./security/php-suhosin, Advanced protection system for PHP installations

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 0.9.38, Package name: php56-suhosin-0.9.38, Maintainer: cg

Suhosin is an advanced protection system for PHP installations. It was
designed to protect servers and users from known and unknown flaws in
PHP applications and the PHP core. Suhosin comes in two independent
parts, that can be used separately or in combination. The first part is
a small patch against the PHP core, that implements a few low-level
protections against bufferoverflows or format string vulnerabilities and
the second part is a powerful PHP extension that implements all the other

Unlike our Hardening-Patch Suhosin is binary compatible to normal PHP
installation, which means it is compatible to 3rd party binary extension
like ZendOptimizer.

Required to run:

Required to build:

Master sites:

Version history: (Expand)

CVS history: (Expand)

   2016-09-11 19:03:29 by Takahiro Kambe | Files touched by this commit (53)
Log message:
Drop "55" (php55) from PHP_VERSIONS_ACCEPTED.
   2015-12-19 15:27:15 by Takahiro Kambe | Files touched by this commit (26)
Log message:
Restrict PHP_VERSIONS_ACCEPTED to 55 and 56.
   2015-11-04 02:18:12 by Alistair G. Crooks | Files touched by this commit (434)
Log message:
Add SHA512 digests for distfiles for security category

Problems found locating distfiles:
	Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
	Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
	Package libidea: missing distfile libidea-0.8.2b.tar.gz
	Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
	Package uvscan: missing distfile vlp4510e.tar.Z

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.
   2015-08-30 16:54:50 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
Update php-suhosin to 0.9.38.

2015-05-21 - 0.9.38
    - removed code compatibility for PHP <5.4 (lots of code + ifdefs)
    - allow https location for suhosin.filter.action
    - fixed newline detection for suhosin.mail.protect
    - Added suhosin.upload.max_newlines to protect againt DOS attack via many
      MIME headers in RFC1867 uploads (CVE-2015-4024)
    - mail related test cases now work on linux
   2015-03-15 01:35:14 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
Update php-suhosin to

* support for PHP 5.3 was dropped.

2014-12-12 -
    - Changed version string to (without -dev)
    - Relaxed array index blacklist (removed '-') due to wordpress incompatibility

2014-12-03 - 0.9.37

    - Added SQL injection protection for Mysqli and several test cases
    - Added wildcard matching for SQL username
    - Added check for SQL username to only contain valid characters (>= ASCII 32)
    - Test cases for user_prefix and user_postfix
    - Added experimental PDO support
    - SQL checks other than mysql (Mysqli + old-style) must be enabled with
      configure --enable-suhosin-experimental, e.g. MSSQL.
    - disallow_ws now matches all single-byte whitespace characters
    - remove_binary and disallow_binary now optionally allow UTF-8.
    - Introduced suhosin.upload.allow_utf8 (experimental)
    - Reimplemented suhosin_get_raw_cookies()
    - Fixed potential segfault for disable_display_errors=fail (only on ARM)
    - Fixed potential NULL-pointer dereference with func.blacklist and logging
    - Logging timestamps are localtime instead of gmt now (thanks to mkrokos)
    - Added new array index filter (character whitelist/blacklist)
    - Set default array index blacklist to '"+-<>;()
    - Added option to suppress date/time for suhosin file logging \ 
    - Added simple script to create binary Debian package
    - Fixed additional recursion problems with session handler
    - Suhosin now depends on php_session.h instead of version-specific struct code

2014-06-10 - 0.9.36

    - Added better handling of non existing/non executable shell scripts
    - Added protection against XSS/SQL/Other Injections through User-Agent HTTP \ 
    - Fix variable logging statistics outputting on every include - ticket: #37
    - Added more entropy from /dev/urandom to internal random seeding (64 bit \ 
=> 256 bit)
    - Added non initialized stack variables to random seeding
    - Added php_win32_get_random_bytes for windows compatibility in random seeding
    - Added suhosin.rand.seedingkey for INI supplied additional entropy string \ 
(idea DavisNT)
    - Added suhosin.rand.reseed_every_request to allow reseeding on every \ 
request (idea DavisNT)
    - Changed that calls to srand() / mt_srand() will trigger auto reseeding \ 
(idea DavisNT)
    - Fixed problems with SessionHandler() class and endless recursions
    - Added LICENSE file to make distributions happy

2014-02-24 - 0.9.35

    - From now only PHP >= 5.4 is officially supported
    - Fix problems with the hard memory_limit on 64 bit systems
    - Fix problems with user space session handler due to change in PHP 5.4.0
    - Add changes in PHP 5.5 session handlers structures for PHP 5.5 compability
    - Fix std post handler for PHP >= 5.3.11
    - Fix suhosin logo in phpinfo() for PHP 5.5
    - Change fileupload handling for PHP >= 5.4.0 to use an up to date \ 
RFC1867 replacement code
    - Adapted suhosin to PHP 5.5 executor
    - Added some test cases for various things
    - Added suhosin.log.stdout to log to stdout (for debugging purposes only)
    - Add ini_set() fail mode to suhosin.disable.display_errors
    - Fix suhosin.get/post/cookie.max_totalname_length filter
    - Refactor array index handling in filter to make it work always
    - Added support for PHP 5.6.0alpha2
< 5.5

2012-02-12 - 0.9.34

    - Added initial support for PHP 5.4.0
    - Fix include whitelist and blacklist to support shemes with dots in their names
    - Fix read after efree() that lets function_exists() malfunction
    - Fix build with clang compiler
    - Added a request variable drop statistic log message
   2013-12-08 23:34:33 by Joerg Sonnenberger | Files touched by this commit (1)
Log message:
Ignore missing return value when building against PHP 5.3.
   2013-04-08 13:17:26 by Blue Rats | Files touched by this commit (109)
Log message:
Remove "Trailing empty lines." and/or "Trailing white-space."
   2012-10-23 20:17:02 by Aleksej Saushev | Files touched by this commit (368)
Log message:
Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days.