as X.Org 7.2RC2) * Make sure xorgcfg files are included even when dist made with --disable-xorgcfg * Small modification to blocking signals when switching modes. * Use getisax() instead of asm code to determine available x86 ISA extensions on Solaris * Pre-release message should tell users to check git, not CVS, for updates * Fix __glXDRIbindTexImage() for 32 bpp on big endian platforms. * Create xorg.conf.example (Gentoo bug #138623). * Fix test for Option "IgnoreABI". This option has plenty of potential for wasting the time of bug triagers without pretending it's always on. * kill GNU-make'ism. * Handle building in a separate objdir * Fix automake error: BUILT_SOURCES was defined multiple times on Solaris * Bug #1997: AUDIT messages should contain uid for local accesses * If getpeerucred() is available, include pid & zoneid in audit messages too - added /etc/modprobe.d/nvidia - xorg-xserver-ia64-int10.diff: * build int10 module with _PC only on %ix86 (Bug #197190) - added build of Xephyr; useful for debugging KDE apps (coolo) - cfb8-undefined.diff: * fixes warning for undefined behaviour - Own /etc/X11/Xsession.d directory. - Use /etc/X11/Xsession.d. - updated to X.Org 7.2RC1 - only disable AIGLX by default on SUSE <= 10.1 (Bug #197093) - no longer fake release version for fglrx driver (Bug #198125) - glx-align.patch: * reenabled -D__GLX_ALIGN64 on affected plaforms (X.Org Bug #8392) - Fixes to p_pci-domain.diff (Bug #197572) * internal domain number of by one (was supposed to be a cleanup, but other code dependet on this semantics) * fixed another long-standing of-by-1 error - p_enable-altrix.diff (Bug #197572) * This additional patch enables the build of the altrix detection routines, which have apparently not been included in Xorg 7.1 yet. This patch needs a autoreconf -fi after application. - updated to Mesa 6.5.1 - disable-fbblt-opt.diff: * Disable optimization (introduced by ajax) due to a general vesa driver crash later in memcpy (Bug #204324) - removed two source files with imcompatible license from Mesa tarball (Bug #204110) - added a check to specfile to make sure that these will not be reintroduced with the next Mesa update again (Bug #204110) - moved xf86Parser.h,xf86Optrec.h back to /usr/include/xorg, since SaX2 build issues have finally been resolved by making use of "-iquote /usr/include/xorg -I." - disable-root-xorg_conf.diff: * no longer consider to read /root/xorg.conf - only require xorg-x11-fonts-core ('fixed' + 'cursor' fonts) - fake release version for fglrx driver again, since using IgnoreABI does not help (the check for the ABI version is in the binary-only fglrx driver) - added Requires: xorg-x11-driver-{input,video} (Bug #202080) - ignore-abi.diff: * adds IgnoreABI option for xorg.conf (same as -ignoreABI) - remove .la files - no longer fake release version for fglrx driver; use the new IgnoreABI option instead! - PCI/IA64 Patches (Bug #197572): * apply new p_pci-domain.diff (mhopf) * apply new p_pci-ce-x.diff (mhopf) - PCI/IA64 Patches (Bug #197572): * removed p_mappciBIOS_complete.diff (already applied upstream) * apply p_pci-ia64.diff * apply p_pci-legacy-mmap.diff only for IA64 (as before) * disabled for now: - p_pci-domain.diff: still issues with it - p_pci-ce-x.diff: sits on top of p_pci-domain.diff - added PCI/IA64 patches, but disabled them for now (Bug #197572) - remove comp. symlinks in /usr/X11R6/bin for openSUSE >= 10.2 - fixed build for s390/s390x, e.g. use configure options --disable-install-libxf86config --disable-aiglx --disable-dri --disable-xorg - changed os-name to "openSUSE" instead of "Linux" before - fake release version for fglrx driver :-( - xinerama-sig11.diff: * prevents Xserver Sig11 with broken Xinerama config (Bug #135002) - moved /usr/%_lib/pkgconfig/xorg-server.pc to xorg-x11-server - added pkgconfig to Requires of xorg-x11-server - disable-aiglx.diff: * disabled AIGLX by default (related to Bug #197093); enable it with 'Option "AIGLX" "true"' in ServerFlags section of xorg.conf - enabled build of aiglx - patch font path also in xorg.conf when set to /usr/lib/X11/fonts/ or /usr/X11/lib/X11/fonts - patch xorg.conf in %post: * radeonold/radeon10b driver --> radeon driver - added "Requires: xorg-x11-fonts" to prevent issues like "could not open default font 'fixed'" for any Xserver - make sure that symlinks /usr/bin/X --> /var/X11R6/bin/X /var/X11R6/bin/X --> /usr/bin/Xorg are packaged. - p_xorg_acpi.diff: * fixed for archs which don't have HAVE_ACPI defined, e.g. ppc - p_xf86Mode.diff: * removes wrong warning (Bug #139510) - p_xorg_acpi.diff: * reconnect to acpid when acpid has been killed (Bug #148384) - p_xkills_wrong_client.diff: * This patch has unveiled two other problems. One is rather serious as there seems to be a non-zero possibility that the Xserver closes the wrong connection and this closes the wrong client when it looks for stale sockets of clients that have disappeared (eich, Bug #150869) - p_bug159532.diff: * X Clients can intentionally or unintenionally crash X11 by using composite on depth 4 pixmaps. This patch fixes this. (Bug #159532) - p_xnest-ignore-getimage-errors.diff: * ignores the X error on GetImage in Xnest (Bug #174228, X.Org Bug #4411) - p_initialize-pci-tag.diff: * initialize PCI tag correctly, which is used by an IA64 specific patch (see Bug #147261 for details); fixes Xserver crashes with fglrx driver - and possibly other drivers like vesa - during initial startup (!), VT switch and startup of second Xserver (SLED10 Blocker Bugs #180535, #170991, #158806) - p_ia64-console.diff: * fixes MCA after start of second Xserver (Bug #177011) - p_mouse_misc.diff: * fix X server crashes with synaptics driver (Bug #61702) - pu_fixes.diff * Fixes not yet in the official version - p_bug96328.diff: * fallback mouse device checking - p_vga-crashfix.diff: * fixes vga driver crash (#133989) - p_xorg_rom_read.diff * read rom in big chunks instead of byte-at-a-time (Bug #140811) - ps_showopts.diff * Xserver "-showopts" option to print available driver options (Bug #137374) - add /var/X11R6/bin directory for now (Bug #197188) - fix setup line - fixed fatal compiler warnings - always (and only) patch xorg.conf if necessary - update to xorg-server release 1.1.99.3 - use "-fno-strict-aliasing" - use $RPM_OPT_FLAGS - remove existing /usr/include/X11 symlink in %pre - install xf86Parser.h,xf86Optrec.h to /usr/include instead of /usr/include/xorg, so it is no longer necessary to specify "-I/usr/include/xorg" which resulted in including a wrong "shadow.h" (by X.Org) when building SaX2 (strange build error) - added permissions files - add compatibility symlink /usr/X11R6/bin/Xorg - p_ValidatePci.diff: * no longer call ValidatePci() to fix i810 driver issues (Bug #191987) - fixed build - bfo-bug15222.diff (bfo #15222, bnc #374318) * CVE-2008-2360 - RENDER Extension heap buffer overflow * CVE-2008-2361 - RENDER Extension crash * CVE-2008-2362 - RENDER Extension memory corruption * CVE-2008-1379 - MIT-SHM arbitrary memory read * CVE-2008-1377 - RECORD and Security extensions memory corruption - xserver-mode-fuzzy-check.diff * Make mode checking more tolerant like in pre-RandR times. - fix-dpi-values.diff * fixes DPI values for RANDR 1.2 capable drivers (bnc #393001) - mention ZapWarning also in Xorg manual page (bnc #391352) - xorg-server-1.4-vnc-render_sig11.diff * fixed sig11 in RENDER code (bnc #385677) - disabled patch to disable RENDER support in Xvnc, since it broke 24bit color depth support (bnc #390011) - xorg-server-1.4-vnc-disable_render.diff * disabled RENDER support in Xvnc (bnc #385677) - events.diff * eating up key events before going into the idle loop upon vt switch instead of after return (bnc #152522) - xkb_action.diff * fixed remaining unitialized warning in X.Org (bnc #83910) - fbdevhw.diff * screen blanking not supported by vesafb of Linux kernel (bnc #146462) - no longer disable AIGLX by default - XAANoOffscreenPixmaps.diff * disable Offscreen Pixmaps by default (bnc #376068) - Fix another o-b-1 in pci domain support. - randr1_1-sig11.diff * fixes Xserver crash when running xrandr on a different virtual terminal (Egbert Eich, bnc #223459) - commit-37b1258.diff * possibly fixes unwanted autorepeat (bnc #377612, bfo #14811) - bitmap_always_unscaled.diff * Default bitmap fonts should typically be set as unscaled (libv) - update to Mesa bugfix release 7.0.3 (final) sources - update to Mesa bugfix release 7.0.3 RC3 sources - confine_to_shape.diff * fixes XGrabPointer's confine_to with shaped windows (bnc #62146) - zap_warning_xserver.diff * implements FATE #302988: ZapWarning (Luc Verhaegen) Uses PCSpeaker for beep. Press once, beep. Press again within 2s (which is ample), terminate. Documented in xorg.conf manpage. - make the memory corruption fix by schwab a seperate patch to make sure it won't get lost the next time I update the VNC patch - Fix vnc server memory corruption. - commit-a6a7fad.diff * Don't break grab and focus state for a window when redirecting it. (bnc #336219, bfo #488264) - update to Mesa bugfix release 7.0.3 RC2 sources * Fixed GLX indirect vertex array rendering bug (14197) * Fixed crash when deleting framebuffer objects (bugs 13507, 14293) * User-defined clip planes enabled for R300 (bug 9871) * Fixed glBindTexture() crash upon bad target (bug 14514) * Fixed potential crash in glDrawPixels(GL_DEPTH_COMPONENT) (bug 13915) * Bad strings given to glProgramStringARB() didn't generate GL_INVALID_OPERATION * Fixed minor point rasterization regression (bug 11016) - added Requires:xkeyboard-config to xorg-x11-server - commit-50e80c3.diff: * never overwrite realInputProc with enqueueInputProc (bnc#357989, bfo#13511) - only switch to radeon driver in %post if radeonold driver is no longer available (Bug #355009) - some more cleanup in %post - Move manpage to the sub package that provides the binary. - update to Mesa bugfix release 7.0.3 RC1 sources * Added missing glw.pc.in file to release tarball * Fix GLUT/Fortran issues * GLSL gl_FrontLightModelProduct.sceneColor variable wasn't defined * Fix crash upon GLSL variable array indexes (not yet supported) * Two-sided stencil test didn't work in software rendering * Fix two-sided lighting bugs/crashes (bug 13368) * GLSL gl_FrontFacing didn't work properly * glGetActiveUniform returned incorrect sizes (bug 13751) * Fix several bugs relating to uniforms and attributes in GLSL API (Bruce Merry, bug 13753) * glTexImage3D(GL_PROXY_TEXTURE_3D) mis-set teximage depth field - updated patch for CVE-2007-6429 once more (X.Org Bug #13520) * Always test for size+offset wrapping. - updated patch for CVE-2007-6429 (Bug #345131) * Don't spuriously reject <8bpp shm pixmaps. Move size validation after depth validation, and only validate size if the bpp of the pixmap format is > 8. If bpp < 8 then we're already protected from overflow by the width and height checks. - X.Org security update * CVE-2007-5760 - XFree86 Misc extension out of bounds array index * CVE-2007-6427 - Xinput extension memory corruption. * CVE-2007-6428 - TOG-cup extension memory corruption. * CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows. * CVE-2008-0006 - PCF Font parser buffer overflow. - xorg-server 1.4.0.90 (prerelease of 1.4.1) - pixman.diff * fixed include path for pixman.h - remove_bogus_modeline.diff * remove bogus monitor modelines provided by DDC (Bug #335540) - commit-184e571.diff * Adjust offsets of modes that do not fit virtual screen size. - commit-c6c284e.diff * Initialize Mode with 0 in xf86RandRModeConvert. - commit-f6401f9.diff * Don't segfault if referring to a relative output where no modes survived. - commit-f7dd0c7.diff * Only clear crtc of output if it is the one we're actually working on. - commit-fa19e84.diff * Fix initial placement of LeftOf and Above. - pixman.diff no longer required - s390(x): allow mfb build without Xorg server being built - commit-29e0e18.diff * Make config file preferred mode override monitor preferred mode. - commit-feac075.diff * Leave hardware-specified preferred modes alone when user preference exists. - obsoletes preferred_mode-fix.diff - added xorg-x11-fonts-core/xorg-x11 to Requires (Bug #341312) - ia64linuxPciInit: allocate extra space for fake devices. - updated to Mesa 7.0.2 (final) sources - updated to Mesa 7.0.2 RC1 sources - xorg-server-1.4-vnc-64bit.diff * fixes segfault on 64bit during Xserver start; make sure to define _XSERVER64 by having HAVE_DIX_CONFIG_H defined and therefore including dix-config.h, so Atom is CARD32 instead of unsigned long before and no longer messes up the pInfo structure in xf86rfbMouseInit/xf86rfbKeybInit - finally enabled build of xf4vnc (standalone Xvnc and VNC Xserver module) - updated xf4vnc patch; still disabled due to problematic vnc module - preferred_mode-fix.diff * more reasonable patch (Bug #329724) - preferred_mode-fix.diff * fixed endless loop if PreferredMode is set (Bug #329724) - removed obsolete patch p_pci-domain.diff (Bug #308693, comment #26) - apply p_pci-off-by-one.diff.ia64 on all platforms since it clearly only affects platforms, where INCLUDE_XF86_NO_DOMAIN is *not* set; this still not explains why we have seen Xserver hangups with the patch in place on at least some %ix86/x86_64 machines with fglrx/ nvidia driver IIRC; it needs to verified if this problem is still reproducable ... (Bug #308693, comment #25) - xserver-1.3.0-xkb-and-loathing.patch * Ignore (not just block) SIGALRM around calls to Popen()/Pclose(). Fixes a hang in openoffice when opening menus. (Bug #245711) - added missing ia64Pci.h; required for IA64 - recreated p_pci-off-by-one.diff.ia64; the default fuzz factor of patch (2) resulted in a hunk applied to the wrong function and therefore broke the build :-( - xorg-server 1.4 * Welcome to X.Org X Server 1.4, now with hotplugging input to go with the hotplugging output. Also included in this release are many performance and correctness fixes to the EXA acceleration architecture, support for DTrace profiling of the X Server, accelerated GLX_EXT_texture_from_pixmap with supporting DRI drivers, and many improvements to the RandR 1.2 support that was added in xorg-server-1.3. The X Server now relies on the pixman library, which replaces the fb/fbcompose.c and accelerated implementations that were previously shared through code-duplication with the cairo project. * obsolete patches: - bug-259290_trapfault.diff - cfb8-undefined.diff - commit-c09e68c - i810_dri_fix_freeze.diff - p_bug159532.diff - p_enable-altrix.diff - p_pci-ce-x.diff - p_pci-off-by-one.diff - p_xorg_rom_read.diff - randr12-2926cf1da7e4ed63573bfaecdd7e19beb3057d9b.diff - randr12-5b424b562eee863b11571de4cd0019cd9bc5b379.diff - randr12-aec0d06469a2fa7440fdd5ee03dc256a68704e77.diff - randr12-b2dcfbca2441ca8c561f86a78a76ab59ecbb40e4.diff - randr12-b4193a2eee80895c5641e77488df0e72a73a3d99.diff - remove__GLinterface.patch - support_mesa6.5.3.patch - use-composite-for-unequal-depths.patch - x86emu.diff - xephyr-sig11-fix.diff * adjusted patches: - 64bit.diff - bug-197858_dpms.diff - bug227111-ddc_screensize.diff - disable-root-xorg_conf.diff - fpic.diff - glx-align.patch - libdrm.diff - p_bug96328.diff - p_ia64-console.diff - p_vga-crashfix.diff - xephyr.diff - pixman.diff: * search for pixman instead of pixman-1 - bumped version to 7.3 - remove wrongly prebuilt xf1bpp files after extracting tarball; fixes vga module loading (Bug #328201) - do not use "make -j" to (quick)fix xf1bpp build - do not apply p_pci-domain.diff on IA64 - use updated off-by-one patch by schwab for IA64 - edit_data_sanity_check.diff: * added sanity check for monitor EDID data (Bug #326454) - reverted changes by schwab on Fri Sep 7; these resulted i a black screen during Xserver start with any driver on non-IA64 platforms - use-composite-for-unequal-depths.patch: * Use Composite when depths don't match (Bug #309107, X.Org Bug [#7447]) - Update off-by-one patch. - Remove empty patch. - fbdevhw.diff: * ignore pixclock set to 0 by Xen kernel (Bug #285523) - added several RANDR 1.2 fixes (Bug #306699) * randr12-2926cf1da7e4ed63573bfaecdd7e19beb3057d9b.diff Allocate the right number of entries for saving crtcs * randr12-5b424b562eee863b11571de4cd0019cd9bc5b379.diff Set the crtc before the output change is notified. Set the new randr crtc of the output before the output change notification is delivered to the clients. Remove RROutputSetCrtc as it is not really necessary. All we have to do is set the output's crtc on RRCrtcNotify * randr12-8d230319040f0a7f72231da2bf5ec97dc3612e21.diff Fix the output->crtc initialization in the old randr setup * randr12-aec0d06469a2fa7440fdd5ee03dc256a68704e77.diff Fix a crash when rotating the screen. Remember output->crtc before setting a NULL mode because RRCrtcNotify now sets output->crtc to NULL. Use the saved crtc to set the new mode. * randr12-b2dcfbca2441ca8c561f86a78a76ab59ecbb40e4.diff RRScanOldConfig cannot use RRFirstOutput before output is configured. RRFirstOutput returns the first active output, which won't be set until after RRScanOldConfig is finished running. Instead, just use the first output (which is the only output present with an old driver, after all). * randr12-b4193a2eee80895c5641e77488df0e72a73a3d99.diff RRScanOldConfig wasn't getting crtcs set correctly. The output crtc is set by RRCrtcNotify, which is called at the end of RRScanOldConfig. Several uses of output->crtc in this function were wrong. - i810_dri_fix_freeze.diff: * fixes freeze after pressing Ctrl-Alt-BS (X.Org Bug #10809) - xserver-mode-fuzzy-check.diff: * Fix for Xserver being more fuzzy about mode validation (Bug #270846) - disable AIGLX by default; without enabled Composite extension (still problematic on many drivers) it's rather useless anyway - updated xorg.conf manual page - fix fileconflict over doc/MAINTAINERS - build parallel - updated Mesa source to bugfix release 7.0.1 - xephyr-sig11-fix.diff: * long vs. CARD32 mismatch in KeySym definitions between client and server code - this patch seems to fix it (and the input rework in head fixed it as well in a different way) (Bug #235320) - fixed build on s390(x) - added X(7) and security(7) manual pages - updated Mesa source to final release 7.0 - updated Mesa source to release 7.0 RC1 * Mesa 7.0 is a stable, follow-on release to Mesa 6.5.3. The only difference is bug fixes. The major version number bump is due to OpenGL 2.1 API support. - simplified p_default-module-path.diff - disabled build of Xprt - moved Xdmx, Xephyr, Xnest and Xvfb to new subpackage xorg-x11-server-extra - commit-c09e68c: * Paper over a crash at exit during GLX teardown - updated to Mesa 6.5.3 sources - obsoletes the following patches: * bug-211314_mesa-destroy_buffers.diff * bug-211314_mesa-framebuffer-counting.diff * bug-211314-patch-1.diff * bug-211314-patch-2.diff * bug-211314-patch-3.diff * bug-211314-patch-4.diff * bug-211314-patch-5.diff * bug-211314-patch-6.diff * bug-211314-patch-7.diff * bug-211314-patch-8.diff * bug-211314-patch-9.diff * bug-211314-patch-10.diff * bug-211314-patch-11.diff * bug-211314_mesa-refcount-memleak-fixes.diff * Mesa-6.5.2-fix_radeon_cliprect.diff - remove__GLinterface.patch/ support_mesa6.5.3.patch * required Xserver changes for Mesa 6.5.3 - xorg-x11-server-1.2.99-unbreak-domain.patch: * This patch fixes some multi-domain systems such as Pegasos with xorg-server 1.3. Since pci-rework should get merged soon and this patch is a bit of a hack, it never got pushed upstream. (X.Org Bug #7248) - back to Mesa 6.5.2 (Bug #269155/269042) - Mesa update: 4th RC ready * This fixes some breakage in RC3. - Mesa update: 3rd release candidate * updated Windows/VC8 project files. - updated to Mesa 6.5.3rc2 sources * a number of bug fixes since the first RC - updated to Mesa 6.5.3rc1 sources - obsoletes the following patches: * bug-211314_mesa-destroy_buffers.diff * bug-211314_mesa-framebuffer-counting.diff * bug-211314-patch-1.diff * bug-211314-patch-2.diff * bug-211314-patch-3.diff * bug-211314-patch-4.diff * bug-211314-patch-5.diff * bug-211314-patch-6.diff * bug-211314-patch-7.diff * bug-211314-patch-8.diff * bug-211314-patch-9.diff * bug-211314-patch-10.diff * bug-211314-patch-11.diff * bug-211314_mesa-refcount-memleak-fixes.diff * Mesa-6.5.2-fix_radeon_cliprect.diff - GL-Mesa-6.5.3.diff: * adjusted GL subdir to Mesa 6.5.3rc1 - xserver 1.3.0.0 release * Syncmaster 226 monitor needs 60Hz refresh (#10545). * In AIGLX EnterVT processing, invoke driver EnterVT before resuming glx. * Disable CRTC when SetSingleMode has no matching mode. Update RandR as well. * Rotate screen size as needed from RandR 1.1 change requests. * Add quirk for Acer AL1706 monitor to force 60hz refresh. * RandR 1.2 spec says CRTC info contains screen-relative geometry * typo in built-in module log message * Use default screen monitor for one of the outputs. * Allow outputs to be explicitly enabled in config, overriding detect. * Was accidentally disabling rotation updates in mode set. * Disable SourceValidate in rotation to capture cursor. - Mesa-6.5.2-fix_radeon_cliprect.diff: * fixes X.Org Bug #9876 - bug-259290_trapfault.diff: * fixes crash caused by bug in XRender code (Bug #259290) - xserver 1.2.99.905 release: * CVE-2007-1003: XC-MISC Extension ProcXCMiscGetXIDList() Memory Corruption * X.Org Bug #10296: Fix timer rescheduling - obsoletes bug-243978_xcmisc.diff - xserver 1.2.99.904 release: * Don't erase current crtc for outputs on CloseScreen - bug-243978_xcmisc.diff: * mem corruption in ProcXCMiscGetXIDList (CVE-2007-1003, Bug #243978) - bug-211314_mesa-refcount-memleak-fixes.diff: * Fix for memleaks and refount bugs (Bug #211314) - p_default-module-path.diff: * only return /usr/%lib/xorg/modules in "-showDefaultModulePath" Xserver option (Bug #257360) - set Xserver version to 7.2.0 with configure option (Bugs #257360, #253702) - xserver 1.2.99.903 release: * Create driver-independent CRTC-based cursor layer. * Allow xf86_reload_cursors during server init. * Don't wedge when rotating more than one CRTC. * Correct ref counting of RRMode structures * Remove extra (and wrong) I2C ByteTimeout setting in DDC code. * Slow down DDC I2C bus using a RiseFallTime of 20us for old monitors. * Clean up Rotate state on server reset. * Clear allocated RandR screen private structure. * Clean up xf86CrtcRec and xf86OutputRec objects at CloseScreen. * Make sure RandR events are delivered from RRCrtcSet. * Fix Pending property API, adding RRPostPendingProperty. * Incorrect extra memory copy in RRChangeOutputProperty. * Ensure that crtc desired values track most recent mode. * Make pending properties force mode set. And, remove AttachScreen calls. * Set version to 1.2.99.903 (1.3 RC3) * fbdevhw: Consolidate modeset ioctl calling, report failure if it modifies mode. * fbdevhw: Fix some issues with the previous commit. * fbdevhw: Use displayWidth for fbdev virtual width when appropriate. * fbdevhw: Override RGB offsets and masks after setting initial mode. * fbdevhw: Consider mode set equal to mode requested if virtual width is larger. * fbdevhw: Only deal with RGB weight if default visual is True- or DirectColor. * Add per-drawable Xv colour key helper function. * Bump video driver ABI version to 1.2. - no longer apply bug-211314_mesa-context.diff, bug-211314_p_drawable_privclean.diff (Bug #211314, comment #114) - added different Mesa patches (Bug #211314, comments #114/#115) - Remove bug197190-ia64.diff, fix x86emu instead. - xserver 1.2.99.902 release: * Xprint: shorten font filename to fit in tar length limit * Move xf86SetSingleMode into X server from intel driver. * Add xf86SetDesiredModes to apply desired modes to crtcs. * Use EDID data to set screen physical size at server startup. * Allow relative positions to use output names or monitor identifiers. * Add xf86CrtcScreenInit to share initialization across drivers. * Add hw/xfree86/docs/README.modes, documenting new mode setting APIs. * Remove stale monitor data when output becomes disconnected. * Revert "Xprint includes a filename which is too long for tar." * Revert "Xext: Update device's lastx/lasty when sending a motion event with XTest." * Xext: Update device's lastx/lasty when sending a motion event with XTest. - xf86crtc_allowdual.diff no longer required; replaced by xrandr_12_newmode.diff in xrandr (xorg-x11 package) - bug197190-ia64.diff: * missing -DNO_LONG_LONG for IA64 (Bug #197190) - xf86crtc_allowdual.diff: * allows dualhead even when the second monitor is not yet connected during Xserver start - %post: replace "i810beta" with "intel" in existing xorg.conf - xserver 1.2.99.901 release: * RandR 1.2 * EXA damage track * minor fixes - use global permissions files for SUSE > 10.1 (Bug #246228) - improved bug-197858_dpms.diff to fix Xserver crash (Bug #197858) - bug-197858_dpms.diff: * finally fixed "X server wakes up on any ACPI event" issue (Bug #197858) - bug-211314_p_drawable_privclean.diff: * fixed for cleaning up pointers - fixed build - bug-211314_p_drawable_privclean.diff: * fixes Xserver crash in Mesa software rendering path (Bug #211314) - xserver 1.2.0 release * Bug #9219: Return BadMatch when trying to name the backing pixmap of an unrealized window. * Bug #9219: Use pWin->viewable instead of pWin->realized to catch InputOnly windows too. * Fix BSF and BSR instructions in the x86 emulator. * Bug #9555: Always define _GNU_SOURCE in glibc environments. * Bug #8991: Add glXGetDrawableAttributes dispatch; fix texture format therein. * Bump video and input ABI minors. * Fix release date. * Fix syntax error in configure check for SYSV_IPC that broke with Sun cc * Map missing keycodes for Sun Type 5 keyboard on Solaris SPARC * Update pci.ids to 2006-12-06 from pciids.sf.net * Xorg & Xserver man page updates for 1.2 release * xorg.conf man page should say "XFree86-DGA", not "Xorg-DGA" * Xserver man page: remove bc, add -wr * Update pci.ids to 2007-01-18 snapshot * Update Xserver man page to match commit ed33c7c98ad0c542e9e2dd6caa3f84879c21dd61 * Fix Tooltip from minimized clients * Fix Xming fails to use xkb bug * Fix bad commit * Set Int10Current->Tag for the linux native int10 module * added mipmap.c * configure.ac: prepare for 1.2.0 (X11R7.2) * sparc: don't include asm/kbio.h -- it no longer exists in current headers. * Minor typos in Xserver man page. * Fix several cases where optimized paths were hit when they shouldn't be. * Try dlsym(RTLD_DEFAULT) first when finding symbols. * Fix RENDER issues (bug #7555) and implement RENDER add/remove screen * For Xvfb, Xnest and Xprt, compile fbcmap.c with -DXFree86Server * Multiple integer overflows in dbe and render extensions * Require glproto >= 1.4.8 for GLX. * __glXDRIscreenProbe: Use drmOpen/CloseOnce. * xfree86/hurd: re-add missing keyboard support (bug #5613) * remove last remaning 'linux'isms (bug #5613) - obsoletes * Mesa-6.5.2.diff * xorg-server-1.1.99.901-GetDrawableAttributes.patch * int10-fix.diff * cve-2006-6101_6102_6103.diff - disabled build of VNC server/module - bug-211314_mesa-context.diff: * fixes Xserver crash in software rendering fallback (Bug #211314) - 0018-vnc-support.txt.diff * fixed unresolved symbols vncRandomBytes/deskey in VNC module (terminated Xserver when client connected) - bug227111-ddc_screensize.diff: * allow user overrides for monitor settings (Bug #227111) - loadmod-bug197195.diff: * check the complete path (Bug #197195) - added build of VNC support (0018-vnc-support.txt/ 0018-vnc-support.txt.diff); see 0018-vnc-support.txt.mbox for reference - cve-2006-6101_6102_6103.diff: * CVE-2006-6101 iDefense X.org ProcRenderAddGlyphs (Bug #225972) * CVE-2006-6102 iDefense X.org ProcDbeGetVisualInfo (Bug #225974) * CVE-2006-6103 iDefense X.org ProcDbeSwapBuffers (Bug #225975) - int10-fix.diff * Set Int10Current->Tag for the linux native int10 module (X.Org Bug #9296) * obsoletes p_initialize-pci-tag.diff - reverted latest change by schwab (Bug #197190, comment #67) - Fix off-by-one in pci multi-domain support [#229278]. - libdrm.diff: * no longer fail when some driver tries to load "drm" module - xorg-server-1.1.99.901-GetDrawableAttributes.patch: * hopefully fixes AIGLX issues (X.Org Bug #8991) - another 64bit warning fix - X.Org 7.2RC3 release * Add a -showDefaultModulePath option. * Add a -showDefaultLibPath option. * Add DIX_CFLAGS to util builds. * Fix release date, and tag 1.1.99.903 * make X server use system libdrm - this requires libdrm >= 2.3.0 * DRI: call drmSetServerInfo() before drmOpen(). * add extern to struct definition * fixup configure.ac problems with DRI_SOURCES and LBX_SOURCES * bump to 1.1.99.903 * remove CID support (bug #5553) * dri: setup libdrm hooks as early as possible. * Bug #8868: Remove drm from SUBDIRS now that the directory is gone. * Fix typo before the last commit. * Fix GL context destruction with AIGLX. * On DragonFLy, default to /dev/sysmouse (just like on FreeBSD). * ffs: handle 0 argument (bug #8968) * Bug #9023: Only check mice for "mouse" or "void" if identifier is != NULL. Fix potential NULL pointer access in timer code. - updated Mesa sources to 6.5.2 - xserver-timers.diff: * fix null pointer reference in timer code (Bug #223718) - p_pci-off-by-one.diff: * readded off by one fix, which has been dropped by accident (Bug #197190) - acpi_events.diff: * distinguish between general and input devices also for APM (Bug #197858) - removed /etc/X11/Xsession.d/92xprint-xpserverlist (Bug #220733) - mouse-fix.diff: * prevent driver from crashing when something different than "mouse" or "void" is specified; only check mice for "mouse" or "void" if identifier is != NULL. (X.Org Bug #9023) - X.Org 7.2RC2 release - adjusted p_enable-altrix.diff, p_pci-domain.diff - obsoletes p_pci-ia64.diff, xorg-xserver-ia64-int10.diff p_pci-legacy-mmap.diff - Changes in RC2 since RC1 Aaron Plattner: Fix standard VESA modes. Adam Jackson: Bug #6786: Use separate defines for server's Fixes support level. 'make dist' fixes. Fix distcheck. Include a forgotten ia64 header in the distball. Builds on ia64 now. configure.ac bump. Alan Coopersmith: Make sure xorgcfg files are included even when dist made with --disable-xorgcfg Use getisax() instead of asm code to determine available x86 ISA extensions on Solaris Pre-release message should tell users to check git, not CVS, for updates Fix automake error: BUILT_SOURCES was defined multiple times on Solaris Bug #1997: AUDIT messages should contain uid for local accesses If getpeerucred() is available, include pid & zoneid in audit messages too Make _POSIX_C_SOURCE hack work with Solaris headers Alan Hourihane: Small modification to blocking signals when switching modes. Bjorn Helgaas: Do not map full 0-1MB legacy range Bram Verweij: xfree86/linux acpi: fix tokenising Daniel Stone: GetTimeInMillis: spuport monotonic clock WaitForSomething: allow time to rewind Revert "WaitForSomething: allow time to rewind" Revert "GetTimeInMillis: spuport monotonic clock" add 'general socket' handler, port ACPI to use it WaitForSomething: allow time to rewind WaitForSomething: only rewind when delta is more than 250ms GetTimeInMillis: spuport monotonic clock GetTimeInMillis: simplify monotonic test GetTimeInMillis: use correct units for clock_gettime os: fix sun extensions test Eamon Walsh: Bug #8875: Security extension causes Xorg to core dump on server reset whitespace adjust More work on Bug #8875: revert previous fix and try using client argument Bug #8937: Extension setup functions not called on server resets Egbert Eich: Fixing mach64 driver bailing out on ia64 Make int10 fully domain aware. Erik Andren: remove XFree86 changelogs (bug #7262) Joshua Baergen: Create xorg.conf.example (Gentoo bug #138623). Laurence Withers: CreateColormap: fix return value (bug #7083) Matthias Hopf: Build with -D_PC on ix86 only. Added missing domain stripping in already domain aware code. Added linux 2.6 compatible domain aware device scanning code. Fixing domain support for ia64 Add domain support to linuxPciOpenFile(). Fix device path in altixPCI.c to be domain aware. Fix obviously wrong boundary checks + cleanup unused vars. Matthieu Herrb: kill GNU-make'ism. Handle building in a separate objdir Michel Dänzer: Fix __glXDRIbindTexImage() for 32 bpp on big endian platforms. Fix test for Option "IgnoreABI". Myron Stowe: xfree86: re-enable chipset-specific drivers for Linux/ia64 Rich Coe: CheckConnections: don't close down the server client (bug #7876) - p_ppc_domain_workaround.diff: * ugly workaround for still missing domain support on ppc (Bug #202133) - updated to snapshot of xserver-1.2-branch (soon to be released as X.Org 7.2RC2) * Make sure xorgcfg files are included even when dist made with --disable-xorgcfg * Small modification to blocking signals when switching modes. * Use getisax() instead of asm code to determine available x86 ISA extensions on Solaris * Pre-release message should tell users to check git, not CVS, for updates * Fix __glXDRIbindTexImage() for 32 bpp on big endian platforms. * Create xorg.conf.example (Gentoo bug #138623). * Fix test for Option "IgnoreABI". This option has plenty of potential for wasting the time of bug triagers without pretending it's always on. * kill GNU-make'ism. * Handle building in a separate objdir * Fix automake error: BUILT_SOURCES was defined multiple times on Solaris * Bug #1997: AUDIT messages should contain uid for local accesses * If getpeerucred() is available, include pid & zoneid in audit messages too - added /etc/modprobe.d/nvidia - xorg-xserver-ia64-int10.diff: * build int10 module with _PC only on %ix86 (Bug #197190) - added build of Xephyr; useful for debugging KDE apps (coolo) - cfb8-undefined.diff: * fixes warning for undefined behaviour - Own /etc/X11/Xsession.d directory. - Use /etc/X11/Xsession.d. - updated to X.Org 7.2RC1 - only disable AIGLX by default on SUSE <= 10.1 (Bug #197093) - no longer fake release version for fglrx driver (Bug #198125) - glx-align.patch: * reenabled -D__GLX_ALIGN64 on affected plaforms (X.Org Bug #8392) - Fixes to p_pci-domain.diff (Bug #197572) * internal domain number of by one (was supposed to be a cleanup, but other code dependet on this semantics) * fixed another long-standing of-by-1 error - p_enable-altrix.diff (Bug #197572) * This additional patch enables the build of the altrix detection routines, which have apparently not been included in Xorg 7.1 yet. This patch needs a autoreconf -fi after application. - updated to Mesa 6.5.1 - disable-fbblt-opt.diff: * Disable optimization (introduced by ajax) due to a general vesa driver crash later in memcpy (Bug #204324) - removed two source files with imcompatible license from Mesa tarball (Bug #204110) - added a check to specfile to make sure that these will not be reintroduced with the next Mesa update again (Bug #204110) - moved xf86Parser.h,xf86Optrec.h back to /usr/include/xorg, since SaX2 build issues have finally been resolved by making use of "-iquote /usr/include/xorg -I." - disable-root-xorg_conf.diff: * no longer consider to read /root/xorg.conf - only require xorg-x11-fonts-core ('fixed' + 'cursor' fonts) - fake release version for fglrx driver again, since using IgnoreABI does not help (the check for the ABI version is in the binary-only fglrx driver) - added Requires: xorg-x11-driver-{input,video} (Bug #202080) - ignore-abi.diff: * adds IgnoreABI option for xorg.conf (same as -ignoreABI) - remove .la files - no longer fake release version for fglrx driver; use the new IgnoreABI option instead! - PCI/IA64 Patches (Bug #197572): * apply new p_pci-domain.diff (mhopf) * apply new p_pci-ce-x.diff (mhopf) - PCI/IA64 Patches (Bug #197572): * removed p_mappciBIOS_complete.diff (already applied upstream) * apply p_pci-ia64.diff * apply p_pci-legacy-mmap.diff only for IA64 (as before) * disabled for now: - p_pci-domain.diff: still issues with it - p_pci-ce-x.diff: sits on top of p_pci-domain.diff - added PCI/IA64 patches, but disabled them for now (Bug #197572) - remove comp. symlinks in /usr/X11R6/bin for openSUSE >= 10.2 - fixed build for s390/s390x, e.g. use configure options --disable-install-libxf86config --disable-aiglx --disable-dri --disable-xorg - changed os-name to "openSUSE" instead of "Linux" before - fake release version for fglrx driver :-( - xinerama-sig11.diff: * prevents Xserver Sig11 with broken Xinerama config (Bug #135002) - moved /usr/%_lib/pkgconfig/xorg-server.pc to xorg-x11-server - added pkgconfig to Requires of xorg-x11-server - disable-aiglx.diff: * disabled AIGLX by default (related to Bug #197093); enable it with 'Option "AIGLX" "true"' in ServerFlags section of xorg.conf - enabled build of aiglx - patch font path also in xorg.conf when set to /usr/lib/X11/fonts/ or /usr/X11/lib/X11/fonts - patch xorg.conf in %post: * radeonold/radeon10b driver --> radeon driver - added "Requires: xorg-x11-fonts" to prevent issues like "could not open default font 'fixed'" for any Xserver - make sure that symlinks /usr/bin/X --> /var/X11R6/bin/X /var/X11R6/bin/X --> /usr/bin/Xorg are packaged. - p_xorg_acpi.diff: * fixed for archs which don't have HAVE_ACPI defined, e.g. ppc - p_xf86Mode.diff: * removes wrong warning (Bug #139510) - p_xorg_acpi.diff: * reconnect to acpid when acpid has been killed (Bug #148384) - p_xkills_wrong_client.diff: * This patch has unveiled two other problems. One is rather serious as there seems to be a non-zero possibility that the Xserver closes the wrong connection and this closes the wrong client when it looks for stale sockets of clients that have disappeared (eich, Bug #150869) - p_bug159532.diff: * X Clients can intentionally or unintenionally crash X11 by using composite on depth 4 pixmaps. This patch fixes this. (Bug #159532) - p_xnest-ignore-getimage-errors.diff: * ignores the X error on GetImage in Xnest (Bug #174228, X.Org Bug #4411) - p_initialize-pci-tag.diff: * initialize PCI tag correctly, which is used by an IA64 specific patch (see Bug #147261 for details); fixes Xserver crashes with fglrx driver - and possibly other drivers like vesa - during initial startup (!), VT switch and startup of second Xserver (SLED10 Blocker Bugs #180535, #170991, #158806) - p_ia64-console.diff: * fixes MCA after start of second Xserver (Bug #177011) - p_mouse_misc.diff: * fix X server crashes with synaptics driver (Bug #61702) - pu_fixes.diff * Fixes not yet in the official version - p_bug96328.diff: * fallback mouse device checking - p_vga-crashfix.diff: * fixes vga driver crash (#133989) - p_xorg_rom_read.diff * read rom in big chunks instead of byte-at-a-time (Bug #140811) - ps_showopts.diff * Xserver "-showopts" option to print available driver options (Bug #137374) - add /var/X11R6/bin directory for now (Bug #197188) - fix setup line - fixed fatal compiler warnings - always (and only) patch xorg.conf if necessary - update to xorg-server release 1.1.99.3 - use "-fno-strict-aliasing" - use $RPM_OPT_FLAGS - remove existing /usr/include/X11 symlink in %pre - install xf86Parser.h,xf86Optrec.h to /usr/include instead of /usr/include/xorg, so it is no longer necessary to specify "-I/usr/include/xorg" which resulted in including a wrong "shadow.h" (by X.Org) when building SaX2 (strange build error) - added permissions files - add compatibility symlink /usr/X11R6/bin/Xorg - p_ValidatePci.diff: * no longer call ValidatePci() to fix i810 driver issues (Bug #191987) - fixed build - bfo-bug15222.diff (bfo #15222, bnc #374318) * CVE-2008-2360 - RENDER Extension heap buffer overflow * CVE-2008-2361 - RENDER Extension crash * CVE-2008-2362 - RENDER Extension memory corruption * CVE-2008-1379 - MIT-SHM arbitrary memory read * CVE-2008-1377 - RECORD and Security extensions memory corruption - xserver-mode-fuzzy-check.diff * Make mode checking more tolerant like in pre-RandR times. - fix-dpi-values.diff * fixes DPI values for RANDR 1.2 capable drivers (bnc #393001) - mention ZapWarning also in Xorg manual page (bnc #391352) - xorg-server-1.4-vnc-render_sig11.diff * fixed sig11 in RENDER code (bnc #385677) - disabled patch to disable RENDER support in Xvnc, since it broke 24bit color depth support (bnc #390011) - xorg-server-1.4-vnc-disable_render.diff * disabled RENDER support in Xvnc (bnc #385677) - events.diff * eating up key events before going into the idle loop upon vt switch instead of after return (bnc #152522) - xkb_action.diff * fixed remaining unitialized warning in X.Org (bnc #83910) - fbdevhw.diff * screen blanking not supported by vesafb of Linux kernel (bnc #146462) - no longer disable AIGLX by default - XAANoOffscreenPixmaps.diff * disable Offscreen Pixmaps by default (bnc #376068) - Fix another o-b-1 in pci domain support. - randr1_1-sig11.diff * fixes Xserver crash when running xrandr on a different virtual terminal (Egbert Eich, bnc #223459) - commit-37b1258.diff * possibly fixes unwanted autorepeat (bnc #377612, bfo #14811) - bitmap_always_unscaled.diff * Default bitmap fonts should typically be set as unscaled (libv) - update to Mesa bugfix release 7.0.3 (final) sources - update to Mesa bugfix release 7.0.3 RC3 sources - confine_to_shape.diff * fixes XGrabPointer's confine_to with shaped windows (bnc #62146) - zap_warning_xserver.diff * implements FATE #302988: ZapWarning (Luc Verhaegen) Uses PCSpeaker for beep. Press once, beep. Press again within 2s (which is ample), terminate. Documented in xorg.conf manpage. - make the memory corruption fix by schwab a seperate patch to make sure it won't get lost the next time I update the VNC patch - Fix vnc server memory corruption. - commit-a6a7fad.diff * Don't break grab and focus state for a window when redirecting it. (bnc #336219, bfo #488264) - update to Mesa bugfix release 7.0.3 RC2 sources * Fixed GLX indirect vertex array rendering bug (14197) * Fixed crash when deleting framebuffer objects (bugs 13507, 14293) * User-defined clip planes enabled for R300 (bug 9871) * Fixed glBindTexture() crash upon bad target (bug 14514) * Fixed potential crash in glDrawPixels(GL_DEPTH_COMPONENT) (bug 13915) * Bad strings given to glProgramStringARB() didn't generate GL_INVALID_OPERATION * Fixed minor point rasterization regression (bug 11016) - added Requires:xkeyboard-config to xorg-x11-server - commit-50e80c3.diff: * never overwrite realInputProc with enqueueInputProc (bnc#357989, bfo#13511) - only switch to radeon driver in %post if radeonold driver is no longer available (Bug #355009) - some more cleanup in %post - Move manpage to the sub package that provides the binary. - update to Mesa bugfix release 7.0.3 RC1 sources * Added missing glw.pc.in file to release tarball * Fix GLUT/Fortran issues * GLSL gl_FrontLightModelProduct.sceneColor variable wasn't defined * Fix crash upon GLSL variable array indexes (not yet supported) * Two-sided stencil test didn't work in software rendering * Fix two-sided lighting bugs/crashes (bug 13368) * GLSL gl_FrontFacing didn't work properly * glGetActiveUniform returned incorrect sizes (bug 13751) * Fix several bugs relating to uniforms and attributes in GLSL API (Bruce Merry, bug 13753) * glTexImage3D(GL_PROXY_TEXTURE_3D) mis-set teximage depth field - updated patch for CVE-2007-6429 once more (X.Org Bug #13520) * Always test for size+offset wrapping. - updated patch for CVE-2007-6429 (Bug #345131) * Don't spuriously reject <8bpp shm pixmaps. Move size validation after depth validation, and only validate size if the bpp of the pixmap format is > 8. If bpp < 8 then we're already protected from overflow by the width and height checks. - X.Org security update * CVE-2007-5760 - XFree86 Misc extension out of bounds array index * CVE-2007-6427 - Xinput extension memory corruption. * CVE-2007-6428 - TOG-cup extension memory corruption. * CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows. * CVE-2008-0006 - PCF Font parser buffer overflow. - xorg-server 1.4.0.90 (prerelease of 1.4.1) - pixman.diff * fixed include path for pixman.h - remove_bogus_modeline.diff * remove bogus monitor modelines provided by DDC (Bug #335540) - commit-184e571.diff * Adjust offsets of modes that do not fit virtual screen size. - commit-c6c284e.diff * Initialize Mode with 0 in xf86RandRModeConvert. - commit-f6401f9.diff * Don't segfault if referring to a relative output where no modes survived. - commit-f7dd0c7.diff * Only clear crtc of output if it is the one we're actually working on. - commit-fa19e84.diff * Fix initial placement of LeftOf and Above. - pixman.diff no longer required - s390(x): allow mfb build without Xorg server being built - commit-29e0e18.diff * Make config file preferred mode override monitor preferred mode. - commit-feac075.diff * Leave hardware-specified preferred modes alone when user preference exists. - obsoletes preferred_mode-fix.diff - added xorg-x11-fonts-core/xorg-x11 to Requires (Bug #341312) - ia64linuxPciInit: allocate extra space for fake devices. - updated to Mesa 7.0.2 (final) sources - updated to Mesa 7.0.2 RC1 sources - xorg-server-1.4-vnc-64bit.diff * fixes segfault on 64bit during Xserver start; make sure to define _XSERVER64 by having HAVE_DIX_CONFIG_H defined and therefore including dix-config.h, so Atom is CARD32 instead of unsigned long before and no longer messes up the pInfo structure in xf86rfbMouseInit/xf86rfbKeybInit - finally enabled build of xf4vnc (standalone Xvnc and VNC Xserver module) - updated xf4vnc patch; still disabled due to problematic vnc module - preferred_mode-fix.diff * more reasonable patch (Bug #329724) - preferred_mode-fix.diff * fixed endless loop if PreferredMode is set (Bug #329724) - removed obsolete patch p_pci-domain.diff (Bug #308693, comment #26) - apply p_pci-off-by-one.diff.ia64 on all platforms since it clearly only affects platforms, where INCLUDE_XF86_NO_DOMAIN is *not* set; this still not explains why we have seen Xserver hangups with the patch in place on at least some %ix86/x86_64 machines with fglrx/ nvidia driver IIRC; it needs to verified if this problem is still reproducable ... (Bug #308693, comment #25) - xserver-1.3.0-xkb-and-loathing.patch * Ignore (not just block) SIGALRM around calls to Popen()/Pclose(). Fixes a hang in openoffice when opening menus. (Bug #245711) - added missing ia64Pci.h; required for IA64 - recreated p_pci-off-by-one.diff.ia64; the default fuzz factor of patch (2) resulted in a hunk applied to the wrong function and therefore broke the build :-( - xorg-server 1.4 * Welcome to X.Org X Server 1.4, now with hotplugging input to go with the hotplugging output. Also included in this release are many performance and correctness fixes to the EXA acceleration architecture, support for DTrace profiling of the X Server, accelerated GLX_EXT_texture_from_pixmap with supporting DRI drivers, and many improvements to the RandR 1.2 support that was added in xorg-server-1.3. The X Server now relies on the pixman library, which replaces the fb/fbcompose.c and accelerated implementations that were previously shared through code-duplication with the cairo project. * obsolete patches: - bug-259290_trapfault.diff - cfb8-undefined.diff - commit-c09e68c - i810_dri_fix_freeze.diff - p_bug159532.diff - p_enable-altrix.diff - p_pci-ce-x.diff - p_pci-off-by-one.diff - p_xorg_rom_read.diff - randr12-2926cf1da7e4ed63573bfaecdd7e19beb3057d9b.diff - randr12-5b424b562eee863b11571de4cd0019cd9bc5b379.diff - randr12-aec0d06469a2fa7440fdd5ee03dc256a68704e77.diff - randr12-b2dcfbca2441ca8c561f86a78a76ab59ecbb40e4.diff - randr12-b4193a2eee80895c5641e77488df0e72a73a3d99.diff - remove__GLinterface.patch - support_mesa6.5.3.patch - use-composite-for-unequal-depths.patch - x86emu.diff - xephyr-sig11-fix.diff * adjusted patches: - 64bit.diff - bug-197858_dpms.diff - bug227111-ddc_screensize.diff - disable-root-xorg_conf.diff - fpic.diff - glx-align.patch - libdrm.diff - p_bug96328.diff - p_ia64-console.diff - p_vga-crashfix.diff - xephyr.diff - pixman.diff: * search for pixman instead of pixman-1 - bumped version to 7.3 - remove wrongly prebuilt xf1bpp files after extracting tarball; fixes vga module loading (Bug #328201) - do not use "make -j" to (quick)fix xf1bpp build - do not apply p_pci-domain.diff on IA64 - use updated off-by-one patch by schwab for IA64 - edit_data_sanity_check.diff: * added sanity check for monitor EDID data (Bug #326454) - reverted changes by schwab on Fri Sep 7; these resulted i a black screen during Xserver start with any driver on non-IA64 platforms - use-composite-for-unequal-depths.patch: * Use Composite when depths don't match (Bug #309107, X.Org Bug [#7447]) - Update off-by-one patch. - Remove empty patch. - fbdevhw.diff: * ignore pixclock set to 0 by Xen kernel (Bug #285523) - added several RANDR 1.2 fixes (Bug #306699) * randr12-2926cf1da7e4ed63573bfaecdd7e19beb3057d9b.diff Allocate the right number of entries for saving crtcs * randr12-5b424b562eee863b11571de4cd0019cd9bc5b379.diff Set the crtc before the output change is notified. Set the new randr crtc of the output before the output change notification is delivered to the clients. Remove RROutputSetCrtc as it is not really necessary. All we have to do is set the output's crtc on RRCrtcNotify * randr12-8d230319040f0a7f72231da2bf5ec97dc3612e21.diff Fix the output->crtc initialization in the old randr setup * randr12-aec0d06469a2fa7440fdd5ee03dc256a68704e77.diff Fix a crash when rotating the screen. Remember output->crtc before setting a NULL mode because RRCrtcNotify now sets output->crtc to NULL. Use the saved crtc to set the new mode. * randr12-b2dcfbca2441ca8c561f86a78a76ab59ecbb40e4.diff RRScanOldConfig cannot use RRFirstOutput before output is configured. RRFirstOutput returns the first active output, which won't be set until after RRScanOldConfig is finished running. Instead, just use the first output (which is the only output present with an old driver, after all). * randr12-b4193a2eee80895c5641e77488df0e72a73a3d99.diff RRScanOldConfig wasn't getting crtcs set correctly. The output crtc is set by RRCrtcNotify, which is called at the end of RRScanOldConfig. Several uses of output->crtc in this function were wrong. - i810_dri_fix_freeze.diff: * fixes freeze after pressing Ctrl-Alt-BS (X.Org Bug #10809) - xserver-mode-fuzzy-check.diff: * Fix for Xserver being more fuzzy about mode validation (Bug #270846) - disable AIGLX by default; without enabled Composite extension (still problematic on many drivers) it's rather useless anyway - updated xorg.conf manual page - fix fileconflict over doc/MAINTAINERS - build parallel - updated Mesa source to bugfix release 7.0.1 - xephyr-sig11-fix.diff: * long vs. CARD32 mismatch in KeySym definitions between client and server code - this patch seems to fix it (and the input rework in head fixed it as well in a different way) (Bug #235320) - fixed build on s390(x) - added X(7) and security(7) manual pages - updated Mesa source to final release 7.0 - updated Mesa source to release 7.0 RC1 * Mesa 7.0 is a stable, follow-on release to Mesa 6.5.3. The only difference is bug fixes. The major version number bump is due to OpenGL 2.1 API support. - simplified p_default-module-path.diff - disabled build of Xprt - moved Xdmx, Xephyr, Xnest and Xvfb to new subpackage xorg-x11-server-extra - commit-c09e68c: * Paper over a crash at exit during GLX teardown - updated to Mesa 6.5.3 sources - obsoletes the following patches: * bug-211314_mesa-destroy_buffers.diff * bug-211314_mesa-framebuffer-counting.diff * bug-211314-patch-1.diff * bug-211314-patch-2.diff * bug-211314-patch-3.diff * bug-211314-patch-4.diff * bug-211314-patch-5.diff * bug-211314-patch-6.diff * bug-211314-patch-7.diff * bug-211314-patch-8.diff * bug-211314-patch-9.diff * bug-211314-patch-10.diff * bug-211314-patch-11.diff * bug-211314_mesa-refcount-memleak-fixes.diff * Mesa-6.5.2-fix_radeon_cliprect.diff - remove__GLinterface.patch/ support_mesa6.5.3.patch * required Xserver changes for Mesa 6.5.3 - xorg-x11-server-1.2.99-unbreak-domain.patch: * This patch fixes some multi-domain systems such as Pegasos with xorg-server 1.3. Since pci-rework should get merged soon and this patch is a bit of a hack, it never got pushed upstream. (X.Org Bug #7248) - back to Mesa 6.5.2 (Bug #269155/269042) - Mesa update: 4th RC ready * This fixes some breakage in RC3. - Mesa update: 3rd release candidate * updated Windows/VC8 project files. - updated to Mesa 6.5.3rc2 sources * a number of bug fixes since the first RC - updated to Mesa 6.5.3rc1 sources - obsoletes the following patches: * bug-211314_mesa-destroy_buffers.diff * bug-211314_mesa-framebuffer-counting.diff * bug-211314-patch-1.diff * bug-211314-patch-2.diff * bug-211314-patch-3.diff * bug-211314-patch-4.diff * bug-211314-patch-5.diff * bug-211314-patch-6.diff * bug-211314-patch-7.diff * bug-211314-patch-8.diff * bug-211314-patch-9.diff * bug-211314-patch-10.diff * bug-211314-patch-11.diff * bug-211314_mesa-refcount-memleak-fixes.diff * Mesa-6.5.2-fix_radeon_cliprect.diff - GL-Mesa-6.5.3.diff: * adjusted GL subdir to Mesa 6.5.3rc1 - xserver 1.3.0.0 release * Syncmaster 226 monitor needs 60Hz refresh (#10545). * In AIGLX EnterVT processing, invoke driver EnterVT before resuming glx. * Disable CRTC when SetSingleMode has no matching mode. Update RandR as well. * Rotate screen size as needed from RandR 1.1 change requests. * Add quirk for Acer AL1706 monitor to force 60hz refresh. * RandR 1.2 spec says CRTC info contains screen-relative geometry * typo in built-in module log message * Use default screen monitor for one of the outputs. * Allow outputs to be explicitly enabled in config, overriding detect. * Was accidentally disabling rotation updates in mode set. * Disable SourceValidate in rotation to capture cursor. - Mesa-6.5.2-fix_radeon_cliprect.diff: * fixes X.Org Bug #9876 - bug-259290_trapfault.diff: * fixes crash caused by bug in XRender code (Bug #259290) - xserver 1.2.99.905 release: * CVE-2007-1003: XC-MISC Extension ProcXCMiscGetXIDList() Memory Corruption * X.Org Bug #10296: Fix timer rescheduling - obsoletes bug-243978_xcmisc.diff - xserver 1.2.99.904 release: * Don't erase current crtc for outputs on CloseScreen - bug-243978_xcmisc.diff: * mem corruption in ProcXCMiscGetXIDList (CVE-2007-1003, Bug #243978) - bug-211314_mesa-refcount-memleak-fixes.diff: * Fix for memleaks and refount bugs (Bug #211314) - p_default-module-path.diff: * only return /usr/%lib/xorg/modules in "-showDefaultModulePath" Xserver option (Bug #257360) - set Xserver version to 7.2.0 with configure option (Bugs #257360, #253702) - xserver 1.2.99.903 release: * Create driver-independent CRTC-based cursor layer. * Allow xf86_reload_cursors during server init. * Don't wedge when rotating more than one CRTC. * Correct ref counting of RRMode structures * Remove extra (and wrong) I2C ByteTimeout setting in DDC code. * Slow down DDC I2C bus using a RiseFallTime of 20us for old monitors. * Clean up Rotate state on server reset. * Clear allocated RandR screen private structure. * Clean up xf86CrtcRec and xf86OutputRec objects at CloseScreen. * Make sure RandR events are delivered from RRCrtcSet. * Fix Pending property API, adding RRPostPendingProperty. * Incorrect extra memory copy in RRChangeOutputProperty. * Ensure that crtc desired values track most recent mode. * Make pending properties force mode set. And, remove AttachScreen calls. * Set version to 1.2.99.903 (1.3 RC3) * fbdevhw: Consolidate modeset ioctl calling, report failure if it modifies mode. * fbdevhw: Fix some issues with the previous commit. * fbdevhw: Use displayWidth for fbdev virtual width when appropriate. * fbdevhw: Override RGB offsets and masks after setting initial mode. * fbdevhw: Consider mode set equal to mode requested if virtual width is larger. * fbdevhw: Only deal with RGB weight if default visual is True- or DirectColor. * Add per-drawable Xv colour key helper function. * Bump video driver ABI version to 1.2. - no longer apply bug-211314_mesa-context.diff, bug-211314_p_drawable_privclean.diff (Bug #211314, comment #114) - added different Mesa patches (Bug #211314, comments #114/#115) - Remove bug197190-ia64.diff, fix x86emu instead. - xserver 1.2.99.902 release: * Xprint: shorten font filename to fit in tar length limit * Move xf86SetSingleMode into X server from intel driver. * Add xf86SetDesiredModes to apply desired modes to crtcs. * Use EDID data to set screen physical size at server startup. * Allow relative positions to use output names or monitor identifiers. * Add xf86CrtcScreenInit to share initialization across drivers. * Add hw/xfree86/docs/README.modes, documenting new mode setting APIs. * Remove stale monitor data when output becomes disconnected. * Revert "Xprint includes a filename which is too long for tar." * Revert "Xext: Update device's lastx/lasty when sending a motion event with XTest." * Xext: Update device's lastx/lasty when sending a motion event with XTest. - xf86crtc_allowdual.diff no longer required; replaced by xrandr_12_newmode.diff in xrandr (xorg-x11 package) - bug197190-ia64.diff: * missing -DNO_LONG_LONG for IA64 (Bug #197190) - xf86crtc_allowdual.diff: * allows dualhead even when the second monitor is not yet connected during Xserver start - %post: replace "i810beta" with "intel" in existing xorg.conf - xserver 1.2.99.901 release: * RandR 1.2 * EXA damage track * minor fixes - use global permissions files for SUSE > 10.1 (Bug #246228) - improved bug-197858_dpms.diff to fix Xserver crash (Bug #197858) - bug-197858_dpms.diff: * finally fixed "X server wakes up on any ACPI event" issue (Bug #197858) - bug-211314_p_drawable_privclean.diff: * fixed for cleaning up pointers - fixed build - bug-211314_p_drawable_privclean.diff: * fixes Xserver crash in Mesa software rendering path (Bug #211314) - xserver 1.2.0 release * Bug #9219: Return BadMatch when trying to name the backing pixmap of an unrealized window. * Bug #9219: Use pWin->viewable instead of pWin->realized to catch InputOnly windows too. * Fix BSF and BSR instructions in the x86 emulator. * Bug #9555: Always define _GNU_SOURCE in glibc environments. * Bug #8991: Add glXGetDrawableAttributes dispatch; fix texture format therein. * Bump video and input ABI minors. * Fix release date. * Fix syntax error in configure check for SYSV_IPC that broke with Sun cc * Map missing keycodes for Sun Type 5 keyboard on Solaris SPARC * Update pci.ids to 2006-12-06 from pciids.sf.net * Xorg & Xserver man page updates for 1.2 release * xorg.conf man page should say "XFree86-DGA", not "Xorg-DGA" * Xserver man page: remove bc, add -wr * Update pci.ids to 2007-01-18 snapshot * Update Xserver man page to match commit ed33c7c98ad0c542e9e2dd6caa3f84879c21dd61 * Fix Tooltip from minimized clients * Fix Xming fails to use xkb bug * Fix bad commit * Set Int10Current->Tag for the linux native int10 module * added mipmap.c * configure.ac: prepare for 1.2.0 (X11R7.2) * sparc: don't include asm/kbio.h -- it no longer exists in current headers. * Minor typos in Xserver man page. * Fix several cases where optimized paths were hit when they shouldn't be. * Try dlsym(RTLD_DEFAULT) first when finding symbols. * Fix RENDER issues (bug #7555) and implement RENDER add/remove screen * For Xvfb, Xnest and Xprt, compile fbcmap.c with -DXFree86Server * Multiple integer overflows in dbe and render extensions * Require glproto >= 1.4.8 for GLX. * __glXDRIscreenProbe: Use drmOpen/CloseOnce. * xfree86/hurd: re-add missing keyboard support (bug #5613) * remove last remaning 'linux'isms (bug #5613) - obsoletes * Mesa-6.5.2.diff * xorg-server-1.1.99.901-GetDrawableAttributes.patch * int10-fix.diff * cve-2006-6101_6102_6103.diff - disabled build of VNC server/module - bug-211314_mesa-context.diff: * fixes Xserver crash in software rendering fallback (Bug #211314) - 0018-vnc-support.txt.diff * fixed unresolved symbols vncRandomBytes/deskey in VNC module (terminated Xserver when client connected) - bug227111-ddc_screensize.diff: * allow user overrides for monitor settings (Bug #227111) - loadmod-bug197195.diff: * check the complete path (Bug #197195) - added build of VNC support (0018-vnc-support.txt/ 0018-vnc-support.txt.diff); see 0018-vnc-support.txt.mbox for reference - cve-2006-6101_6102_6103.diff: * CVE-2006-6101 iDefense X.org ProcRenderAddGlyphs (Bug #225972) * CVE-2006-6102 iDefense X.org ProcDbeGetVisualInfo (Bug #225974) * CVE-2006-6103 iDefense X.org ProcDbeSwapBuffers (Bug #225975) - int10-fix.diff * Set Int10Current->Tag for the linux native int10 module (X.Org Bug #9296) * obsoletes p_initialize-pci-tag.diff - reverted latest change by schwab (Bug #197190, comment #67) - Fix off-by-one in pci multi-domain support [#229278]. - libdrm.diff: * no longer fail when some driver tries to load "drm" module - xorg-server-1.1.99.901-GetDrawableAttributes.patch: * hopefully fixes AIGLX issues (X.Org Bug #8991) - another 64bit warning fix - X.Org 7.2RC3 release * Add a -showDefaultModulePath option. * Add a -showDefaultLibPath option. * Add DIX_CFLAGS to util builds. * Fix release date, and tag 1.1.99.903 * make X server use system libdrm - this requires libdrm >= 2.3.0 * DRI: call drmSetServerInfo() before drmOpen(). * add extern to struct definition * fixup configure.ac problems with DRI_SOURCES and LBX_SOURCES * bump to 1.1.99.903 * remove CID support (bug #5553) * dri: setup libdrm hooks as early as possible. * Bug #8868: Remove drm from SUBDIRS now that the directory is gone. * Fix typo before the last commit. * Fix GL context destruction with AIGLX. * On DragonFLy, default to /dev/sysmouse (just like on FreeBSD). * ffs: handle 0 argument (bug #8968) * Bug #9023: Only check mice for "mouse" or "void" if identifier is != NULL. Fix potential NULL pointer access in timer code. - updated Mesa sources to 6.5.2 - xserver-timers.diff: * fix null pointer reference in timer code (Bug #223718) - p_pci-off-by-one.diff: * readded off by one fix, which has been dropped by accident (Bug #197190) - acpi_events.diff: * distinguish between general and input devices also for APM (Bug #197858) - removed /etc/X11/Xsession.d/92xprint-xpserverlist (Bug #220733) - mouse-fix.diff: * prevent driver from crashing when something different than "mouse" or "void" is specified; only check mice for "mouse" or "void" if identifier is != NULL. (X.Org Bug #9023) - X.Org 7.2RC2 release - adjusted p_enable-altrix.diff, p_pci-domain.diff - obsoletes p_pci-ia64.diff, xorg-xserver-ia64-int10.diff p_pci-legacy-mmap.diff - Changes in RC2 since RC1 Aaron Plattner: Fix standard VESA modes. Adam Jackson: Bug #6786: Use separate defines for server's Fixes support level. 'make dist' fixes. Fix distcheck. Include a forgotten ia64 header in the distball. Builds on ia64 now. configure.ac bump. Alan Coopersmith: Make sure xorgcfg files are included even when dist made with --disable-xorgcfg Use getisax() instead of asm code to determine available x86 ISA extensions on Solaris Pre-release message should tell users to check git, not CVS, for updates Fix automake error: BUILT_SOURCES was defined multiple times on Solaris Bug #1997: AUDIT messages should contain uid for local accesses If getpeerucred() is available, include pid & zoneid in audit messages too Make _POSIX_C_SOURCE hack work with Solaris headers Alan Hourihane: Small modification to blocking signals when switching modes. Bjorn Helgaas: Do not map full 0-1MB legacy range Bram Verweij: xfree86/linux acpi: fix tokenising Daniel Stone: GetTimeInMillis: spuport monotonic clock WaitForSomething: allow time to rewind Revert "WaitForSomething: allow time to rewind" Revert "GetTimeInMillis: spuport monotonic clock" add 'general socket' handler, port ACPI to use it WaitForSomething: allow time to rewind WaitForSomething: only rewind when delta is more than 250ms GetTimeInMillis: spuport monotonic clock GetTimeInMillis: simplify monotonic test GetTimeInMillis: use correct units for clock_gettime os: fix sun extensions test Eamon Walsh: Bug #8875: Security extension causes Xorg to core dump on server reset whitespace adjust More work on Bug #8875: revert previous fix and try using client argument Bug #8937: Extension setup functions not called on server resets Egbert Eich: Fixing mach64 driver bailing out on ia64 Make int10 fully domain aware. Erik Andren: remove XFree86 changelogs (bug #7262) Joshua Baergen: Create xorg.conf.example (Gentoo bug #138623). Laurence Withers: CreateColormap: fix return value (bug #7083) Matthias Hopf: Build with -D_PC on ix86 only. Added missing domain stripping in already domain aware code. Added linux 2.6 compatible domain aware device scanning code. Fixing domain support for ia64 Add domain support to linuxPciOpenFile(). Fix device path in altixPCI.c to be domain aware. Fix obviously wrong boundary checks + cleanup unused vars. Matthieu Herrb: kill GNU-make'ism. Handle building in a separate objdir Michel Dänzer: Fix __glXDRIbindTexImage() for 32 bpp on big endian platforms. Fix test for Option "IgnoreABI". Myron Stowe: xfree86: re-enable chipset-specific drivers for Linux/ia64 Rich Coe: CheckConnections: don't close down the server client (bug #7876) - p_ppc_domain_workaround.diff: * ugly workaround for still missing domain support on ppc (Bug #202133) - updated to snapshot of xserver-1.2-branch (soon to be released as X.Org 7.2RC2) * Make sure xorgcfg files are included even when dist made with --disable-xorgcfg * Small modification to blocking signals when switching modes. * Use getisax() instead of asm code to determine available x86 ISA extensions on Solaris * Pre-release message should tell users to check git, not CVS, for updates * Fix __glXDRIbindTexImage() for 32 bpp on big endian platforms. * Create xorg.conf.example (Gentoo bug #138623). * Fix test for Option "IgnoreABI". This option has plenty of potential for wasting the time of bug triagers without pretending it's always on. * kill GNU-make'ism. * Handle building in a separate objdir * Fix automake error: BUILT_SOURCES was defined multiple times on Solaris * Bug #1997: AUDIT messages should contain uid for local accesses * If getpeerucred() is available, include pid & zoneid in audit messages too - added /etc/modprobe.d/nvidia - xorg-xserver-ia64-int10.diff: * build int10 module with _PC only on %ix86 (Bug #197190) - added build of Xephyr; useful for debugging KDE apps (coolo) - cfb8-undefined.diff: * fixes warning for undefined behaviour - Own /etc/X11/Xsession.d directory. - Use /etc/X11/Xsession.d. - updated to X.Org 7.2RC1 - only disable AIGLX by default on SUSE <= 10.1 (Bug #197093) - no longer fake release version for fglrx driver (Bug #198125) - glx-align.patch: * reenabled -D__GLX_ALIGN64 on affected plaforms (X.Org Bug #8392) - Fixes to p_pci-domain.diff (Bug #197572) * internal domain number of by one (was supposed to be a cleanup, but other code dependet on this semantics) * fixed another long-standing of-by-1 error - p_enable-altrix.diff (Bug #197572) * This additional patch enables the build of the altrix detection routines, which have apparently not been included in Xorg 7.1 yet. This patch needs a autoreconf -fi after application. - updated to Mesa 6.5.1 - disable-fbblt-opt.diff: * Disable optimization (introduced by ajax) due to a general vesa driver crash later in memcpy (Bug #204324) - removed two source files with imcompatible license from Mesa tarball (Bug #204110) - added a check to specfile to make sure that these will not be reintroduced with the next Mesa update again (Bug #204110) - moved xf86Parser.h,xf86Optrec.h back to /usr/include/xorg, since SaX2 build issues have finally been resolved by making use of "-iquote /usr/include/xorg -I." - disable-root-xorg_conf.diff: * no longer consider to read /root/xorg.conf - only require xorg-x11-fonts-core ('fixed' + 'cursor' fonts) - fake release version for fglrx driver again, since using IgnoreABI does not help (the check for the ABI version is in the binary-only fglrx driver) - added Requires: xorg-x11-driver-{input,video} (Bug #202080) - ignore-abi.diff: * adds IgnoreABI option for xorg.conf (same as -ignoreABI) - remove .la files - no longer fake release version for fglrx driver; use the new IgnoreABI option instead! - PCI/IA64 Patches (Bug #197572): * apply new p_pci-domain.diff (mhopf) * apply new p_pci-ce-x.diff (mhopf) - PCI/IA64 Patches (Bug #197572): * removed p_mappciBIOS_complete.diff (already applied upstream) * apply p_pci-ia64.diff * apply p_pci-legacy-mmap.diff only for IA64 (as before) * disabled for now: - p_pci-domain.diff: still issues with it - p_pci-ce-x.diff: sits on top of p_pci-domain.diff - added PCI/IA64 patches, but disabled them for now (Bug #197572) - remove comp. symlinks in /usr/X11R6/bin for openSUSE >= 10.2 - fixed build for s390/s390x, e.g. use configure options --disable-install-libxf86config --disable-aiglx --disable-dri --disable-xorg - changed os-name to "openSUSE" instead of "Linux" before - fake release version for fglrx driver :-( - xinerama-sig11.diff: * prevents Xserver Sig11 with broken Xinerama config (Bug #135002) - moved /usr/%_lib/pkgconfig/xorg-server.pc to xorg-x11-server - added pkgconfig to Requires of xorg-x11-server - disable-aiglx.diff: * disabled AIGLX by default (related to Bug #197093); enable it with 'Option "AIGLX" "true"' in ServerFlags section of xorg.conf - enabled build of aiglx - patch font path also in xorg.conf when set to /usr/lib/X11/fonts/ or /usr/X11/lib/X11/fonts - patch xorg.conf in %post: * radeonold/radeon10b driver --> radeon driver - added "Requires: xorg-x11-fonts" to prevent issues like "could not open default font 'fixed'" for any Xserver - make sure that symlinks /usr/bin/X --> /var/X11R6/bin/X /var/X11R6/bin/X --> /usr/bin/Xorg are packaged. - p_xorg_acpi.diff: * fixed for archs which don't have HAVE_ACPI defined, e.g. ppc - p_xf86Mode.diff: * removes wrong warning (Bug #139510) - p_xorg_acpi.diff: * reconnect to acpid when acpid has been killed (Bug #148384) - p_xkills_wrong_client.diff: * This patch has unveiled two other problems. One is rather serious as there seems to be a non-zero possibility that the Xserver closes the wrong connection and this closes the wrong client when it looks for stale sockets of clients that have disappeared (eich, Bug #150869) - p_bug159532.diff: * X Clients can intentionally or unintenionally crash X11 by using composite on depth 4 pixmaps. This patch fixes this. (Bug #159532) - p_xnest-ignore-getimage-errors.diff: * ignores the X error on GetImage in Xnest (Bug #174228, X.Org Bug #4411) - p_initialize-pci-tag.diff: * initialize PCI tag correctly, which is used by an IA64 specific patch (see Bug #147261 for details); fixes Xserver crashes with fglrx driver - and possibly other drivers like vesa - during initial startup (!), VT switch and startup of second Xserver (SLED10 Blocker Bugs #180535, #170991, #158806) - p_ia64-console.diff: * fixes MCA after start of second Xserver (Bug #177011) - p_mouse_misc.diff: * fix X server crashes with synaptics driver (Bug #61702) - pu_fixes.diff * Fixes not yet in the official version - p_bug96328.diff: * fallback mouse device checking - p_vga-crashfix.diff: * fixes vga driver crash (#133989) - p_xorg_rom_read.diff * read rom in big chunks instead of byte-at-a-time (Bug #140811) - ps_showopts.diff * Xserver "-showopts" option to print available driver options (Bug #137374) - add /var/X11R6/bin directory for now (Bug #197188) - fix setup line - fixed fatal compiler warnings - always (and only) patch xorg.conf if necessary - update to xorg-server release 1.1.99.3 - use "-fno-strict-aliasing" - use $RPM_OPT_FLAGS - remove existing /usr/include/X11 symlink in %pre - install xf86Parser.h,xf86Optrec.h to /usr/include instead of /usr/include/xorg, so it is no longer necessary to specify "-I/usr/include/xorg" which resulted in including a wrong "shadow.h" (by X.Org) when building SaX2 (strange build error) - added permissions files - add compatibility symlink /usr/X11R6/bin/Xorg - p_ValidatePci.diff: * no longer call ValidatePci() to fix i810 driver issues (Bug #191987) - fixed build - bfo-bug15222.diff (bfo #15222, bnc #374318) * CVE-2008-2360 - RENDER Extension heap buffer overflow * CVE-2008-2361 - RENDER Extension crash * CVE-2008-2362 - RENDER Extension memory corruption * CVE-2008-1379 - MIT-SHM arbitrary memory read * CVE-2008-1377 - RECORD and Security extensions memory corruption - xserver-mode-fuzzy-check.diff * Make mode checking more tolerant like in pre-RandR times. - fix-dpi-values.diff * fixes DPI values for RANDR 1.2 capable drivers (bnc #393001) - mention ZapWarning also in Xorg manual page (bnc #391352) - xorg-server-1.4-vnc-render_sig11.diff * fixed sig11 in RENDER code (bnc #385677) - disabled patch to disable RENDER support in Xvnc, since it broke 24bit color depth support (bnc #390011) - xorg-server-1.4-vnc-disable_render.diff * disabled RENDER support in Xvnc (bnc #385677) - events.diff * eating up key events before going into the idle loop upon vt switch instead of after return (bnc #152522) - xkb_action.diff * fixed remaining unitialized warning in X.Org (bnc #83910) - fbdevhw.diff * screen blanking not supported by vesafb of Linux kernel (bnc #146462) - no longer disable AIGLX by default - XAANoOffscreenPixmaps.diff * disable Offscreen Pixmaps by default (bnc #376068) - Fix another o-b-1 in pci domain support. - randr1_1-sig11.diff * fixes Xserver crash when running xrandr on a different virtual terminal (Egbert Eich, bnc #223459) - commit-37b1258.diff * possibly fixes unwanted autorepeat (bnc #377612, bfo #14811) - bitmap_always_unscaled.diff * Default bitmap fonts should typically be set as unscaled (libv) - update to Mesa bugfix release 7.0.3 (final) sources - update to Mesa bugfix release 7.0.3 RC3 sources - confine_to_shape.diff * fixes XGrabPointer's confine_to with shaped windows (bnc #62146) - zap_warning_xserver.diff * implements FATE #302988: ZapWarning (Luc Verhaegen) Uses PCSpeaker for beep. Press once, beep. Press again within 2s (which is ample), terminate. Documented in xorg.conf manpage. - make the memory corruption fix by schwab a seperate patch to make sure it won't get lost the next time I update the VNC patch - Fix vnc server memory corruption. - commit-a6a7fad.diff * Don't break grab and focus state for a window when redirecting it. (bnc #336219, bfo #488264) - update to Mesa bugfix release 7.0.3 RC2 sources * Fixed GLX indirect vertex array rendering bug (14197) * Fixed crash when deleting framebuffer objects (bugs 13507, 14293) * User-defined clip planes enabled for R300 (bug 9871) * Fixed glBindTexture() crash upon bad target (bug 14514) * Fixed potential crash in glDrawPixels(GL_DEPTH_COMPONENT) (bug 13915) * Bad strings given to glProgramStringARB() didn't generate GL_INVALID_OPERATION * Fixed minor point rasterization regression (bug 11016) - added Requires:xkeyboard-config to xorg-x11-server - commit-50e80c3.diff: * never overwrite realInputProc with enqueueInputProc (bnc#357989, bfo#13511) - only switch to radeon driver in %post if radeonold driver is no longer available (Bug #355009) - some more cleanup in %post - Move manpage to the sub package that provides the binary. - update to Mesa bugfix release 7.0.3 RC1 sources * Added missing glw.pc.in file to release tarball * Fix GLUT/Fortran issues * GLSL gl_FrontLightModelProduct.sceneColor variable wasn't defined * Fix crash upon GLSL variable array indexes (not yet supported) * Two-sided stencil test didn't work in software rendering * Fix two-sided lighting bugs/crashes (bug 13368) * GLSL gl_FrontFacing didn't work properly * glGetActiveUniform returned incorrect sizes (bug 13751) * Fix several bugs relating to uniforms and attributes in GLSL API (Bruce Merry, bug 13753) * glTexImage3D(GL_PROXY_TEXTURE_3D) mis-set teximage depth field - updated patch for CVE-2007-6429 once more (X.Org Bug #13520) * Always test for size+offset wrapping. - updated patch for CVE-2007-6429 (Bug #345131) * Don't spuriously reject <8bpp shm pixmaps. Move size validation after depth validation, and only validate size if the bpp of the pixmap format is > 8. If bpp < 8 then we're already protected from overflow by the width and height checks. - X.Org security update * CVE-2007-5760 - XFree86 Misc extension out of bounds array index * CVE-2007-6427 - Xinput extension memory corruption. * CVE-2007-6428 - TOG-cup extension memory corruption. * CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows. * CVE-2008-0006 - PCF Font parser buffer overflow. - xorg-server 1.4.0.90 (prerelease of 1.4.1) - pixman.diff * fixed include path for pixman.h - remove_bogus_modeline.diff * remove bogus monitor modelines provided by DDC (Bug #335540) - commit-184e571.diff * Adjust offsets of modes that do not fit virtual screen size. - commit-c6c284e.diff * Initialize Mode with 0 in xf86RandRModeConvert. - commit-f6401f9.diff * Don't segfault if referring to a relative output where no modes survived. - commit-f7dd0c7.diff * Only clear crtc of output if it is the one we're actually working on. - commit-fa19e84.diff * Fix initial placement of LeftOf and Above. - pixman.diff no longer required - s390(x): allow mfb build without Xorg server being built - commit-29e0e18.diff * Make config file preferred mode override monitor preferred mode. - commit-feac075.diff * Leave hardware-specified preferred modes alone when user preference exists. - obsoletes preferred_mode-fix.diff - added xorg-x11-fonts-core/xorg-x11 to Requires (Bug #341312) - ia64linuxPciInit: allocate extra space for fake devices. - updated to Mesa 7.0.2 (final) sources - updated to Mesa 7.0.2 RC1 sources - xorg-server-1.4-vnc-64bit.diff * fixes segfault on 64bit during Xserver start; make sure to define _XSERVER64 by having HAVE_DIX_CONFIG_H defined and therefore including dix-config.h, so Atom is CARD32 instead of unsigned long before and no longer messes up the pInfo structure in xf86rfbMouseInit/xf86rfbKeybInit - finally enabled build of xf4vnc (standalone Xvnc and VNC Xserver module) - updated xf4vnc patch; still disabled due to problematic vnc module - preferred_mode-fix.diff * more reasonable patch (Bug #329724) - preferred_mode-fix.diff * fixed endless loop if PreferredMode is set (Bug #329724) - removed obsolete patch p_pci-domain.diff (Bug #308693, comment #26) - apply p_pci-off-by-one.diff.ia64 on all platforms since it clearly only affects platforms, where INCLUDE_XF86_NO_DOMAIN is *not* set; this still not explains why we have seen Xserver hangups with the patch in place on at least some %ix86/x86_64 machines with fglrx/ nvidia driver IIRC; it needs to verified if this problem is still reproducable ... (Bug #308693, comment #25) - xserver-1.3.0-xkb-and-loathing.patch * Ignore (not just block) SIGALRM around calls to Popen()/Pclose(). Fixes a hang in openoffice when opening menus. (Bug #245711) - added missing ia64Pci.h; required for IA64 - recreated p_pci-off-by-one.diff.ia64; the default fuzz factor of patch (2) resulted in a hunk applied to the wrong function and therefore broke the build :-( - xorg-server 1.4 * Welcome to X.Org X Server 1.4, now with hotplugging input to go with the hotplugging output. Also included in this release are many performance and correctness fixes to the EXA acceleration architecture, support for DTrace profiling of the X Server, accelerated GLX_EXT_texture_from_pixmap with supporting DRI drivers, and many improvements to the RandR 1.2 support that was added in xorg-server-1.3. The X Server now relies on the pixman library, which replaces the fb/fbcompose.c and accelerated implementations that were previously shared through code-duplication with the cairo project. * obsolete patches: - bug-259290_trapfault.diff - cfb8-undefined.diff - commit-c09e68c - i810_dri_fix_freeze.diff - p_bug159532.diff - p_enable-altrix.diff - p_pci-ce-x.diff - p_pci-off-by-one.diff - p_xorg_rom_read.diff - randr12-2926cf1da7e4ed63573bfaecdd7e19beb3057d9b.diff - randr12-5b424b562eee863b11571de4cd0019cd9bc5b379.diff - randr12-aec0d06469a2fa7440fdd5ee03dc256a68704e77.diff - randr12-b2dcfbca2441ca8c561f86a78a76ab59ecbb40e4.diff - randr12-b4193a2eee80895c5641e77488df0e72a73a3d99.diff - remove__GLinterface.patch - support_mesa6.5.3.patch - use-composite-for-unequal-depths.patch - x86emu.diff - xephyr-sig11-fix.diff * adjusted patches: - 64bit.diff - bug-197858_dpms.diff - bug227111-ddc_screensize.diff - disable-root-xorg_conf.diff - fpic.diff - glx-align.patch - libdrm.diff - p_bug96328.diff - p_ia64-console.diff - p_vga-crashfix.diff - xephyr.diff - pixman.diff: * search for pixman instead of pixman-1 - bumped version to 7.3 - remove wrongly prebuilt xf1bpp files after extracting tarball; fixes vga module loading (Bug #328201) - do not use "make -j" to (quick)fix xf1bpp build - do not apply p_pci-domain.diff on IA64 - use updated off-by-one patch by schwab for IA64 - edit_data_sanity_check.diff: * added sanity check for monitor EDID data (Bug #326454) - reverted changes by schwab on Fri Sep 7; these resulted i a black screen during Xserver start with any driver on non-IA64 platforms - use-composite-for-unequal-depths.patch: * Use Composite when depths don't match (Bug #309107, X.Org Bug [#7447]) - Update off-by-one patch. - Remove empty patch. - fbdevhw.diff: * ignore pixclock set to 0 by Xen kernel (Bug #285523) - added several RANDR 1.2 fixes (Bug #306699) * randr12-2926cf1da7e4ed63573bfaecdd7e19beb3057d9b.diff Allocate the right number of entries for saving crtcs * randr12-5b424b562eee863b11571de4cd0019cd9bc5b379.diff Set the crtc before the output change is notified. Set the new randr crtc of the output before the output change notification is delivered to the clients. Remove RROutputSetCrtc as it is not really necessary. All we have to do is set the output's crtc on RRCrtcNotify * randr12-8d230319040f0a7f72231da2bf5ec97dc3612e21.diff Fix the output->crtc initialization in the old randr setup * randr12-aec0d06469a2fa7440fdd5ee03dc256a68704e77.diff Fix a crash when rotating the screen. Remember output->crtc before setting a NULL mode because RRCrtcNotify now sets output->crtc to NULL. Use the saved crtc to set the new mode. * randr12-b2dcfbca2441ca8c561f86a78a76ab59ecbb40e4.diff RRScanOldConfig cannot use RRFirstOutput before output is configured. RRFirstOutput returns the first active output, which won't be set until after RRScanOldConfig is finished running. Instead, just use the first output (which is the only output present with an old driver, after all). * randr12-b4193a2eee80895c5641e77488df0e72a73a3d99.diff RRScanOldConfig wasn't getting crtcs set correctly. The output crtc is set by RRCrtcNotify, which is called at the end of RRScanOldConfig. Several uses of output->crtc in this function were wrong. - i810_dri_fix_freeze.diff: * fixes freeze after pressing Ctrl-Alt-BS (X.Org Bug #10809) - xserver-mode-fuzzy-check.diff: * Fix for Xserver being more fuzzy about mode validation (Bug #270846) - disable AIGLX by default; without enabled Composite extension (still problematic on many drivers) it's rather useless anyway - updated xorg.conf manual page - fix fileconflict over doc/MAINTAINERS - build parallel - updated Mesa source to bugfix release 7.0.1 - xephyr-sig11-fix.diff: * long vs. CARD32 mismatch in KeySym definitions between client and server code - this patch seems to fix it (and the input rework in head fixed it as well in a different way) (Bug #235320) - fixed build on s390(x) - added X(7) and security(7) manual pages - updated Mesa source to final release 7.0 - updated Mesa source to release 7.0 RC1 * Mesa 7.0 is a stable, follow-on release to Mesa 6.5.3. The only difference is bug fixes. The major version number bump is due to OpenGL 2.1 API support. - simplified p_default-module-path.diff - disabled build of Xprt - moved Xdmx, Xephyr, Xnest and Xvfb to new subpackage xorg-x11-server-extra - commit-c09e68c: * Paper over a crash at exit during GLX teardown - updated to Mesa 6.5.3 sources - obsoletes the following patches: * bug-211314_mesa-destroy_buffers.diff * bug-211314_mesa-framebuffer-counting.diff * bug-211314-patch-1.diff * bug-211314-patch-2.diff * bug-211314-patch-3.diff * bug-211314-patch-4.diff * bug-211314-patch-5.diff * bug-211314-patch-6.diff * bug-211314-patch-7.diff * bug-211314-patch-8.diff * bug-211314-patch-9.diff * bug-211314-patch-10.diff * bug-211314-patch-11.diff * bug-211314_mesa-refcount-memleak-fixes.diff * Mesa-6.5.2-fix_radeon_cliprect.diff - remove__GLinterface.patch/ support_mesa6.5.3.patch * required Xserver changes for Mesa 6.5.3 - xorg-x11-server-1.2.99-unbreak-domain.patch: * This patch fixes some multi-domain systems such as Pegasos with xorg-server 1.3. Since pci-rework should get merged soon and this patch is a bit of a hack, it never got pushed upstream. (X.Org Bug #7248) - back to Mesa 6.5.2 (Bug #269155/269042) - Mesa update: 4th RC ready * This fixes some breakage in RC3. - Mesa update: 3rd release candidate * updated Windows/VC8 project files. - updated to Mesa 6.5.3rc2 sources * a number of bug fixes since the first RC - updated to Mesa 6.5.3rc1 sources - obsoletes the following patches: * bug-211314_mesa-destroy_buffers.diff * bug-211314_mesa-framebuffer-counting.diff * bug-211314-patch-1.diff * bug-211314-patch-2.diff * bug-211314-patch-3.diff * bug-211314-patch-4.diff * bug-211314-patch-5.diff * bug-211314-patch-6.diff * bug-211314-patch-7.diff * bug-211314-patch-8.diff * bug-211314-patch-9.diff * bug-211314-patch-10.diff * bug-211314-patch-11.diff * bug-211314_mesa-refcount-memleak-fixes.diff * Mesa-6.5.2-fix_radeon_cliprect.diff - GL-Mesa-6.5.3.diff: * adjusted GL subdir to Mesa 6.5.3rc1 - xserver 1.3.0.0 release * Syncmaster 226 monitor needs 60Hz refresh (#10545). * In AIGLX EnterVT processing, invoke driver EnterVT before resuming glx. * Disable CRTC when SetSingleMode has no matching mode. Update RandR as well. * Rotate screen size as needed from RandR 1.1 change requests. * Add quirk for Acer AL1706 monitor to force 60hz refresh. * RandR 1.2 spec says CRTC info contains screen-relative geometry * typo in built-in module log message * Use default screen monitor for one of the outputs. * Allow outputs to be explicitly enabled in config, overriding detect. * Was accidentally disabling rotation updates in mode set. * Disable SourceValidate in rotation to capture cursor. - Mesa-6.5.2-fix_radeon_cliprect.diff: * fixes X.Org Bug #9876 - bug-259290_trapfault.diff: * fixes crash caused by bug in XRender code (Bug #259290) - xserver 1.2.99.905 release: * CVE-2007-1003: XC-MISC Extension ProcXCMiscGetXIDList() Memory Corruption * X.Org Bug #10296: Fix timer rescheduling - obsoletes bug-243978_xcmisc.diff - xserver 1.2.99.904 release: * Don't erase current crtc for outputs on CloseScreen - bug-243978_xcmisc.diff: * mem corruption in ProcXCMiscGetXIDList (CVE-2007-1003, Bug #243978) - bug-211314_mesa-refcount-memleak-fixes.diff: * Fix for memleaks and refount bugs (Bug #211314) - p_default-module-path.diff: * only return /usr/%lib/xorg/modules in "-showDefaultModulePath" Xserver option (Bug #257360) - set Xserver version to 7.2.0 with configure option (Bugs #257360, #253702) - xserver 1.2.99.903 release: * Create driver-independent CRTC-based cursor layer. * Allow xf86_reload_cursors during server init. * Don't wedge when rotating more than one CRTC. * Correct ref counting of RRMode structures * Remove extra (and wrong) I2C ByteTimeout setting in DDC code. * Slow down DDC I2C bus using a RiseFallTime of 20us for old monitors. * Clean up Rotate state on server reset. * Clear allocated RandR screen private structure. * Clean up xf86CrtcRec and xf86OutputRec objects at CloseScreen. * Make sure RandR events are delivered from RRCrtcSet. * Fix Pending property API, adding RRPostPendingProperty. * Incorrect extra memory copy in RRChangeOutputProperty. * Ensure that crtc desired values track most recent mode. * Make pending properties force mode set. And, remove AttachScreen calls. * Set version to 1.2.99.903 (1.3 RC3) * fbdevhw: Consolidate modeset ioctl calling, report failure if it modifies mode. * fbdevhw: Fix some issues with the previous commit. * fbdevhw: Use displayWidth for fbdev virtual width when appropriate. * fbdevhw: Override RGB offsets and masks after setting initial mode. * fbdevhw: Consider mode set equal to mode requested if virtual width is larger. * fbdevhw: Only deal with RGB weight if default visual is True- or DirectColor. * Add per-drawable Xv colour key helper function. * Bump video driver ABI version to 1.2. - no longer apply bug-211314_mesa-context.diff, bug-211314_p_drawable_privclean.diff (Bug #211314, comment #114) - added different Mesa patches (Bug #211314, comments #114/#115) - Remove bug197190-ia64.diff, fix x86emu instead. - xserver 1.2.99.902 release: * Xprint: shorten font filename to fit in tar length limit * Move xf86SetSingleMode into X server from intel driver. * Add xf86SetDesiredModes to apply desired modes to crtcs. * Use EDID data to set screen physical size at server startup. * Allow relative positions to use output names or monitor identifiers. * Add xf86CrtcScreenInit to share initialization across drivers. * Add hw/xfree86/docs/README.modes, documenting new mode setting APIs. * Remove stale monitor data when output becomes disconnected. * Revert "Xprint includes a filename which is too long for tar." * Revert "Xext: Update device's lastx/lasty when sending a motion event with XTest." * Xext: Update device's lastx/lasty when sending a motion event with XTest. - xf86crtc_allowdual.diff no longer required; replaced by xrandr_12_newmode.diff in xrandr (xorg-x11 package) - bug197190-ia64.diff: * missing -DNO_LONG_LONG for IA64 (Bug #197190) - xf86crtc_allowdual.diff: * allows dualhead even when the second monitor is not yet connected during Xserver start - %post: replace "i810beta" with "intel" in existing xorg.conf - xserver 1.2.99.901 release: * RandR 1.2 * EXA damage track * minor fixes - use global permissions files for SUSE > 10.1 (Bug #246228) - improved bug-197858_dpms.diff to fix Xserver crash (Bug #197858) - bug-197858_dpms.diff: * finally fixed "X server wakes up on any ACPI event" issue (Bug #197858) - bug-211314_p_drawable_privclean.diff: * fixed for cleaning up pointers - fixed build - bug-211314_p_drawable_privclean.diff: * fixes Xserver crash in Mesa software rendering path (Bug #211314) - xserver 1.2.0 release * Bug #9219: Return BadMatch when trying to name the backing pixmap of an unrealized window. * Bug #9219: Use pWin->viewable instead of pWin->realized to catch InputOnly windows too. * Fix BSF and BSR instructions in the x86 emulator. * Bug #9555: Always define _GNU_SOURCE in glibc environments. * Bug #8991: Add glXGetDrawableAttributes dispatch; fix texture format therein. * Bump video and input ABI minors. * Fix release date. * Fix syntax error in configure check for SYSV_IPC that broke with Sun cc * Map missing keycodes for Sun Type 5 keyboard on Solaris SPARC * Update pci.ids to 2006-12-06 from pciids.sf.net * Xorg & Xserver man page updates for 1.2 release * xorg.conf man page should say "XFree86-DGA", not "Xorg-DGA" * Xserver man page: remove bc, add -wr * Update pci.ids to 2007-01-18 snapshot * Update Xserver man page to match commit ed33c7c98ad0c542e9e2dd6caa3f84879c21dd61 * Fix Tooltip from minimized clients * Fix Xming fails to use xkb bug * Fix bad commit * Set Int10Current->Tag for the linux native int10 module * added mipmap.c * configure.ac: prepare for 1.2.0 (X11R7.2) * sparc: don't include asm/kbio.h -- it no longer exists in current headers. * Minor typos in Xserver man page. * Fix several cases where optimized paths were hit when they shouldn't be. * Try dlsym(RTLD_DEFAULT) first when finding symbols. * Fix RENDER issues (bug #7555) and implement RENDER add/remove screen * For Xvfb, Xnest and Xprt, compile fbcmap.c with -DXFree86Server * Multiple integer overflows in dbe and render extensions * Require glproto >= 1.4.8 for GLX. * __glXDRIscreenProbe: Use drmOpen/CloseOnce. * xfree86/hurd: re-add missing keyboard support (bug #5613) * remove last remaning 'linux'isms (bug #5613) - obsoletes * Mesa-6.5.2.diff * xorg-server-1.1.99.901-GetDrawableAttributes.patch * int10-fix.diff * cve-2006-6101_6102_6103.diff - disabled build of VNC server/module - bug-211314_mesa-context.diff: * fixes Xserver crash in software rendering fallback (Bug #211314) - 0018-vnc-support.txt.diff * fixed unresolved symbols vncRandomBytes/deskey in VNC module (terminated Xserver when client connected) - bug227111-ddc_screensize.diff: * allow user overrides for monitor settings (Bug #227111) - loadmod-bug197195.diff: * check the complete path (Bug #197195) - added build of VNC support (0018-vnc-support.txt/ 0018-vnc-support.txt.diff); see 0018-vnc-support.txt.mbox for reference - cve-2006-6101_6102_6103.diff: * CVE-2006-6101 iDefense X.org ProcRenderAddGlyphs (Bug #225972) * CVE-2006-6102 iDefense X.org ProcDbeGetVisualInfo (Bug #225974) * CVE-2006-6103 iDefense X.org ProcDbeSwapBuffers (Bug #225975) - int10-fix.diff * Set Int10Current->Tag for the linux native int10 module (X.Org Bug #9296) * obsoletes p_initialize-pci-tag.diff - reverted latest change by schwab (Bug #197190, comment #67) - Fix off-by-one in pci multi-domain support [#229278]. - libdrm.diff: * no longer fail when some driver tries to load "drm" module - xorg-server-1.1.99.901-GetDrawableAttributes.patch: * hopefully fixes AIGLX issues (X.Org Bug #8991) - another 64bit warning fix - X.Org 7.2RC3 release * Add a -showDefaultModulePath option. * Add a -showDefaultLibPath option. * Add DIX_CFLAGS to util builds. * Fix release date, and tag 1.1.99.903 * make X server use system libdrm - this requires libdrm >= 2.3.0 * DRI: call drmSetServerInfo() before drmOpen(). * add extern to struct definition * fixup configure.ac problems with DRI_SOURCES and LBX_SOURCES * bump to 1.1.99.903 * remove CID support (bug #5553) * dri: setup libdrm hooks as early as possible. * Bug #8868: Remove drm from SUBDIRS now that the directory is gone. * Fix typo before the last commit. * Fix GL context destruction with AIGLX. * On DragonFLy, default to /dev/sysmouse (just like on FreeBSD). * ffs: handle 0 argument (bug #8968) * Bug #9023: Only check mice for "mouse" or "void" if identifier is != NULL. Fix potential NULL pointer access in timer code. - updated Mesa sources to 6.5.2 - xserver-timers.diff: * fix null pointer reference in timer code (Bug #223718) - p_pci-off-by-one.diff: * readded off by one fix, which has been dropped by accident (Bug #197190) - acpi_events.diff: * distinguish between general and input devices also for APM (Bug #197858) - removed /etc/X11/Xsession.d/92xprint-xpserverlist (Bug #220733) - mouse-fix.diff: * prevent driver from crashing when something different than "mouse" or "void" is specified; only check mice for "mouse" or "void" if identifier is != NULL. (X.Org Bug #9023) - X.Org 7.2RC2 release - adjusted p_enable-altrix.diff, p_pci-domain.diff - obsoletes p_pci-ia64.diff, xorg-xserver-ia64-int10.diff p_pci-legacy-mmap.diff - Changes in RC2 since RC1 Aaron Plattner: Fix standard VESA modes. Adam Jackson: Bug #6786: Use separate defines for server's Fixes support level. 'make dist' fixes. Fix distcheck. Include a forgotten ia64 header in the distball. Builds on ia64 now. configure.ac bump. Alan Coopersmith: Make sure xorgcfg files are included even when dist made with --disable-xorgcfg Use getisax() instead of asm code to determine available x86 ISA extensions on Solaris Pre-release message should tell users to check git, not CVS, for updates Fix automake error: BUILT_SOURCES was defined multiple times on Solaris Bug #1997: AUDIT messages should contain uid for local accesses If getpeerucred() is available, include pid & zoneid in audit messages too Make _POSIX_C_SOURCE hack work with Solaris headers Alan Hourihane: Small modification to blocking signals when switching modes. Bjorn Helgaas: Do not map full 0-1MB legacy range Bram Verweij: xfree86/linux acpi: fix tokenising Daniel Stone: GetTimeInMillis: spuport monotonic clock WaitForSomething: allow time to rewind Revert "WaitForSomething: allow time to rewind" Revert "GetTimeInMillis: spuport monotonic clock" add 'general socket' handler, port ACPI to use it WaitForSomething: allow time to rewind WaitForSomething: only rewind when delta is more than 250ms GetTimeInMillis: spuport monotonic clock GetTimeInMillis: simplify monotonic test GetTimeInMillis: use correct units for clock_gettime os: fix sun extensions test Eamon Walsh: Bug #8875: Security extension causes Xorg to core dump on server reset whitespace adjust More work on Bug #8875: revert previous fix and try using client argument Bug #8937: Extension setup functions not called on server resets Egbert Eich: Fixing mach64 driver bailing out on ia64 Make int10 fully domain aware. Erik Andren: remove XFree86 changelogs (bug #7262) Joshua Baergen: Create xorg.conf.example (Gentoo bug #138623). Laurence Withers: CreateColormap: fix return value (bug #7083) Matthias Hopf: Build with -D_PC on ix86 only. Added missing domain stripping in already domain aware code. Added linux 2.6 compatible domain aware device scanning code. Fixing domain support for ia64 Add domain support to linuxPciOpenFile(). Fix device path in altixPCI.c to be domain aware. Fix obviously wrong boundary checks + cleanup unused vars. Matthieu Herrb: kill GNU-make'ism. Handle building in a separate objdir Michel Dänzer: Fix __glXDRIbindTexImage() for 32 bpp on big endian platforms. Fix test for Option "IgnoreABI". Myron Stowe: xfree86: re-enable chipset-specific drivers for Linux/ia64 Rich Coe: CheckConnections: don't close down the server client (bug #7876) - p_ppc_domain_workaround.diff: * ugly workaround for still missing domain support on ppc (Bug #202133) - updated to snapshot of xserver-1.2-branch (soon to be released as X.Org 7.2RC2) * Make sure xorgcfg files are included even when dist made with --disable-xorgcfg * Small modification to blocking signals when switching modes. * Use getisax() instead of asm code to determine available x86 ISA extensions on Solaris * Pre-release message should tell users to check git, not CVS, for updates * Fix __glXDRIbindTexImage() for 32 bpp on big endian platforms. * Create xorg.conf.example (Gentoo bug #138623). * Fix test for Option "IgnoreABI". This option has plenty of potential for wasting the time of bug triagers without pretending it's always on. * kill GNU-make'ism. * Handle building in a separate objdir * Fix automake error: BUILT_SOURCES was defined multiple times on Solaris * Bug #1997: AUDIT messages should contain uid for local accesses * If getpeerucred() is available, include pid & zoneid in audit messages too - added /etc/modprobe.d/nvidia - xorg-xserver-ia64-int10.diff: * build int10 module with _PC only on %ix86 (Bug #197190) - added build of Xephyr; useful for debugging KDE apps (coolo) - cfb8-undefined.diff: * fixes warning for undefined behaviour - Own /etc/X11/Xsession.d directory. - Use /etc/X11/Xsession.d. - updated to X.Org 7.2RC1 - only disable AIGLX by default on SUSE <= 10.1 (Bug #197093) - no longer fake release version for fglrx driver (Bug #198125) - glx-align.patch: * reenabled -D__GLX_ALIGN64 on affected plaforms (X.Org Bug #8392) - Fixes to p_pci-domain.diff (Bug #197572) * internal domain number of by one (was supposed to be a cleanup, but other code dependet on this semantics) * fixed another long-standing of-by-1 error - p_enable-altrix.diff (Bug #197572) * This additional patch enables the build of the altrix detection routines, which have apparently not been included in Xorg 7.1 yet. This patch needs a autoreconf -fi after application. - updated to Mesa 6.5.1 - disable-fbblt-opt.diff: * Disable optimization (introduced by ajax) due to a general vesa driver crash later in memcpy (Bug #204324) - removed two source files with imcompatible license from Mesa tarball (Bug #204110) - added a check to specfile to make sure that these will not be reintroduced with the next Mesa update again (Bug #204110) - moved xf86Parser.h,xf86Optrec.h back to /usr/include/xorg, since SaX2 build issues have finally been resolved by making use of "-iquote /usr/include/xorg -I." - disable-root-xorg_conf.diff: * no longer consider to read /root/xorg.conf - only require xorg-x11-fonts-core ('fixed' + 'cursor' fonts) - fake release version for fglrx driver again, since using IgnoreABI does not help (the check for the ABI version is in the binary-only fglrx driver) - added Requires: xorg-x11-driver-{input,video} (Bug #202080) - ignore-abi.diff: * adds IgnoreABI option for xorg.conf (same as -ignoreABI) - remove .la files - no longer fake release version for fglrx driver; use the new IgnoreABI option instead! - PCI/IA64 Patches (Bug #197572): * apply new p_pci-domain.diff (mhopf) * apply new p_pci-ce-x.diff (mhopf) - PCI/IA64 Patches (Bug #197572): * removed p_mappciBIOS_complete.diff (already applied upstream) * apply p_pci-ia64.diff * apply p_pci-legacy-mmap.diff only for IA64 (as before) * disabled for now: - p_pci-domain.diff: still issues with it - p_pci-ce-x.diff: sits on top of p_pci-domain.diff - added PCI/IA64 patches, but disabled them for now (Bug #197572) - remove comp. symlinks in /usr/X11R6/bin for openSUSE >= 10.2 - fixed build for s390/s390x, e.g. use configure options --disable-install-libxf86config --disable-aiglx --disable-dri --disable-xorg - changed os-name to "openSUSE" instead of "Linux" before - fake release version for fglrx driver :-( - xinerama-sig11.diff: * prevents Xserver Sig11 with broken Xinerama config (Bug #135002) - moved /usr/%_lib/pkgconfig/xorg-server.pc to xorg-x11-server - added pkgconfig to Requires of xorg-x11-server - disable-aiglx.diff: * disabled AIGLX by default (related to Bug #197093); enable it with 'Option "AIGLX" "true"' in ServerFlags section of xorg.conf - enabled build of aiglx - patch font path also in xorg.conf when set to /usr/lib/X11/fonts/ or /usr/X11/lib/X11/fonts - patch xorg.conf in %post: * radeonold/radeon10b driver --> radeon driver - added "Requires: xorg-x11-fonts" to prevent issues like "could not open default font 'fixed'" for any Xserver - make sure that symlinks /usr/bin/X --> /var/X11R6/bin/X /var/X11R6/bin/X --> /usr/bin/Xorg are packaged. - p_xorg_acpi.diff: * fixed for archs which don't have HAVE_ACPI defined, e.g. ppc - p_xf86Mode.diff: * removes wrong warning (Bug #139510) - p_xorg_acpi.diff: * reconnect to acpid when acpid has been killed (Bug #148384) - p_xkills_wrong_client.diff: * This patch has unveiled two other problems. One is rather serious as there seems to be a non-zero possibility that the Xserver closes the wrong connection and this closes the wrong client when it looks for stale sockets of clients that have disappeared (eich, Bug #150869) - p_bug159532.diff: * X Clients can intentionally or unintenionally crash X11 by using composite on depth 4 pixmaps. This patch fixes this. (Bug #159532) - p_xnest-ignore-getimage-errors.diff: * ignores the X error on GetImage in Xnest (Bug #174228, X.Org Bug #4411) - p_initialize-pci-tag.diff: * initialize PCI tag correctly, which is used by an IA64 specific patch (see Bug #147261 for details); fixes Xserver crashes with fglrx driver - and possibly other drivers like vesa - during initial startup (!), VT switch and startup of second Xserver (SLED10 Blocker Bugs #180535, #170991, #158806) - p_ia64-console.diff: * fixes MCA after start of second Xserver (Bug #177011) - p_mouse_misc.diff: * fix X server crashes with synaptics driver (Bug #61702) - pu_fixes.diff * Fixes not yet in the official version - p_bug96328.diff: * fallback mouse device checking - p_vga-crashfix.diff: * fixes vga driver crash (#133989) - p_xorg_rom_read.diff * read rom in big chunks instead of byte-at-a-time (Bug #140811) - ps_showopts.diff * Xserver "-showopts" option to print available driver options (Bug #137374) - add /var/X11R6/bin directory for now (Bug #197188) - fix setup line - fixed fatal compiler warnings - always (and only) patch xorg.conf if necessary - update to xorg-server release 1.1.99.3 - use "-fno-strict-aliasing" - use $RPM_OPT_FLAGS - remove existing /usr/include/X11 symlink in %pre - install xf86Parser.h,xf86Optrec.h to /usr/include instead of /usr/include/xorg, so it is no longer necessary to specify "-I/usr/include/xorg" which resulted in including a wrong "shadow.h" (by X.Org) when building SaX2 (strange build error) - added permissions files - add compatibility symlink /usr/X11R6/bin/Xorg - p_ValidatePci.diff: * no longer call ValidatePci() to fix i810 driver issues (Bug #191987) - fixed build - bfo-bug15222.diff (bfo #15222, bnc #374318) * CVE-2008-2360 - RENDER Extension heap buffer overflow * CVE-2008-2361 - RENDER Extension crash * CVE-2008-2362 - RENDER Extension memory corruption * CVE-2008-1379 - MIT-SHM arbitrary memory read * CVE-2008-1377 - RECORD and Security extensions memory corruption - xserver-mode-fuzzy-check.diff * Make mode checking more tolerant like in pre-RandR times. - fix-dpi-values.diff * fixes DPI values for RANDR 1.2 capable drivers (bnc #393001) - mention ZapWarning also in Xorg manual page (bnc #391352) - xorg-server-1.4-vnc-render_sig11.diff * fixed sig11 in RENDER code (bnc #385677) - disabled patch to disable RENDER support in Xvnc, since it broke 24bit color depth support (bnc #390011) - xorg-server-1.4-vnc-disable_render.diff * disabled RENDER support in Xvnc (bnc #385677) - events.diff * eating up key events before going into the idle loop upon vt switch instead of after return (bnc #152522) - xkb_action.diff * fixed remaining unitialized warning in X.Org (bnc #83910) - fbdevhw.diff * screen blanking not supported by vesafb of Linux kernel (bnc #146462) - no longer disable AIGLX by default - XAANoOffscreenPixmaps.diff * disable Offscreen Pixmaps by default (bnc #376068) - Fix another o-b-1 in pci domain support. - randr1_1-sig11.diff * fixes Xserver crash when running xrandr on a different virtual terminal (Egbert Eich, bnc #223459) - commit-37b1258.diff * possibly fixes unwanted autorepeat (bnc #377612, bfo #14811) - bitmap_always_unscaled.diff * Default bitmap fonts should typically be set as unscaled (libv) - update to Mesa bugfix release 7.0.3 (final) sources - update to Mesa bugfix release 7.0.3 RC3 sources - confine_to_shape.diff * fixes XGrabPointer's confine_to with shaped windows (bnc #62146) - zap_warning_xserver.diff * implements FATE #302988: ZapWarning (Luc Verhaegen) Uses PCSpeaker for beep. Press once, beep. Press again within 2s (which is ample), terminate. Documented in xorg.conf manpage. - make the memory corruption fix by schwab a seperate patch to make sure it won't get lost the next time I update the VNC patch - Fix vnc server memory corruption. - commit-a6a7fad.diff * Don't break grab and focus state for a window when redirecting it. (bnc #336219, bfo #488264) - update to Mesa bugfix release 7.0.3 RC2 sources * Fixed GLX indirect vertex array rendering bug (14197) * Fixed crash when deleting framebuffer objects (bugs 13507, 14293) * User-defined clip planes enabled for R300 (bug 9871) * Fixed glBindTexture() crash upon bad target (bug 14514) * Fixed potential crash in glDrawPixels(GL_DEPTH_COMPONENT) (bug 13915) * Bad strings given to glProgramStringARB() didn't generate GL_INVALID_OPERATION * Fixed minor point rasterization regression (bug 11016) - added Requires:xkeyboard-config to xorg-x11-server - commit-50e80c3.diff: * never overwrite realInputProc with enqueueInputProc (bnc#357989, bfo#13511) - only switch to radeon driver in %post if radeonold driver is no longer available (Bug #355009) - some more cleanup in %post - Move manpage to the sub package that provides the binary. - update to Mesa bugfix release 7.0.3 RC1 sources * Added missing glw.pc.in file to release tarball * Fix GLUT/Fortran issues * GLSL gl_FrontLightModelProduct.sceneColor variable wasn't defined * Fix crash upon GLSL variable array indexes (not yet supported) * Two-sided stencil test didn't work in software rendering * Fix two-sided lighting bugs/crashes (bug 13368) * GLSL gl_FrontFacing didn't work properly * glGetActiveUniform returned incorrect sizes (bug 13751) * Fix several bugs relating to uniforms and attributes in GLSL API (Bruce Merry, bug 13753) * glTexImage3D(GL_PROXY_TEXTURE_3D) mis-set teximage depth field - updated patch for CVE-2007-6429 once more (X.Org Bug #13520) * Always test for size+offset wrapping. - updated patch for CVE-2007-6429 (Bug #345131) * Don't spuriously reject <8bpp shm pixmaps. Move size validation after depth validation, and only validate size if the bpp of the pixmap format is > 8. If bpp < 8 then we're already protected from overflow by the width and height checks. - X.Org security update * CVE-2007-5760 - XFree86 Misc extension out of bounds array index * CVE-2007-6427 - Xinput extension memory corruption. * CVE-2007-6428 - TOG-cup extension memory corruption. * CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows. * CVE-2008-0006 - PCF Font parser buffer overflow. - xorg-server 1.4.0.90 (prerelease of 1.4.1) - pixman.diff * fixed include path for pixman.h - remove_bogus_modeline.diff * remove bogus monitor modelines provided by DDC (Bug #335540) - commit-184e571.diff * Adjust offsets of modes that do not fit virtual screen size. - commit-c6c284e.diff * Initialize Mode with 0 in xf86RandRModeConvert. - commit-f6401f9.diff * Don't segfault if referring to a relative output where no modes survived. - commit-f7dd0c7.diff * Only clear crtc of output if it is the one we're actually working on. - commit-fa19e84.diff * Fix initial placement of LeftOf and Above. - pixman.diff no longer required - s390(x): allow mfb build without Xorg server being built - commit-29e0e18.diff * Make config file preferred mode override monitor preferred mode. - commit-feac075.diff * Leave hardware-specified preferred modes alone when user preference exists. - obsoletes preferred_mode-fix.diff - added xorg-x11-fonts-core/xorg-x11 to Requires (Bug #341312) - ia64linuxPciInit: allocate extra space for fake devices. - updated to Mesa 7.0.2 (final) sources - updated to Mesa 7.0.2 RC1 sources - xorg-server-1.4-vnc-64bit.diff * fixes segfault on 64bit during Xserver start; make sure to define _XSERVER64 by having HAVE_DIX_CONFIG_H defined and therefore including dix-config.h, so Atom is CARD32 instead of unsigned long before and no longer messes up the pInfo structure in xf86rfbMouseInit/xf86rfbKeybInit - finally enabled build of xf4vnc (standalone Xvnc and VNC Xserver module) - updated xf4vnc patch; still disabled due to problematic vnc module - preferred_mode-fix.diff * more reasonable patch (Bug #329724) - preferred_mode-fix.diff * fixed endless loop if PreferredMode is set (Bug #329724) - removed obsolete patch p_pci-domain.diff (Bug #308693, comment #26) - apply p_pci-off-by-one.diff.ia64 on all platforms since it clearly only affects platforms, where INCLUDE_XF86_NO_DOMAIN is *not* set; this still not explains why we have seen Xserver hangups with the patch in place on at least some %ix86/x86_64 machines with fglrx/ nvidia driver IIRC; it needs to verified if this problem is still reproducable ... (Bug #308693, comment #25) - xserver-1.3.0-xkb-and-loathing.patch * Ignore (not just block) SIGALRM around calls to Popen()/Pclose(). Fixes a hang in openoffice when opening menus. (Bug #245711) - added missing ia64Pci.h; required for IA64 - recreated p_pci-off-by-one.diff.ia64; the default fuzz factor of patch (2) resulted in a hunk applied to the wrong function and therefore broke the build :-( - xorg-server 1.4 * Welcome to X.Org X Server 1.4, now with hotplugging input to go with the hotplugging output. Also included in this release are many performance and correctness fixes to the EXA acceleration architecture, support for DTrace profiling of the X Server, accelerated GLX_EXT_texture_from_pixmap with supporting DRI drivers, and many improvements to the RandR 1.2 support that was added in xorg-server-1.3. The X Server now relies on the pixman library, which replaces the fb/fbcompose.c and accelerated implementations that were previously shared through code-duplication with the cairo project. * obsolete patches: - bug-259290_trapfault.diff - cfb8-undefined.diff - commit-c09e68c - i810_dri_fix_freeze.diff - p_bug159532.diff - p_enable-altrix.diff - p_pci-ce-x.diff - p_pci-off-by-one.diff - p_xorg_rom_read.diff - randr12-2926cf1da7e4ed63573bfaecdd7e19beb3057d9b.diff - randr12-5b424b562eee863b11571de4cd0019cd9bc5b379.diff - randr12-aec0d06469a2fa7440fdd5ee03dc256a68704e77.diff - randr12-b2dcfbca2441ca8c561f86a78a76ab59ecbb40e4.diff - randr12-b4193a2eee80895c5641e77488df0e72a73a3d99.diff - remove__GLinterface.patch - support_mesa6.5.3.patch - use-composite-for-unequal-depths.patch - x86emu.diff - xephyr-sig11-fix.diff * adjusted patches: - 64bit.diff - bug-197858_dpms.diff - bug227111-ddc_screensize.diff - disable-root-xorg_conf.diff - fpic.diff - glx-align.patch - libdrm.diff - p_bug96328.diff - p_ia64-console.diff - p_vga-crashfix.diff - xephyr.diff - pixman.diff: * search for pixman instead of pixman-1 - bumped version to 7.3 - remove wrongly prebuilt xf1bpp files after extracting tarball; fixes vga module loading (Bug #328201) - do not use "make -j" to (quick)fix xf1bpp build - do not apply p_pci-domain.diff on IA64 - use updated off-by-one patch by schwab for IA64 - edit_data_sanity_check.diff: * added sanity check for monitor EDID data (Bug #326454) - reverted changes by schwab on Fri Sep 7; these resulted i a black screen during Xserver start with any driver on non-IA64 platforms - use-composite-for-unequal-depths.patch: * Use Composite when depths don't match (Bug #309107, X.Org Bug [#7447]) - Update off-by-one patch. - Remove empty patch. - fbdevhw.diff: * ignore pixclock set to 0 by Xen kernel (Bug #285523) - added several RANDR 1.2 fixes (Bug #306699) * randr12-2926cf1da7e4ed63573bfaecdd7e19beb3057d9b.diff Allocate the right number of entries for saving crtcs * randr12-5b424b562eee863b11571de4cd0019cd9bc5b379.diff Set the crtc before the output change is notified. Set the new randr crtc of the output before the output change notification is delivered to the clients. Remove RROutputSetCrtc as it is not really necessary. All we have to do is set the output's crtc on RRCrtcNotify * randr12-8d230319040f0a7f72231da2bf5ec97dc3612e21.diff Fix the output->crtc initialization in the old randr setup * randr12-aec0d06469a2fa7440fdd5ee03dc256a68704e77.diff Fix a crash when rotating the screen. Remember output->crtc before setting a NULL mode because RRCrtcNotify now sets output->crtc to NULL. Use the saved crtc to set the new mode. * randr12-b2dcfbca2441ca8c561f86a78a76ab59ecbb40e4.diff RRScanOldConfig cannot use RRFirstOutput before output is configured. RRFirstOutput returns the first active output, which won't be set until after RRScanOldConfig is finished running. Instead, just use the first output (which is the only output present with an old driver, after all). * randr12-b4193a2eee80895c5641e77488df0e72a73a3d99.diff RRScanOldConfig wasn't getting crtcs set correctly. The output crtc is set by RRCrtcNotify, which is called at the end of RRScanOldConfig. Several uses of output->crtc in this function were wrong. - i810_dri_fix_freeze.diff: * fixes freeze after pressing Ctrl-Alt-BS (X.Org Bug #10809) - xserver-mode-fuzzy-check.diff: * Fix for Xserver being more fuzzy about mode validation (Bug #270846) - disable AIGLX by default; without enabled Composite extension (still problematic on many drivers) it's rather useless anyway - updated xorg.conf manual page - fix fileconflict over doc/MAINTAINERS - build parallel - updated Mesa source to bugfix release 7.0.1 - xephyr-sig11-fix.diff: * long vs. CARD32 mismatch in KeySym definitions between client and server code - this patch seems to fix it (and the input rework in head fixed it as well in a different way) (Bug #235320) - fixed build on s390(x) - added X(7) and security(7) manual pages - updated Mesa source to final release 7.0 - updated Mesa source to release 7.0 RC1 * Mesa 7.0 is a stable, follow-on release to Mesa 6.5.3. The only difference is bug fixes. The major version number bump is due to OpenGL 2.1 API support. - simplified p_default-module-path.diff - disabled build of Xprt - moved Xdmx, Xephyr, Xnest and Xvfb to new subpackage xorg-x11-server-extra - commit-c09e68c: * Paper over a crash at exit during GLX teardown - updated to Mesa 6.5.3 sources - obsoletes the following patches: * bug-211314_mesa-destroy_buffers.diff * bug-211314_mesa-framebuffer-counting.diff * bug-211314-patch-1.diff * bug-211314-patch-2.diff * bug-211314-patch-3.diff * bug-211314-patch-4.diff * bug-211314-patch-5.diff * bug-211314-patch-6.diff * bug-211314-patch-7.diff * bug-211314-patch-8.diff * bug-211314-patch-9.diff * bug-211314-patch-10.diff * bug-211314-patch-11.diff * bug-211314_mesa-refcount-memleak-fixes.diff * Mesa-6.5.2-fix_radeon_cliprect.diff - remove__GLinterface.patch/ support_mesa6.5.3.patch * required Xserver changes for Mesa 6.5.3 - xorg-x11-server-1.2.99-unbreak-domain.patch: * This patch fixes some multi-domain systems such as Pegasos with xorg-server 1.3. Since pci-rework should get merged soon and this patch is a bit of a hack, it never got pushed upstream. (X.Org Bug #7248) - back to Mesa 6.5.2 (Bug #269155/269042) - Mesa update: 4th RC ready * This fixes some breakage in RC3. - Mesa update: 3rd release candidate * updated Windows/VC8 project files. - updated to Mesa 6.5.3rc2 sources * a number of bug fixes since the first RC - updated to Mesa 6.5.3rc1 sources - obsoletes the following patches: * bug-211314_mesa-destroy_buffers.diff * bug-211314_mesa-framebuffer-counting.diff * bug-211314-patch-1.diff * bug-211314-patch-2.diff * bug-211314-patch-3.diff * bug-211314-patch-4.diff * bug-211314-patch-5.diff * bug-211314-patch-6.diff * bug-211314-patch-7.diff * bug-211314-patch-8.diff * bug-211314-patch-9.diff * bug-211314-patch-10.diff * bug-211314-patch-11.diff * bug-211314_mesa-refcount-memleak-fixes.diff * Mesa-6.5.2-fix_radeon_cliprect.diff - GL-Mesa-6.5.3.diff: * adjusted GL subdir to Mesa 6.5.3rc1 - xserver 1.3.0.0 release * Syncmaster 226 monitor needs 60Hz refresh (#10545). * In AIGLX EnterVT processing, invoke driver EnterVT before resuming glx. * Disable CRTC when SetSingleMode has no matching mode. Update RandR as well. * Rotate screen size as needed from RandR 1.1 change requests. * Add quirk for Acer AL1706 monitor to force 60hz refresh. * RandR 1.2 spec says CRTC info contains screen-relative geometry * typo in built-in module log message * Use default screen monitor for one of the outputs. * Allow outputs to be explicitly enabled in config, overriding detect. * Was accidentally disabling rotation updates in mode set. * Disable SourceValidate in rotation to capture cursor. - Mesa-6.5.2-fix_radeon_cliprect.diff: * fixes X.Org Bug #9876 - bug-259290_trapfault.diff: * fixes crash caused by bug in XRender code (Bug #259290) - xserver 1.2.99.905 release: * CVE-2007-1003: XC-MISC Extension ProcXCMiscGetXIDList() Memory Corruption * X.Org Bug #10296: Fix timer rescheduling - obsoletes bug-243978_xcmisc.diff - xserver 1.2.99.904 release: * Don't erase current crtc for outputs on CloseScreen - bug-243978_xcmisc.diff: * mem corruption in ProcXCMiscGetXIDList (CVE-2007-1003, Bug #243978) - bug-211314_mesa-refcount-memleak-fixes.diff: * Fix for memleaks and refount bugs (Bug #211314) - p_default-module-path.diff: * only return /usr/%lib/xorg/modules in "-showDefaultModulePath" Xserver option (Bug #257360) - set Xserver version to 7.2.0 with configure option (Bugs #257360, #253702) - xserver 1.2.99.903 release: * Create driver-independent CRTC-based cursor layer. * Allow xf86_reload_cursors during server init. * Don't wedge when rotating more than one CRTC. * Correct ref counting of RRMode structures * Remove extra (and wrong) I2C ByteTimeout setting in DDC code. * Slow down DDC I2C bus using a RiseFallTime of 20us for old monitors. * Clean up Rotate state on server reset. * Clear allocated RandR screen private structure. * Clean up xf86CrtcRec and xf86OutputRec objects at CloseScreen. * Make sure RandR events are delivered from RRCrtcSet. * Fix Pending property API, adding RRPostPendingProperty. * Incorrect extra memory copy in RRChangeOutputProperty. * Ensure that crtc desired values track most recent mode. * Make pending properties force mode set. And, remove AttachScreen calls. * Set version to 1.2.99.903 (1.3 RC3) * fbdevhw: Consolidate modeset ioctl calling, report failure if it modifies mode. * fbdevhw: Fix some issues with the previous commit. * fbdevhw: Use displayWidth for fbdev virtual width when appropriate. * fbdevhw: Override RGB offsets and masks after setting initial mode. * fbdevhw: Consider mode set equal to mode requested if virtual width is larger. * fbdevhw: Only deal with RGB weight if default visual is True- or DirectColor. * Add per-drawable Xv colour key helper function. * Bump video driver ABI version to 1.2. - no longer apply bug-211314_mesa-context.diff, bug-211314_p_drawable_privclean.diff (Bug #211314, comment #114) - added different Mesa patches (Bug #211314, comments #114/#115) - Remove bug197190-ia64.diff, fix x86emu instead. - xserver 1.2.99.902 release: * Xprint: shorten font filename to fit in tar length limit * Move xf86SetSingleMode into X server from intel driver. * Add xf86SetDesiredModes to apply desired modes to crtcs. * Use EDID data to set screen physical size at server startup. * Allow relative positions to use output names or monitor identifiers. * Add xf86CrtcScreenInit to share initialization across drivers. * Add hw/xfree86/docs/README.modes, documenting new mode setting APIs. * Remove stale monitor data when output becomes disconnected. * Revert "Xprint includes a filename which is too long for tar." * Revert "Xext: Update device's lastx/lasty when sending a motion event with XTest." * Xext: Update device's lastx/lasty when sending a motion event with XTest. - xf86crtc_allowdual.diff no longer required; replaced by xrandr_12_newmode.diff in xrandr (xorg-x11 package) - bug197190-ia64.diff: * missing -DNO_LONG_LONG for IA64 (Bug #197190) - xf86crtc_allowdual.diff: * allows dualhead even when the second monitor is not yet connected during Xserver start - %post: replace "i810beta" with "intel" in existing xorg.conf - xserver 1.2.99.901 release: * RandR 1.2 * EXA damage track * minor fixes - use global permissions files for SUSE > 10.1 (Bug #246228) - improved bug-197858_dpms.diff to fix Xserver crash (Bug #197858) - bug-197858_dpms.diff: * finally fixed "X server wakes up on any ACPI event" issue (Bug #197858) - bug-211314_p_drawable_privclean.diff: * fixed for cleaning up pointers - fixed build - bug-211314_p_drawable_privclean.diff: * fixes Xserver crash in Mesa software rendering path (Bug #211314) - xserver 1.2.0 release * Bug #9219: Return BadMatch when trying to name the backing pixmap of an unrealized window. * Bug #9219: Use pWin->viewable instead of pWin->realized to catch InputOnly windows too. * Fix BSF and BSR instructions in the x86 emulator. * Bug #9555: Always define _GNU_SOURCE in glibc environments. * Bug #8991: Add glXGetDrawableAttributes dispatch; fix texture format therein. * Bump video and input ABI minors. * Fix release date. * Fix syntax error in configure check for SYSV_IPC that broke with Sun cc * Map missing keycodes for Sun Type 5 keyboard on Solaris SPARC * Update pci.ids to 2006-12-06 from pciids.sf.net * Xorg & Xserver man page updates for 1.2 release * xorg.conf man page should say "XFree86-DGA", not "Xorg-DGA" * Xserver man page: remove bc, add -wr * Update pci.ids to 2007-01-18 snapshot * Update Xserver man page to match commit ed33c7c98ad0c542e9e2dd6caa3f84879c21dd61 * Fix Tooltip from minimized clients * Fix Xming fails to use xkb bug * Fix bad commit * Set Int10Current->Tag for the linux native int10 module * added mipmap.c * configure.ac: prepare for 1.2.0 (X11R7.2) * sparc: don't include asm/kbio.h -- it no longer exists in current headers. * Minor typos in Xserver man page. * Fix several cases where optimized paths were hit when they shouldn't be. * Try dlsym(RTLD_DEFAULT) first when finding symbols. * Fix RENDER issues (bug #7555) and implement RENDER add/remove screen * For Xvfb, Xnest and Xprt, compile fbcmap.c with -DXFree86Server * Multiple integer overflows in dbe and render extensions * Require glproto >= 1.4.8 for GLX. * __glXDRIscreenProbe: Use drmOpen/CloseOnce. * xfree86/hurd: re-add missing keyboard support (bug #5613) * remove last remaning 'linux'isms (bug #5613) - obsoletes * Mesa-6.5.2.diff * xorg-server-1.1.99.901-GetDrawableAttributes.patch * int10-fix.diff * cve-2006-6101_6102_6103.diff - disabled build of VNC server/module - bug-211314_mesa-context.diff: * fixes Xserver crash in software rendering fallback (Bug #211314) - 0018-vnc-support.txt.diff * fixed unresolved symbols vncRandomBytes/deskey in VNC module (terminated Xserver when client connected) - bug227111-ddc_screensize.diff: * allow user overrides for monitor settings (Bug #227111) - loadmod-bug197195.diff: * check the complete path (Bug #197195) - added build of VNC support (0018-vnc-support.txt/ 0018-vnc-support.txt.diff); see 0018-vnc-support.txt.mbox for reference - cve-2006-6101_6102_6103.diff: * CVE-2006-6101 iDefense X.org ProcRenderAddGlyphs (Bug #225972) * CVE-2006-6102 iDefense X.org ProcDbeGetVisualInfo (Bug #225974) * CVE-2006-6103 iDefense X.org ProcDbeSwapBuffers (Bug #225975) - int10-fix.diff * Set Int10Current->Tag for the linux native int10 module (X.Org Bug #9296) * obsoletes p_initialize-pci-tag.diff - reverted latest change by schwab (Bug #197190, comment #67) - Fix off-by-one in pci multi-domain support [#229278]. - libdrm.diff: * no longer fail when some driver tries to load "drm" module - xorg-server-1.1.99.901-GetDrawableAttributes.patch: * hopefully fixes AIGLX issues (X.Org Bug #8991) - another 64bit warning fix - X.Org 7.2RC3 release * Add a -showDefaultModulePath option. * Add a -showDefaultLibPath option. * Add DIX_CFLAGS to util builds. * Fix release date, and tag 1.1.99.903 * make X server use system libdrm - this requires libdrm >= 2.3.0 * DRI: call drmSetServerInfo() before drmOpen(). * add extern to struct definition * fixup configure.ac problems with DRI_SOURCES and LBX_SOURCES * bump to 1.1.99.903 * remove CID support (bug #5553) * dri: setup libdrm hooks as early as possible. * Bug #8868: Remove drm from SUBDIRS now that the directory is gone. * Fix typo before the last commit. * Fix GL context destruction with AIGLX. * On DragonFLy, default to /dev/sysmouse (just like on FreeBSD). * ffs: handle 0 argument (bug #8968) * Bug #9023: Only check mice for "mouse" or "void" if identifier is != NULL. Fix potential NULL pointer access in timer code. - updated Mesa sources to 6.5.2 - xserver-timers.diff: * fix null pointer reference in timer code (Bug #223718) - p_pci-off-by-one.diff: * readded off by one fix, which has been dropped by accident (Bug #197190) - acpi_events.diff: * distinguish between general and input devices also for APM (Bug #197858) - removed /etc/X11/Xsession.d/92xprint-xpserverlist (Bug #220733) - mouse-fix.diff: * prevent driver from crashing when something different than "mouse" or "void" is specified; only check mice for "mouse" or "void" if identifier is != NULL. (X.Org Bug #9023) - X.Org 7.2RC2 release - adjusted p_enable-altrix.diff, p_pci-domain.diff - obsoletes p_pci-ia64.diff, xorg-xserver-ia64-int10.diff p_pci-legacy-mmap.diff - Changes in RC2 since RC1 Aaron Plattner: Fix standard VESA modes. Adam Jackson: Bug #6786: Use separate defines for server's Fixes support level. 'make dist' fixes. Fix distcheck. Include a forgotten ia64 header in the distball. Builds on ia64 now. configure.ac bump. Alan Coopersmith: Make sure xorgcfg files are included even when dist made with --disable-xorgcfg Use getisax() instead of asm code to determine available x86 ISA extensions on Solaris Pre-release message should tell users to check git, not CVS, for updates Fix automake error: BUILT_SOURCES was defined multiple times on Solaris Bug #1997: AUDIT messages should contain uid for local accesses If getpeerucred() is available, include pid & zoneid in audit messages too Make _POSIX_C_SOURCE hack work with Solaris headers Alan Hourihane: Small modification to blocking signals when switching modes. Bjorn Helgaas: Do not map full 0-1MB legacy range Bram Verweij: xfree86/linux acpi: fix tokenising Daniel Stone: GetTimeInMillis: spuport monotonic clock WaitForSomething: allow time to rewind Revert "WaitForSomething: allow time to rewind" Revert "GetTimeInMillis: spuport monotonic clock" add 'general socket' handler, port ACPI to use it WaitForSomething: allow time to rewind WaitForSomething: only rewind when delta is more than 250ms GetTimeInMillis: spuport monotonic clock GetTimeInMillis: simplify monotonic test GetTimeInMillis: use correct units for clock_gettime os: fix sun extensions test Eamon Walsh: Bug #8875: Security extension causes Xorg to core dump on server reset whitespace adjust More work on Bug #8875: revert previous fix and try using client argument Bug #8937: Extension setup functions not called on server resets Egbert Eich: Fixing mach64 driver bailing out on ia64 Make int10 fully domain aware. Erik Andren: remove XFree86 changelogs (bug #7262) Joshua Baergen: Create xorg.conf.example (Gentoo bug #138623). Laurence Withers: CreateColormap: fix return value (bug #7083) Matthias Hopf: Build with -D_PC on ix86 only. Added missing domain stripping in already domain aware code. Added linux 2.6 compatible domain aware device scanning code. Fixing domain support for ia64 Add domain support to linuxPciOpenFile(). Fix device path in altixPCI.c to be domain aware. Fix obviously wrong boundary checks + cleanup unused vars. Matthieu Herrb: kill GNU-make'ism. Handle building in a separate objdir Michel Dänzer: Fix __glXDRIbindTexImage() for 32 bpp on big endian platforms. Fix test for Option "IgnoreABI". Myron Stowe: xfree86: re-enable chipset-specific drivers for Linux/ia64 Rich Coe: CheckConnections: don't close down the server client (bug #7876) - p_ppc_domain_workaround.diff: * ugly workaround for still missing domain support on ppc (Bug #202133) - updated to snapshot of xserver-1.2-branch (soon to be released as X.Org 7.2RC2) * Make sure xorgcfg files are included even when dist made with --disable-xorgcfg * Small modification to blocking signals when switching modes. * Use getisax() instead of asm code to determine available x86 ISA extensions on Solaris * Pre-release message should tell users to check git, not CVS, for updates * Fix __glXDRIbindTexImage() for 32 bpp on big endian platforms. * Create xorg.conf.example (Gentoo bug #138623). * Fix test for Option "IgnoreABI". This option has plenty of potential for wasting the time of bug triagers without pretending it's always on. * kill GNU-make'ism. * Handle building in a separate objdir * Fix automake error: BUILT_SOURCES was defined multiple times on Solaris * Bug #1997: AUDIT messages should contain uid for local accesses * If getpeerucred() is available, include pid & zoneid in audit messages too - added /etc/modprobe.d/nvidia - xorg-xserver-ia64-int10.diff: * build int10 module with _PC only on %ix86 (Bug #197190) - added build of Xephyr; useful for debugging KDE apps (coolo) - cfb8-undefined.diff: * fixes warning for undefined behaviour - Own /etc/X11/Xsession.d directory. - Use /etc/X11/Xsession.d. - updated to X.Org 7.2RC1 - only disable AIGLX by default on SUSE <= 10.1 (Bug #197093) - no longer fake release version for fglrx driver (Bug #198125) - glx-align.patch: * reenabled -D__GLX_ALIGN64 on affected plaforms (X.Org Bug #8392) - Fixes to p_pci-domain.diff (Bug #197572) * internal domain number of by one (was supposed to be a cleanup, but other code dependet on this semantics) * fixed another long-standing of-by-1 error - p_enable-altrix.diff (Bug #197572) * This additional patch enables the build of the altrix detection routines, which have apparently not been included in Xorg 7.1 yet. This patch needs a autoreconf -fi after application. - updated to Mesa 6.5.1 - disable-fbblt-opt.diff: * Disable optimization (introduced by ajax) due to a general vesa driver crash later in memcpy (Bug #204324) - removed two source files with imcompatible license from Mesa tarball (Bug #204110) - added a check to specfile to make sure that these will not be reintroduced with the next Mesa update again (Bug #204110) - moved xf86Parser.h,xf86Optrec.h back to /usr/include/xorg, since SaX2 build issues have finally been resolved by making use of "-iquote /usr/include/xorg -I." - disable-root-xorg_conf.diff: * no longer consider to read /root/xorg.conf - only require xorg-x11-fonts-core ('fixed' + 'cursor' fonts) - fake release version for fglrx driver again, since using IgnoreABI does not help (the check for the ABI version is in the binary-only fglrx driver) - added Requires: xorg-x11-driver-{input,video} (Bug #202080) - ignore-abi.diff: * adds IgnoreABI option for xorg.conf (same as -ignoreABI) - remove .la files - no longer fake release version for fglrx driver; use the new IgnoreABI option instead! - PCI/IA64 Patches (Bug #197572): * apply new p_pci-domain.diff (mhopf) * apply new p_pci-ce-x.diff (mhopf) - PCI/IA64 Patches (Bug #197572): * removed p_mappciBIOS_complete.diff (already applied upstream) * apply p_pci-ia64.diff * apply p_pci-legacy-mmap.diff only for IA64 (as before) * disabled for now: - p_pci-domain.diff: still issues with it - p_pci-ce-x.diff: sits on top of p_pci-domain.diff - added PCI/IA64 patches, but disabled them for now (Bug #197572) - remove comp. symlinks in /usr/X11R6/bin for openSUSE >= 10.2 - fixed build for s390/s390x, e.g. use configure options --disable-install-libxf86config --disable-aiglx --disable-dri --disable-xorg - changed os-name to "openSUSE" instead of "Linux" before - fake release version for fglrx driver :-( - xinerama-sig11.diff: * prevents Xserver Sig11 with broken Xinerama config (Bug #135002) - moved /usr/%_lib/pkgconfig/xorg-server.pc to xorg-x11-server - added pkgconfig to Requires of xorg-x11-server - disable-aiglx.diff: * disabled AIGLX by default (related to Bug #197093); enable it with 'Option "AIGLX" "true"' in ServerFlags section of xorg.conf - enabled build of aiglx - patch font path also in xorg.conf when set to /usr/lib/X11/fonts/ or /usr/X11/lib/X11/fonts - patch xorg.conf in %post: * radeonold/radeon10b driver --> radeon driver - added "Requires: xorg-x11-fonts" to prevent issues like "could not open default font 'fixed'" for any Xserver - make sure that symlinks /usr/bin/X --> /var/X11R6/bin/X /var/X11R6/bin/X --> /usr/bin/Xorg are packaged. - p_xorg_acpi.diff: * fixed for archs which don't have HAVE_ACPI defined, e.g. ppc - p_xf86Mode.diff: * removes wrong warning (Bug #139510) - p_xorg_acpi.diff: * reconnect to acpid when acpid has been killed (Bug #148384) - p_xkills_wrong_client.diff: * This patch has unveiled two other problems. One is rather serious as there seems to be a non-zero possibility that the Xserver closes the wrong connection and this closes the wrong client when it looks for stale sockets of clients that have disappeared (eich, Bug #150869) - p_bug159532.diff: * X Clients can intentionally or unintenionally crash X11 by using composite on depth 4 pixmaps. This patch fixes this. (Bug #159532) - p_xnest-ignore-getimage-errors.diff: * ignores the X error on GetImage in Xnest (Bug #174228, X.Org Bug #4411) - p_initialize-pci-tag.diff: * initialize PCI tag correctly, which is used by an IA64 specific patch (see Bug #147261 for details); fixes Xserver crashes with fglrx driver - and possibly other drivers like vesa - during initial startup (!), VT switch and startup of second Xserver (SLED10 Blocker Bugs #180535, #170991, #158806) - p_ia64-console.diff: * fixes MCA after start of second Xserver (Bug #177011) - p_mouse_misc.diff: * fix X server crashes with synaptics driver (Bug #61702) - pu_fixes.diff * Fixes not yet in the official version - p_bug96328.diff: * fallback mouse device checking - p_vga-crashfix.diff: * fixes vga driver crash (#133989) - p_xorg_rom_read.diff * read rom in big chunks instead of byte-at-a-time (Bug #140811) - ps_showopts.diff * Xserver "-showopts" option to print available driver options (Bug #137374) - add /var/X11R6/bin directory for now (Bug #197188) - fix setup line - fixed fatal compiler warnings - always (and only) patch xorg.conf if necessary - update to xorg-server release 1.1.99.3 - use "-fno-strict-aliasing" - use $RPM_OPT_FLAGS - remove existing /usr/include/X11 symlink in %pre - install xf86Parser.h,xf86Optrec.h to /usr/include instead of /usr/include/xorg, so it is no longer necessary to specify "-I/usr/include/xorg" which resulted in including a wrong "shadow.h" (by X.Org) when building SaX2 (strange build error) - added permissions files - add compatibility symlink /usr/X11R6/bin/Xorg - p_ValidatePci.diff: * no longer call ValidatePci() to fix i810 driver issues (Bug #191987) - fixed build - bfo-bug15222.diff (bfo #15222, bnc #374318) * CVE-2008-2360 - RENDER Extension heap buffer overflow * CVE-2008-2361 - RENDER Extension crash * CVE-2008-2362 - RENDER Extension memory corruption * CVE-2008-1379 - MIT-SHM arbitrary memory read * CVE-2008-1377 - RECORD and Security extensions memory corruption - xserver-mode-fuzzy-check.diff * Make mode checking more tolerant like in pre-RandR times. - fix-dpi-values.diff * fixes DPI values for RANDR 1.2 capable drivers (bnc #393001) - mention ZapWarning also in Xorg manual page (bnc #391352) - xorg-server-1.4-vnc-render_sig11.diff * fixed sig11 in RENDER code (bnc #385677) - disabled patch to disable RENDER support in Xvnc, since it broke 24bit color depth support (bnc #390011) - xorg-server-1.4-vnc-disable_render.diff * disabled RENDER support in Xvnc (bnc #385677) - events.diff * eating up key events before going into the idle loop upon vt switch instead of after return (bnc #152522) - xkb_action.diff * fixed remaining unitialized warning in X.Org (bnc #83910) - fbdevhw.diff * screen blanking not supported by vesafb of Linux kernel (bnc #146462) - no longer disable AIGLX by default - XAANoOffscreenPixmaps.diff * disable Offscreen Pixmaps by default (bnc #376068) - Fix another o-b-1 in pci domain support. - randr1_1-sig11.diff * fixes Xserver crash when running xrandr on a different virtual terminal (Egbert Eich, bnc #223459) - commit-37b1258.diff * possibly fixes unwanted autorepeat (bnc #377612, bfo #14811) - bitmap_always_unscaled.diff * Default bitmap fonts should typically be set as unscaled (libv) - update to Mesa bugfix release 7.0.3 (final) sources - update to Mesa bugfix release 7.0.3 RC3 sources - confine_to_shape.diff * fixes XGrabPointer's confine_to with shaped windows (bnc #62146) - zap_warning_xserver.diff * implements FATE #302988: ZapWarning (Luc Verhaegen) Uses PCSpeaker for beep. Press once, beep. Press again within 2s (which is ample), terminate. Documented in xorg.conf manpage. - make the memory corruption fix by schwab a seperate patch to make sure it won't get lost the next time I update the VNC patch - Fix vnc server memory corruption. - commit-a6a7fad.diff * Don't break grab and focus state for a window when redirecting it. (bnc #336219, bfo #488264) - update to Mesa bugfix release 7.0.3 RC2 sources * Fixed GLX indirect vertex array rendering bug (14197) * Fixed crash when deleting framebuffer objects (bugs 13507, 14293) * User-defined clip planes enabled for R300 (bug 9871) * Fixed glBindTexture() crash upon bad target (bug 14514) * Fixed potential crash in glDrawPixels(GL_DEPTH_COMPONENT) (bug 13915) * Bad strings given to glProgramStringARB() didn't generate GL_INVALID_OPERATION * Fixed minor point rasterization regression (bug 11016) - added Requires:xkeyboard-config to xorg-x11-server - commit-50e80c3.diff: * never overwrite realInputProc with enqueueInputProc (bnc#357989, bfo#13511) - only switch to radeon driver in %post if radeonold driver is no longer available (Bug #355009) - some more cleanup in %post - Move manpage to the sub package that provides the binary. - update to Mesa bugfix release 7.0.3 RC1 sources * Added missing glw.pc.in file to release tarball * Fix GLUT/Fortran issues * GLSL gl_FrontLightModelProduct.sceneColor variable wasn't defined * Fix crash upon GLSL variable array indexes (not yet supported) * Two-sided stencil test didn't work in software rendering * Fix two-sided lighting bugs/crashes (bug 13368) * GLSL gl_FrontFacing didn't work properly * glGetActiveUniform returned incorrect sizes (bug 13751) * Fix several bugs relating to uniforms and attributes in GLSL API (Bruce Merry, bug 13753) * glTexImage3D(GL_PROXY_TEXTURE_3D) mis-set teximage depth field - updated patch for CVE-2007-6429 once more (X.Org Bug #13520) * Always test for size+offset wrapping. - updated patch for CVE-2007-6429 (Bug #345131) * Don't spuriously reject <8bpp shm pixmaps. Move size validation after depth validation, and only validate size if the bpp of the pixmap format is > 8. If bpp < 8 then we're already protected from overflow by the width and height checks. - X.Org security update * CVE-2007-5760 - XFree86 Misc extension out of bounds array index * CVE-2007-6427 - Xinput extension memory corruption. * CVE-2007-6428 - TOG-cup extension memory corruption. * CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows. * CVE-2008-0006 - PCF Font parser buffer overflow. - xorg-server 1.4.0.90 (prerelease of 1.4.1) - pixman.diff * fixed include path for pixman.h - remove_bogus_modeline.diff * remove bogus monitor modelines provided by DDC (Bug #335540) - commit-184e571.diff * Adjust offsets of modes that do not fit virtual screen size. - commit-c6c284e.diff * Initialize Mode with 0 in xf86RandRModeConvert. - commit-f6401f9.diff * Don't segfault if referring to a relative output where no modes survived. - commit-f7dd0c7.diff * Only clear crtc of output if it is the one we're actually working on. - commit-fa19e84.diff * Fix initial placement of LeftOf and Above. - pixman.diff no longer required - s390(x): allow mfb build without Xorg server being built - commit-29e0e18.diff * Make config file preferred mode override monitor preferred mode. - commit-feac075.diff * Leave hardware-specified preferred modes alone when user preference exists. - obsoletes preferred_mode-fix.diff - added xorg-x11-fonts-core/xorg-x11 to Requires (Bug #341312) - ia64linuxPciInit: allocate extra space for fake devices. - updated to Mesa 7.0.2 (final) sources - updated to Mesa 7.0.2 RC1 sources - xorg-server-1.4-vnc-64bit.diff * fixes segfault on 64bit during Xserver start; make sure to define _XSERVER64 by having HAVE_DIX_CONFIG_H defined and therefore including dix-config.h, so Atom is CARD32 instead of unsigned long before and no longer messes up the pInfo structure in xf86rfbMouseInit/xf86rfbKeybInit - finally enabled build of xf4vnc (standalone Xvnc and VNC Xserver module) - updated xf4vnc patch; still disabled due to problematic vnc module - preferred_mode-fix.diff * more reasonable patch (Bug #329724) - preferred_mode-fix.diff * fixed endless loop if PreferredMode is set (Bug #329724) - removed obsolete patch p_pci-domain.diff (Bug #308693, comment #26) - apply p_pci-off-by-one.diff.ia64 on all platforms since it clearly only affects platforms, where INCLUDE_XF86_NO_DOMAIN is *not* set; this still not explains why we have seen Xserver hangups with the patch in place on at least some %ix86/x86_64 machines with fglrx/ nvidia driver IIRC; it needs to verified if this problem is still reproducable ... (Bug #308693, comment #25) - xserver-1.3.0-xkb-and-loathing.patch * Ignore (not just block) SIGALRM around calls to Popen()/Pclose(). Fixes a hang in openoffice when opening menus. (Bug #245711) - added missing ia64Pci.h; required for IA64 - recreated p_pci-off-by-one.diff.ia64; the default fuzz factor of patch (2) resulted in a hunk applied to the wrong function and therefore broke the build :-( - xorg-server 1.4 * Welcome to X.Org X Server 1.4, now with hotplugging input to go with the hotplugging output. Also included in this release are many performance and correctness fixes to the EXA acceleration architecture, support for DTrace profiling of the X Server, accelerated GLX_EXT_texture_from_pixmap with supporting DRI drivers, and many improvements to the RandR 1.2 support that was added in xorg-server-1.3. The X Server now relies on the pixman library, which replaces the fb/fbcompose.c and accelerated implementations that were previously shared through code-duplication with the cairo project. * obsolete patches: - bug-259290_trapfault.diff - cfb8-undefined.diff - commit-c09e68c - i810_dri_fix_freeze.diff - p_bug159532.diff - p_enable-altrix.diff - p_pci-ce-x.diff - p_pci-off-by-one.diff - p_xorg_rom_read.diff - randr12-2926cf1da7e4ed63573bfaecdd7e19beb3057d9b.diff - randr12-5b424b562eee863b11571de4cd0019cd9bc5b379.diff - randr12-aec0d06469a2fa7440fdd5ee03dc256a68704e77.diff - randr12-b2dcfbca2441ca8c561f86a78a76ab59ecbb40e4.diff - randr12-b4193a2eee80895c5641e77488df0e72a73a3d99.diff - remove__GLinterface.patch - support_mesa6.5.3.patch - use-composite-for-unequal-depths.patch - x86emu.diff - xephyr-sig11-fix.diff * adjusted patches: - 64bit.diff - bug-197858_dpms.diff - bug227111-ddc_screensize.diff - disable-root-xorg_conf.diff - fpic.diff - glx-align.patch - libdrm.diff - p_bug96328.diff - p_ia64-console.diff - p_vga-crashfix.diff - xephyr.diff - pixman.diff: * search for pixman instead of pixman-1 - bumped version to 7.3 - remove wrongly prebuilt xf1bpp files after extracting tarball; fixes vga module loading (Bug #328201) - do not use "make -j" to (quick)fix xf1bpp build - do not apply p_pci-domain.diff on IA64 - use updated off-by-one patch by schwab for IA64 - edit_data_sanity_check.diff: * added sanity check for monitor EDID data (Bug #326454) - reverted changes by schwab on Fri Sep 7; these resulted i a black screen during Xserver start with any driver on non-IA64 platforms - use-composite-for-unequal-depths.patch: * Use Composite when depths don't match (Bug #309107, X.Org Bug [#7447]) - Update off-by-one patch. - Remove empty patch. - fbdevhw.diff: * ignore pixclock set to 0 by Xen kernel (Bug #285523) - added several RANDR 1.2 fixes (Bug #306699) * randr12-2926cf1da7e4ed63573bfaecdd7e19beb3057d9b.diff Allocate the right number of entries for saving crtcs * randr12-5b424b562eee863b11571de4cd0019cd9bc5b379.diff Set the crtc before the output change is notified. Set the new randr crtc of the output before the output change notification is delivered to the clients. Remove RROutputSetCrtc as it is not really necessary. All we have to do is set the output's crtc on RRCrtcNotify * randr12-8d230319040f0a7f72231da2bf5ec97dc3612e21.diff Fix the output->crtc initialization in the old randr setup * randr12-aec0d06469a2fa7440fdd5ee03dc256a68704e77.diff Fix a crash when rotating the screen. Remember output->crtc before setting a NULL mode because RRCrtcNotify now sets output->crtc to NULL. Use the saved crtc to set the new mode. * randr12-b2dcfbca2441ca8c561f86a78a76ab59ecbb40e4.diff RRScanOldConfig cannot use RRFirstOutput before output is configured. RRFirstOutput returns the first active output, which won't be set until after RRScanOldConfig is finished running. Instead, just use the first output (which is the only output present with an old driver, after all). * randr12-b4193a2eee80895c5641e77488df0e72a73a3d99.diff RRScanOldConfig wasn't getting crtcs set correctly. The output crtc is set by RRCrtcNotify, which is called at the end of RRScanOldConfig. Several uses of output->crtc in this function were wrong. - i810_dri_fix_freeze.diff: * fixes freeze after pressing Ctrl-Alt-BS (X.Org Bug #10809) - xserver-mode-fuzzy-check.diff: * Fix for Xserver being more fuzzy about mode validation (Bug #270846) - disable AIGLX by default; without enabled Composite extension (still problematic on many drivers) it's rather useless anyway - updated xorg.conf manual page - fix fileconflict over doc/MAINTAINERS - build parallel - updated Mesa source to bugfix release 7.0.1 - xephyr-sig11-fix.diff: * long vs. CARD32 mismatch in KeySym definitions between client and server code - this patch seems to fix it (and the input rework in head fixed it as well in a different way) (Bug #235320) - fixed build on s390(x) - added X(7) and security(7) manual pages - updated Mesa source to final release 7.0 - updated Mesa source to release 7.0 RC1 * Mesa 7.0 is a stable, follow-on release to Mesa 6.5.3. The only difference is bug fixes. The major version number bump is due to OpenGL 2.1 API support. - simplified p_default-module-path.diff - disabled build of Xprt - moved Xdmx, Xephyr, Xnest and Xvfb to new subpackage xorg-x11-server-extra - commit-c09e68c: * Paper over a crash at exit during GLX teardown - updated to Mesa 6.5.3 sources - obsoletes the following patches: * bug-211314_mesa-destroy_buffers.diff * bug-211314_mesa-framebuffer-counting.diff * bug-211314-patch-1.diff * bug-211314-patch-2.diff * bug-211314-patch-3.diff * bug-211314-patch-4.diff * bug-211314-patch-5.diff * bug-211314-patch-6.diff * bug-211314-patch-7.diff * bug-211314-patch-8.diff * bug-211314-patch-9.diff * bug-211314-patch-10.diff * bug-211314-patch-11.diff * bug-211314_mesa-refcount-memleak-fixes.diff * Mesa-6.5.2-fix_radeon_cliprect.diff - remove__GLinterface.patch/ support_mesa6.5.3.patch * required Xserver changes for Mesa 6.5.3 - xorg-x11-server-1.2.99-unbreak-domain.patch: * This patch fixes some multi-domain systems such as Pegasos with xorg-server 1.3. Since pci-rework should get merged soon and this patch is a bit of a hack, it never got pushed upstream. (X.Org Bug #7248) - back to Mesa 6.5.2 (Bug #269155/269042) - Mesa update: 4th RC ready * This fixes some breakage in RC3. - Mesa update: 3rd release candidate * updated Windows/VC8 project files. - updated to Mesa 6.5.3rc2 sources * a number of bug fixes since the first RC - updated to Mesa 6.5.3rc1 sources - obsoletes the following patches: * bug-211314_mesa-destroy_buffers.diff * bug-211314_mesa-framebuffer-counting.diff * bug-211314-patch-1.diff * bug-211314-patch-2.diff * bug-211314-patch-3.diff * bug-211314-patch-4.diff * bug-211314-patch-5.diff * bug-211314-patch-6.diff * bug-211314-patch-7.diff * bug-211314-patch-8.diff * bug-211314-patch-9.diff * bug-211314-patch-10.diff * bug-211314-patch-11.diff * bug-211314_mesa-refcount-memleak-fixes.diff * Mesa-6.5.2-fix_radeon_cliprect.diff - GL-Mesa-6.5.3.diff: * adjusted GL subdir to Mesa 6.5.3rc1 - xserver 1.3.0.0 release * Syncmaster 226 monitor needs 60Hz refresh (#10545). * In AIGLX EnterVT processing, invoke driver EnterVT before resuming glx. * Disable CRTC when SetSingleMode has no matching mode. Update RandR as well. * Rotate screen size as needed from RandR 1.1 change requests. * Add quirk for Acer AL1706 monitor to force 60hz refresh. * RandR 1.2 spec says CRTC info contains screen-relative geometry * typo in built-in module log message * Use default screen monitor for one of the outputs. * Allow outputs to be explicitly enabled in config, overriding detect. * Was accidentally disabling rotation updates in mode set. * Disable SourceValidate in rotation to capture cursor. - Mesa-6.5.2-fix_radeon_cliprect.diff: * fixes X.Org Bug #9876 - bug-259290_trapfault.diff: * fixes crash caused by bug in XRender code (Bug #259290) - xserver 1.2.99.905 release: * CVE-2007-1003: XC-MISC Extension ProcXCMiscGetXIDList() Memory Corruption * X.Org Bug #10296: Fix timer rescheduling - obsoletes bug-243978_xcmisc.diff - xserver 1.2.99.904 release: * Don't erase current crtc for outputs on CloseScreen - bug-243978_xcmisc.diff: * mem corruption in ProcXCMiscGetXIDList (CVE-2007-1003, Bug #243978) - bug-211314_mesa-refcount-memleak-fixes.diff: * Fix for memleaks and refount bugs (Bug #211314) - p_default-module-path.diff: * only return /usr/%lib/xorg/modules in "-showDefaultModulePath" Xserver option (Bug #257360) - set Xserver version to 7.2.0 with configure option (Bugs #257360, #253702) - xserver 1.2.99.903 release: * Create driver-independent CRTC-based cursor layer. * Allow xf86_reload_cursors during server init. * Don't wedge when rotating more than one CRTC. * Correct ref counting of RRMode structures * Remove extra (and wrong) I2C ByteTimeout setting in DDC code. * Slow down DDC I2C bus using a RiseFallTime of 20us for old monitors. * Clean up Rotate state on server reset. * Clear allocated RandR screen private structure. * Clean up xf86CrtcRec and xf86OutputRec objects at CloseScreen. * Make sure RandR events are delivered from RRCrtcSet. * Fix Pending property API, adding RRPostPendingProperty. * Incorrect extra memory copy in RRChangeOutputProperty. * Ensure that crtc desired values track most recent mode. * Make pending properties force mode set. And, remove AttachScreen calls. * Set version to 1.2.99.903 (1.3 RC3) * fbdevhw: Consolidate modeset ioctl calling, report failure if it modifies mode. * fbdevhw: Fix some issues with the previous commit. * fbdevhw: Use displayWidth for fbdev virtual width when appropriate. * fbdevhw: Override RGB offsets and masks after setting initial mode. * fbdevhw: Consider mode set equal to mode requested if virtual width is larger. * fbdevhw: Only deal with RGB weight if default visual is True- or DirectColor. * Add per-drawable Xv colour key helper function. * Bump video driver ABI version to 1.2. - no longer apply bug-211314_mesa-context.diff, bug-211314_p_drawable_privclean.diff (Bug #211314, comment #114) - added different Mesa patches (Bug #211314, comments #114/#115) - Remove bug197190-ia64.diff, fix x86emu instead. - xserver 1.2.99.902 release: * Xprint: shorten font filename to fit in tar length limit * Move xf86SetSingleMode into X server from intel driver. * Add xf86SetDesiredModes to apply desired modes to crtcs. * Use EDID data to set screen physical size at server startup. * Allow relative positions to use output names or monitor identifiers. * Add xf86CrtcScreenInit to share initialization across drivers. * Add hw/xfree86/docs/README.modes, documenting new mode setting APIs. * Remove stale monitor data when output becomes disconnected. * Revert "Xprint includes a filename which is too long for tar." * Revert "Xext: Update device's lastx/lasty when sending a motion event with XTest." * Xext: Update device's lastx/lasty when sending a motion event with XTest. - xf86crtc_allowdual.diff no longer required; replaced by xrandr_12_newmode.diff in xrandr (xorg-x11 package) - bug197190-ia64.diff: * missing -DNO_LONG_LONG for IA64 (Bug #197190) - xf86crtc_allowdual.diff: * allows dualhead even when the second monitor is not yet connected during Xserver start - %post: replace "i810beta" with "intel" in existing xorg.conf - xserver 1.2.99.901 release: * RandR 1.2 * EXA damage track * minor fixes - use global permissions files for SUSE > 10.1 (Bug #246228) - improved bug-197858_dpms.diff to fix Xserver crash (Bug #197858) - bug-197858_dpms.diff: * finally fixed "X server wakes up on any ACPI event" issue (Bug #197858) - bug-211314_p_drawable_privclean.diff: * fixed for cleaning up pointers - fixed build - bug-211314_p_drawable_privclean.diff: * fixes Xserver crash in Mesa software rendering path (Bug #211314) - xserver 1.2.0 release * Bug #9219: Return BadMatch when trying to name the backing pixmap of an unrealized window. * Bug #9219: Use pWin->viewable instead of pWin->realized to catch InputOnly windows too. * Fix BSF and BSR instructions in the x86 emulator. * Bug #9555: Always define _GNU_SOURCE in glibc environments. * Bug #8991: Add glXGetDrawableAttributes dispatch; fix texture format therein. * Bump video and input ABI minors. * Fix release date. * Fix syntax error in configure check for SYSV_IPC that broke with Sun cc * Map missing keycodes for Sun Type 5 keyboard on Solaris SPARC * Update pci.ids to 2006-12-06 from pciids.sf.net * Xorg & Xserver man page updates for 1.2 release * xorg.conf man page should say "XFree86-DGA", not "Xorg-DGA" * Xserver man page: remove bc, add -wr * Update pci.ids to 2007-01-18 snapshot * Update Xserver man page to match commit ed33c7c98ad0c542e9e2dd6caa3f84879c21dd61 * Fix Tooltip from minimized clients * Fix Xming fails to use xkb bug * Fix bad commit * Set Int10Current->Tag for the linux native int10 module * added mipmap.c * configure.ac: prepare for 1.2.0 (X11R7.2) * sparc: don't include asm/kbio.h -- it no longer exists in current headers. * Minor typos in Xserver man page. * Fix several cases where optimized paths were hit when they shouldn't be. * Try dlsym(RTLD_DEFAULT) first when finding symbols. * Fix RENDER issues (bug #7555) and implement RENDER add/remove screen * For Xvfb, Xnest and Xprt, compile fbcmap.c with -DXFree86Server * Multiple integer overflows in dbe and render extensions * Require glproto >= 1.4.8 for GLX. * __glXDRIscreenProbe: Use drmOpen/CloseOnce. * xfree86/hurd: re-add missing keyboard support (bug #5613) * remove last remaning 'linux'isms (bug #5613) - obsoletes * Mesa-6.5.2.diff * xorg-server-1.1.99.901-GetDrawableAttributes.patch * int10-fix.diff * cve-2006-6101_6102_6103.diff - disabled build of VNC server/module - bug-211314_mesa-context.diff: * fixes Xserver crash in software rendering fallback (Bug #211314) - 0018-vnc-support.txt.diff * fixed unresolved symbols vncRandomBytes/deskey in VNC module (terminated Xserver when client connected) - bug227111-ddc_screensize.diff: * allow user overrides for monitor settings (Bug #227111) - loadmod-bug197195.diff: * check the complete path (Bug #197195) - added build of VNC support (0018-vnc-support.txt/ 0018-vnc-support.txt.diff); see 0018-vnc-support.txt.mbox for reference - cve-2006-6101_6102_6103.diff: * CVE-2006-6101 iDefense X.org ProcRenderAddGlyphs (Bug #225972) * CVE-2006-6102 iDefense X.org ProcDbeGetVisualInfo (Bug #225974) * CVE-2006-6103 iDefense X.org ProcDbeSwapBuffers (Bug #225975) - int10-fix.diff * Set Int10Current->Tag for the linux native int10 module (X.Org Bug #9296) * obsoletes p_initialize-pci-tag.diff - reverted latest change by schwab (Bug #197190, comment #67) - Fix off-by-one in pci multi-domain support [#229278]. - libdrm.diff: * no longer fail when some driver tries to load "drm" module - xorg-server-1.1.99.901-GetDrawableAttributes.patch: * hopefully fixes AIGLX issues (X.Org Bug #8991) - another 64bit warning fix - X.Org 7.2RC3 release * Add a -showDefaultModulePath option. * Add a -showDefaultLibPath option. * Add DIX_CFLAGS to util builds. * Fix release date, and tag 1.1.99.903 * make X server use system libdrm - this requires libdrm >= 2.3.0 * DRI: call drmSetServerInfo() before drmOpen(). * add extern to struct definition * fixup configure.ac problems with DRI_SOURCES and LBX_SOURCES * bump to 1.1.99.903 * remove CID support (bug #5553) * dri: setup libdrm hooks as early as possible. * Bug #8868: Remove drm from SUBDIRS now that the directory is gone. * Fix typo before the last commit. * Fix GL context destruction with AIGLX. * On DragonFLy, default to /dev/sysmouse (just like on FreeBSD). * ffs: handle 0 argument (bug #8968) * Bug #9023: Only check mice for "mouse" or "void" if identifier is != NULL. Fix potential NULL pointer access in timer code. - updated Mesa sources to 6.5.2 - xserver-timers.diff: * fix null pointer reference in timer code (Bug #223718) - p_pci-off-by-one.diff: * readded off by one fix, which has been dropped by accident (Bug #197190) - acpi_events.diff: * distinguish between general and input devices also for APM (Bug #197858) - removed /etc/X11/Xsession.d/92xprint-xpserverlist (Bug #220733) - mouse-fix.diff: * prevent driver from crashing when something different than "mouse" or "void" is specified; only check mice for "mouse" or "void" if identifier is != NULL. (X.Org Bug #9023) - X.Org 7.2RC2 release - adjusted p_enable-altrix.diff, p_pci-domain.diff - obsoletes p_pci-ia64.diff, xorg-xserver-ia64-int10.diff p_pci-legacy-mmap.diff - Changes in RC2 since RC1 Aaron Plattner: Fix standard VESA modes. Adam Jackson: Bug #6786: Use separate defines for server's Fixes support level. 'make dist' fixes. Fix distcheck. Include a forgotten ia64 header in the distball. Builds on ia64 now. configure.ac bump. Alan Coopersmith: Make sure xorgcfg files are included even when dist made with --disable-xorgcfg Use getisax() instead of asm code to determine available x86 ISA extensions on Solaris Pre-release message should tell users to check git, not CVS, for updates Fix automake error: BUILT_SOURCES was defined multiple times on Solaris Bug #1997: AUDIT messages should contain uid for local accesses If getpeerucred() is available, include pid & zoneid in audit messages too Make _POSIX_C_SOURCE hack work with Solaris headers Alan Hourihane: Small modification to blocking signals when switching modes. Bjorn Helgaas: Do not map full 0-1MB legacy range Bram Verweij: xfree86/linux acpi: fix tokenising Daniel Stone: GetTimeInMillis: spuport monotonic clock WaitForSomething: allow time to rewind Revert "WaitForSomething: allow time to rewind" Revert "GetTimeInMillis: spuport monotonic clock" add 'general socket' handler, port ACPI to use it WaitForSomething: allow time to rewind WaitForSomething: only rewind when delta is more than 250ms GetTimeInMillis: spuport monotonic clock GetTimeInMillis: simplify monotonic test GetTimeInMillis: use correct units for clock_gettime os: fix sun extensions test Eamon Walsh: Bug #8875: Security extension causes Xorg to core dump on server reset whitespace adjust More work on Bug #8875: revert previous fix and try using client argument Bug #8937: Extension setup functions not called on server resets Egbert Eich: Fixing mach64 driver bailing out on ia64 Make int10 fully domain aware. Erik Andren: remove XFree86 changelogs (bug #7262) Joshua Baergen: Create xorg.conf.example (Gentoo bug #138623). Laurence Withers: CreateColormap: fix return value (bug #7083) Matthias Hopf: Build with -D_PC on ix86 only. Added missing domain stripping in already domain aware code. Added linux 2.6 compatible domain aware device scanning code. Fixing domain support for ia64 Add domain support to linuxPciOpenFile(). Fix device path in altixPCI.c to be domain aware. Fix obviously wrong boundary checks + cleanup unused vars. Matthieu Herrb: kill GNU-make'ism. Handle building in a separate objdir Michel Dänzer: Fix __glXDRIbindTexImage() for 32 bpp on big endian platforms. Fix test for Option "IgnoreABI". Myron Stowe: xfree86: re-enable chipset-specific drivers for Linux/ia64 Rich Coe: CheckConnections: don't close down the server client (bug #7876) - p_ppc_domain_workaround.diff: * ugly workaround for still missing domain support on ppc (Bug #202133) - updated to snapshot of xserver-1.2-branch (soon to be released as X.Org 7.2RC2) * Make sure xorgcfg files are included even when dist made with --disable-xorgcfg * Small modification to blocking signals when switching modes. * Use getisax() instead of asm code to determine available x86 ISA extensions on Solaris * Pre-release message should tell users to check git, not CVS, for updates * Fix __glXDRIbindTexImage() for 32 bpp on big endian platforms. * Create xorg.conf.example (Gentoo bug #138623). * Fix test for Option "IgnoreABI". This option has plenty of potential for wasting the time of bug triagers without pretending it's always on. * kill GNU-make'ism. * Handle building in a separate objdir * Fix automake error: BUILT_SOURCES was defined multiple times on Solaris * Bug #1997: AUDIT messages should contain uid for local accesses * If getpeerucred() is available, include pid & zoneid in audit messages too - added /etc/modprobe.d/nvidia - xorg-xserver-ia64-int10.diff: * build int10 module with _PC only on %ix86 (Bug #197190) - added build of Xephyr; useful for debugging KDE apps (coolo) - cfb8-undefined.diff: * fixes warning for undefined behaviour - Own /etc/X11/Xsession.d directory. - Use /etc/X11/Xsession.d. - updated to X.Org 7.2RC1 - only disable AIGLX by default on SUSE <= 10.1 (Bug #197093) - no longer fake release version for fglrx driver (Bug #198125) - glx-align.patch: * reenabled -D__GLX_ALIGN64 on affected plaforms (X.Org Bug #8392) - Fixes to p_pci-domain.diff (Bug #197572) * internal domain number of by one (was supposed to be a cleanup, but other code dependet on this semantics) * fixed another long-standing of-by-1 error - p_enable-altrix.diff (Bug #197572) * This additional patch enables the build of the altrix detection routines, which have apparently not been included in Xorg 7.1 yet. This patch needs a autoreconf -fi after application. - updated to Mesa 6.5.1 - disable-fbblt-opt.diff: * Disable optimization (introduced by ajax) due to a general vesa driver crash later in memcpy (Bug #204324) - removed two source files with imcompatible license from Mesa tarball (Bug #204110) - added a check to specfile to make sure that these will not be reintroduced with the next Mesa update again (Bug #204110) - moved xf86Parser.h,xf86Optrec.h back to /usr/include/xorg, since SaX2 build issues have finally been resolved by making use of "-iquote /usr/include/xorg -I." - disable-root-xorg_conf.diff: * no longer consider to read /root/xorg.conf - only require xorg-x11-fonts-core ('fixed' + 'cursor' fonts) - fake release version for fglrx driver again, since using IgnoreABI does not help (the check for the ABI version is in the binary-only fglrx driver) - added Requires: xorg-x11-driver-{input,video} (Bug #202080) - ignore-abi.diff: * adds IgnoreABI option for xorg.conf (same as -ignoreABI) - remove .la files - no longer fake release version for fglrx driver; use the new IgnoreABI option instead! - PCI/IA64 Patches (Bug #197572): * apply new p_pci-domain.diff (mhopf) * apply new p_pci-ce-x.diff (mhopf) - PCI/IA64 Patches (Bug #197572): * removed p_mappciBIOS_complete.diff (already applied upstream) * apply p_pci-ia64.diff * apply p_pci-legacy-mmap.diff only for IA64 (as before) * disabled for now: - p_pci-domain.diff: still issues with it - p_pci-ce-x.diff: sits on top of p_pci-domain.diff - added PCI/IA64 patches, but disabled them for now (Bug #197572) - remove comp. symlinks in /usr/X11R6/bin for openSUSE >= 10.2 - fixed build for s390/s390x, e.g. use configure options --disable-install-libxf86config --disable-aiglx --disable-dri --disable-xorg - changed os-name to "openSUSE" instead of "Linux" before - fake release version for fglrx driver :-( - xinerama-sig11.diff: * prevents Xserver Sig11 with broken Xinerama config (Bug #135002) - moved /usr/%_lib/pkgconfig/xorg-server.pc to xorg-x11-server - added pkgconfig to Requires of xorg-x11-server - disable-aiglx.diff: * disabled AIGLX by default (related to Bug #197093); enable it with 'Option "AIGLX" "true"' in ServerFlags section of xorg.conf - enabled build of aiglx - patch font path also in xorg.conf when set to /usr/lib/X11/fonts/ or /usr/X11/lib/X11/fonts - patch xorg.conf in %post: * radeonold/radeon10b driver --> radeon driver - added "Requires: xorg-x11-fonts" to prevent issues like "could not open default font 'fixed'" for any Xserver - make sure that symlinks /usr/bin/X --> /var/X11R6/bin/X /var/X11R6/bin/X --> /usr/bin/Xorg are packaged. - p_xorg_acpi.diff: * fixed for archs which don't have HAVE_ACPI defined, e.g. ppc - p_xf86Mode.diff: * removes wrong warning (Bug #139510) - p_xorg_acpi.diff: * reconnect to acpid when acpid has been killed (Bug #148384) - p_xkills_wrong_client.diff: * This patch has unveiled two other problems. One is rather serious as there seems to be a non-zero possibility that the Xserver closes the wrong connection and this closes the wrong client when it looks for stale sockets of clients that have disappeared (eich, Bug #150869) - p_bug159532.diff: * X Clients can intentionally or unintenionally crash X11 by using composite on depth 4 pixmaps. This patch fixes this. (Bug #159532) - p_xnest-ignore-getimage-errors.diff: * ignores the X error on GetImage in Xnest (Bug #174228, X.Org Bug #4411) - p_initialize-pci-tag.diff: * initialize PCI tag correctly, which is used by an IA64 specific patch (see Bug #147261 for details); fixes Xserver crashes with fglrx driver - and possibly other drivers like vesa - during initial startup (!), VT switch and startup of second Xserver (SLED10 Blocker Bugs #180535, #170991, #158806) - p_ia64-console.diff: * fixes MCA after start of second Xserver (Bug #177011) - p_mouse_misc.diff: * fix X server crashes with synaptics driver (Bug #61702) - pu_fixes.diff * Fixes not yet in the official version - p_bug96328.diff: * fallback mouse device checking - p_vga-crashfix.diff: * fixes vga driver crash (#133989) - p_xorg_rom_read.diff * read rom in big chunks instead of byte-at-a-time (Bug #140811) - ps_showopts.diff * Xserver "-showopts" option to print available driver options (Bug #137374) - add /var/X11R6/bin directory for now (Bug #197188) - fix setup line - fixed fatal compiler warnings - always (and only) patch xorg.conf if necessary - update to xorg-server release 1.1.99.3 - use "-fno-strict-aliasing" - use $RPM_OPT_FLAGS - remove existing /usr/include/X11 symlink in %pre - install xf86Parser.h,xf86Optrec.h to /usr/include instead of /usr/include/xorg, so it is no longer necessary to specify "-I/usr/include/xorg" which resulted in including a wrong "shadow.h" (by X.Org) when building SaX2 (strange build error) - added permissions files - add compatibility symlink /usr/X11R6/bin/Xorg - p_ValidatePci.diff: * no longer call ValidatePci() to fix i810 driver issues (Bug #191987) - fixed build - bfo-bug15222.diff (bfo #15222, bnc #374318) * CVE-2008-2360 - RENDER Extension heap buffer overflow * CVE-2008-2361 - RENDER Extension crash * CVE-2008-2362 - RENDER Extension memory corruption * CVE-2008-1379 - MIT-SHM arbitrary memory read * CVE-2008-1377 - RECORD and Security extensions memory corruption - xserver-mode-fuzzy-check.diff * Make mode checking more tolerant like in pre-RandR times. - fix-dpi-values.diff * fixes DPI values for RANDR 1.2 capable drivers (bnc #393001) - mention ZapWarning also in Xorg manual page (bnc #391352) - xorg-server-1.4-vnc-render_sig11.diff * fixed sig11 in RENDER code (bnc #385677) - disabled patch to disable RENDER support in Xvnc, since it broke 24bit color depth support (bnc #390011) - xorg-server-1.4-vnc-disable_render.diff * disabled RENDER support in Xvnc (bnc #385677) - events.diff * eating up key events before going into the idle loop upon vt switch instead of after return (bnc #152522) - xkb_action.diff * fixed remaining unitialized warning in X.Org (bnc #83910) - fbdevhw.diff * screen blanking not supported by vesafb of Linux kernel (bnc #146462) - no longer disable AIGLX by default - XAANoOffscreenPixmaps.diff * disable Offscreen Pixmaps by default (bnc #376068) - Fix another o-b-1 in pci domain support. - randr1_1-sig11.diff * fixes Xserver crash when running xrandr on a different virtual terminal (Egbert Eich, bnc #223459) - commit-37b1258.diff * possibly fixes unwanted autorepeat (bnc #377612, bfo #14811) - bitmap_always_unscaled.diff * Default bitmap fonts should typically be set as unscaled (libv) - update to Mesa bugfix release 7.0.3 (final) sources - update to Mesa bugfix release 7.0.3 RC3 sources - confine_to_shape.diff * fixes XGrabPointer's confine_to with shaped windows (bnc #62146) - zap_warning_xserver.diff * implements FATE #302988: ZapWarning (Luc Verhaegen) Uses PCSpeaker for beep. Press once, beep. Press again within 2s (which is ample), terminate. Documented in xorg.conf manpage. - make the memory corruption fix by schwab a seperate patch to make sure it won't get lost the next time I update the VNC patch - Fix vnc server memory corruption. - commit-a6a7fad.diff * Don't break grab and focus state for a window when redirecting it. (bnc #336219, bfo #488264) - update to Mesa bugfix release 7.0.3 RC2 sources * Fixed GLX indirect vertex array rendering bug (14197) * Fixed crash when deleting framebuffer objects (bugs 13507, 14293) * User-defined clip planes enabled for R300 (bug 9871) * Fixed glBindTexture() crash upon bad target (bug 14514) * Fixed potential crash in glDrawPixels(GL_DEPTH_COMPONENT) (bug 13915) * Bad strings given to glProgramStringARB() didn't generate GL_INVALID_OPERATION * Fixed minor point rasterization regression (bug 11016) - added Requires:xkeyboard-config to xorg-x11-server - commit-50e80c3.diff: * never overwrite realInputProc with enqueueInputProc (bnc#357989, bfo#13511) - only switch to radeon driver in %post if radeonold driver is no longer available (Bug #355009) - some more cleanup in %post - Move manpage to the sub package that provides the binary. - update to Mesa bugfix release 7.0.3 RC1 sources * Added missing glw.pc.in file to release tarball * Fix GLUT/Fortran issues * GLSL gl_FrontLightModelProduct.sceneColor variable wasn't defined * Fix crash upon GLSL variable array indexes (not yet supported) * Two-sided stencil test didn't work in software rendering * Fix two-sided lighting bugs/crashes (bug 13368) * GLSL gl_FrontFacing didn't work properly * glGetActiveUniform returned incorrect sizes (bug 13751) * Fix several bugs relating to uniforms and attributes in GLSL API (Bruce Merry, bug 13753) * glTexImage3D(GL_PROXY_TEXTURE_3D) mis-set teximage depth field - updated patch for CVE-2007-6429 once more (X.Org Bug #13520) * Always test for size+offset wrapping. - updated patch for CVE-2007-6429 (Bug #345131) * Don't spuriously reject <8bpp shm pixmaps. Move size validation after depth validation, and only validate size if the bpp of the pixmap format is > 8. If bpp < 8 then we're already protected from overflow by the width and height checks. - X.Org security update * CVE-2007-5760 - XFree86 Misc extension out of bounds array index * CVE-2007-6427 - Xinput extension memory corruption. * CVE-2007-6428 - TOG-cup extension memory corruption. * CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows. * CVE-2008-0006 - PCF Font parser buffer overflow. - xorg-server 1.4.0.90 (prerelease of 1.4.1) - pixman.diff * fixed include path for pixman.h - remove_bogus_modeline.diff * remove bogus monitor modelines provided by DDC (Bug #335540) - commit-184e571.diff * Adjust offsets of modes that do not fit virtual screen size. - commit-c6c284e.diff * Initialize Mode with 0 in xf86RandRModeConvert. - commit-f6401f9.diff * Don't segfault if referring to a relative output where no modes survived. - commit-f7dd0c7.diff * Only clear crtc of output if it is the one we're actually working on. - commit-fa19e84.diff * Fix initial placement of LeftOf and Above. - pixman.diff no longer required - s390(x): allow mfb build without Xorg server being built - commit-29e0e18.diff * Make config file preferred mode override monitor preferred mode. - commit-feac075.diff * Leave hardware-specified preferred modes alone when user preference exists. - obsoletes preferred_mode-fix.diff - added xorg-x11-fonts-core/xorg-x11 to Requires (Bug #341312) - ia64linuxPciInit: allocate extra space for fake devices. - updated to Mesa 7.0.2 (final) sources - updated to Mesa 7.0.2 RC1 sources - xorg-server-1.4-vnc-64bit.diff * fixes segfault on 64bit during Xserver start; make sure to define _XSERVER64 by having HAVE_DIX_CONFIG_H defined and therefore including dix-config.h, so Atom is CARD32 instead of unsigned long before and no longer messes up the pInfo structure in xf86rfbMouseInit/xf86rfbKeybInit - finally enabled build of xf4vnc (standalone Xvnc and VNC Xserver module) - updated xf4vnc patch; still disabled due to problematic vnc module - preferred_mode-fix.diff * more reasonable patch (Bug #329724) - preferred_mode-fix.diff * fixed endless loop if PreferredMode is set (Bug #329724) - removed obsolete patch p_pci-domain.diff (Bug #308693, comment #26) - apply p_pci-off-by-one.diff.ia64 on all platforms since it clearly only affects platforms, where INCLUDE_XF86_NO_DOMAIN is *not* set; this still not explains why we have seen Xserver hangups with the patch in place on at least some %ix86/x86_64 machines with fglrx/ nvidia driver IIRC; it needs to verified if this problem is still reproducable ... (Bug #308693, comment #25) - xserver-1.3.0-xkb-and-loathing.patch * Ignore (not just block) SIGALRM around calls to Popen()/Pclose(). Fixes a hang in openoffice when opening menus. (Bug #245711) - added missing ia64Pci.h; required for IA64 - recreated p_pci-off-by-one.diff.ia64; the default fuzz factor of patch (2) resulted in a hunk applied to the wrong function and therefore broke the build :-( - xorg-server 1.4 * Welcome to X.Org X Server 1.4, now with hotplugging input to go with the hotplugging output. Also included in this release are many performance and correctness fixes to the EXA acceleration architecture, support for DTrace profiling of the X Server, accelerated GLX_EXT_texture_from_pixmap with supporting DRI drivers, and many improvements to the RandR 1.2 support that was added in xorg-server-1.3. The X Server now relies on the pixman library, which replaces the fb/fbcompose.c and accelerated implementations that were previously shared through code-duplication with the cairo project. * obsolete patches: - bug-259290_trapfault.diff - cfb8-undefined.diff - commit-c09e68c - i810_dri_fix_freeze.diff - p_bug159532.diff - p_enable-altrix.diff - p_pci-ce-x.diff - p_pci-off-by-one.diff - p_xorg_rom_read.diff - randr12-2926cf1da7e4ed63573bfaecdd7e19beb3057d9b.diff - randr12-5b424b562eee863b11571de4cd0019cd9bc5b379.diff - randr12-aec0d06469a2fa7440fdd5ee03dc256a68704e77.diff - randr12-b2dcfbca2441ca8c561f86a78a76ab59ecbb40e4.diff - randr12-b4193a2eee80895c5641e77488df0e72a73a3d99.diff - remove__GLinterface.patch - support_mesa6.5.3.patch - use-composite-for-unequal-depths.patch - x86emu.diff - xephyr-sig11-fix.diff * adjusted patches: - 64bit.diff - bug-197858_dpms.diff - bug227111-ddc_screensize.diff - disable-root-xorg_conf.diff - fpic.diff - glx-align.patch - libdrm.diff - p_bug96328.diff - p_ia64-console.diff - p_vga-crashfix.diff - xephyr.diff - pixman.diff: * search for pixman instead of pixman-1 - bumped version to 7.3 - remove wrongly prebuilt xf1bpp files after extracting tarball; fixes vga module loading (Bug #328201) - do not use "make -j" to (quick)fix xf1bpp build - do not apply p_pci-domain.diff on IA64 - use updated off-by-one patch by schwab for IA64 - edit_data_sanity_check.diff: * added sanity check for monitor EDID data (Bug #326454) - reverted changes by schwab on Fri Sep 7; these resulted i a black screen during Xserver start with any driver on non-IA64 platforms - use-composite-for-unequal-depths.patch: * Use Composite when depths don't match (Bug #309107, X.Org Bug [#7447]) - Update off-by-one patch. - Remove empty patch. - fbdevhw.diff: * ignore pixclock set to 0 by Xen kernel (Bug #285523) - added several RANDR 1.2 fixes (Bug #306699) * randr12-2926cf1da7e4ed63573bfaecdd7e19beb3057d9b.diff Allocate the right number of entries for saving crtcs * randr12-5b424b562eee863b11571de4cd0019cd9bc5b379.diff Set the crtc before the output change is notified. Set the new randr crtc of the output before the output change notification is delivered to the clients. Remove RROutputSetCrtc as it is not really necessary. All we have to do is set the output's crtc on RRCrtcNotify * randr12-8d230319040f0a7f72231da2bf5ec97dc3612e21.diff Fix the output->crtc initialization in the old randr setup * randr12-aec0d06469a2fa7440fdd5ee03dc256a68704e77.diff Fix a crash when rotating the screen. Remember output->crtc before setting a NULL mode because RRCrtcNotify now sets output->crtc to NULL. Use the saved crtc to set the new mode. * randr12-b2dcfbca2441ca8c561f86a78a76ab59ecbb40e4.diff RRScanOldConfig cannot use RRFirstOutput before output is configured. RRFirstOutput returns the first active output, which won't be set until after RRScanOldConfig is finished running. Instead, just use the first output (which is the only output present with an old driver, after all). * randr12-b4193a2eee80895c5641e77488df0e72a73a3d99.diff RRScanOldConfig wasn't getting crtcs set correctly. The output crtc is set by RRCrtcNotify, which is called at the end of RRScanOldConfig. Several uses of output->crtc in this function were wrong. - i810_dri_fix_freeze.diff: * fixes freeze after pressing Ctrl-Alt-BS (X.Org Bug #10809) - xserver-mode-fuzzy-check.diff: * Fix for Xserver being more fuzzy about mode validation (Bug #270846) - disable AIGLX by default; without enabled Composite extension (still problematic on many drivers) it's rather useless anyway - updated xorg.conf manual page - fix fileconflict over doc/MAINTAINERS - build parallel - updated Mesa source to bugfix release 7.0.1 - xephyr-sig11-fix.diff: * long vs. CARD32 mismatch in KeySym definitions between client and server code - this patch seems to fix it (and the input rework in head fixed it as well in a different way) (Bug #235320) - fixed build on s390(x) - added X(7) and security(7) manual pages - updated Mesa source to final release 7.0 - updated Mesa source to release 7.0 RC1 * Mesa 7.0 is a stable, follow-on release to Mesa 6.5.3. The only difference is bug fixes. The major version number bump is due to OpenGL 2.1 API support. - simplified p_default-module-path.diff - disabled build of Xprt - moved Xdmx, Xephyr, Xnest and Xvfb to new subpackage xorg-x11-server-extra - commit-c09e68c: * Paper over a crash at exit during GLX teardown - updated to Mesa 6.5.3 sources - obsoletes the following patches: * bug-211314_mesa-destroy_buffers.diff * bug-211314_mesa-framebuffer-counting.diff * bug-211314-patch-1.diff * bug-211314-patch-2.diff * bug-211314-patch-3.diff * bug-211314-patch-4.diff * bug-211314-patch-5.diff * bug-211314-patch-6.diff * bug-211314-patch-7.diff * bug-211314-patch-8.diff * bug-211314-patch-9.diff * bug-211314-patch-10.diff * bug-211314-patch-11.diff * bug-211314_mesa-refcount-memleak-fixes.diff * Mesa-6.5.2-fix_radeon_cliprect.diff - remove__GLinterface.patch/ support_mesa6.5.3.patch * required Xserver changes for Mesa 6.5.3 - xorg-x11-server-1.2.99-unbreak-domain.patch: * This patch fixes some multi-domain systems such as Pegasos with xorg-server 1.3. Since pci-rework should get merged soon and this patch is a bit of a hack, it never got pushed upstream. (X.Org Bug #7248) - back to Mesa 6.5.2 (Bug #269155/269042) - Mesa update: 4th RC ready * This fixes some breakage in RC3. - Mesa update: 3rd release candidate * updated Windows/VC8 project files. - updated to Mesa 6.5.3rc2 sources * a number of bug fixes since the first RC - updated to Mesa 6.5.3rc1 sources - obsoletes the following patches: * bug-211314_mesa-destroy_buffers.diff * bug-211314_mesa-framebuffer-counting.diff * bug-211314-patch-1.diff * bug-211314-patch-2.diff * bug-211314-patch-3.diff * bug-211314-patch-4.diff * bug-211314-patch-5.diff * bug-211314-patch-6.diff * bug-211314-patch-7.diff * bug-211314-patch-8.diff * bug-211314-patch-9.diff * bug-211314-patch-10.diff * bug-211314-patch-11.diff * bug-211314_mesa-refcount-memleak-fixes.diff * Mesa-6.5.2-fix_radeon_cliprect.diff - GL-Mesa-6.5.3.diff: * adjusted GL subdir to Mesa 6.5.3rc1 - xserver 1.3.0.0 release * Syncmaster 226 monitor needs 60Hz refresh (#10545). * In AIGLX EnterVT processing, invoke driver EnterVT before resuming glx. * Disable CRTC when SetSingleMode has no matching mode. Update RandR as well. * Rotate screen size as needed from RandR 1.1 change requests. * Add quirk for Acer AL1706 monitor to force 60hz refresh. * RandR 1.2 spec says CRTC info contains screen-relative geometry * typo in built-in module log message * Use default screen monitor for one of the outputs. * Allow outputs to be explicitly enabled in config, overriding detect. * Was accidentally disabling rotation updates in mode set. * Disable SourceValidate in rotation to capture cursor. - Mesa-6.5.2-fix_radeon_cliprect.diff: * fixes X.Org Bug #9876 - bug-259290_trapfault.diff: * fixes crash caused by bug in XRender code (Bug #259290) - xserver 1.2.99.905 release: * CVE-2007-1003: XC-MISC Extension ProcXCMiscGetXIDList() Memory Corruption * X.Org Bug #10296: Fix timer rescheduling - obsoletes bug-243978_xcmisc.diff - xserver 1.2.99.904 release: * Don't erase current crtc for outputs on CloseScreen - bug-243978_xcmisc.diff: * mem corruption in ProcXCMiscGetXIDList (CVE-2007-1003, Bug #243978) - bug-211314_mesa-refcount-memleak-fixes.diff: * Fix for memleaks and refount bugs (Bug #211314) - p_default-module-path.diff: * only return /usr/%lib/xorg/modules in "-showDefaultModulePath" Xserver option (Bug #257360) - set Xserver version to 7.2.0 with configure option (Bugs #257360, #253702) - xserver 1.2.99.903 release: * Create driver-independent CRTC-based cursor layer. * Allow xf86_reload_cursors during server init. * Don't wedge when rotating more than one CRTC. * Correct ref counting of RRMode structures * Remove extra (and wrong) I2C ByteTimeout setting in DDC code. * Slow down DDC I2C bus using a RiseFallTime of 20us for old monitors. * Clean up Rotate state on server reset. * Clear allocated RandR screen private structure. * Clean up xf86CrtcRec and xf86OutputRec objects at CloseScreen. * Make sure RandR events are delivered from RRCrtcSet. * Fix Pending property API, adding RRPostPendingProperty. * Incorrect extra memory copy in RRChangeOutputProperty. * Ensure that crtc desired values track most recent mode. * Make pending properties force mode set. And, remove AttachScreen calls. * Set version to 1.2.99.903 (1.3 RC3) * fbdevhw: Consolidate modeset ioctl calling, report failure if it modifies mode. * fbdevhw: Fix some issues with the previous commit. * fbdevhw: Use displayWidth for fbdev virtual width when appropriate. * fbdevhw: Override RGB offsets and masks after setting initial mode. * fbdevhw: Consider mode set equal to mode requested if virtual width is larger. * fbdevhw: Only deal with RGB weight if default visual is True- or DirectColor. * Add per-drawable Xv colour key helper function. * Bump video driver ABI version to 1.2. - no longer apply bug-211314_mesa-context.diff, bug-211314_p_drawable_privclean.diff (Bug #211314, comment #114) - added different Mesa patches (Bug #211314, comments #114/#115) - Remove bug197190-ia64.diff, fix x86emu instead. - xserver 1.2.99.902 release: * Xprint: shorten font filename to fit in tar length limit * Move xf86SetSingleMode into X server from intel driver. * Add xf86SetDesiredModes to apply desired modes to crtcs. * Use EDID data to set screen physical size at server startup. * Allow relative positions to use output names or monitor identifiers. * Add xf86CrtcScreenInit to share initialization across drivers. * Add hw/xfree86/docs/README.modes, documenting new mode setting APIs. * Remove stale monitor data when output becomes disconnected. * Revert "Xprint includes a filename which is too long for tar." * Revert "Xext: Update device's lastx/lasty when sending a motion event with XTest." * Xext: Update device's lastx/lasty when sending a motion event with XTest. - xf86crtc_allowdual.diff no longer required; replaced by xrandr_12_newmode.diff in xrandr (xorg-x11 package) - bug197190-ia64.diff: * missing -DNO_LONG_LONG for IA64 (Bug #197190) - xf86crtc_allowdual.diff: * allows dualhead even when the second monitor is not yet connected during Xserver start - %post: replace "i810beta" with "intel" in existing xorg.conf - xserver 1.2.99.901 release: * RandR 1.2 * EXA damage track * minor fixes - use global permissions files for SUSE > 10.1 (Bug #246228) - improved bug-197858_dpms.diff to fix Xserver crash (Bug #197858) - bug-197858_dpms.diff: * finally fixed "X server wakes up on any ACPI event" issue (Bug #197858) - bug-211314_p_drawable_privclean.diff: * fixed for cleaning up pointers - fixed build - bug-211314_p_drawable_privclean.diff: * fixes Xserver crash in Mesa software rendering path (Bug #211314) - xserver 1.2.0 release * Bug #9219: Return BadMatch when trying to name the backing pixmap of an unrealized window. * Bug #9219: Use pWin->viewable instead of pWin->realized to catch InputOnly windows too. * Fix BSF and BSR instructions in the x86 emulator. * Bug #9555: Always define _GNU_SOURCE in glibc environments. * Bug #8991: Add glXGetDrawableAttributes dispatch; fix texture format therein. * Bump video and input ABI minors. * Fix release date. * Fix syntax error in configure check for SYSV_IPC that broke with Sun cc * Map missing keycodes for Sun Type 5 keyboard on Solaris SPARC * Update pci.ids to 2006-12-06 from pciids.sf.net * Xorg & Xserver man page updates for 1.2 release * xorg.conf man page should say "XFree86-DGA", not "Xorg-DGA" * Xserver man page: remove bc, add -wr * Update pci.ids to 2007-01-18 snapshot * Update Xserver man page to match commit ed33c7c98ad0c542e9e2dd6caa3f84879c21dd61 * Fix Tooltip from minimized clients * Fix Xming fails to use xkb bug * Fix bad commit * Set Int10Current->Tag for the linux native int10 module * added mipmap.c * configure.ac: prepare for 1.2.0 (X11R7.2) * sparc: don't include asm/kbio.h -- it no longer exists in current headers. * Minor typos in Xserver man page. * Fix several cases where optimized paths were hit when they shouldn't be. * Try dlsym(RTLD_DEFAULT) first when finding symbols. * Fix RENDER issues (bug #7555) and implement RENDER add/remove screen * For Xvfb, Xnest and Xprt, compile fbcmap.c with -DXFree86Server * Multiple integer overflows in dbe and render extensions * Require glproto >= 1.4.8 for GLX. * __glXDRIscreenProbe: Use drmOpen/CloseOnce. * xfree86/hurd: re-add missing keyboard support (bug #5613) * remove last remaning 'linux'isms (bug #5613) - obsoletes * Mesa-6.5.2.diff * xorg-server-1.1.99.901-GetDrawableAttributes.patch * int10-fix.diff * cve-2006-6101_6102_6103.diff - disabled build of VNC server/module - bug-211314_mesa-context.diff: * fixes Xserver crash in software rendering fallback (Bug #211314) - 0018-vnc-support.txt.diff * fixed unresolved symbols vncRandomBytes/deskey in VNC module (terminated Xserver when client connected) - bug227111-ddc_screensize.diff: * allow user overrides for monitor settings (Bug #227111) - loadmod-bug197195.diff: * check the complete path (Bug #197195) - added build of VNC support (0018-vnc-support.txt/ 0018-vnc-support.txt.diff); see 0018-vnc-support.txt.mbox for reference - cve-2006-6101_6102_6103.diff: * CVE-2006-6101 iDefense X.org ProcRenderAddGlyphs (Bug #225972) * CVE-2006-6102 iDefense X.org ProcDbeGetVisualInfo (Bug #225974) * CVE-2006-6103 iDefense X.org ProcDbeSwapBuffers (Bug #225975) - int10-fix.diff * Set Int10Current->Tag for the linux native int10 module (X.Org Bug #9296) * obsoletes p_initialize-pci-tag.diff - reverted latest change by schwab (Bug #197190, comment #67) - Fix off-by-one in pci multi-domain support [#229278]. - libdrm.diff: * no longer fail when some driver tries to load "drm" module - xorg-server-1.1.99.901-GetDrawableAttributes.patch: * hopefully fixes AIGLX issues (X.Org Bug #8991) - another 64bit warning fix - X.Org 7.2RC3 release * Add a -showDefaultModulePath option. * Add a -showDefaultLibPath option. * Add DIX_CFLAGS to util builds. * Fix release date, and tag 1.1.99.903 * make X server use system libdrm - this requires libdrm >= 2.3.0 * DRI: call drmSetServerInfo() before drmOpen(). * add extern to struct definition * fixup configure.ac problems with DRI_SOURCES and LBX_SOURCES * bump to 1.1.99.903 * remove CID support (bug #5553) * dri: setup libdrm hooks as early as possible. * Bug #8868: Remove drm from SUBDIRS now that the directory is gone. * Fix typo before the last commit. * Fix GL context destruction with AIGLX. * On DragonFLy, default to /dev/sysmouse (just like on FreeBSD). * ffs: handle 0 argument (bug #8968) * Bug #9023: Only check mice for "mouse" or "void" if identifier is != NULL. Fix potential NULL pointer access in timer code. - updated Mesa sources to 6.5.2 - xserver-timers.diff: * fix null pointer reference in timer code (Bug #223718) - p_pci-off-by-one.diff: * readded off by one fix, which has been dropped by accident (Bug #197190) - acpi_events.diff: * distinguish between general and input devices also for APM (Bug #197858) - removed /etc/X11/Xsession.d/92xprint-xpserverlist (Bug #220733) - mouse-fix.diff: * prevent driver from crashing when something different than "mouse" or "void" is specified; only check mice for "mouse" or "void" if identifier is != NULL. (X.Org Bug #9023) - X.Org 7.2RC2 release - adjusted p_enable-altrix.diff, p_pci-domain.diff - obsoletes p_pci-ia64.diff, xorg-xserver-ia64-int10.diff p_pci-legacy-mmap.diff - Changes in RC2 since RC1 Aaron Plattner: Fix standard VESA modes. Adam Jackson: Bug #6786: Use separate defines for server's Fixes support level. 'make dist' fixes. Fix distcheck. Include a forgotten ia64 header in the distball. Builds on ia64 now. configure.ac bump. Alan Coopersmith: Make sure xorgcfg files are included even when dist made with --disable-xorgcfg Use getisax() instead of asm code to determine available x86 ISA extensions on Solaris Pre-release message should tell users to check git, not CVS, for updates Fix automake error: BUILT_SOURCES was defined multiple times on Solaris Bug #1997: AUDIT messages should contain uid for local accesses If getpeerucred() is available, include pid & zoneid in audit messages too Make _POSIX_C_SOURCE hack work with Solaris headers Alan Hourihane: Small modification to blocking signals when switching modes. Bjorn Helgaas: Do not map full 0-1MB legacy range Bram Verweij: xfree86/linux acpi: fix tokenising Daniel Stone: GetTimeInMillis: spuport monotonic clock WaitForSomething: allow time to rewind Revert "WaitForSomething: allow time to rewind" Revert "GetTimeInMillis: spuport monotonic clock" add 'general socket' handler, port ACPI to use it WaitForSomething: allow time to rewind WaitForSomething: only rewind when delta is more than 250ms GetTimeInMillis: spuport monotonic clock GetTimeInMillis: simplify monotonic test GetTimeInMillis: use correct units for clock_gettime os: fix sun extensions test Eamon Walsh: Bug #8875: Security extension causes Xorg to core dump on server reset whitespace adjust More work on Bug #8875: revert previous fix and try using client argument Bug #8937: Extension setup functions not called on server resets Egbert Eich: Fixing mach64 driver bailing out on ia64 Make int10 fully domain aware. Erik Andren: remove XFree86 changelogs (bug #7262) Joshua Baergen: Create xorg.conf.example (Gentoo bug #138623). Laurence Withers: CreateColormap: fix return value (bug #7083) Matthias Hopf: Build with -D_PC on ix86 only. Added missing domain stripping in already domain aware code. Added linux 2.6 compatible domain aware device scanning code. Fixing domain support for ia64 Add domain support to linuxPciOpenFile(). Fix device path in altixPCI.c to be domain aware. Fix obviously wrong boundary checks + cleanup unused vars. Matthieu Herrb: kill GNU-make'ism. Handle building in a separate objdir Michel Dänzer: Fix __glXDRIbindTexImage() for 32 bpp on big endian platforms. Fix test for Option "IgnoreABI". Myron Stowe: xfree86: re-enable chipset-specific drivers for Linux/ia64 Rich Coe: CheckConnections: don't close down the server client (bug #7876) - p_ppc_domain_workaround.diff: * ugly workaround for still missing domain support on ppc (Bug #202133) - updated to snapshot of xserver-1.2-branch (soon to be released as X.Org 7.2RC2) * Make sure xorgcfg files are included even when dist made with --disable-xorgcfg * Small modification to blocking signals when switching modes. * Use getisax() instead of asm code to determine available x86 ISA extensions on Solaris * Pre-release message should tell users to check git, not CVS, for updates * Fix __glXDRIbindTexImage() for 32 bpp on big endian platforms. * Create xorg.conf.example (Gentoo bug #138623). * Fix test for Option "IgnoreABI". This option has plenty of potential for wasting the time of bug triagers without pretending it's always on. * kill GNU-make'ism. * Handle building in a separate objdir * Fix automake error: BUILT_SOURCES was defined multiple times on Solaris * Bug #1997: AUDIT messages should contain uid for local accesses * If getpeerucred() is available, include pid & zoneid in audit messages too - added /etc/modprobe.d/nvidia - xorg-xserver-ia64-int10.diff: * build int10 module with _PC only on %ix86 (Bug #197190) - added build of Xephyr; useful for debugging KDE apps (coolo) - cfb8-undefined.diff: * fixes warning for undefined behaviour - Own /etc/X11/Xsession.d directory. - Use /etc/X11/Xsession.d. - updated to X.Org 7.2RC1 - only disable AIGLX by default on SUSE <= 10.1 (Bug #197093) - no longer fake release version for fglrx driver (Bug #198125) - glx-align.patch: * reenabled -D__GLX_ALIGN64 on affected plaforms (X.Org Bug #8392) - Fixes to p_pci-domain.diff (Bug #197572) * internal domain number of by one (was supposed to be a cleanup, but other code dependet on this semantics) * fixed another long-standing of-by-1 error - p_enable-altrix.diff (Bug #197572) * This additional patch enables the build of the altrix detection routines, which have apparently not been included in Xorg 7.1 yet. This patch needs a autoreconf -fi after application. - updated to Mesa 6.5.1 - disable-fbblt-opt.diff: * Disable optimization (introduced by ajax) due to a general vesa driver crash later in memcpy (Bug #204324) - removed two source files with imcompatible license from Mesa tarball (Bug #204110) - added a check to specfile to make sure that these will not be reintroduced with the next Mesa update again (Bug #204110) - moved xf86Parser.h,xf86Optrec.h back to /usr/include/xorg, since SaX2 build issues have finally been resolved by making use of "-iquote /usr/include/xorg -I." - disable-root-xorg_conf.diff: * no longer consider to read /root/xorg.conf - only require xorg-x11-fonts-core ('fixed' + 'cursor' fonts) - fake release version for fglrx driver again, since using IgnoreABI does not help (the check for the ABI version is in the binary-only fglrx driver) - added Requires: xorg-x11-driver-{input,video} (Bug #202080) - ignore-abi.diff: * adds IgnoreABI option for xorg.conf (same as -ignoreABI) - remove .la files - no longer fake release version for fglrx driver; use the new IgnoreABI option instead! - PCI/IA64 Patches (Bug #197572): * apply new p_pci-domain.diff (mhopf) * apply new p_pci-ce-x.diff (mhopf) - PCI/IA64 Patches (Bug #197572): * removed p_mappciBIOS_complete.diff (already applied upstream) * apply p_pci-ia64.diff * apply p_pci-legacy-mmap.diff only for IA64 (as before) * disabled for now: - p_pci-domain.diff: still issues with it - p_pci-ce-x.diff: sits on top of p_pci-domain.diff - added PCI/IA64 patches, but disabled them for now (Bug #197572) - remove comp. symlinks in /usr/X11R6/bin for openSUSE >= 10.2 - fixed build for s390/s390x, e.g. use configure options --disable-install-libxf86config --disable-aiglx --disable-dri --disable-xorg - changed os-name to "openSUSE" instead of "Linux" before - fake release version for fglrx driver :-( - xinerama-sig11.diff: * prevents Xserver Sig11 with broken Xinerama config (Bug #135002) - moved /usr/%_lib/pkgconfig/xorg-server.pc to xorg-x11-server - added pkgconfig to Requires of xorg-x11-server - disable-aiglx.diff: * disabled AIGLX by default (related to Bug #197093); enable it with 'Option "AIGLX" "true"' in ServerFlags section of xorg.conf - enabled build of aiglx - patch font path also in xorg.conf when set to /usr/lib/X11/fonts/ or /usr/X11/lib/X11/fonts - patch xorg.conf in %post: * radeonold/radeon10b driver --> radeon driver - added "Requires: xorg-x11-fonts" to prevent issues like "could not open default font 'fixed'" for any Xserver - make sure that symlinks /usr/bin/X --> /var/X11R6/bin/X /var/X11R6/bin/X --> /usr/bin/Xorg are packaged. - p_xorg_acpi.diff: * fixed for archs which don't have HAVE_ACPI defined, e.g. ppc - p_xf86Mode.diff: * removes wrong warning (Bug #139510) - p_xorg_acpi.diff: * reconnect to acpid when acpid has been killed (Bug #148384) - p_xkills_wrong_client.diff: * This patch has unveiled two other problems. One is rather serious as there seems to be a non-zero possibility that the Xserver closes the wrong connection and this closes the wrong client when it looks for stale sockets of clients that have disappeared (eich, Bug #150869) - p_bug159532.diff: * X Clients can intentionally or unintenionally crash X11 by using composite on depth 4 pixmaps. This patch fixes this. (Bug #159532) - p_xnest-ignore-getimage-errors.diff: * ignores the X error on GetImage in Xnest (Bug #174228, X.Org Bug #4411) - p_initialize-pci-tag.diff: * initialize PCI tag correctly, which is used by an IA64 specific patch (see Bug #147261 for details); fixes Xserver crashes with fglrx driver - and possibly other drivers like vesa - during initial startup (!), VT switch and startup of second Xserver (SLED10 Blocker Bugs #180535, #170991, #158806) - p_ia64-console.diff: * fixes MCA after start of second Xserver (Bug #177011) - p_mouse_misc.diff: * fix X server crashes with synaptics driver (Bug #61702) - pu_fixes.diff * Fixes not yet in the official version - p_bug96328.diff: * fallback mouse device checking - p_vga-crashfix.diff: * fixes vga driver crash (#133989) - p_xorg_rom_read.diff * read rom in big chunks instead of byte-at-a-time (Bug #140811) - ps_showopts.diff * Xserver "-showopts" option to print available driver options (Bug #137374) - add /var/X11R6/bin directory for now (Bug #197188) - fix setup line - fixed fatal compiler warnings - always (and only) patch xorg.conf if necessary - update to xorg-server release 1.1.99.3 - use "-fno-strict-aliasing" - use $RPM_OPT_FLAGS - remove existing /usr/include/X11 symlink in %pre - install xf86Parser.h,xf86Optrec.h to /usr/include instead of /usr/include/xorg, so it is no longer necessary to specify "-I/usr/include/xorg" which resulted in including a wrong "shadow.h" (by X.Org) when building SaX2 (strange build error) - added permissions files - add compatibility symlink /usr/X11R6/bin/Xorg - p_ValidatePci.diff: * no longer call ValidatePci() to fix i810 driver issues (Bug #191987) - fixed build - security update to version 9.50 [bnc#400367] * Lot's of security and bug fixes and new features. See Changelog for more details. - all archs (i386, ppc, x86_64) use shared qt3 library and gcc4 - enabled native 64bit build [bnc#204729] - dropped sparc arch - Opera now works with Flash plug-in also on 64bit [bnc#336213] - deleted bugzilla-300536-oneclick.patch because file associations are rewritten manually in spec file - applying bugzilla-208048-scim-qtimm-problem.patch for all archs - deleted unused and obsolete extra file search.ini - using AutopreReq on - added hicolor opera icon [bnc#384209] * created by Aakash Soneri (http://www.akkasone.com/) * redistributed with written permission of the author * http://akkasone.deviantart.com/art/Opera-8-Browser-Icon-22991716 - registration file opera.reg no longer needed - refactored spec file - security update to 9.27 [bnc#376714] * Fixed an issue where newsfeed prompts could cause Opera to execute arbitrary code. * Solved an issue where resized canvas patterns could cause Opera to execute arbitrary code. * Improved keyboard handling of password inputs. * Fixed a BitTorrent transfer stability issue. * Resolved stablity issues with the Acid 3 test. * Additional stability fixes. - security update to 9.26 [bnc#363574] * Fixed an issue where simulated text inputs could trick users into uploading arbitrary files. * Image properties can no longer be used to execute scripts. * Fixed an issue where the representation of DOM attribute values could allow cross site scripting. * Fixed a stability issue found in Opera 9.0 to 9.25, when Opera connects securely to Windows Server 2008 or other servers supporting the TLS Certificate Status extension. * Additional stability fixes. - owning directories /usr/share/icons/hicolor/*/* - added missing coreutils PreReq - set Requires: on qt3 only for build with shared libs - applying oneclick patch also on ppc arch - security update to 9.25 [#350579] CVE-2007-6520, CVE-2007-6521, CVE-2007-6522, CVE-2007-6523, CVE-2007-6524 * Fixed an issue where plug-ins could be used to allow cross domain scripting. * Fixed an issue with TLS certificates that could be used to execute arbitrary code. * Rich text editing can no longer be used to allow cross domain scripting. * Fixed a problem where malformed BMP files could cause Opera to temporarily freeze. * Prevented bitmaps from revealing random data from memory. - security update to 9.24 CVE-2007-5540, CVE-2007-5541 [#334832] * Fixed an issue where external news readers and e-mail clients could be used to execute arbitrary code * Fixed an issue where scripts could overwrite functions on pages from other domains. - updated language files to meet the version [#331913] - don't build on x86_64, let's use the x86 version until we get something native - fix #300536 add one-click installation associations to opera - update to 9.23 (#300605 - VUL-0: opera: a specially crafted JavaScript can make Opera execute arbitrary code) - #300536 - add one-click installation associations to opera - update to 9.22 (#293101 VUL-0: opera 9.22 fixes double free bug) Crafted torrent files can execute arbitrary code; CVE-2007-2809 - fix #289701 – old opera icons - put desktop file into package and replaced references to the old icon - update to 9.21 fix release - fix rpmlint warning about unsupported distro (8.20) - added unzip to buildrequires - update to 9.20 (#264218 - VUL-0: opera version 9.20 released) - Bugzilla #208048: add workaround to start script to avoid bad page layout in some locales when scim-qtimm is installed. - update to 9.10 - fix #189635 - opera9 cannot be installed during system upgrade - fix #208742 - VUL-0: opera: RSA signature forgery problem - update to 9.02 - #190137: incompatible language files in Opera 9.0-1.1 & Opera 9.0-1.3 - #188632 - Opera 9.0 denial of service with A tag - security update to version 9.50 [bnc#400367] * Lot's of security and bug fixes and new features. See Changelog for more details. - all archs (i386, ppc, x86_64) use shared qt3 library and gcc4 - enabled native 64bit build [bnc#204729] - dropped sparc arch - Opera now works with Flash plug-in also on 64bit [bnc#336213] - deleted bugzilla-300536-oneclick.patch because file associations are rewritten manually in spec file - applying bugzilla-208048-scim-qtimm-problem.patch for all archs - deleted unused and obsolete extra file search.ini - using AutopreReq on - added hicolor opera icon [bnc#384209] * created by Aakash Soneri (http://www.akkasone.com/) * redistributed with written permission of the author * http://akkasone.deviantart.com/art/Opera-8-Browser-Icon-22991716 - registration file opera.reg no longer needed - refactored spec file - security update to 9.27 [bnc#376714] * Fixed an issue where newsfeed prompts could cause Opera to execute arbitrary code. * Solved an issue where resized canvas patterns could cause Opera to execute arbitrary code. * Improved keyboard handling of password inputs. * Fixed a BitTorrent transfer stability issue. * Resolved stablity issues with the Acid 3 test. * Additional stability fixes. - security update to 9.26 [bnc#363574] * Fixed an issue where simulated text inputs could trick users into uploading arbitrary files. * Image properties can no longer be used to execute scripts. * Fixed an issue where the representation of DOM attribute values could allow cross site scripting. * Fixed a stability issue found in Opera 9.0 to 9.25, when Opera connects securely to Windows Server 2008 or other servers supporting the TLS Certificate Status extension. * Additional stability fixes. - owning directories /usr/share/icons/hicolor/*/* - added missing coreutils PreReq - set Requires: on qt3 only for build with shared libs - applying oneclick patch also on ppc arch - security update to 9.25 [#350579] CVE-2007-6520, CVE-2007-6521, CVE-2007-6522, CVE-2007-6523, CVE-2007-6524 * Fixed an issue where plug-ins could be used to allow cross domain scripting. * Fixed an issue with TLS certificates that could be used to execute arbitrary code. * Rich text editing can no longer be used to allow cross domain scripting. * Fixed a problem where malformed BMP files could cause Opera to temporarily freeze. * Prevented bitmaps from revealing random data from memory. - security update to 9.24 CVE-2007-5540, CVE-2007-5541 [#334832] * Fixed an issue where external news readers and e-mail clients could be used to execute arbitrary code * Fixed an issue where scripts could overwrite functions on pages from other domains. - updated language files to meet the version [#331913] - don't build on x86_64, let's use the x86 version until we get something native - fix #300536 add one-click installation associations to opera - update to 9.23 (#300605 - VUL-0: opera: a specially crafted JavaScript can make Opera execute arbitrary code) - #300536 - add one-click installation associations to opera - update to 9.22 (#293101 VUL-0: opera 9.22 fixes double free bug) Crafted torrent files can execute arbitrary code; CVE-2007-2809 - fix #289701 – old opera icons - put desktop file into package and replaced references to the old icon - update to 9.21 fix release - fix rpmlint warning about unsupported distro (8.20) - added unzip to buildrequires - update to 9.20 (#264218 - VUL-0: opera version 9.20 released) - Bugzilla #208048: add workaround to start script to avoid bad page layout in some locales when scim-qtimm is installed. - update to 9.10 - fix #189635 - opera9 cannot be installed during system upgrade - fix #208742 - VUL-0: opera: RSA signature forgery problem - update to 9.02 - #190137: incompatible language files in Opera 9.0-1.1 & Opera 9.0-1.3 - #188632 - Opera 9.0 denial of service with A tag - security update to version 9.50 [bnc#400367] * Lot's of security and bug fixes and new features. See Changelog for more details. - all archs (i386, ppc, x86_64) use shared qt3 library and gcc4 - enabled native 64bit build [bnc#204729] - dropped sparc arch - Opera now works with Flash plug-in also on 64bit [bnc#336213] - deleted bugzilla-300536-oneclick.patch because file associations are rewritten manually in spec file - applying bugzilla-208048-scim-qtimm-problem.patch for all archs - deleted unused and obsolete extra file search.ini - using AutopreReq on - added hicolor opera icon [bnc#384209] * created by Aakash Soneri (http://www.akkasone.com/) * redistributed with written permission of the author * http://akkasone.deviantart.com/art/Opera-8-Browser-Icon-22991716 - registration file opera.reg no longer needed - refactored spec file - security update to 9.27 [bnc#376714] * Fixed an issue where newsfeed prompts could cause Opera to execute arbitrary code. * Solved an issue where resized canvas patterns could cause Opera to execute arbitrary code. * Improved keyboard handling of password inputs. * Fixed a BitTorrent transfer stability issue. * Resolved stablity issues with the Acid 3 test. * Additional stability fixes. - security update to 9.26 [bnc#363574] * Fixed an issue where simulated text inputs could trick users into uploading arbitrary files. * Image properties can no longer be used to execute scripts. * Fixed an issue where the representation of DOM attribute values could allow cross site scripting. * Fixed a stability issue found in Opera 9.0 to 9.25, when Opera connects securely to Windows Server 2008 or other servers supporting the TLS Certificate Status extension. * Additional stability fixes. - owning directories /usr/share/icons/hicolor/*/* - added missing coreutils PreReq - set Requires: on qt3 only for build with shared libs - applying oneclick patch also on ppc arch - security update to 9.25 [#350579] CVE-2007-6520, CVE-2007-6521, CVE-2007-6522, CVE-2007-6523, CVE-2007-6524 * Fixed an issue where plug-ins could be used to allow cross domain scripting. * Fixed an issue with TLS certificates that could be used to execute arbitrary code. * Rich text editing can no longer be used to allow cross domain scripting. * Fixed a problem where malformed BMP files could cause Opera to temporarily freeze. * Prevented bitmaps from revealing random data from memory. - security update to 9.24 CVE-2007-5540, CVE-2007-5541 [#334832] * Fixed an issue where external news readers and e-mail clients could be used to execute arbitrary code * Fixed an issue where scripts could overwrite functions on pages from other domains. - updated language files to meet the version [#331913] - don't build on x86_64, let's use the x86 version until we get something native - fix #300536 add one-click installation associations to opera - update to 9.23 (#300605 - VUL-0: opera: a specially crafted JavaScript can make Opera execute arbitrary code) - #300536 - add one-click installation associations to opera - update to 9.22 (#293101 VUL-0: opera 9.22 fixes double free bug) Crafted torrent files can execute arbitrary code; CVE-2007-2809 - fix #289701 – old opera icons - put desktop file into package and replaced references to the old icon - update to 9.21 fix release - fix rpmlint warning about unsupported distro (8.20) - added unzip to buildrequires - update to 9.20 (#264218 - VUL-0: opera version 9.20 released) - Bugzilla #208048: add workaround to start script to avoid bad page layout in some locales when scim-qtimm is installed. - update to 9.10 - fix #189635 - opera9 cannot be installed during system upgrade - fix #208742 - VUL-0: opera: RSA signature forgery problem - update to 9.02 - #190137: incompatible language files in Opera 9.0-1.1 & Opera 9.0-1.3 - #188632 - Opera 9.0 denial of service with A tag - Scan service links even for non LSB scripts (bnc#391014) - really remove last reference to boot.setclock (bnc#384254) - Remove last occurence of boot.setclock (bnc#384254) - Also ignore temporary (mostly?) errors if executed within an rpm scriptlet (bnc#385498, bnc#384254) - Move stat() check for /etc/insserv.conf.d/ configure files to scan_conf() otherwise we never scan those files. - Ignore temporary errors during update with YaST/zypper (bnc#385498) - boot.clock was into two scripts for boot and shutdown Todo: make insserv knowing about Required-Stop to merge them again to one boot.clock. - add boot.crypto-early to insserv.conf - Avoid SIGSEGV in functions which can handle NULL pointers thanks goes to Petter Reinholdtsen for his report - New version 1.11.0 of insserv - Code cleanup, update copyrights, and manual pages - Use __attribute__ of gcc for better function management - Use __attribute__ of gcc for alignment of list_t pointers - Some preparation listing.c for kill link sorting (TODO) - Add and integrate many patches from Debian svn tree done by Petter Reinholdtsen * Make it possible to set the path at runtime, to make it easier to write test suites * Support for reading LSB headers info from override directory * Accept script names like 'rc.local' for Debian build * Use other defaults on Debian systems (start, stop levels) * Put redundant level informations in one API * Fix the handling of stop scripts and the shutdown sequence on Debian systems * Better loop report * Make loops fatal if not forced - Clean the API for listing the services - Don't run HW clock in parallel mode to have well defined timestamps during enabling local fs and running startpar - Even disabled scripts should be occur in dependcies (#331615) - Handle return values of strsep in case of several provides - Do not scan services links if removed later on - Scan all scripts for Start-Before even if already known (#297214) - Do not add disabled scripts to the depend files - Remove hotplug and pcmcia from insserv.conf because they are dropped (bug #291417) - Scan all files in `should start before' even facilities - Read insserv.conf in other root environments - Ignore rcs-files (bug #278520) - Split insserv.conf off from source tar ball to avoid patching - Add boot.crypto to $local_fs - Add smbfs/cifs to $remote_fs - Add missed `start this script before' feature patch (fate#301269) - Remove obsolate `$netdaemons' facility (#209380) - Add `start this script before' feature (fate #301269) - Create new version 1.09.0 of insserv - Expand aliases even for services which requires $all (#216202) - Scan service links even for non LSB scripts (bnc#391014) - really remove last reference to boot.setclock (bnc#384254) - Remove last occurence of boot.setclock (bnc#384254) - Also ignore temporary (mostly?) errors if executed within an rpm scriptlet (bnc#385498, bnc#384254) - Move stat() check for /etc/insserv.conf.d/ configure files to scan_conf() otherwise we never scan those files. - Ignore temporary errors during update with YaST/zypper (bnc#385498) - boot.clock was into two scripts for boot and shutdown Todo: make insserv knowing about Required-Stop to merge them again to one boot.clock. - add boot.crypto-early to insserv.conf - Avoid SIGSEGV in functions which can handle NULL pointers thanks goes to Petter Reinholdtsen for his report - New version 1.11.0 of insserv - Code cleanup, update copyrights, and manual pages - Use __attribute__ of gcc for better function management - Use __attribute__ of gcc for alignment of list_t pointers - Some preparation listing.c for kill link sorting (TODO) - Add and integrate many patches from Debian svn tree done by Petter Reinholdtsen * Make it possible to set the path at runtime, to make it easier to write test suites * Support for reading LSB headers info from override directory * Accept script names like 'rc.local' for Debian build * Use other defaults on Debian systems (start, stop levels) * Put redundant level informations in one API * Fix the handling of stop scripts and the shutdown sequence on Debian systems * Better loop report * Make loops fatal if not forced - Clean the API for listing the services - Don't run HW clock in parallel mode to have well defined timestamps during enabling local fs and running startpar - Even disabled scripts should be occur in dependcies (#331615) - Handle return values of strsep in case of several provides - Do not scan services links if removed later on - Scan all scripts for Start-Before even if already known (#297214) - Do not add disabled scripts to the depend files - Remove hotplug and pcmcia from insserv.conf because they are dropped (bug #291417) - Scan all files in `should start before' even facilities - Read insserv.conf in other root environments - Ignore rcs-files (bug #278520) - Split insserv.conf off from source tar ball to avoid patching - Add boot.crypto to $local_fs - Add smbfs/cifs to $remote_fs - Add missed `start this script before' feature patch (fate#301269) - Remove obsolate `$netdaemons' facility (#209380) - Add `start this script before' feature (fate #301269) - Create new version 1.09.0 of insserv - Expand aliases even for services which requires $all (#216202) - Scan service links even for non LSB scripts (bnc#391014) - really remove last reference to boot.setclock (bnc#384254) - Remove last occurence of boot.setclock (bnc#384254) - Also ignore temporary (mostly?) errors if executed within an rpm scriptlet (bnc#385498, bnc#384254) - Move stat() check for /etc/insserv.conf.d/ configure files to scan_conf() otherwise we never scan those files. - Ignore temporary errors during update with YaST/zypper (bnc#385498) - boot.clock was into two scripts for boot and shutdown Todo: make insserv knowing about Required-Stop to merge them again to one boot.clock. - add boot.crypto-early to insserv.conf - Avoid SIGSEGV in functions which can handle NULL pointers thanks goes to Petter Reinholdtsen for his report - New version 1.11.0 of insserv - Code cleanup, update copyrights, and manual pages - Use __attribute__ of gcc for better function management - Use __attribute__ of gcc for alignment of list_t pointers - Some preparation listing.c for kill link sorting (TODO) - Add and integrate many patches from Debian svn tree done by Petter Reinholdtsen * Make it possible to set the path at runtime, to make it easier to write test suites * Support for reading LSB headers info from override directory * Accept script names like 'rc.local' for Debian build * Use other defaults on Debian systems (start, stop levels) * Put redundant level informations in one API * Fix the handling of stop scripts and the shutdown sequence on Debian systems * Better loop report * Make loops fatal if not forced - Clean the API for listing the services - Don't run HW clock in parallel mode to have well defined timestamps during enabling local fs and running startpar - Even disabled scripts should be occur in dependcies (#331615) - Handle return values of strsep in case of several provides - Do not scan services links if removed later on - Scan all scripts for Start-Before even if already known (#297214) - Do not add disabled scripts to the depend files - Remove hotplug and pcmcia from insserv.conf because they are dropped (bug #291417) - Scan all files in `should start before' even facilities - Read insserv.conf in other root environments - Ignore rcs-files (bug #278520) - Split insserv.conf off from source tar ball to avoid patching - Add boot.crypto to $local_fs - Add smbfs/cifs to $remote_fs - Add missed `start this script before' feature patch (fate#301269) - Remove obsolate `$netdaemons' facility (#209380) - Add `start this script before' feature (fate #301269) - Create new version 1.09.0 of insserv - Expand aliases even for services which requires $all (#216202) - Scan service links even for non LSB scripts (bnc#391014) - really remove last reference to boot.setclock (bnc#384254) - Remove last occurence of boot.setclock (bnc#384254) - Also ignore temporary (mostly?) errors if executed within an rpm scriptlet (bnc#385498, bnc#384254) - Move stat() check for /etc/insserv.conf.d/ configure files to scan_conf() otherwise we never scan those files. - Ignore temporary errors during update with YaST/zypper (bnc#385498) - boot.clock was into two scripts for boot and shutdown Todo: make insserv knowing about Required-Stop to merge them again to one boot.clock. - add boot.crypto-early to insserv.conf - Avoid SIGSEGV in functions which can handle NULL pointers thanks goes to Petter Reinholdtsen for his report - New version 1.11.0 of insserv - Code cleanup, update copyrights, and manual pages - Use __attribute__ of gcc for better function management - Use __attribute__ of gcc for alignment of list_t pointers - Some preparation listing.c for kill link sorting (TODO) - Add and integrate many patches from Debian svn tree done by Petter Reinholdtsen * Make it possible to set the path at runtime, to make it easier to write test suites * Support for reading LSB headers info from override directory * Accept script names like 'rc.local' for Debian build * Use other defaults on Debian systems (start, stop levels) * Put redundant level informations in one API * Fix the handling of stop scripts and the shutdown sequence on Debian systems * Better loop report * Make loops fatal if not forced - Clean the API for listing the services - Don't run HW clock in parallel mode to have well defined timestamps during enabling local fs and running startpar - Even disabled scripts should be occur in dependcies (#331615) - Handle return values of strsep in case of several provides - Do not scan services links if removed later on - Scan all scripts for Start-Before even if already known (#297214) - Do not add disabled scripts to the depend files - Remove hotplug and pcmcia from insserv.conf because they are dropped (bug #291417) - Scan all files in `should start before' even facilities - Read insserv.conf in other root environments - Ignore rcs-files (bug #278520) - Split insserv.conf off from source tar ball to avoid patching - Add boot.crypto to $local_fs - Add smbfs/cifs to $remote_fs - Add missed `start this script before' feature patch (fate#301269) - Remove obsolate `$netdaemons' facility (#209380) - Add `start this script before' feature (fate #301269) - Create new version 1.09.0 of insserv - Expand aliases even for services which requires $all (#216202) - fix image size calculation for the case of uncompressible data - whitelist update for s2ram (CVS as of today) (bnc#398858) - add a fix from Rafael J Wysocki for a resume failure when using encryption. See: http://article.gmane.org/gmane.linux.kernel.suspend.devel/5393 - add fixes from CVS for a possible endless loop in the new memory allocator code and a bug in the image saving code - update to current CVS: - whitelist update - make resume_pause work correctly (ENTER to continue...) - more verbose logging to stderr -> pm-utils logfile - remove bogus "readdir(): Inappropriate ioctl for device" message - make vbetool more verbose when retrying and sleep between retries - add openSUSE 11.0 whitelist quirks for kernel 2.6.25 (bnc#387956) - update to current CVS: - new memory allocator code - faster and cleaner - various small code cleanups - whitelist update - update to current CVS: - the save-compressed-images-faster patch is upstream - whitelist update for s2ram, fixing various novell bugzillas - update to current CVS: - use the new ioctls present in kernel 2.6.25 - whitelist update - refreshed some of the patches - added suspend-0.80-vbetool-retry-on-errors.diff to workaround temporary vbetool failures - added suspend-0.80.080506-save-compressed-images-faster.diff which greatly improves the speed of compressed s2disk - update to current CVS: - huge whitelist update for s2ram - libgcc_s fix is upstream - minor cleanups in the build system - specfile more buildservice-friendly - add patch suspend-build-with-gcc_s.diff: - this makes splashy actually work again - update to current CVS (only s2ram whitelist updates) - whitelist update for s2ram - mention http://en.opensuse.org/S2ram instead of sf.net page in help messages - more detailed instructions on bugreporting (from upstream cvs) - update to suspend-0.80 - buildsystem conversion to autoconf - huge whitelist update for s2ram - ppc support - Changes needed because of splashy update: - add suspend-0.69.9-glib.diff - add pkgconfig and glib2-devel to BuildRequires - remove SUSE 10.1 specific documentation for newer distros - fix wrong condition in %post (still b.n.c #326234) - fix update case (mkinitrd returning an error, b.n.c #326234) - updated the s2ram whitelist: - suspend-s2ram-LenovoX60Tablet.diff (b.n.c #265613) - suspend-s2ram-DellXPSM1330.diff (b.n.c #325757) - added patches to update the s2ram whitelist: - suspend-s2ram-HPnc6320.diff (b.n.c #310179) - suspend-s2ram-LenovoX61Tablet.diff (b.n.c #310198) - suspend-s2ram-several_SonyVaio.diff (b.n.c #310223) - updated to current CVS (0.7rc, will be 0.7 soon) - code cleanups for better maintainability - various whitelist updates for s2ram - use system-wide lzo library instead of private copy of liblzf - Makefile fix merged - in case the user aborted suspend to disk, return zero to avoid a nasty popup from kpowersave - speedup image writing by starting writeout earlier - add suspend-input.diff: Read keyboard events from /dev/input/event*. DirectFB implementation uses threads which are frozen during image writing (novell bug 293826) - suspend-default-splash.diff: default to using splash for s2disk - update to current cvs: - whitelist updates - fix acpi_video_mode setting, was not effective before - correct the Aspire 1690 whitelist entry (novell bug 293662) - fix build with old "make" (SLED10) - update to current cvs: - whitelist updates - some small changes in button handling during suspend to disk, press "r" for reboot instead of shutdown - suspend framebuffers during suspend to RAM, might help with some of those NOFB entries. - build with splashy support - enable dynamic linking for the resume binary - suspend-disable-bootsplash.diff: Enable splashy in favour of broken bootsplash support. Patch will get removed once upstream gets the changes - update to current CVS: - lots of whitelist updates (novell bugs 290734 and 290618) - return an error on "--identify" if the machine is unknown or "unsure". - default keyfile patch included upstream - removed "use console 63" patch, makes debugging harder and will be unnecessary once the splash-support is included - update to current CVS: - whitelist updates - refactoring of arch-specific code - reworked help-texts - default to using compression for s2disk - default RSA key file to /etc/suspend.key - update to current CVS: - whitelist updates - documentation updates - update to vbetool-1.0 codebase: - move to external libx86 - Makefile cleanup - various "platform mode" fixes for s2disk/resume - error path fixes in s2disk - better error messages - add libx86-devel to BuildRequires: - remove obsolete openSUSE-Factory-README.txt - update to current CVS, only whitelist updates - update to current CVS, which has: - lots of whitelist updates - Makefile reworked - loglevel mangling during boot fixed correctly - unblank the console after resume from disk - more space-efficient storage of encryption details in image - various other small fixes - update to current CVS, which has: - all new s2ram option pci_save for machines that need PCI state saving of the graphics card - lots of whitelist updates - documentation update - some fixes for encrypted suspend on 64bit machines - fix "press del to abort image saving" with splash usage - fix swap-offset on large swapfiles - whitelist update: Dell D410 (bug #220865) - change version from 0.5 to 0.50 to avoid update problems - whitelist update: * HP Compaq nc6120 (bug 159688) * MAXDATA IMPERIO4045A * fix ThinkPad X41 Tablet entry (bug #220865) - update to released version 0.50: - incorporates all our fixes - whitelist updates - add "swap-offset" tool for using swapfiles to suspend (not supported yet by the kernel and our initrd) - fix blocker bug 219629, resume never resumed. - update to current CVS: - ability to abort writing the image to disk - do not touch on-disk inode of snapshot device after freezing - whitelist updates - add command line option handling to s2disk/s2both - do not mess up the loglevel on resume (bug 218284) - always use console 63 for suspend messages - cleanup error path on failed suspend - update to current CVS: - fix suspend to swap partitions > 2GB - add support for swap files (needs newer kernel) - whitelist update - package version number restructured to make future updates to upcoming releases smoother - link also against libz when linking against libpci - update to current CVS: - fix platform mode - s2ram whitelist updates - use "maximum speed" options for liblzf - enable image-encryption. - update to current CVS which does: - implement code for using ACPI methods to suspend ("platform mode") - timing for suspend and resume - whitelist updates - config file options are completely commented out now. - update to current CVS which does: - bootsplash fixes, alternative implementation (not used) - Makefile reworked - whitelist updated - updated documentation for openSUSE factory - update documentation for userspace swsusp for openSUSE factory - update to current CVS which does: - documentation updates (how to use userspace swsusp on SuSE) - incorporate suspend-fs.h-include-fix.diff - whitelist updates - fix build (compression was not enabled) - update to current CVS which does: - documentation updates - incorporate the vbetool 64bit fix - whitelist updates - fix build with newer glibc - fix segfaults in vbetool code on 64bit machines. - update to current CVS which does (among others): - various whitelist updates - upgrade vbetool code to vbetool-0.6 (should be a no-op) - add "--vbe_mode" option to support more machines - build the tools for userspace-suspend (s2disk, s2both, resume). This needs a custom kernel and only unencrypted suspend is compiled in due to license issues. - fix image size calculation for the case of uncompressible data - whitelist update for s2ram (CVS as of today) (bnc#398858) - add a fix from Rafael J Wysocki for a resume failure when using encryption. See: http://article.gmane.org/gmane.linux.kernel.suspend.devel/5393 - add fixes from CVS for a possible endless loop in the new memory allocator code and a bug in the image saving code - update to current CVS: - whitelist update - make resume_pause work correctly (ENTER to continue...) - more verbose logging to stderr -> pm-utils logfile - remove bogus "readdir(): Inappropriate ioctl for device" message - make vbetool more verbose when retrying and sleep between retries - add openSUSE 11.0 whitelist quirks for kernel 2.6.25 (bnc#387956) - update to current CVS: - new memory allocator code - faster and cleaner - various small code cleanups - whitelist update - update to current CVS: - the save-compressed-images-faster patch is upstream - whitelist update for s2ram, fixing various novell bugzillas - update to current CVS: - use the new ioctls present in kernel 2.6.25 - whitelist update - refreshed some of the patches - added suspend-0.80-vbetool-retry-on-errors.diff to workaround temporary vbetool failures - added suspend-0.80.080506-save-compressed-images-faster.diff which greatly improves the speed of compressed s2disk - update to current CVS: - huge whitelist update for s2ram - libgcc_s fix is upstream - minor cleanups in the build system - specfile more buildservice-friendly - add patch suspend-build-with-gcc_s.diff: - this makes splashy actually work again - update to current CVS (only s2ram whitelist updates) - whitelist update for s2ram - mention http://en.opensuse.org/S2ram instead of sf.net page in help messages - more detailed instructions on bugreporting (from upstream cvs) - update to suspend-0.80 - buildsystem conversion to autoconf - huge whitelist update for s2ram - ppc support - Changes needed because of splashy update: - add suspend-0.69.9-glib.diff - add pkgconfig and glib2-devel to BuildRequires - remove SUSE 10.1 specific documentation for newer distros - fix wrong condition in %post (still b.n.c #326234) - fix update case (mkinitrd returning an error, b.n.c #326234) - updated the s2ram whitelist: - suspend-s2ram-LenovoX60Tablet.diff (b.n.c #265613) - suspend-s2ram-DellXPSM1330.diff (b.n.c #325757) - added patches to update the s2ram whitelist: - suspend-s2ram-HPnc6320.diff (b.n.c #310179) - suspend-s2ram-LenovoX61Tablet.diff (b.n.c #310198) - suspend-s2ram-several_SonyVaio.diff (b.n.c #310223) - updated to current CVS (0.7rc, will be 0.7 soon) - code cleanups for better maintainability - various whitelist updates for s2ram - use system-wide lzo library instead of private copy of liblzf - Makefile fix merged - in case the user aborted suspend to disk, return zero to avoid a nasty popup from kpowersave - speedup image writing by starting writeout earlier - add suspend-input.diff: Read keyboard events from /dev/input/event*. DirectFB implementation uses threads which are frozen during image writing (novell bug 293826) - suspend-default-splash.diff: default to using splash for s2disk - update to current cvs: - whitelist updates - fix acpi_video_mode setting, was not effective before - correct the Aspire 1690 whitelist entry (novell bug 293662) - fix build with old "make" (SLED10) - update to current cvs: - whitelist updates - some small changes in button handling during suspend to disk, press "r" for reboot instead of shutdown - suspend framebuffers during suspend to RAM, might help with some of those NOFB entries. - build with splashy support - enable dynamic linking for the resume binary - suspend-disable-bootsplash.diff: Enable splashy in favour of broken bootsplash support. Patch will get removed once upstream gets the changes - update to current CVS: - lots of whitelist updates (novell bugs 290734 and 290618) - return an error on "--identify" if the machine is unknown or "unsure". - default keyfile patch included upstream - removed "use console 63" patch, makes debugging harder and will be unnecessary once the splash-support is included - update to current CVS: - whitelist updates - refactoring of arch-specific code - reworked help-texts - default to using compression for s2disk - default RSA key file to /etc/suspend.key - update to current CVS: - whitelist updates - documentation updates - update to vbetool-1.0 codebase: - move to external libx86 - Makefile cleanup - various "platform mode" fixes for s2disk/resume - error path fixes in s2disk - better error messages - add libx86-devel to BuildRequires: - remove obsolete openSUSE-Factory-README.txt - update to current CVS, only whitelist updates - update to current CVS, which has: - lots of whitelist updates - Makefile reworked - loglevel mangling during boot fixed correctly - unblank the console after resume from disk - more space-efficient storage of encryption details in image - various other small fixes - update to current CVS, which has: - all new s2ram option pci_save for machines that need PCI state saving of the graphics card - lots of whitelist updates - documentation update - some fixes for encrypted suspend on 64bit machines - fix "press del to abort image saving" with splash usage - fix swap-offset on large swapfiles - whitelist update: Dell D410 (bug #220865) - change version from 0.5 to 0.50 to avoid update problems - whitelist update: * HP Compaq nc6120 (bug 159688) * MAXDATA IMPERIO4045A * fix ThinkPad X41 Tablet entry (bug #220865) - update to released version 0.50: - incorporates all our fixes - whitelist updates - add "swap-offset" tool for using swapfiles to suspend (not supported yet by the kernel and our initrd) - fix blocker bug 219629, resume never resumed. - update to current CVS: - ability to abort writing the image to disk - do not touch on-disk inode of snapshot device after freezing - whitelist updates - add command line option handling to s2disk/s2both - do not mess up the loglevel on resume (bug 218284) - always use console 63 for suspend messages - cleanup error path on failed suspend - update to current CVS: - fix suspend to swap partitions > 2GB - add support for swap files (needs newer kernel) - whitelist update - package version number restructured to make future updates to upcoming releases smoother - link also against libz when linking against libpci - update to current CVS: - fix platform mode - s2ram whitelist updates - use "maximum speed" options for liblzf - enable image-encryption. - update to current CVS which does: - implement code for using ACPI methods to suspend ("platform mode") - timing for suspend and resume - whitelist updates - config file options are completely commented out now. - update to current CVS which does: - bootsplash fixes, alternative implementation (not used) - Makefile reworked - whitelist updated - updated documentation for openSUSE factory - update documentation for userspace swsusp for openSUSE factory - update to current CVS which does: - documentation updates (how to use userspace swsusp on SuSE) - incorporate suspend-fs.h-include-fix.diff - whitelist updates - fix build (compression was not enabled) - update to current CVS which does: - documentation updates - incorporate the vbetool 64bit fix - whitelist updates - fix build with newer glibc - fix segfaults in vbetool code on 64bit machines. - update to current CVS which does (among others): - various whitelist updates - upgrade vbetool code to vbetool-0.6 (should be a no-op) - add "--vbe_mode" option to support more machines - build the tools for userspace-suspend (s2disk, s2both, resume). This needs a custom kernel and only unencrypted suspend is compiled in due to license issues. - fix image size calculation for the case of uncompressible data - whitelist update for s2ram (CVS as of today) (bnc#398858) - add a fix from Rafael J Wysocki for a resume failure when using encryption. See: http://article.gmane.org/gmane.linux.kernel.suspend.devel/5393 - add fixes from CVS for a possible endless loop in the new memory allocator code and a bug in the image saving code - update to current CVS: - whitelist update - make resume_pause work correctly (ENTER to continue...) - more verbose logging to stderr -> pm-utils logfile - remove bogus "readdir(): Inappropriate ioctl for device" message - make vbetool more verbose when retrying and sleep between retries - add openSUSE 11.0 whitelist quirks for kernel 2.6.25 (bnc#387956) - update to current CVS: - new memory allocator code - faster and cleaner - various small code cleanups - whitelist update - update to current CVS: - the save-compressed-images-faster patch is upstream - whitelist update for s2ram, fixing various novell bugzillas - update to current CVS: - use the new ioctls present in kernel 2.6.25 - whitelist update - refreshed some of the patches - added suspend-0.80-vbetool-retry-on-errors.diff to workaround temporary vbetool failures - added suspend-0.80.080506-save-compressed-images-faster.diff which greatly improves the speed of compressed s2disk - update to current CVS: - huge whitelist update for s2ram - libgcc_s fix is upstream - minor cleanups in the build system - specfile more buildservice-friendly - add patch suspend-build-with-gcc_s.diff: - this makes splashy actually work again - update to current CVS (only s2ram whitelist updates) - whitelist update for s2ram - mention http://en.opensuse.org/S2ram instead of sf.net page in help messages - more detailed instructions on bugreporting (from upstream cvs) - update to suspend-0.80 - buildsystem conversion to autoconf - huge whitelist update for s2ram - ppc support - Changes needed because of splashy update: - add suspend-0.69.9-glib.diff - add pkgconfig and glib2-devel to BuildRequires - remove SUSE 10.1 specific documentation for newer distros - fix wrong condition in %post (still b.n.c #326234) - fix update case (mkinitrd returning an error, b.n.c #326234) - updated the s2ram whitelist: - suspend-s2ram-LenovoX60Tablet.diff (b.n.c #265613) - suspend-s2ram-DellXPSM1330.diff (b.n.c #325757) - added patches to update the s2ram whitelist: - suspend-s2ram-HPnc6320.diff (b.n.c #310179) - suspend-s2ram-LenovoX61Tablet.diff (b.n.c #310198) - suspend-s2ram-several_SonyVaio.diff (b.n.c #310223) - updated to current CVS (0.7rc, will be 0.7 soon) - code cleanups for better maintainability - various whitelist updates for s2ram - use system-wide lzo library instead of private copy of liblzf - Makefile fix merged - in case the user aborted suspend to disk, return zero to avoid a nasty popup from kpowersave - speedup image writing by starting writeout earlier - add suspend-input.diff: Read keyboard events from /dev/input/event*. DirectFB implementation uses threads which are frozen during image writing (novell bug 293826) - suspend-default-splash.diff: default to using splash for s2disk - update to current cvs: - whitelist updates - fix acpi_video_mode setting, was not effective before - correct the Aspire 1690 whitelist entry (novell bug 293662) - fix build with old "make" (SLED10) - update to current cvs: - whitelist updates - some small changes in button handling during suspend to disk, press "r" for reboot instead of shutdown - suspend framebuffers during suspend to RAM, might help with some of those NOFB entries. - build with splashy support - enable dynamic linking for the resume binary - suspend-disable-bootsplash.diff: Enable splashy in favour of broken bootsplash support. Patch will get removed once upstream gets the changes - update to current CVS: - lots of whitelist updates (novell bugs 290734 and 290618) - return an error on "--identify" if the machine is unknown or "unsure". - default keyfile patch included upstream - removed "use console 63" patch, makes debugging harder and will be unnecessary once the splash-support is included - update to current CVS: - whitelist updates - refactoring of arch-specific code - reworked help-texts - default to using compression for s2disk - default RSA key file to /etc/suspend.key - update to current CVS: - whitelist updates - documentation updates - update to vbetool-1.0 codebase: - move to external libx86 - Makefile cleanup - various "platform mode" fixes for s2disk/resume - error path fixes in s2disk - better error messages - add libx86-devel to BuildRequires: - remove obsolete openSUSE-Factory-README.txt - update to current CVS, only whitelist updates - update to current CVS, which has: - lots of whitelist updates - Makefile reworked - loglevel mangling during boot fixed correctly - unblank the console after resume from disk - more space-efficient storage of encryption details in image - various other small fixes - update to current CVS, which has: - all new s2ram option pci_save for machines that need PCI state saving of the graphics card - lots of whitelist updates - documentation update - some fixes for encrypted suspend on 64bit machines - fix "press del to abort image saving" with splash usage - fix swap-offset on large swapfiles - whitelist update: Dell D410 (bug #220865) - change version from 0.5 to 0.50 to avoid update problems - whitelist update: * HP Compaq nc6120 (bug 159688) * MAXDATA IMPERIO4045A * fix ThinkPad X41 Tablet entry (bug #220865) - update to released version 0.50: - incorporates all our fixes - whitelist updates - add "swap-offset" tool for using swapfiles to suspend (not supported yet by the kernel and our initrd) - fix blocker bug 219629, resume never resumed. - update to current CVS: - ability to abort writing the image to disk - do not touch on-disk inode of snapshot device after freezing - whitelist updates - add command line option handling to s2disk/s2both - do not mess up the loglevel on resume (bug 218284) - always use console 63 for suspend messages - cleanup error path on failed suspend - update to current CVS: - fix suspend to swap partitions > 2GB - add support for swap files (needs newer kernel) - whitelist update - package version number restructured to make future updates to upcoming releases smoother - link also against libz when linking against libpci - update to current CVS: - fix platform mode - s2ram whitelist updates - use "maximum speed" options for liblzf - enable image-encryption. - update to current CVS which does: - implement code for using ACPI methods to suspend ("platform mode") - timing for suspend and resume - whitelist updates - config file options are completely commented out now. - update to current CVS which does: - bootsplash fixes, alternative implementation (not used) - Makefile reworked - whitelist updated - updated documentation for openSUSE factory - update documentation for userspace swsusp for openSUSE factory - update to current CVS which does: - documentation updates (how to use userspace swsusp on SuSE) - incorporate suspend-fs.h-include-fix.diff - whitelist updates - fix build (compression was not enabled) - update to current CVS which does: - documentation updates - incorporate the vbetool 64bit fix - whitelist updates - fix build with newer glibc - fix segfaults in vbetool code on 64bit machines. - update to current CVS which does (among others): - various whitelist updates - upgrade vbetool code to vbetool-0.6 (should be a no-op) - add "--vbe_mode" option to support more machines - build the tools for userspace-suspend (s2disk, s2both, resume). This needs a custom kernel and only unencrypted suspend is compiled in due to license issues. - fix image size calculation for the case of uncompressible data - whitelist update for s2ram (CVS as of today) (bnc#398858) - add a fix from Rafael J Wysocki for a resume failure when using encryption. See: http://article.gmane.org/gmane.linux.kernel.suspend.devel/5393 - add fixes from CVS for a possible endless loop in the new memory allocator code and a bug in the image saving code - update to current CVS: - whitelist update - make resume_pause work correctly (ENTER to continue...) - more verbose logging to stderr -> pm-utils logfile - remove bogus "readdir(): Inappropriate ioctl for device" message - make vbetool more verbose when retrying and sleep between retries - add openSUSE 11.0 whitelist quirks for kernel 2.6.25 (bnc#387956) - update to current CVS: - new memory allocator code - faster and cleaner - various small code cleanups - whitelist update - update to current CVS: - the save-compressed-images-faster patch is upstream - whitelist update for s2ram, fixing various novell bugzillas - update to current CVS: - use the new ioctls present in kernel 2.6.25 - whitelist update - refreshed some of the patches - added suspend-0.80-vbetool-retry-on-errors.diff to workaround temporary vbetool failures - added suspend-0.80.080506-save-compressed-images-faster.diff which greatly improves the speed of compressed s2disk - update to current CVS: - huge whitelist update for s2ram - libgcc_s fix is upstream - minor cleanups in the build system - specfile more buildservice-friendly - add patch suspend-build-with-gcc_s.diff: - this makes splashy actually work again - update to current CVS (only s2ram whitelist updates) - whitelist update for s2ram - mention http://en.opensuse.org/S2ram instead of sf.net page in help messages - more detailed instructions on bugreporting (from upstream cvs) - update to suspend-0.80 - buildsystem conversion to autoconf - huge whitelist update for s2ram - ppc support - Changes needed because of splashy update: - add suspend-0.69.9-glib.diff - add pkgconfig and glib2-devel to BuildRequires - remove SUSE 10.1 specific documentation for newer distros - fix wrong condition in %post (still b.n.c #326234) - fix update case (mkinitrd returning an error, b.n.c #326234) - updated the s2ram whitelist: - suspend-s2ram-LenovoX60Tablet.diff (b.n.c #265613) - suspend-s2ram-DellXPSM1330.diff (b.n.c #325757) - added patches to update the s2ram whitelist: - suspend-s2ram-HPnc6320.diff (b.n.c #310179) - suspend-s2ram-LenovoX61Tablet.diff (b.n.c #310198) - suspend-s2ram-several_SonyVaio.diff (b.n.c #310223) - updated to current CVS (0.7rc, will be 0.7 soon) - code cleanups for better maintainability - various whitelist updates for s2ram - use system-wide lzo library instead of private copy of liblzf - Makefile fix merged - in case the user aborted suspend to disk, return zero to avoid a nasty popup from kpowersave - speedup image writing by starting writeout earlier - add suspend-input.diff: Read keyboard events from /dev/input/event*. DirectFB implementation uses threads which are frozen during image writing (novell bug 293826) - suspend-default-splash.diff: default to using splash for s2disk - update to current cvs: - whitelist updates - fix acpi_video_mode setting, was not effective before - correct the Aspire 1690 whitelist entry (novell bug 293662) - fix build with old "make" (SLED10) - update to current cvs: - whitelist updates - some small changes in button handling during suspend to disk, press "r" for reboot instead of shutdown - suspend framebuffers during suspend to RAM, might help with some of those NOFB entries. - build with splashy support - enable dynamic linking for the resume binary - suspend-disable-bootsplash.diff: Enable splashy in favour of broken bootsplash support. Patch will get removed once upstream gets the changes - update to current CVS: - lots of whitelist updates (novell bugs 290734 and 290618) - return an error on "--identify" if the machine is unknown or "unsure". - default keyfile patch included upstream - removed "use console 63" patch, makes debugging harder and will be unnecessary once the splash-support is included - update to current CVS: - whitelist updates - refactoring of arch-specific code - reworked help-texts - default to using compression for s2disk - default RSA key file to /etc/suspend.key - update to current CVS: - whitelist updates - documentation updates - update to vbetool-1.0 codebase: - move to external libx86 - Makefile cleanup - various "platform mode" fixes for s2disk/resume - error path fixes in s2disk - better error messages - add libx86-devel to BuildRequires: - remove obsolete openSUSE-Factory-README.txt - update to current CVS, only whitelist updates - update to current CVS, which has: - lots of whitelist updates - Makefile reworked - loglevel mangling during boot fixed correctly - unblank the console after resume from disk - more space-efficient storage of encryption details in image - various other small fixes - update to current CVS, which has: - all new s2ram option pci_save for machines that need PCI state saving of the graphics card - lots of whitelist updates - documentation update - some fixes for encrypted suspend on 64bit machines - fix "press del to abort image saving" with splash usage - fix swap-offset on large swapfiles - whitelist update: Dell D410 (bug #220865) - change version from 0.5 to 0.50 to avoid update problems - whitelist update: * HP Compaq nc6120 (bug 159688) * MAXDATA IMPERIO4045A * fix ThinkPad X41 Tablet entry (bug #220865) - update to released version 0.50: - incorporates all our fixes - whitelist updates - add "swap-offset" tool for using swapfiles to suspend (not supported yet by the kernel and our initrd) - fix blocker bug 219629, resume never resumed. - update to current CVS: - ability to abort writing the image to disk - do not touch on-disk inode of snapshot device after freezing - whitelist updates - add command line option handling to s2disk/s2both - do not mess up the loglevel on resume (bug 218284) - always use console 63 for suspend messages - cleanup error path on failed suspend - update to current CVS: - fix suspend to swap partitions > 2GB - add support for swap files (needs newer kernel) - whitelist update - package version number restructured to make future updates to upcoming releases smoother - link also against libz when linking against libpci - update to current CVS: - fix platform mode - s2ram whitelist updates - use "maximum speed" options for liblzf - enable image-encryption. - update to current CVS which does: - implement code for using ACPI methods to suspend ("platform mode") - timing for suspend and resume - whitelist updates - config file options are completely commented out now. - update to current CVS which does: - bootsplash fixes, alternative implementation (not used) - Makefile reworked - whitelist updated - updated documentation for openSUSE factory - update documentation for userspace swsusp for openSUSE factory - update to current CVS which does: - documentation updates (how to use userspace swsusp on SuSE) - incorporate suspend-fs.h-include-fix.diff - whitelist updates - fix build (compression was not enabled) - update to current CVS which does: - documentation updates - incorporate the vbetool 64bit fix - whitelist updates - fix build with newer glibc - fix segfaults in vbetool code on 64bit machines. - update to current CVS which does (among others): - various whitelist updates - upgrade vbetool code to vbetool-0.6 (should be a no-op) - add "--vbe_mode" option to support more machines - build the tools for userspace-suspend (s2disk, s2both, resume). This needs a custom kernel and only unencrypted suspend is compiled in due to license issues. - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - add patch to fix windows disappearing after activating composite effects (bnc#390675) - add patch to fix kwin per-window shortcuts (bnc#381356) - fix crash killing kwin_kill_helper (kde#156998) - minimal Solid NetworkManager 0.7 backend fixes network status is always unknown (bnc#397072) - don't deinstall KDE3 due to kdebase3-ksysguard conflict - fix panel sizing issue - call kde4-migrate if present (bnc#372170) - backport unmounting in device notifier (bnc#391223) - fix "switch user" doesn't work always (bnc#392269) - fix logout from "Classic Menu Style" lacks power off/restart/ standby/suspend options (bnc#391765) - copy suspend parts from ksmserver logout dialog (bnc#390147) - make drop of local files to Plasma desktop copy to ~/Desktop - add option how to render desktop icon labels (bnc#382747) - fix "save session" menu item missing in kmenu (bnc#383757) - add sysinfo:/ entry to start menu in "Computer" tab as on KDE3 - make krunner search prefer KDE4 applications (bnc#381849) - hidden option to disable desktop toolbox (bnc#393211) - make ksmserver shutdown dialog use Plasma text color (bnc#391828) - fix opening within Firefox and Mozilla from Klipper (bnc#384203) - rename Oxygen window decoration to Ozone - support for KDE3 hotplug actions (bnc#378338) - fixed rotate-wacom-pointers.diff to work with current xsetwacom (bnc#391440) - add ported rotate-wacom-pointers.diff (bnc#385149) - correct ksysguardd package name and require it - kdm4: terminate local x servers by default (bnc#381672) - kdm4: make delayed popup work again (bnc#381197) - use the server cmd from sysconfig - fix possible ksmserver<->knotify deadlock during KDE startup - fix crash preventing setting of time/date (bnc#386429) - set a preloader by default - fix kdm4 requiring root for shutdown - add Kontact/KDE4 instead of Kontact/KDE3 to Kickoff (bnc#386374) - fix potential Plasma crash after deleting plasmoids (bnc#386462) - Administrator mode for date/time module, to make it usable - update to 4.0.4 * http://kde.org/announcements/changelog_4_0_3to4_0_4.php - fix fileconflicts by introducing an upstream-branding package for kde4-kdm - Fix stacking problems in KWin (bnc#378773) - Add missing ICE check for ksmserver (bnc#384774) - fix focus issues in kde4-kdm (bnc#381501) - update Plasma diff from openSUSE Plasma branch: several bugfixes including bnc#381704, bnc#379082, bnc#382510, bnc#377728, bnc#382169, bnc#381191, bnc#382497 - use radiobuttons for sessions menu (bnc#382138) - fix unknown icon on suspend (#bnc381194) - ksplashx changes needed for 11.0 splashscreen (bnc:#375581) - update 4_0_BRANCH.diff * memleak fixes in kwin and ksplashsimple - remove self conflict (bnc#379338) - fix file conflicts - improve logout, shutdown, restart confirmation and add countdown - draw rounded background behind system tray windows - don't align on every added file but only first run (bnc#379463) - add kgreeter_generic from 4.1 branch (fate#301954) - fix wallpaper not immediately updating (bnc#378771) - update Plasma diff from openSUSE Plasma branch: * draw desktop icons old style * remove useless desktop rubber band * add "(Un)Lock Widgets" and "Show Desktop" to and remove "Zoom Out" from desktop toolbox * fix not disappearing plasmoid handles (bnc#369994) * fix moving of rotated plasmoids (bnc#377108) * taskmanager: "Show only tasks from the current screen" option * digital-clock: add date tooltip, add "Show Seconds" option * pager: add window icons support * kickoff: backported KDE trunk appearance - branding changes, split off kdebase4-workspace-branding-upstream - GUI for selecting the WM (bnc#332079) - fix devel splitting for kwin headers - fix config installation dir - use Plasma diff created against branches/work/plasma-4.0-openSUSE which consolidates ported local patches, backported upstream and yet upstream uncommited features. This introduces: * moving of plasmoids on panels * adding and removing of panels * switching of start menu style * list newly installed applications within Kickoff * allow removing of uninstancable applets from a panel * Plasma theme selector, color change and tint support - update to 4.0.3 - oxygen windecoration configurable colors (kde#152030) - 4_0_BRANCH.diff update, including * full screen handling fixes * repaint bugs with alien windows - fix kdm autologin and theming (bnc#365885) - fix plasma crashes on startup (bnc#364977) - update to 4.0.2 - update branch diff after Plasma backport week-end - backport kickoff/simpleapplet view selection feature - remove sessions already in other packages - let kdm require workspace for the greeter plugins - build with PAM support (bnc#353531) - moved showdesktop & trash plasmoids to kdebase4-workspace-plamoids - fix file conflicts - update to final 4.0.1 tarball - fix user session switching - add location option to panel configuration dialog - remove kinfocenter handbook - update to 4.0.1 release - backport of panel size configuration dialog - backport of display configuration for traditional launcher menu - start Kickoff application browser always at top-level - add "install all public kwin headers" patch - fix app menu starting and system tray icons regressions - add application menu shortening feature and fix alphabetical sort - update KDE_4_0_BRANCH.diff (incl. taskbar attention flash) - don't migrate ~/Desktop icons to Dashboard which will not work - migrate Trash.desktop to Trash plasmoid (added it for that) - open Dashboard toolbox when Dashboard view is activated - set GTK2_RC_FILES for better style of GTK applications - fix locking of session (#355155) - update KDE_4_0_BRANCH.diff - more SUSE-like default panel setup (size, icons, plasmoids): * adds showdesktop plasmoid - backport taskbar plasmoid features: * use more than one row if there are many windows * option to show only the windows on current desktop - fix build - update to 4.0 release - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - fix build - fix filelist - update to 3.96.3 - update to 3.96.2 - reenable OpenGL support - update to 3.96.0 - updaste to 3.95.1 - update to 3.95.0 - update to 3.93.0.svn720097 - update to 3.93.0.svn717339 - update to 3.93.0.svn712052 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703920 - update to 3.92.0.svn700775 - fix more file conflicts - update to 3.92.0.svn697325 - fix file conflicts - update to KDE 4.0 Beta 1 - don't show System Settings on non-KDE/KDE3 desktop - use the non generic lib version for libkonq - update to 3.91.0.svn672298 - update to 3.90.1.svn679137 - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - run %fdupes - fix prefix of two bins - Buildrequires libusb -> libusb-devel - show .desktop files of kdebase4-runtime only in a KDE session - libkdeinit -> libkdeinit4 - fix package file conflicts - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - add patch to fix windows disappearing after activating composite effects (bnc#390675) - add patch to fix kwin per-window shortcuts (bnc#381356) - fix crash killing kwin_kill_helper (kde#156998) - minimal Solid NetworkManager 0.7 backend fixes network status is always unknown (bnc#397072) - don't deinstall KDE3 due to kdebase3-ksysguard conflict - fix panel sizing issue - call kde4-migrate if present (bnc#372170) - backport unmounting in device notifier (bnc#391223) - fix "switch user" doesn't work always (bnc#392269) - fix logout from "Classic Menu Style" lacks power off/restart/ standby/suspend options (bnc#391765) - copy suspend parts from ksmserver logout dialog (bnc#390147) - make drop of local files to Plasma desktop copy to ~/Desktop - add option how to render desktop icon labels (bnc#382747) - fix "save session" menu item missing in kmenu (bnc#383757) - add sysinfo:/ entry to start menu in "Computer" tab as on KDE3 - make krunner search prefer KDE4 applications (bnc#381849) - hidden option to disable desktop toolbox (bnc#393211) - make ksmserver shutdown dialog use Plasma text color (bnc#391828) - fix opening within Firefox and Mozilla from Klipper (bnc#384203) - rename Oxygen window decoration to Ozone - support for KDE3 hotplug actions (bnc#378338) - fixed rotate-wacom-pointers.diff to work with current xsetwacom (bnc#391440) - add ported rotate-wacom-pointers.diff (bnc#385149) - correct ksysguardd package name and require it - kdm4: terminate local x servers by default (bnc#381672) - kdm4: make delayed popup work again (bnc#381197) - use the server cmd from sysconfig - fix possible ksmserver<->knotify deadlock during KDE startup - fix crash preventing setting of time/date (bnc#386429) - set a preloader by default - fix kdm4 requiring root for shutdown - add Kontact/KDE4 instead of Kontact/KDE3 to Kickoff (bnc#386374) - fix potential Plasma crash after deleting plasmoids (bnc#386462) - Administrator mode for date/time module, to make it usable - update to 4.0.4 * http://kde.org/announcements/changelog_4_0_3to4_0_4.php - fix fileconflicts by introducing an upstream-branding package for kde4-kdm - Fix stacking problems in KWin (bnc#378773) - Add missing ICE check for ksmserver (bnc#384774) - fix focus issues in kde4-kdm (bnc#381501) - update Plasma diff from openSUSE Plasma branch: several bugfixes including bnc#381704, bnc#379082, bnc#382510, bnc#377728, bnc#382169, bnc#381191, bnc#382497 - use radiobuttons for sessions menu (bnc#382138) - fix unknown icon on suspend (#bnc381194) - ksplashx changes needed for 11.0 splashscreen (bnc:#375581) - update 4_0_BRANCH.diff * memleak fixes in kwin and ksplashsimple - remove self conflict (bnc#379338) - fix file conflicts - improve logout, shutdown, restart confirmation and add countdown - draw rounded background behind system tray windows - don't align on every added file but only first run (bnc#379463) - add kgreeter_generic from 4.1 branch (fate#301954) - fix wallpaper not immediately updating (bnc#378771) - update Plasma diff from openSUSE Plasma branch: * draw desktop icons old style * remove useless desktop rubber band * add "(Un)Lock Widgets" and "Show Desktop" to and remove "Zoom Out" from desktop toolbox * fix not disappearing plasmoid handles (bnc#369994) * fix moving of rotated plasmoids (bnc#377108) * taskmanager: "Show only tasks from the current screen" option * digital-clock: add date tooltip, add "Show Seconds" option * pager: add window icons support * kickoff: backported KDE trunk appearance - branding changes, split off kdebase4-workspace-branding-upstream - GUI for selecting the WM (bnc#332079) - fix devel splitting for kwin headers - fix config installation dir - use Plasma diff created against branches/work/plasma-4.0-openSUSE which consolidates ported local patches, backported upstream and yet upstream uncommited features. This introduces: * moving of plasmoids on panels * adding and removing of panels * switching of start menu style * list newly installed applications within Kickoff * allow removing of uninstancable applets from a panel * Plasma theme selector, color change and tint support - update to 4.0.3 - oxygen windecoration configurable colors (kde#152030) - 4_0_BRANCH.diff update, including * full screen handling fixes * repaint bugs with alien windows - fix kdm autologin and theming (bnc#365885) - fix plasma crashes on startup (bnc#364977) - update to 4.0.2 - update branch diff after Plasma backport week-end - backport kickoff/simpleapplet view selection feature - remove sessions already in other packages - let kdm require workspace for the greeter plugins - build with PAM support (bnc#353531) - moved showdesktop & trash plasmoids to kdebase4-workspace-plamoids - fix file conflicts - update to final 4.0.1 tarball - fix user session switching - add location option to panel configuration dialog - remove kinfocenter handbook - update to 4.0.1 release - backport of panel size configuration dialog - backport of display configuration for traditional launcher menu - start Kickoff application browser always at top-level - add "install all public kwin headers" patch - fix app menu starting and system tray icons regressions - add application menu shortening feature and fix alphabetical sort - update KDE_4_0_BRANCH.diff (incl. taskbar attention flash) - don't migrate ~/Desktop icons to Dashboard which will not work - migrate Trash.desktop to Trash plasmoid (added it for that) - open Dashboard toolbox when Dashboard view is activated - set GTK2_RC_FILES for better style of GTK applications - fix locking of session (#355155) - update KDE_4_0_BRANCH.diff - more SUSE-like default panel setup (size, icons, plasmoids): * adds showdesktop plasmoid - backport taskbar plasmoid features: * use more than one row if there are many windows * option to show only the windows on current desktop - fix build - update to 4.0 release - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - fix build - fix filelist - update to 3.96.3 - update to 3.96.2 - reenable OpenGL support - update to 3.96.0 - updaste to 3.95.1 - update to 3.95.0 - update to 3.93.0.svn720097 - update to 3.93.0.svn717339 - update to 3.93.0.svn712052 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703920 - update to 3.92.0.svn700775 - fix more file conflicts - update to 3.92.0.svn697325 - fix file conflicts - update to KDE 4.0 Beta 1 - don't show System Settings on non-KDE/KDE3 desktop - use the non generic lib version for libkonq - update to 3.91.0.svn672298 - update to 3.90.1.svn679137 - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - run %fdupes - fix prefix of two bins - Buildrequires libusb -> libusb-devel - show .desktop files of kdebase4-runtime only in a KDE session - libkdeinit -> libkdeinit4 - fix package file conflicts - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - add patch to fix windows disappearing after activating composite effects (bnc#390675) - add patch to fix kwin per-window shortcuts (bnc#381356) - fix crash killing kwin_kill_helper (kde#156998) - minimal Solid NetworkManager 0.7 backend fixes network status is always unknown (bnc#397072) - don't deinstall KDE3 due to kdebase3-ksysguard conflict - fix panel sizing issue - call kde4-migrate if present (bnc#372170) - backport unmounting in device notifier (bnc#391223) - fix "switch user" doesn't work always (bnc#392269) - fix logout from "Classic Menu Style" lacks power off/restart/ standby/suspend options (bnc#391765) - copy suspend parts from ksmserver logout dialog (bnc#390147) - make drop of local files to Plasma desktop copy to ~/Desktop - add option how to render desktop icon labels (bnc#382747) - fix "save session" menu item missing in kmenu (bnc#383757) - add sysinfo:/ entry to start menu in "Computer" tab as on KDE3 - make krunner search prefer KDE4 applications (bnc#381849) - hidden option to disable desktop toolbox (bnc#393211) - make ksmserver shutdown dialog use Plasma text color (bnc#391828) - fix opening within Firefox and Mozilla from Klipper (bnc#384203) - rename Oxygen window decoration to Ozone - support for KDE3 hotplug actions (bnc#378338) - fixed rotate-wacom-pointers.diff to work with current xsetwacom (bnc#391440) - add ported rotate-wacom-pointers.diff (bnc#385149) - correct ksysguardd package name and require it - kdm4: terminate local x servers by default (bnc#381672) - kdm4: make delayed popup work again (bnc#381197) - use the server cmd from sysconfig - fix possible ksmserver<->knotify deadlock during KDE startup - fix crash preventing setting of time/date (bnc#386429) - set a preloader by default - fix kdm4 requiring root for shutdown - add Kontact/KDE4 instead of Kontact/KDE3 to Kickoff (bnc#386374) - fix potential Plasma crash after deleting plasmoids (bnc#386462) - Administrator mode for date/time module, to make it usable - update to 4.0.4 * http://kde.org/announcements/changelog_4_0_3to4_0_4.php - fix fileconflicts by introducing an upstream-branding package for kde4-kdm - Fix stacking problems in KWin (bnc#378773) - Add missing ICE check for ksmserver (bnc#384774) - fix focus issues in kde4-kdm (bnc#381501) - update Plasma diff from openSUSE Plasma branch: several bugfixes including bnc#381704, bnc#379082, bnc#382510, bnc#377728, bnc#382169, bnc#381191, bnc#382497 - use radiobuttons for sessions menu (bnc#382138) - fix unknown icon on suspend (#bnc381194) - ksplashx changes needed for 11.0 splashscreen (bnc:#375581) - update 4_0_BRANCH.diff * memleak fixes in kwin and ksplashsimple - remove self conflict (bnc#379338) - fix file conflicts - improve logout, shutdown, restart confirmation and add countdown - draw rounded background behind system tray windows - don't align on every added file but only first run (bnc#379463) - add kgreeter_generic from 4.1 branch (fate#301954) - fix wallpaper not immediately updating (bnc#378771) - update Plasma diff from openSUSE Plasma branch: * draw desktop icons old style * remove useless desktop rubber band * add "(Un)Lock Widgets" and "Show Desktop" to and remove "Zoom Out" from desktop toolbox * fix not disappearing plasmoid handles (bnc#369994) * fix moving of rotated plasmoids (bnc#377108) * taskmanager: "Show only tasks from the current screen" option * digital-clock: add date tooltip, add "Show Seconds" option * pager: add window icons support * kickoff: backported KDE trunk appearance - branding changes, split off kdebase4-workspace-branding-upstream - GUI for selecting the WM (bnc#332079) - fix devel splitting for kwin headers - fix config installation dir - use Plasma diff created against branches/work/plasma-4.0-openSUSE which consolidates ported local patches, backported upstream and yet upstream uncommited features. This introduces: * moving of plasmoids on panels * adding and removing of panels * switching of start menu style * list newly installed applications within Kickoff * allow removing of uninstancable applets from a panel * Plasma theme selector, color change and tint support - update to 4.0.3 - oxygen windecoration configurable colors (kde#152030) - 4_0_BRANCH.diff update, including * full screen handling fixes * repaint bugs with alien windows - fix kdm autologin and theming (bnc#365885) - fix plasma crashes on startup (bnc#364977) - update to 4.0.2 - update branch diff after Plasma backport week-end - backport kickoff/simpleapplet view selection feature - remove sessions already in other packages - let kdm require workspace for the greeter plugins - build with PAM support (bnc#353531) - moved showdesktop & trash plasmoids to kdebase4-workspace-plamoids - fix file conflicts - update to final 4.0.1 tarball - fix user session switching - add location option to panel configuration dialog - remove kinfocenter handbook - update to 4.0.1 release - backport of panel size configuration dialog - backport of display configuration for traditional launcher menu - start Kickoff application browser always at top-level - add "install all public kwin headers" patch - fix app menu starting and system tray icons regressions - add application menu shortening feature and fix alphabetical sort - update KDE_4_0_BRANCH.diff (incl. taskbar attention flash) - don't migrate ~/Desktop icons to Dashboard which will not work - migrate Trash.desktop to Trash plasmoid (added it for that) - open Dashboard toolbox when Dashboard view is activated - set GTK2_RC_FILES for better style of GTK applications - fix locking of session (#355155) - update KDE_4_0_BRANCH.diff - more SUSE-like default panel setup (size, icons, plasmoids): * adds showdesktop plasmoid - backport taskbar plasmoid features: * use more than one row if there are many windows * option to show only the windows on current desktop - fix build - update to 4.0 release - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - fix build - fix filelist - update to 3.96.3 - update to 3.96.2 - reenable OpenGL support - update to 3.96.0 - updaste to 3.95.1 - update to 3.95.0 - update to 3.93.0.svn720097 - update to 3.93.0.svn717339 - update to 3.93.0.svn712052 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703920 - update to 3.92.0.svn700775 - fix more file conflicts - update to 3.92.0.svn697325 - fix file conflicts - update to KDE 4.0 Beta 1 - don't show System Settings on non-KDE/KDE3 desktop - use the non generic lib version for libkonq - update to 3.91.0.svn672298 - update to 3.90.1.svn679137 - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - run %fdupes - fix prefix of two bins - Buildrequires libusb -> libusb-devel - show .desktop files of kdebase4-runtime only in a KDE session - libkdeinit -> libkdeinit4 - fix package file conflicts - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - add patch to fix windows disappearing after activating composite effects (bnc#390675) - add patch to fix kwin per-window shortcuts (bnc#381356) - fix crash killing kwin_kill_helper (kde#156998) - minimal Solid NetworkManager 0.7 backend fixes network status is always unknown (bnc#397072) - don't deinstall KDE3 due to kdebase3-ksysguard conflict - fix panel sizing issue - call kde4-migrate if present (bnc#372170) - backport unmounting in device notifier (bnc#391223) - fix "switch user" doesn't work always (bnc#392269) - fix logout from "Classic Menu Style" lacks power off/restart/ standby/suspend options (bnc#391765) - copy suspend parts from ksmserver logout dialog (bnc#390147) - make drop of local files to Plasma desktop copy to ~/Desktop - add option how to render desktop icon labels (bnc#382747) - fix "save session" menu item missing in kmenu (bnc#383757) - add sysinfo:/ entry to start menu in "Computer" tab as on KDE3 - make krunner search prefer KDE4 applications (bnc#381849) - hidden option to disable desktop toolbox (bnc#393211) - make ksmserver shutdown dialog use Plasma text color (bnc#391828) - fix opening within Firefox and Mozilla from Klipper (bnc#384203) - rename Oxygen window decoration to Ozone - support for KDE3 hotplug actions (bnc#378338) - fixed rotate-wacom-pointers.diff to work with current xsetwacom (bnc#391440) - add ported rotate-wacom-pointers.diff (bnc#385149) - correct ksysguardd package name and require it - kdm4: terminate local x servers by default (bnc#381672) - kdm4: make delayed popup work again (bnc#381197) - use the server cmd from sysconfig - fix possible ksmserver<->knotify deadlock during KDE startup - fix crash preventing setting of time/date (bnc#386429) - set a preloader by default - fix kdm4 requiring root for shutdown - add Kontact/KDE4 instead of Kontact/KDE3 to Kickoff (bnc#386374) - fix potential Plasma crash after deleting plasmoids (bnc#386462) - Administrator mode for date/time module, to make it usable - update to 4.0.4 * http://kde.org/announcements/changelog_4_0_3to4_0_4.php - fix fileconflicts by introducing an upstream-branding package for kde4-kdm - Fix stacking problems in KWin (bnc#378773) - Add missing ICE check for ksmserver (bnc#384774) - fix focus issues in kde4-kdm (bnc#381501) - update Plasma diff from openSUSE Plasma branch: several bugfixes including bnc#381704, bnc#379082, bnc#382510, bnc#377728, bnc#382169, bnc#381191, bnc#382497 - use radiobuttons for sessions menu (bnc#382138) - fix unknown icon on suspend (#bnc381194) - ksplashx changes needed for 11.0 splashscreen (bnc:#375581) - update 4_0_BRANCH.diff * memleak fixes in kwin and ksplashsimple - remove self conflict (bnc#379338) - fix file conflicts - improve logout, shutdown, restart confirmation and add countdown - draw rounded background behind system tray windows - don't align on every added file but only first run (bnc#379463) - add kgreeter_generic from 4.1 branch (fate#301954) - fix wallpaper not immediately updating (bnc#378771) - update Plasma diff from openSUSE Plasma branch: * draw desktop icons old style * remove useless desktop rubber band * add "(Un)Lock Widgets" and "Show Desktop" to and remove "Zoom Out" from desktop toolbox * fix not disappearing plasmoid handles (bnc#369994) * fix moving of rotated plasmoids (bnc#377108) * taskmanager: "Show only tasks from the current screen" option * digital-clock: add date tooltip, add "Show Seconds" option * pager: add window icons support * kickoff: backported KDE trunk appearance - branding changes, split off kdebase4-workspace-branding-upstream - GUI for selecting the WM (bnc#332079) - fix devel splitting for kwin headers - fix config installation dir - use Plasma diff created against branches/work/plasma-4.0-openSUSE which consolidates ported local patches, backported upstream and yet upstream uncommited features. This introduces: * moving of plasmoids on panels * adding and removing of panels * switching of start menu style * list newly installed applications within Kickoff * allow removing of uninstancable applets from a panel * Plasma theme selector, color change and tint support - update to 4.0.3 - oxygen windecoration configurable colors (kde#152030) - 4_0_BRANCH.diff update, including * full screen handling fixes * repaint bugs with alien windows - fix kdm autologin and theming (bnc#365885) - fix plasma crashes on startup (bnc#364977) - update to 4.0.2 - update branch diff after Plasma backport week-end - backport kickoff/simpleapplet view selection feature - remove sessions already in other packages - let kdm require workspace for the greeter plugins - build with PAM support (bnc#353531) - moved showdesktop & trash plasmoids to kdebase4-workspace-plamoids - fix file conflicts - update to final 4.0.1 tarball - fix user session switching - add location option to panel configuration dialog - remove kinfocenter handbook - update to 4.0.1 release - backport of panel size configuration dialog - backport of display configuration for traditional launcher menu - start Kickoff application browser always at top-level - add "install all public kwin headers" patch - fix app menu starting and system tray icons regressions - add application menu shortening feature and fix alphabetical sort - update KDE_4_0_BRANCH.diff (incl. taskbar attention flash) - don't migrate ~/Desktop icons to Dashboard which will not work - migrate Trash.desktop to Trash plasmoid (added it for that) - open Dashboard toolbox when Dashboard view is activated - set GTK2_RC_FILES for better style of GTK applications - fix locking of session (#355155) - update KDE_4_0_BRANCH.diff - more SUSE-like default panel setup (size, icons, plasmoids): * adds showdesktop plasmoid - backport taskbar plasmoid features: * use more than one row if there are many windows * option to show only the windows on current desktop - fix build - update to 4.0 release - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - fix build - fix filelist - update to 3.96.3 - update to 3.96.2 - reenable OpenGL support - update to 3.96.0 - updaste to 3.95.1 - update to 3.95.0 - update to 3.93.0.svn720097 - update to 3.93.0.svn717339 - update to 3.93.0.svn712052 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703920 - update to 3.92.0.svn700775 - fix more file conflicts - update to 3.92.0.svn697325 - fix file conflicts - update to KDE 4.0 Beta 1 - don't show System Settings on non-KDE/KDE3 desktop - use the non generic lib version for libkonq - update to 3.91.0.svn672298 - update to 3.90.1.svn679137 - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - run %fdupes - fix prefix of two bins - Buildrequires libusb -> libusb-devel - show .desktop files of kdebase4-runtime only in a KDE session - libkdeinit -> libkdeinit4 - fix package file conflicts - initial package in abuild - add patch to fix windows disappearing after activating composite effects (bnc#390675) - add patch to fix kwin per-window shortcuts (bnc#381356) - fix crash killing kwin_kill_helper (kde#156998) - minimal Solid NetworkManager 0.7 backend fixes network status is always unknown (bnc#397072) - don't deinstall KDE3 due to kdebase3-ksysguard conflict - fix panel sizing issue - call kde4-migrate if present (bnc#372170) - backport unmounting in device notifier (bnc#391223) - fix "switch user" doesn't work always (bnc#392269) - fix logout from "Classic Menu Style" lacks power off/restart/ standby/suspend options (bnc#391765) - copy suspend parts from ksmserver logout dialog (bnc#390147) - make drop of local files to Plasma desktop copy to ~/Desktop - add option how to render desktop icon labels (bnc#382747) - fix "save session" menu item missing in kmenu (bnc#383757) - add sysinfo:/ entry to start menu in "Computer" tab as on KDE3 - make krunner search prefer KDE4 applications (bnc#381849) - hidden option to disable desktop toolbox (bnc#393211) - make ksmserver shutdown dialog use Plasma text color (bnc#391828) - fix opening within Firefox and Mozilla from Klipper (bnc#384203) - rename Oxygen window decoration to Ozone - support for KDE3 hotplug actions (bnc#378338) - fixed rotate-wacom-pointers.diff to work with current xsetwacom (bnc#391440) - add ported rotate-wacom-pointers.diff (bnc#385149) - correct ksysguardd package name and require it - kdm4: terminate local x servers by default (bnc#381672) - kdm4: make delayed popup work again (bnc#381197) - use the server cmd from sysconfig - fix possible ksmserver<->knotify deadlock during KDE startup - fix crash preventing setting of time/date (bnc#386429) - set a preloader by default - fix kdm4 requiring root for shutdown - add Kontact/KDE4 instead of Kontact/KDE3 to Kickoff (bnc#386374) - fix potential Plasma crash after deleting plasmoids (bnc#386462) - Administrator mode for date/time module, to make it usable - update to 4.0.4 * http://kde.org/announcements/changelog_4_0_3to4_0_4.php - fix fileconflicts by introducing an upstream-branding package for kde4-kdm - Fix stacking problems in KWin (bnc#378773) - Add missing ICE check for ksmserver (bnc#384774) - fix focus issues in kde4-kdm (bnc#381501) - update Plasma diff from openSUSE Plasma branch: several bugfixes including bnc#381704, bnc#379082, bnc#382510, bnc#377728, bnc#382169, bnc#381191, bnc#382497 - use radiobuttons for sessions menu (bnc#382138) - fix unknown icon on suspend (#bnc381194) - ksplashx changes needed for 11.0 splashscreen (bnc:#375581) - update 4_0_BRANCH.diff * memleak fixes in kwin and ksplashsimple - remove self conflict (bnc#379338) - fix file conflicts - improve logout, shutdown, restart confirmation and add countdown - draw rounded background behind system tray windows - don't align on every added file but only first run (bnc#379463) - add kgreeter_generic from 4.1 branch (fate#301954) - fix wallpaper not immediately updating (bnc#378771) - update Plasma diff from openSUSE Plasma branch: * draw desktop icons old style * remove useless desktop rubber band * add "(Un)Lock Widgets" and "Show Desktop" to and remove "Zoom Out" from desktop toolbox * fix not disappearing plasmoid handles (bnc#369994) * fix moving of rotated plasmoids (bnc#377108) * taskmanager: "Show only tasks from the current screen" option * digital-clock: add date tooltip, add "Show Seconds" option * pager: add window icons support * kickoff: backported KDE trunk appearance - branding changes, split off kdebase4-workspace-branding-upstream - GUI for selecting the WM (bnc#332079) - fix devel splitting for kwin headers - fix config installation dir - use Plasma diff created against branches/work/plasma-4.0-openSUSE which consolidates ported local patches, backported upstream and yet upstream uncommited features. This introduces: * moving of plasmoids on panels * adding and removing of panels * switching of start menu style * list newly installed applications within Kickoff * allow removing of uninstancable applets from a panel * Plasma theme selector, color change and tint support - update to 4.0.3 - oxygen windecoration configurable colors (kde#152030) - 4_0_BRANCH.diff update, including * full screen handling fixes * repaint bugs with alien windows - fix kdm autologin and theming (bnc#365885) - fix plasma crashes on startup (bnc#364977) - update to 4.0.2 - update branch diff after Plasma backport week-end - backport kickoff/simpleapplet view selection feature - remove sessions already in other packages - let kdm require workspace for the greeter plugins - build with PAM support (bnc#353531) - moved showdesktop & trash plasmoids to kdebase4-workspace-plamoids - fix file conflicts - update to final 4.0.1 tarball - fix user session switching - add location option to panel configuration dialog - remove kinfocenter handbook - update to 4.0.1 release - backport of panel size configuration dialog - backport of display configuration for traditional launcher menu - start Kickoff application browser always at top-level - add "install all public kwin headers" patch - fix app menu starting and system tray icons regressions - add application menu shortening feature and fix alphabetical sort - update KDE_4_0_BRANCH.diff (incl. taskbar attention flash) - don't migrate ~/Desktop icons to Dashboard which will not work - migrate Trash.desktop to Trash plasmoid (added it for that) - open Dashboard toolbox when Dashboard view is activated - set GTK2_RC_FILES for better style of GTK applications - fix locking of session (#355155) - update KDE_4_0_BRANCH.diff - more SUSE-like default panel setup (size, icons, plasmoids): * adds showdesktop plasmoid - backport taskbar plasmoid features: * use more than one row if there are many windows * option to show only the windows on current desktop - fix build - update to 4.0 release - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - fix build - fix filelist - update to 3.96.3 - update to 3.96.2 - reenable OpenGL support - update to 3.96.0 - updaste to 3.95.1 - update to 3.95.0 - update to 3.93.0.svn720097 - update to 3.93.0.svn717339 - update to 3.93.0.svn712052 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703920 - update to 3.92.0.svn700775 - fix more file conflicts - update to 3.92.0.svn697325 - fix file conflicts - update to KDE 4.0 Beta 1 - don't show System Settings on non-KDE/KDE3 desktop - use the non generic lib version for libkonq - update to 3.91.0.svn672298 - update to 3.90.1.svn679137 - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - run %fdupes - fix prefix of two bins - Buildrequires libusb -> libusb-devel - show .desktop files of kdebase4-runtime only in a KDE session - libkdeinit -> libkdeinit4 - fix package file conflicts - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - add patch to fix windows disappearing after activating composite effects (bnc#390675) - add patch to fix kwin per-window shortcuts (bnc#381356) - fix crash killing kwin_kill_helper (kde#156998) - minimal Solid NetworkManager 0.7 backend fixes network status is always unknown (bnc#397072) - don't deinstall KDE3 due to kdebase3-ksysguard conflict - fix panel sizing issue - call kde4-migrate if present (bnc#372170) - backport unmounting in device notifier (bnc#391223) - fix "switch user" doesn't work always (bnc#392269) - fix logout from "Classic Menu Style" lacks power off/restart/ standby/suspend options (bnc#391765) - copy suspend parts from ksmserver logout dialog (bnc#390147) - make drop of local files to Plasma desktop copy to ~/Desktop - add option how to render desktop icon labels (bnc#382747) - fix "save session" menu item missing in kmenu (bnc#383757) - add sysinfo:/ entry to start menu in "Computer" tab as on KDE3 - make krunner search prefer KDE4 applications (bnc#381849) - hidden option to disable desktop toolbox (bnc#393211) - make ksmserver shutdown dialog use Plasma text color (bnc#391828) - fix opening within Firefox and Mozilla from Klipper (bnc#384203) - rename Oxygen window decoration to Ozone - support for KDE3 hotplug actions (bnc#378338) - fixed rotate-wacom-pointers.diff to work with current xsetwacom (bnc#391440) - add ported rotate-wacom-pointers.diff (bnc#385149) - correct ksysguardd package name and require it - kdm4: terminate local x servers by default (bnc#381672) - kdm4: make delayed popup work again (bnc#381197) - use the server cmd from sysconfig - fix possible ksmserver<->knotify deadlock during KDE startup - fix crash preventing setting of time/date (bnc#386429) - set a preloader by default - fix kdm4 requiring root for shutdown - add Kontact/KDE4 instead of Kontact/KDE3 to Kickoff (bnc#386374) - fix potential Plasma crash after deleting plasmoids (bnc#386462) - Administrator mode for date/time module, to make it usable - update to 4.0.4 * http://kde.org/announcements/changelog_4_0_3to4_0_4.php - fix fileconflicts by introducing an upstream-branding package for kde4-kdm - Fix stacking problems in KWin (bnc#378773) - Add missing ICE check for ksmserver (bnc#384774) - fix focus issues in kde4-kdm (bnc#381501) - update Plasma diff from openSUSE Plasma branch: several bugfixes including bnc#381704, bnc#379082, bnc#382510, bnc#377728, bnc#382169, bnc#381191, bnc#382497 - use radiobuttons for sessions menu (bnc#382138) - fix unknown icon on suspend (#bnc381194) - ksplashx changes needed for 11.0 splashscreen (bnc:#375581) - update 4_0_BRANCH.diff * memleak fixes in kwin and ksplashsimple - remove self conflict (bnc#379338) - fix file conflicts - improve logout, shutdown, restart confirmation and add countdown - draw rounded background behind system tray windows - don't align on every added file but only first run (bnc#379463) - add kgreeter_generic from 4.1 branch (fate#301954) - fix wallpaper not immediately updating (bnc#378771) - update Plasma diff from openSUSE Plasma branch: * draw desktop icons old style * remove useless desktop rubber band * add "(Un)Lock Widgets" and "Show Desktop" to and remove "Zoom Out" from desktop toolbox * fix not disappearing plasmoid handles (bnc#369994) * fix moving of rotated plasmoids (bnc#377108) * taskmanager: "Show only tasks from the current screen" option * digital-clock: add date tooltip, add "Show Seconds" option * pager: add window icons support * kickoff: backported KDE trunk appearance - branding changes, split off kdebase4-workspace-branding-upstream - GUI for selecting the WM (bnc#332079) - fix devel splitting for kwin headers - fix config installation dir - use Plasma diff created against branches/work/plasma-4.0-openSUSE which consolidates ported local patches, backported upstream and yet upstream uncommited features. This introduces: * moving of plasmoids on panels * adding and removing of panels * switching of start menu style * list newly installed applications within Kickoff * allow removing of uninstancable applets from a panel * Plasma theme selector, color change and tint support - update to 4.0.3 - oxygen windecoration configurable colors (kde#152030) - 4_0_BRANCH.diff update, including * full screen handling fixes * repaint bugs with alien windows - fix kdm autologin and theming (bnc#365885) - fix plasma crashes on startup (bnc#364977) - update to 4.0.2 - update branch diff after Plasma backport week-end - backport kickoff/simpleapplet view selection feature - remove sessions already in other packages - let kdm require workspace for the greeter plugins - build with PAM support (bnc#353531) - moved showdesktop & trash plasmoids to kdebase4-workspace-plamoids - fix file conflicts - update to final 4.0.1 tarball - fix user session switching - add location option to panel configuration dialog - remove kinfocenter handbook - update to 4.0.1 release - backport of panel size configuration dialog - backport of display configuration for traditional launcher menu - start Kickoff application browser always at top-level - add "install all public kwin headers" patch - fix app menu starting and system tray icons regressions - add application menu shortening feature and fix alphabetical sort - update KDE_4_0_BRANCH.diff (incl. taskbar attention flash) - don't migrate ~/Desktop icons to Dashboard which will not work - migrate Trash.desktop to Trash plasmoid (added it for that) - open Dashboard toolbox when Dashboard view is activated - set GTK2_RC_FILES for better style of GTK applications - fix locking of session (#355155) - update KDE_4_0_BRANCH.diff - more SUSE-like default panel setup (size, icons, plasmoids): * adds showdesktop plasmoid - backport taskbar plasmoid features: * use more than one row if there are many windows * option to show only the windows on current desktop - fix build - update to 4.0 release - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - fix build - fix filelist - update to 3.96.3 - update to 3.96.2 - reenable OpenGL support - update to 3.96.0 - updaste to 3.95.1 - update to 3.95.0 - update to 3.93.0.svn720097 - update to 3.93.0.svn717339 - update to 3.93.0.svn712052 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703920 - update to 3.92.0.svn700775 - fix more file conflicts - update to 3.92.0.svn697325 - fix file conflicts - update to KDE 4.0 Beta 1 - don't show System Settings on non-KDE/KDE3 desktop - use the non generic lib version for libkonq - update to 3.91.0.svn672298 - update to 3.90.1.svn679137 - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - run %fdupes - fix prefix of two bins - Buildrequires libusb -> libusb-devel - show .desktop files of kdebase4-runtime only in a KDE session - libkdeinit -> libkdeinit4 - fix package file conflicts - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - add patch to fix windows disappearing after activating composite effects (bnc#390675) - add patch to fix kwin per-window shortcuts (bnc#381356) - fix crash killing kwin_kill_helper (kde#156998) - minimal Solid NetworkManager 0.7 backend fixes network status is always unknown (bnc#397072) - don't deinstall KDE3 due to kdebase3-ksysguard conflict - fix panel sizing issue - call kde4-migrate if present (bnc#372170) - backport unmounting in device notifier (bnc#391223) - fix "switch user" doesn't work always (bnc#392269) - fix logout from "Classic Menu Style" lacks power off/restart/ standby/suspend options (bnc#391765) - copy suspend parts from ksmserver logout dialog (bnc#390147) - make drop of local files to Plasma desktop copy to ~/Desktop - add option how to render desktop icon labels (bnc#382747) - fix "save session" menu item missing in kmenu (bnc#383757) - add sysinfo:/ entry to start menu in "Computer" tab as on KDE3 - make krunner search prefer KDE4 applications (bnc#381849) - hidden option to disable desktop toolbox (bnc#393211) - make ksmserver shutdown dialog use Plasma text color (bnc#391828) - fix opening within Firefox and Mozilla from Klipper (bnc#384203) - rename Oxygen window decoration to Ozone - support for KDE3 hotplug actions (bnc#378338) - fixed rotate-wacom-pointers.diff to work with current xsetwacom (bnc#391440) - add ported rotate-wacom-pointers.diff (bnc#385149) - correct ksysguardd package name and require it - kdm4: terminate local x servers by default (bnc#381672) - kdm4: make delayed popup work again (bnc#381197) - use the server cmd from sysconfig - fix possible ksmserver<->knotify deadlock during KDE startup - fix crash preventing setting of time/date (bnc#386429) - set a preloader by default - fix kdm4 requiring root for shutdown - add Kontact/KDE4 instead of Kontact/KDE3 to Kickoff (bnc#386374) - fix potential Plasma crash after deleting plasmoids (bnc#386462) - Administrator mode for date/time module, to make it usable - update to 4.0.4 * http://kde.org/announcements/changelog_4_0_3to4_0_4.php - fix fileconflicts by introducing an upstream-branding package for kde4-kdm - Fix stacking problems in KWin (bnc#378773) - Add missing ICE check for ksmserver (bnc#384774) - fix focus issues in kde4-kdm (bnc#381501) - update Plasma diff from openSUSE Plasma branch: several bugfixes including bnc#381704, bnc#379082, bnc#382510, bnc#377728, bnc#382169, bnc#381191, bnc#382497 - use radiobuttons for sessions menu (bnc#382138) - fix unknown icon on suspend (#bnc381194) - ksplashx changes needed for 11.0 splashscreen (bnc:#375581) - update 4_0_BRANCH.diff * memleak fixes in kwin and ksplashsimple - remove self conflict (bnc#379338) - fix file conflicts - improve logout, shutdown, restart confirmation and add countdown - draw rounded background behind system tray windows - don't align on every added file but only first run (bnc#379463) - add kgreeter_generic from 4.1 branch (fate#301954) - fix wallpaper not immediately updating (bnc#378771) - update Plasma diff from openSUSE Plasma branch: * draw desktop icons old style * remove useless desktop rubber band * add "(Un)Lock Widgets" and "Show Desktop" to and remove "Zoom Out" from desktop toolbox * fix not disappearing plasmoid handles (bnc#369994) * fix moving of rotated plasmoids (bnc#377108) * taskmanager: "Show only tasks from the current screen" option * digital-clock: add date tooltip, add "Show Seconds" option * pager: add window icons support * kickoff: backported KDE trunk appearance - branding changes, split off kdebase4-workspace-branding-upstream - GUI for selecting the WM (bnc#332079) - fix devel splitting for kwin headers - fix config installation dir - use Plasma diff created against branches/work/plasma-4.0-openSUSE which consolidates ported local patches, backported upstream and yet upstream uncommited features. This introduces: * moving of plasmoids on panels * adding and removing of panels * switching of start menu style * list newly installed applications within Kickoff * allow removing of uninstancable applets from a panel * Plasma theme selector, color change and tint support - update to 4.0.3 - oxygen windecoration configurable colors (kde#152030) - 4_0_BRANCH.diff update, including * full screen handling fixes * repaint bugs with alien windows - fix kdm autologin and theming (bnc#365885) - fix plasma crashes on startup (bnc#364977) - update to 4.0.2 - update branch diff after Plasma backport week-end - backport kickoff/simpleapplet view selection feature - remove sessions already in other packages - let kdm require workspace for the greeter plugins - build with PAM support (bnc#353531) - moved showdesktop & trash plasmoids to kdebase4-workspace-plamoids - fix file conflicts - update to final 4.0.1 tarball - fix user session switching - add location option to panel configuration dialog - remove kinfocenter handbook - update to 4.0.1 release - backport of panel size configuration dialog - backport of display configuration for traditional launcher menu - start Kickoff application browser always at top-level - add "install all public kwin headers" patch - fix app menu starting and system tray icons regressions - add application menu shortening feature and fix alphabetical sort - update KDE_4_0_BRANCH.diff (incl. taskbar attention flash) - don't migrate ~/Desktop icons to Dashboard which will not work - migrate Trash.desktop to Trash plasmoid (added it for that) - open Dashboard toolbox when Dashboard view is activated - set GTK2_RC_FILES for better style of GTK applications - fix locking of session (#355155) - update KDE_4_0_BRANCH.diff - more SUSE-like default panel setup (size, icons, plasmoids): * adds showdesktop plasmoid - backport taskbar plasmoid features: * use more than one row if there are many windows * option to show only the windows on current desktop - fix build - update to 4.0 release - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - fix build - fix filelist - update to 3.96.3 - update to 3.96.2 - reenable OpenGL support - update to 3.96.0 - updaste to 3.95.1 - update to 3.95.0 - update to 3.93.0.svn720097 - update to 3.93.0.svn717339 - update to 3.93.0.svn712052 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703920 - update to 3.92.0.svn700775 - fix more file conflicts - update to 3.92.0.svn697325 - fix file conflicts - update to KDE 4.0 Beta 1 - don't show System Settings on non-KDE/KDE3 desktop - use the non generic lib version for libkonq - update to 3.91.0.svn672298 - update to 3.90.1.svn679137 - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - run %fdupes - fix prefix of two bins - Buildrequires libusb -> libusb-devel - show .desktop files of kdebase4-runtime only in a KDE session - libkdeinit -> libkdeinit4 - fix package file conflicts - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - add patch to fix windows disappearing after activating composite effects (bnc#390675) - add patch to fix kwin per-window shortcuts (bnc#381356) - fix crash killing kwin_kill_helper (kde#156998) - minimal Solid NetworkManager 0.7 backend fixes network status is always unknown (bnc#397072) - don't deinstall KDE3 due to kdebase3-ksysguard conflict - fix panel sizing issue - call kde4-migrate if present (bnc#372170) - backport unmounting in device notifier (bnc#391223) - fix "switch user" doesn't work always (bnc#392269) - fix logout from "Classic Menu Style" lacks power off/restart/ standby/suspend options (bnc#391765) - copy suspend parts from ksmserver logout dialog (bnc#390147) - make drop of local files to Plasma desktop copy to ~/Desktop - add option how to render desktop icon labels (bnc#382747) - fix "save session" menu item missing in kmenu (bnc#383757) - add sysinfo:/ entry to start menu in "Computer" tab as on KDE3 - make krunner search prefer KDE4 applications (bnc#381849) - hidden option to disable desktop toolbox (bnc#393211) - make ksmserver shutdown dialog use Plasma text color (bnc#391828) - fix opening within Firefox and Mozilla from Klipper (bnc#384203) - rename Oxygen window decoration to Ozone - support for KDE3 hotplug actions (bnc#378338) - fixed rotate-wacom-pointers.diff to work with current xsetwacom (bnc#391440) - add ported rotate-wacom-pointers.diff (bnc#385149) - correct ksysguardd package name and require it - kdm4: terminate local x servers by default (bnc#381672) - kdm4: make delayed popup work again (bnc#381197) - use the server cmd from sysconfig - fix possible ksmserver<->knotify deadlock during KDE startup - fix crash preventing setting of time/date (bnc#386429) - set a preloader by default - fix kdm4 requiring root for shutdown - add Kontact/KDE4 instead of Kontact/KDE3 to Kickoff (bnc#386374) - fix potential Plasma crash after deleting plasmoids (bnc#386462) - Administrator mode for date/time module, to make it usable - update to 4.0.4 * http://kde.org/announcements/changelog_4_0_3to4_0_4.php - fix fileconflicts by introducing an upstream-branding package for kde4-kdm - Fix stacking problems in KWin (bnc#378773) - Add missing ICE check for ksmserver (bnc#384774) - fix focus issues in kde4-kdm (bnc#381501) - update Plasma diff from openSUSE Plasma branch: several bugfixes including bnc#381704, bnc#379082, bnc#382510, bnc#377728, bnc#382169, bnc#381191, bnc#382497 - use radiobuttons for sessions menu (bnc#382138) - fix unknown icon on suspend (#bnc381194) - ksplashx changes needed for 11.0 splashscreen (bnc:#375581) - update 4_0_BRANCH.diff * memleak fixes in kwin and ksplashsimple - remove self conflict (bnc#379338) - fix file conflicts - improve logout, shutdown, restart confirmation and add countdown - draw rounded background behind system tray windows - don't align on every added file but only first run (bnc#379463) - add kgreeter_generic from 4.1 branch (fate#301954) - fix wallpaper not immediately updating (bnc#378771) - update Plasma diff from openSUSE Plasma branch: * draw desktop icons old style * remove useless desktop rubber band * add "(Un)Lock Widgets" and "Show Desktop" to and remove "Zoom Out" from desktop toolbox * fix not disappearing plasmoid handles (bnc#369994) * fix moving of rotated plasmoids (bnc#377108) * taskmanager: "Show only tasks from the current screen" option * digital-clock: add date tooltip, add "Show Seconds" option * pager: add window icons support * kickoff: backported KDE trunk appearance - branding changes, split off kdebase4-workspace-branding-upstream - GUI for selecting the WM (bnc#332079) - fix devel splitting for kwin headers - fix config installation dir - use Plasma diff created against branches/work/plasma-4.0-openSUSE which consolidates ported local patches, backported upstream and yet upstream uncommited features. This introduces: * moving of plasmoids on panels * adding and removing of panels * switching of start menu style * list newly installed applications within Kickoff * allow removing of uninstancable applets from a panel * Plasma theme selector, color change and tint support - update to 4.0.3 - oxygen windecoration configurable colors (kde#152030) - 4_0_BRANCH.diff update, including * full screen handling fixes * repaint bugs with alien windows - fix kdm autologin and theming (bnc#365885) - fix plasma crashes on startup (bnc#364977) - update to 4.0.2 - update branch diff after Plasma backport week-end - backport kickoff/simpleapplet view selection feature - remove sessions already in other packages - let kdm require workspace for the greeter plugins - build with PAM support (bnc#353531) - moved showdesktop & trash plasmoids to kdebase4-workspace-plamoids - fix file conflicts - update to final 4.0.1 tarball - fix user session switching - add location option to panel configuration dialog - remove kinfocenter handbook - update to 4.0.1 release - backport of panel size configuration dialog - backport of display configuration for traditional launcher menu - start Kickoff application browser always at top-level - add "install all public kwin headers" patch - fix app menu starting and system tray icons regressions - add application menu shortening feature and fix alphabetical sort - update KDE_4_0_BRANCH.diff (incl. taskbar attention flash) - don't migrate ~/Desktop icons to Dashboard which will not work - migrate Trash.desktop to Trash plasmoid (added it for that) - open Dashboard toolbox when Dashboard view is activated - set GTK2_RC_FILES for better style of GTK applications - fix locking of session (#355155) - update KDE_4_0_BRANCH.diff - more SUSE-like default panel setup (size, icons, plasmoids): * adds showdesktop plasmoid - backport taskbar plasmoid features: * use more than one row if there are many windows * option to show only the windows on current desktop - fix build - update to 4.0 release - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - fix build - fix filelist - update to 3.96.3 - update to 3.96.2 - reenable OpenGL support - update to 3.96.0 - updaste to 3.95.1 - update to 3.95.0 - update to 3.93.0.svn720097 - update to 3.93.0.svn717339 - update to 3.93.0.svn712052 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703920 - update to 3.92.0.svn700775 - fix more file conflicts - update to 3.92.0.svn697325 - fix file conflicts - update to KDE 4.0 Beta 1 - don't show System Settings on non-KDE/KDE3 desktop - use the non generic lib version for libkonq - update to 3.91.0.svn672298 - update to 3.90.1.svn679137 - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - run %fdupes - fix prefix of two bins - Buildrequires libusb -> libusb-devel - show .desktop files of kdebase4-runtime only in a KDE session - libkdeinit -> libkdeinit4 - fix package file conflicts - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - add patch to fix windows disappearing after activating composite effects (bnc#390675) - add patch to fix kwin per-window shortcuts (bnc#381356) - fix crash killing kwin_kill_helper (kde#156998) - minimal Solid NetworkManager 0.7 backend fixes network status is always unknown (bnc#397072) - don't deinstall KDE3 due to kdebase3-ksysguard conflict - fix panel sizing issue - call kde4-migrate if present (bnc#372170) - backport unmounting in device notifier (bnc#391223) - fix "switch user" doesn't work always (bnc#392269) - fix logout from "Classic Menu Style" lacks power off/restart/ standby/suspend options (bnc#391765) - copy suspend parts from ksmserver logout dialog (bnc#390147) - make drop of local files to Plasma desktop copy to ~/Desktop - add option how to render desktop icon labels (bnc#382747) - fix "save session" menu item missing in kmenu (bnc#383757) - add sysinfo:/ entry to start menu in "Computer" tab as on KDE3 - make krunner search prefer KDE4 applications (bnc#381849) - hidden option to disable desktop toolbox (bnc#393211) - make ksmserver shutdown dialog use Plasma text color (bnc#391828) - fix opening within Firefox and Mozilla from Klipper (bnc#384203) - rename Oxygen window decoration to Ozone - support for KDE3 hotplug actions (bnc#378338) - fixed rotate-wacom-pointers.diff to work with current xsetwacom (bnc#391440) - add ported rotate-wacom-pointers.diff (bnc#385149) - correct ksysguardd package name and require it - kdm4: terminate local x servers by default (bnc#381672) - kdm4: make delayed popup work again (bnc#381197) - use the server cmd from sysconfig - fix possible ksmserver<->knotify deadlock during KDE startup - fix crash preventing setting of time/date (bnc#386429) - set a preloader by default - fix kdm4 requiring root for shutdown - add Kontact/KDE4 instead of Kontact/KDE3 to Kickoff (bnc#386374) - fix potential Plasma crash after deleting plasmoids (bnc#386462) - Administrator mode for date/time module, to make it usable - update to 4.0.4 * http://kde.org/announcements/changelog_4_0_3to4_0_4.php - fix fileconflicts by introducing an upstream-branding package for kde4-kdm - Fix stacking problems in KWin (bnc#378773) - Add missing ICE check for ksmserver (bnc#384774) - fix focus issues in kde4-kdm (bnc#381501) - update Plasma diff from openSUSE Plasma branch: several bugfixes including bnc#381704, bnc#379082, bnc#382510, bnc#377728, bnc#382169, bnc#381191, bnc#382497 - use radiobuttons for sessions menu (bnc#382138) - fix unknown icon on suspend (#bnc381194) - ksplashx changes needed for 11.0 splashscreen (bnc:#375581) - update 4_0_BRANCH.diff * memleak fixes in kwin and ksplashsimple - remove self conflict (bnc#379338) - fix file conflicts - improve logout, shutdown, restart confirmation and add countdown - draw rounded background behind system tray windows - don't align on every added file but only first run (bnc#379463) - add kgreeter_generic from 4.1 branch (fate#301954) - fix wallpaper not immediately updating (bnc#378771) - update Plasma diff from openSUSE Plasma branch: * draw desktop icons old style * remove useless desktop rubber band * add "(Un)Lock Widgets" and "Show Desktop" to and remove "Zoom Out" from desktop toolbox * fix not disappearing plasmoid handles (bnc#369994) * fix moving of rotated plasmoids (bnc#377108) * taskmanager: "Show only tasks from the current screen" option * digital-clock: add date tooltip, add "Show Seconds" option * pager: add window icons support * kickoff: backported KDE trunk appearance - branding changes, split off kdebase4-workspace-branding-upstream - GUI for selecting the WM (bnc#332079) - fix devel splitting for kwin headers - fix config installation dir - use Plasma diff created against branches/work/plasma-4.0-openSUSE which consolidates ported local patches, backported upstream and yet upstream uncommited features. This introduces: * moving of plasmoids on panels * adding and removing of panels * switching of start menu style * list newly installed applications within Kickoff * allow removing of uninstancable applets from a panel * Plasma theme selector, color change and tint support - update to 4.0.3 - oxygen windecoration configurable colors (kde#152030) - 4_0_BRANCH.diff update, including * full screen handling fixes * repaint bugs with alien windows - fix kdm autologin and theming (bnc#365885) - fix plasma crashes on startup (bnc#364977) - update to 4.0.2 - update branch diff after Plasma backport week-end - backport kickoff/simpleapplet view selection feature - remove sessions already in other packages - let kdm require workspace for the greeter plugins - build with PAM support (bnc#353531) - moved showdesktop & trash plasmoids to kdebase4-workspace-plamoids - fix file conflicts - update to final 4.0.1 tarball - fix user session switching - add location option to panel configuration dialog - remove kinfocenter handbook - update to 4.0.1 release - backport of panel size configuration dialog - backport of display configuration for traditional launcher menu - start Kickoff application browser always at top-level - add "install all public kwin headers" patch - fix app menu starting and system tray icons regressions - add application menu shortening feature and fix alphabetical sort - update KDE_4_0_BRANCH.diff (incl. taskbar attention flash) - don't migrate ~/Desktop icons to Dashboard which will not work - migrate Trash.desktop to Trash plasmoid (added it for that) - open Dashboard toolbox when Dashboard view is activated - set GTK2_RC_FILES for better style of GTK applications - fix locking of session (#355155) - update KDE_4_0_BRANCH.diff - more SUSE-like default panel setup (size, icons, plasmoids): * adds showdesktop plasmoid - backport taskbar plasmoid features: * use more than one row if there are many windows * option to show only the windows on current desktop - fix build - update to 4.0 release - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - fix build - fix filelist - update to 3.96.3 - update to 3.96.2 - reenable OpenGL support - update to 3.96.0 - updaste to 3.95.1 - update to 3.95.0 - update to 3.93.0.svn720097 - update to 3.93.0.svn717339 - update to 3.93.0.svn712052 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703920 - update to 3.92.0.svn700775 - fix more file conflicts - update to 3.92.0.svn697325 - fix file conflicts - update to KDE 4.0 Beta 1 - don't show System Settings on non-KDE/KDE3 desktop - use the non generic lib version for libkonq - update to 3.91.0.svn672298 - update to 3.90.1.svn679137 - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - run %fdupes - fix prefix of two bins - Buildrequires libusb -> libusb-devel - show .desktop files of kdebase4-runtime only in a KDE session - libkdeinit -> libkdeinit4 - fix package file conflicts - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - add patch to fix windows disappearing after activating composite effects (bnc#390675) - add patch to fix kwin per-window shortcuts (bnc#381356) - fix crash killing kwin_kill_helper (kde#156998) - minimal Solid NetworkManager 0.7 backend fixes network status is always unknown (bnc#397072) - don't deinstall KDE3 due to kdebase3-ksysguard conflict - fix panel sizing issue - call kde4-migrate if present (bnc#372170) - backport unmounting in device notifier (bnc#391223) - fix "switch user" doesn't work always (bnc#392269) - fix logout from "Classic Menu Style" lacks power off/restart/ standby/suspend options (bnc#391765) - copy suspend parts from ksmserver logout dialog (bnc#390147) - make drop of local files to Plasma desktop copy to ~/Desktop - add option how to render desktop icon labels (bnc#382747) - fix "save session" menu item missing in kmenu (bnc#383757) - add sysinfo:/ entry to start menu in "Computer" tab as on KDE3 - make krunner search prefer KDE4 applications (bnc#381849) - hidden option to disable desktop toolbox (bnc#393211) - make ksmserver shutdown dialog use Plasma text color (bnc#391828) - fix opening within Firefox and Mozilla from Klipper (bnc#384203) - rename Oxygen window decoration to Ozone - support for KDE3 hotplug actions (bnc#378338) - fixed rotate-wacom-pointers.diff to work with current xsetwacom (bnc#391440) - add ported rotate-wacom-pointers.diff (bnc#385149) - correct ksysguardd package name and require it - kdm4: terminate local x servers by default (bnc#381672) - kdm4: make delayed popup work again (bnc#381197) - use the server cmd from sysconfig - fix possible ksmserver<->knotify deadlock during KDE startup - fix crash preventing setting of time/date (bnc#386429) - set a preloader by default - fix kdm4 requiring root for shutdown - add Kontact/KDE4 instead of Kontact/KDE3 to Kickoff (bnc#386374) - fix potential Plasma crash after deleting plasmoids (bnc#386462) - Administrator mode for date/time module, to make it usable - update to 4.0.4 * http://kde.org/announcements/changelog_4_0_3to4_0_4.php - fix fileconflicts by introducing an upstream-branding package for kde4-kdm - Fix stacking problems in KWin (bnc#378773) - Add missing ICE check for ksmserver (bnc#384774) - fix focus issues in kde4-kdm (bnc#381501) - update Plasma diff from openSUSE Plasma branch: several bugfixes including bnc#381704, bnc#379082, bnc#382510, bnc#377728, bnc#382169, bnc#381191, bnc#382497 - use radiobuttons for sessions menu (bnc#382138) - fix unknown icon on suspend (#bnc381194) - ksplashx changes needed for 11.0 splashscreen (bnc:#375581) - update 4_0_BRANCH.diff * memleak fixes in kwin and ksplashsimple - remove self conflict (bnc#379338) - fix file conflicts - improve logout, shutdown, restart confirmation and add countdown - draw rounded background behind system tray windows - don't align on every added file but only first run (bnc#379463) - add kgreeter_generic from 4.1 branch (fate#301954) - fix wallpaper not immediately updating (bnc#378771) - update Plasma diff from openSUSE Plasma branch: * draw desktop icons old style * remove useless desktop rubber band * add "(Un)Lock Widgets" and "Show Desktop" to and remove "Zoom Out" from desktop toolbox * fix not disappearing plasmoid handles (bnc#369994) * fix moving of rotated plasmoids (bnc#377108) * taskmanager: "Show only tasks from the current screen" option * digital-clock: add date tooltip, add "Show Seconds" option * pager: add window icons support * kickoff: backported KDE trunk appearance - branding changes, split off kdebase4-workspace-branding-upstream - GUI for selecting the WM (bnc#332079) - fix devel splitting for kwin headers - fix config installation dir - use Plasma diff created against branches/work/plasma-4.0-openSUSE which consolidates ported local patches, backported upstream and yet upstream uncommited features. This introduces: * moving of plasmoids on panels * adding and removing of panels * switching of start menu style * list newly installed applications within Kickoff * allow removing of uninstancable applets from a panel * Plasma theme selector, color change and tint support - update to 4.0.3 - oxygen windecoration configurable colors (kde#152030) - 4_0_BRANCH.diff update, including * full screen handling fixes * repaint bugs with alien windows - fix kdm autologin and theming (bnc#365885) - fix plasma crashes on startup (bnc#364977) - update to 4.0.2 - update branch diff after Plasma backport week-end - backport kickoff/simpleapplet view selection feature - remove sessions already in other packages - let kdm require workspace for the greeter plugins - build with PAM support (bnc#353531) - moved showdesktop & trash plasmoids to kdebase4-workspace-plamoids - fix file conflicts - update to final 4.0.1 tarball - fix user session switching - add location option to panel configuration dialog - remove kinfocenter handbook - update to 4.0.1 release - backport of panel size configuration dialog - backport of display configuration for traditional launcher menu - start Kickoff application browser always at top-level - add "install all public kwin headers" patch - fix app menu starting and system tray icons regressions - add application menu shortening feature and fix alphabetical sort - update KDE_4_0_BRANCH.diff (incl. taskbar attention flash) - don't migrate ~/Desktop icons to Dashboard which will not work - migrate Trash.desktop to Trash plasmoid (added it for that) - open Dashboard toolbox when Dashboard view is activated - set GTK2_RC_FILES for better style of GTK applications - fix locking of session (#355155) - update KDE_4_0_BRANCH.diff - more SUSE-like default panel setup (size, icons, plasmoids): * adds showdesktop plasmoid - backport taskbar plasmoid features: * use more than one row if there are many windows * option to show only the windows on current desktop - fix build - update to 4.0 release - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - fix build - fix filelist - update to 3.96.3 - update to 3.96.2 - reenable OpenGL support - update to 3.96.0 - updaste to 3.95.1 - update to 3.95.0 - update to 3.93.0.svn720097 - update to 3.93.0.svn717339 - update to 3.93.0.svn712052 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703920 - update to 3.92.0.svn700775 - fix more file conflicts - update to 3.92.0.svn697325 - fix file conflicts - update to KDE 4.0 Beta 1 - don't show System Settings on non-KDE/KDE3 desktop - use the non generic lib version for libkonq - update to 3.91.0.svn672298 - update to 3.90.1.svn679137 - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - run %fdupes - fix prefix of two bins - Buildrequires libusb -> libusb-devel - show .desktop files of kdebase4-runtime only in a KDE session - libkdeinit -> libkdeinit4 - fix package file conflicts - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - add patch to fix windows disappearing after activating composite effects (bnc#390675) - add patch to fix kwin per-window shortcuts (bnc#381356) - fix crash killing kwin_kill_helper (kde#156998) - minimal Solid NetworkManager 0.7 backend fixes network status is always unknown (bnc#397072) - don't deinstall KDE3 due to kdebase3-ksysguard conflict - fix panel sizing issue - call kde4-migrate if present (bnc#372170) - backport unmounting in device notifier (bnc#391223) - fix "switch user" doesn't work always (bnc#392269) - fix logout from "Classic Menu Style" lacks power off/restart/ standby/suspend options (bnc#391765) - copy suspend parts from ksmserver logout dialog (bnc#390147) - make drop of local files to Plasma desktop copy to ~/Desktop - add option how to render desktop icon labels (bnc#382747) - fix "save session" menu item missing in kmenu (bnc#383757) - add sysinfo:/ entry to start menu in "Computer" tab as on KDE3 - make krunner search prefer KDE4 applications (bnc#381849) - hidden option to disable desktop toolbox (bnc#393211) - make ksmserver shutdown dialog use Plasma text color (bnc#391828) - fix opening within Firefox and Mozilla from Klipper (bnc#384203) - rename Oxygen window decoration to Ozone - support for KDE3 hotplug actions (bnc#378338) - fixed rotate-wacom-pointers.diff to work with current xsetwacom (bnc#391440) - add ported rotate-wacom-pointers.diff (bnc#385149) - correct ksysguardd package name and require it - kdm4: terminate local x servers by default (bnc#381672) - kdm4: make delayed popup work again (bnc#381197) - use the server cmd from sysconfig - fix possible ksmserver<->knotify deadlock during KDE startup - fix crash preventing setting of time/date (bnc#386429) - set a preloader by default - fix kdm4 requiring root for shutdown - add Kontact/KDE4 instead of Kontact/KDE3 to Kickoff (bnc#386374) - fix potential Plasma crash after deleting plasmoids (bnc#386462) - Administrator mode for date/time module, to make it usable - update to 4.0.4 * http://kde.org/announcements/changelog_4_0_3to4_0_4.php - fix fileconflicts by introducing an upstream-branding package for kde4-kdm - Fix stacking problems in KWin (bnc#378773) - Add missing ICE check for ksmserver (bnc#384774) - fix focus issues in kde4-kdm (bnc#381501) - update Plasma diff from openSUSE Plasma branch: several bugfixes including bnc#381704, bnc#379082, bnc#382510, bnc#377728, bnc#382169, bnc#381191, bnc#382497 - use radiobuttons for sessions menu (bnc#382138) - fix unknown icon on suspend (#bnc381194) - ksplashx changes needed for 11.0 splashscreen (bnc:#375581) - update 4_0_BRANCH.diff * memleak fixes in kwin and ksplashsimple - remove self conflict (bnc#379338) - fix file conflicts - improve logout, shutdown, restart confirmation and add countdown - draw rounded background behind system tray windows - don't align on every added file but only first run (bnc#379463) - add kgreeter_generic from 4.1 branch (fate#301954) - fix wallpaper not immediately updating (bnc#378771) - update Plasma diff from openSUSE Plasma branch: * draw desktop icons old style * remove useless desktop rubber band * add "(Un)Lock Widgets" and "Show Desktop" to and remove "Zoom Out" from desktop toolbox * fix not disappearing plasmoid handles (bnc#369994) * fix moving of rotated plasmoids (bnc#377108) * taskmanager: "Show only tasks from the current screen" option * digital-clock: add date tooltip, add "Show Seconds" option * pager: add window icons support * kickoff: backported KDE trunk appearance - branding changes, split off kdebase4-workspace-branding-upstream - GUI for selecting the WM (bnc#332079) - fix devel splitting for kwin headers - fix config installation dir - use Plasma diff created against branches/work/plasma-4.0-openSUSE which consolidates ported local patches, backported upstream and yet upstream uncommited features. This introduces: * moving of plasmoids on panels * adding and removing of panels * switching of start menu style * list newly installed applications within Kickoff * allow removing of uninstancable applets from a panel * Plasma theme selector, color change and tint support - update to 4.0.3 - oxygen windecoration configurable colors (kde#152030) - 4_0_BRANCH.diff update, including * full screen handling fixes * repaint bugs with alien windows - fix kdm autologin and theming (bnc#365885) - fix plasma crashes on startup (bnc#364977) - update to 4.0.2 - update branch diff after Plasma backport week-end - backport kickoff/simpleapplet view selection feature - remove sessions already in other packages - let kdm require workspace for the greeter plugins - build with PAM support (bnc#353531) - moved showdesktop & trash plasmoids to kdebase4-workspace-plamoids - fix file conflicts - update to final 4.0.1 tarball - fix user session switching - add location option to panel configuration dialog - remove kinfocenter handbook - update to 4.0.1 release - backport of panel size configuration dialog - backport of display configuration for traditional launcher menu - start Kickoff application browser always at top-level - add "install all public kwin headers" patch - fix app menu starting and system tray icons regressions - add application menu shortening feature and fix alphabetical sort - update KDE_4_0_BRANCH.diff (incl. taskbar attention flash) - don't migrate ~/Desktop icons to Dashboard which will not work - migrate Trash.desktop to Trash plasmoid (added it for that) - open Dashboard toolbox when Dashboard view is activated - set GTK2_RC_FILES for better style of GTK applications - fix locking of session (#355155) - update KDE_4_0_BRANCH.diff - more SUSE-like default panel setup (size, icons, plasmoids): * adds showdesktop plasmoid - backport taskbar plasmoid features: * use more than one row if there are many windows * option to show only the windows on current desktop - fix build - update to 4.0 release - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - fix build - fix filelist - update to 3.96.3 - update to 3.96.2 - reenable OpenGL support - update to 3.96.0 - updaste to 3.95.1 - update to 3.95.0 - update to 3.93.0.svn720097 - update to 3.93.0.svn717339 - update to 3.93.0.svn712052 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703920 - update to 3.92.0.svn700775 - fix more file conflicts - update to 3.92.0.svn697325 - fix file conflicts - update to KDE 4.0 Beta 1 - don't show System Settings on non-KDE/KDE3 desktop - use the non generic lib version for libkonq - update to 3.91.0.svn672298 - update to 3.90.1.svn679137 - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - run %fdupes - fix prefix of two bins - Buildrequires libusb -> libusb-devel - show .desktop files of kdebase4-runtime only in a KDE session - libkdeinit -> libkdeinit4 - fix package file conflicts - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - add patch to fix windows disappearing after activating composite effects (bnc#390675) - add patch to fix kwin per-window shortcuts (bnc#381356) - fix crash killing kwin_kill_helper (kde#156998) - minimal Solid NetworkManager 0.7 backend fixes network status is always unknown (bnc#397072) - don't deinstall KDE3 due to kdebase3-ksysguard conflict - fix panel sizing issue - call kde4-migrate if present (bnc#372170) - backport unmounting in device notifier (bnc#391223) - fix "switch user" doesn't work always (bnc#392269) - fix logout from "Classic Menu Style" lacks power off/restart/ standby/suspend options (bnc#391765) - copy suspend parts from ksmserver logout dialog (bnc#390147) - make drop of local files to Plasma desktop copy to ~/Desktop - add option how to render desktop icon labels (bnc#382747) - fix "save session" menu item missing in kmenu (bnc#383757) - add sysinfo:/ entry to start menu in "Computer" tab as on KDE3 - make krunner search prefer KDE4 applications (bnc#381849) - hidden option to disable desktop toolbox (bnc#393211) - make ksmserver shutdown dialog use Plasma text color (bnc#391828) - fix opening within Firefox and Mozilla from Klipper (bnc#384203) - rename Oxygen window decoration to Ozone - support for KDE3 hotplug actions (bnc#378338) - fixed rotate-wacom-pointers.diff to work with current xsetwacom (bnc#391440) - add ported rotate-wacom-pointers.diff (bnc#385149) - correct ksysguardd package name and require it - kdm4: terminate local x servers by default (bnc#381672) - kdm4: make delayed popup work again (bnc#381197) - use the server cmd from sysconfig - fix possible ksmserver<->knotify deadlock during KDE startup - fix crash preventing setting of time/date (bnc#386429) - set a preloader by default - fix kdm4 requiring root for shutdown - add Kontact/KDE4 instead of Kontact/KDE3 to Kickoff (bnc#386374) - fix potential Plasma crash after deleting plasmoids (bnc#386462) - Administrator mode for date/time module, to make it usable - update to 4.0.4 * http://kde.org/announcements/changelog_4_0_3to4_0_4.php - fix fileconflicts by introducing an upstream-branding package for kde4-kdm - Fix stacking problems in KWin (bnc#378773) - Add missing ICE check for ksmserver (bnc#384774) - fix focus issues in kde4-kdm (bnc#381501) - update Plasma diff from openSUSE Plasma branch: several bugfixes including bnc#381704, bnc#379082, bnc#382510, bnc#377728, bnc#382169, bnc#381191, bnc#382497 - use radiobuttons for sessions menu (bnc#382138) - fix unknown icon on suspend (#bnc381194) - ksplashx changes needed for 11.0 splashscreen (bnc:#375581) - update 4_0_BRANCH.diff * memleak fixes in kwin and ksplashsimple - remove self conflict (bnc#379338) - fix file conflicts - improve logout, shutdown, restart confirmation and add countdown - draw rounded background behind system tray windows - don't align on every added file but only first run (bnc#379463) - add kgreeter_generic from 4.1 branch (fate#301954) - fix wallpaper not immediately updating (bnc#378771) - update Plasma diff from openSUSE Plasma branch: * draw desktop icons old style * remove useless desktop rubber band * add "(Un)Lock Widgets" and "Show Desktop" to and remove "Zoom Out" from desktop toolbox * fix not disappearing plasmoid handles (bnc#369994) * fix moving of rotated plasmoids (bnc#377108) * taskmanager: "Show only tasks from the current screen" option * digital-clock: add date tooltip, add "Show Seconds" option * pager: add window icons support * kickoff: backported KDE trunk appearance - branding changes, split off kdebase4-workspace-branding-upstream - GUI for selecting the WM (bnc#332079) - fix devel splitting for kwin headers - fix config installation dir - use Plasma diff created against branches/work/plasma-4.0-openSUSE which consolidates ported local patches, backported upstream and yet upstream uncommited features. This introduces: * moving of plasmoids on panels * adding and removing of panels * switching of start menu style * list newly installed applications within Kickoff * allow removing of uninstancable applets from a panel * Plasma theme selector, color change and tint support - update to 4.0.3 - oxygen windecoration configurable colors (kde#152030) - 4_0_BRANCH.diff update, including * full screen handling fixes * repaint bugs with alien windows - fix kdm autologin and theming (bnc#365885) - fix plasma crashes on startup (bnc#364977) - update to 4.0.2 - update branch diff after Plasma backport week-end - backport kickoff/simpleapplet view selection feature - remove sessions already in other packages - let kdm require workspace for the greeter plugins - build with PAM support (bnc#353531) - moved showdesktop & trash plasmoids to kdebase4-workspace-plamoids - fix file conflicts - update to final 4.0.1 tarball - fix user session switching - add location option to panel configuration dialog - remove kinfocenter handbook - update to 4.0.1 release - backport of panel size configuration dialog - backport of display configuration for traditional launcher menu - start Kickoff application browser always at top-level - add "install all public kwin headers" patch - fix app menu starting and system tray icons regressions - add application menu shortening feature and fix alphabetical sort - update KDE_4_0_BRANCH.diff (incl. taskbar attention flash) - don't migrate ~/Desktop icons to Dashboard which will not work - migrate Trash.desktop to Trash plasmoid (added it for that) - open Dashboard toolbox when Dashboard view is activated - set GTK2_RC_FILES for better style of GTK applications - fix locking of session (#355155) - update KDE_4_0_BRANCH.diff - more SUSE-like default panel setup (size, icons, plasmoids): * adds showdesktop plasmoid - backport taskbar plasmoid features: * use more than one row if there are many windows * option to show only the windows on current desktop - fix build - update to 4.0 release - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - fix build - fix filelist - update to 3.96.3 - update to 3.96.2 - reenable OpenGL support - update to 3.96.0 - updaste to 3.95.1 - update to 3.95.0 - update to 3.93.0.svn720097 - update to 3.93.0.svn717339 - update to 3.93.0.svn712052 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703920 - update to 3.92.0.svn700775 - fix more file conflicts - update to 3.92.0.svn697325 - fix file conflicts - update to KDE 4.0 Beta 1 - don't show System Settings on non-KDE/KDE3 desktop - use the non generic lib version for libkonq - update to 3.91.0.svn672298 - update to 3.90.1.svn679137 - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - run %fdupes - fix prefix of two bins - Buildrequires libusb -> libusb-devel - show .desktop files of kdebase4-runtime only in a KDE session - libkdeinit -> libkdeinit4 - fix package file conflicts - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - add patch to fix windows disappearing after activating composite effects (bnc#390675) - add patch to fix kwin per-window shortcuts (bnc#381356) - fix crash killing kwin_kill_helper (kde#156998) - minimal Solid NetworkManager 0.7 backend fixes network status is always unknown (bnc#397072) - don't deinstall KDE3 due to kdebase3-ksysguard conflict - fix panel sizing issue - call kde4-migrate if present (bnc#372170) - backport unmounting in device notifier (bnc#391223) - fix "switch user" doesn't work always (bnc#392269) - fix logout from "Classic Menu Style" lacks power off/restart/ standby/suspend options (bnc#391765) - copy suspend parts from ksmserver logout dialog (bnc#390147) - make drop of local files to Plasma desktop copy to ~/Desktop - add option how to render desktop icon labels (bnc#382747) - fix "save session" menu item missing in kmenu (bnc#383757) - add sysinfo:/ entry to start menu in "Computer" tab as on KDE3 - make krunner search prefer KDE4 applications (bnc#381849) - hidden option to disable desktop toolbox (bnc#393211) - make ksmserver shutdown dialog use Plasma text color (bnc#391828) - fix opening within Firefox and Mozilla from Klipper (bnc#384203) - rename Oxygen window decoration to Ozone - support for KDE3 hotplug actions (bnc#378338) - fixed rotate-wacom-pointers.diff to work with current xsetwacom (bnc#391440) - add ported rotate-wacom-pointers.diff (bnc#385149) - correct ksysguardd package name and require it - kdm4: terminate local x servers by default (bnc#381672) - kdm4: make delayed popup work again (bnc#381197) - use the server cmd from sysconfig - fix possible ksmserver<->knotify deadlock during KDE startup - fix crash preventing setting of time/date (bnc#386429) - set a preloader by default - fix kdm4 requiring root for shutdown - add Kontact/KDE4 instead of Kontact/KDE3 to Kickoff (bnc#386374) - fix potential Plasma crash after deleting plasmoids (bnc#386462) - Administrator mode for date/time module, to make it usable - update to 4.0.4 * http://kde.org/announcements/changelog_4_0_3to4_0_4.php - fix fileconflicts by introducing an upstream-branding package for kde4-kdm - Fix stacking problems in KWin (bnc#378773) - Add missing ICE check for ksmserver (bnc#384774) - fix focus issues in kde4-kdm (bnc#381501) - update Plasma diff from openSUSE Plasma branch: several bugfixes including bnc#381704, bnc#379082, bnc#382510, bnc#377728, bnc#382169, bnc#381191, bnc#382497 - use radiobuttons for sessions menu (bnc#382138) - fix unknown icon on suspend (#bnc381194) - ksplashx changes needed for 11.0 splashscreen (bnc:#375581) - update 4_0_BRANCH.diff * memleak fixes in kwin and ksplashsimple - remove self conflict (bnc#379338) - fix file conflicts - improve logout, shutdown, restart confirmation and add countdown - draw rounded background behind system tray windows - don't align on every added file but only first run (bnc#379463) - add kgreeter_generic from 4.1 branch (fate#301954) - fix wallpaper not immediately updating (bnc#378771) - update Plasma diff from openSUSE Plasma branch: * draw desktop icons old style * remove useless desktop rubber band * add "(Un)Lock Widgets" and "Show Desktop" to and remove "Zoom Out" from desktop toolbox * fix not disappearing plasmoid handles (bnc#369994) * fix moving of rotated plasmoids (bnc#377108) * taskmanager: "Show only tasks from the current screen" option * digital-clock: add date tooltip, add "Show Seconds" option * pager: add window icons support * kickoff: backported KDE trunk appearance - branding changes, split off kdebase4-workspace-branding-upstream - GUI for selecting the WM (bnc#332079) - fix devel splitting for kwin headers - fix config installation dir - use Plasma diff created against branches/work/plasma-4.0-openSUSE which consolidates ported local patches, backported upstream and yet upstream uncommited features. This introduces: * moving of plasmoids on panels * adding and removing of panels * switching of start menu style * list newly installed applications within Kickoff * allow removing of uninstancable applets from a panel * Plasma theme selector, color change and tint support - update to 4.0.3 - oxygen windecoration configurable colors (kde#152030) - 4_0_BRANCH.diff update, including * full screen handling fixes * repaint bugs with alien windows - fix kdm autologin and theming (bnc#365885) - fix plasma crashes on startup (bnc#364977) - update to 4.0.2 - update branch diff after Plasma backport week-end - backport kickoff/simpleapplet view selection feature - remove sessions already in other packages - let kdm require workspace for the greeter plugins - build with PAM support (bnc#353531) - moved showdesktop & trash plasmoids to kdebase4-workspace-plamoids - fix file conflicts - update to final 4.0.1 tarball - fix user session switching - add location option to panel configuration dialog - remove kinfocenter handbook - update to 4.0.1 release - backport of panel size configuration dialog - backport of display configuration for traditional launcher menu - start Kickoff application browser always at top-level - add "install all public kwin headers" patch - fix app menu starting and system tray icons regressions - add application menu shortening feature and fix alphabetical sort - update KDE_4_0_BRANCH.diff (incl. taskbar attention flash) - don't migrate ~/Desktop icons to Dashboard which will not work - migrate Trash.desktop to Trash plasmoid (added it for that) - open Dashboard toolbox when Dashboard view is activated - set GTK2_RC_FILES for better style of GTK applications - fix locking of session (#355155) - update KDE_4_0_BRANCH.diff - more SUSE-like default panel setup (size, icons, plasmoids): * adds showdesktop plasmoid - backport taskbar plasmoid features: * use more than one row if there are many windows * option to show only the windows on current desktop - fix build - update to 4.0 release - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - fix build - fix filelist - update to 3.96.3 - update to 3.96.2 - reenable OpenGL support - update to 3.96.0 - updaste to 3.95.1 - update to 3.95.0 - update to 3.93.0.svn720097 - update to 3.93.0.svn717339 - update to 3.93.0.svn712052 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703920 - update to 3.92.0.svn700775 - fix more file conflicts - update to 3.92.0.svn697325 - fix file conflicts - update to KDE 4.0 Beta 1 - don't show System Settings on non-KDE/KDE3 desktop - use the non generic lib version for libkonq - update to 3.91.0.svn672298 - update to 3.90.1.svn679137 - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - run %fdupes - fix prefix of two bins - Buildrequires libusb -> libusb-devel - show .desktop files of kdebase4-runtime only in a KDE session - libkdeinit -> libkdeinit4 - fix package file conflicts - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - add patch to fix windows disappearing after activating composite effects (bnc#390675) - add patch to fix kwin per-window shortcuts (bnc#381356) - fix crash killing kwin_kill_helper (kde#156998) - minimal Solid NetworkManager 0.7 backend fixes network status is always unknown (bnc#397072) - don't deinstall KDE3 due to kdebase3-ksysguard conflict - fix panel sizing issue - call kde4-migrate if present (bnc#372170) - backport unmounting in device notifier (bnc#391223) - fix "switch user" doesn't work always (bnc#392269) - fix logout from "Classic Menu Style" lacks power off/restart/ standby/suspend options (bnc#391765) - copy suspend parts from ksmserver logout dialog (bnc#390147) - make drop of local files to Plasma desktop copy to ~/Desktop - add option how to render desktop icon labels (bnc#382747) - fix "save session" menu item missing in kmenu (bnc#383757) - add sysinfo:/ entry to start menu in "Computer" tab as on KDE3 - make krunner search prefer KDE4 applications (bnc#381849) - hidden option to disable desktop toolbox (bnc#393211) - make ksmserver shutdown dialog use Plasma text color (bnc#391828) - fix opening within Firefox and Mozilla from Klipper (bnc#384203) - rename Oxygen window decoration to Ozone - support for KDE3 hotplug actions (bnc#378338) - fixed rotate-wacom-pointers.diff to work with current xsetwacom (bnc#391440) - add ported rotate-wacom-pointers.diff (bnc#385149) - correct ksysguardd package name and require it - kdm4: terminate local x servers by default (bnc#381672) - kdm4: make delayed popup work again (bnc#381197) - use the server cmd from sysconfig - fix possible ksmserver<->knotify deadlock during KDE startup - fix crash preventing setting of time/date (bnc#386429) - set a preloader by default - fix kdm4 requiring root for shutdown - add Kontact/KDE4 instead of Kontact/KDE3 to Kickoff (bnc#386374) - fix potential Plasma crash after deleting plasmoids (bnc#386462) - Administrator mode for date/time module, to make it usable - update to 4.0.4 * http://kde.org/announcements/changelog_4_0_3to4_0_4.php - fix fileconflicts by introducing an upstream-branding package for kde4-kdm - Fix stacking problems in KWin (bnc#378773) - Add missing ICE check for ksmserver (bnc#384774) - fix focus issues in kde4-kdm (bnc#381501) - update Plasma diff from openSUSE Plasma branch: several bugfixes including bnc#381704, bnc#379082, bnc#382510, bnc#377728, bnc#382169, bnc#381191, bnc#382497 - use radiobuttons for sessions menu (bnc#382138) - fix unknown icon on suspend (#bnc381194) - ksplashx changes needed for 11.0 splashscreen (bnc:#375581) - update 4_0_BRANCH.diff * memleak fixes in kwin and ksplashsimple - remove self conflict (bnc#379338) - fix file conflicts - improve logout, shutdown, restart confirmation and add countdown - draw rounded background behind system tray windows - don't align on every added file but only first run (bnc#379463) - add kgreeter_generic from 4.1 branch (fate#301954) - fix wallpaper not immediately updating (bnc#378771) - update Plasma diff from openSUSE Plasma branch: * draw desktop icons old style * remove useless desktop rubber band * add "(Un)Lock Widgets" and "Show Desktop" to and remove "Zoom Out" from desktop toolbox * fix not disappearing plasmoid handles (bnc#369994) * fix moving of rotated plasmoids (bnc#377108) * taskmanager: "Show only tasks from the current screen" option * digital-clock: add date tooltip, add "Show Seconds" option * pager: add window icons support * kickoff: backported KDE trunk appearance - branding changes, split off kdebase4-workspace-branding-upstream - GUI for selecting the WM (bnc#332079) - fix devel splitting for kwin headers - fix config installation dir - use Plasma diff created against branches/work/plasma-4.0-openSUSE which consolidates ported local patches, backported upstream and yet upstream uncommited features. This introduces: * moving of plasmoids on panels * adding and removing of panels * switching of start menu style * list newly installed applications within Kickoff * allow removing of uninstancable applets from a panel * Plasma theme selector, color change and tint support - update to 4.0.3 - oxygen windecoration configurable colors (kde#152030) - 4_0_BRANCH.diff update, including * full screen handling fixes * repaint bugs with alien windows - fix kdm autologin and theming (bnc#365885) - fix plasma crashes on startup (bnc#364977) - update to 4.0.2 - update branch diff after Plasma backport week-end - backport kickoff/simpleapplet view selection feature - remove sessions already in other packages - let kdm require workspace for the greeter plugins - build with PAM support (bnc#353531) - moved showdesktop & trash plasmoids to kdebase4-workspace-plamoids - fix file conflicts - update to final 4.0.1 tarball - fix user session switching - add location option to panel configuration dialog - remove kinfocenter handbook - update to 4.0.1 release - backport of panel size configuration dialog - backport of display configuration for traditional launcher menu - start Kickoff application browser always at top-level - add "install all public kwin headers" patch - fix app menu starting and system tray icons regressions - add application menu shortening feature and fix alphabetical sort - update KDE_4_0_BRANCH.diff (incl. taskbar attention flash) - don't migrate ~/Desktop icons to Dashboard which will not work - migrate Trash.desktop to Trash plasmoid (added it for that) - open Dashboard toolbox when Dashboard view is activated - set GTK2_RC_FILES for better style of GTK applications - fix locking of session (#355155) - update KDE_4_0_BRANCH.diff - more SUSE-like default panel setup (size, icons, plasmoids): * adds showdesktop plasmoid - backport taskbar plasmoid features: * use more than one row if there are many windows * option to show only the windows on current desktop - fix build - update to 4.0 release - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - fix build - fix filelist - update to 3.96.3 - update to 3.96.2 - reenable OpenGL support - update to 3.96.0 - updaste to 3.95.1 - update to 3.95.0 - update to 3.93.0.svn720097 - update to 3.93.0.svn717339 - update to 3.93.0.svn712052 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703920 - update to 3.92.0.svn700775 - fix more file conflicts - update to 3.92.0.svn697325 - fix file conflicts - update to KDE 4.0 Beta 1 - don't show System Settings on non-KDE/KDE3 desktop - use the non generic lib version for libkonq - update to 3.91.0.svn672298 - update to 3.90.1.svn679137 - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - run %fdupes - fix prefix of two bins - Buildrequires libusb -> libusb-devel - show .desktop files of kdebase4-runtime only in a KDE session - libkdeinit -> libkdeinit4 - fix package file conflicts - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - Pull critical bugfixes from trunk: * crash on deleting korganizer categories (kde#153740) * kmail folder selector crash * kmail mime type detection * korganizer multiple todo deletion crash * kmail composer invisible widgets (kde#162711) * kmail losing non-ascii chars on send (kde#162673) * kmail composer doesn't respect encoding (kde#162707) * korg select default type in reminder dlg (kde#158354) * kmail online imap filter mail eater * kmail crash in rfc2231 decoder * kmail crash due to bad debug code (kde#156319) * kmail save local subscriptions sooner (kde#163268) * kmail filter action crash (kde#156990) * kmail crash on inline forward of multiple mails (kde#163159) * kaddressbook contact picture display (kde#162897) * kalarm time display (kde#163408) - Restore the definition of Kontact's plugins, caused crash on start (bnc#398807) - Remove kpilot and kmobiletools dependency as these are not part of KDE 4.1 - Disable Kontact planner plugin, not part of KDE 4.1 - Fix display of kaddressbook contact fields (bnc#388618,kde#163041) - don't install /usr/share/applications/kde4/kcontactmanager.desktop - Move Kontact plugins' desktop files to subpackages (bnc#389141) - Add versioning to libkleopatra libraries (bnc#391350) - Update to kdepim 4.1beta1 * Fix kontact view switch sidepane fills entire window (bnc#389141) - Exclude akonadi resources, not yet production ready - weather plugin is disabled upstream now, remove our patch - update to 4.0.74 - use the backported kdelibs4.1 functionality for spellchecking - update branch diff for mbox fix - add missing devel package requires - Fix invalid return type in KTimeTracker - update to 4.0.73 - update to 4.0.72 - Adapt to new Akonadi location, update to 4.0.71 - remove weather kontact plugin - kweather is broken - remove plasmabiff (doesn't build against KDE 4.0 anymore) - update to 4.0.70 - give akonadi %post a ldconfig - work around build problem - Remove private libraries' link-edit .so files, nobody builds vs them and they break kdepim3 apps as ld.so tries to link them - fix build once again, fix packaging errors - fix build once again, fix packaging errors - update to 4.0.69: * fixes almost build (finally) * no changelog available - fix file globbing - update to 4.0.68 - update to 4.0.67 - update to 4.0.66 - fix file conflict - disable nepomuk stuff for 4.0 - update to 4.0.65 - update to 4.0.63 - update to 4.0.62 - update to 4.0.61 - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - update to 3.96.3 - update to 3.96.2 - fix file conflicts - update to 3.96.1 - update to 3.96.0 - update to 3.95.2 - update to 3.95.1 - update to KDE 4.0 Beta4 - update to 3.94.1 - fix build - add category for kcontactmanager.desktop - add directory to filelist - update to KDE 4.0 Beta 3 - update to 3.93.0.svn720115 - update to 3.93.0.svn717255 - update to 3.93.0.svn712059 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703914 - update to 3.92.0.svn700937 - update to 3.92.0.svn697324 - Resolve file conflict between kdepim4 and kdepim4-knotes - remove kitchensync temporarily, not compatible with our libopensync - update to KDE 4.0 Beta 1 - update to 3.91.0.svn672299 - update to 3.90.1.svn679144, run fdupes - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - update to 3.90.1.svn668119 - initial package in abuild - add patch to fix windows disappearing after activating composite effects (bnc#390675) - add patch to fix kwin per-window shortcuts (bnc#381356) - fix crash killing kwin_kill_helper (kde#156998) - minimal Solid NetworkManager 0.7 backend fixes network status is always unknown (bnc#397072) - don't deinstall KDE3 due to kdebase3-ksysguard conflict - fix panel sizing issue - call kde4-migrate if present (bnc#372170) - backport unmounting in device notifier (bnc#391223) - fix "switch user" doesn't work always (bnc#392269) - fix logout from "Classic Menu Style" lacks power off/restart/ standby/suspend options (bnc#391765) - copy suspend parts from ksmserver logout dialog (bnc#390147) - make drop of local files to Plasma desktop copy to ~/Desktop - add option how to render desktop icon labels (bnc#382747) - fix "save session" menu item missing in kmenu (bnc#383757) - add sysinfo:/ entry to start menu in "Computer" tab as on KDE3 - make krunner search prefer KDE4 applications (bnc#381849) - hidden option to disable desktop toolbox (bnc#393211) - make ksmserver shutdown dialog use Plasma text color (bnc#391828) - fix opening within Firefox and Mozilla from Klipper (bnc#384203) - rename Oxygen window decoration to Ozone - support for KDE3 hotplug actions (bnc#378338) - fixed rotate-wacom-pointers.diff to work with current xsetwacom (bnc#391440) - add ported rotate-wacom-pointers.diff (bnc#385149) - correct ksysguardd package name and require it - kdm4: terminate local x servers by default (bnc#381672) - kdm4: make delayed popup work again (bnc#381197) - use the server cmd from sysconfig - fix possible ksmserver<->knotify deadlock during KDE startup - fix crash preventing setting of time/date (bnc#386429) - set a preloader by default - fix kdm4 requiring root for shutdown - add Kontact/KDE4 instead of Kontact/KDE3 to Kickoff (bnc#386374) - fix potential Plasma crash after deleting plasmoids (bnc#386462) - Administrator mode for date/time module, to make it usable - update to 4.0.4 * http://kde.org/announcements/changelog_4_0_3to4_0_4.php - fix fileconflicts by introducing an upstream-branding package for kde4-kdm - Fix stacking problems in KWin (bnc#378773) - Add missing ICE check for ksmserver (bnc#384774) - fix focus issues in kde4-kdm (bnc#381501) - update Plasma diff from openSUSE Plasma branch: several bugfixes including bnc#381704, bnc#379082, bnc#382510, bnc#377728, bnc#382169, bnc#381191, bnc#382497 - use radiobuttons for sessions menu (bnc#382138) - fix unknown icon on suspend (#bnc381194) - ksplashx changes needed for 11.0 splashscreen (bnc:#375581) - update 4_0_BRANCH.diff * memleak fixes in kwin and ksplashsimple - remove self conflict (bnc#379338) - fix file conflicts - improve logout, shutdown, restart confirmation and add countdown - draw rounded background behind system tray windows - don't align on every added file but only first run (bnc#379463) - add kgreeter_generic from 4.1 branch (fate#301954) - fix wallpaper not immediately updating (bnc#378771) - update Plasma diff from openSUSE Plasma branch: * draw desktop icons old style * remove useless desktop rubber band * add "(Un)Lock Widgets" and "Show Desktop" to and remove "Zoom Out" from desktop toolbox * fix not disappearing plasmoid handles (bnc#369994) * fix moving of rotated plasmoids (bnc#377108) * taskmanager: "Show only tasks from the current screen" option * digital-clock: add date tooltip, add "Show Seconds" option * pager: add window icons support * kickoff: backported KDE trunk appearance - branding changes, split off kdebase4-workspace-branding-upstream - GUI for selecting the WM (bnc#332079) - fix devel splitting for kwin headers - fix config installation dir - use Plasma diff created against branches/work/plasma-4.0-openSUSE which consolidates ported local patches, backported upstream and yet upstream uncommited features. This introduces: * moving of plasmoids on panels * adding and removing of panels * switching of start menu style * list newly installed applications within Kickoff * allow removing of uninstancable applets from a panel * Plasma theme selector, color change and tint support - update to 4.0.3 - oxygen windecoration configurable colors (kde#152030) - 4_0_BRANCH.diff update, including * full screen handling fixes * repaint bugs with alien windows - fix kdm autologin and theming (bnc#365885) - fix plasma crashes on startup (bnc#364977) - update to 4.0.2 - update branch diff after Plasma backport week-end - backport kickoff/simpleapplet view selection feature - remove sessions already in other packages - let kdm require workspace for the greeter plugins - build with PAM support (bnc#353531) - moved showdesktop & trash plasmoids to kdebase4-workspace-plamoids - fix file conflicts - update to final 4.0.1 tarball - fix user session switching - add location option to panel configuration dialog - remove kinfocenter handbook - update to 4.0.1 release - backport of panel size configuration dialog - backport of display configuration for traditional launcher menu - start Kickoff application browser always at top-level - add "install all public kwin headers" patch - fix app menu starting and system tray icons regressions - add application menu shortening feature and fix alphabetical sort - update KDE_4_0_BRANCH.diff (incl. taskbar attention flash) - don't migrate ~/Desktop icons to Dashboard which will not work - migrate Trash.desktop to Trash plasmoid (added it for that) - open Dashboard toolbox when Dashboard view is activated - set GTK2_RC_FILES for better style of GTK applications - fix locking of session (#355155) - update KDE_4_0_BRANCH.diff - more SUSE-like default panel setup (size, icons, plasmoids): * adds showdesktop plasmoid - backport taskbar plasmoid features: * use more than one row if there are many windows * option to show only the windows on current desktop - fix build - update to 4.0 release - update to 3.97.2 - update to 3.97.1 - update to 3.97.0 - fix build - fix filelist - update to 3.96.3 - update to 3.96.2 - reenable OpenGL support - update to 3.96.0 - updaste to 3.95.1 - update to 3.95.0 - update to 3.93.0.svn720097 - update to 3.93.0.svn717339 - update to 3.93.0.svn712052 - update to KDE 4.0 Beta 2 - update to 3.92.0.svn703920 - update to 3.92.0.svn700775 - fix more file conflicts - update to 3.92.0.svn697325 - fix file conflicts - update to KDE 4.0 Beta 1 - don't show System Settings on non-KDE/KDE3 desktop - use the non generic lib version for libkonq - update to 3.91.0.svn672298 - update to 3.90.1.svn679137 - update to 3.90.1.svn670093 - fix build - simplify spec file by using macros from kde4-filesystem - run %fdupes - fix prefix of two bins - Buildrequires libusb -> libusb-devel - show .desktop files of kdebase4-runtime only in a KDE session - libkdeinit -> libkdeinit4 - fix package file conflicts - initial package in abuild - Merge changes from the Build Service (thanks, Wolfgang) (bnc#400001 and SWAMP#18164). - update to version 1.9 - removed obsolete mozilla-fsync* patch - make it possible to ignore NM events with a pref (bmo#424626) (toolkit.networkmanager.ignore=false|true) (mozilla-network-status.patch) - modify pref to not stop at punctuation for selections (bnc#395070) - fixed restart command for session managers (bnc#396552) - do not compile cairo with SSE support (bnc#397815) - mozilla-js.pc uses correct cflags (bnc#397814) - Fix baselibs.conf to mention mozilla-xulrunner190-translations (bnc#393856). - Add mozilla-pkgconfig.patch (part of bnc#381154). - Add mozilla-fsync-bmo499050.patch (bmo#499050). - Merge changes from the build service (thanks, Wolfgang): + Only use gconf proxy settings under GNOME (bnc#381172) + Add mozilla-extensionmanager.patch (bnc#381733, and #382969) + Add mozilla-system-hunspell.patch to enable use of the system's hunspell (bnc#382437) + Add mozilla-gnome-proxies.patch: * Only use gconf proxy settings when running under GNOME (bnc#381172) * Correctly read the ignored hosts settings from gconf (bmo#429520) + Add mozilla-helperapp.patch to offer the gconf default for protocol handlers (bnc#383697) - Rename the -lang subpackage to -stranslations (bnc#381635). - Merge changes from the build service: + Add mozilla-chrome-registry.patch to fix a startup crash (bmo#391311 and bnc#379523) + Add mozilla-scroll.patch to fix scrolling performance issues (bmo#424915 and bnc#377055) + Update baselibs.conf. - Better sync against the build service's version. - added baselibs.conf file to create xxbit packages - update to version 1.9b5 * including fix for bnc #368967 * integrated mozilla-gnome-vfs.patch - updated shipped locales "Provides" - fixed version upgrading (remove leftovers from previous versions) - remove executable flags from JS scripts - CSS DPI scaling now occurs with higher dpi values now (>192) - prerequire coreutils for 'rm' in post scripts - Merge changes from the build service (thanks, Wolfgang). - new snapshot version 1.9b4 - updated shipped locales "Provides" - enabled url classifier component (needed for Firefox' safe browsing feature) - added mozilla-gnome-vfs.patch (#368238) - new snapshot 20080228 - source archive contains browser components now to make it easier to keep xulrunner and firefox in sync (use shipped-locales from browser now instead of keeping a copy in the package) - proxy-type 5 is default now (removed from default prefs) - new snapshot 20080227 - use system provided sqlite for factory/11.0 - use fdupes - tweak default preferences - fix debuginfo package - fix wrong executable permissions - fix wrong ownership of the gnomevfs libs - add add-plugins.sh to manage dictionaries - new snapshot 20080225 - added -gnomevfs subpackage for evaluation - added back -l10n subpackage - initial xulrunner 1.9 package * doesn't update any prior xulrunner yet * can be installed in parallel * just updates the /usr/bin/xulrunner link to the new version * needs NSPR 4.7.1 and NSS 3.12 - Merge changes from the build service (thanks, Wolfgang) (bnc#400001 and SWAMP#18164). - update to version 3.0 - fixed double entry in bookmarks for www.opensuse.org (bnc#396980 - Add Planet SUSE, forums.o.o and How to participate to default URLs. - network.protocol-handler.app.* prefs are no longer supported; remove references to them from firefox-suse-default-prefs.js (bnc#383697). - Update to Firefox 3.0b5 (2.9.95) (thanks, Wolfgang). - Merge changes from the build service (thanks, Wolfgang) - Update to the fourth Firefox 3.0 Beta (2.9.94): + Based upon the Gecko 1.9 Web rendering platform, which improves performance, stability, and rendering correctness; it also boasts a considerable simplification in its code + Security improvements: * One-click site info * Malware Protection * New Web Forgery Protection page * New SSL error pages * Add-ons and Plugin version check * Secure add-on updates * Effective top-level domain (eTLD) service to better restrict cookies and other restricted content to a single domain * Better protection against cross-site JSON data leaks + Usability improvements: * Easier password management * Simplified add-on installation * New Download Manager * Resumable downloading * Full page zoom * Podcasts and Videocasts can be associated with your media playback tools * Tab scrolling and quickmenu * Save what you were doing: Firefox will prompt users to save tabs on exit * Optimized Open in Tabs behavior * Location and Search bar size can now be customized with a simple resizer item * Text selection improvements * Find toolbar * Improved integration with Linux: Firefox's default icons, buttons, and menu styles now use the native GTK theme + Personalization improvements: * Star button: quickly add bookmarks from the location bar with a single click; a second click lets you file and tag them * Tags: associate keywords with your bookmarks to sort them by topic * Location bar & auto-complete * Smart Bookmarks Folder * Places Organizer: view, organize and search through all of your bookmarks, tags, and browsing history with multiple views and smart folders to store your frequent searches * Web-based protocol handlers * Download & Install Add-ons * Easy to use Download Actions + Improved platform for web developers: * New graphics and font handling: new graphics and text rendering architectures in Gecko 1.9 provides rendering improvements in CSS, SVG as well as improved display of fonts with ligatures and complex scripts * Color management: (set gfx.color_management.enabled on in about:config and restart the browser to enable.); Firefox can now adjust images with embedded color profiles * Offline support: enables web applications to provide offline functionality (website authors must add support for offline browsing to their site for this feature to be available to users) + Improved performance: * Speed: improvements to the JavaScript engine as well as profile guided optimizations have resulted in significant improvements in performance; compared to Firefox 2, web applications like Google Mail and Zoho Office run twice as fast in Firefox 3 Beta 4, and the popular SunSpider test from Apple shows improvements over previous releases * Memory usage: Several new technologies work together to reduce the amount of memory used by Firefox 3 Beta 4 over a web browsing session; memory cycles are broken and collected by an automated cycle collector, a new memory allocator reduces fragmentation, hundreds of leaks have been fixed, and caching strategies have been tuned * Reliability: A user's bookmarks, history, cookies, and preferences are now stored in a transactionally secure database format which will prevent data loss even if their system crashes - This version depends upon the mozilla-xulrunner190 package - Drop various stale packages, respin several that have been kept around, and add a few new ones. - Security update to version 2.0.0.12 (bnc#354469): + MFSA 2008-11/CVE-2008-0594 Web forgery overwrite with div overlay + MFSA 2008-10/CVE-2008-0593 URL token stealing via stylesheet redirect + MFSA 2008-09/CVE-2008-0592 Mishandling of locally-saved plain text files + MFSA 2008-08/CVE-2008-0591 File action dialog tampering + MFSA 2008-06/CVE-2008-0419 Web browsing history and forward navigation stealing + MFSA 2008-05/CVE-2008-0418 Directory traversal via chrome: URI + MFSA 2008-04/CVE-2008-0417 Stored password corruption + MFSA 2008-03/CVE-2008-0415 Privilege escalation, XSS, Remote Code Execution + MFSA 2008-02/CVE-2008-0414 Multiple file input focus stealing vulnerabilities + MFSA 2008-01/CVE-2008-0412 Crashes with evidence of memory corruption (rv:1.8.1.12) - Reference libaoss.so in start script (bnc#117079) - Remove mozilla-canvas-1.8.1.10.patch, as it has been upstreamed - Update firefox-ui-lockdown.patch (FATE#301534, FATE#302023, and FATE#302024) - Add application/x-xpinstall mime type to MozillaFirefox.desktop - Add MozillaFirefox.xml to bind .xpi to application/x-xpinstall in desktop. - Add mozilla-maxpathlen.patch (#354150 and bmo #412610). - Add firefox-348446-empty-lists.patch (bnc#348446). - Respin proxy-dev.patch (bnc#340678) -- thanks, Anders! - Security update to version 2.0.0.10 (#341905, #341591): + MFSA 2007-39 Referer-spoofing via window.location race condition + MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10) + MFSA 2007-37 jar: URI scheme XSS hazard + Fixes for regressions introduced in 2.0.0.8 + Updated dbus.patch, startup.patch, misc.dif, and configure.patch - Add mozilla-gcc4.3-fixes.patch - Add mozilla-canvas-1.8.1.10.patch (#341591#c10). - Build with -ftree-vrp -fwrapv, per advice in #342603#c17. - Add firefox-gcc4.3-fixes.patch. - Security update to version 2.0.0.8 (#332512) (thanks, Wolfgang) * MFSA 2007-29 Crashes with evidence of memory corruption * MFSA 2007-30 onUnload Tailgating * MFSA 2007-31 Digest authentication request splitting * MFSA 2007-32 File input focus stealing vulnerability * MFSA 2007-33 XUL pages can hide the window titlebar * MFSA 2007-34 Possible file stealing through sftp protocol * MFSA 2007-35 XPCNativeWraper pollution using Script object complete advisories on http://www.mozilla.org/projects/security/known-vulnerabilities.html - Don't explicitly require libaoss.so (#326751). - Update the Novell Support search plugin in search-addons.tar.bz2 (#297261) - Set the browser.tabs.loadFolderAndReplace preference to false by default (#230759). - fix hardlinks accross partitions - Add http://software.opensuse.org/search?baseproject=openSUSE:10.3 to the default bookmarks (#308223). - move last change a bit further in specfile - Mark a .png file as nonexecutable. - Minor .spec update (#305193) + Remove two obsolete patches + Correct releasedate + Include only the officially supported locales. - Merge changes from the build service (thanks, Wolfgang): + Provide locale dependency information (#302288) + Add x11-session.patch, supporting X11 session management (#227047) + Update to version 2.0.0.6 * MFSA 2007-26 Privilege escalation through chrome-loaded about:blank windows * MFSA 2007-27 Unescaped URIs passed to external programs (only relevant on Windows) - Use %fdupes. - Adjust bookmarks: Add news.opensuse.org, use new software.o.o page. - Revert previous change. - Added support for ymp in the mimetypes.rdf - Added OneClickInstallUrlHandler for handing the actual call from firefox. - Fixes bnc #295677 - Security update to version 2.0.0.5 (#288115) which has fixes for: MFSA 2007-18 CVE-2007-3734 - Browser flaws CVE-2007-3735 - Javascript flaws MFSA 2007-19 CVE-2007-3736 MFSA 2007-20 CVE-2007-3089 MFSA 2007-21 CVE-2007-3737 MFSA 2007-22 CVE-2007-3285 MFSA 2007-23 CVE-2007-3670 MFSA 2007-24 CVE-2007-3656 MFSA 2007-25 CVE-2007-3738 - fix changelog entry order - Use mozilla.sh.in from the build service (#230681). - Removed invalid desktop category "Application" (#254654). - Security update to version 2.0.0.4 - Refresh configure.patch, startup.patch, and visibility.patch - Now use l10n-%{version}.tar.bz2 instead of l10n.tar.bz2. - added unzip to BuildRequires - add Japanese to the languages which get PANGO enabled in the start script to support the Japanese combining characters U+3099 U+309A (see bugzilla #262718 comment #29). - Package gconf stuff. - Security update to 2.0.0.2 (#244923), which covers: + mfsa2007-01 * CVE-2007-0775 - layout engine crashes * CVE-2007-0776 - SVG * CVE-2007-0777 - javascript engine corruption + mfsa2007-02 * CVE-2007-0995 - Invalid trailing characters in HTML tag attributes * CVE-2007-0996 - Child frame character set inheritance * CVE-2006-6077 - Injected password forms + mfsa2007-02 + mfsa2007-03 * CVE-2007-0078 + mfsa2007-04 * CVE-2007-0079 + mfsa2007-05 * CVE-2007-0780 * CVE-2007-0800 + mfsa2007-06 * CVE-2007-0008 - client flaw * CVE-2007-0009 - server flaw + mfsa2007-07 * CVE-2007-0981 - Updates mozilla.sh.in (#230681) - Fixes #232209 - Updates the man page (#243037) - Properly propagates exit codes (#241492) - Adds em-356370.patch (#217374) - Fixup the Gnome paths, keeping in closer sync with the buildservice. - Gnome is now in /usr, so remove references to /opt/gnome - Install firefox.png with the executable bit not set. - readd MozillaFirebird provides (was incorrect in removing it). - Do not provide MozillaFirebird, just obsolete it. - Update gecko-lockdown.patch (#220616). - Update firefox-suse-default-prefs.js, adding 'pref("browser.backspace_action", 2);' (#217374) - Fix last change (#224431). - Change download bookmark (#224431). - Rename bookmark folder to openSUSE. - Sync from Buildservice with following critical fixes (thanks Wolfgang Rosenauer!): * fixed system-proxies.patch to actually work (#223881). * Rearrange Bookmarks to pass trademark review. - Fix tango theme (#223796). - Use www.opensuse.org as home page. - Set novell.com as home page. - Update from BuildService (thanks Wolfgang!): - fixed crash in htmlparser (#217257, bmo #358797) - added gconf2 as PreReq (#212505) - added 32bit libaoss.so as requirement (#216266) - Removed SUSE searchplugin (Portal not available anymore) (#216054) - Removed obsolete xul-picker.patch and system-nspr.patch - Fixed building on 10.1 and 10.0 (dbus) - Removed obsolete throbber preference - updated tango theme - Another fix for 214125, patch by Wolfgang Rosenauer. - Fix gcc warnings about undefined operations, patch by Robert O'Callahan. - Update system-proxies.patch to fix error box (214125), patch by Robert O'Callahan. - Update to current CVS version of 2.0. - Use www.opensuse.org as default home page for now (#203547). - Disable non-working plasticfox and tango themes. - Fix building of locales. - update to version 2.0rc3: * New features: Visual Refresh, Built-in phishing protection, Enhanced search capabilities, Improved tabbed browsing, Resuming your browsing session, Previewing and subscribing to Web feeds, Inline spell checking, Live Titles, Improved Add-ons manager, JavaScript 1.7, Extended search plugin format, Updates to the extension system, Client-side session and persistent storage, SVG text - disabled debugging. - security update to version 1.5.0.7 - added greasemonkey helper change (#199920) - fixed packager.mk for new make version - fixed crash in dbus component (patch by thoenig #197928) - use external adresses for PAC configuration (#196506) - added symlink for Firefox 1.0.x compatibility - update to regression release 1.5.0.6 (#195043) - security update to version 1.5.0.5 (#195043) * observer-lock.patch integrated now - fixed leak in JS' liveconnect (#186066) - fixed desktop file for old distributions (StartupNotify=false) - Merge changes from the Build Service (thanks, Wolfgang) (bnc#400001 and SWAMP#18164). - update to version 1.9 - removed obsolete mozilla-fsync* patch - make it possible to ignore NM events with a pref (bmo#424626) (toolkit.networkmanager.ignore=false|true) (mozilla-network-status.patch) - modify pref to not stop at punctuation for selections (bnc#395070) - fixed restart command for session managers (bnc#396552) - do not compile cairo with SSE support (bnc#397815) - mozilla-js.pc uses correct cflags (bnc#397814) - Fix baselibs.conf to mention mozilla-xulrunner190-translations (bnc#393856). - Add mozilla-pkgconfig.patch (part of bnc#381154). - Add mozilla-fsync-bmo499050.patch (bmo#499050). - Merge changes from the build service (thanks, Wolfgang): + Only use gconf proxy settings under GNOME (bnc#381172) + Add mozilla-extensionmanager.patch (bnc#381733, and #382969) + Add mozilla-system-hunspell.patch to enable use of the system's hunspell (bnc#382437) + Add mozilla-gnome-proxies.patch: * Only use gconf proxy settings when running under GNOME (bnc#381172) * Correctly read the ignored hosts settings from gconf (bmo#429520) + Add mozilla-helperapp.patch to offer the gconf default for protocol handlers (bnc#383697) - Rename the -lang subpackage to -stranslations (bnc#381635). - Merge changes from the build service: + Add mozilla-chrome-registry.patch to fix a startup crash (bmo#391311 and bnc#379523) + Add mozilla-scroll.patch to fix scrolling performance issues (bmo#424915 and bnc#377055) + Update baselibs.conf. - Better sync against the build service's version. - added baselibs.conf file to create xxbit packages - update to version 1.9b5 * including fix for bnc #368967 * integrated mozilla-gnome-vfs.patch - updated shipped locales "Provides" - fixed version upgrading (remove leftovers from previous versions) - remove executable flags from JS scripts - CSS DPI scaling now occurs with higher dpi values now (>192) - prerequire coreutils for 'rm' in post scripts - Merge changes from the build service (thanks, Wolfgang). - new snapshot version 1.9b4 - updated shipped locales "Provides" - enabled url classifier component (needed for Firefox' safe browsing feature) - added mozilla-gnome-vfs.patch (#368238) - new snapshot 20080228 - source archive contains browser components now to make it easier to keep xulrunner and firefox in sync (use shipped-locales from browser now instead of keeping a copy in the package) - proxy-type 5 is default now (removed from default prefs) - new snapshot 20080227 - use system provided sqlite for factory/11.0 - use fdupes - tweak default preferences - fix debuginfo package - fix wrong executable permissions - fix wrong ownership of the gnomevfs libs - add add-plugins.sh to manage dictionaries - new snapshot 20080225 - added -gnomevfs subpackage for evaluation - added back -l10n subpackage - initial xulrunner 1.9 package * doesn't update any prior xulrunner yet * can be installed in parallel * just updates the /usr/bin/xulrunner link to the new version * needs NSPR 4.7.1 and NSS 3.12 - Merge changes from the Build Service (thanks, Wolfgang) (bnc#400001 and SWAMP#18164). - update to version 1.9 - removed obsolete mozilla-fsync* patch - make it possible to ignore NM events with a pref (bmo#424626) (toolkit.networkmanager.ignore=false|true) (mozilla-network-status.patch) - modify pref to not stop at punctuation for selections (bnc#395070) - fixed restart command for session managers (bnc#396552) - do not compile cairo with SSE support (bnc#397815) - mozilla-js.pc uses correct cflags (bnc#397814) - Fix baselibs.conf to mention mozilla-xulrunner190-translations (bnc#393856). - Add mozilla-pkgconfig.patch (part of bnc#381154). - Add mozilla-fsync-bmo499050.patch (bmo#499050). - Merge changes from the build service (thanks, Wolfgang): + Only use gconf proxy settings under GNOME (bnc#381172) + Add mozilla-extensionmanager.patch (bnc#381733, and #382969) + Add mozilla-system-hunspell.patch to enable use of the system's hunspell (bnc#382437) + Add mozilla-gnome-proxies.patch: * Only use gconf proxy settings when running under GNOME (bnc#381172) * Correctly read the ignored hosts settings from gconf (bmo#429520) + Add mozilla-helperapp.patch to offer the gconf default for protocol handlers (bnc#383697) - Rename the -lang subpackage to -stranslations (bnc#381635). - Merge changes from the build service: + Add mozilla-chrome-registry.patch to fix a startup crash (bmo#391311 and bnc#379523) + Add mozilla-scroll.patch to fix scrolling performance issues (bmo#424915 and bnc#377055) + Update baselibs.conf. - Better sync against the build service's version. - added baselibs.conf file to create xxbit packages - update to version 1.9b5 * including fix for bnc #368967 * integrated mozilla-gnome-vfs.patch - updated shipped locales "Provides" - fixed version upgrading (remove leftovers from previous versions) - remove executable flags from JS scripts - CSS DPI scaling now occurs with higher dpi values now (>192) - prerequire coreutils for 'rm' in post scripts - Merge changes from the build service (thanks, Wolfgang). - new snapshot version 1.9b4 - updated shipped locales "Provides" - enabled url classifier component (needed for Firefox' safe browsing feature) - added mozilla-gnome-vfs.patch (#368238) - new snapshot 20080228 - source archive contains browser components now to make it easier to keep xulrunner and firefox in sync (use shipped-locales from browser now instead of keeping a copy in the package) - proxy-type 5 is default now (removed from default prefs) - new snapshot 20080227 - use system provided sqlite for factory/11.0 - use fdupes - tweak default preferences - fix debuginfo package - fix wrong executable permissions - fix wrong ownership of the gnomevfs libs - add add-plugins.sh to manage dictionaries - new snapshot 20080225 - added -gnomevfs subpackage for evaluation - added back -l10n subpackage - initial xulrunner 1.9 package * doesn't update any prior xulrunner yet * can be installed in parallel * just updates the /usr/bin/xulrunner link to the new version * needs NSPR 4.7.1 and NSS 3.12 - Merge changes from the Build Service (thanks, Wolfgang) (bnc#400001 and SWAMP#18164). - update to version 1.9 - removed obsolete mozilla-fsync* patch - make it possible to ignore NM events with a pref (bmo#424626) (toolkit.networkmanager.ignore=false|true) (mozilla-network-status.patch) - modify pref to not stop at punctuation for selections (bnc#395070) - fixed restart command for session managers (bnc#396552) - do not compile cairo with SSE support (bnc#397815) - mozilla-js.pc uses correct cflags (bnc#397814) - Fix baselibs.conf to mention mozilla-xulrunner190-translations (bnc#393856). - Add mozilla-pkgconfig.patch (part of bnc#381154). - Add mozilla-fsync-bmo499050.patch (bmo#499050). - Merge changes from the build service (thanks, Wolfgang): + Only use gconf proxy settings under GNOME (bnc#381172) + Add mozilla-extensionmanager.patch (bnc#381733, and #382969) + Add mozilla-system-hunspell.patch to enable use of the system's hunspell (bnc#382437) + Add mozilla-gnome-proxies.patch: * Only use gconf proxy settings when running under GNOME (bnc#381172) * Correctly read the ignored hosts settings from gconf (bmo#429520) + Add mozilla-helperapp.patch to offer the gconf default for protocol handlers (bnc#383697) - Rename the -lang subpackage to -stranslations (bnc#381635). - Merge changes from the build service: + Add mozilla-chrome-registry.patch to fix a startup crash (bmo#391311 and bnc#379523) + Add mozilla-scroll.patch to fix scrolling performance issues (bmo#424915 and bnc#377055) + Update baselibs.conf. - Better sync against the build service's version. - added baselibs.conf file to create xxbit packages - update to version 1.9b5 * including fix for bnc #368967 * integrated mozilla-gnome-vfs.patch - updated shipped locales "Provides" - fixed version upgrading (remove leftovers from previous versions) - remove executable flags from JS scripts - CSS DPI scaling now occurs with higher dpi values now (>192) - prerequire coreutils for 'rm' in post scripts - Merge changes from the build service (thanks, Wolfgang). - new snapshot version 1.9b4 - updated shipped locales "Provides" - enabled url classifier component (needed for Firefox' safe browsing feature) - added mozilla-gnome-vfs.patch (#368238) - new snapshot 20080228 - source archive contains browser components now to make it easier to keep xulrunner and firefox in sync (use shipped-locales from browser now instead of keeping a copy in the package) - proxy-type 5 is default now (removed from default prefs) - new snapshot 20080227 - use system provided sqlite for factory/11.0 - use fdupes - tweak default preferences - fix debuginfo package - fix wrong executable permissions - fix wrong ownership of the gnomevfs libs - add add-plugins.sh to manage dictionaries - new snapshot 20080225 - added -gnomevfs subpackage for evaluation - added back -l10n subpackage - initial xulrunner 1.9 package * doesn't update any prior xulrunner yet * can be installed in parallel * just updates the /usr/bin/xulrunner link to the new version * needs NSPR 4.7.1 and NSS 3.12 - Merge changes from the Build Service (thanks, Wolfgang) (bnc#400001 and SWAMP#18164). - update to version 1.9 - removed obsolete mozilla-fsync* patch - make it possible to ignore NM events with a pref (bmo#424626) (toolkit.networkmanager.ignore=false|true) (mozilla-network-status.patch) - modify pref to not stop at punctuation for selections (bnc#395070) - fixed restart command for session managers (bnc#396552) - do not compile cairo with SSE support (bnc#397815) - mozilla-js.pc uses correct cflags (bnc#397814) - Fix baselibs.conf to mention mozilla-xulrunner190-translations (bnc#393856). - Add mozilla-pkgconfig.patch (part of bnc#381154). - Add mozilla-fsync-bmo499050.patch (bmo#499050). - Merge changes from the build service (thanks, Wolfgang): + Only use gconf proxy settings under GNOME (bnc#381172) + Add mozilla-extensionmanager.patch (bnc#381733, and #382969) + Add mozilla-system-hunspell.patch to enable use of the system's hunspell (bnc#382437) + Add mozilla-gnome-proxies.patch: * Only use gconf proxy settings when running under GNOME (bnc#381172) * Correctly read the ignored hosts settings from gconf (bmo#429520) + Add mozilla-helperapp.patch to offer the gconf default for protocol handlers (bnc#383697) - Rename the -lang subpackage to -stranslations (bnc#381635). - Merge changes from the build service: + Add mozilla-chrome-registry.patch to fix a startup crash (bmo#391311 and bnc#379523) + Add mozilla-scroll.patch to fix scrolling performance issues (bmo#424915 and bnc#377055) + Update baselibs.conf. - Better sync against the build service's version. - added baselibs.conf file to create xxbit packages - update to version 1.9b5 * including fix for bnc #368967 * integrated mozilla-gnome-vfs.patch - updated shipped locales "Provides" - fixed version upgrading (remove leftovers from previous versions) - remove executable flags from JS scripts - CSS DPI scaling now occurs with higher dpi values now (>192) - prerequire coreutils for 'rm' in post scripts - Merge changes from the build service (thanks, Wolfgang). - new snapshot version 1.9b4 - updated shipped locales "Provides" - enabled url classifier component (needed for Firefox' safe browsing feature) - added mozilla-gnome-vfs.patch (#368238) - new snapshot 20080228 - source archive contains browser components now to make it easier to keep xulrunner and firefox in sync (use shipped-locales from browser now instead of keeping a copy in the package) - proxy-type 5 is default now (removed from default prefs) - new snapshot 20080227 - use system provided sqlite for factory/11.0 - use fdupes - tweak default preferences - fix debuginfo package - fix wrong executable permissions - fix wrong ownership of the gnomevfs libs - add add-plugins.sh to manage dictionaries - new snapshot 20080225 - added -gnomevfs subpackage for evaluation - added back -l10n subpackage - initial xulrunner 1.9 package * doesn't update any prior xulrunner yet * can be installed in parallel * just updates the /usr/bin/xulrunner link to the new version * needs NSPR 4.7.1 and NSS 3.12 - Merge changes from the Build Service (thanks, Wolfgang) (bnc#400001 and SWAMP#18164). - update to version 1.9 - removed obsolete mozilla-fsync* patch - make it possible to ignore NM events with a pref (bmo#424626) (toolkit.networkmanager.ignore=false|true) (mozilla-network-status.patch) - modify pref to not stop at punctuation for selections (bnc#395070) - fixed restart command for session managers (bnc#396552) - do not compile cairo with SSE support (bnc#397815) - mozilla-js.pc uses correct cflags (bnc#397814) - Fix baselibs.conf to mention mozilla-xulrunner190-translations (bnc#393856). - Add mozilla-pkgconfig.patch (part of bnc#381154). - Add mozilla-fsync-bmo499050.patch (bmo#499050). - Merge changes from the build service (thanks, Wolfgang): + Only use gconf proxy settings under GNOME (bnc#381172) + Add mozilla-extensionmanager.patch (bnc#381733, and #382969) + Add mozilla-system-hunspell.patch to enable use of the system's hunspell (bnc#382437) + Add mozilla-gnome-proxies.patch: * Only use gconf proxy settings when running under GNOME (bnc#381172) * Correctly read the ignored hosts settings from gconf (bmo#429520) + Add mozilla-helperapp.patch to offer the gconf default for protocol handlers (bnc#383697) - Rename the -lang subpackage to -stranslations (bnc#381635). - Merge changes from the build service: + Add mozilla-chrome-registry.patch to fix a startup crash (bmo#391311 and bnc#379523) + Add mozilla-scroll.patch to fix scrolling performance issues (bmo#424915 and bnc#377055) + Update baselibs.conf. - Better sync against the build service's version. - added baselibs.conf file to create xxbit packages - update to version 1.9b5 * including fix for bnc #368967 * integrated mozilla-gnome-vfs.patch - updated shipped locales "Provides" - fixed version upgrading (remove leftovers from previous versions) - remove executable flags from JS scripts - CSS DPI scaling now occurs with higher dpi values now (>192) - prerequire coreutils for 'rm' in post scripts - Merge changes from the build service (thanks, Wolfgang). - new snapshot version 1.9b4 - updated shipped locales "Provides" - enabled url classifier component (needed for Firefox' safe browsing feature) - added mozilla-gnome-vfs.patch (#368238) - new snapshot 20080228 - source archive contains browser components now to make it easier to keep xulrunner and firefox in sync (use shipped-locales from browser now instead of keeping a copy in the package) - proxy-type 5 is default now (removed from default prefs) - new snapshot 20080227 - use system provided sqlite for factory/11.0 - use fdupes - tweak default preferences - fix debuginfo package - fix wrong executable permissions - fix wrong ownership of the gnomevfs libs - add add-plugins.sh to manage dictionaries - new snapshot 20080225 - added -gnomevfs subpackage for evaluation - added back -l10n subpackage - initial xulrunner 1.9 package * doesn't update any prior xulrunner yet * can be installed in parallel * just updates the /usr/bin/xulrunner link to the new version * needs NSPR 4.7.1 and NSS 3.12 - Merge changes from the build service (thanks, Wolfgang) (bnc#400001 and SWAMP#18164). - update to version 3.0 - fixed double entry in bookmarks for www.opensuse.org (bnc#396980 - Add Planet SUSE, forums.o.o and How to participate to default URLs. - network.protocol-handler.app.* prefs are no longer supported; remove references to them from firefox-suse-default-prefs.js (bnc#383697). - Update to Firefox 3.0b5 (2.9.95) (thanks, Wolfgang). - Merge changes from the build service (thanks, Wolfgang) - Update to the fourth Firefox 3.0 Beta (2.9.94): + Based upon the Gecko 1.9 Web rendering platform, which improves performance, stability, and rendering correctness; it also boasts a considerable simplification in its code + Security improvements: * One-click site info * Malware Protection * New Web Forgery Protection page * New SSL error pages * Add-ons and Plugin version check * Secure add-on updates * Effective top-level domain (eTLD) service to better restrict cookies and other restricted content to a single domain * Better protection against cross-site JSON data leaks + Usability improvements: * Easier password management * Simplified add-on installation * New Download Manager * Resumable downloading * Full page zoom * Podcasts and Videocasts can be associated with your media playback tools * Tab scrolling and quickmenu * Save what you were doing: Firefox will prompt users to save tabs on exit * Optimized Open in Tabs behavior * Location and Search bar size can now be customized with a simple resizer item * Text selection improvements * Find toolbar * Improved integration with Linux: Firefox's default icons, buttons, and menu styles now use the native GTK theme + Personalization improvements: * Star button: quickly add bookmarks from the location bar with a single click; a second click lets you file and tag them * Tags: associate keywords with your bookmarks to sort them by topic * Location bar & auto-complete * Smart Bookmarks Folder * Places Organizer: view, organize and search through all of your bookmarks, tags, and browsing history with multiple views and smart folders to store your frequent searches * Web-based protocol handlers * Download & Install Add-ons * Easy to use Download Actions + Improved platform for web developers: * New graphics and font handling: new graphics and text rendering architectures in Gecko 1.9 provides rendering improvements in CSS, SVG as well as improved display of fonts with ligatures and complex scripts * Color management: (set gfx.color_management.enabled on in about:config and restart the browser to enable.); Firefox can now adjust images with embedded color profiles * Offline support: enables web applications to provide offline functionality (website authors must add support for offline browsing to their site for this feature to be available to users) + Improved performance: * Speed: improvements to the JavaScript engine as well as profile guided optimizations have resulted in significant improvements in performance; compared to Firefox 2, web applications like Google Mail and Zoho Office run twice as fast in Firefox 3 Beta 4, and the popular SunSpider test from Apple shows improvements over previous releases * Memory usage: Several new technologies work together to reduce the amount of memory used by Firefox 3 Beta 4 over a web browsing session; memory cycles are broken and collected by an automated cycle collector, a new memory allocator reduces fragmentation, hundreds of leaks have been fixed, and caching strategies have been tuned * Reliability: A user's bookmarks, history, cookies, and preferences are now stored in a transactionally secure database format which will prevent data loss even if their system crashes - This version depends upon the mozilla-xulrunner190 package - Drop various stale packages, respin several that have been kept around, and add a few new ones. - Security update to version 2.0.0.12 (bnc#354469): + MFSA 2008-11/CVE-2008-0594 Web forgery overwrite with div overlay + MFSA 2008-10/CVE-2008-0593 URL token stealing via stylesheet redirect + MFSA 2008-09/CVE-2008-0592 Mishandling of locally-saved plain text files + MFSA 2008-08/CVE-2008-0591 File action dialog tampering + MFSA 2008-06/CVE-2008-0419 Web browsing history and forward navigation stealing + MFSA 2008-05/CVE-2008-0418 Directory traversal via chrome: URI + MFSA 2008-04/CVE-2008-0417 Stored password corruption + MFSA 2008-03/CVE-2008-0415 Privilege escalation, XSS, Remote Code Execution + MFSA 2008-02/CVE-2008-0414 Multiple file input focus stealing vulnerabilities + MFSA 2008-01/CVE-2008-0412 Crashes with evidence of memory corruption (rv:1.8.1.12) - Reference libaoss.so in start script (bnc#117079) - Remove mozilla-canvas-1.8.1.10.patch, as it has been upstreamed - Update firefox-ui-lockdown.patch (FATE#301534, FATE#302023, and FATE#302024) - Add application/x-xpinstall mime type to MozillaFirefox.desktop - Add MozillaFirefox.xml to bind .xpi to application/x-xpinstall in desktop. - Add mozilla-maxpathlen.patch (#354150 and bmo #412610). - Add firefox-348446-empty-lists.patch (bnc#348446). - Respin proxy-dev.patch (bnc#340678) -- thanks, Anders! - Security update to version 2.0.0.10 (#341905, #341591): + MFSA 2007-39 Referer-spoofing via window.location race condition + MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10) + MFSA 2007-37 jar: URI scheme XSS hazard + Fixes for regressions introduced in 2.0.0.8 + Updated dbus.patch, startup.patch, misc.dif, and configure.patch - Add mozilla-gcc4.3-fixes.patch - Add mozilla-canvas-1.8.1.10.patch (#341591#c10). - Build with -ftree-vrp -fwrapv, per advice in #342603#c17. - Add firefox-gcc4.3-fixes.patch. - Security update to version 2.0.0.8 (#332512) (thanks, Wolfgang) * MFSA 2007-29 Crashes with evidence of memory corruption * MFSA 2007-30 onUnload Tailgating * MFSA 2007-31 Digest authentication request splitting * MFSA 2007-32 File input focus stealing vulnerability * MFSA 2007-33 XUL pages can hide the window titlebar * MFSA 2007-34 Possible file stealing through sftp protocol * MFSA 2007-35 XPCNativeWraper pollution using Script object complete advisories on http://www.mozilla.org/projects/security/known-vulnerabilities.html - Don't explicitly require libaoss.so (#326751). - Update the Novell Support search plugin in search-addons.tar.bz2 (#297261) - Set the browser.tabs.loadFolderAndReplace preference to false by default (#230759). - fix hardlinks accross partitions - Add http://software.opensuse.org/search?baseproject=openSUSE:10.3 to the default bookmarks (#308223). - move last change a bit further in specfile - Mark a .png file as nonexecutable. - Minor .spec update (#305193) + Remove two obsolete patches + Correct releasedate + Include only the officially supported locales. - Merge changes from the build service (thanks, Wolfgang): + Provide locale dependency information (#302288) + Add x11-session.patch, supporting X11 session management (#227047) + Update to version 2.0.0.6 * MFSA 2007-26 Privilege escalation through chrome-loaded about:blank windows * MFSA 2007-27 Unescaped URIs passed to external programs (only relevant on Windows) - Use %fdupes. - Adjust bookmarks: Add news.opensuse.org, use new software.o.o page. - Revert previous change. - Added support for ymp in the mimetypes.rdf - Added OneClickInstallUrlHandler for handing the actual call from firefox. - Fixes bnc #295677 - Security update to version 2.0.0.5 (#288115) which has fixes for: MFSA 2007-18 CVE-2007-3734 - Browser flaws CVE-2007-3735 - Javascript flaws MFSA 2007-19 CVE-2007-3736 MFSA 2007-20 CVE-2007-3089 MFSA 2007-21 CVE-2007-3737 MFSA 2007-22 CVE-2007-3285 MFSA 2007-23 CVE-2007-3670 MFSA 2007-24 CVE-2007-3656 MFSA 2007-25 CVE-2007-3738 - fix changelog entry order - Use mozilla.sh.in from the build service (#230681). - Removed invalid desktop category "Application" (#254654). - Security update to version 2.0.0.4 - Refresh configure.patch, startup.patch, and visibility.patch - Now use l10n-%{version}.tar.bz2 instead of l10n.tar.bz2. - added unzip to BuildRequires - add Japanese to the languages which get PANGO enabled in the start script to support the Japanese combining characters U+3099 U+309A (see bugzilla #262718 comment #29). - Package gconf stuff. - Security update to 2.0.0.2 (#244923), which covers: + mfsa2007-01 * CVE-2007-0775 - layout engine crashes * CVE-2007-0776 - SVG * CVE-2007-0777 - javascript engine corruption + mfsa2007-02 * CVE-2007-0995 - Invalid trailing characters in HTML tag attributes * CVE-2007-0996 - Child frame character set inheritance * CVE-2006-6077 - Injected password forms + mfsa2007-02 + mfsa2007-03 * CVE-2007-0078 + mfsa2007-04 * CVE-2007-0079 + mfsa2007-05 * CVE-2007-0780 * CVE-2007-0800 + mfsa2007-06 * CVE-2007-0008 - client flaw * CVE-2007-0009 - server flaw + mfsa2007-07 * CVE-2007-0981 - Updates mozilla.sh.in (#230681) - Fixes #232209 - Updates the man page (#243037) - Properly propagates exit codes (#241492) - Adds em-356370.patch (#217374) - Fixup the Gnome paths, keeping in closer sync with the buildservice. - Gnome is now in /usr, so remove references to /opt/gnome - Install firefox.png with the executable bit not set. - readd MozillaFirebird provides (was incorrect in removing it). - Do not provide MozillaFirebird, just obsolete it. - Update gecko-lockdown.patch (#220616). - Update firefox-suse-default-prefs.js, adding 'pref("browser.backspace_action", 2);' (#217374) - Fix last change (#224431). - Change download bookmark (#224431). - Rename bookmark folder to openSUSE. - Sync from Buildservice with following critical fixes (thanks Wolfgang Rosenauer!): * fixed system-proxies.patch to actually work (#223881). * Rearrange Bookmarks to pass trademark review. - Fix tango theme (#223796). - Use www.opensuse.org as home page. - Set novell.com as home page. - Update from BuildService (thanks Wolfgang!): - fixed crash in htmlparser (#217257, bmo #358797) - added gconf2 as PreReq (#212505) - added 32bit libaoss.so as requirement (#216266) - Removed SUSE searchplugin (Portal not available anymore) (#216054) - Removed obsolete xul-picker.patch and system-nspr.patch - Fixed building on 10.1 and 10.0 (dbus) - Removed obsolete throbber preference - updated tango theme - Another fix for 214125, patch by Wolfgang Rosenauer. - Fix gcc warnings about undefined operations, patch by Robert O'Callahan. - Update system-proxies.patch to fix error box (214125), patch by Robert O'Callahan. - Update to current CVS version of 2.0. - Use www.opensuse.org as default home page for now (#203547). - Disable non-working plasticfox and tango themes. - Fix building of locales. - update to version 2.0rc3: * New features: Visual Refresh, Built-in phishing protection, Enhanced search capabilities, Improved tabbed browsing, Resuming your browsing session, Previewing and subscribing to Web feeds, Inline spell checking, Live Titles, Improved Add-ons manager, JavaScript 1.7, Extended search plugin format, Updates to the extension system, Client-side session and persistent storage, SVG text - disabled debugging. - security update to version 1.5.0.7 - added greasemonkey helper change (#199920) - fixed packager.mk for new make version - fixed crash in dbus component (patch by thoenig #197928) - use external adresses for PAC configuration (#196506) - added symlink for Firefox 1.0.x compatibility - update to regression release 1.5.0.6 (#195043) - security update to version 1.5.0.5 (#195043) * observer-lock.patch integrated now - fixed leak in JS' liveconnect (#186066) - fixed desktop file for old distributions (StartupNotify=false) - Merge changes from the Build Service (thanks, Wolfgang) (bnc#400001 and SWAMP#18164). - update to version 1.9 - removed obsolete mozilla-fsync* patch - make it possible to ignore NM events with a pref (bmo#424626) (toolkit.networkmanager.ignore=false|true) (mozilla-network-status.patch) - modify pref to not stop at punctuation for selections (bnc#395070) - fixed restart command for session managers (bnc#396552) - do not compile cairo with SSE support (bnc#397815) - mozilla-js.pc uses correct cflags (bnc#397814) - Fix baselibs.conf to mention mozilla-xulrunner190-translations (bnc#393856). - Add mozilla-pkgconfig.patch (part of bnc#381154). - Add mozilla-fsync-bmo499050.patch (bmo#499050). - Merge changes from the build service (thanks, Wolfgang): + Only use gconf proxy settings under GNOME (bnc#381172) + Add mozilla-extensionmanager.patch (bnc#381733, and #382969) + Add mozilla-system-hunspell.patch to enable use of the system's hunspell (bnc#382437) + Add mozilla-gnome-proxies.patch: * Only use gconf proxy settings when running under GNOME (bnc#381172) * Correctly read the ignored hosts settings from gconf (bmo#429520) + Add mozilla-helperapp.patch to offer the gconf default for protocol handlers (bnc#383697) - Rename the -lang subpackage to -stranslations (bnc#381635). - Merge changes from the build service: + Add mozilla-chrome-registry.patch to fix a startup crash (bmo#391311 and bnc#379523) + Add mozilla-scroll.patch to fix scrolling performance issues (bmo#424915 and bnc#377055) + Update baselibs.conf. - Better sync against the build service's version. - added baselibs.conf file to create xxbit packages - update to version 1.9b5 * including fix for bnc #368967 * integrated mozilla-gnome-vfs.patch - updated shipped locales "Provides" - fixed version upgrading (remove leftovers from previous versions) - remove executable flags from JS scripts - CSS DPI scaling now occurs with higher dpi values now (>192) - prerequire coreutils for 'rm' in post scripts - Merge changes from the build service (thanks, Wolfgang). - new snapshot version 1.9b4 - updated shipped locales "Provides" - enabled url classifier component (needed for Firefox' safe browsing feature) - added mozilla-gnome-vfs.patch (#368238) - new snapshot 20080228 - source archive contains browser components now to make it easier to keep xulrunner and firefox in sync (use shipped-locales from browser now instead of keeping a copy in the package) - proxy-type 5 is default now (removed from default prefs) - new snapshot 20080227 - use system provided sqlite for factory/11.0 - use fdupes - tweak default preferences - fix debuginfo package - fix wrong executable permissions - fix wrong ownership of the gnomevfs libs - add add-plugins.sh to manage dictionaries - new snapshot 20080225 - added -gnomevfs subpackage for evaluation - added back -l10n subpackage - initial xulrunner 1.9 package * doesn't update any prior xulrunner yet * can be installed in parallel * just updates the /usr/bin/xulrunner link to the new version * needs NSPR 4.7.1 and NSS 3.12 - Merge changes from the build service (thanks, Wolfgang) (bnc#400001 and SWAMP#18164). - update to version 3.0 - fixed double entry in bookmarks for www.opensuse.org (bnc#396980 - Add Planet SUSE, forums.o.o and How to participate to default URLs. - network.protocol-handler.app.* prefs are no longer supported; remove references to them from firefox-suse-default-prefs.js (bnc#383697). - Update to Firefox 3.0b5 (2.9.95) (thanks, Wolfgang). - Merge changes from the build service (thanks, Wolfgang) - Update to the fourth Firefox 3.0 Beta (2.9.94): + Based upon the Gecko 1.9 Web rendering platform, which improves performance, stability, and rendering correctness; it also boasts a considerable simplification in its code + Security improvements: * One-click site info * Malware Protection * New Web Forgery Protection page * New SSL error pages * Add-ons and Plugin version check * Secure add-on updates * Effective top-level domain (eTLD) service to better restrict cookies and other restricted content to a single domain * Better protection against cross-site JSON data leaks + Usability improvements: * Easier password management * Simplified add-on installation * New Download Manager * Resumable downloading * Full page zoom * Podcasts and Videocasts can be associated with your media playback tools * Tab scrolling and quickmenu * Save what you were doing: Firefox will prompt users to save tabs on exit * Optimized Open in Tabs behavior * Location and Search bar size can now be customized with a simple resizer item * Text selection improvements * Find toolbar * Improved integration with Linux: Firefox's default icons, buttons, and menu styles now use the native GTK theme + Personalization improvements: * Star button: quickly add bookmarks from the location bar with a single click; a second click lets you file and tag them * Tags: associate keywords with your bookmarks to sort them by topic * Location bar & auto-complete * Smart Bookmarks Folder * Places Organizer: view, organize and search through all of your bookmarks, tags, and browsing history with multiple views and smart folders to store your frequent searches * Web-based protocol handlers * Download & Install Add-ons * Easy to use Download Actions + Improved platform for web developers: * New graphics and font handling: new graphics and text rendering architectures in Gecko 1.9 provides rendering improvements in CSS, SVG as well as improved display of fonts with ligatures and complex scripts * Color management: (set gfx.color_management.enabled on in about:config and restart the browser to enable.); Firefox can now adjust images with embedded color profiles * Offline support: enables web applications to provide offline functionality (website authors must add support for offline browsing to their site for this feature to be available to users) + Improved performance: * Speed: improvements to the JavaScript engine as well as profile guided optimizations have resulted in significant improvements in performance; compared to Firefox 2, web applications like Google Mail and Zoho Office run twice as fast in Firefox 3 Beta 4, and the popular SunSpider test from Apple shows improvements over previous releases * Memory usage: Several new technologies work together to reduce the amount of memory used by Firefox 3 Beta 4 over a web browsing session; memory cycles are broken and collected by an automated cycle collector, a new memory allocator reduces fragmentation, hundreds of leaks have been fixed, and caching strategies have been tuned * Reliability: A user's bookmarks, history, cookies, and preferences are now stored in a transactionally secure database format which will prevent data loss even if their system crashes - This version depends upon the mozilla-xulrunner190 package - Drop various stale packages, respin several that have been kept around, and add a few new ones. - Security update to version 2.0.0.12 (bnc#354469): + MFSA 2008-11/CVE-2008-0594 Web forgery overwrite with div overlay + MFSA 2008-10/CVE-2008-0593 URL token stealing via stylesheet redirect + MFSA 2008-09/CVE-2008-0592 Mishandling of locally-saved plain text files + MFSA 2008-08/CVE-2008-0591 File action dialog tampering + MFSA 2008-06/CVE-2008-0419 Web browsing history and forward navigation stealing + MFSA 2008-05/CVE-2008-0418 Directory traversal via chrome: URI + MFSA 2008-04/CVE-2008-0417 Stored password corruption + MFSA 2008-03/CVE-2008-0415 Privilege escalation, XSS, Remote Code Execution + MFSA 2008-02/CVE-2008-0414 Multiple file input focus stealing vulnerabilities + MFSA 2008-01/CVE-2008-0412 Crashes with evidence of memory corruption (rv:1.8.1.12) - Reference libaoss.so in start script (bnc#117079) - Remove mozilla-canvas-1.8.1.10.patch, as it has been upstreamed - Update firefox-ui-lockdown.patch (FATE#301534, FATE#302023, and FATE#302024) - Add application/x-xpinstall mime type to MozillaFirefox.desktop - Add MozillaFirefox.xml to bind .xpi to application/x-xpinstall in desktop. - Add mozilla-maxpathlen.patch (#354150 and bmo #412610). - Add firefox-348446-empty-lists.patch (bnc#348446). - Respin proxy-dev.patch (bnc#340678) -- thanks, Anders! - Security update to version 2.0.0.10 (#341905, #341591): + MFSA 2007-39 Referer-spoofing via window.location race condition + MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10) + MFSA 2007-37 jar: URI scheme XSS hazard + Fixes for regressions introduced in 2.0.0.8 + Updated dbus.patch, startup.patch, misc.dif, and configure.patch - Add mozilla-gcc4.3-fixes.patch - Add mozilla-canvas-1.8.1.10.patch (#341591#c10). - Build with -ftree-vrp -fwrapv, per advice in #342603#c17. - Add firefox-gcc4.3-fixes.patch. - Security update to version 2.0.0.8 (#332512) (thanks, Wolfgang) * MFSA 2007-29 Crashes with evidence of memory corruption * MFSA 2007-30 onUnload Tailgating * MFSA 2007-31 Digest authentication request splitting * MFSA 2007-32 File input focus stealing vulnerability * MFSA 2007-33 XUL pages can hide the window titlebar * MFSA 2007-34 Possible file stealing through sftp protocol * MFSA 2007-35 XPCNativeWraper pollution using Script object complete advisories on http://www.mozilla.org/projects/security/known-vulnerabilities.html - Don't explicitly require libaoss.so (#326751). - Update the Novell Support search plugin in search-addons.tar.bz2 (#297261) - Set the browser.tabs.loadFolderAndReplace preference to false by default (#230759). - fix hardlinks accross partitions - Add http://software.opensuse.org/search?baseproject=openSUSE:10.3 to the default bookmarks (#308223). - move last change a bit further in specfile - Mark a .png file as nonexecutable. - Minor .spec update (#305193) + Remove two obsolete patches + Correct releasedate + Include only the officially supported locales. - Merge changes from the build service (thanks, Wolfgang): + Provide locale dependency information (#302288) + Add x11-session.patch, supporting X11 session management (#227047) + Update to version 2.0.0.6 * MFSA 2007-26 Privilege escalation through chrome-loaded about:blank windows * MFSA 2007-27 Unescaped URIs passed to external programs (only relevant on Windows) - Use %fdupes. - Adjust bookmarks: Add news.opensuse.org, use new software.o.o page. - Revert previous change. - Added support for ymp in the mimetypes.rdf - Added OneClickInstallUrlHandler for handing the actual call from firefox. - Fixes bnc #295677 - Security update to version 2.0.0.5 (#288115) which has fixes for: MFSA 2007-18 CVE-2007-3734 - Browser flaws CVE-2007-3735 - Javascript flaws MFSA 2007-19 CVE-2007-3736 MFSA 2007-20 CVE-2007-3089 MFSA 2007-21 CVE-2007-3737 MFSA 2007-22 CVE-2007-3285 MFSA 2007-23 CVE-2007-3670 MFSA 2007-24 CVE-2007-3656 MFSA 2007-25 CVE-2007-3738 - fix changelog entry order - Use mozilla.sh.in from the build service (#230681). - Removed invalid desktop category "Application" (#254654). - Security update to version 2.0.0.4 - Refresh configure.patch, startup.patch, and visibility.patch - Now use l10n-%{version}.tar.bz2 instead of l10n.tar.bz2. - added unzip to BuildRequires - add Japanese to the languages which get PANGO enabled in the start script to support the Japanese combining characters U+3099 U+309A (see bugzilla #262718 comment #29). - Package gconf stuff. - Security update to 2.0.0.2 (#244923), which covers: + mfsa2007-01 * CVE-2007-0775 - layout engine crashes * CVE-2007-0776 - SVG * CVE-2007-0777 - javascript engine corruption + mfsa2007-02 * CVE-2007-0995 - Invalid trailing characters in HTML tag attributes * CVE-2007-0996 - Child frame character set inheritance * CVE-2006-6077 - Injected password forms + mfsa2007-02 + mfsa2007-03 * CVE-2007-0078 + mfsa2007-04 * CVE-2007-0079 + mfsa2007-05 * CVE-2007-0780 * CVE-2007-0800 + mfsa2007-06 * CVE-2007-0008 - client flaw * CVE-2007-0009 - server flaw + mfsa2007-07 * CVE-2007-0981 - Updates mozilla.sh.in (#230681) - Fixes #232209 - Updates the man page (#243037) - Properly propagates exit codes (#241492) - Adds em-356370.patch (#217374) - Fixup the Gnome paths, keeping in closer sync with the buildservice. - Gnome is now in /usr, so remove references to /opt/gnome - Install firefox.png with the executable bit not set. - readd MozillaFirebird provides (was incorrect in removing it). - Do not provide MozillaFirebird, just obsolete it. - Update gecko-lockdown.patch (#220616). - Update firefox-suse-default-prefs.js, adding 'pref("browser.backspace_action", 2);' (#217374) - Fix last change (#224431). - Change download bookmark (#224431). - Rename bookmark folder to openSUSE. - Sync from Buildservice with following critical fixes (thanks Wolfgang Rosenauer!): * fixed system-proxies.patch to actually work (#223881). * Rearrange Bookmarks to pass trademark review. - Fix tango theme (#223796). - Use www.opensuse.org as home page. - Set novell.com as home page. - Update from BuildService (thanks Wolfgang!): - fixed crash in htmlparser (#217257, bmo #358797) - added gconf2 as PreReq (#212505) - added 32bit libaoss.so as requirement (#216266) - Removed SUSE searchplugin (Portal not available anymore) (#216054) - Removed obsolete xul-picker.patch and system-nspr.patch - Fixed building on 10.1 and 10.0 (dbus) - Removed obsolete throbber preference - updated tango theme - Another fix for 214125, patch by Wolfgang Rosenauer. - Fix gcc warnings about undefined operations, patch by Robert O'Callahan. - Update system-proxies.patch to fix error box (214125), patch by Robert O'Callahan. - Update to current CVS version of 2.0. - Use www.opensuse.org as default home page for now (#203547). - Disable non-working plasticfox and tango themes. - Fix building of locales. - update to version 2.0rc3: * New features: Visual Refresh, Built-in phishing protection, Enhanced search capabilities, Improved tabbed browsing, Resuming your browsing session, Previewing and subscribing to Web feeds, Inline spell checking, Live Titles, Improved Add-ons manager, JavaScript 1.7, Extended search plugin format, Updates to the extension system, Client-side session and persistent storage, SVG text - disabled debugging. - security update to version 1.5.0.7 - added greasemonkey helper change (#199920) - fixed packager.mk for new make version - fixed crash in dbus component (patch by thoenig #197928) - use external adresses for PAC configuration (#196506) - added symlink for Firefox 1.0.x compatibility - update to regression release 1.5.0.6 (#195043) - security update to version 1.5.0.5 (#195043) * observer-lock.patch integrated now - fixed leak in JS' liveconnect (#186066) - fixed desktop file for old distributions (StartupNotify=false) - Merge changes from the Build Service (thanks, Wolfgang) (bnc#400001 and SWAMP#18164). - update to version 1.9 - removed obsolete mozilla-fsync* patch - make it possible to ignore NM events with a pref (bmo#424626) (toolkit.networkmanager.ignore=false|true) (mozilla-network-status.patch) - modify pref to not stop at punctuation for selections (bnc#395070) - fixed restart command for session managers (bnc#396552) - do not compile cairo with SSE support (bnc#397815) - mozilla-js.pc uses correct cflags (bnc#397814) - Fix baselibs.conf to mention mozilla-xulrunner190-translations (bnc#393856). - Add mozilla-pkgconfig.patch (part of bnc#381154). - Add mozilla-fsync-bmo499050.patch (bmo#499050). - Merge changes from the build service (thanks, Wolfgang): + Only use gconf proxy settings under GNOME (bnc#381172) + Add mozilla-extensionmanager.patch (bnc#381733, and #382969) + Add mozilla-system-hunspell.patch to enable use of the system's hunspell (bnc#382437) + Add mozilla-gnome-proxies.patch: * Only use gconf proxy settings when running under GNOME (bnc#381172) * Correctly read the ignored hosts settings from gconf (bmo#429520) + Add mozilla-helperapp.patch to offer the gconf default for protocol handlers (bnc#383697) - Rename the -lang subpackage to -stranslations (bnc#381635). - Merge changes from the build service: + Add mozilla-chrome-registry.patch to fix a startup crash (bmo#391311 and bnc#379523) + Add mozilla-scroll.patch to fix scrolling performance issues (bmo#424915 and bnc#377055) + Update baselibs.conf. - Better sync against the build service's version. - added baselibs.conf file to create xxbit packages - update to version 1.9b5 * including fix for bnc #368967 * integrated mozilla-gnome-vfs.patch - updated shipped locales "Provides" - fixed version upgrading (remove leftovers from previous versions) - remove executable flags from JS scripts - CSS DPI scaling now occurs with higher dpi values now (>192) - prerequire coreutils for 'rm' in post scripts - Merge changes from the build service (thanks, Wolfgang). - new snapshot version 1.9b4 - updated shipped locales "Provides" - enabled url classifier component (needed for Firefox' safe browsing feature) - added mozilla-gnome-vfs.patch (#368238) - new snapshot 20080228 - source archive contains browser components now to make it easier to keep xulrunner and firefox in sync (use shipped-locales from browser now instead of keeping a copy in the package) - proxy-type 5 is default now (removed from default prefs) - new snapshot 20080227 - use system provided sqlite for factory/11.0 - use fdupes - tweak default preferences - fix debuginfo package - fix wrong executable permissions - fix wrong ownership of the gnomevfs libs - add add-plugins.sh to manage dictionaries - new snapshot 20080225 - added -gnomevfs subpackage for evaluation - added back -l10n subpackage - initial xulrunner 1.9 package * doesn't update any prior xulrunner yet * can be installed in parallel * just updates the /usr/bin/xulrunner link to the new version * needs NSPR 4.7.1 and NSS 3.12 - Merge changes from the build service (thanks, Wolfgang) (bnc#400001 and SWAMP#18164). - update to version 3.0 - fixed double entry in bookmarks for www.opensuse.org (bnc#396980 - Add Planet SUSE, forums.o.o and How to participate to default URLs. - network.protocol-handler.app.* prefs are no longer supported; remove references to them from firefox-suse-default-prefs.js (bnc#383697). - Update to Firefox 3.0b5 (2.9.95) (thanks, Wolfgang). - Merge changes from the build service (thanks, Wolfgang) - Update to the fourth Firefox 3.0 Beta (2.9.94): + Based upon the Gecko 1.9 Web rendering platform, which improves performance, stability, and rendering correctness; it also boasts a considerable simplification in its code + Security improvements: * One-click site info * Malware Protection * New Web Forgery Protection page * New SSL error pages * Add-ons and Plugin version check * Secure add-on updates * Effective top-level domain (eTLD) service to better restrict cookies and other restricted content to a single domain * Better protection against cross-site JSON data leaks + Usability improvements: * Easier password management * Simplified add-on installation * New Download Manager * Resumable downloading * Full page zoom * Podcasts and Videocasts can be associated with your media playback tools * Tab scrolling and quickmenu * Save what you were doing: Firefox will prompt users to save tabs on exit * Optimized Open in Tabs behavior * Location and Search bar size can now be customized with a simple resizer item * Text selection improvements * Find toolbar * Improved integration with Linux: Firefox's default icons, buttons, and menu styles now use the native GTK theme + Personalization improvements: * Star button: quickly add bookmarks from the location bar with a single click; a second click lets you file and tag them * Tags: associate keywords with your bookmarks to sort them by topic * Location bar & auto-complete * Smart Bookmarks Folder * Places Organizer: view, organize and search through all of your bookmarks, tags, and browsing history with multiple views and smart folders to store your frequent searches * Web-based protocol handlers * Download & Install Add-ons * Easy to use Download Actions + Improved platform for web developers: * New graphics and font handling: new graphics and text rendering architectures in Gecko 1.9 provides rendering improvements in CSS, SVG as well as improved display of fonts with ligatures and complex scripts * Color management: (set gfx.color_management.enabled on in about:config and restart the browser to enable.); Firefox can now adjust images with embedded color profiles * Offline support: enables web applications to provide offline functionality (website authors must add support for offline browsing to their site for this feature to be available to users) + Improved performance: * Speed: improvements to the JavaScript engine as well as profile guided optimizations have resulted in significant improvements in performance; compared to Firefox 2, web applications like Google Mail and Zoho Office run twice as fast in Firefox 3 Beta 4, and the popular SunSpider test from Apple shows improvements over previous releases * Memory usage: Several new technologies work together to reduce the amount of memory used by Firefox 3 Beta 4 over a web browsing session; memory cycles are broken and collected by an automated cycle collector, a new memory allocator reduces fragmentation, hundreds of leaks have been fixed, and caching strategies have been tuned * Reliability: A user's bookmarks, history, cookies, and preferences are now stored in a transactionally secure database format which will prevent data loss even if their system crashes - This version depends upon the mozilla-xulrunner190 package - Drop various stale packages, respin several that have been kept around, and add a few new ones. - Security update to version 2.0.0.12 (bnc#354469): + MFSA 2008-11/CVE-2008-0594 Web forgery overwrite with div overlay + MFSA 2008-10/CVE-2008-0593 URL token stealing via stylesheet redirect + MFSA 2008-09/CVE-2008-0592 Mishandling of locally-saved plain text files + MFSA 2008-08/CVE-2008-0591 File action dialog tampering + MFSA 2008-06/CVE-2008-0419 Web browsing history and forward navigation stealing + MFSA 2008-05/CVE-2008-0418 Directory traversal via chrome: URI + MFSA 2008-04/CVE-2008-0417 Stored password corruption + MFSA 2008-03/CVE-2008-0415 Privilege escalation, XSS, Remote Code Execution + MFSA 2008-02/CVE-2008-0414 Multiple file input focus stealing vulnerabilities + MFSA 2008-01/CVE-2008-0412 Crashes with evidence of memory corruption (rv:1.8.1.12) - Reference libaoss.so in start script (bnc#117079) - Remove mozilla-canvas-1.8.1.10.patch, as it has been upstreamed - Update firefox-ui-lockdown.patch (FATE#301534, FATE#302023, and FATE#302024) - Add application/x-xpinstall mime type to MozillaFirefox.desktop - Add MozillaFirefox.xml to bind .xpi to application/x-xpinstall in desktop. - Add mozilla-maxpathlen.patch (#354150 and bmo #412610). - Add firefox-348446-empty-lists.patch (bnc#348446). - Respin proxy-dev.patch (bnc#340678) -- thanks, Anders! - Security update to version 2.0.0.10 (#341905, #341591): + MFSA 2007-39 Referer-spoofing via window.location race condition + MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10) + MFSA 2007-37 jar: URI scheme XSS hazard + Fixes for regressions introduced in 2.0.0.8 + Updated dbus.patch, startup.patch, misc.dif, and configure.patch - Add mozilla-gcc4.3-fixes.patch - Add mozilla-canvas-1.8.1.10.patch (#341591#c10). - Build with -ftree-vrp -fwrapv, per advice in #342603#c17. - Add firefox-gcc4.3-fixes.patch. - Security update to version 2.0.0.8 (#332512) (thanks, Wolfgang) * MFSA 2007-29 Crashes with evidence of memory corruption * MFSA 2007-30 onUnload Tailgating * MFSA 2007-31 Digest authentication request splitting * MFSA 2007-32 File input focus stealing vulnerability * MFSA 2007-33 XUL pages can hide the window titlebar * MFSA 2007-34 Possible file stealing through sftp protocol * MFSA 2007-35 XPCNativeWraper pollution using Script object complete advisories on http://www.mozilla.org/projects/security/known-vulnerabilities.html - Don't explicitly require libaoss.so (#326751). - Update the Novell Support search plugin in search-addons.tar.bz2 (#297261) - Set the browser.tabs.loadFolderAndReplace preference to false by default (#230759). - fix hardlinks accross partitions - Add http://software.opensuse.org/search?baseproject=openSUSE:10.3 to the default bookmarks (#308223). - move last change a bit further in specfile - Mark a .png file as nonexecutable. - Minor .spec update (#305193) + Remove two obsolete patches + Correct releasedate + Include only the officially supported locales. - Merge changes from the build service (thanks, Wolfgang): + Provide locale dependency information (#302288) + Add x11-session.patch, supporting X11 session management (#227047) + Update to version 2.0.0.6 * MFSA 2007-26 Privilege escalation through chrome-loaded about:blank windows * MFSA 2007-27 Unescaped URIs passed to external programs (only relevant on Windows) - Use %fdupes. - Adjust bookmarks: Add news.opensuse.org, use new software.o.o page. - Revert previous change. - Added support for ymp in the mimetypes.rdf - Added OneClickInstallUrlHandler for handing the actual call from firefox. - Fixes bnc #295677 - Security update to version 2.0.0.5 (#288115) which has fixes for: MFSA 2007-18 CVE-2007-3734 - Browser flaws CVE-2007-3735 - Javascript flaws MFSA 2007-19 CVE-2007-3736 MFSA 2007-20 CVE-2007-3089 MFSA 2007-21 CVE-2007-3737 MFSA 2007-22 CVE-2007-3285 MFSA 2007-23 CVE-2007-3670 MFSA 2007-24 CVE-2007-3656 MFSA 2007-25 CVE-2007-3738 - fix changelog entry order - Use mozilla.sh.in from the build service (#230681). - Removed invalid desktop category "Application" (#254654). - Security update to version 2.0.0.4 - Refresh configure.patch, startup.patch, and visibility.patch - Now use l10n-%{version}.tar.bz2 instead of l10n.tar.bz2. - added unzip to BuildRequires - add Japanese to the languages which get PANGO enabled in the start script to support the Japanese combining characters U+3099 U+309A (see bugzilla #262718 comment #29). - Package gconf stuff. - Security update to 2.0.0.2 (#244923), which covers: + mfsa2007-01 * CVE-2007-0775 - layout engine crashes * CVE-2007-0776 - SVG * CVE-2007-0777 - javascript engine corruption + mfsa2007-02 * CVE-2007-0995 - Invalid trailing characters in HTML tag attributes * CVE-2007-0996 - Child frame character set inheritance * CVE-2006-6077 - Injected password forms + mfsa2007-02 + mfsa2007-03 * CVE-2007-0078 + mfsa2007-04 * CVE-2007-0079 + mfsa2007-05 * CVE-2007-0780 * CVE-2007-0800 + mfsa2007-06 * CVE-2007-0008 - client flaw * CVE-2007-0009 - server flaw + mfsa2007-07 * CVE-2007-0981 - Updates mozilla.sh.in (#230681) - Fixes #232209 - Updates the man page (#243037) - Properly propagates exit codes (#241492) - Adds em-356370.patch (#217374) - Fixup the Gnome paths, keeping in closer sync with the buildservice. - Gnome is now in /usr, so remove references to /opt/gnome - Install firefox.png with the executable bit not set. - readd MozillaFirebird provides (was incorrect in removing it). - Do not provide MozillaFirebird, just obsolete it. - Update gecko-lockdown.patch (#220616). - Update firefox-suse-default-prefs.js, adding 'pref("browser.backspace_action", 2);' (#217374) - Fix last change (#224431). - Change download bookmark (#224431). - Rename bookmark folder to openSUSE. - Sync from Buildservice with following critical fixes (thanks Wolfgang Rosenauer!): * fixed system-proxies.patch to actually work (#223881). * Rearrange Bookmarks to pass trademark review. - Fix tango theme (#223796). - Use www.opensuse.org as home page. - Set novell.com as home page. - Update from BuildService (thanks Wolfgang!): - fixed crash in htmlparser (#217257, bmo #358797) - added gconf2 as PreReq (#212505) - added 32bit libaoss.so as requirement (#216266) - Removed SUSE searchplugin (Portal not available anymore) (#216054) - Removed obsolete xul-picker.patch and system-nspr.patch - Fixed building on 10.1 and 10.0 (dbus) - Removed obsolete throbber preference - updated tango theme - Another fix for 214125, patch by Wolfgang Rosenauer. - Fix gcc warnings about undefined operations, patch by Robert O'Callahan. - Update system-proxies.patch to fix error box (214125), patch by Robert O'Callahan. - Update to current CVS version of 2.0. - Use www.opensuse.org as default home page for now (#203547). - Disable non-working plasticfox and tango themes. - Fix building of locales. - update to version 2.0rc3: * New features: Visual Refresh, Built-in phishing protection, Enhanced search capabilities, Improved tabbed browsing, Resuming your browsing session, Previewing and subscribing to Web feeds, Inline spell checking, Live Titles, Improved Add-ons manager, JavaScript 1.7, Extended search plugin format, Updates to the extension system, Client-side session and persistent storage, SVG text - disabled debugging. - security update to version 1.5.0.7 - added greasemonkey helper change (#199920) - fixed packager.mk for new make version - fixed crash in dbus component (patch by thoenig #197928) - use external adresses for PAC configuration (#196506) - added symlink for Firefox 1.0.x compatibility - update to regression release 1.5.0.6 (#195043) - security update to version 1.5.0.5 (#195043) * observer-lock.patch integrated now - fixed leak in JS' liveconnect (#186066) - fixed desktop file for old distributions (StartupNotify=false) - Merge changes from the Build Service (thanks, Wolfgang) (bnc#400001 and SWAMP#18164). - update to version 1.9 - removed obsolete mozilla-fsync* patch - make it possible to ignore NM events with a pref (bmo#424626) (toolkit.networkmanager.ignore=false|true) (mozilla-network-status.patch) - modify pref to not stop at punctuation for selections (bnc#395070) - fixed restart command for session managers (bnc#396552) - do not compile cairo with SSE support (bnc#397815) - mozilla-js.pc uses correct cflags (bnc#397814) - Fix baselibs.conf to mention mozilla-xulrunner190-translations (bnc#393856). - Add mozilla-pkgconfig.patch (part of bnc#381154). - Add mozilla-fsync-bmo499050.patch (bmo#499050). - Merge changes from the build service (thanks, Wolfgang): + Only use gconf proxy settings under GNOME (bnc#381172) + Add mozilla-extensionmanager.patch (bnc#381733, and #382969) + Add mozilla-system-hunspell.patch to enable use of the system's hunspell (bnc#382437) + Add mozilla-gnome-proxies.patch: * Only use gconf proxy settings when running under GNOME (bnc#381172) * Correctly read the ignored hosts settings from gconf (bmo#429520) + Add mozilla-helperapp.patch to offer the gconf default for protocol handlers (bnc#383697) - Rename the -lang subpackage to -stranslations (bnc#381635). - Merge changes from the build service: + Add mozilla-chrome-registry.patch to fix a startup crash (bmo#391311 and bnc#379523) + Add mozilla-scroll.patch to fix scrolling performance issues (bmo#424915 and bnc#377055) + Update baselibs.conf. - Better sync against the build service's version. - added baselibs.conf file to create xxbit packages - update to version 1.9b5 * including fix for bnc #368967 * integrated mozilla-gnome-vfs.patch - updated shipped locales "Provides" - fixed version upgrading (remove leftovers from previous versions) - remove executable flags from JS scripts - CSS DPI scaling now occurs with higher dpi values now (>192) - prerequire coreutils for 'rm' in post scripts - Merge changes from the build service (thanks, Wolfgang). - new snapshot version 1.9b4 - updated shipped locales "Provides" - enabled url classifier component (needed for Firefox' safe browsing feature) - added mozilla-gnome-vfs.patch (#368238) - new snapshot 20080228 - source archive contains browser components now to make it easier to keep xulrunner and firefox in sync (use shipped-locales from browser now instead of keeping a copy in the package) - proxy-type 5 is default now (removed from default prefs) - new snapshot 20080227 - use system provided sqlite for factory/11.0 - use fdupes - tweak default preferences - fix debuginfo package - fix wrong executable permissions - fix wrong ownership of the gnomevfs libs - add add-plugins.sh to manage dictionaries - new snapshot 20080225 - added -gnomevfs subpackage for evaluation - added back -l10n subpackage - initial xulrunner 1.9 package * doesn't update any prior xulrunner yet * can be installed in parallel * just updates the /usr/bin/xulrunner link to the new version * needs NSPR 4.7.1 and NSS 3.12 - Merge changes from the Build Service (thanks, Wolfgang) (bnc#400001 and SWAMP#18164). - update to version 1.9 - removed obsolete mozilla-fsync* patch - make it possible to ignore NM events with a pref (bmo#424626) (toolkit.networkmanager.ignore=false|true) (mozilla-network-status.patch) - modify pref to not stop at punctuation for selections (bnc#395070) - fixed restart command for session managers (bnc#396552) - do not compile cairo with SSE support (bnc#397815) - mozilla-js.pc uses correct cflags (bnc#397814) - Fix baselibs.conf to mention mozilla-xulrunner190-translations (bnc#393856). - Add mozilla-pkgconfig.patch (part of bnc#381154). - Add mozilla-fsync-bmo499050.patch (bmo#499050). - Merge changes from the build service (thanks, Wolfgang): + Only use gconf proxy settings under GNOME (bnc#381172) + Add mozilla-extensionmanager.patch (bnc#381733, and #382969) + Add mozilla-system-hunspell.patch to enable use of the system's hunspell (bnc#382437) + Add mozilla-gnome-proxies.patch: * Only use gconf proxy settings when running under GNOME (bnc#381172) * Correctly read the ignored hosts settings from gconf (bmo#429520) + Add mozilla-helperapp.patch to offer the gconf default for protocol handlers (bnc#383697) - Rename the -lang subpackage to -stranslations (bnc#381635). - Merge changes from the build service: + Add mozilla-chrome-registry.patch to fix a startup crash (bmo#391311 and bnc#379523) + Add mozilla-scroll.patch to fix scrolling performance issues (bmo#424915 and bnc#377055) + Update baselibs.conf. - Better sync against the build service's version. - added baselibs.conf file to create xxbit packages - update to version 1.9b5 * including fix for bnc #368967 * integrated mozilla-gnome-vfs.patch - updated shipped locales "Provides" - fixed version upgrading (remove leftovers from previous versions) - remove executable flags from JS scripts - CSS DPI scaling now occurs with higher dpi values now (>192) - prerequire coreutils for 'rm' in post scripts - Merge changes from the build service (thanks, Wolfgang). - new snapshot version 1.9b4 - updated shipped locales "Provides" - enabled url classifier component (needed for Firefox' safe browsing feature) - added mozilla-gnome-vfs.patch (#368238) - new snapshot 20080228 - source archive contains browser components now to make it easier to keep xulrunner and firefox in sync (use shipped-locales from browser now instead of keeping a copy in the package) - proxy-type 5 is default now (removed from default prefs) - new snapshot 20080227 - use system provided sqlite for factory/11.0 - use fdupes - tweak default preferences - fix debuginfo package - fix wrong executable permissions - fix wrong ownership of the gnomevfs libs - add add-plugins.sh to manage dictionaries - new snapshot 20080225 - added -gnomevfs subpackage for evaluation - added back -l10n subpackage - initial xulrunner 1.9 package * doesn't update any prior xulrunner yet * can be installed in parallel * just updates the /usr/bin/xulrunner link to the new version * needs NSPR 4.7.1 and NSS 3.12 - Merge changes from the build service (thanks, Wolfgang) (bnc#400001 and SWAMP#18164). - update to version 3.0 - fixed double entry in bookmarks for www.opensuse.org (bnc#396980 - Add Planet SUSE, forums.o.o and How to participate to default URLs. - network.protocol-handler.app.* prefs are no longer supported; remove references to them from firefox-suse-default-prefs.js (bnc#383697). - Update to Firefox 3.0b5 (2.9.95) (thanks, Wolfgang). - Merge changes from the build service (thanks, Wolfgang) - Update to the fourth Firefox 3.0 Beta (2.9.94): + Based upon the Gecko 1.9 Web rendering platform, which improves performance, stability, and rendering correctness; it also boasts a considerable simplification in its code + Security improvements: * One-click site info * Malware Protection * New Web Forgery Protection page * New SSL error pages * Add-ons and Plugin version check * Secure add-on updates * Effective top-level domain (eTLD) service to better restrict cookies and other restricted content to a single domain * Better protection against cross-site JSON data leaks + Usability improvements: * Easier password management * Simplified add-on installation * New Download Manager * Resumable downloading * Full page zoom * Podcasts and Videocasts can be associated with your media playback tools * Tab scrolling and quickmenu * Save what you were doing: Firefox will prompt users to save tabs on exit * Optimized Open in Tabs behavior * Location and Search bar size can now be customized with a simple resizer item * Text selection improvements * Find toolbar * Improved integration with Linux: Firefox's default icons, buttons, and menu styles now use the native GTK theme + Personalization improvements: * Star button: quickly add bookmarks from the location bar with a single click; a second click lets you file and tag them * Tags: associate keywords with your bookmarks to sort them by topic * Location bar & auto-complete * Smart Bookmarks Folder * Places Organizer: view, organize and search through all of your bookmarks, tags, and browsing history with multiple views and smart folders to store your frequent searches * Web-based protocol handlers * Download & Install Add-ons * Easy to use Download Actions + Improved platform for web developers: * New graphics and font handling: new graphics and text rendering architectures in Gecko 1.9 provides rendering improvements in CSS, SVG as well as improved display of fonts with ligatures and complex scripts * Color management: (set gfx.color_management.enabled on in about:config and restart the browser to enable.); Firefox can now adjust images with embedded color profiles * Offline support: enables web applications to provide offline functionality (website authors must add support for offline browsing to their site for this feature to be available to users) + Improved performance: * Speed: improvements to the JavaScript engine as well as profile guided optimizations have resulted in significant improvements in performance; compared to Firefox 2, web applications like Google Mail and Zoho Office run twice as fast in Firefox 3 Beta 4, and the popular SunSpider test from Apple shows improvements over previous releases * Memory usage: Several new technologies work together to reduce the amount of memory used by Firefox 3 Beta 4 over a web browsing session; memory cycles are broken and collected by an automated cycle collector, a new memory allocator reduces fragmentation, hundreds of leaks have been fixed, and caching strategies have been tuned * Reliability: A user's bookmarks, history, cookies, and preferences are now stored in a transactionally secure database format which will prevent data loss even if their system crashes - This version depends upon the mozilla-xulrunner190 package - Drop various stale packages, respin several that have been kept around, and add a few new ones. - Security update to version 2.0.0.12 (bnc#354469): + MFSA 2008-11/CVE-2008-0594 Web forgery overwrite with div overlay + MFSA 2008-10/CVE-2008-0593 URL token stealing via stylesheet redirect + MFSA 2008-09/CVE-2008-0592 Mishandling of locally-saved plain text files + MFSA 2008-08/CVE-2008-0591 File action dialog tampering + MFSA 2008-06/CVE-2008-0419 Web browsing history and forward navigation stealing + MFSA 2008-05/CVE-2008-0418 Directory traversal via chrome: URI + MFSA 2008-04/CVE-2008-0417 Stored password corruption + MFSA 2008-03/CVE-2008-0415 Privilege escalation, XSS, Remote Code Execution + MFSA 2008-02/CVE-2008-0414 Multiple file input focus stealing vulnerabilities + MFSA 2008-01/CVE-2008-0412 Crashes with evidence of memory corruption (rv:1.8.1.12) - Reference libaoss.so in start script (bnc#117079) - Remove mozilla-canvas-1.8.1.10.patch, as it has been upstreamed - Update firefox-ui-lockdown.patch (FATE#301534, FATE#302023, and FATE#302024) - Add application/x-xpinstall mime type to MozillaFirefox.desktop - Add MozillaFirefox.xml to bind .xpi to application/x-xpinstall in desktop. - Add mozilla-maxpathlen.patch (#354150 and bmo #412610). - Add firefox-348446-empty-lists.patch (bnc#348446). - Respin proxy-dev.patch (bnc#340678) -- thanks, Anders! - Security update to version 2.0.0.10 (#341905, #341591): + MFSA 2007-39 Referer-spoofing via window.location race condition + MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10) + MFSA 2007-37 jar: URI scheme XSS hazard + Fixes for regressions introduced in 2.0.0.8 + Updated dbus.patch, startup.patch, misc.dif, and configure.patch - Add mozilla-gcc4.3-fixes.patch - Add mozilla-canvas-1.8.1.10.patch (#341591#c10). - Build with -ftree-vrp -fwrapv, per advice in #342603#c17. - Add firefox-gcc4.3-fixes.patch. - Security update to version 2.0.0.8 (#332512) (thanks, Wolfgang) * MFSA 2007-29 Crashes with evidence of memory corruption * MFSA 2007-30 onUnload Tailgating * MFSA 2007-31 Digest authentication request splitting * MFSA 2007-32 File input focus stealing vulnerability * MFSA 2007-33 XUL pages can hide the window titlebar * MFSA 2007-34 Possible file stealing through sftp protocol * MFSA 2007-35 XPCNativeWraper pollution using Script object complete advisories on http://www.mozilla.org/projects/security/known-vulnerabilities.html - Don't explicitly require libaoss.so (#326751). - Update the Novell Support search plugin in search-addons.tar.bz2 (#297261) - Set the browser.tabs.loadFolderAndReplace preference to false by default (#230759). - fix hardlinks accross partitions - Add http://software.opensuse.org/search?baseproject=openSUSE:10.3 to the default bookmarks (#308223). - move last change a bit further in specfile - Mark a .png file as nonexecutable. - Minor .spec update (#305193) + Remove two obsolete patches + Correct releasedate + Include only the officially supported locales. - Merge changes from the build service (thanks, Wolfgang): + Provide locale dependency information (#302288) + Add x11-session.patch, supporting X11 session management (#227047) + Update to version 2.0.0.6 * MFSA 2007-26 Privilege escalation through chrome-loaded about:blank windows * MFSA 2007-27 Unescaped URIs passed to external programs (only relevant on Windows) - Use %fdupes. - Adjust bookmarks: Add news.opensuse.org, use new software.o.o page. - Revert previous change. - Added support for ymp in the mimetypes.rdf - Added OneClickInstallUrlHandler for handing the actual call from firefox. - Fixes bnc #295677 - Security update to version 2.0.0.5 (#288115) which has fixes for: MFSA 2007-18 CVE-2007-3734 - Browser flaws CVE-2007-3735 - Javascript flaws MFSA 2007-19 CVE-2007-3736 MFSA 2007-20 CVE-2007-3089 MFSA 2007-21 CVE-2007-3737 MFSA 2007-22 CVE-2007-3285 MFSA 2007-23 CVE-2007-3670 MFSA 2007-24 CVE-2007-3656 MFSA 2007-25 CVE-2007-3738 - fix changelog entry order - Use mozilla.sh.in from the build service (#230681). - Removed invalid desktop category "Application" (#254654). - Security update to version 2.0.0.4 - Refresh configure.patch, startup.patch, and visibility.patch - Now use l10n-%{version}.tar.bz2 instead of l10n.tar.bz2. - added unzip to BuildRequires - add Japanese to the languages which get PANGO enabled in the start script to support the Japanese combining characters U+3099 U+309A (see bugzilla #262718 comment #29). - Package gconf stuff. - Security update to 2.0.0.2 (#244923), which covers: + mfsa2007-01 * CVE-2007-0775 - layout engine crashes * CVE-2007-0776 - SVG * CVE-2007-0777 - javascript engine corruption + mfsa2007-02 * CVE-2007-0995 - Invalid trailing characters in HTML tag attributes * CVE-2007-0996 - Child frame character set inheritance * CVE-2006-6077 - Injected password forms + mfsa2007-02 + mfsa2007-03 * CVE-2007-0078 + mfsa2007-04 * CVE-2007-0079 + mfsa2007-05 * CVE-2007-0780 * CVE-2007-0800 + mfsa2007-06 * CVE-2007-0008 - client flaw * CVE-2007-0009 - server flaw + mfsa2007-07 * CVE-2007-0981 - Updates mozilla.sh.in (#230681) - Fixes #232209 - Updates the man page (#243037) - Properly propagates exit codes (#241492) - Adds em-356370.patch (#217374) - Fixup the Gnome paths, keeping in closer sync with the buildservice. - Gnome is now in /usr, so remove references to /opt/gnome - Install firefox.png with the executable bit not set. - readd MozillaFirebird provides (was incorrect in removing it). - Do not provide MozillaFirebird, just obsolete it. - Update gecko-lockdown.patch (#220616). - Update firefox-suse-default-prefs.js, adding 'pref("browser.backspace_action", 2);' (#217374) - Fix last change (#224431). - Change download bookmark (#224431). - Rename bookmark folder to openSUSE. - Sync from Buildservice with following critical fixes (thanks Wolfgang Rosenauer!): * fixed system-proxies.patch to actually work (#223881). * Rearrange Bookmarks to pass trademark review. - Fix tango theme (#223796). - Use www.opensuse.org as home page. - Set novell.com as home page. - Update from BuildService (thanks Wolfgang!): - fixed crash in htmlparser (#217257, bmo #358797) - added gconf2 as PreReq (#212505) - added 32bit libaoss.so as requirement (#216266) - Removed SUSE searchplugin (Portal not available anymore) (#216054) - Removed obsolete xul-picker.patch and system-nspr.patch - Fixed building on 10.1 and 10.0 (dbus) - Removed obsolete throbber preference - updated tango theme - Another fix for 214125, patch by Wolfgang Rosenauer. - Fix gcc warnings about undefined operations, patch by Robert O'Callahan. - Update system-proxies.patch to fix error box (214125), patch by Robert O'Callahan. - Update to current CVS version of 2.0. - Use www.opensuse.org as default home page for now (#203547). - Disable non-working plasticfox and tango themes. - Fix building of locales. - update to version 2.0rc3: * New features: Visual Refresh, Built-in phishing protection, Enhanced search capabilities, Improved tabbed browsing, Resuming your browsing session, Previewing and subscribing to Web feeds, Inline spell checking, Live Titles, Improved Add-ons manager, JavaScript 1.7, Extended search plugin format, Updates to the extension system, Client-side session and persistent storage, SVG text - disabled debugging. - security update to version 1.5.0.7 - added greasemonkey helper change (#199920) - fixed packager.mk for new make version - fixed crash in dbus component (patch by thoenig #197928) - use external adresses for PAC configuration (#196506) - added symlink for Firefox 1.0.x compatibility - update to regression release 1.5.0.6 (#195043) - security update to version 1.5.0.5 (#195043) * observer-lock.patch integrated now - fixed leak in JS' liveconnect (#186066) - fixed desktop file for old distributions (StartupNotify=false) - Merge changes from the Build Service (thanks, Wolfgang) (bnc#400001 and SWAMP#18164). - update to version 1.9 - removed obsolete mozilla-fsync* patch - make it possible to ignore NM events with a pref (bmo#424626) (toolkit.networkmanager.ignore=false|true) (mozilla-network-status.patch) - modify pref to not stop at punctuation for selections (bnc#395070) - fixed restart command for session managers (bnc#396552) - do not compile cairo with SSE support (bnc#397815) - mozilla-js.pc uses correct cflags (bnc#397814) - Fix baselibs.conf to mention mozilla-xulrunner190-translations (bnc#393856). - Add mozilla-pkgconfig.patch (part of bnc#381154). - Add mozilla-fsync-bmo499050.patch (bmo#499050). - Merge changes from the build service (thanks, Wolfgang): + Only use gconf proxy settings under GNOME (bnc#381172) + Add mozilla-extensionmanager.patch (bnc#381733, and #382969) + Add mozilla-system-hunspell.patch to enable use of the system's hunspell (bnc#382437) + Add mozilla-gnome-proxies.patch: * Only use gconf proxy settings when running under GNOME (bnc#381172) * Correctly read the ignored hosts settings from gconf (bmo#429520) + Add mozilla-helperapp.patch to offer the gconf default for protocol handlers (bnc#383697) - Rename the -lang subpackage to -stranslations (bnc#381635). - Merge changes from the build service: + Add mozilla-chrome-registry.patch to fix a startup crash (bmo#391311 and bnc#379523) + Add mozilla-scroll.patch to fix scrolling performance issues (bmo#424915 and bnc#377055) + Update baselibs.conf. - Better sync against the build service's version. - added baselibs.conf file to create xxbit packages - update to version 1.9b5 * including fix for bnc #368967 * integrated mozilla-gnome-vfs.patch - updated shipped locales "Provides" - fixed version upgrading (remove leftovers from previous versions) - remove executable flags from JS scripts - CSS DPI scaling now occurs with higher dpi values now (>192) - prerequire coreutils for 'rm' in post scripts - Merge changes from the build service (thanks, Wolfgang). - new snapshot version 1.9b4 - updated shipped locales "Provides" - enabled url classifier component (needed for Firefox' safe browsing feature) - added mozilla-gnome-vfs.patch (#368238) - new snapshot 20080228 - source archive contains browser components now to make it easier to keep xulrunner and firefox in sync (use shipped-locales from browser now instead of keeping a copy in the package) - proxy-type 5 is default now (removed from default prefs) - new snapshot 20080227 - use system provided sqlite for factory/11.0 - use fdupes - tweak default preferences - fix debuginfo package - fix wrong executable permissions - fix wrong ownership of the gnomevfs libs - add add-plugins.sh to manage dictionaries - new snapshot 20080225 - added -gnomevfs subpackage for evaluation - added back -l10n subpackage - initial xulrunner 1.9 package * doesn't update any prior xulrunner yet * can be installed in parallel * just updates the /usr/bin/xulrunner link to the new version * needs NSPR 4.7.1 and NSS 3.12 - Merge changes from the Build Service (thanks, Wolfgang) (bnc#400001 and SWAMP#18164). - update to version 1.9 - removed obsolete mozilla-fsync* patch - make it possible to ignore NM events with a pref (bmo#424626) (toolkit.networkmanager.ignore=false|true) (mozilla-network-status.patch) - modify pref to not stop at punctuation for selections (bnc#395070) - fixed restart command for session managers (bnc#396552) - do not compile cairo with SSE support (bnc#397815) - mozilla-js.pc uses correct cflags (bnc#397814) - Fix baselibs.conf to mention mozilla-xulrunner190-translations (bnc#393856). - Add mozilla-pkgconfig.patch (part of bnc#381154). - Add mozilla-fsync-bmo499050.patch (bmo#499050). - Merge changes from the build service (thanks, Wolfgang): + Only use gconf proxy settings under GNOME (bnc#381172) + Add mozilla-extensionmanager.patch (bnc#381733, and #382969) + Add mozilla-system-hunspell.patch to enable use of the system's hunspell (bnc#382437) + Add mozilla-gnome-proxies.patch: * Only use gconf proxy settings when running under GNOME (bnc#381172) * Correctly read the ignored hosts settings from gconf (bmo#429520) + Add mozilla-helperapp.patch to offer the gconf default for protocol handlers (bnc#383697) - Rename the -lang subpackage to -stranslations (bnc#381635). - Merge changes from the build service: + Add mozilla-chrome-registry.patch to fix a startup crash (bmo#391311 and bnc#379523) + Add mozilla-scroll.patch to fix scrolling performance issues (bmo#424915 and bnc#377055) + Update baselibs.conf. - Better sync against the build service's version. - added baselibs.conf file to create xxbit packages - update to version 1.9b5 * including fix for bnc #368967 * integrated mozilla-gnome-vfs.patch - updated shipped locales "Provides" - fixed version upgrading (remove leftovers from previous versions) - remove executable flags from JS scripts - CSS DPI scaling now occurs with higher dpi values now (>192) - prerequire coreutils for 'rm' in post scripts - Merge changes from the build service (thanks, Wolfgang). - new snapshot version 1.9b4 - updated shipped locales "Provides" - enabled url classifier component (needed for Firefox' safe browsing feature) - added mozilla-gnome-vfs.patch (#368238) - new snapshot 20080228 - source archive contains browser components now to make it easier to keep xulrunner and firefox in sync (use shipped-locales from browser now instead of keeping a copy in the package) - proxy-type 5 is default now (removed from default prefs) - new snapshot 20080227 - use system provided sqlite for factory/11.0 - use fdupes - tweak default preferences - fix debuginfo package - fix wrong executable permissions - fix wrong ownership of the gnomevfs libs - add add-plugins.sh to manage dictionaries - new snapshot 20080225 - added -gnomevfs subpackage for evaluation - added back -l10n subpackage - initial xulrunner 1.9 package * doesn't update any prior xulrunner yet * can be installed in parallel * just updates the /usr/bin/xulrunner link to the new version * needs NSPR 4.7.1 and NSS 3.12 - Merge changes from the build service (thanks, Wolfgang) (bnc#400001 and SWAMP#18164). - update to version 3.0 - fixed double entry in bookmarks for www.opensuse.org (bnc#396980 - Add Planet SUSE, forums.o.o and How to participate to default URLs. - network.protocol-handler.app.* prefs are no longer supported; remove references to them from firefox-suse-default-prefs.js (bnc#383697). - Update to Firefox 3.0b5 (2.9.95) (thanks, Wolfgang). - Merge changes from the build service (thanks, Wolfgang) - Update to the fourth Firefox 3.0 Beta (2.9.94): + Based upon the Gecko 1.9 Web rendering platform, which improves performance, stability, and rendering correctness; it also boasts a considerable simplification in its code + Security improvements: * One-click site info * Malware Protection * New Web Forgery Protection page * New SSL error pages * Add-ons and Plugin version check * Secure add-on updates * Effective top-level domain (eTLD) service to better restrict cookies and other restricted content to a single domain * Better protection against cross-site JSON data leaks + Usability improvements: * Easier password management * Simplified add-on installation * New Download Manager * Resumable downloading * Full page zoom * Podcasts and Videocasts can be associated with your media playback tools * Tab scrolling and quickmenu * Save what you were doing: Firefox will prompt users to save tabs on exit * Optimized Open in Tabs behavior * Location and Search bar size can now be customized with a simple resizer item * Text selection improvements * Find toolbar * Improved integration with Linux: Firefox's default icons, buttons, and menu styles now use the native GTK theme + Personalization improvements: * Star button: quickly add bookmarks from the location bar with a single click; a second click lets you file and tag them * Tags: associate keywords with your bookmarks to sort them by topic * Location bar & auto-complete * Smart Bookmarks Folder * Places Organizer: view, organize and search through all of your bookmarks, tags, and browsing history with multiple views and smart folders to store your frequent searches * Web-based protocol handlers * Download & Install Add-ons * Easy to use Download Actions + Improved platform for web developers: * New graphics and font handling: new graphics and text rendering architectures in Gecko 1.9 provides rendering improvements in CSS, SVG as well as improved display of fonts with ligatures and complex scripts * Color management: (set gfx.color_management.enabled on in about:config and restart the browser to enable.); Firefox can now adjust images with embedded color profiles * Offline support: enables web applications to provide offline functionality (website authors must add support for offline browsing to their site for this feature to be available to users) + Improved performance: * Speed: improvements to the JavaScript engine as well as profile guided optimizations have resulted in significant improvements in performance; compared to Firefox 2, web applications like Google Mail and Zoho Office run twice as fast in Firefox 3 Beta 4, and the popular SunSpider test from Apple shows improvements over previous releases * Memory usage: Several new technologies work together to reduce the amount of memory used by Firefox 3 Beta 4 over a web browsing session; memory cycles are broken and collected by an automated cycle collector, a new memory allocator reduces fragmentation, hundreds of leaks have been fixed, and caching strategies have been tuned * Reliability: A user's bookmarks, history, cookies, and preferences are now stored in a transactionally secure database format which will prevent data loss even if their system crashes - This version depends upon the mozilla-xulrunner190 package - Drop various stale packages, respin several that have been kept around, and add a few new ones. - Security update to version 2.0.0.12 (bnc#354469): + MFSA 2008-11/CVE-2008-0594 Web forgery overwrite with div overlay + MFSA 2008-10/CVE-2008-0593 URL token stealing via stylesheet redirect + MFSA 2008-09/CVE-2008-0592 Mishandling of locally-saved plain text files + MFSA 2008-08/CVE-2008-0591 File action dialog tampering + MFSA 2008-06/CVE-2008-0419 Web browsing history and forward navigation stealing + MFSA 2008-05/CVE-2008-0418 Directory traversal via chrome: URI + MFSA 2008-04/CVE-2008-0417 Stored password corruption + MFSA 2008-03/CVE-2008-0415 Privilege escalation, XSS, Remote Code Execution + MFSA 2008-02/CVE-2008-0414 Multiple file input focus stealing vulnerabilities + MFSA 2008-01/CVE-2008-0412 Crashes with evidence of memory corruption (rv:1.8.1.12) - Reference libaoss.so in start script (bnc#117079) - Remove mozilla-canvas-1.8.1.10.patch, as it has been upstreamed - Update firefox-ui-lockdown.patch (FATE#301534, FATE#302023, and FATE#302024) - Add application/x-xpinstall mime type to MozillaFirefox.desktop - Add MozillaFirefox.xml to bind .xpi to application/x-xpinstall in desktop. - Add mozilla-maxpathlen.patch (#354150 and bmo #412610). - Add firefox-348446-empty-lists.patch (bnc#348446). - Respin proxy-dev.patch (bnc#340678) -- thanks, Anders! - Security update to version 2.0.0.10 (#341905, #341591): + MFSA 2007-39 Referer-spoofing via window.location race condition + MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10) + MFSA 2007-37 jar: URI scheme XSS hazard + Fixes for regressions introduced in 2.0.0.8 + Updated dbus.patch, startup.patch, misc.dif, and configure.patch - Add mozilla-gcc4.3-fixes.patch - Add mozilla-canvas-1.8.1.10.patch (#341591#c10). - Build with -ftree-vrp -fwrapv, per advice in #342603#c17. - Add firefox-gcc4.3-fixes.patch. - Security update to version 2.0.0.8 (#332512) (thanks, Wolfgang) * MFSA 2007-29 Crashes with evidence of memory corruption * MFSA 2007-30 onUnload Tailgating * MFSA 2007-31 Digest authentication request splitting * MFSA 2007-32 File input focus stealing vulnerability * MFSA 2007-33 XUL pages can hide the window titlebar * MFSA 2007-34 Possible file stealing through sftp protocol * MFSA 2007-35 XPCNativeWraper pollution using Script object complete advisories on http://www.mozilla.org/projects/security/known-vulnerabilities.html - Don't explicitly require libaoss.so (#326751). - Update the Novell Support search plugin in search-addons.tar.bz2 (#297261) - Set the browser.tabs.loadFolderAndReplace preference to false by default (#230759). - fix hardlinks accross partitions - Add http://software.opensuse.org/search?baseproject=openSUSE:10.3 to the default bookmarks (#308223). - move last change a bit further in specfile - Mark a .png file as nonexecutable. - Minor .spec update (#305193) + Remove two obsolete patches + Correct releasedate + Include only the officially supported locales. - Merge changes from the build service (thanks, Wolfgang): + Provide locale dependency information (#302288) + Add x11-session.patch, supporting X11 session management (#227047) + Update to version 2.0.0.6 * MFSA 2007-26 Privilege escalation through chrome-loaded about:blank windows * MFSA 2007-27 Unescaped URIs passed to external programs (only relevant on Windows) - Use %fdupes. - Adjust bookmarks: Add news.opensuse.org, use new software.o.o page. - Revert previous change. - Added support for ymp in the mimetypes.rdf - Added OneClickInstallUrlHandler for handing the actual call from firefox. - Fixes bnc #295677 - Security update to version 2.0.0.5 (#288115) which has fixes for: MFSA 2007-18 CVE-2007-3734 - Browser flaws CVE-2007-3735 - Javascript flaws MFSA 2007-19 CVE-2007-3736 MFSA 2007-20 CVE-2007-3089 MFSA 2007-21 CVE-2007-3737 MFSA 2007-22 CVE-2007-3285 MFSA 2007-23 CVE-2007-3670 MFSA 2007-24 CVE-2007-3656 MFSA 2007-25 CVE-2007-3738 - fix changelog entry order - Use mozilla.sh.in from the build service (#230681). - Removed invalid desktop category "Application" (#254654). - Security update to version 2.0.0.4 - Refresh configure.patch, startup.patch, and visibility.patch - Now use l10n-%{version}.tar.bz2 instead of l10n.tar.bz2. - added unzip to BuildRequires - add Japanese to the languages which get PANGO enabled in the start script to support the Japanese combining characters U+3099 U+309A (see bugzilla #262718 comment #29). - Package gconf stuff. - Security update to 2.0.0.2 (#244923), which covers: + mfsa2007-01 * CVE-2007-0775 - layout engine crashes * CVE-2007-0776 - SVG * CVE-2007-0777 - javascript engine corruption + mfsa2007-02 * CVE-2007-0995 - Invalid trailing characters in HTML tag attributes * CVE-2007-0996 - Child frame character set inheritance * CVE-2006-6077 - Injected password forms + mfsa2007-02 + mfsa2007-03 * CVE-2007-0078 + mfsa2007-04 * CVE-2007-0079 + mfsa2007-05 * CVE-2007-0780 * CVE-2007-0800 + mfsa2007-06 * CVE-2007-0008 - client flaw * CVE-2007-0009 - server flaw + mfsa2007-07 * CVE-2007-0981 - Updates mozilla.sh.in (#230681) - Fixes #232209 - Updates the man page (#243037) - Properly propagates exit codes (#241492) - Adds em-356370.patch (#217374) - Fixup the Gnome paths, keeping in closer sync with the buildservice. - Gnome is now in /usr, so remove references to /opt/gnome - Install firefox.png with the executable bit not set. - readd MozillaFirebird provides (was incorrect in removing it). - Do not provide MozillaFirebird, just obsolete it. - Update gecko-lockdown.patch (#220616). - Update firefox-suse-default-prefs.js, adding 'pref("browser.backspace_action", 2);' (#217374) - Fix last change (#224431). - Change download bookmark (#224431). - Rename bookmark folder to openSUSE. - Sync from Buildservice with following critical fixes (thanks Wolfgang Rosenauer!): * fixed system-proxies.patch to actually work (#223881). * Rearrange Bookmarks to pass trademark review. - Fix tango theme (#223796). - Use www.opensuse.org as home page. - Set novell.com as home page. - Update from BuildService (thanks Wolfgang!): - fixed crash in htmlparser (#217257, bmo #358797) - added gconf2 as PreReq (#212505) - added 32bit libaoss.so as requirement (#216266) - Removed SUSE searchplugin (Portal not available anymore) (#216054) - Removed obsolete xul-picker.patch and system-nspr.patch - Fixed building on 10.1 and 10.0 (dbus) - Removed obsolete throbber preference - updated tango theme - Another fix for 214125, patch by Wolfgang Rosenauer. - Fix gcc warnings about undefined operations, patch by Robert O'Callahan. - Update system-proxies.patch to fix error box (214125), patch by Robert O'Callahan. - Update to current CVS version of 2.0. - Use www.opensuse.org as default home page for now (#203547). - Disable non-working plasticfox and tango themes. - Fix building of locales. - update to version 2.0rc3: * New features: Visual Refresh, Built-in phishing protection, Enhanced search capabilities, Improved tabbed browsing, Resuming your browsing session, Previewing and subscribing to Web feeds, Inline spell checking, Live Titles, Improved Add-ons manager, JavaScript 1.7, Extended search plugin format, Updates to the extension system, Client-side session and persistent storage, SVG text - disabled debugging. - security update to version 1.5.0.7 - added greasemonkey helper change (#199920) - fixed packager.mk for new make version - fixed crash in dbus component (patch by thoenig #197928) - use external adresses for PAC configuration (#196506) - added symlink for Firefox 1.0.x compatibility - update to regression release 1.5.0.6 (#195043) - security update to version 1.5.0.5 (#195043) * observer-lock.patch integrated now - fixed leak in JS' liveconnect (#186066) - fixed desktop file for old distributions (StartupNotify=false) - Update to r821737 * Select the correct security mode for wireless connections * Notify about NetworkManager not running (bnc#383195) * Show if a wireless network is encrypted (bnc#393070) * Fix listing available networks (bnc#397589) * Fix crash when NeworkManager is restarted (bnc#397678) * Allow user-defined notifications (bnc#398425) * Fix WPA-EAP TTLS and PEAP (bnc#396347) * Update translations * Several smaller bugfixes - Update to r815960 * Merge trayicons together (bnc#383032) * Build package NetworkManager-devel (needed for external VPN plugins like novellvpn) * Build packages NetworkManager-openvpn-kde and NetworkManager-vpnc-kde (bnc#389168) * Preselect the correct wireless settings (bnc#391759) * Left click opens the context menu (bnc#392966) * Several smaller bugfixes - Update to r812889, late features: * VPN support * UMTS/CDMA/GSM support - Update to current development branch 0.7r805840, changes: * Allow deletion of connections (bnc#384126) * Some minor bugfixes (bnc#379470, bnc#381718, bnc#384201) * Update API to match NetworkManager's * Other bugfixes and cleanups - Update to current development branch 0.7r795743, changes: * Fix usage with current NM * Bugfixes * GUI cleanups - Update to current development branch 0.7r785504, changes: * Connections are persisted and therefore automatically connected on startup * Some GUI cleanups * Lot's of fixes - disable final to fix build - Update to current unstable branch 0.7 - add patch knetworkmanager-fix_corrupted_tray-hschaa-01.patch (fixes b.n.c #264959) - add patch knetworkmanager-fix_segfault-hschaa-01.patch (fixes b.n.c #304705) - add patch knetworkmanager-dbus_race-hschaa-01.patch (fixes b.n.c #304956) - add translation_update_hu.patch - fix various memory corruptions, memory leaks and other bugs - add patch knetworkmanager-show_message-hschaa-01.patch (fixes b.n.c #264176) - add patch knetworkmanager-infodialog_tab-hschaa-01.patch (fixes b.n.c #295593) - add patch knetworkmanager-enablebutton-hschaa-01.patch (fixes b.n.c #277720) - add patch knetworkmanager-fixbuild_u64-hschaa-01.patch (fixes build on i386) - update knetworkmanager.default.sh to respect KDEHOME (fixes b.n.c #290292) - add patch knetworkmanager-fixnetworksui-hschaa-01.patch (fixes b.n.c #293449) - add patch knetworkmanager-version-hschaa-01.patch which fixes broken autoconnecting on kde start - update to 0.2r674918 (fixes b.n.c #206641, #182202, #199164, #260440) - remove patches knetworkmanager-vpnc_pwds-hschaa-01.patch, knetworkmanager-newnetwork_crash-hschaa-01.patch, knetworkmanager-wpaeap_storage-hschaa-01.patch: commited upstream - add patch knetworkmanager-vpnc_pwds-hschaa-01.patch (fixes b.n.c #281343) - move kde_post_install - Revised offline mode infrastructure (#237274) - add patch knetworkmanager-newnetwork_crash-hschaa-01.patch (fixes b.n.c #269253) - Use the right source file (instead of the wrong one which was checked in on Apr 4) - add patch knetworkmanager-wpaeap_storage-hschaa-01.patch (fixes b.n.c #253413 and #253414) - update to KDE SVN r646731 (fixes b.n.c #230683, #254352) - fix build (new icon location check) - Branch off new subpackages NetworkManager-kde-openvpn and NetworkManager-kde-vpnc to avoid gnome dependencies brought in through NetworkManager-gnome (b.n.c #198529). - new subpackage NetworkManager-kde-devel contains headers for building plugins for KNetworkManager - update to KDE SVN r631225 - remove patches knetworkmanager-notify-hschaa-01.patch (b.n.c [#159061]), knetworkmanager-vpnoverlay-hschaa-01.patch (b.n.c [#159061]) and knetworkmanager-vpn-utf8-suport-hschaa-01.patch (b.n.c #222918): Comitted upstream. - update to KDE SVN r606753: - add patch knetworkmanager-vpn-utf8-suport-hschaa-01.patch: Support utf8 encoding in VPN name, service etc. (b.n.c #222918) - add patch knetworkmanager-vpnoverlay-hschaa-01.patch: Show a symbol in the system tray when a VPN connection is established (b.n.c #159061) - add patch knetworkmanager-notify-hschaa-01.patch: Show warning if VPN connection attempt failed (b.n.c #159061) - beautify connection dialog when manually connecting to a network - update to KDE SVN r602671 - do not spawn warnings in libnm-util (b.n.c 216083) - remove patch knetworkmanager-dialup-yast-thoenig-01.patch: Fix is now upstream - add patch knetworkmanager-dialup-yast-thoenig-01.patch: Feed KProcess properly to call YaST for dial-up configuration (b.n.c [#216835]) - update patch knetworkmanager-fallback-thoenig-02.patch: Fix storage of networks with 'fallback' flag. - add patch knetworkmanager-fallback-thoenig-01.patch: The flag 'trusted' is gone (NetworkManager API change). Remove the corresponding bits and replace with the 'fallback' flag. If this flag is set for a wireless network, NetworkManager will also try to connect to that network even if it has not been found by scanning (helps when using broken wireless drivers) - update to KDE SVN r588481 - open KWallet only when connecting to an encrypted network (b.n.c [#204809]) - ignore signal from NetworkManager if its state did not change (b.n.c #165275) - move SuSE specific code to a separate patch (knetworkmanager-kde-networkstatus-wstephenson-01.patch) - persist settings for "Offline Mode" and "Disable Wireless" - avoid flickering of the tray icon - remove absolute path to g-k-d - this version will be released as online update for SL10.1, SLED10 and SLES10. - Update to r821737 * Select the correct security mode for wireless connections * Notify about NetworkManager not running (bnc#383195) * Show if a wireless network is encrypted (bnc#393070) * Fix listing available networks (bnc#397589) * Fix crash when NeworkManager is restarted (bnc#397678) * Allow user-defined notifications (bnc#398425) * Fix WPA-EAP TTLS and PEAP (bnc#396347) * Update translations * Several smaller bugfixes - Update to r815960 * Merge trayicons together (bnc#383032) * Build package NetworkManager-devel (needed for external VPN plugins like novellvpn) * Build packages NetworkManager-openvpn-kde and NetworkManager-vpnc-kde (bnc#389168) * Preselect the correct wireless settings (bnc#391759) * Left click opens the context menu (bnc#392966) * Several smaller bugfixes - Update to r812889, late features: * VPN support * UMTS/CDMA/GSM support - Update to current development branch 0.7r805840, changes: * Allow deletion of connections (bnc#384126) * Some minor bugfixes (bnc#379470, bnc#381718, bnc#384201) * Update API to match NetworkManager's * Other bugfixes and cleanups - Update to current development branch 0.7r795743, changes: * Fix usage with current NM * Bugfixes * GUI cleanups - Update to current development branch 0.7r785504, changes: * Connections are persisted and therefore automatically connected on startup * Some GUI cleanups * Lot's of fixes - disable final to fix build - Update to current unstable branch 0.7 - add patch knetworkmanager-fix_corrupted_tray-hschaa-01.patch (fixes b.n.c #264959) - add patch knetworkmanager-fix_segfault-hschaa-01.patch (fixes b.n.c #304705) - add patch knetworkmanager-dbus_race-hschaa-01.patch (fixes b.n.c #304956) - add translation_update_hu.patch - fix various memory corruptions, memory leaks and other bugs - add patch knetworkmanager-show_message-hschaa-01.patch (fixes b.n.c #264176) - add patch knetworkmanager-infodialog_tab-hschaa-01.patch (fixes b.n.c #295593) - add patch knetworkmanager-enablebutton-hschaa-01.patch (fixes b.n.c #277720) - add patch knetworkmanager-fixbuild_u64-hschaa-01.patch (fixes build on i386) - update knetworkmanager.default.sh to respect KDEHOME (fixes b.n.c #290292) - add patch knetworkmanager-fixnetworksui-hschaa-01.patch (fixes b.n.c #293449) - add patch knetworkmanager-version-hschaa-01.patch which fixes broken autoconnecting on kde start - update to 0.2r674918 (fixes b.n.c #206641, #182202, #199164, #260440) - remove patches knetworkmanager-vpnc_pwds-hschaa-01.patch, knetworkmanager-newnetwork_crash-hschaa-01.patch, knetworkmanager-wpaeap_storage-hschaa-01.patch: commited upstream - add patch knetworkmanager-vpnc_pwds-hschaa-01.patch (fixes b.n.c #281343) - move kde_post_install - Revised offline mode infrastructure (#237274) - add patch knetworkmanager-newnetwork_crash-hschaa-01.patch (fixes b.n.c #269253) - Use the right source file (instead of the wrong one which was checked in on Apr 4) - add patch knetworkmanager-wpaeap_storage-hschaa-01.patch (fixes b.n.c #253413 and #253414) - update to KDE SVN r646731 (fixes b.n.c #230683, #254352) - fix build (new icon location check) - Branch off new subpackages NetworkManager-kde-openvpn and NetworkManager-kde-vpnc to avoid gnome dependencies brought in through NetworkManager-gnome (b.n.c #198529). - new subpackage NetworkManager-kde-devel contains headers for building plugins for KNetworkManager - update to KDE SVN r631225 - remove patches knetworkmanager-notify-hschaa-01.patch (b.n.c [#159061]), knetworkmanager-vpnoverlay-hschaa-01.patch (b.n.c [#159061]) and knetworkmanager-vpn-utf8-suport-hschaa-01.patch (b.n.c #222918): Comitted upstream. - update to KDE SVN r606753: - add patch knetworkmanager-vpn-utf8-suport-hschaa-01.patch: Support utf8 encoding in VPN name, service etc. (b.n.c #222918) - add patch knetworkmanager-vpnoverlay-hschaa-01.patch: Show a symbol in the system tray when a VPN connection is established (b.n.c #159061) - add patch knetworkmanager-notify-hschaa-01.patch: Show warning if VPN connection attempt failed (b.n.c #159061) - beautify connection dialog when manually connecting to a network - update to KDE SVN r602671 - do not spawn warnings in libnm-util (b.n.c 216083) - remove patch knetworkmanager-dialup-yast-thoenig-01.patch: Fix is now upstream - add patch knetworkmanager-dialup-yast-thoenig-01.patch: Feed KProcess properly to call YaST for dial-up configuration (b.n.c [#216835]) - update patch knetworkmanager-fallback-thoenig-02.patch: Fix storage of networks with 'fallback' flag. - add patch knetworkmanager-fallback-thoenig-01.patch: The flag 'trusted' is gone (NetworkManager API change). Remove the corresponding bits and replace with the 'fallback' flag. If this flag is set for a wireless network, NetworkManager will also try to connect to that network even if it has not been found by scanning (helps when using broken wireless drivers) - update to KDE SVN r588481 - open KWallet only when connecting to an encrypted network (b.n.c [#204809]) - ignore signal from NetworkManager if its state did not change (b.n.c #165275) - move SuSE specific code to a separate patch (knetworkmanager-kde-networkstatus-wstephenson-01.patch) - persist settings for "Offline Mode" and "Disable Wireless" - avoid flickering of the tray icon - remove absolute path to g-k-d - this version will be released as online update for SL10.1, SLED10 and SLES10. - Update to r821737 * Select the correct security mode for wireless connections * Notify about NetworkManager not running (bnc#383195) * Show if a wireless network is encrypted (bnc#393070) * Fix listing available networks (bnc#397589) * Fix crash when NeworkManager is restarted (bnc#397678) * Allow user-defined notifications (bnc#398425) * Fix WPA-EAP TTLS and PEAP (bnc#396347) * Update translations * Several smaller bugfixes - Update to r815960 * Merge trayicons together (bnc#383032) * Build package NetworkManager-devel (needed for external VPN plugins like novellvpn) * Build packages NetworkManager-openvpn-kde and NetworkManager-vpnc-kde (bnc#389168) * Preselect the correct wireless settings (bnc#391759) * Left click opens the context menu (bnc#392966) * Several smaller bugfixes - Update to r812889, late features: * VPN support * UMTS/CDMA/GSM support - Update to current development branch 0.7r805840, changes: * Allow deletion of connections (bnc#384126) * Some minor bugfixes (bnc#379470, bnc#381718, bnc#384201) * Update API to match NetworkManager's * Other bugfixes and cleanups - Update to current development branch 0.7r795743, changes: * Fix usage with current NM * Bugfixes * GUI cleanups - Update to current development branch 0.7r785504, changes: * Connections are persisted and therefore automatically connected on startup * Some GUI cleanups * Lot's of fixes - disable final to fix build - Update to current unstable branch 0.7 - add patch knetworkmanager-fix_corrupted_tray-hschaa-01.patch (fixes b.n.c #264959) - add patch knetworkmanager-fix_segfault-hschaa-01.patch (fixes b.n.c #304705) - add patch knetworkmanager-dbus_race-hschaa-01.patch (fixes b.n.c #304956) - add translation_update_hu.patch - fix various memory corruptions, memory leaks and other bugs - add patch knetworkmanager-show_message-hschaa-01.patch (fixes b.n.c #264176) - add patch knetworkmanager-infodialog_tab-hschaa-01.patch (fixes b.n.c #295593) - add patch knetworkmanager-enablebutton-hschaa-01.patch (fixes b.n.c #277720) - add patch knetworkmanager-fixbuild_u64-hschaa-01.patch (fixes build on i386) - update knetworkmanager.default.sh to respect KDEHOME (fixes b.n.c #290292) - add patch knetworkmanager-fixnetworksui-hschaa-01.patch (fixes b.n.c #293449) - add patch knetworkmanager-version-hschaa-01.patch which fixes broken autoconnecting on kde start - update to 0.2r674918 (fixes b.n.c #206641, #182202, #199164, #260440) - remove patches knetworkmanager-vpnc_pwds-hschaa-01.patch, knetworkmanager-newnetwork_crash-hschaa-01.patch, knetworkmanager-wpaeap_storage-hschaa-01.patch: commited upstream - add patch knetworkmanager-vpnc_pwds-hschaa-01.patch (fixes b.n.c #281343) - move kde_post_install - Revised offline mode infrastructure (#237274) - add patch knetworkmanager-newnetwork_crash-hschaa-01.patch (fixes b.n.c #269253) - Use the right source file (instead of the wrong one which was checked in on Apr 4) - add patch knetworkmanager-wpaeap_storage-hschaa-01.patch (fixes b.n.c #253413 and #253414) - update to KDE SVN r646731 (fixes b.n.c #230683, #254352) - fix build (new icon location check) - Branch off new subpackages NetworkManager-kde-openvpn and NetworkManager-kde-vpnc to avoid gnome dependencies brought in through NetworkManager-gnome (b.n.c #198529). - new subpackage NetworkManager-kde-devel contains headers for building plugins for KNetworkManager - update to KDE SVN r631225 - remove patches knetworkmanager-notify-hschaa-01.patch (b.n.c [#159061]), knetworkmanager-vpnoverlay-hschaa-01.patch (b.n.c [#159061]) and knetworkmanager-vpn-utf8-suport-hschaa-01.patch (b.n.c #222918): Comitted upstream. - update to KDE SVN r606753: - add patch knetworkmanager-vpn-utf8-suport-hschaa-01.patch: Support utf8 encoding in VPN name, service etc. (b.n.c #222918) - add patch knetworkmanager-vpnoverlay-hschaa-01.patch: Show a symbol in the system tray when a VPN connection is established (b.n.c #159061) - add patch knetworkmanager-notify-hschaa-01.patch: Show warning if VPN connection attempt failed (b.n.c #159061) - beautify connection dialog when manually connecting to a network - update to KDE SVN r602671 - do not spawn warnings in libnm-util (b.n.c 216083) - remove patch knetworkmanager-dialup-yast-thoenig-01.patch: Fix is now upstream - add patch knetworkmanager-dialup-yast-thoenig-01.patch: Feed KProcess properly to call YaST for dial-up configuration (b.n.c [#216835]) - update patch knetworkmanager-fallback-thoenig-02.patch: Fix storage of networks with 'fallback' flag. - add patch knetworkmanager-fallback-thoenig-01.patch: The flag 'trusted' is gone (NetworkManager API change). Remove the corresponding bits and replace with the 'fallback' flag. If this flag is set for a wireless network, NetworkManager will also try to connect to that network even if it has not been found by scanning (helps when using broken wireless drivers) - update to KDE SVN r588481 - open KWallet only when connecting to an encrypted network (b.n.c [#204809]) - ignore signal from NetworkManager if its state did not change (b.n.c #165275) - move SuSE specific code to a separate patch (knetworkmanager-kde-networkstatus-wstephenson-01.patch) - persist settings for "Offline Mode" and "Disable Wireless" - avoid flickering of the tray icon - remove absolute path to g-k-d - this version will be released as online update for SL10.1, SLED10 and SLES10. - Update to r821737 * Select the correct security mode for wireless connections * Notify about NetworkManager not running (bnc#383195) * Show if a wireless network is encrypted (bnc#393070) * Fix listing available networks (bnc#397589) * Fix crash when NeworkManager is restarted (bnc#397678) * Allow user-defined notifications (bnc#398425) * Fix WPA-EAP TTLS and PEAP (bnc#396347) * Update translations * Several smaller bugfixes - Update to r815960 * Merge trayicons together (bnc#383032) * Build package NetworkManager-devel (needed for external VPN plugins like novellvpn) * Build packages NetworkManager-openvpn-kde and NetworkManager-vpnc-kde (bnc#389168) * Preselect the correct wireless settings (bnc#391759) * Left click opens the context menu (bnc#392966) * Several smaller bugfixes - Update to r812889, late features: * VPN support * UMTS/CDMA/GSM support - Update to current development branch 0.7r805840, changes: * Allow deletion of connections (bnc#384126) * Some minor bugfixes (bnc#379470, bnc#381718, bnc#384201) * Update API to match NetworkManager's * Other bugfixes and cleanups - Update to current development branch 0.7r795743, changes: * Fix usage with current NM * Bugfixes * GUI cleanups - Update to current development branch 0.7r785504, changes: * Connections are persisted and therefore automatically connected on startup * Some GUI cleanups * Lot's of fixes - disable final to fix build - Update to current unstable branch 0.7 - add patch knetworkmanager-fix_corrupted_tray-hschaa-01.patch (fixes b.n.c #264959) - add patch knetworkmanager-fix_segfault-hschaa-01.patch (fixes b.n.c #304705) - add patch knetworkmanager-dbus_race-hschaa-01.patch (fixes b.n.c #304956) - add translation_update_hu.patch - fix various memory corruptions, memory leaks and other bugs - add patch knetworkmanager-show_message-hschaa-01.patch (fixes b.n.c #264176) - add patch knetworkmanager-infodialog_tab-hschaa-01.patch (fixes b.n.c #295593) - add patch knetworkmanager-enablebutton-hschaa-01.patch (fixes b.n.c #277720) - add patch knetworkmanager-fixbuild_u64-hschaa-01.patch (fixes build on i386) - update knetworkmanager.default.sh to respect KDEHOME (fixes b.n.c #290292) - add patch knetworkmanager-fixnetworksui-hschaa-01.patch (fixes b.n.c #293449) - add patch knetworkmanager-version-hschaa-01.patch which fixes broken autoconnecting on kde start - update to 0.2r674918 (fixes b.n.c #206641, #182202, #199164, #260440) - remove patches knetworkmanager-vpnc_pwds-hschaa-01.patch, knetworkmanager-newnetwork_crash-hschaa-01.patch, knetworkmanager-wpaeap_storage-hschaa-01.patch: commited upstream - add patch knetworkmanager-vpnc_pwds-hschaa-01.patch (fixes b.n.c #281343) - move kde_post_install - Revised offline mode infrastructure (#237274) - add patch knetworkmanager-newnetwork_crash-hschaa-01.patch (fixes b.n.c #269253) - Use the right source file (instead of the wrong one which was checked in on Apr 4) - add patch knetworkmanager-wpaeap_storage-hschaa-01.patch (fixes b.n.c #253413 and #253414) - update to KDE SVN r646731 (fixes b.n.c #230683, #254352) - fix build (new icon location check) - Branch off new subpackages NetworkManager-kde-openvpn and NetworkManager-kde-vpnc to avoid gnome dependencies brought in through NetworkManager-gnome (b.n.c #198529). - new subpackage NetworkManager-kde-devel contains headers for building plugins for KNetworkManager - update to KDE SVN r631225 - remove patches knetworkmanager-notify-hschaa-01.patch (b.n.c [#159061]), knetworkmanager-vpnoverlay-hschaa-01.patch (b.n.c [#159061]) and knetworkmanager-vpn-utf8-suport-hschaa-01.patch (b.n.c #222918): Comitted upstream. - update to KDE SVN r606753: - add patch knetworkmanager-vpn-utf8-suport-hschaa-01.patch: Support utf8 encoding in VPN name, service etc. (b.n.c #222918) - add patch knetworkmanager-vpnoverlay-hschaa-01.patch: Show a symbol in the system tray when a VPN connection is established (b.n.c #159061) - add patch knetworkmanager-notify-hschaa-01.patch: Show warning if VPN connection attempt failed (b.n.c #159061) - beautify connection dialog when manually connecting to a network - update to KDE SVN r602671 - do not spawn warnings in libnm-util (b.n.c 216083) - remove patch knetworkmanager-dialup-yast-thoenig-01.patch: Fix is now upstream - add patch knetworkmanager-dialup-yast-thoenig-01.patch: Feed KProcess properly to call YaST for dial-up configuration (b.n.c [#216835]) - update patch knetworkmanager-fallback-thoenig-02.patch: Fix storage of networks with 'fallback' flag. - add patch knetworkmanager-fallback-thoenig-01.patch: The flag 'trusted' is gone (NetworkManager API change). Remove the corresponding bits and replace with the 'fallback' flag. If this flag is set for a wireless network, NetworkManager will also try to connect to that network even if it has not been found by scanning (helps when using broken wireless drivers) - update to KDE SVN r588481 - open KWallet only when connecting to an encrypted network (b.n.c [#204809]) - ignore signal from NetworkManager if its state did not change (b.n.c #165275) - move SuSE specific code to a separate patch (knetworkmanager-kde-networkstatus-wstephenson-01.patch) - persist settings for "Offline Mode" and "Disable Wireless" - avoid flickering of the tray icon - remove absolute path to g-k-d - this version will be released as online update for SL10.1, SLED10 and SLES10. - Update to r821737 * Select the correct security mode for wireless connections * Notify about NetworkManager not running (bnc#383195) * Show if a wireless network is encrypted (bnc#393070) * Fix listing available networks (bnc#397589) * Fix crash when NeworkManager is restarted (bnc#397678) * Allow user-defined notifications (bnc#398425) * Fix WPA-EAP TTLS and PEAP (bnc#396347) * Update translations * Several smaller bugfixes - Update to r815960 * Merge trayicons together (bnc#383032) * Build package NetworkManager-devel (needed for external VPN plugins like novellvpn) * Build packages NetworkManager-openvpn-kde and NetworkManager-vpnc-kde (bnc#389168) * Preselect the correct wireless settings (bnc#391759) * Left click opens the context menu (bnc#392966) * Several smaller bugfixes - Update to r812889, late features: * VPN support * UMTS/CDMA/GSM support - Update to current development branch 0.7r805840, changes: * Allow deletion of connections (bnc#384126) * Some minor bugfixes (bnc#379470, bnc#381718, bnc#384201) * Update API to match NetworkManager's * Other bugfixes and cleanups - Update to current development branch 0.7r795743, changes: * Fix usage with current NM * Bugfixes * GUI cleanups - Update to current development branch 0.7r785504, changes: * Connections are persisted and therefore automatically connected on startup * Some GUI cleanups * Lot's of fixes - disable final to fix build - Update to current unstable branch 0.7 - add patch knetworkmanager-fix_corrupted_tray-hschaa-01.patch (fixes b.n.c #264959) - add patch knetworkmanager-fix_segfault-hschaa-01.patch (fixes b.n.c #304705) - add patch knetworkmanager-dbus_race-hschaa-01.patch (fixes b.n.c #304956) - add translation_update_hu.patch - fix various memory corruptions, memory leaks and other bugs - add patch knetworkmanager-show_message-hschaa-01.patch (fixes b.n.c #264176) - add patch knetworkmanager-infodialog_tab-hschaa-01.patch (fixes b.n.c #295593) - add patch knetworkmanager-enablebutton-hschaa-01.patch (fixes b.n.c #277720) - add patch knetworkmanager-fixbuild_u64-hschaa-01.patch (fixes build on i386) - update knetworkmanager.default.sh to respect KDEHOME (fixes b.n.c #290292) - add patch knetworkmanager-fixnetworksui-hschaa-01.patch (fixes b.n.c #293449) - add patch knetworkmanager-version-hschaa-01.patch which fixes broken autoconnecting on kde start - update to 0.2r674918 (fixes b.n.c #206641, #182202, #199164, #260440) - remove patches knetworkmanager-vpnc_pwds-hschaa-01.patch, knetworkmanager-newnetwork_crash-hschaa-01.patch, knetworkmanager-wpaeap_storage-hschaa-01.patch: commited upstream - add patch knetworkmanager-vpnc_pwds-hschaa-01.patch (fixes b.n.c #281343) - move kde_post_install - Revised offline mode infrastructure (#237274) - add patch knetworkmanager-newnetwork_crash-hschaa-01.patch (fixes b.n.c #269253) - Use the right source file (instead of the wrong one which was checked in on Apr 4) - add patch knetworkmanager-wpaeap_storage-hschaa-01.patch (fixes b.n.c #253413 and #253414) - update to KDE SVN r646731 (fixes b.n.c #230683, #254352) - fix build (new icon location check) - Branch off new subpackages NetworkManager-kde-openvpn and NetworkManager-kde-vpnc to avoid gnome dependencies brought in through NetworkManager-gnome (b.n.c #198529). - new subpackage NetworkManager-kde-devel contains headers for building plugins for KNetworkManager - update to KDE SVN r631225 - remove patches knetworkmanager-notify-hschaa-01.patch (b.n.c [#159061]), knetworkmanager-vpnoverlay-hschaa-01.patch (b.n.c [#159061]) and knetworkmanager-vpn-utf8-suport-hschaa-01.patch (b.n.c #222918): Comitted upstream. - update to KDE SVN r606753: - add patch knetworkmanager-vpn-utf8-suport-hschaa-01.patch: Support utf8 encoding in VPN name, service etc. (b.n.c #222918) - add patch knetworkmanager-vpnoverlay-hschaa-01.patch: Show a symbol in the system tray when a VPN connection is established (b.n.c #159061) - add patch knetworkmanager-notify-hschaa-01.patch: Show warning if VPN connection attempt failed (b.n.c #159061) - beautify connection dialog when manually connecting to a network - update to KDE SVN r602671 - do not spawn warnings in libnm-util (b.n.c 216083) - remove patch knetworkmanager-dialup-yast-thoenig-01.patch: Fix is now upstream - add patch knetworkmanager-dialup-yast-thoenig-01.patch: Feed KProcess properly to call YaST for dial-up configuration (b.n.c [#216835]) - update patch knetworkmanager-fallback-thoenig-02.patch: Fix storage of networks with 'fallback' flag. - add patch knetworkmanager-fallback-thoenig-01.patch: The flag 'trusted' is gone (NetworkManager API change). Remove the corresponding bits and replace with the 'fallback' flag. If this flag is set for a wireless network, NetworkManager will also try to connect to that network even if it has not been found by scanning (helps when using broken wireless drivers) - update to KDE SVN r588481 - open KWallet only when connecting to an encrypted network (b.n.c [#204809]) - ignore signal from NetworkManager if its state did not change (b.n.c #165275) - move SuSE specific code to a separate patch (knetworkmanager-kde-networkstatus-wstephenson-01.patch) - persist settings for "Offline Mode" and "Disable Wireless" - avoid flickering of the tray icon - remove absolute path to g-k-d - this version will be released as online update for SL10.1, SLED10 and SLES10. - Update to r821737 * Select the correct security mode for wireless connections * Notify about NetworkManager not running (bnc#383195) * Show if a wireless network is encrypted (bnc#393070) * Fix listing available networks (bnc#397589) * Fix crash when NeworkManager is restarted (bnc#397678) * Allow user-defined notifications (bnc#398425) * Fix WPA-EAP TTLS and PEAP (bnc#396347) * Update translations * Several smaller bugfixes - Update to r815960 * Merge trayicons together (bnc#383032) * Build package NetworkManager-devel (needed for external VPN plugins like novellvpn) * Build packages NetworkManager-openvpn-kde and NetworkManager-vpnc-kde (bnc#389168) * Preselect the correct wireless settings (bnc#391759) * Left click opens the context menu (bnc#392966) * Several smaller bugfixes - Update to r812889, late features: * VPN support * UMTS/CDMA/GSM support - Update to current development branch 0.7r805840, changes: * Allow deletion of connections (bnc#384126) * Some minor bugfixes (bnc#379470, bnc#381718, bnc#384201) * Update API to match NetworkManager's * Other bugfixes and cleanups - Update to current development branch 0.7r795743, changes: * Fix usage with current NM * Bugfixes * GUI cleanups - Update to current development branch 0.7r785504, changes: * Connections are persisted and therefore automatically connected on startup * Some GUI cleanups * Lot's of fixes - disable final to fix build - Update to current unstable branch 0.7 - add patch knetworkmanager-fix_corrupted_tray-hschaa-01.patch (fixes b.n.c #264959) - add patch knetworkmanager-fix_segfault-hschaa-01.patch (fixes b.n.c #304705) - add patch knetworkmanager-dbus_race-hschaa-01.patch (fixes b.n.c #304956) - add translation_update_hu.patch - fix various memory corruptions, memory leaks and other bugs - add patch knetworkmanager-show_message-hschaa-01.patch (fixes b.n.c #264176) - add patch knetworkmanager-infodialog_tab-hschaa-01.patch (fixes b.n.c #295593) - add patch knetworkmanager-enablebutton-hschaa-01.patch (fixes b.n.c #277720) - add patch knetworkmanager-fixbuild_u64-hschaa-01.patch (fixes build on i386) - update knetworkmanager.default.sh to respect KDEHOME (fixes b.n.c #290292) - add patch knetworkmanager-fixnetworksui-hschaa-01.patch (fixes b.n.c #293449) - add patch knetworkmanager-version-hschaa-01.patch which fixes broken autoconnecting on kde start - update to 0.2r674918 (fixes b.n.c #206641, #182202, #199164, #260440) - remove patches knetworkmanager-vpnc_pwds-hschaa-01.patch, knetworkmanager-newnetwork_crash-hschaa-01.patch, knetworkmanager-wpaeap_storage-hschaa-01.patch: commited upstream - add patch knetworkmanager-vpnc_pwds-hschaa-01.patch (fixes b.n.c #281343) - move kde_post_install - Revised offline mode infrastructure (#237274) - add patch knetworkmanager-newnetwork_crash-hschaa-01.patch (fixes b.n.c #269253) - Use the right source file (instead of the wrong one which was checked in on Apr 4) - add patch knetworkmanager-wpaeap_storage-hschaa-01.patch (fixes b.n.c #253413 and #253414) - update to KDE SVN r646731 (fixes b.n.c #230683, #254352) - fix build (new icon location check) - Branch off new subpackages NetworkManager-kde-openvpn and NetworkManager-kde-vpnc to avoid gnome dependencies brought in through NetworkManager-gnome (b.n.c #198529). - new subpackage NetworkManager-kde-devel contains headers for building plugins for KNetworkManager - update to KDE SVN r631225 - remove patches knetworkmanager-notify-hschaa-01.patch (b.n.c [#159061]), knetworkmanager-vpnoverlay-hschaa-01.patch (b.n.c [#159061]) and knetworkmanager-vpn-utf8-suport-hschaa-01.patch (b.n.c #222918): Comitted upstream. - update to KDE SVN r606753: - add patch knetworkmanager-vpn-utf8-suport-hschaa-01.patch: Support utf8 encoding in VPN name, service etc. (b.n.c #222918) - add patch knetworkmanager-vpnoverlay-hschaa-01.patch: Show a symbol in the system tray when a VPN connection is established (b.n.c #159061) - add patch knetworkmanager-notify-hschaa-01.patch: Show warning if VPN connection attempt failed (b.n.c #159061) - beautify connection dialog when manually connecting to a network - update to KDE SVN r602671 - do not spawn warnings in libnm-util (b.n.c 216083) - remove patch knetworkmanager-dialup-yast-thoenig-01.patch: Fix is now upstream - add patch knetworkmanager-dialup-yast-thoenig-01.patch: Feed KProcess properly to call YaST for dial-up configuration (b.n.c [#216835]) - update patch knetworkmanager-fallback-thoenig-02.patch: Fix storage of networks with 'fallback' flag. - add patch knetworkmanager-fallback-thoenig-01.patch: The flag 'trusted' is gone (NetworkManager API change). Remove the corresponding bits and replace with the 'fallback' flag. If this flag is set for a wireless network, NetworkManager will also try to connect to that network even if it has not been found by scanning (helps when using broken wireless drivers) - update to KDE SVN r588481 - open KWallet only when connecting to an encrypted network (b.n.c [#204809]) - ignore signal from NetworkManager if its state did not change (b.n.c #165275) - move SuSE specific code to a separate patch (knetworkmanager-kde-networkstatus-wstephenson-01.patch) - persist settings for "Offline Mode" and "Disable Wireless" - avoid flickering of the tray icon - remove absolute path to g-k-d - this version will be released as online update for SL10.1, SLED10 and SLES10. - Update to r821737 * Select the correct security mode for wireless connections * Notify about NetworkManager not running (bnc#383195) * Show if a wireless network is encrypted (bnc#393070) * Fix listing available networks (bnc#397589) * Fix crash when NeworkManager is restarted (bnc#397678) * Allow user-defined notifications (bnc#398425) * Fix WPA-EAP TTLS and PEAP (bnc#396347) * Update translations * Several smaller bugfixes - Update to r815960 * Merge trayicons together (bnc#383032) * Build package NetworkManager-devel (needed for external VPN plugins like novellvpn) * Build packages NetworkManager-openvpn-kde and NetworkManager-vpnc-kde (bnc#389168) * Preselect the correct wireless settings (bnc#391759) * Left click opens the context menu (bnc#392966) * Several smaller bugfixes - Update to r812889, late features: * VPN support * UMTS/CDMA/GSM support - Update to current development branch 0.7r805840, changes: * Allow deletion of connections (bnc#384126) * Some minor bugfixes (bnc#379470, bnc#381718, bnc#384201) * Update API to match NetworkManager's * Other bugfixes and cleanups - Update to current development branch 0.7r795743, changes: * Fix usage with current NM * Bugfixes * GUI cleanups - Update to current development branch 0.7r785504, changes: * Connections are persisted and therefore automatically connected on startup * Some GUI cleanups * Lot's of fixes - disable final to fix build - Update to current unstable branch 0.7 - add patch knetworkmanager-fix_corrupted_tray-hschaa-01.patch (fixes b.n.c #264959) - add patch knetworkmanager-fix_segfault-hschaa-01.patch (fixes b.n.c #304705) - add patch knetworkmanager-dbus_race-hschaa-01.patch (fixes b.n.c #304956) - add translation_update_hu.patch - fix various memory corruptions, memory leaks and other bugs - add patch knetworkmanager-show_message-hschaa-01.patch (fixes b.n.c #264176) - add patch knetworkmanager-infodialog_tab-hschaa-01.patch (fixes b.n.c #295593) - add patch knetworkmanager-enablebutton-hschaa-01.patch (fixes b.n.c #277720) - add patch knetworkmanager-fixbuild_u64-hschaa-01.patch (fixes build on i386) - update knetworkmanager.default.sh to respect KDEHOME (fixes b.n.c #290292) - add patch knetworkmanager-fixnetworksui-hschaa-01.patch (fixes b.n.c #293449) - add patch knetworkmanager-version-hschaa-01.patch which fixes broken autoconnecting on kde start - update to 0.2r674918 (fixes b.n.c #206641, #182202, #199164, #260440) - remove patches knetworkmanager-vpnc_pwds-hschaa-01.patch, knetworkmanager-newnetwork_crash-hschaa-01.patch, knetworkmanager-wpaeap_storage-hschaa-01.patch: commited upstream - add patch knetworkmanager-vpnc_pwds-hschaa-01.patch (fixes b.n.c #281343) - move kde_post_install - Revised offline mode infrastructure (#237274) - add patch knetworkmanager-newnetwork_crash-hschaa-01.patch (fixes b.n.c #269253) - Use the right source file (instead of the wrong one which was checked in on Apr 4) - add patch knetworkmanager-wpaeap_storage-hschaa-01.patch (fixes b.n.c #253413 and #253414) - update to KDE SVN r646731 (fixes b.n.c #230683, #254352) - fix build (new icon location check) - Branch off new subpackages NetworkManager-kde-openvpn and NetworkManager-kde-vpnc to avoid gnome dependencies brought in through NetworkManager-gnome (b.n.c #198529). - new subpackage NetworkManager-kde-devel contains headers for building plugins for KNetworkManager - update to KDE SVN r631225 - remove patches knetworkmanager-notify-hschaa-01.patch (b.n.c [#159061]), knetworkmanager-vpnoverlay-hschaa-01.patch (b.n.c [#159061]) and knetworkmanager-vpn-utf8-suport-hschaa-01.patch (b.n.c #222918): Comitted upstream. - update to KDE SVN r606753: - add patch knetworkmanager-vpn-utf8-suport-hschaa-01.patch: Support utf8 encoding in VPN name, service etc. (b.n.c #222918) - add patch knetworkmanager-vpnoverlay-hschaa-01.patch: Show a symbol in the system tray when a VPN connection is established (b.n.c #159061) - add patch knetworkmanager-notify-hschaa-01.patch: Show warning if VPN connection attempt failed (b.n.c #159061) - beautify connection dialog when manually connecting to a network - update to KDE SVN r602671 - do not spawn warnings in libnm-util (b.n.c 216083) - remove patch knetworkmanager-dialup-yast-thoenig-01.patch: Fix is now upstream - add patch knetworkmanager-dialup-yast-thoenig-01.patch: Feed KProcess properly to call YaST for dial-up configuration (b.n.c [#216835]) - update patch knetworkmanager-fallback-thoenig-02.patch: Fix storage of networks with 'fallback' flag. - add patch knetworkmanager-fallback-thoenig-01.patch: The flag 'trusted' is gone (NetworkManager API change). Remove the corresponding bits and replace with the 'fallback' flag. If this flag is set for a wireless network, NetworkManager will also try to connect to that network even if it has not been found by scanning (helps when using broken wireless drivers) - update to KDE SVN r588481 - open KWallet only when connecting to an encrypted network (b.n.c [#204809]) - ignore signal from NetworkManager if its state did not change (b.n.c #165275) - move SuSE specific code to a separate patch (knetworkmanager-kde-networkstatus-wstephenson-01.patch) - persist settings for "Offline Mode" and "Disable Wireless" - avoid flickering of the tray icon - remove absolute path to g-k-d - this version will be released as online update for SL10.1, SLED10 and SLES10. - Update to r821737 * Select the correct security mode for wireless connections * Notify about NetworkManager not running (bnc#383195) * Show if a wireless network is encrypted (bnc#393070) * Fix listing available networks (bnc#397589) * Fix crash when NeworkManager is restarted (bnc#397678) * Allow user-defined notifications (bnc#398425) * Fix WPA-EAP TTLS and PEAP (bnc#396347) * Update translations * Several smaller bugfixes - Update to r815960 * Merge trayicons together (bnc#383032) * Build package NetworkManager-devel (needed for external VPN plugins like novellvpn) * Build packages NetworkManager-openvpn-kde and NetworkManager-vpnc-kde (bnc#389168) * Preselect the correct wireless settings (bnc#391759) * Left click opens the context menu (bnc#392966) * Several smaller bugfixes - Update to r812889, late features: * VPN support * UMTS/CDMA/GSM support - Update to current development branch 0.7r805840, changes: * Allow deletion of connections (bnc#384126) * Some minor bugfixes (bnc#379470, bnc#381718, bnc#384201) * Update API to match NetworkManager's * Other bugfixes and cleanups - Update to current development branch 0.7r795743, changes: * Fix usage with current NM * Bugfixes * GUI cleanups - Update to current development branch 0.7r785504, changes: * Connections are persisted and therefore automatically connected on startup * Some GUI cleanups * Lot's of fixes - disable final to fix build - Update to current unstable branch 0.7 - add patch knetworkmanager-fix_corrupted_tray-hschaa-01.patch (fixes b.n.c #264959) - add patch knetworkmanager-fix_segfault-hschaa-01.patch (fixes b.n.c #304705) - add patch knetworkmanager-dbus_race-hschaa-01.patch (fixes b.n.c #304956) - add translation_update_hu.patch - fix various memory corruptions, memory leaks and other bugs - add patch knetworkmanager-show_message-hschaa-01.patch (fixes b.n.c #264176) - add patch knetworkmanager-infodialog_tab-hschaa-01.patch (fixes b.n.c #295593) - add patch knetworkmanager-enablebutton-hschaa-01.patch (fixes b.n.c #277720) - add patch knetworkmanager-fixbuild_u64-hschaa-01.patch (fixes build on i386) - update knetworkmanager.default.sh to respect KDEHOME (fixes b.n.c #290292) - add patch knetworkmanager-fixnetworksui-hschaa-01.patch (fixes b.n.c #293449) - add patch knetworkmanager-version-hschaa-01.patch which fixes broken autoconnecting on kde start - update to 0.2r674918 (fixes b.n.c #206641, #182202, #199164, #260440) - remove patches knetworkmanager-vpnc_pwds-hschaa-01.patch, knetworkmanager-newnetwork_crash-hschaa-01.patch, knetworkmanager-wpaeap_storage-hschaa-01.patch: commited upstream - add patch knetworkmanager-vpnc_pwds-hschaa-01.patch (fixes b.n.c #281343) - move kde_post_install - Revised offline mode infrastructure (#237274) - add patch knetworkmanager-newnetwork_crash-hschaa-01.patch (fixes b.n.c #269253) - Use the right source file (instead of the wrong one which was checked in on Apr 4) - add patch knetworkmanager-wpaeap_storage-hschaa-01.patch (fixes b.n.c #253413 and #253414) - update to KDE SVN r646731 (fixes b.n.c #230683, #254352) - fix build (new icon location check) - Branch off new subpackages NetworkManager-kde-openvpn and NetworkManager-kde-vpnc to avoid gnome dependencies brought in through NetworkManager-gnome (b.n.c #198529). - new subpackage NetworkManager-kde-devel contains headers for building plugins for KNetworkManager - update to KDE SVN r631225 - remove patches knetworkmanager-notify-hschaa-01.patch (b.n.c [#159061]), knetworkmanager-vpnoverlay-hschaa-01.patch (b.n.c [#159061]) and knetworkmanager-vpn-utf8-suport-hschaa-01.patch (b.n.c #222918): Comitted upstream. - update to KDE SVN r606753: - add patch knetworkmanager-vpn-utf8-suport-hschaa-01.patch: Support utf8 encoding in VPN name, service etc. (b.n.c #222918) - add patch knetworkmanager-vpnoverlay-hschaa-01.patch: Show a symbol in the system tray when a VPN connection is established (b.n.c #159061) - add patch knetworkmanager-notify-hschaa-01.patch: Show warning if VPN connection attempt failed (b.n.c #159061) - beautify connection dialog when manually connecting to a network - update to KDE SVN r602671 - do not spawn warnings in libnm-util (b.n.c 216083) - remove patch knetworkmanager-dialup-yast-thoenig-01.patch: Fix is now upstream - add patch knetworkmanager-dialup-yast-thoenig-01.patch: Feed KProcess properly to call YaST for dial-up configuration (b.n.c [#216835]) - update patch knetworkmanager-fallback-thoenig-02.patch: Fix storage of networks with 'fallback' flag. - add patch knetworkmanager-fallback-thoenig-01.patch: The flag 'trusted' is gone (NetworkManager API change). Remove the corresponding bits and replace with the 'fallback' flag. If this flag is set for a wireless network, NetworkManager will also try to connect to that network even if it has not been found by scanning (helps when using broken wireless drivers) - update to KDE SVN r588481 - open KWallet only when connecting to an encrypted network (b.n.c [#204809]) - ignore signal from NetworkManager if its state did not change (b.n.c #165275) - move SuSE specific code to a separate patch (knetworkmanager-kde-networkstatus-wstephenson-01.patch) - persist settings for "Offline Mode" and "Disable Wireless" - avoid flickering of the tray icon - remove absolute path to g-k-d - this version will be released as online update for SL10.1, SLED10 and SLES10. - Update to r821737 * Select the correct security mode for wireless connections * Notify about NetworkManager not running (bnc#383195) * Show if a wireless network is encrypted (bnc#393070) * Fix listing available networks (bnc#397589) * Fix crash when NeworkManager is restarted (bnc#397678) * Allow user-defined notifications (bnc#398425) * Fix WPA-EAP TTLS and PEAP (bnc#396347) * Update translations * Several smaller bugfixes - Update to r815960 * Merge trayicons together (bnc#383032) * Build package NetworkManager-devel (needed for external VPN plugins like novellvpn) * Build packages NetworkManager-openvpn-kde and NetworkManager-vpnc-kde (bnc#389168) * Preselect the correct wireless settings (bnc#391759) * Left click opens the context menu (bnc#392966) * Several smaller bugfixes - Update to r812889, late features: * VPN support * UMTS/CDMA/GSM support - Update to current development branch 0.7r805840, changes: * Allow deletion of connections (bnc#384126) * Some minor bugfixes (bnc#379470, bnc#381718, bnc#384201) * Update API to match NetworkManager's * Other bugfixes and cleanups - Update to current development branch 0.7r795743, changes: * Fix usage with current NM * Bugfixes * GUI cleanups - Update to current development branch 0.7r785504, changes: * Connections are persisted and therefore automatically connected on startup * Some GUI cleanups * Lot's of fixes - disable final to fix build - Update to current unstable branch 0.7 - add patch knetworkmanager-fix_corrupted_tray-hschaa-01.patch (fixes b.n.c #264959) - add patch knetworkmanager-fix_segfault-hschaa-01.patch (fixes b.n.c #304705) - add patch knetworkmanager-dbus_race-hschaa-01.patch (fixes b.n.c #304956) - add translation_update_hu.patch - fix various memory corruptions, memory leaks and other bugs - add patch knetworkmanager-show_message-hschaa-01.patch (fixes b.n.c #264176) - add patch knetworkmanager-infodialog_tab-hschaa-01.patch (fixes b.n.c #295593) - add patch knetworkmanager-enablebutton-hschaa-01.patch (fixes b.n.c #277720) - add patch knetworkmanager-fixbuild_u64-hschaa-01.patch (fixes build on i386) - update knetworkmanager.default.sh to respect KDEHOME (fixes b.n.c #290292) - add patch knetworkmanager-fixnetworksui-hschaa-01.patch (fixes b.n.c #293449) - add patch knetworkmanager-version-hschaa-01.patch which fixes broken autoconnecting on kde start - update to 0.2r674918 (fixes b.n.c #206641, #182202, #199164, #260440) - remove patches knetworkmanager-vpnc_pwds-hschaa-01.patch, knetworkmanager-newnetwork_crash-hschaa-01.patch, knetworkmanager-wpaeap_storage-hschaa-01.patch: commited upstream - add patch knetworkmanager-vpnc_pwds-hschaa-01.patch (fixes b.n.c #281343) - move kde_post_install - Revised offline mode infrastructure (#237274) - add patch knetworkmanager-newnetwork_crash-hschaa-01.patch (fixes b.n.c #269253) - Use the right source file (instead of the wrong one which was checked in on Apr 4) - add patch knetworkmanager-wpaeap_storage-hschaa-01.patch (fixes b.n.c #253413 and #253414) - update to KDE SVN r646731 (fixes b.n.c #230683, #254352) - fix build (new icon location check) - Branch off new subpackages NetworkManager-kde-openvpn and NetworkManager-kde-vpnc to avoid gnome dependencies brought in through NetworkManager-gnome (b.n.c #198529). - new subpackage NetworkManager-kde-devel contains headers for building plugins for KNetworkManager - update to KDE SVN r631225 - remove patches knetworkmanager-notify-hschaa-01.patch (b.n.c [#159061]), knetworkmanager-vpnoverlay-hschaa-01.patch (b.n.c [#159061]) and knetworkmanager-vpn-utf8-suport-hschaa-01.patch (b.n.c #222918): Comitted upstream. - update to KDE SVN r606753: - add patch knetworkmanager-vpn-utf8-suport-hschaa-01.patch: Support utf8 encoding in VPN name, service etc. (b.n.c #222918) - add patch knetworkmanager-vpnoverlay-hschaa-01.patch: Show a symbol in the system tray when a VPN connection is established (b.n.c #159061) - add patch knetworkmanager-notify-hschaa-01.patch: Show warning if VPN connection attempt failed (b.n.c #159061) - beautify connection dialog when manually connecting to a network - update to KDE SVN r602671 - do not spawn warnings in libnm-util (b.n.c 216083) - remove patch knetworkmanager-dialup-yast-thoenig-01.patch: Fix is now upstream - add patch knetworkmanager-dialup-yast-thoenig-01.patch: Feed KProcess properly to call YaST for dial-up configuration (b.n.c [#216835]) - update patch knetworkmanager-fallback-thoenig-02.patch: Fix storage of networks with 'fallback' flag. - add patch knetworkmanager-fallback-thoenig-01.patch: The flag 'trusted' is gone (NetworkManager API change). Remove the corresponding bits and replace with the 'fallback' flag. If this flag is set for a wireless network, NetworkManager will also try to connect to that network even if it has not been found by scanning (helps when using broken wireless drivers) - update to KDE SVN r588481 - open KWallet only when connecting to an encrypted network (b.n.c [#204809]) - ignore signal from NetworkManager if its state did not change (b.n.c #165275) - move SuSE specific code to a separate patch (knetworkmanager-kde-networkstatus-wstephenson-01.patch) - persist settings for "Offline Mode" and "Disable Wireless" - avoid flickering of the tray icon - remove absolute path to g-k-d - this version will be released as online update for SL10.1, SLED10 and SLES10. - Update to r821737 * Select the correct security mode for wireless connections * Notify about NetworkManager not running (bnc#383195) * Show if a wireless network is encrypted (bnc#393070) * Fix listing available networks (bnc#397589) * Fix crash when NeworkManager is restarted (bnc#397678) * Allow user-defined notifications (bnc#398425) * Fix WPA-EAP TTLS and PEAP (bnc#396347) * Update translations * Several smaller bugfixes - Update to r815960 * Merge trayicons together (bnc#383032) * Build package NetworkManager-devel (needed for external VPN plugins like novellvpn) * Build packages NetworkManager-openvpn-kde and NetworkManager-vpnc-kde (bnc#389168) * Preselect the correct wireless settings (bnc#391759) * Left click opens the context menu (bnc#392966) * Several smaller bugfixes - Update to r812889, late features: * VPN support * UMTS/CDMA/GSM support - Update to current development branch 0.7r805840, changes: * Allow deletion of connections (bnc#384126) * Some minor bugfixes (bnc#379470, bnc#381718, bnc#384201) * Update API to match NetworkManager's * Other bugfixes and cleanups - Update to current development branch 0.7r795743, changes: * Fix usage with current NM * Bugfixes * GUI cleanups - Update to current development branch 0.7r785504, changes: * Connections are persisted and therefore automatically connected on startup * Some GUI cleanups * Lot's of fixes - disable final to fix build - Update to current unstable branch 0.7 - add patch knetworkmanager-fix_corrupted_tray-hschaa-01.patch (fixes b.n.c #264959) - add patch knetworkmanager-fix_segfault-hschaa-01.patch (fixes b.n.c #304705) - add patch knetworkmanager-dbus_race-hschaa-01.patch (fixes b.n.c #304956) - add translation_update_hu.patch - fix various memory corruptions, memory leaks and other bugs - add patch knetworkmanager-show_message-hschaa-01.patch (fixes b.n.c #264176) - add patch knetworkmanager-infodialog_tab-hschaa-01.patch (fixes b.n.c #295593) - add patch knetworkmanager-enablebutton-hschaa-01.patch (fixes b.n.c #277720) - add patch knetworkmanager-fixbuild_u64-hschaa-01.patch (fixes build on i386) - update knetworkmanager.default.sh to respect KDEHOME (fixes b.n.c #290292) - add patch knetworkmanager-fixnetworksui-hschaa-01.patch (fixes b.n.c #293449) - add patch knetworkmanager-version-hschaa-01.patch which fixes broken autoconnecting on kde start - update to 0.2r674918 (fixes b.n.c #206641, #182202, #199164, #260440) - remove patches knetworkmanager-vpnc_pwds-hschaa-01.patch, knetworkmanager-newnetwork_crash-hschaa-01.patch, knetworkmanager-wpaeap_storage-hschaa-01.patch: commited upstream - add patch knetworkmanager-vpnc_pwds-hschaa-01.patch (fixes b.n.c #281343) - move kde_post_install - Revised offline mode infrastructure (#237274) - add patch knetworkmanager-newnetwork_crash-hschaa-01.patch (fixes b.n.c #269253) - Use the right source file (instead of the wrong one which was checked in on Apr 4) - add patch knetworkmanager-wpaeap_storage-hschaa-01.patch (fixes b.n.c #253413 and #253414) - update to KDE SVN r646731 (fixes b.n.c #230683, #254352) - fix build (new icon location check) - Branch off new subpackages NetworkManager-kde-openvpn and NetworkManager-kde-vpnc to avoid gnome dependencies brought in through NetworkManager-gnome (b.n.c #198529). - new subpackage NetworkManager-kde-devel contains headers for building plugins for KNetworkManager - update to KDE SVN r631225 - remove patches knetworkmanager-notify-hschaa-01.patch (b.n.c [#159061]), knetworkmanager-vpnoverlay-hschaa-01.patch (b.n.c [#159061]) and knetworkmanager-vpn-utf8-suport-hschaa-01.patch (b.n.c #222918): Comitted upstream. - update to KDE SVN r606753: - add patch knetworkmanager-vpn-utf8-suport-hschaa-01.patch: Support utf8 encoding in VPN name, service etc. (b.n.c #222918) - add patch knetworkmanager-vpnoverlay-hschaa-01.patch: Show a symbol in the system tray when a VPN connection is established (b.n.c #159061) - add patch knetworkmanager-notify-hschaa-01.patch: Show warning if VPN connection attempt failed (b.n.c #159061) - beautify connection dialog when manually connecting to a network - update to KDE SVN r602671 - do not spawn warnings in libnm-util (b.n.c 216083) - remove patch knetworkmanager-dialup-yast-thoenig-01.patch: Fix is now upstream - add patch knetworkmanager-dialup-yast-thoenig-01.patch: Feed KProcess properly to call YaST for dial-up configuration (b.n.c [#216835]) - update patch knetworkmanager-fallback-thoenig-02.patch: Fix storage of networks with 'fallback' flag. - add patch knetworkmanager-fallback-thoenig-01.patch: The flag 'trusted' is gone (NetworkManager API change). Remove the corresponding bits and replace with the 'fallback' flag. If this flag is set for a wireless network, NetworkManager will also try to connect to that network even if it has not been found by scanning (helps when using broken wireless drivers) - update to KDE SVN r588481 - open KWallet only when connecting to an encrypted network (b.n.c [#204809]) - ignore signal from NetworkManager if its state did not change (b.n.c #165275) - move SuSE specific code to a separate patch (knetworkmanager-kde-networkstatus-wstephenson-01.patch) - persist settings for "Offline Mode" and "Disable Wireless" - avoid flickering of the tray icon - remove absolute path to g-k-d - this version will be released as online update for SL10.1, SLED10 and SLES10. - Update to r821737 * Select the correct security mode for wireless connections * Notify about NetworkManager not running (bnc#383195) * Show if a wireless network is encrypted (bnc#393070) * Fix listing available networks (bnc#397589) * Fix crash when NeworkManager is restarted (bnc#397678) * Allow user-defined notifications (bnc#398425) * Fix WPA-EAP TTLS and PEAP (bnc#396347) * Update translations * Several smaller bugfixes - Update to r815960 * Merge trayicons together (bnc#383032) * Build package NetworkManager-devel (needed for external VPN plugins like novellvpn) * Build packages NetworkManager-openvpn-kde and NetworkManager-vpnc-kde (bnc#389168) * Preselect the correct wireless settings (bnc#391759) * Left click opens the context menu (bnc#392966) * Several smaller bugfixes - Update to r812889, late features: * VPN support * UMTS/CDMA/GSM support - Update to current development branch 0.7r805840, changes: * Allow deletion of connections (bnc#384126) * Some minor bugfixes (bnc#379470, bnc#381718, bnc#384201) * Update API to match NetworkManager's * Other bugfixes and cleanups - Update to current development branch 0.7r795743, changes: * Fix usage with current NM * Bugfixes * GUI cleanups - Update to current development branch 0.7r785504, changes: * Connections are persisted and therefore automatically connected on startup * Some GUI cleanups * Lot's of fixes - disable final to fix build - Update to current unstable branch 0.7 - add patch knetworkmanager-fix_corrupted_tray-hschaa-01.patch (fixes b.n.c #264959) - add patch knetworkmanager-fix_segfault-hschaa-01.patch (fixes b.n.c #304705) - add patch knetworkmanager-dbus_race-hschaa-01.patch (fixes b.n.c #304956) - add translation_update_hu.patch - fix various memory corruptions, memory leaks and other bugs - add patch knetworkmanager-show_message-hschaa-01.patch (fixes b.n.c #264176) - add patch knetworkmanager-infodialog_tab-hschaa-01.patch (fixes b.n.c #295593) - add patch knetworkmanager-enablebutton-hschaa-01.patch (fixes b.n.c #277720) - add patch knetworkmanager-fixbuild_u64-hschaa-01.patch (fixes build on i386) - update knetworkmanager.default.sh to respect KDEHOME (fixes b.n.c #290292) - add patch knetworkmanager-fixnetworksui-hschaa-01.patch (fixes b.n.c #293449) - add patch knetworkmanager-version-hschaa-01.patch which fixes broken autoconnecting on kde start - update to 0.2r674918 (fixes b.n.c #206641, #182202, #199164, #260440) - remove patches knetworkmanager-vpnc_pwds-hschaa-01.patch, knetworkmanager-newnetwork_crash-hschaa-01.patch, knetworkmanager-wpaeap_storage-hschaa-01.patch: commited upstream - add patch knetworkmanager-vpnc_pwds-hschaa-01.patch (fixes b.n.c #281343) - move kde_post_install - Revised offline mode infrastructure (#237274) - add patch knetworkmanager-newnetwork_crash-hschaa-01.patch (fixes b.n.c #269253) - Use the right source file (instead of the wrong one which was checked in on Apr 4) - add patch knetworkmanager-wpaeap_storage-hschaa-01.patch (fixes b.n.c #253413 and #253414) - update to KDE SVN r646731 (fixes b.n.c #230683, #254352) - fix build (new icon location check) - Branch off new subpackages NetworkManager-kde-openvpn and NetworkManager-kde-vpnc to avoid gnome dependencies brought in through NetworkManager-gnome (b.n.c #198529). - new subpackage NetworkManager-kde-devel contains headers for building plugins for KNetworkManager - update to KDE SVN r631225 - remove patches knetworkmanager-notify-hschaa-01.patch (b.n.c [#159061]), knetworkmanager-vpnoverlay-hschaa-01.patch (b.n.c [#159061]) and knetworkmanager-vpn-utf8-suport-hschaa-01.patch (b.n.c #222918): Comitted upstream. - update to KDE SVN r606753: - add patch knetworkmanager-vpn-utf8-suport-hschaa-01.patch: Support utf8 encoding in VPN name, service etc. (b.n.c #222918) - add patch knetworkmanager-vpnoverlay-hschaa-01.patch: Show a symbol in the system tray when a VPN connection is established (b.n.c #159061) - add patch knetworkmanager-notify-hschaa-01.patch: Show warning if VPN connection attempt failed (b.n.c #159061) - beautify connection dialog when manually connecting to a network - update to KDE SVN r602671 - do not spawn warnings in libnm-util (b.n.c 216083) - remove patch knetworkmanager-dialup-yast-thoenig-01.patch: Fix is now upstream - add patch knetworkmanager-dialup-yast-thoenig-01.patch: Feed KProcess properly to call YaST for dial-up configuration (b.n.c [#216835]) - update patch knetworkmanager-fallback-thoenig-02.patch: Fix storage of networks with 'fallback' flag. - add patch knetworkmanager-fallback-thoenig-01.patch: The flag 'trusted' is gone (NetworkManager API change). Remove the corresponding bits and replace with the 'fallback' flag. If this flag is set for a wireless network, NetworkManager will also try to connect to that network even if it has not been found by scanning (helps when using broken wireless drivers) - update to KDE SVN r588481 - open KWallet only when connecting to an encrypted network (b.n.c [#204809]) - ignore signal from NetworkManager if its state did not change (b.n.c #165275) - move SuSE specific code to a separate patch (knetworkmanager-kde-networkstatus-wstephenson-01.patch) - persist settings for "Offline Mode" and "Disable Wireless" - avoid flickering of the tray icon - remove absolute path to g-k-d - this version will be released as online update for SL10.1, SLED10 and SLES10. - Update to r821737 * Select the correct security mode for wireless connections * Notify about NetworkManager not running (bnc#383195) * Show if a wireless network is encrypted (bnc#393070) * Fix listing available networks (bnc#397589) * Fix crash when NeworkManager is restarted (bnc#397678) * Allow user-defined notifications (bnc#398425) * Fix WPA-EAP TTLS and PEAP (bnc#396347) * Update translations * Several smaller bugfixes - Update to r815960 * Merge trayicons together (bnc#383032) * Build package NetworkManager-devel (needed for external VPN plugins like novellvpn) * Build packages NetworkManager-openvpn-kde and NetworkManager-vpnc-kde (bnc#389168) * Preselect the correct wireless settings (bnc#391759) * Left click opens the context menu (bnc#392966) * Several smaller bugfixes - Update to r812889, late features: * VPN support * UMTS/CDMA/GSM support - Update to current development branch 0.7r805840, changes: * Allow deletion of connections (bnc#384126) * Some minor bugfixes (bnc#379470, bnc#381718, bnc#384201) * Update API to match NetworkManager's * Other bugfixes and cleanups - Update to current development branch 0.7r795743, changes: * Fix usage with current NM * Bugfixes * GUI cleanups - Update to current development branch 0.7r785504, changes: * Connections are persisted and therefore automatically connected on startup * Some GUI cleanups * Lot's of fixes - disable final to fix build - Update to current unstable branch 0.7 - add patch knetworkmanager-fix_corrupted_tray-hschaa-01.patch (fixes b.n.c #264959) - add patch knetworkmanager-fix_segfault-hschaa-01.patch (fixes b.n.c #304705) - add patch knetworkmanager-dbus_race-hschaa-01.patch (fixes b.n.c #304956) - add translation_update_hu.patch - fix various memory corruptions, memory leaks and other bugs - add patch knetworkmanager-show_message-hschaa-01.patch (fixes b.n.c #264176) - add patch knetworkmanager-infodialog_tab-hschaa-01.patch (fixes b.n.c #295593) - add patch knetworkmanager-enablebutton-hschaa-01.patch (fixes b.n.c #277720) - add patch knetworkmanager-fixbuild_u64-hschaa-01.patch (fixes build on i386) - update knetworkmanager.default.sh to respect KDEHOME (fixes b.n.c #290292) - add patch knetworkmanager-fixnetworksui-hschaa-01.patch (fixes b.n.c #293449) - add patch knetworkmanager-version-hschaa-01.patch which fixes broken autoconnecting on kde start - update to 0.2r674918 (fixes b.n.c #206641, #182202, #199164, #260440) - remove patches knetworkmanager-vpnc_pwds-hschaa-01.patch, knetworkmanager-newnetwork_crash-hschaa-01.patch, knetworkmanager-wpaeap_storage-hschaa-01.patch: commited upstream - add patch knetworkmanager-vpnc_pwds-hschaa-01.patch (fixes b.n.c #281343) - move kde_post_install - Revised offline mode infrastructure (#237274) - add patch knetworkmanager-newnetwork_crash-hschaa-01.patch (fixes b.n.c #269253) - Use the right source file (instead of the wrong one which was checked in on Apr 4) - add patch knetworkmanager-wpaeap_storage-hschaa-01.patch (fixes b.n.c #253413 and #253414) - update to KDE SVN r646731 (fixes b.n.c #230683, #254352) - fix build (new icon location check) - Branch off new subpackages NetworkManager-kde-openvpn and NetworkManager-kde-vpnc to avoid gnome dependencies brought in through NetworkManager-gnome (b.n.c #198529). - new subpackage NetworkManager-kde-devel contains headers for building plugins for KNetworkManager - update to KDE SVN r631225 - remove patches knetworkmanager-notify-hschaa-01.patch (b.n.c [#159061]), knetworkmanager-vpnoverlay-hschaa-01.patch (b.n.c [#159061]) and knetworkmanager-vpn-utf8-suport-hschaa-01.patch (b.n.c #222918): Comitted upstream. - update to KDE SVN r606753: - add patch knetworkmanager-vpn-utf8-suport-hschaa-01.patch: Support utf8 encoding in VPN name, service etc. (b.n.c #222918) - add patch knetworkmanager-vpnoverlay-hschaa-01.patch: Show a symbol in the system tray when a VPN connection is established (b.n.c #159061) - add patch knetworkmanager-notify-hschaa-01.patch: Show warning if VPN connection attempt failed (b.n.c #159061) - beautify connection dialog when manually connecting to a network - update to KDE SVN r602671 - do not spawn warnings in libnm-util (b.n.c 216083) - remove patch knetworkmanager-dialup-yast-thoenig-01.patch: Fix is now upstream - add patch knetworkmanager-dialup-yast-thoenig-01.patch: Feed KProcess properly to call YaST for dial-up configuration (b.n.c [#216835]) - update patch knetworkmanager-fallback-thoenig-02.patch: Fix storage of networks with 'fallback' flag. - add patch knetworkmanager-fallback-thoenig-01.patch: The flag 'trusted' is gone (NetworkManager API change). Remove the corresponding bits and replace with the 'fallback' flag. If this flag is set for a wireless network, NetworkManager will also try to connect to that network even if it has not been found by scanning (helps when using broken wireless drivers) - update to KDE SVN r588481 - open KWallet only when connecting to an encrypted network (b.n.c [#204809]) - ignore signal from NetworkManager if its state did not change (b.n.c #165275) - move SuSE specific code to a separate patch (knetworkmanager-kde-networkstatus-wstephenson-01.patch) - persist settings for "Offline Mode" and "Disable Wireless" - avoid flickering of the tray icon - remove absolute path to g-k-d - this version will be released as online update for SL10.1, SLED10 and SLES10. - Update to version 2008c (Marocco, Mongolia, Pakistan DST changes) [bnc#396308] - Update to version 2008b (esp. Chile, Cuba, Iraq, Syria DST changes) [bnc#368760] - Update to version 2007k (esp. Argentina DST change) [#350489] - Use RPM_OPT_FLAGS. - Update to version 2007j (esp. Venezuela time shift) - Update to version 2007h - Fix %post script to work in patch RPMs as well - Update to version 2007g - Fix %post if /etc/localtime doesn't exist yet - Split timezone package to a separate physical package - Use fdupes to reduce timezone data size. - Update to head of glibc-2.6 branch. - Fix update on ppc. - Add a provide for "rtld(GNU_HASH)". - Fix section selection in crt objects. - Backport fix for crashing printf() of some invalid ldouble values - Added few fixes from 2.6 CVS before 2.6.1 gets released - Update glibc to version 2.6 - Update tzdata to version 2007f - Update build checks. - only keep symtab for libpthread* - Fix strtod() exponent limit calculations [#230909] - Fix random nscd crashes under very heavy passwd/group queries load [#192391] - Add some enums from CVS to sys/personality.h [#253710] - Fix pthread_atfork()-induced hangs in threaded programs [#256237] - Fix llrintl() on ppc64 [#241183] - Fix makecontext() segfault [#249780] - Fix potential dladdr() breakage [#241464] - Fix some races in client programs with nscd garbage collection [#252138] - Update localtime during timezone update [#239888] - temporary disable powerpc cputuned libs to reduce turnaround time - Update to the latest upstream timezone data [#231833] - Remove -ffortify. - Remove -fstack-protector. - Removed references to /opt/gnome. - link power4 to ppc970, link power6 to power6x - Update the powerpc cpu-tuned environment to v0.05 - Update ppc build check. - Fix for Brazilian and Wester Australia timezone DSTs [#213375,#223196] - Disable power6 optimization for 10.2, not all pieces are there [#219962] - Change ld.so madvise() call to posix_fadvise() - Fix mallopt(M_MXFAST,0) behaviour [#198760] - Update the powerpc cpu-tuned environment to v0.04 [#215117] - Update the powerpc cpu-tuned environment to v0.03 [#212549] - Improve glibc powerpc optimization [#212548,#212580,#214282] - add ldconfig-old-cache patch to speed up ldconfig - dont use uninitialized (and wrong) variable in glibc-2.4.90-bdirect.diff [#212470] - Update to the latest 2.5 CVS - More friendly -Bdirect behaviour in case of missing libraries - Fix 2.4.90-nscd patch wrt. new gcc - Fix warnings in testsuite (patch from CVS). - Update to 2.5 CVS - official release (only minimal changes in CVS since the last update) - Fix a thinko in the -Bdirect patch - fix devel requires - Make the dynamic linker support direct bindings (Michael Meeks' Solaris-like -Bdirect with minor changes by me) - Split the kernel headers to a new package (linux-kernel-headers) - Fix broken assertion [#208189]. - Fix mistake when removing some patches - Update to current CVS - Fix 64bit-cleanliness gcc warnings - Add /usr/lib{,64}/Xaw3d to /etc/ld.so.conf (by schwab@suse.de, from original STABLE) [#205169] - Fix chown() instead of lchown() called in fchownat() emulation [#201751] - Fix glob() overflowing stack when producing massive number of matches [#190458] - Update to current CVS - Fix cut'n'paste error in a last-minute change - Update to current CVS - Fix powerpc-cpu tarball extension - Move crypt-blowfish to a patch so that quilt works on the tree - Use asm-powerpc for ppc and ppc64. - Fix chroot check in glibc_post_upgrade. - Update to current CVS, should fix false positive heap overflow trigger from malloc() causing gcc to hang [#201724] - Update the powerpc cpu-tuned environment to v0.02 [#199274] - Update to current CVS - Drop pthread_mutexattr_getprioceiling() out of range fix Ported from STABLE: - Remove libc5 reference from /etc/ld.so.conf, shlibs5 is no longer supported [#181947] - Fix name of a dummy ia64 header from offsets.h to asm-offsets.h [#191394] - Update to current CVS snapshot (highlight: support for .gnu.hash fast linking support) - pthread_mutexattr_getprioceiling() was returning prioceiling out of range [#182782] - Fix the HTML documentation missing an index [#190585] - Update to version 2008c (Marocco, Mongolia, Pakistan DST changes) [bnc#396308] - Update to version 2008b (esp. Chile, Cuba, Iraq, Syria DST changes) [bnc#368760] - Update to version 2007k (esp. Argentina DST change) [#350489] - Use RPM_OPT_FLAGS. - Update to version 2007j (esp. Venezuela time shift) - Update to version 2007h - Fix %post script to work in patch RPMs as well - Update to version 2007g - Fix %post if /etc/localtime doesn't exist yet - Split timezone package to a separate physical package - Use fdupes to reduce timezone data size. - Update to head of glibc-2.6 branch. - Fix update on ppc. - Add a provide for "rtld(GNU_HASH)". - Fix section selection in crt objects. - Backport fix for crashing printf() of some invalid ldouble values - Added few fixes from 2.6 CVS before 2.6.1 gets released - Update glibc to version 2.6 - Update tzdata to version 2007f - Update build checks. - only keep symtab for libpthread* - Fix strtod() exponent limit calculations [#230909] - Fix random nscd crashes under very heavy passwd/group queries load [#192391] - Add some enums from CVS to sys/personality.h [#253710] - Fix pthread_atfork()-induced hangs in threaded programs [#256237] - Fix llrintl() on ppc64 [#241183] - Fix makecontext() segfault [#249780] - Fix potential dladdr() breakage [#241464] - Fix some races in client programs with nscd garbage collection [#252138] - Update localtime during timezone update [#239888] - temporary disable powerpc cputuned libs to reduce turnaround time - Update to the latest upstream timezone data [#231833] - Remove -ffortify. - Remove -fstack-protector. - Removed references to /opt/gnome. - link power4 to ppc970, link power6 to power6x - Update the powerpc cpu-tuned environment to v0.05 - Update ppc build check. - Fix for Brazilian and Wester Australia timezone DSTs [#213375,#223196] - Disable power6 optimization for 10.2, not all pieces are there [#219962] - Change ld.so madvise() call to posix_fadvise() - Fix mallopt(M_MXFAST,0) behaviour [#198760] - Update the powerpc cpu-tuned environment to v0.04 [#215117] - Update the powerpc cpu-tuned environment to v0.03 [#212549] - Improve glibc powerpc optimization [#212548,#212580,#214282] - add ldconfig-old-cache patch to speed up ldconfig - dont use uninitialized (and wrong) variable in glibc-2.4.90-bdirect.diff [#212470] - Update to the latest 2.5 CVS - More friendly -Bdirect behaviour in case of missing libraries - Fix 2.4.90-nscd patch wrt. new gcc - Fix warnings in testsuite (patch from CVS). - Update to 2.5 CVS - official release (only minimal changes in CVS since the last update) - Fix a thinko in the -Bdirect patch - fix devel requires - Make the dynamic linker support direct bindings (Michael Meeks' Solaris-like -Bdirect with minor changes by me) - Split the kernel headers to a new package (linux-kernel-headers) - Fix broken assertion [#208189]. - Fix mistake when removing some patches - Update to current CVS - Fix 64bit-cleanliness gcc warnings - Add /usr/lib{,64}/Xaw3d to /etc/ld.so.conf (by schwab@suse.de, from original STABLE) [#205169] - Fix chown() instead of lchown() called in fchownat() emulation [#201751] - Fix glob() overflowing stack when producing massive number of matches [#190458] - Update to current CVS - Fix cut'n'paste error in a last-minute change - Update to current CVS - Fix powerpc-cpu tarball extension - Move crypt-blowfish to a patch so that quilt works on the tree - Use asm-powerpc for ppc and ppc64. - Fix chroot check in glibc_post_upgrade. - Update to current CVS, should fix false positive heap overflow trigger from malloc() causing gcc to hang [#201724] - Update the powerpc cpu-tuned environment to v0.02 [#199274] - Update to current CVS - Drop pthread_mutexattr_getprioceiling() out of range fix Ported from STABLE: - Remove libc5 reference from /etc/ld.so.conf, shlibs5 is no longer supported [#181947] - Fix name of a dummy ia64 header from offsets.h to asm-offsets.h [#191394] - Update to current CVS snapshot (highlight: support for .gnu.hash fast linking support) - pthread_mutexattr_getprioceiling() was returning prioceiling out of range [#182782] - Fix the HTML documentation missing an index [#190585] - Update to version 2008c (Marocco, Mongolia, Pakistan DST changes) [bnc#396308] - Update to version 2008b (esp. Chile, Cuba, Iraq, Syria DST changes) [bnc#368760] - Update to version 2007k (esp. Argentina DST change) [#350489] - Use RPM_OPT_FLAGS. - Update to version 2007j (esp. Venezuela time shift) - Update to version 2007h - Fix %post script to work in patch RPMs as well - Update to version 2007g - Fix %post if /etc/localtime doesn't exist yet - Split timezone package to a separate physical package - Use fdupes to reduce timezone data size. - Update to head of glibc-2.6 branch. - Fix update on ppc. - Add a provide for "rtld(GNU_HASH)". - Fix section selection in crt objects. - Backport fix for crashing printf() of some invalid ldouble values - Added few fixes from 2.6 CVS before 2.6.1 gets released - Update glibc to version 2.6 - Update tzdata to version 2007f - Update build checks. - only keep symtab for libpthread* - Fix strtod() exponent limit calculations [#230909] - Fix random nscd crashes under very heavy passwd/group queries load [#192391] - Add some enums from CVS to sys/personality.h [#253710] - Fix pthread_atfork()-induced hangs in threaded programs [#256237] - Fix llrintl() on ppc64 [#241183] - Fix makecontext() segfault [#249780] - Fix potential dladdr() breakage [#241464] - Fix some races in client programs with nscd garbage collection [#252138] - Update localtime during timezone update [#239888] - temporary disable powerpc cputuned libs to reduce turnaround time - Update to the latest upstream timezone data [#231833] - Remove -ffortify. - Remove -fstack-protector. - Removed references to /opt/gnome. - link power4 to ppc970, link power6 to power6x - Update the powerpc cpu-tuned environment to v0.05 - Update ppc build check. - Fix for Brazilian and Wester Australia timezone DSTs [#213375,#223196] - Disable power6 optimization for 10.2, not all pieces are there [#219962] - Change ld.so madvise() call to posix_fadvise() - Fix mallopt(M_MXFAST,0) behaviour [#198760] - Update the powerpc cpu-tuned environment to v0.04 [#215117] - Update the powerpc cpu-tuned environment to v0.03 [#212549] - Improve glibc powerpc optimization [#212548,#212580,#214282] - add ldconfig-old-cache patch to speed up ldconfig - dont use uninitialized (and wrong) variable in glibc-2.4.90-bdirect.diff [#212470] - Update to the latest 2.5 CVS - More friendly -Bdirect behaviour in case of missing libraries - Fix 2.4.90-nscd patch wrt. new gcc - Fix warnings in testsuite (patch from CVS). - Update to 2.5 CVS - official release (only minimal changes in CVS since the last update) - Fix a thinko in the -Bdirect patch - fix devel requires - Make the dynamic linker support direct bindings (Michael Meeks' Solaris-like -Bdirect with minor changes by me) - Split the kernel headers to a new package (linux-kernel-headers) - Fix broken assertion [#208189]. - Fix mistake when removing some patches - Update to current CVS - Fix 64bit-cleanliness gcc warnings - Add /usr/lib{,64}/Xaw3d to /etc/ld.so.conf (by schwab@suse.de, from original STABLE) [#205169] - Fix chown() instead of lchown() called in fchownat() emulation [#201751] - Fix glob() overflowing stack when producing massive number of matches [#190458] - Update to current CVS - Fix cut'n'paste error in a last-minute change - Update to current CVS - Fix powerpc-cpu tarball extension - Move crypt-blowfish to a patch so that quilt works on the tree - Use asm-powerpc for ppc and ppc64. - Fix chroot check in glibc_post_upgrade. - Update to current CVS, should fix false positive heap overflow trigger from malloc() causing gcc to hang [#201724] - Update the powerpc cpu-tuned environment to v0.02 [#199274] - Update to current CVS - Drop pthread_mutexattr_getprioceiling() out of range fix Ported from STABLE: - Remove libc5 reference from /etc/ld.so.conf, shlibs5 is no longer supported [#181947] - Fix name of a dummy ia64 header from offsets.h to asm-offsets.h [#191394] - Update to current CVS snapshot (highlight: support for .gnu.hash fast linking support) - pthread_mutexattr_getprioceiling() was returning prioceiling out of range [#182782] - Fix the HTML documentation missing an index [#190585] - Security update 0.93.1 (bnc#399302, CVE-2008-2713) - Improved clamav-milter configuration and init script (bnc#382907) - Convert the database to the new format instead of running freshclam to re-fetch it (bnc#380787). - Added main.cld and daily.cld as %ghost - Refined the logic in %post of clamav-db as to when the dist files need to get copied over. - Security update 0.93 (bnc#350987, bnc#368963). - CVE-2007-6595: symlink attack on temporary files - CVE-2007-6596: recognize Base64 UUEncoded archives - CVE-2008-1100: Buffer overflow in the cli_scanpe function. - Remove bogus dependencies from libclamav.pc (bnc#196236) - Run freshclam on update before restarting clamd to convert the database into the new format. - Security update 0.92.1: (bnc#361374) * CVE-2008-0318: libclamav PE File Integer Overflow Vulnerability * CVE-2008-0728: heap corruption - Fix open call to build again. - Security update 0.92 (#343277): * CVE-2007-6335 - MEW PE File Integer Overflow * CVE-2007-6336 - Off-by-one error in LZX_READ_HUFFSYM() * CVE-2007-6337 - bzlib issue - Make clamd error out if /dev/null can't be opened (#300019). - Added sendmail and sendmail-devel to BuildRequires. - Enabled clamav-milter and added an init script for it. (fate#302362) - Bugfix update 0.91.2. - Fixes some NULL dereferences and variable initialisation problems - Fix some rpmlint warnings in init scripts. - Inform the user that to use Clamuko, clamd needs to run as root, so that it can read the files it needs to scan (#201730). - Stability and bugfix update: 0.91.1 (#292297) - Run ldconfig on (un)installation. - Make %check conditional to fix building on SLES8. - add zlib-devel to build requires - suppress some false positives from rpmlint - added %check section and remove unneeded INSTALL file from %doc - Update to version 0.91 (#289830) - improved handling of .mdb files (fixes long startup times) - Adds anti-phishing support - unpacker for NSIS (Nullsoft Scriptable Install System) self-extracting archives - unpacker for ASPack 2.12 - new implementation of the Aho-Corasick pattern matcher providing better detection for wildcard enabled signatures - support for nibble matching and floating offsets - extraction of PE files embedded into other executables - better handling of PE & UPX - removed dependency on libcurl (improves stability) - many other improvements and bugfixes - Security update: 0.90.3 (#279536) - libclamav/unsp.c: fix end of buffer calculation (bb#464) - libclamav/others.c: use strict permissions (0600) for temporary files created in cli_gentempstream() (bb#517). - libclamav/unrar/unrar.c: heap corruption causing DoS with corrupted rar archive, better handle truncated files - libclamav/phishcheck.c: isURL() regex execution hangs on Solaris - libclamav/ole2_extract.c: detect block list loop (bb#466) - Security update: 0.90.2 (#264189) - CVE-2007-1997: CAB File Unstore Buffer Overflow Vulnerability - CVE-2007-1745: file descriptor leak in CHM handler - File descriptor leaks in libclamav/pdf.c and libclamav/lockdb.c - Extended the database presence check in rcclamd to accept the main.inc directory in addition to the main.cvd file, because freshclam can delete the file during a scripted update. - Update to version 0.90.1 (#250566) - Some bug fixes and code improvements - Bumps the version of libclamav's soname, which should have been done in 0.90 already. - Update to version 0.90 (#246214) to fix two Vulnerabilities: - CAB File Denial of Service (CVE-2007-0897) - MIME Parsing Directory Traversal (CVE-2007-0898) - Other changes of 0.90 include: - Changed config file syntax (automatic conversion is done by the RPM on update) - New unpacker for RAR3, RAR2 and RAR1 - Rewritten unpackers for Zip and CAB files - Support for RAR-SFX, Zip-SFX and CAB-SFX archives - New PE parsing model - Support for PE32+ (64-bit) executables - Support for MD5 signatures based on PE sections (.mdb) - ELF file parser - Support for Sensory Networks' NodalCore hardware acceleration technology - Algorithmic detection can be controlled with CL_SCAN_ALGORITHMIC - Support for new obfuscators: SUE, Y0da Cryptor, CryptFF - Support for new packers: NsPack, wwpack32, MEW, Upack - Support for SIS files (SymbianOS packages) - Support for PDF and RTF files - TCP and local sockets can be operated simultaneously - New command: MULTISCAN (scan directory with multiple threads) - There where also some API/ABI changes which might affect packages that link against libclamav. Affected functions are: cl_loaddb, cl_loaddir and cl_scanbuff. - Cleaned up daemonizing of clamd and freshclam. - Security update: 0.88.7 (#227827, CVE-2006-5874) - handle consecutive errors in base64 decoding - honour recursion limit when scanning email messages - clamscan: new option --mail-max-recursion - libclamav/untar.c: honour archive limits - Add homedir of user vscan to the package (FATE300731). - Bugfix release: 0.88.6 (#218313) - freshclam: apply timeout patch from Everton da Silva Marques (new options: ConnectTimeout and ReceiveTimeout) - clamd: change stack size at the right place (closes bug#103) - libclamav/petite.c: sanity check the number of rebuilt sections (speeds up handling of malformed files) - Bugfix release 0.88.5 fixes two serious security issues. [#212898], CVE-2006-4182, CVE-2006-5295 - New version 0.88.4 fixes heap overflow in UPX decoder - Bugfix release 0.88.3: - fix possible false matches of alternatives - Large binhex files were not being handled gracefully. - fix zero allocation warning - Added bc and pkgconfig to BuildRequires to fix curl version detection. - Prevent a file conflict on the database files when main and db packages of different versions are installed. - Renamed clamav.conf to clamd.conf for SLES9. - Added the db subpackage to SLES9. - Bugzilla: 190647 - Security update 0.93.1 (bnc#399302, CVE-2008-2713) - Improved clamav-milter configuration and init script (bnc#382907) - Convert the database to the new format instead of running freshclam to re-fetch it (bnc#380787). - Added main.cld and daily.cld as %ghost - Refined the logic in %post of clamav-db as to when the dist files need to get copied over. - Security update 0.93 (bnc#350987, bnc#368963). - CVE-2007-6595: symlink attack on temporary files - CVE-2007-6596: recognize Base64 UUEncoded archives - CVE-2008-1100: Buffer overflow in the cli_scanpe function. - Remove bogus dependencies from libclamav.pc (bnc#196236) - Run freshclam on update before restarting clamd to convert the database into the new format. - Security update 0.92.1: (bnc#361374) * CVE-2008-0318: libclamav PE File Integer Overflow Vulnerability * CVE-2008-0728: heap corruption - Fix open call to build again. - Security update 0.92 (#343277): * CVE-2007-6335 - MEW PE File Integer Overflow * CVE-2007-6336 - Off-by-one error in LZX_READ_HUFFSYM() * CVE-2007-6337 - bzlib issue - Make clamd error out if /dev/null can't be opened (#300019). - Added sendmail and sendmail-devel to BuildRequires. - Enabled clamav-milter and added an init script for it. (fate#302362) - Bugfix update 0.91.2. - Fixes some NULL dereferences and variable initialisation problems - Fix some rpmlint warnings in init scripts. - Inform the user that to use Clamuko, clamd needs to run as root, so that it can read the files it needs to scan (#201730). - Stability and bugfix update: 0.91.1 (#292297) - Run ldconfig on (un)installation. - Make %check conditional to fix building on SLES8. - add zlib-devel to build requires - suppress some false positives from rpmlint - added %check section and remove unneeded INSTALL file from %doc - Update to version 0.91 (#289830) - improved handling of .mdb files (fixes long startup times) - Adds anti-phishing support - unpacker for NSIS (Nullsoft Scriptable Install System) self-extracting archives - unpacker for ASPack 2.12 - new implementation of the Aho-Corasick pattern matcher providing better detection for wildcard enabled signatures - support for nibble matching and floating offsets - extraction of PE files embedded into other executables - better handling of PE & UPX - removed dependency on libcurl (improves stability) - many other improvements and bugfixes - Security update: 0.90.3 (#279536) - libclamav/unsp.c: fix end of buffer calculation (bb#464) - libclamav/others.c: use strict permissions (0600) for temporary files created in cli_gentempstream() (bb#517). - libclamav/unrar/unrar.c: heap corruption causing DoS with corrupted rar archive, better handle truncated files - libclamav/phishcheck.c: isURL() regex execution hangs on Solaris - libclamav/ole2_extract.c: detect block list loop (bb#466) - Security update: 0.90.2 (#264189) - CVE-2007-1997: CAB File Unstore Buffer Overflow Vulnerability - CVE-2007-1745: file descriptor leak in CHM handler - File descriptor leaks in libclamav/pdf.c and libclamav/lockdb.c - Extended the database presence check in rcclamd to accept the main.inc directory in addition to the main.cvd file, because freshclam can delete the file during a scripted update. - Update to version 0.90.1 (#250566) - Some bug fixes and code improvements - Bumps the version of libclamav's soname, which should have been done in 0.90 already. - Update to version 0.90 (#246214) to fix two Vulnerabilities: - CAB File Denial of Service (CVE-2007-0897) - MIME Parsing Directory Traversal (CVE-2007-0898) - Other changes of 0.90 include: - Changed config file syntax (automatic conversion is done by the RPM on update) - New unpacker for RAR3, RAR2 and RAR1 - Rewritten unpackers for Zip and CAB files - Support for RAR-SFX, Zip-SFX and CAB-SFX archives - New PE parsing model - Support for PE32+ (64-bit) executables - Support for MD5 signatures based on PE sections (.mdb) - ELF file parser - Support for Sensory Networks' NodalCore hardware acceleration technology - Algorithmic detection can be controlled with CL_SCAN_ALGORITHMIC - Support for new obfuscators: SUE, Y0da Cryptor, CryptFF - Support for new packers: NsPack, wwpack32, MEW, Upack - Support for SIS files (SymbianOS packages) - Support for PDF and RTF files - TCP and local sockets can be operated simultaneously - New command: MULTISCAN (scan directory with multiple threads) - There where also some API/ABI changes which might affect packages that link against libclamav. Affected functions are: cl_loaddb, cl_loaddir and cl_scanbuff. - Cleaned up daemonizing of clamd and freshclam. - Security update: 0.88.7 (#227827, CVE-2006-5874) - handle consecutive errors in base64 decoding - honour recursion limit when scanning email messages - clamscan: new option --mail-max-recursion - libclamav/untar.c: honour archive limits - Add homedir of user vscan to the package (FATE300731). - Bugfix release: 0.88.6 (#218313) - freshclam: apply timeout patch from Everton da Silva Marques (new options: ConnectTimeout and ReceiveTimeout) - clamd: change stack size at the right place (closes bug#103) - libclamav/petite.c: sanity check the number of rebuilt sections (speeds up handling of malformed files) - Bugfix release 0.88.5 fixes two serious security issues. [#212898], CVE-2006-4182, CVE-2006-5295 - New version 0.88.4 fixes heap overflow in UPX decoder - Bugfix release 0.88.3: - fix possible false matches of alternatives - Large binhex files were not being handled gracefully. - fix zero allocation warning - Added bc and pkgconfig to BuildRequires to fix curl version detection. - Prevent a file conflict on the database files when main and db packages of different versions are installed. - Renamed clamav.conf to clamd.conf for SLES9. - Added the db subpackage to SLES9. - Bugzilla: 190647 - Security update 0.93.1 (bnc#399302, CVE-2008-2713) - Improved clamav-milter configuration and init script (bnc#382907) - Convert the database to the new format instead of running freshclam to re-fetch it (bnc#380787). - Added main.cld and daily.cld as %ghost - Refined the logic in %post of clamav-db as to when the dist files need to get copied over. - Security update 0.93 (bnc#350987, bnc#368963). - CVE-2007-6595: symlink attack on temporary files - CVE-2007-6596: recognize Base64 UUEncoded archives - CVE-2008-1100: Buffer overflow in the cli_scanpe function. - Remove bogus dependencies from libclamav.pc (bnc#196236) - Run freshclam on update before restarting clamd to convert the database into the new format. - Security update 0.92.1: (bnc#361374) * CVE-2008-0318: libclamav PE File Integer Overflow Vulnerability * CVE-2008-0728: heap corruption - Fix open call to build again. - Security update 0.92 (#343277): * CVE-2007-6335 - MEW PE File Integer Overflow * CVE-2007-6336 - Off-by-one error in LZX_READ_HUFFSYM() * CVE-2007-6337 - bzlib issue - Make clamd error out if /dev/null can't be opened (#300019). - Added sendmail and sendmail-devel to BuildRequires. - Enabled clamav-milter and added an init script for it. (fate#302362) - Bugfix update 0.91.2. - Fixes some NULL dereferences and variable initialisation problems - Fix some rpmlint warnings in init scripts. - Inform the user that to use Clamuko, clamd needs to run as root, so that it can read the files it needs to scan (#201730). - Stability and bugfix update: 0.91.1 (#292297) - Run ldconfig on (un)installation. - Make %check conditional to fix building on SLES8. - add zlib-devel to build requires - suppress some false positives from rpmlint - added %check section and remove unneeded INSTALL file from %doc - Update to version 0.91 (#289830) - improved handling of .mdb files (fixes long startup times) - Adds anti-phishing support - unpacker for NSIS (Nullsoft Scriptable Install System) self-extracting archives - unpacker for ASPack 2.12 - new implementation of the Aho-Corasick pattern matcher providing better detection for wildcard enabled signatures - support for nibble matching and floating offsets - extraction of PE files embedded into other executables - better handling of PE & UPX - removed dependency on libcurl (improves stability) - many other improvements and bugfixes - Security update: 0.90.3 (#279536) - libclamav/unsp.c: fix end of buffer calculation (bb#464) - libclamav/others.c: use strict permissions (0600) for temporary files created in cli_gentempstream() (bb#517). - libclamav/unrar/unrar.c: heap corruption causing DoS with corrupted rar archive, better handle truncated files - libclamav/phishcheck.c: isURL() regex execution hangs on Solaris - libclamav/ole2_extract.c: detect block list loop (bb#466) - Security update: 0.90.2 (#264189) - CVE-2007-1997: CAB File Unstore Buffer Overflow Vulnerability - CVE-2007-1745: file descriptor leak in CHM handler - File descriptor leaks in libclamav/pdf.c and libclamav/lockdb.c - Extended the database presence check in rcclamd to accept the main.inc directory in addition to the main.cvd file, because freshclam can delete the file during a scripted update. - Update to version 0.90.1 (#250566) - Some bug fixes and code improvements - Bumps the version of libclamav's soname, which should have been done in 0.90 already. - Update to version 0.90 (#246214) to fix two Vulnerabilities: - CAB File Denial of Service (CVE-2007-0897) - MIME Parsing Directory Traversal (CVE-2007-0898) - Other changes of 0.90 include: - Changed config file syntax (automatic conversion is done by the RPM on update) - New unpacker for RAR3, RAR2 and RAR1 - Rewritten unpackers for Zip and CAB files - Support for RAR-SFX, Zip-SFX and CAB-SFX archives - New PE parsing model - Support for PE32+ (64-bit) executables - Support for MD5 signatures based on PE sections (.mdb) - ELF file parser - Support for Sensory Networks' NodalCore hardware acceleration technology - Algorithmic detection can be controlled with CL_SCAN_ALGORITHMIC - Support for new obfuscators: SUE, Y0da Cryptor, CryptFF - Support for new packers: NsPack, wwpack32, MEW, Upack - Support for SIS files (SymbianOS packages) - Support for PDF and RTF files - TCP and local sockets can be operated simultaneously - New command: MULTISCAN (scan directory with multiple threads) - There where also some API/ABI changes which might affect packages that link against libclamav. Affected functions are: cl_loaddb, cl_loaddir and cl_scanbuff. - Cleaned up daemonizing of clamd and freshclam. - Security update: 0.88.7 (#227827, CVE-2006-5874) - handle consecutive errors in base64 decoding - honour recursion limit when scanning email messages - clamscan: new option --mail-max-recursion - libclamav/untar.c: honour archive limits - Add homedir of user vscan to the package (FATE300731). - Bugfix release: 0.88.6 (#218313) - freshclam: apply timeout patch from Everton da Silva Marques (new options: ConnectTimeout and ReceiveTimeout) - clamd: change stack size at the right place (closes bug#103) - libclamav/petite.c: sanity check the number of rebuilt sections (speeds up handling of malformed files) - Bugfix release 0.88.5 fixes two serious security issues. [#212898], CVE-2006-4182, CVE-2006-5295 - New version 0.88.4 fixes heap overflow in UPX decoder - Bugfix release 0.88.3: - fix possible false matches of alternatives - Large binhex files were not being handled gracefully. - fix zero allocation warning - Added bc and pkgconfig to BuildRequires to fix curl version detection. - Prevent a file conflict on the database files when main and db packages of different versions are installed. - Renamed clamav.conf to clamd.conf for SLES9. - Added the db subpackage to SLES9. - Bugzilla: 190647 - Security update 0.93.1 (bnc#399302, CVE-2008-2713) - Improved clamav-milter configuration and init script (bnc#382907) - Convert the database to the new format instead of running freshclam to re-fetch it (bnc#380787). - Added main.cld and daily.cld as %ghost - Refined the logic in %post of clamav-db as to when the dist files need to get copied over. - Security update 0.93 (bnc#350987, bnc#368963). - CVE-2007-6595: symlink attack on temporary files - CVE-2007-6596: recognize Base64 UUEncoded archives - CVE-2008-1100: Buffer overflow in the cli_scanpe function. - Remove bogus dependencies from libclamav.pc (bnc#196236) - Run freshclam on update before restarting clamd to convert the database into the new format. - Security update 0.92.1: (bnc#361374) * CVE-2008-0318: libclamav PE File Integer Overflow Vulnerability * CVE-2008-0728: heap corruption - Fix open call to build again. - Security update 0.92 (#343277): * CVE-2007-6335 - MEW PE File Integer Overflow * CVE-2007-6336 - Off-by-one error in LZX_READ_HUFFSYM() * CVE-2007-6337 - bzlib issue - Make clamd error out if /dev/null can't be opened (#300019). - Added sendmail and sendmail-devel to BuildRequires. - Enabled clamav-milter and added an init script for it. (fate#302362) - Bugfix update 0.91.2. - Fixes some NULL dereferences and variable initialisation problems - Fix some rpmlint warnings in init scripts. - Inform the user that to use Clamuko, clamd needs to run as root, so that it can read the files it needs to scan (#201730). - Stability and bugfix update: 0.91.1 (#292297) - Run ldconfig on (un)installation. - Make %check conditional to fix building on SLES8. - add zlib-devel to build requires - suppress some false positives from rpmlint - added %check section and remove unneeded INSTALL file from %doc - Update to version 0.91 (#289830) - improved handling of .mdb files (fixes long startup times) - Adds anti-phishing support - unpacker for NSIS (Nullsoft Scriptable Install System) self-extracting archives - unpacker for ASPack 2.12 - new implementation of the Aho-Corasick pattern matcher providing better detection for wildcard enabled signatures - support for nibble matching and floating offsets - extraction of PE files embedded into other executables - better handling of PE & UPX - removed dependency on libcurl (improves stability) - many other improvements and bugfixes - Security update: 0.90.3 (#279536) - libclamav/unsp.c: fix end of buffer calculation (bb#464) - libclamav/others.c: use strict permissions (0600) for temporary files created in cli_gentempstream() (bb#517). - libclamav/unrar/unrar.c: heap corruption causing DoS with corrupted rar archive, better handle truncated files - libclamav/phishcheck.c: isURL() regex execution hangs on Solaris - libclamav/ole2_extract.c: detect block list loop (bb#466) - Security update: 0.90.2 (#264189) - CVE-2007-1997: CAB File Unstore Buffer Overflow Vulnerability - CVE-2007-1745: file descriptor leak in CHM handler - File descriptor leaks in libclamav/pdf.c and libclamav/lockdb.c - Extended the database presence check in rcclamd to accept the main.inc directory in addition to the main.cvd file, because freshclam can delete the file during a scripted update. - Update to version 0.90.1 (#250566) - Some bug fixes and code improvements - Bumps the version of libclamav's soname, which should have been done in 0.90 already. - Update to version 0.90 (#246214) to fix two Vulnerabilities: - CAB File Denial of Service (CVE-2007-0897) - MIME Parsing Directory Traversal (CVE-2007-0898) - Other changes of 0.90 include: - Changed config file syntax (automatic conversion is done by the RPM on update) - New unpacker for RAR3, RAR2 and RAR1 - Rewritten unpackers for Zip and CAB files - Support for RAR-SFX, Zip-SFX and CAB-SFX archives - New PE parsing model - Support for PE32+ (64-bit) executables - Support for MD5 signatures based on PE sections (.mdb) - ELF file parser - Support for Sensory Networks' NodalCore hardware acceleration technology - Algorithmic detection can be controlled with CL_SCAN_ALGORITHMIC - Support for new obfuscators: SUE, Y0da Cryptor, CryptFF - Support for new packers: NsPack, wwpack32, MEW, Upack - Support for SIS files (SymbianOS packages) - Support for PDF and RTF files - TCP and local sockets can be operated simultaneously - New command: MULTISCAN (scan directory with multiple threads) - There where also some API/ABI changes which might affect packages that link against libclamav. Affected functions are: cl_loaddb, cl_loaddir and cl_scanbuff. - Cleaned up daemonizing of clamd and freshclam. - Security update: 0.88.7 (#227827, CVE-2006-5874) - handle consecutive errors in base64 decoding - honour recursion limit when scanning email messages - clamscan: new option --mail-max-recursion - libclamav/untar.c: honour archive limits - Add homedir of user vscan to the package (FATE300731). - Bugfix release: 0.88.6 (#218313) - freshclam: apply timeout patch from Everton da Silva Marques (new options: ConnectTimeout and ReceiveTimeout) - clamd: change stack size at the right place (closes bug#103) - libclamav/petite.c: sanity check the number of rebuilt sections (speeds up handling of malformed files) - Bugfix release 0.88.5 fixes two serious security issues. [#212898], CVE-2006-4182, CVE-2006-5295 - New version 0.88.4 fixes heap overflow in UPX decoder - Bugfix release 0.88.3: - fix possible false matches of alternatives - Large binhex files were not being handled gracefully. - fix zero allocation warning - Added bc and pkgconfig to BuildRequires to fix curl version detection. - Prevent a file conflict on the database files when main and db packages of different versions are installed. - Renamed clamav.conf to clamd.conf for SLES9. - Added the db subpackage to SLES9. - Bugzilla: 190647 - Security update 0.93.1 (bnc#399302, CVE-2008-2713) - Improved clamav-milter configuration and init script (bnc#382907) - Convert the database to the new format instead of running freshclam to re-fetch it (bnc#380787). - Added main.cld and daily.cld as %ghost - Refined the logic in %post of clamav-db as to when the dist files need to get copied over. - Security update 0.93 (bnc#350987, bnc#368963). - CVE-2007-6595: symlink attack on temporary files - CVE-2007-6596: recognize Base64 UUEncoded archives - CVE-2008-1100: Buffer overflow in the cli_scanpe function. - Remove bogus dependencies from libclamav.pc (bnc#196236) - Run freshclam on update before restarting clamd to convert the database into the new format. - Security update 0.92.1: (bnc#361374) * CVE-2008-0318: libclamav PE File Integer Overflow Vulnerability * CVE-2008-0728: heap corruption - Fix open call to build again. - Security update 0.92 (#343277): * CVE-2007-6335 - MEW PE File Integer Overflow * CVE-2007-6336 - Off-by-one error in LZX_READ_HUFFSYM() * CVE-2007-6337 - bzlib issue - Make clamd error out if /dev/null can't be opened (#300019). - Added sendmail and sendmail-devel to BuildRequires. - Enabled clamav-milter and added an init script for it. (fate#302362) - Bugfix update 0.91.2. - Fixes some NULL dereferences and variable initialisation problems - Fix some rpmlint warnings in init scripts. - Inform the user that to use Clamuko, clamd needs to run as root, so that it can read the files it needs to scan (#201730). - Stability and bugfix update: 0.91.1 (#292297) - Run ldconfig on (un)installation. - Make %check conditional to fix building on SLES8. - add zlib-devel to build requires - suppress some false positives from rpmlint - added %check section and remove unneeded INSTALL file from %doc - Update to version 0.91 (#289830) - improved handling of .mdb files (fixes long startup times) - Adds anti-phishing support - unpacker for NSIS (Nullsoft Scriptable Install System) self-extracting archives - unpacker for ASPack 2.12 - new implementation of the Aho-Corasick pattern matcher providing better detection for wildcard enabled signatures - support for nibble matching and floating offsets - extraction of PE files embedded into other executables - better handling of PE & UPX - removed dependency on libcurl (improves stability) - many other improvements and bugfixes - Security update: 0.90.3 (#279536) - libclamav/unsp.c: fix end of buffer calculation (bb#464) - libclamav/others.c: use strict permissions (0600) for temporary files created in cli_gentempstream() (bb#517). - libclamav/unrar/unrar.c: heap corruption causing DoS with corrupted rar archive, better handle truncated files - libclamav/phishcheck.c: isURL() regex execution hangs on Solaris - libclamav/ole2_extract.c: detect block list loop (bb#466) - Security update: 0.90.2 (#264189) - CVE-2007-1997: CAB File Unstore Buffer Overflow Vulnerability - CVE-2007-1745: file descriptor leak in CHM handler - File descriptor leaks in libclamav/pdf.c and libclamav/lockdb.c - Extended the database presence check in rcclamd to accept the main.inc directory in addition to the main.cvd file, because freshclam can delete the file during a scripted update. - Update to version 0.90.1 (#250566) - Some bug fixes and code improvements - Bumps the version of libclamav's soname, which should have been done in 0.90 already. - Update to version 0.90 (#246214) to fix two Vulnerabilities: - CAB File Denial of Service (CVE-2007-0897) - MIME Parsing Directory Traversal (CVE-2007-0898) - Other changes of 0.90 include: - Changed config file syntax (automatic conversion is done by the RPM on update) - New unpacker for RAR3, RAR2 and RAR1 - Rewritten unpackers for Zip and CAB files - Support for RAR-SFX, Zip-SFX and CAB-SFX archives - New PE parsing model - Support for PE32+ (64-bit) executables - Support for MD5 signatures based on PE sections (.mdb) - ELF file parser - Support for Sensory Networks' NodalCore hardware acceleration technology - Algorithmic detection can be controlled with CL_SCAN_ALGORITHMIC - Support for new obfuscators: SUE, Y0da Cryptor, CryptFF - Support for new packers: NsPack, wwpack32, MEW, Upack - Support for SIS files (SymbianOS packages) - Support for PDF and RTF files - TCP and local sockets can be operated simultaneously - New command: MULTISCAN (scan directory with multiple threads) - There where also some API/ABI changes which might affect packages that link against libclamav. Affected functions are: cl_loaddb, cl_loaddir and cl_scanbuff. - Cleaned up daemonizing of clamd and freshclam. - Security update: 0.88.7 (#227827, CVE-2006-5874) - handle consecutive errors in base64 decoding - honour recursion limit when scanning email messages - clamscan: new option --mail-max-recursion - libclamav/untar.c: honour archive limits - Add homedir of user vscan to the package (FATE300731). - Bugfix release: 0.88.6 (#218313) - freshclam: apply timeout patch from Everton da Silva Marques (new options: ConnectTimeout and ReceiveTimeout) - clamd: change stack size at the right place (closes bug#103) - libclamav/petite.c: sanity check the number of rebuilt sections (speeds up handling of malformed files) - Bugfix release 0.88.5 fixes two serious security issues. [#212898], CVE-2006-4182, CVE-2006-5295 - New version 0.88.4 fixes heap overflow in UPX decoder - Bugfix release 0.88.3: - fix possible false matches of alternatives - Large binhex files were not being handled gracefully. - fix zero allocation warning - Added bc and pkgconfig to BuildRequires to fix curl version detection. - Prevent a file conflict on the database files when main and db packages of different versions are installed. - Renamed clamav.conf to clamd.conf for SLES9. - Added the db subpackage to SLES9. - Bugzilla: 190647 - Security update 0.93.1 (bnc#399302, CVE-2008-2713) - Improved clamav-milter configuration and init script (bnc#382907) - Convert the database to the new format instead of running freshclam to re-fetch it (bnc#380787). - Added main.cld and daily.cld as %ghost - Refined the logic in %post of clamav-db as to when the dist files need to get copied over. - Security update 0.93 (bnc#350987, bnc#368963). - CVE-2007-6595: symlink attack on temporary files - CVE-2007-6596: recognize Base64 UUEncoded archives - CVE-2008-1100: Buffer overflow in the cli_scanpe function. - Remove bogus dependencies from libclamav.pc (bnc#196236) - Run freshclam on update before restarting clamd to convert the database into the new format. - Security update 0.92.1: (bnc#361374) * CVE-2008-0318: libclamav PE File Integer Overflow Vulnerability * CVE-2008-0728: heap corruption - Fix open call to build again. - Security update 0.92 (#343277): * CVE-2007-6335 - MEW PE File Integer Overflow * CVE-2007-6336 - Off-by-one error in LZX_READ_HUFFSYM() * CVE-2007-6337 - bzlib issue - Make clamd error out if /dev/null can't be opened (#300019). - Added sendmail and sendmail-devel to BuildRequires. - Enabled clamav-milter and added an init script for it. (fate#302362) - Bugfix update 0.91.2. - Fixes some NULL dereferences and variable initialisation problems - Fix some rpmlint warnings in init scripts. - Inform the user that to use Clamuko, clamd needs to run as root, so that it can read the files it needs to scan (#201730). - Stability and bugfix update: 0.91.1 (#292297) - Run ldconfig on (un)installation. - Make %check conditional to fix building on SLES8. - add zlib-devel to build requires - suppress some false positives from rpmlint - added %check section and remove unneeded INSTALL file from %doc - Update to version 0.91 (#289830) - improved handling of .mdb files (fixes long startup times) - Adds anti-phishing support - unpacker for NSIS (Nullsoft Scriptable Install System) self-extracting archives - unpacker for ASPack 2.12 - new implementation of the Aho-Corasick pattern matcher providing better detection for wildcard enabled signatures - support for nibble matching and floating offsets - extraction of PE files embedded into other executables - better handling of PE & UPX - removed dependency on libcurl (improves stability) - many other improvements and bugfixes - Security update: 0.90.3 (#279536) - libclamav/unsp.c: fix end of buffer calculation (bb#464) - libclamav/others.c: use strict permissions (0600) for temporary files created in cli_gentempstream() (bb#517). - libclamav/unrar/unrar.c: heap corruption causing DoS with corrupted rar archive, better handle truncated files - libclamav/phishcheck.c: isURL() regex execution hangs on Solaris - libclamav/ole2_extract.c: detect block list loop (bb#466) - Security update: 0.90.2 (#264189) - CVE-2007-1997: CAB File Unstore Buffer Overflow Vulnerability - CVE-2007-1745: file descriptor leak in CHM handler - File descriptor leaks in libclamav/pdf.c and libclamav/lockdb.c - Extended the database presence check in rcclamd to accept the main.inc directory in addition to the main.cvd file, because freshclam can delete the file during a scripted update. - Update to version 0.90.1 (#250566) - Some bug fixes and code improvements - Bumps the version of libclamav's soname, which should have been done in 0.90 already. - Update to version 0.90 (#246214) to fix two Vulnerabilities: - CAB File Denial of Service (CVE-2007-0897) - MIME Parsing Directory Traversal (CVE-2007-0898) - Other changes of 0.90 include: - Changed config file syntax (automatic conversion is done by the RPM on update) - New unpacker for RAR3, RAR2 and RAR1 - Rewritten unpackers for Zip and CAB files - Support for RAR-SFX, Zip-SFX and CAB-SFX archives - New PE parsing model - Support for PE32+ (64-bit) executables - Support for MD5 signatures based on PE sections (.mdb) - ELF file parser - Support for Sensory Networks' NodalCore hardware acceleration technology - Algorithmic detection can be controlled with CL_SCAN_ALGORITHMIC - Support for new obfuscators: SUE, Y0da Cryptor, CryptFF - Support for new packers: NsPack, wwpack32, MEW, Upack - Support for SIS files (SymbianOS packages) - Support for PDF and RTF files - TCP and local sockets can be operated simultaneously - New command: MULTISCAN (scan directory with multiple threads) - There where also some API/ABI changes which might affect packages that link against libclamav. Affected functions are: cl_loaddb, cl_loaddir and cl_scanbuff. - Cleaned up daemonizing of clamd and freshclam. - Security update: 0.88.7 (#227827, CVE-2006-5874) - handle consecutive errors in base64 decoding - honour recursion limit when scanning email messages - clamscan: new option --mail-max-recursion - libclamav/untar.c: honour archive limits - Add homedir of user vscan to the package (FATE300731). - Bugfix release: 0.88.6 (#218313) - freshclam: apply timeout patch from Everton da Silva Marques (new options: ConnectTimeout and ReceiveTimeout) - clamd: change stack size at the right place (closes bug#103) - libclamav/petite.c: sanity check the number of rebuilt sections (speeds up handling of malformed files) - Bugfix release 0.88.5 fixes two serious security issues. [#212898], CVE-2006-4182, CVE-2006-5295 - New version 0.88.4 fixes heap overflow in UPX decoder - Bugfix release 0.88.3: - fix possible false matches of alternatives - Large binhex files were not being handled gracefully. - fix zero allocation warning - Added bc and pkgconfig to BuildRequires to fix curl version detection. - Prevent a file conflict on the database files when main and db packages of different versions are installed. - Renamed clamav.conf to clamd.conf for SLES9. - Added the db subpackage to SLES9. - Bugzilla: 190647 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Don't try to replace libtool. - Fix alignment violation. - Don't define feature test macros after system headers. - update to PHP 5.2.6 * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin. * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz. * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh. * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser. * Fixed two possible crashes inside the posix extension. * Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=) * Fixed bug #44141 (private parent constructor callable through static function). * Fixed bug #43589 (a possible infinite loop in bz2_filter.c). * Fixed bug #43450 (Memory leak on some functions with implicit object __toString() call). * Fixed bug #43201 (Crash on using uninitialized vals and __get/__set). * Fixed bug #42978 (mismatch between number of bound params and values causes a crash in pdo_pgsql). * Fixed bug #42937 (__call() method not invoked when methods are called on parent from child class). * Fixed bug #42736 (xmlrpc_server_call_method() crashes). * Fixed bug #42369 (Implicit conversion to string leaks memory). * Fixed bug #41562 (SimpleXML memory issue). * Fixed bug #43606 (define missing depencies of the exif extension). (crrodriguez at suse dot de) * Fixed bug #43498 (file_exists() on a proftpd server got SIZE not allowed in ASCII mode). (Ilia, crrodriguez at suse dot de) * Over 120 bug fixes. - update suhosin extension to version 0.9.23 - Fixed suhosin extension now compiles with snapshots of PHP 5.3 - Fixed crypt() behaves like normal again when there is no salt supplied - wrong Obsoletes causes upgrade trouble [bnc #355618] - use %_with_ming and %_with_qdbm instead of %opensuse_bs, enables building in the bs in other projects than server:php (bnc#357917) - Try patch recently published by Redhat that allows PHP to use the system timezone database instead of the bundled one. - Do not hard require php5-timezonedb, instead provide a capability php(tzdatabase) = builtin_tz_ver so it gets installed via rpm Supplements only when needed. - PHP is leaking file descriptors badly on relative includes (php-5.2.5-fdleak.patch) - suhosin 0.9.22 - Fixed function_exists() now checks the Suhosin permissions - Fixed crypt() salt no longer uses Blowfish by default - Fixed .htaccess/perdir support - Fixed compilation problem on OS/X - Added protection against some attacks through _SERVER variables - Added suhosin.server.strip and suhosin.server.encode - use /dev/urandom for generating session-IDs [#337005] - L3: PHP: Venezuela Time Zone Update starting date changed to December 9 [#345548] - update to PHP 5.2.5 * Fixed dl() to only accept filenames. reported by Laurent Gaffie. * Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). * Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. * Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie. * Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason. * Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms). * Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()). * Upgraded PCRE to version 7.3 (Nuno) * Added optional parameter $provide_object to debug_backtrace(). (Sebastian) * Added alpha support for imagefilter() IMG_FILTER_COLORIZE. (Pierre) * Added ability to control memory consumption between request using ZEND_MM_COMPACT environment variable. (Dmitry) * Improved speed of array_intersect_key(), array_intersect_assoc(), array_uintersect_assoc(), array_diff_key(), array_diff_assoc() and array_udiff_assoc(). (Dmitry) * Fixed move_uploaded_file() to always set file permissions of resulting file according to UMASK. (Andrew Sitnikov) * Fixed possible crash in ext/soap because of uninitialized value. (Zdash Urf) * Fixed regression in glob() when enforcing safe_mode/open_basedir checks on paths containing '*'. (Ilia) * Fixed PDO crash when driver returns empty LOB stream. (Stas) * Fixed iconv_*() functions to limit argument sizes as workaround to libc bug (CVE-2007-4783, CVE-2007-4840 by Laurent Gaffie). (Christian Hoffmann, Stas) * Fixed missing brackets leading to build warning and error in the log. Win32 code. (Andrey) * Fixed leaks with multiple connects on one mysqli object. (Andrey) * Fixed imagerectangle regression with 1x1 rectangle (libgd #106). (Pierre) * Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani) * Fixed bug #43139 (PDO ignores ATTR_DEFAULT_FETCH_MODE in some cases with fetchAll()). (Ilia) * Fixed bug #43137 (rmdir() and rename() do not clear statcache). (Jani) * Fixed bug #43130 (Bound parameters cannot have - in their name). (Ilia) * Fixed bug #43099 (XMLWriter::endElement() does not check # of params). (Ilia) * Fixed bug #43020 (Warning message is missing with shuffle() and more than one argument). (Scott) * Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia) * Fixed bug #42917 (PDO::FETCH_KEY_PAIR doesn't work with setFetchMode). (Ilia) * Fixed bug #42890 (Constant "LIST" defined by mysqlclient and c-client). (Andrey) * Fixed bug #42818 ($foo = clone(array()); leaks memory). (Dmitry) * Fixed bug #42817 (clone() on a non-object does not result in a fatal error). (Ilia) * Fixed bug #42785 (json_encode() formats doubles according to locale rather then following standard syntax). (Ilia) * Fixed bug #42783 (pg_insert() does not accept an empty list for insertion). (Ilia) * Fixed bug #42773 (WSDL error causes HTTP 500 Response). (Dmitry) * Fixed bug #42772 (Storing $this in a static var fails while handling a cast to string). (Dmitry) * Fixed bug #42767 (highlight_string() truncates trailing comment). (Ilia) * Fixed bug #42739 (mkdir() doesn't like a trailing slash when safe_mode is enabled). (Ilia) * Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus) * Fixed bug #42699 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42654 (RecursiveIteratorIterator modifies only part of leaves) (Marcus) * Fixed bug #42643 (CLI segfaults if using ATTR_PERSISTENT). (Ilia) * Fixed bug #42637 (SoapFault : Only http and https are allowed). (Bill Moran) * Fixed bug #42627 (bz2 extension fails to build with -fno-common). (dolecek at netbsd dot org) * Fixed bug #42596 (session.save_path MODE option does not work). (Ilia) * Fixed bug #42590 (Make the engine recognize \v and \f escape sequences). (Ilia) * Fixed bug #42587 (behavior change regarding symlinked .php files). (Dmitry) * Fixed bug #42579 (apache_reset_timeout() does not exist). (Jani) * Fixed bug #42549 (ext/mysql failed to compile with libmysql 3.23). (Scott) * Fixed bug #42523 (PHP_SELF duplicates path). (Dmitry) * Fixed bug #42512 (ip2long('255.255.255.255') should return 4294967295 on 64-bit PHP). (Derick) * Fixed bug #42506 (php_pgsql_convert() timezone parse bug) (nonunnet at gmail dot com, Ilia) * Fixed bug #42462 (Segmentation when trying to set an attribute in a DOMElement). (Rob) * Fixed bug #42453 (CGI SAPI does not shut down cleanly with -i/-m/-v cmdline options). (Dmitry) * Fixed bug #42452 (PDO classes do not expose Reflection API information). (Hannes) * Fixed bug #42468 (Write lock on file_get_contents fails when using a compression stream). (Ilia) * Fixed bug #42488 (SoapServer reports an encoding error and the error itself breaks). (Dmitry) * Fixed bug #42378 (mysqli_stmt_bind_result memory exhaustion). (Andrey) * Fixed bug #42359 (xsd:list type not parsed). (Dmitry) * Fixed bug #42326 (SoapServer crash). (Dmitry) * Fixed bug #42214 (SoapServer sends clients internal PHP errors). (Dmitry) * Fixed bug #42189 (xmlrpc_set_type() crashes php on invalid datetime values). (Ilia) * Fixed bug #42139 (XMLReader option constants are broken using XML()). (Rob) * Fixed bug #42086 (SoapServer return Procedure '' not present for WSIBasic compliant wsdl). (Dmitry) * Fixed bug #41822 (Relative includes broken when getcwd() fails). (Ab5602, Jani) * Fixed bug #39651 (proc_open() append mode doesn't work on windows). (Nuno) - update to PHP 5.2.4, no relevant changes since RC3. - PHP 5.2.4RC3 - Fixed version_compare() to support "rc" as well as "RC" for release candidate version numbers. - Fixed bug #42368 (Incorrect error message displayed by pg_escape_string). (Ilia) - Fixed phpbug #42365 and Novell bugzilla #292998 (glob() crashes and/or accepts way too many flags). (Jani) - Fixed bug #42183 (classmap causes crash in non-wsdl mode). (Dmitry) - Fixed bug #42009 (is_a() and is_subclass_of() should NOT call autoload, in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) - Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) - remove wrong hardcoded requirement on libedit - devel package at least does not need libtool the php build enviroment uses a private copy. - drop no longer needed patches already in upstream - updated to version 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client libraries. (Chris Jones) - Fixed bug #42292 ($PHP_CONFIG not set for phpized builds). (Jani) - Fixed bug #42261 (header wrong for date field). (roberto at spadim dot com dot br, Ilia) - Fixed bug #42259 (SimpleXMLIterator loses ancestry). (Rob) - Fixed bug #42247 (ldap_parse_result() not defined under win32). (Jani) - Fixed bug #42243 (copy() does not output an error when the first arg is a dir). (Ilia) - Fixed bug #42242 (sybase_connect() crashes). (Ilia) - Fixed bug #42237 (stream_copy_to_stream returns invalid values for mmaped streams). (andrew dot minerd at sellingsource dot com, Ilia) - Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) - Fixed bug #42211 (property_exists() fails to find protected properties from a parent class). (Dmitry) - Fixed bug #42208 (substr_replace() crashes when the same array is passed more than once). (crrodriguez at suse dot de, Ilia) - Fixed bug #42198 (SCRIPT_NAME and PHP_SELF truncated when inside a userdir and using PATH_INFO). (Dmitry) - Fixed bug #42195 (C++ compiler required always). (Jani) - Fixed bug #42117 (bzip2.compress loses data in internal buffer). (Philip, Ilia) - Fixed bug #42082 (NodeList length zero should be empty). (Hannes) - Fixed bug #36492 (Userfilters can leak buckets). (Sara) - Fixed bug #31892 (PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO). (Dmitry) - updated to version 5.2.4RC1 - dropped obsoleted PHP_5_2-CVS-2007-07-30.patch.bz2 - updated to latest state of PHP_5_2 branch; highlights from the NEWS file: - Upgraded PCRE to version 7.2 (Nuno) - Updated timezone database to version 2007.6. (Derick) - Improved openssl_x509_parse() to return extensions in readable form. (Dmitry) - Changed "display_errors" php.ini option to accept "stderr" as value which makes the error messages to be outputted to STDERR instead of STDOUT with CGI and CLI SAPIs (FR #22839). (Jani) - Changed error handler to send HTTP 500 instead of blank page on PHP errors. (Dmitry, Andrei Nigmatulin) - Added check for unknown options passed to configure. (Jani) - Added persistent connection status checker to pdo_pgsql. (Elvis Pranskevichus, Ilia) - Added support for ATTR_TIMEOUT inside pdo_pgsql driver. (Ilia) - Added php_ini_loaded_file() function which returns the path to the actual php.ini in use. (Jani) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING. (Pierre) - Added missing open_basedir checks to CGI. (anight at eyelinkmedia dot com, Tony) - Added missing format validator to unpack() function. (Ilia) - Added missing error check inside bcpowmod(). (Ilia) - Added CURLOPT_PRIVATE & CURLINFO_PRIVATE constants. (Andrey A. Belashkov, Tony) - Added missing MSG_EOR and MSG_EOF constants to sockets extension. (Jani) - Added PCRE_VERSION constant. (Tony) - Added ReflectionExtension::info() function to print the phpinfo() block for an extension. (Johannes) - Implemented FR #41884 (ReflectionClass::getDefaultProperties() does not handle static attributes). (Tony) - plus lots of bugfixes - fixed the pear phar archive to run with 5.2.4 [http://bugs.php.net/bug.php?id=42146] - added /var/lib/pear to php5-pear.rpm - fix nasty deadlock in pear - update php5-ze2-fixes.patch and actually apply it. - fixed YOU honors Recommends, breaks php update [#291551] (moved php-suhosin from Recommends to Suggests) - provide /srv/www/cgi-bin/php5 compat symlink instead of patching config files - fixed a mess with update-alternatives PreReq uncovered by newer build versions. actually every subpackage that uses update-alternatives should PreReq it. - fix some ZE2 bugs. - drop php5.xpm and the Icon: line from the specfile (the icon is not used at all and it breaks rpm -q --specfile php5.spec) - PHP version 5.2.3 see http://www.php.net/releases/5_2_3.php - important: PHP-cgi now lives in /usr, package attempts to fix both lighttpd and apache2 fastcgi config files. - use system re2c in factory. - enable support for qbdm in the dba extension (build service only) - enable the ming extension (build service only) - fixed the dba extension adding -ldb-4.x to global LDFLAGS, causing unnecessary dependency in /usr/bin/php5 [http://bugs.php.net/bug.php?id=41455] - updated suhosin to version 0.9.20, security fix + bugfixes see http://www.hardened-php.net/suhosin/changelog.html for more detail. - fix devel package, in the reality PHP does not currenly require expat. headers provides a expat compatibility layer but it is no longer in use by our packages as libxml2 is always prefered, (and HAVE_LIBEXPAT is not defined) - update php5-test-fixes fixing another bug in zend_compile.c - use rpm macros in the spec file - when removing apache2-mod_php5, unload it from apache first. - when updating apache2-mod_php5 restart apache with restart on update macro. - HTTP_RAW_POST_DATA superglobal broken (php5-phpbug-41293.patch) - better fix for MOPB 41. - remove --enable-memory-limit configure flag, it disappeared in 5.2.1, nowdays memory_limit is always enabled. - changed expat to libexpat-devel in Requires of devel subpackage - add php5-test-fixes.patch fixing a test case that wont pass on i586 as well a real fix for Zend/tests/bug41117_1.phpt problem, that was commited after the release was done. there is another test case that fails in 10.2 ext/pcre/tests/bug40195.phpt but this is not a PHP problem but a bug in PCRE. - added missing fix for PMOPB-45-2007 PHP ext/filter Email Validation Vulnerability (minor) - php5-devel package now requires pcre-devel for > 10.1 as 5.2.2 installs php_pcre.h header that needs it. - fixed some new compiler warnings - upgrade to PHP 5.2.2, fixed hundreds of bugs including MOPB ones if you need the complete changes see http://www.php.net/ChangeLog-5.php#5.2.2 - Upgrade suhosin extension to version 0.9.19 see http://www.hardened-php.net/suhosin/changelog.html for details - added bison to BuildRequires, removed update-desktop-files - fixed unpack() on big-endian 64bit (revert-phpbug38770.patch) - blacklist more env variables when safe_mode is on (php5-config.patch) - fix Requires of -devel package to include only what is really needed for operation of the pecl tool as well the neccesary headers to compile php extensions. - Fix MOPB 24 "PHP array_user_key_compare() Double DTOR Vulnerability" - note that fix for MOPB 23 was included in the previous patchset. - add security fixes for MOPB 20, 21 and 22. - RPM_BUILD_ROOT is never defined in %post. - fix/workaround for php5-gd problem with typo3 [#236680] - add fix for MOPB-14-2007 PHP substr_compare() Information Leak Vulnerability. - add secfix for import_request_variables() ancient problem, users of suhosin extension are not affected. - Run the test suite here - Update suhosin extension to version 0.9.18 fixing a session problem. - Update suhosin extension to version 0.9.17. see http://www.hardened-php.net/suhosin/changelog.html for details. - add t1lib support in php5-gd (10.3 and up only) - an off-by-one in str_replace may cause a crash. - PHP 5.2.1. for a full list of changes see http://www.php.net/ChangeLog-5.php#5.2.1 - add Obsoletes for extensions we dont ship anymore - fix getenv() modifing $_POST, breaks suhosin badly when register_* is On and variables orde is "GPCS" (default). - change/remove obsoleted patches - synced with BuildService * file "session_mm_apache2handler0.sem" written at boot [#229200] (php5-config.patch) * for certain functionality php5-exif requires php5-mbstring * php5-ldap requires php5-openssl * remove LDAP_DEPRECATED from CFLAGS, module already takes care of this. * patch potential HTTP_SESSION_VARS et all hijack when register_globals is On users from suhosin extension are not affected.(php5-session-rgon-hijack.patch) * on 10.2 and up php5-devel should require pcre-devel sqlite-devel sqlite2-devel * php5-devel is mostly useless without autoconf automake libtool bison make gcc. * added patches: phpbug-39350.patch oldhat-phpinputdata-secfix.patch ze2-fixes.patch filter.patch ext-lib64again.patch - fixed string comparison in xmlrpc module (strcmp.patch) - allways apply %patch9 - updated the curl module from cvs to fix build with curl-7.16 (curl-cvs-fix.patch, dropped gcc.patch) - fixed VUL-0: php session.save_path open_basedir bypass [#227569] (save_path-secfix.patch) - synced with BuildService * updated Suhosin patch to 0.9.6.2 * updated Suhosin extension to 0.9.16 * fixed php5-devel should provide PECL tool [#204006] * use bundled sqlite in suse versions =< 10.1 (pdo_sqlite stopped working properly with older sqlite3 libs) * do not use zend-multibyte anymore, please refer to phpbug #36711 and associated links, no applications uses this feature in the real world since it is disabled in all other distributions/OS.seems to cause more problems than solutions. * change php.ini, back to short_open_tag =off (the default) the package that depended on this setting no longer does. Also explicitely set the upload_tmp_dir in php.ini to deal with open_basedir recent changes (please refer to phpbug #39123) for the details. * suhosin.ini uses just the default recommended settings - created symlinks /usr/bin/php and /usr/bin/pear [#216166] - fixed implicit function decls in suhosin patch (keep the original patch intact and put fixes into separate patch) - updated to 5.2.0 final - merged changes from buildservice (by soporte@onfocus.cl): - updated suhosin to 0.9.10 - added suhosin patch - build with system PCRE if suse_release > 10.1 only [#215610] - suhosin extension does not require PDO - suhosin added to the reccommended list - php5-pspell to require at least aspell-en otherwise is useless [#217272] - php5-sqlite now uses our sqlite and sqlite2 packages to build and not bundled ones [#201440] - updated suhosin to 0.9.9 - update to 5.2.0RC6 - reset right path in extension_dir (php5-php-config.patch) - update to version 5.2.0RC5 - added suhosin extension (the hardened php replacement) [#210886] - update to version 5.2.0RC4 * added DSA key generation support to openssl_pkey_new() * updated PCRE to version 6.7 * increased default memory limit to 16 megabytes to accommodate for a more accurate memory utilization measurement * added support for httpOnly flag for session extension and cookie setting functions * added version specific registry keys to allow different configurations for different php version * added "PHPINIDir" Apache directive to apache and apache_hooks SAPIs * added an optional boolean parameter to memory_get_usage() and memory_get_peak_usage() to get memory size allocated by emalloc() or real size of memory allocated from system * moved extensions to PECL (filepro and hwapi) * improved SNMP, OpenSSL extension * improved the Zend memory manager, FastCGI SAPI, CURL, PCRE, PDO, SPL, xmlReader - merged changes from openSUSE build service * build without --enable-sigchild [#206533, php#28294, php#38342] * build CLI with libedit support (really-with-libedit.patch) * tweaked the default config a bit, to make it more secure * removed ini entries related to extensions we don't ship * t1lib is not currently needed for build, we need t1lib5 to do something useful * removeed --enable-ucd-snmp-hack (needed for ucd-snmp, but we use net-snmp) * pdo_odbc provided by php-odbc * php-suse-addons : o PHP5 is unlikely to parse php3 code, remove the file association o corrected apache directive is AddHandler not AddType * dropped extensions: o mysql, mysqli and pdo_mysql provided by php-mysql (reduce package count) o php-pdo_sqlite provided by php-sqlite o php-pdo_pgsql provided by php-pgsql o filepro dropped by upstream * new extension: o filter (kept static and cannot be unloaded, due security reasons) o json (added as Recommended) o zip (it uses a bundled library) - fixed gcc issues (gcc.patch) - droped obsoleted patches: include_path.patch, bug-37720.patch, bug-37306.patch, cgi_bugs.patch, bug-37587.patch, gd-fixes.patch, bug-37416.patch, main_bugs.patch, soap.patch, standard.patch, mbstring_bugs.patch, ze2_bugs.patch, xsl_bugs.patch, curl.patch - fixed build with X11R7 - updated to version 5.1.4 * FastCGI interface was completely reimplemented * multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions * support for many additional date formats added to the strtotime() * a performance improvements added to the engine and core extensions * added imap_savebody() that allows message body to be written to a file * added lchown() and lchgrp() to change user/group ownership of symlinks * upgraded bundled PCRE library to version 6.6 - merged changes from openSUSE build service * removed unneeded sablot-devel,sqlite-devel,pcre-devel,fam-devel and libmcal from BuildRequires * added php-ctype,php-dom,php-iconv,php-pdo,php-pdo_sqlite,php-sqlite, php-tokenizer,php-xmlreader,php-xmlwriter to Recommends * added php-mbstring php-gd php-pear php-gettext php-mysqli to Suggests * added support for optional readline(libedit) for CLI (disabled by default) * patches for zendengine (ze2_bugs.patch), xsl (xsl_bugs.patch), curl (curl.patch) and mbstring bugs (mbstring_bugs.patch), big soap patch (soap.patch) * removed obsoleted patches * fixed Safe Mode Bypass [#188243] (standard.patch) * upstream patches [php#37306, php#37416, php#37587, php#37720] [php#37576, php#37496, php#37341, php#37313, php#37256] (cgi_bugs.patch) [php#37346, php#37360] (gd-fixes.patch) * fixed build inconsistences, added php-hash module [#173023] * added pdo_odbc.so to php-odbc module [#190614] * build without explicit safe_mode and magic_quotes (unneeded) * removed useless GD --with-ttf configure option, only suitable for freetype 1 - Back out nautilus-bnc376669-always-update-thumbnail.patch (bnc#376669). - Add nautilus-bnc397852-huge-memory-leak.patch (bnc#397852) - Add nautilus-bnc393226-dont-move-to-burn.patch (bnc#393226). - Add nautilus-bnc376669-always-update-thumbnail.patch (bnc#376669). - Removed previously disabled patches that were made obsolete by upstream changes: * nautilus-default-thumbnail-size.diff * nautilus-6014-network-servers-in-places-sidebar.diff - Added nautilus-bnc376070-null-exifdata-crash, which fixes crashes when showing the properties of a picture (bnc#376070). - Rebased these patches: nautilus-bgo364843-name-copy-dont-overflow-max-path-len.diff nautilus-bgo350950-search-desktop.diff nautilus-bnc117333-bgo350962-folder-icon-for-menus-and-windows.diff - Rename nautilus-docpath.patch to nautilus-genericname.patch and drop the part of the patch adding a DocPath. - Do not add DocPath to desktop files with %suse_update_desktop_file - Rationale: since the desktop files use the Core category, adding DocPath means putting the items in the yelp toc, which we don't want. - Add nautilus-bnc368446-network-in-places.patch to add network:// in the places sidebar. Fix bnc#368446 (backported from upstream 2.23.1). - Update to version 2.22.2: + Add NautilusFileInfo APIs: can_write(), get_mount(), get_parent_info() + Do not try to autorun autorun.exe and autorun.inf + Automount in idle callback rather than at startup to improve user experience + Properly inhibit automount on startup, or for long login procedures + Do not automount directories in hidden hierarchies + Fix scrollbar display bug in "text besides icon" icon view mode + Do not thumbnail unreadable files + Correctly display bookmark icons + Fix blurry property window icon + Fix bookmark editing window. - added baselibs.conf file to build xxbit packages for multilib support - Upgraded to version 2.22.1: * Fix crashes and leaks. * Fix emblem display in property page. * Fix mime choosing to not always create application/x-ext-<extension> type. * Actually mount location in external connect to server dialog. * Fix thumbnail size limit checks. * Fix "show hidden" to also show backup files (was broken in some situations). * Verify that tracker is running before using it. * Fix desktop file icon handling with absolute filenames. * Use GDesktopAppInfos to launch desktop files. * Don't follow symlinks for deep file count. * Fix audio preview with later gstreamer. * Make "move file over directory" overwrite case work. * Sometimes we failed to ask for overwrite when move operations falled back to copy + delete. * Make sure we correctly transcode filenames when merging directories if the directory is on another filesystem. * Some moves were reported as copies, not moves in the ui which could cause not up-to-date directory displays. * Don't center file progress dialog if its already displayed. - Remove obsolete patch nautilus-bnc366455-change-ownership.patch. - Removed nautilus-158158-ignore-foreign-desktop-files.diff; it is obsolete. - Added nautilus-bnc366100-bgo338933-ignore-foreign-desktop-files.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=366100 - Desktop links with "OnlyShowIn=KDE" are now ignored. - Add back gtk2-devel to the devel requires - Add a gnome-desktop-devel buildrequires to fix the build. - Remove obsolete -devel package requries - Remove medusa obsoletes, not relevant to any shipping distros - Custom look'n'feel gconf keys moved to gconf2-branding-openSUSE. - Update to version 2.22.0: + Fix typo in strings + Fix crashes + Use a better icon for the progress dialog + Have a mount menu for mountable files, not an unmount one + Handle broken bookmark files bette + Sniff x-content type asynchronously + Don't look for autorun stuff on non-local files + Allow setting permissions on remote shares + Fix "delete all" button in delete dialog + Show custom icons at right size + Fix some performance issues on nonlocal mounts - Drop nautilus-onlyshowin.patch, fix upstream. - Use %suse_update_desktop_file for nautilus-autorun-software and nautilus-folder-handler to mark them as translatable. - Add nautilus-bnc366455-change-ownership.patch to fix bnc#366455. - Update to version 2.21.92: + Build fixes + Fix crashes and leaks + Fix handling of desktop file launchers + Better handling of desktop file icons + Semitransparent DnD icon support (when composited) + Avoid showing progress info when dialogs are shown + Allow minimize of progress window + Handle beagle >= 0.3.0 + Close properties dialog on escape + Make custom icons work again + Fix fuzzy icons + Duplicate file if copies to the source directory + Support open with dialog for multiple selected files + Ressurect connect to server dialog + Allow theming of free diskspace chart colors. - Added tags for all upstreamed patches, as well as bug numbers for all patches - Added nautilus-bnc363122-lockdown-disable-context-menus.diff to implement https://bugzilla.novell.com/show_bug.cgi?id=363122 - have a way to disable context menus in file views for quick-and-dirty kiosk setups. - Update to version 2.21.91: + String cleanups + Inhibit autorun for things we mount ourselves + Fix crashes and leaks + Only show selinux context if selinux is detected + Default to move, not copying, when dragging from the trash + Don't autorun/automount non-local mounts + Fix case where we could run out of file descriptors + Handle drop of files on the desktop + Fix sensitivity of delete from the trash menu item + Fix open w/ context menu in always-use-browser mode. - Explicitly require gvfs (bnc#358748). - Add XMP support (bnc #310430) - Add extensions-2.0 directory. - Update to version 2.21.90: + Regenerate thumbnails when files change + Fix crashes + New autorun and automount support + Allow unmount of current location if its a mountpoint + Use thousand separators in all numbers (if used by locale) + Fix leaks + Performance improvements + Update to latest glib APIs + Fix bug that lost metadata from older versions + Fix crashes + Enable paste into folder for desktop icons + Better finding of autorun files on case sensitive media - Remove libtool archives. - Update to version 2.21.5: + Totally replaced gnome-vfs use with gio + New implementation of file operations like copy/move with a shared progress dialog + Update pkg-config files with new extensions dir + Handle dnd of desktop icons + Implement some missing unmount/eject operations + Add autorun/automount feature + Better handling of sensitivity of delete menu items + Better handling of mount/unmount/eject in many places + Fix for extensions with submenus. - Updated nautilus-drives-and-volumes-on-desktop.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=335411 - Nautilus crashes when it gets a "volume-mounted" signal for a volume that is already mounted. This also adds two new logging domains to Nautilus: "drives-volumes" and "desktop-links". - Removed bogus dependency on mDNSResponder. - Updated to version 2.20.0: * Load thumbnails asynchronously * Support direct save DnD (XDS) * Fix up octal permission display * Store window keep-above and stickines state across sessions - Don't require gnome2-user-docs, which now supplements nautilus (#297833). - Update to version 2.19.91: * Be more robust against broken extensions * Set current working directory right on desktop when running scripts * Fix crash on file:///# * Update to cope with the new size of emblem icons * Auto-size list view filename column again * New message for service unavailable error * UI terminology consistency fix * Build fix - Refresh nautilus-search-desktop.patch. - Updated nautilus-drives-and-volumes-on-desktop.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=298802 - after burning a CD and re-mounting the CD, Nautilus uses 100% CPU. This simply includes the last patch from https://bugzilla.novell.com/show_bug.cgi?id=276193#c42 - Added nautilus-330298-297983-fix-overlapping-desktop-icons.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=297983 - desktop icons would overlap when inserting removable media, if the previously-saved location for the corresponding icon now has a different icon nearby. - Split out -lang subpackage - Use %fdupes. - Update to version 2.19.6 - Memory leaks plugged - Crashes fixed - Fixes to UI manager usage - Better string ellipsation - Consistent focus behaviour for toolbar buttons - Support for XMP image metadata - Improved keyboard handling in connect to server dialog - I18n fixes and string clarifications - Add more tooltips and use new gtk+ tootips API - Better handling of unreadable directories during search - Updated translations. - Update to version 2.19.4 - Fix crashes and leaks - Fix hang with recursive symlinks - Disk free piechart in properties dialogue - Fix typos in warning and error messages - Use new desktop capplet - Better handling of unicode search terms - Allow activating the zoom context menu by keyboard - Allow renaming network servers' icons - Do not overwrite auto-generated files. - Removed invalid desktop Category "Application" (#254654). - Fixed BuildRequires. - Update to version 2.18.0.1 - intltool is now a build requirement - Several code cleanups - Bug fixes, including p.g.o 408155, 333151, 358172, 408155, 409276, 407150, 407618, and 368661. - Update to version 2.17.91 - Bug fixes, including bugzilla.gnome.org #364466, #403255, [#138058], #340495, #357955, #403565, #357955, #362034, [#385382], #394328, #329920, #320020, #327249, #389467, #376291, [#374623], #382207, #376952, #384078, #383840, #45953, #350579, [#318373], #132326, #372550, #338353, #372471, #330298, #155337, [#174766], #122688, #321175, #349840, #356124, #351713, #348161. - adjust BuildRequires: libexif->libexif-devel - Fixed Categories (#242053). - Added nautilus-181941-i18n.patch to mark for translation a previously unmarked string (marked in other locations in the app, sparing the need for further l10n). Fixes https://bugzilla.novell.com/show_bug.cgi?id=181941 and sent upstream at http://bugzilla.gnome.org/show_bug.cgi?id=394328 - Prefix changed to /usr. - Spec file cleanup. - Do not explicitly require mDNSResponder-lib blocking avahi compat package. - Updated nautilus-drives-and-volumes-on-desktop.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=215351. Floppy icons disappeared from the desktop after unmounting the floppy. This also fixes https://bugzilla.novell.com/show_bug.cgi?id=218910, where there was a race condition when mounting drives. This caused the activation URIs of the corresponding NautilusFiles not to be updated correctly. - Removed nautilus-hide-desktop-files.patch. This was used for the old "applications://" VFS scheme, which is deprecated now. - Removed nautilus-submount.patch, since we no longer use submount (subfs). - Removed nautilus-142860-vfs-drive-for-extensions.diff, since that feature appeared upstream since Nautilus 2.14. This is what lets Nautilus extensions look at the GnomeVFSDrive for a file, so that they can install menu items specific to drives (e.g. like nautilus-cd-burner). - Removed nautilus-172870-support-drives-and-volumes.diff and nautilus-155010-desktop-volume-policy.diff, since they need to be reworked for the code in Nautilus-2.16. - Added nautilus-6014-network-servers-in-places-sidebar.diff, to fix the part of https://bugzilla.novell.com/show_bug.cgi?id=6014 that is not yet in Nautilus 2.16. This adds a "Network Servers" item in the Places sidebar. - Added nautilus-206369-desktop-icon-overlap.diff as an updated and consolidated version of nautilus-155337-icon-positioning-on-reload.diff and nautilus-174766-fix-lazy-positioning.diff. This is to fix the bug where desktop icons get overlapped or rearranged when a new volume icon appears, or when the desktop is reloaded. - Added nautilus-drives-and-volumes-on-desktop.diff as a partly updated version of nautilus-172870-support-drives-and-volumes.diff. - Added nautilus-debug-log.diff. This provides logging functionality to aid debugging. - Updated descriptions inside the rest of the patches. - Renumbered patches. - Add a patch to ensure that the search entry bar is displayed when navigating to the x-nautilus-search:/// URI. (bnc #212649) - Remove dead patches - update to version 2.16.1 - Default to search in current directory for non-indexed search - Fix clash with symbol names in gtk+ - Update MIME database in scriptlets (#201729). - update to version 2.16.0 - Handle enter activation when using typeahead search - Avoid using gnome_vfs_is_local in wrong places - Translations - update to version 2.15.92.1 - Fix crash on startup - Fix crash on changing owner/group of file - Fix double free - Make sure all strings are displayed translated - update to version 2.15.91 - Use gtk recent files code - Fix file change notification regression - Don't display raw form of selinux contexts - Import lates EggSequence with bugfixes - DnD fixes - Read .hidden symlinks - Fix down navigation in last column, next to last row - Submenu support for extensions - Improved beagle daemon detection - Enable D'n'D reordering in the places sidebar - New icons for trash operations - Add a button/text toggle button to the location bar - Fix leak - Update to version 2.15.4 - Remove upstreamed patches * New permission dialog with recursion and selinx support * Improve extension interface * Add complete session management * Handle removal of the displayed location more elegantly * Support dropping uris, urls and text to subfolders * Don't allow formating of mounted floppies * Perfomance fixes * Don't use deprecated eel features * Improve startup performance * Use GOption * Fix selection box width calculation * Improve file permission handling * Add volume operations to the file menu, tree and places sidebar * New po/LINGUAS handling * Smarter date handling for images * HIG fixes * Fix crashes * Fixes for icons and thumbnailing * Show network volumes in the places sidebar * Fix progress dialog showing the wrong file * Translation updates * Use --no-desktop option for all desktop files * Startup performance improvements * Make files copied from read-only source writeable * Don't allow bookmarking x-desktop:/// * Add help buttons to several dialogs * Fix SVG file identification * Properly break down URIs for connect to server ui * Show unmounted but user-visible drives in the places sidebar * Display more info in the progress dialog when preparing * Smarter DnD target selection * GnomeGoals: Use po/LINGUAS * Fix deadlock when dragging over list view in some conditions * Don't show folder count for smb shares * Close window when folder moves to trash * Fix deep count in properties dialog in some cases * Avoid calculating mime lists for activation * Remove blank error dialog on mount when using gnome-mount * Better filename linebreaking at punctuation marks. * List view: If a rename moves the file in the view, scroll to the new position * Better handling of broken filename encoding for link targets * Browser mode: don't close window on up if current directory has been removed * Pass original files, not target files to property page providers. This allows property page extensions to look at desktop files and symlinks. * Fix opening saved searches file from outside nautilus * Add option to always use the location bar to the preferences dialog * Show detailed file size in the properties dialog * Open modules with BIND_LOCAL * Add Network to places menu * Fix sort by atime * Add support for searching for custom mime type * Much better activation of multiple files * Handle new background image zooming mode * Add optional support for Tracker indexer * Added initial support for search * Better handling of opening multiple files * View update optimizations * No titles for alert dialogs * Use access() to determine permissions * Fix mime list problem introduced with sort change * Finally fix tree sidebar crash * ctrl-shift-g goes backwards in typeahead * Add Skip all button in copy/move conflict dialog * Position new files/folders correctly in manual layout mode * Fix desktop redraw issues on non-100% zoom levels * Adds volume/drive api for modules * GtkTreeView style typeahead * '/' opens location dialog/entry * middle click in browser mode opens new window * Handle cancellation of authentication better * Add format menu item for floppy drives - Back out nautilus-bnc376669-always-update-thumbnail.patch (bnc#376669). - Add nautilus-bnc397852-huge-memory-leak.patch (bnc#397852) - Add nautilus-bnc393226-dont-move-to-burn.patch (bnc#393226). - Add nautilus-bnc376669-always-update-thumbnail.patch (bnc#376669). - Removed previously disabled patches that were made obsolete by upstream changes: * nautilus-default-thumbnail-size.diff * nautilus-6014-network-servers-in-places-sidebar.diff - Added nautilus-bnc376070-null-exifdata-crash, which fixes crashes when showing the properties of a picture (bnc#376070). - Rebased these patches: nautilus-bgo364843-name-copy-dont-overflow-max-path-len.diff nautilus-bgo350950-search-desktop.diff nautilus-bnc117333-bgo350962-folder-icon-for-menus-and-windows.diff - Rename nautilus-docpath.patch to nautilus-genericname.patch and drop the part of the patch adding a DocPath. - Do not add DocPath to desktop files with %suse_update_desktop_file - Rationale: since the desktop files use the Core category, adding DocPath means putting the items in the yelp toc, which we don't want. - Add nautilus-bnc368446-network-in-places.patch to add network:// in the places sidebar. Fix bnc#368446 (backported from upstream 2.23.1). - Update to version 2.22.2: + Add NautilusFileInfo APIs: can_write(), get_mount(), get_parent_info() + Do not try to autorun autorun.exe and autorun.inf + Automount in idle callback rather than at startup to improve user experience + Properly inhibit automount on startup, or for long login procedures + Do not automount directories in hidden hierarchies + Fix scrollbar display bug in "text besides icon" icon view mode + Do not thumbnail unreadable files + Correctly display bookmark icons + Fix blurry property window icon + Fix bookmark editing window. - added baselibs.conf file to build xxbit packages for multilib support - Upgraded to version 2.22.1: * Fix crashes and leaks. * Fix emblem display in property page. * Fix mime choosing to not always create application/x-ext-<extension> type. * Actually mount location in external connect to server dialog. * Fix thumbnail size limit checks. * Fix "show hidden" to also show backup files (was broken in some situations). * Verify that tracker is running before using it. * Fix desktop file icon handling with absolute filenames. * Use GDesktopAppInfos to launch desktop files. * Don't follow symlinks for deep file count. * Fix audio preview with later gstreamer. * Make "move file over directory" overwrite case work. * Sometimes we failed to ask for overwrite when move operations falled back to copy + delete. * Make sure we correctly transcode filenames when merging directories if the directory is on another filesystem. * Some moves were reported as copies, not moves in the ui which could cause not up-to-date directory displays. * Don't center file progress dialog if its already displayed. - Remove obsolete patch nautilus-bnc366455-change-ownership.patch. - Removed nautilus-158158-ignore-foreign-desktop-files.diff; it is obsolete. - Added nautilus-bnc366100-bgo338933-ignore-foreign-desktop-files.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=366100 - Desktop links with "OnlyShowIn=KDE" are now ignored. - Add back gtk2-devel to the devel requires - Add a gnome-desktop-devel buildrequires to fix the build. - Remove obsolete -devel package requries - Remove medusa obsoletes, not relevant to any shipping distros - Custom look'n'feel gconf keys moved to gconf2-branding-openSUSE. - Update to version 2.22.0: + Fix typo in strings + Fix crashes + Use a better icon for the progress dialog + Have a mount menu for mountable files, not an unmount one + Handle broken bookmark files bette + Sniff x-content type asynchronously + Don't look for autorun stuff on non-local files + Allow setting permissions on remote shares + Fix "delete all" button in delete dialog + Show custom icons at right size + Fix some performance issues on nonlocal mounts - Drop nautilus-onlyshowin.patch, fix upstream. - Use %suse_update_desktop_file for nautilus-autorun-software and nautilus-folder-handler to mark them as translatable. - Add nautilus-bnc366455-change-ownership.patch to fix bnc#366455. - Update to version 2.21.92: + Build fixes + Fix crashes and leaks + Fix handling of desktop file launchers + Better handling of desktop file icons + Semitransparent DnD icon support (when composited) + Avoid showing progress info when dialogs are shown + Allow minimize of progress window + Handle beagle >= 0.3.0 + Close properties dialog on escape + Make custom icons work again + Fix fuzzy icons + Duplicate file if copies to the source directory + Support open with dialog for multiple selected files + Ressurect connect to server dialog + Allow theming of free diskspace chart colors. - Added tags for all upstreamed patches, as well as bug numbers for all patches - Added nautilus-bnc363122-lockdown-disable-context-menus.diff to implement https://bugzilla.novell.com/show_bug.cgi?id=363122 - have a way to disable context menus in file views for quick-and-dirty kiosk setups. - Update to version 2.21.91: + String cleanups + Inhibit autorun for things we mount ourselves + Fix crashes and leaks + Only show selinux context if selinux is detected + Default to move, not copying, when dragging from the trash + Don't autorun/automount non-local mounts + Fix case where we could run out of file descriptors + Handle drop of files on the desktop + Fix sensitivity of delete from the trash menu item + Fix open w/ context menu in always-use-browser mode. - Explicitly require gvfs (bnc#358748). - Add XMP support (bnc #310430) - Add extensions-2.0 directory. - Update to version 2.21.90: + Regenerate thumbnails when files change + Fix crashes + New autorun and automount support + Allow unmount of current location if its a mountpoint + Use thousand separators in all numbers (if used by locale) + Fix leaks + Performance improvements + Update to latest glib APIs + Fix bug that lost metadata from older versions + Fix crashes + Enable paste into folder for desktop icons + Better finding of autorun files on case sensitive media - Remove libtool archives. - Update to version 2.21.5: + Totally replaced gnome-vfs use with gio + New implementation of file operations like copy/move with a shared progress dialog + Update pkg-config files with new extensions dir + Handle dnd of desktop icons + Implement some missing unmount/eject operations + Add autorun/automount feature + Better handling of sensitivity of delete menu items + Better handling of mount/unmount/eject in many places + Fix for extensions with submenus. - Updated nautilus-drives-and-volumes-on-desktop.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=335411 - Nautilus crashes when it gets a "volume-mounted" signal for a volume that is already mounted. This also adds two new logging domains to Nautilus: "drives-volumes" and "desktop-links". - Removed bogus dependency on mDNSResponder. - Updated to version 2.20.0: * Load thumbnails asynchronously * Support direct save DnD (XDS) * Fix up octal permission display * Store window keep-above and stickines state across sessions - Don't require gnome2-user-docs, which now supplements nautilus (#297833). - Update to version 2.19.91: * Be more robust against broken extensions * Set current working directory right on desktop when running scripts * Fix crash on file:///# * Update to cope with the new size of emblem icons * Auto-size list view filename column again * New message for service unavailable error * UI terminology consistency fix * Build fix - Refresh nautilus-search-desktop.patch. - Updated nautilus-drives-and-volumes-on-desktop.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=298802 - after burning a CD and re-mounting the CD, Nautilus uses 100% CPU. This simply includes the last patch from https://bugzilla.novell.com/show_bug.cgi?id=276193#c42 - Added nautilus-330298-297983-fix-overlapping-desktop-icons.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=297983 - desktop icons would overlap when inserting removable media, if the previously-saved location for the corresponding icon now has a different icon nearby. - Split out -lang subpackage - Use %fdupes. - Update to version 2.19.6 - Memory leaks plugged - Crashes fixed - Fixes to UI manager usage - Better string ellipsation - Consistent focus behaviour for toolbar buttons - Support for XMP image metadata - Improved keyboard handling in connect to server dialog - I18n fixes and string clarifications - Add more tooltips and use new gtk+ tootips API - Better handling of unreadable directories during search - Updated translations. - Update to version 2.19.4 - Fix crashes and leaks - Fix hang with recursive symlinks - Disk free piechart in properties dialogue - Fix typos in warning and error messages - Use new desktop capplet - Better handling of unicode search terms - Allow activating the zoom context menu by keyboard - Allow renaming network servers' icons - Do not overwrite auto-generated files. - Removed invalid desktop Category "Application" (#254654). - Fixed BuildRequires. - Update to version 2.18.0.1 - intltool is now a build requirement - Several code cleanups - Bug fixes, including p.g.o 408155, 333151, 358172, 408155, 409276, 407150, 407618, and 368661. - Update to version 2.17.91 - Bug fixes, including bugzilla.gnome.org #364466, #403255, [#138058], #340495, #357955, #403565, #357955, #362034, [#385382], #394328, #329920, #320020, #327249, #389467, #376291, [#374623], #382207, #376952, #384078, #383840, #45953, #350579, [#318373], #132326, #372550, #338353, #372471, #330298, #155337, [#174766], #122688, #321175, #349840, #356124, #351713, #348161. - adjust BuildRequires: libexif->libexif-devel - Fixed Categories (#242053). - Added nautilus-181941-i18n.patch to mark for translation a previously unmarked string (marked in other locations in the app, sparing the need for further l10n). Fixes https://bugzilla.novell.com/show_bug.cgi?id=181941 and sent upstream at http://bugzilla.gnome.org/show_bug.cgi?id=394328 - Prefix changed to /usr. - Spec file cleanup. - Do not explicitly require mDNSResponder-lib blocking avahi compat package. - Updated nautilus-drives-and-volumes-on-desktop.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=215351. Floppy icons disappeared from the desktop after unmounting the floppy. This also fixes https://bugzilla.novell.com/show_bug.cgi?id=218910, where there was a race condition when mounting drives. This caused the activation URIs of the corresponding NautilusFiles not to be updated correctly. - Removed nautilus-hide-desktop-files.patch. This was used for the old "applications://" VFS scheme, which is deprecated now. - Removed nautilus-submount.patch, since we no longer use submount (subfs). - Removed nautilus-142860-vfs-drive-for-extensions.diff, since that feature appeared upstream since Nautilus 2.14. This is what lets Nautilus extensions look at the GnomeVFSDrive for a file, so that they can install menu items specific to drives (e.g. like nautilus-cd-burner). - Removed nautilus-172870-support-drives-and-volumes.diff and nautilus-155010-desktop-volume-policy.diff, since they need to be reworked for the code in Nautilus-2.16. - Added nautilus-6014-network-servers-in-places-sidebar.diff, to fix the part of https://bugzilla.novell.com/show_bug.cgi?id=6014 that is not yet in Nautilus 2.16. This adds a "Network Servers" item in the Places sidebar. - Added nautilus-206369-desktop-icon-overlap.diff as an updated and consolidated version of nautilus-155337-icon-positioning-on-reload.diff and nautilus-174766-fix-lazy-positioning.diff. This is to fix the bug where desktop icons get overlapped or rearranged when a new volume icon appears, or when the desktop is reloaded. - Added nautilus-drives-and-volumes-on-desktop.diff as a partly updated version of nautilus-172870-support-drives-and-volumes.diff. - Added nautilus-debug-log.diff. This provides logging functionality to aid debugging. - Updated descriptions inside the rest of the patches. - Renumbered patches. - Add a patch to ensure that the search entry bar is displayed when navigating to the x-nautilus-search:/// URI. (bnc #212649) - Remove dead patches - update to version 2.16.1 - Default to search in current directory for non-indexed search - Fix clash with symbol names in gtk+ - Update MIME database in scriptlets (#201729). - update to version 2.16.0 - Handle enter activation when using typeahead search - Avoid using gnome_vfs_is_local in wrong places - Translations - update to version 2.15.92.1 - Fix crash on startup - Fix crash on changing owner/group of file - Fix double free - Make sure all strings are displayed translated - update to version 2.15.91 - Use gtk recent files code - Fix file change notification regression - Don't display raw form of selinux contexts - Import lates EggSequence with bugfixes - DnD fixes - Read .hidden symlinks - Fix down navigation in last column, next to last row - Submenu support for extensions - Improved beagle daemon detection - Enable D'n'D reordering in the places sidebar - New icons for trash operations - Add a button/text toggle button to the location bar - Fix leak - Update to version 2.15.4 - Remove upstreamed patches * New permission dialog with recursion and selinx support * Improve extension interface * Add complete session management * Handle removal of the displayed location more elegantly * Support dropping uris, urls and text to subfolders * Don't allow formating of mounted floppies * Perfomance fixes * Don't use deprecated eel features * Improve startup performance * Use GOption * Fix selection box width calculation * Improve file permission handling * Add volume operations to the file menu, tree and places sidebar * New po/LINGUAS handling * Smarter date handling for images * HIG fixes * Fix crashes * Fixes for icons and thumbnailing * Show network volumes in the places sidebar * Fix progress dialog showing the wrong file * Translation updates * Use --no-desktop option for all desktop files * Startup performance improvements * Make files copied from read-only source writeable * Don't allow bookmarking x-desktop:/// * Add help buttons to several dialogs * Fix SVG file identification * Properly break down URIs for connect to server ui * Show unmounted but user-visible drives in the places sidebar * Display more info in the progress dialog when preparing * Smarter DnD target selection * GnomeGoals: Use po/LINGUAS * Fix deadlock when dragging over list view in some conditions * Don't show folder count for smb shares * Close window when folder moves to trash * Fix deep count in properties dialog in some cases * Avoid calculating mime lists for activation * Remove blank error dialog on mount when using gnome-mount * Better filename linebreaking at punctuation marks. * List view: If a rename moves the file in the view, scroll to the new position * Better handling of broken filename encoding for link targets * Browser mode: don't close window on up if current directory has been removed * Pass original files, not target files to property page providers. This allows property page extensions to look at desktop files and symlinks. * Fix opening saved searches file from outside nautilus * Add option to always use the location bar to the preferences dialog * Show detailed file size in the properties dialog * Open modules with BIND_LOCAL * Add Network to places menu * Fix sort by atime * Add support for searching for custom mime type * Much better activation of multiple files * Handle new background image zooming mode * Add optional support for Tracker indexer * Added initial support for search * Better handling of opening multiple files * View update optimizations * No titles for alert dialogs * Use access() to determine permissions * Fix mime list problem introduced with sort change * Finally fix tree sidebar crash * ctrl-shift-g goes backwards in typeahead * Add Skip all button in copy/move conflict dialog * Position new files/folders correctly in manual layout mode * Fix desktop redraw issues on non-100% zoom levels * Adds volume/drive api for modules * GtkTreeView style typeahead * '/' opens location dialog/entry * middle click in browser mode opens new window * Handle cancellation of authentication better * Add format menu item for floppy drives - Back out nautilus-bnc376669-always-update-thumbnail.patch (bnc#376669). - Add nautilus-bnc397852-huge-memory-leak.patch (bnc#397852) - Add nautilus-bnc393226-dont-move-to-burn.patch (bnc#393226). - Add nautilus-bnc376669-always-update-thumbnail.patch (bnc#376669). - Removed previously disabled patches that were made obsolete by upstream changes: * nautilus-default-thumbnail-size.diff * nautilus-6014-network-servers-in-places-sidebar.diff - Added nautilus-bnc376070-null-exifdata-crash, which fixes crashes when showing the properties of a picture (bnc#376070). - Rebased these patches: nautilus-bgo364843-name-copy-dont-overflow-max-path-len.diff nautilus-bgo350950-search-desktop.diff nautilus-bnc117333-bgo350962-folder-icon-for-menus-and-windows.diff - Rename nautilus-docpath.patch to nautilus-genericname.patch and drop the part of the patch adding a DocPath. - Do not add DocPath to desktop files with %suse_update_desktop_file - Rationale: since the desktop files use the Core category, adding DocPath means putting the items in the yelp toc, which we don't want. - Add nautilus-bnc368446-network-in-places.patch to add network:// in the places sidebar. Fix bnc#368446 (backported from upstream 2.23.1). - Update to version 2.22.2: + Add NautilusFileInfo APIs: can_write(), get_mount(), get_parent_info() + Do not try to autorun autorun.exe and autorun.inf + Automount in idle callback rather than at startup to improve user experience + Properly inhibit automount on startup, or for long login procedures + Do not automount directories in hidden hierarchies + Fix scrollbar display bug in "text besides icon" icon view mode + Do not thumbnail unreadable files + Correctly display bookmark icons + Fix blurry property window icon + Fix bookmark editing window. - added baselibs.conf file to build xxbit packages for multilib support - Upgraded to version 2.22.1: * Fix crashes and leaks. * Fix emblem display in property page. * Fix mime choosing to not always create application/x-ext-<extension> type. * Actually mount location in external connect to server dialog. * Fix thumbnail size limit checks. * Fix "show hidden" to also show backup files (was broken in some situations). * Verify that tracker is running before using it. * Fix desktop file icon handling with absolute filenames. * Use GDesktopAppInfos to launch desktop files. * Don't follow symlinks for deep file count. * Fix audio preview with later gstreamer. * Make "move file over directory" overwrite case work. * Sometimes we failed to ask for overwrite when move operations falled back to copy + delete. * Make sure we correctly transcode filenames when merging directories if the directory is on another filesystem. * Some moves were reported as copies, not moves in the ui which could cause not up-to-date directory displays. * Don't center file progress dialog if its already displayed. - Remove obsolete patch nautilus-bnc366455-change-ownership.patch. - Removed nautilus-158158-ignore-foreign-desktop-files.diff; it is obsolete. - Added nautilus-bnc366100-bgo338933-ignore-foreign-desktop-files.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=366100 - Desktop links with "OnlyShowIn=KDE" are now ignored. - Add back gtk2-devel to the devel requires - Add a gnome-desktop-devel buildrequires to fix the build. - Remove obsolete -devel package requries - Remove medusa obsoletes, not relevant to any shipping distros - Custom look'n'feel gconf keys moved to gconf2-branding-openSUSE. - Update to version 2.22.0: + Fix typo in strings + Fix crashes + Use a better icon for the progress dialog + Have a mount menu for mountable files, not an unmount one + Handle broken bookmark files bette + Sniff x-content type asynchronously + Don't look for autorun stuff on non-local files + Allow setting permissions on remote shares + Fix "delete all" button in delete dialog + Show custom icons at right size + Fix some performance issues on nonlocal mounts - Drop nautilus-onlyshowin.patch, fix upstream. - Use %suse_update_desktop_file for nautilus-autorun-software and nautilus-folder-handler to mark them as translatable. - Add nautilus-bnc366455-change-ownership.patch to fix bnc#366455. - Update to version 2.21.92: + Build fixes + Fix crashes and leaks + Fix handling of desktop file launchers + Better handling of desktop file icons + Semitransparent DnD icon support (when composited) + Avoid showing progress info when dialogs are shown + Allow minimize of progress window + Handle beagle >= 0.3.0 + Close properties dialog on escape + Make custom icons work again + Fix fuzzy icons + Duplicate file if copies to the source directory + Support open with dialog for multiple selected files + Ressurect connect to server dialog + Allow theming of free diskspace chart colors. - Added tags for all upstreamed patches, as well as bug numbers for all patches - Added nautilus-bnc363122-lockdown-disable-context-menus.diff to implement https://bugzilla.novell.com/show_bug.cgi?id=363122 - have a way to disable context menus in file views for quick-and-dirty kiosk setups. - Update to version 2.21.91: + String cleanups + Inhibit autorun for things we mount ourselves + Fix crashes and leaks + Only show selinux context if selinux is detected + Default to move, not copying, when dragging from the trash + Don't autorun/automount non-local mounts + Fix case where we could run out of file descriptors + Handle drop of files on the desktop + Fix sensitivity of delete from the trash menu item + Fix open w/ context menu in always-use-browser mode. - Explicitly require gvfs (bnc#358748). - Add XMP support (bnc #310430) - Add extensions-2.0 directory. - Update to version 2.21.90: + Regenerate thumbnails when files change + Fix crashes + New autorun and automount support + Allow unmount of current location if its a mountpoint + Use thousand separators in all numbers (if used by locale) + Fix leaks + Performance improvements + Update to latest glib APIs + Fix bug that lost metadata from older versions + Fix crashes + Enable paste into folder for desktop icons + Better finding of autorun files on case sensitive media - Remove libtool archives. - Update to version 2.21.5: + Totally replaced gnome-vfs use with gio + New implementation of file operations like copy/move with a shared progress dialog + Update pkg-config files with new extensions dir + Handle dnd of desktop icons + Implement some missing unmount/eject operations + Add autorun/automount feature + Better handling of sensitivity of delete menu items + Better handling of mount/unmount/eject in many places + Fix for extensions with submenus. - Updated nautilus-drives-and-volumes-on-desktop.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=335411 - Nautilus crashes when it gets a "volume-mounted" signal for a volume that is already mounted. This also adds two new logging domains to Nautilus: "drives-volumes" and "desktop-links". - Removed bogus dependency on mDNSResponder. - Updated to version 2.20.0: * Load thumbnails asynchronously * Support direct save DnD (XDS) * Fix up octal permission display * Store window keep-above and stickines state across sessions - Don't require gnome2-user-docs, which now supplements nautilus (#297833). - Update to version 2.19.91: * Be more robust against broken extensions * Set current working directory right on desktop when running scripts * Fix crash on file:///# * Update to cope with the new size of emblem icons * Auto-size list view filename column again * New message for service unavailable error * UI terminology consistency fix * Build fix - Refresh nautilus-search-desktop.patch. - Updated nautilus-drives-and-volumes-on-desktop.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=298802 - after burning a CD and re-mounting the CD, Nautilus uses 100% CPU. This simply includes the last patch from https://bugzilla.novell.com/show_bug.cgi?id=276193#c42 - Added nautilus-330298-297983-fix-overlapping-desktop-icons.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=297983 - desktop icons would overlap when inserting removable media, if the previously-saved location for the corresponding icon now has a different icon nearby. - Split out -lang subpackage - Use %fdupes. - Update to version 2.19.6 - Memory leaks plugged - Crashes fixed - Fixes to UI manager usage - Better string ellipsation - Consistent focus behaviour for toolbar buttons - Support for XMP image metadata - Improved keyboard handling in connect to server dialog - I18n fixes and string clarifications - Add more tooltips and use new gtk+ tootips API - Better handling of unreadable directories during search - Updated translations. - Update to version 2.19.4 - Fix crashes and leaks - Fix hang with recursive symlinks - Disk free piechart in properties dialogue - Fix typos in warning and error messages - Use new desktop capplet - Better handling of unicode search terms - Allow activating the zoom context menu by keyboard - Allow renaming network servers' icons - Do not overwrite auto-generated files. - Removed invalid desktop Category "Application" (#254654). - Fixed BuildRequires. - Update to version 2.18.0.1 - intltool is now a build requirement - Several code cleanups - Bug fixes, including p.g.o 408155, 333151, 358172, 408155, 409276, 407150, 407618, and 368661. - Update to version 2.17.91 - Bug fixes, including bugzilla.gnome.org #364466, #403255, [#138058], #340495, #357955, #403565, #357955, #362034, [#385382], #394328, #329920, #320020, #327249, #389467, #376291, [#374623], #382207, #376952, #384078, #383840, #45953, #350579, [#318373], #132326, #372550, #338353, #372471, #330298, #155337, [#174766], #122688, #321175, #349840, #356124, #351713, #348161. - adjust BuildRequires: libexif->libexif-devel - Fixed Categories (#242053). - Added nautilus-181941-i18n.patch to mark for translation a previously unmarked string (marked in other locations in the app, sparing the need for further l10n). Fixes https://bugzilla.novell.com/show_bug.cgi?id=181941 and sent upstream at http://bugzilla.gnome.org/show_bug.cgi?id=394328 - Prefix changed to /usr. - Spec file cleanup. - Do not explicitly require mDNSResponder-lib blocking avahi compat package. - Updated nautilus-drives-and-volumes-on-desktop.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=215351. Floppy icons disappeared from the desktop after unmounting the floppy. This also fixes https://bugzilla.novell.com/show_bug.cgi?id=218910, where there was a race condition when mounting drives. This caused the activation URIs of the corresponding NautilusFiles not to be updated correctly. - Removed nautilus-hide-desktop-files.patch. This was used for the old "applications://" VFS scheme, which is deprecated now. - Removed nautilus-submount.patch, since we no longer use submount (subfs). - Removed nautilus-142860-vfs-drive-for-extensions.diff, since that feature appeared upstream since Nautilus 2.14. This is what lets Nautilus extensions look at the GnomeVFSDrive for a file, so that they can install menu items specific to drives (e.g. like nautilus-cd-burner). - Removed nautilus-172870-support-drives-and-volumes.diff and nautilus-155010-desktop-volume-policy.diff, since they need to be reworked for the code in Nautilus-2.16. - Added nautilus-6014-network-servers-in-places-sidebar.diff, to fix the part of https://bugzilla.novell.com/show_bug.cgi?id=6014 that is not yet in Nautilus 2.16. This adds a "Network Servers" item in the Places sidebar. - Added nautilus-206369-desktop-icon-overlap.diff as an updated and consolidated version of nautilus-155337-icon-positioning-on-reload.diff and nautilus-174766-fix-lazy-positioning.diff. This is to fix the bug where desktop icons get overlapped or rearranged when a new volume icon appears, or when the desktop is reloaded. - Added nautilus-drives-and-volumes-on-desktop.diff as a partly updated version of nautilus-172870-support-drives-and-volumes.diff. - Added nautilus-debug-log.diff. This provides logging functionality to aid debugging. - Updated descriptions inside the rest of the patches. - Renumbered patches. - Add a patch to ensure that the search entry bar is displayed when navigating to the x-nautilus-search:/// URI. (bnc #212649) - Remove dead patches - update to version 2.16.1 - Default to search in current directory for non-indexed search - Fix clash with symbol names in gtk+ - Update MIME database in scriptlets (#201729). - update to version 2.16.0 - Handle enter activation when using typeahead search - Avoid using gnome_vfs_is_local in wrong places - Translations - update to version 2.15.92.1 - Fix crash on startup - Fix crash on changing owner/group of file - Fix double free - Make sure all strings are displayed translated - update to version 2.15.91 - Use gtk recent files code - Fix file change notification regression - Don't display raw form of selinux contexts - Import lates EggSequence with bugfixes - DnD fixes - Read .hidden symlinks - Fix down navigation in last column, next to last row - Submenu support for extensions - Improved beagle daemon detection - Enable D'n'D reordering in the places sidebar - New icons for trash operations - Add a button/text toggle button to the location bar - Fix leak - Update to version 2.15.4 - Remove upstreamed patches * New permission dialog with recursion and selinx support * Improve extension interface * Add complete session management * Handle removal of the displayed location more elegantly * Support dropping uris, urls and text to subfolders * Don't allow formating of mounted floppies * Perfomance fixes * Don't use deprecated eel features * Improve startup performance * Use GOption * Fix selection box width calculation * Improve file permission handling * Add volume operations to the file menu, tree and places sidebar * New po/LINGUAS handling * Smarter date handling for images * HIG fixes * Fix crashes * Fixes for icons and thumbnailing * Show network volumes in the places sidebar * Fix progress dialog showing the wrong file * Translation updates * Use --no-desktop option for all desktop files * Startup performance improvements * Make files copied from read-only source writeable * Don't allow bookmarking x-desktop:/// * Add help buttons to several dialogs * Fix SVG file identification * Properly break down URIs for connect to server ui * Show unmounted but user-visible drives in the places sidebar * Display more info in the progress dialog when preparing * Smarter DnD target selection * GnomeGoals: Use po/LINGUAS * Fix deadlock when dragging over list view in some conditions * Don't show folder count for smb shares * Close window when folder moves to trash * Fix deep count in properties dialog in some cases * Avoid calculating mime lists for activation * Remove blank error dialog on mount when using gnome-mount * Better filename linebreaking at punctuation marks. * List view: If a rename moves the file in the view, scroll to the new position * Better handling of broken filename encoding for link targets * Browser mode: don't close window on up if current directory has been removed * Pass original files, not target files to property page providers. This allows property page extensions to look at desktop files and symlinks. * Fix opening saved searches file from outside nautilus * Add option to always use the location bar to the preferences dialog * Show detailed file size in the properties dialog * Open modules with BIND_LOCAL * Add Network to places menu * Fix sort by atime * Add support for searching for custom mime type * Much better activation of multiple files * Handle new background image zooming mode * Add optional support for Tracker indexer * Added initial support for search * Better handling of opening multiple files * View update optimizations * No titles for alert dialogs * Use access() to determine permissions * Fix mime list problem introduced with sort change * Finally fix tree sidebar crash * ctrl-shift-g goes backwards in typeahead * Add Skip all button in copy/move conflict dialog * Position new files/folders correctly in manual layout mode * Fix desktop redraw issues on non-100% zoom levels * Adds volume/drive api for modules * GtkTreeView style typeahead * '/' opens location dialog/entry * middle click in browser mode opens new window * Handle cancellation of authentication better * Add format menu item for floppy drives - Back out nautilus-bnc376669-always-update-thumbnail.patch (bnc#376669). - Add nautilus-bnc397852-huge-memory-leak.patch (bnc#397852) - Add nautilus-bnc393226-dont-move-to-burn.patch (bnc#393226). - Add nautilus-bnc376669-always-update-thumbnail.patch (bnc#376669). - Removed previously disabled patches that were made obsolete by upstream changes: * nautilus-default-thumbnail-size.diff * nautilus-6014-network-servers-in-places-sidebar.diff - Added nautilus-bnc376070-null-exifdata-crash, which fixes crashes when showing the properties of a picture (bnc#376070). - Rebased these patches: nautilus-bgo364843-name-copy-dont-overflow-max-path-len.diff nautilus-bgo350950-search-desktop.diff nautilus-bnc117333-bgo350962-folder-icon-for-menus-and-windows.diff - Rename nautilus-docpath.patch to nautilus-genericname.patch and drop the part of the patch adding a DocPath. - Do not add DocPath to desktop files with %suse_update_desktop_file - Rationale: since the desktop files use the Core category, adding DocPath means putting the items in the yelp toc, which we don't want. - Add nautilus-bnc368446-network-in-places.patch to add network:// in the places sidebar. Fix bnc#368446 (backported from upstream 2.23.1). - Update to version 2.22.2: + Add NautilusFileInfo APIs: can_write(), get_mount(), get_parent_info() + Do not try to autorun autorun.exe and autorun.inf + Automount in idle callback rather than at startup to improve user experience + Properly inhibit automount on startup, or for long login procedures + Do not automount directories in hidden hierarchies + Fix scrollbar display bug in "text besides icon" icon view mode + Do not thumbnail unreadable files + Correctly display bookmark icons + Fix blurry property window icon + Fix bookmark editing window. - added baselibs.conf file to build xxbit packages for multilib support - Upgraded to version 2.22.1: * Fix crashes and leaks. * Fix emblem display in property page. * Fix mime choosing to not always create application/x-ext-<extension> type. * Actually mount location in external connect to server dialog. * Fix thumbnail size limit checks. * Fix "show hidden" to also show backup files (was broken in some situations). * Verify that tracker is running before using it. * Fix desktop file icon handling with absolute filenames. * Use GDesktopAppInfos to launch desktop files. * Don't follow symlinks for deep file count. * Fix audio preview with later gstreamer. * Make "move file over directory" overwrite case work. * Sometimes we failed to ask for overwrite when move operations falled back to copy + delete. * Make sure we correctly transcode filenames when merging directories if the directory is on another filesystem. * Some moves were reported as copies, not moves in the ui which could cause not up-to-date directory displays. * Don't center file progress dialog if its already displayed. - Remove obsolete patch nautilus-bnc366455-change-ownership.patch. - Removed nautilus-158158-ignore-foreign-desktop-files.diff; it is obsolete. - Added nautilus-bnc366100-bgo338933-ignore-foreign-desktop-files.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=366100 - Desktop links with "OnlyShowIn=KDE" are now ignored. - Add back gtk2-devel to the devel requires - Add a gnome-desktop-devel buildrequires to fix the build. - Remove obsolete -devel package requries - Remove medusa obsoletes, not relevant to any shipping distros - Custom look'n'feel gconf keys moved to gconf2-branding-openSUSE. - Update to version 2.22.0: + Fix typo in strings + Fix crashes + Use a better icon for the progress dialog + Have a mount menu for mountable files, not an unmount one + Handle broken bookmark files bette + Sniff x-content type asynchronously + Don't look for autorun stuff on non-local files + Allow setting permissions on remote shares + Fix "delete all" button in delete dialog + Show custom icons at right size + Fix some performance issues on nonlocal mounts - Drop nautilus-onlyshowin.patch, fix upstream. - Use %suse_update_desktop_file for nautilus-autorun-software and nautilus-folder-handler to mark them as translatable. - Add nautilus-bnc366455-change-ownership.patch to fix bnc#366455. - Update to version 2.21.92: + Build fixes + Fix crashes and leaks + Fix handling of desktop file launchers + Better handling of desktop file icons + Semitransparent DnD icon support (when composited) + Avoid showing progress info when dialogs are shown + Allow minimize of progress window + Handle beagle >= 0.3.0 + Close properties dialog on escape + Make custom icons work again + Fix fuzzy icons + Duplicate file if copies to the source directory + Support open with dialog for multiple selected files + Ressurect connect to server dialog + Allow theming of free diskspace chart colors. - Added tags for all upstreamed patches, as well as bug numbers for all patches - Added nautilus-bnc363122-lockdown-disable-context-menus.diff to implement https://bugzilla.novell.com/show_bug.cgi?id=363122 - have a way to disable context menus in file views for quick-and-dirty kiosk setups. - Update to version 2.21.91: + String cleanups + Inhibit autorun for things we mount ourselves + Fix crashes and leaks + Only show selinux context if selinux is detected + Default to move, not copying, when dragging from the trash + Don't autorun/automount non-local mounts + Fix case where we could run out of file descriptors + Handle drop of files on the desktop + Fix sensitivity of delete from the trash menu item + Fix open w/ context menu in always-use-browser mode. - Explicitly require gvfs (bnc#358748). - Add XMP support (bnc #310430) - Add extensions-2.0 directory. - Update to version 2.21.90: + Regenerate thumbnails when files change + Fix crashes + New autorun and automount support + Allow unmount of current location if its a mountpoint + Use thousand separators in all numbers (if used by locale) + Fix leaks + Performance improvements + Update to latest glib APIs + Fix bug that lost metadata from older versions + Fix crashes + Enable paste into folder for desktop icons + Better finding of autorun files on case sensitive media - Remove libtool archives. - Update to version 2.21.5: + Totally replaced gnome-vfs use with gio + New implementation of file operations like copy/move with a shared progress dialog + Update pkg-config files with new extensions dir + Handle dnd of desktop icons + Implement some missing unmount/eject operations + Add autorun/automount feature + Better handling of sensitivity of delete menu items + Better handling of mount/unmount/eject in many places + Fix for extensions with submenus. - Updated nautilus-drives-and-volumes-on-desktop.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=335411 - Nautilus crashes when it gets a "volume-mounted" signal for a volume that is already mounted. This also adds two new logging domains to Nautilus: "drives-volumes" and "desktop-links". - Removed bogus dependency on mDNSResponder. - Updated to version 2.20.0: * Load thumbnails asynchronously * Support direct save DnD (XDS) * Fix up octal permission display * Store window keep-above and stickines state across sessions - Don't require gnome2-user-docs, which now supplements nautilus (#297833). - Update to version 2.19.91: * Be more robust against broken extensions * Set current working directory right on desktop when running scripts * Fix crash on file:///# * Update to cope with the new size of emblem icons * Auto-size list view filename column again * New message for service unavailable error * UI terminology consistency fix * Build fix - Refresh nautilus-search-desktop.patch. - Updated nautilus-drives-and-volumes-on-desktop.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=298802 - after burning a CD and re-mounting the CD, Nautilus uses 100% CPU. This simply includes the last patch from https://bugzilla.novell.com/show_bug.cgi?id=276193#c42 - Added nautilus-330298-297983-fix-overlapping-desktop-icons.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=297983 - desktop icons would overlap when inserting removable media, if the previously-saved location for the corresponding icon now has a different icon nearby. - Split out -lang subpackage - Use %fdupes. - Update to version 2.19.6 - Memory leaks plugged - Crashes fixed - Fixes to UI manager usage - Better string ellipsation - Consistent focus behaviour for toolbar buttons - Support for XMP image metadata - Improved keyboard handling in connect to server dialog - I18n fixes and string clarifications - Add more tooltips and use new gtk+ tootips API - Better handling of unreadable directories during search - Updated translations. - Update to version 2.19.4 - Fix crashes and leaks - Fix hang with recursive symlinks - Disk free piechart in properties dialogue - Fix typos in warning and error messages - Use new desktop capplet - Better handling of unicode search terms - Allow activating the zoom context menu by keyboard - Allow renaming network servers' icons - Do not overwrite auto-generated files. - Removed invalid desktop Category "Application" (#254654). - Fixed BuildRequires. - Update to version 2.18.0.1 - intltool is now a build requirement - Several code cleanups - Bug fixes, including p.g.o 408155, 333151, 358172, 408155, 409276, 407150, 407618, and 368661. - Update to version 2.17.91 - Bug fixes, including bugzilla.gnome.org #364466, #403255, [#138058], #340495, #357955, #403565, #357955, #362034, [#385382], #394328, #329920, #320020, #327249, #389467, #376291, [#374623], #382207, #376952, #384078, #383840, #45953, #350579, [#318373], #132326, #372550, #338353, #372471, #330298, #155337, [#174766], #122688, #321175, #349840, #356124, #351713, #348161. - adjust BuildRequires: libexif->libexif-devel - Fixed Categories (#242053). - Added nautilus-181941-i18n.patch to mark for translation a previously unmarked string (marked in other locations in the app, sparing the need for further l10n). Fixes https://bugzilla.novell.com/show_bug.cgi?id=181941 and sent upstream at http://bugzilla.gnome.org/show_bug.cgi?id=394328 - Prefix changed to /usr. - Spec file cleanup. - Do not explicitly require mDNSResponder-lib blocking avahi compat package. - Updated nautilus-drives-and-volumes-on-desktop.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=215351. Floppy icons disappeared from the desktop after unmounting the floppy. This also fixes https://bugzilla.novell.com/show_bug.cgi?id=218910, where there was a race condition when mounting drives. This caused the activation URIs of the corresponding NautilusFiles not to be updated correctly. - Removed nautilus-hide-desktop-files.patch. This was used for the old "applications://" VFS scheme, which is deprecated now. - Removed nautilus-submount.patch, since we no longer use submount (subfs). - Removed nautilus-142860-vfs-drive-for-extensions.diff, since that feature appeared upstream since Nautilus 2.14. This is what lets Nautilus extensions look at the GnomeVFSDrive for a file, so that they can install menu items specific to drives (e.g. like nautilus-cd-burner). - Removed nautilus-172870-support-drives-and-volumes.diff and nautilus-155010-desktop-volume-policy.diff, since they need to be reworked for the code in Nautilus-2.16. - Added nautilus-6014-network-servers-in-places-sidebar.diff, to fix the part of https://bugzilla.novell.com/show_bug.cgi?id=6014 that is not yet in Nautilus 2.16. This adds a "Network Servers" item in the Places sidebar. - Added nautilus-206369-desktop-icon-overlap.diff as an updated and consolidated version of nautilus-155337-icon-positioning-on-reload.diff and nautilus-174766-fix-lazy-positioning.diff. This is to fix the bug where desktop icons get overlapped or rearranged when a new volume icon appears, or when the desktop is reloaded. - Added nautilus-drives-and-volumes-on-desktop.diff as a partly updated version of nautilus-172870-support-drives-and-volumes.diff. - Added nautilus-debug-log.diff. This provides logging functionality to aid debugging. - Updated descriptions inside the rest of the patches. - Renumbered patches. - Add a patch to ensure that the search entry bar is displayed when navigating to the x-nautilus-search:/// URI. (bnc #212649) - Remove dead patches - update to version 2.16.1 - Default to search in current directory for non-indexed search - Fix clash with symbol names in gtk+ - Update MIME database in scriptlets (#201729). - update to version 2.16.0 - Handle enter activation when using typeahead search - Avoid using gnome_vfs_is_local in wrong places - Translations - update to version 2.15.92.1 - Fix crash on startup - Fix crash on changing owner/group of file - Fix double free - Make sure all strings are displayed translated - update to version 2.15.91 - Use gtk recent files code - Fix file change notification regression - Don't display raw form of selinux contexts - Import lates EggSequence with bugfixes - DnD fixes - Read .hidden symlinks - Fix down navigation in last column, next to last row - Submenu support for extensions - Improved beagle daemon detection - Enable D'n'D reordering in the places sidebar - New icons for trash operations - Add a button/text toggle button to the location bar - Fix leak - Update to version 2.15.4 - Remove upstreamed patches * New permission dialog with recursion and selinx support * Improve extension interface * Add complete session management * Handle removal of the displayed location more elegantly * Support dropping uris, urls and text to subfolders * Don't allow formating of mounted floppies * Perfomance fixes * Don't use deprecated eel features * Improve startup performance * Use GOption * Fix selection box width calculation * Improve file permission handling * Add volume operations to the file menu, tree and places sidebar * New po/LINGUAS handling * Smarter date handling for images * HIG fixes * Fix crashes * Fixes for icons and thumbnailing * Show network volumes in the places sidebar * Fix progress dialog showing the wrong file * Translation updates * Use --no-desktop option for all desktop files * Startup performance improvements * Make files copied from read-only source writeable * Don't allow bookmarking x-desktop:/// * Add help buttons to several dialogs * Fix SVG file identification * Properly break down URIs for connect to server ui * Show unmounted but user-visible drives in the places sidebar * Display more info in the progress dialog when preparing * Smarter DnD target selection * GnomeGoals: Use po/LINGUAS * Fix deadlock when dragging over list view in some conditions * Don't show folder count for smb shares * Close window when folder moves to trash * Fix deep count in properties dialog in some cases * Avoid calculating mime lists for activation * Remove blank error dialog on mount when using gnome-mount * Better filename linebreaking at punctuation marks. * List view: If a rename moves the file in the view, scroll to the new position * Better handling of broken filename encoding for link targets * Browser mode: don't close window on up if current directory has been removed * Pass original files, not target files to property page providers. This allows property page extensions to look at desktop files and symlinks. * Fix opening saved searches file from outside nautilus * Add option to always use the location bar to the preferences dialog * Show detailed file size in the properties dialog * Open modules with BIND_LOCAL * Add Network to places menu * Fix sort by atime * Add support for searching for custom mime type * Much better activation of multiple files * Handle new background image zooming mode * Add optional support for Tracker indexer * Added initial support for search * Better handling of opening multiple files * View update optimizations * No titles for alert dialogs * Use access() to determine permissions * Fix mime list problem introduced with sort change * Finally fix tree sidebar crash * ctrl-shift-g goes backwards in typeahead * Add Skip all button in copy/move conflict dialog * Position new files/folders correctly in manual layout mode * Fix desktop redraw issues on non-100% zoom levels * Adds volume/drive api for modules * GtkTreeView style typeahead * '/' opens location dialog/entry * middle click in browser mode opens new window * Handle cancellation of authentication better * Add format menu item for floppy drives - Back out nautilus-bnc376669-always-update-thumbnail.patch (bnc#376669). - Add nautilus-bnc397852-huge-memory-leak.patch (bnc#397852) - Add nautilus-bnc393226-dont-move-to-burn.patch (bnc#393226). - Add nautilus-bnc376669-always-update-thumbnail.patch (bnc#376669). - Removed previously disabled patches that were made obsolete by upstream changes: * nautilus-default-thumbnail-size.diff * nautilus-6014-network-servers-in-places-sidebar.diff - Added nautilus-bnc376070-null-exifdata-crash, which fixes crashes when showing the properties of a picture (bnc#376070). - Rebased these patches: nautilus-bgo364843-name-copy-dont-overflow-max-path-len.diff nautilus-bgo350950-search-desktop.diff nautilus-bnc117333-bgo350962-folder-icon-for-menus-and-windows.diff - Rename nautilus-docpath.patch to nautilus-genericname.patch and drop the part of the patch adding a DocPath. - Do not add DocPath to desktop files with %suse_update_desktop_file - Rationale: since the desktop files use the Core category, adding DocPath means putting the items in the yelp toc, which we don't want. - Add nautilus-bnc368446-network-in-places.patch to add network:// in the places sidebar. Fix bnc#368446 (backported from upstream 2.23.1). - Update to version 2.22.2: + Add NautilusFileInfo APIs: can_write(), get_mount(), get_parent_info() + Do not try to autorun autorun.exe and autorun.inf + Automount in idle callback rather than at startup to improve user experience + Properly inhibit automount on startup, or for long login procedures + Do not automount directories in hidden hierarchies + Fix scrollbar display bug in "text besides icon" icon view mode + Do not thumbnail unreadable files + Correctly display bookmark icons + Fix blurry property window icon + Fix bookmark editing window. - added baselibs.conf file to build xxbit packages for multilib support - Upgraded to version 2.22.1: * Fix crashes and leaks. * Fix emblem display in property page. * Fix mime choosing to not always create application/x-ext-<extension> type. * Actually mount location in external connect to server dialog. * Fix thumbnail size limit checks. * Fix "show hidden" to also show backup files (was broken in some situations). * Verify that tracker is running before using it. * Fix desktop file icon handling with absolute filenames. * Use GDesktopAppInfos to launch desktop files. * Don't follow symlinks for deep file count. * Fix audio preview with later gstreamer. * Make "move file over directory" overwrite case work. * Sometimes we failed to ask for overwrite when move operations falled back to copy + delete. * Make sure we correctly transcode filenames when merging directories if the directory is on another filesystem. * Some moves were reported as copies, not moves in the ui which could cause not up-to-date directory displays. * Don't center file progress dialog if its already displayed. - Remove obsolete patch nautilus-bnc366455-change-ownership.patch. - Removed nautilus-158158-ignore-foreign-desktop-files.diff; it is obsolete. - Added nautilus-bnc366100-bgo338933-ignore-foreign-desktop-files.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=366100 - Desktop links with "OnlyShowIn=KDE" are now ignored. - Add back gtk2-devel to the devel requires - Add a gnome-desktop-devel buildrequires to fix the build. - Remove obsolete -devel package requries - Remove medusa obsoletes, not relevant to any shipping distros - Custom look'n'feel gconf keys moved to gconf2-branding-openSUSE. - Update to version 2.22.0: + Fix typo in strings + Fix crashes + Use a better icon for the progress dialog + Have a mount menu for mountable files, not an unmount one + Handle broken bookmark files bette + Sniff x-content type asynchronously + Don't look for autorun stuff on non-local files + Allow setting permissions on remote shares + Fix "delete all" button in delete dialog + Show custom icons at right size + Fix some performance issues on nonlocal mounts - Drop nautilus-onlyshowin.patch, fix upstream. - Use %suse_update_desktop_file for nautilus-autorun-software and nautilus-folder-handler to mark them as translatable. - Add nautilus-bnc366455-change-ownership.patch to fix bnc#366455. - Update to version 2.21.92: + Build fixes + Fix crashes and leaks + Fix handling of desktop file launchers + Better handling of desktop file icons + Semitransparent DnD icon support (when composited) + Avoid showing progress info when dialogs are shown + Allow minimize of progress window + Handle beagle >= 0.3.0 + Close properties dialog on escape + Make custom icons work again + Fix fuzzy icons + Duplicate file if copies to the source directory + Support open with dialog for multiple selected files + Ressurect connect to server dialog + Allow theming of free diskspace chart colors. - Added tags for all upstreamed patches, as well as bug numbers for all patches - Added nautilus-bnc363122-lockdown-disable-context-menus.diff to implement https://bugzilla.novell.com/show_bug.cgi?id=363122 - have a way to disable context menus in file views for quick-and-dirty kiosk setups. - Update to version 2.21.91: + String cleanups + Inhibit autorun for things we mount ourselves + Fix crashes and leaks + Only show selinux context if selinux is detected + Default to move, not copying, when dragging from the trash + Don't autorun/automount non-local mounts + Fix case where we could run out of file descriptors + Handle drop of files on the desktop + Fix sensitivity of delete from the trash menu item + Fix open w/ context menu in always-use-browser mode. - Explicitly require gvfs (bnc#358748). - Add XMP support (bnc #310430) - Add extensions-2.0 directory. - Update to version 2.21.90: + Regenerate thumbnails when files change + Fix crashes + New autorun and automount support + Allow unmount of current location if its a mountpoint + Use thousand separators in all numbers (if used by locale) + Fix leaks + Performance improvements + Update to latest glib APIs + Fix bug that lost metadata from older versions + Fix crashes + Enable paste into folder for desktop icons + Better finding of autorun files on case sensitive media - Remove libtool archives. - Update to version 2.21.5: + Totally replaced gnome-vfs use with gio + New implementation of file operations like copy/move with a shared progress dialog + Update pkg-config files with new extensions dir + Handle dnd of desktop icons + Implement some missing unmount/eject operations + Add autorun/automount feature + Better handling of sensitivity of delete menu items + Better handling of mount/unmount/eject in many places + Fix for extensions with submenus. - Updated nautilus-drives-and-volumes-on-desktop.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=335411 - Nautilus crashes when it gets a "volume-mounted" signal for a volume that is already mounted. This also adds two new logging domains to Nautilus: "drives-volumes" and "desktop-links". - Removed bogus dependency on mDNSResponder. - Updated to version 2.20.0: * Load thumbnails asynchronously * Support direct save DnD (XDS) * Fix up octal permission display * Store window keep-above and stickines state across sessions - Don't require gnome2-user-docs, which now supplements nautilus (#297833). - Update to version 2.19.91: * Be more robust against broken extensions * Set current working directory right on desktop when running scripts * Fix crash on file:///# * Update to cope with the new size of emblem icons * Auto-size list view filename column again * New message for service unavailable error * UI terminology consistency fix * Build fix - Refresh nautilus-search-desktop.patch. - Updated nautilus-drives-and-volumes-on-desktop.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=298802 - after burning a CD and re-mounting the CD, Nautilus uses 100% CPU. This simply includes the last patch from https://bugzilla.novell.com/show_bug.cgi?id=276193#c42 - Added nautilus-330298-297983-fix-overlapping-desktop-icons.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=297983 - desktop icons would overlap when inserting removable media, if the previously-saved location for the corresponding icon now has a different icon nearby. - Split out -lang subpackage - Use %fdupes. - Update to version 2.19.6 - Memory leaks plugged - Crashes fixed - Fixes to UI manager usage - Better string ellipsation - Consistent focus behaviour for toolbar buttons - Support for XMP image metadata - Improved keyboard handling in connect to server dialog - I18n fixes and string clarifications - Add more tooltips and use new gtk+ tootips API - Better handling of unreadable directories during search - Updated translations. - Update to version 2.19.4 - Fix crashes and leaks - Fix hang with recursive symlinks - Disk free piechart in properties dialogue - Fix typos in warning and error messages - Use new desktop capplet - Better handling of unicode search terms - Allow activating the zoom context menu by keyboard - Allow renaming network servers' icons - Do not overwrite auto-generated files. - Removed invalid desktop Category "Application" (#254654). - Fixed BuildRequires. - Update to version 2.18.0.1 - intltool is now a build requirement - Several code cleanups - Bug fixes, including p.g.o 408155, 333151, 358172, 408155, 409276, 407150, 407618, and 368661. - Update to version 2.17.91 - Bug fixes, including bugzilla.gnome.org #364466, #403255, [#138058], #340495, #357955, #403565, #357955, #362034, [#385382], #394328, #329920, #320020, #327249, #389467, #376291, [#374623], #382207, #376952, #384078, #383840, #45953, #350579, [#318373], #132326, #372550, #338353, #372471, #330298, #155337, [#174766], #122688, #321175, #349840, #356124, #351713, #348161. - adjust BuildRequires: libexif->libexif-devel - Fixed Categories (#242053). - Added nautilus-181941-i18n.patch to mark for translation a previously unmarked string (marked in other locations in the app, sparing the need for further l10n). Fixes https://bugzilla.novell.com/show_bug.cgi?id=181941 and sent upstream at http://bugzilla.gnome.org/show_bug.cgi?id=394328 - Prefix changed to /usr. - Spec file cleanup. - Do not explicitly require mDNSResponder-lib blocking avahi compat package. - Updated nautilus-drives-and-volumes-on-desktop.diff to fix https://bugzilla.novell.com/show_bug.cgi?id=215351. Floppy icons disappeared from the desktop after unmounting the floppy. This also fixes https://bugzilla.novell.com/show_bug.cgi?id=218910, where there was a race condition when mounting drives. This caused the activation URIs of the corresponding NautilusFiles not to be updated correctly. - Removed nautilus-hide-desktop-files.patch. This was used for the old "applications://" VFS scheme, which is deprecated now. - Removed nautilus-submount.patch, since we no longer use submount (subfs). - Removed nautilus-142860-vfs-drive-for-extensions.diff, since that feature appeared upstream since Nautilus 2.14. This is what lets Nautilus extensions look at the GnomeVFSDrive for a file, so that they can install menu items specific to drives (e.g. like nautilus-cd-burner). - Removed nautilus-172870-support-drives-and-volumes.diff and nautilus-155010-desktop-volume-policy.diff, since they need to be reworked for the code in Nautilus-2.16. - Added nautilus-6014-network-servers-in-places-sidebar.diff, to fix the part of https://bugzilla.novell.com/show_bug.cgi?id=6014 that is not yet in Nautilus 2.16. This adds a "Network Servers" item in the Places sidebar. - Added nautilus-206369-desktop-icon-overlap.diff as an updated and consolidated version of nautilus-155337-icon-positioning-on-reload.diff and nautilus-174766-fix-lazy-positioning.diff. This is to fix the bug where desktop icons get overlapped or rearranged when a new volume icon appears, or when the desktop is reloaded. - Added nautilus-drives-and-volumes-on-desktop.diff as a partly updated version of nautilus-172870-support-drives-and-volumes.diff. - Added nautilus-debug-log.diff. This provides logging functionality to aid debugging. - Updated descriptions inside the rest of the patches. - Renumbered patches. - Add a patch to ensure that the search entry bar is displayed when navigating to the x-nautilus-search:/// URI. (bnc #212649) - Remove dead patches - update to version 2.16.1 - Default to search in current directory for non-indexed search - Fix clash with symbol names in gtk+ - Update MIME database in scriptlets (#201729). - update to version 2.16.0 - Handle enter activation when using typeahead search - Avoid using gnome_vfs_is_local in wrong places - Translations - update to version 2.15.92.1 - Fix crash on startup - Fix crash on changing owner/group of file - Fix double free - Make sure all strings are displayed translated - update to version 2.15.91 - Use gtk recent files code - Fix file change notification regression - Don't display raw form of selinux contexts - Import lates EggSequence with bugfixes - DnD fixes - Read .hidden symlinks - Fix down navigation in last column, next to last row - Submenu support for extensions - Improved beagle daemon detection - Enable D'n'D reordering in the places sidebar - New icons for trash operations - Add a button/text toggle button to the location bar - Fix leak - Update to version 2.15.4 - Remove upstreamed patches * New permission dialog with recursion and selinx support * Improve extension interface * Add complete session management * Handle removal of the displayed location more elegantly * Support dropping uris, urls and text to subfolders * Don't allow formating of mounted floppies * Perfomance fixes * Don't use deprecated eel features * Improve startup performance * Use GOption * Fix selection box width calculation * Improve file permission handling * Add volume operations to the file menu, tree and places sidebar * New po/LINGUAS handling * Smarter date handling for images * HIG fixes * Fix crashes * Fixes for icons and thumbnailing * Show network volumes in the places sidebar * Fix progress dialog showing the wrong file * Translation updates * Use --no-desktop option for all desktop files * Startup performance improvements * Make files copied from read-only source writeable * Don't allow bookmarking x-desktop:/// * Add help buttons to several dialogs * Fix SVG file identification * Properly break down URIs for connect to server ui * Show unmounted but user-visible drives in the places sidebar * Display more info in the progress dialog when preparing * Smarter DnD target selection * GnomeGoals: Use po/LINGUAS * Fix deadlock when dragging over list view in some conditions * Don't show folder count for smb shares * Close window when folder moves to trash * Fix deep count in properties dialog in some cases * Avoid calculating mime lists for activation * Remove blank error dialog on mount when using gnome-mount * Better filename linebreaking at punctuation marks. * List view: If a rename moves the file in the view, scroll to the new position * Better handling of broken filename encoding for link targets * Browser mode: don't close window on up if current directory has been removed * Pass original files, not target files to property page providers. This allows property page extensions to look at desktop files and symlinks. * Fix opening saved searches file from outside nautilus * Add option to always use the location bar to the preferences dialog * Show detailed file size in the properties dialog * Open modules with BIND_LOCAL * Add Network to places menu * Fix sort by atime * Add support for searching for custom mime type * Much better activation of multiple files * Handle new background image zooming mode * Add optional support for Tracker indexer * Added initial support for search * Better handling of opening multiple files * View update optimizations * No titles for alert dialogs * Use access() to determine permissions * Fix mime list problem introduced with sort change * Finally fix tree sidebar crash * ctrl-shift-g goes backwards in typeahead * Add Skip all button in copy/move conflict dialog * Position new files/folders correctly in manual layout mode * Fix desktop redraw issues on non-100% zoom levels * Adds volume/drive api for modules * GtkTreeView style typeahead * '/' opens location dialog/entry * middle click in browser mode opens new window * Handle cancellation of authentication better * Add format menu item for floppy drives - Back out nautilus-bnc376669-always-update-thumbnail.patch (bnc#376669).