Subject: CVS commit: [pkgsrc-2018Q2] pkgsrc/lang
From: Benny Siegert
Date: 2018-08-17 18:04:01
Message id: 20180817160401.1B3AAFBEC@cvs.NetBSD.org

Log Message:
Pullup ticket #5797 - requested by taca
lang/php71: security fix

Revisions pulled up:
- lang/php/phpversion.mk                                        1.222
- lang/php71/Makefile                                           1.14-1.15
- lang/php71/Makefile.php                                       1.7-1.8
- lang/php71/distinfo                                           1.39-1.40
- lang/php71/patches/patch-disable-filter-url                   1.1

---
   Module Name:	pkgsrc
   Committed By:	maya
   Date:		Mon Jul 16 10:58:50 UTC 2018

   Modified Files:
   	pkgsrc/lang/php70: Makefile Makefile.php
   	pkgsrc/lang/php71: Makefile Makefile.php
   	pkgsrc/lang/php72: Makefile Makefile.php

   Log Message:
   php*: disable global regs on i386.
   Fixes PR pkg/53222 that resurfaced

   Remove the previous workaround to add GCC_REQD, which isn't sufficient
   any more, possibly due to enabling ssp/fortify?

   XXX bumping PKGREVISION might not be sufficient, for the same reason the
   GCC_REQD had to be moved to Makefile.php, it affects modules too.

---
   Module Name:	pkgsrc
   Committed By:	manu
   Date:		Wed Jul 18 07:33:12 UTC 2018

   Modified Files:
   	pkgsrc/lang/php56: Makefile.php distinfo
   	pkgsrc/lang/php70: Makefile.php distinfo
   	pkgsrc/lang/php71: Makefile.php distinfo
   	pkgsrc/lang/php72: Makefile.php distinfo
   Added Files:
   	pkgsrc/lang/php56/patches: patch-disable-filter-url
   	pkgsrc/lang/php70/patches: patch-disable-filter-url
   	pkgsrc/lang/php71/patches: patch-disable-filter-url
   	pkgsrc/lang/php72/patches: patch-disable-filter-url

   Log Message:
   Add pkgsrc build option disable-filter-url to disable php://filter URL

   php://filter URL is a feature documented here:
   http://php.net/manual/en/wrappers.php.php

   Unfortunately, it allows remote control of include() behavior
   beyond what many developpers expected, enabling easy dump of
   PHP source files. The administrator may want to disable the
   feature for security sake, and this option makes that possible.

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Fri Jul 20 13:23:47 UTC 2018

   Modified Files:
   	pkgsrc/lang/php: phpversion.mk
   	pkgsrc/lang/php71: Makefile distinfo

   Log Message:
   lang/php71: update to 7.1.20

   19 Jul 2018, PHP 7.1.20

   - Core:
     . Fixed bug #76534 (PHP hangs on 'illegal string offset on string references
       with an error handler). (Laruence)
     . Fixed bug #76502 (Chain of mixed exceptions and errors does not serialize
       properly). (Nikita)

   - Date:
     . Fixed bug #76462 (Undefined property: DateInterval::$f). (Anatol)

   - exif:
     . Fixed bug #76423 (Int Overflow lead to Heap OverFlow in
       exif_thumbnail_extract of exif.c). (Stas)
    . Fixed bug #76557 (heap-buffer-overflow (READ of size 48) while reading exif
       data). (Stas)

   - FPM:
     . Fixed bug #73342 (Vulnerability in php-fpm by changing stdin to
       non-blocking). (Nikita)

   - GMP:
     . Fixed bug #74670 (Integer Underflow when unserializing GMP and possible
       other classes). (Nikita)

   - intl:
     . Fixed bug #76556 (get_debug_info handler for BreakIterator shows wrong
       type). (cmb)

   - mbstring:
     . Fixed bug #76532 (Integer overflow and excessive memory usage
       in mb_strimwidth). (MarcusSchwarz)

   - PGSQL:
     . Fixed bug #76548 (pg_fetch_result did not fetch the next row). (Anatol)

   - phpdbg:
     . Fix arginfo wrt. optional/required parameters. (cmb)

   - Reflection:
     . Fixed bug #76536 (PHP crashes with core dump when throwing exception in
       error handler). (Laruence)
     . Fixed bug #75231 (ReflectionProperty#getValue() incorrectly works with
       inherited classes). (Nikita)

   - Standard:
     . Fixed bug #76505 (array_merge_recursive() is duplicating sub-array keys).
       (Laruence)
     . Fixed bug #71848 (getimagesize with $imageinfo returns false). (cmb)

   - Win32:
     . Fixed bug #76459 (windows linkinfo lacks openbasedir check). (Anatol)

Files:
RevisionActionfile
1.13.6.1modifypkgsrc/lang/php71/Makefile
1.6.10.1modifypkgsrc/lang/php71/Makefile.php
1.38.2.1modifypkgsrc/lang/php71/distinfo
1.1.2.2addpkgsrc/lang/php71/patches/patch-disable-filter-url