Subject: CVS commit: pkgsrc/lang
From: Takahiro Kambe
Date: 2024-06-07 15:57:24
Message id: 20240607135724.94A51FC74@cvs.NetBSD.org

Log Message:
lang/php83: update to 8.3.8

pkgsrc change:

Instead of patching configure, patch m4 files and use autoconf to generate
configure.

PHP 8.3.8 (2024-06-06)

- CGI:
  . Fixed buffer limit on Windows, replacing read call usage by _read.
    (David Carlier)
  . Fixed bug GHSA-3qgc-jrrr-25jv (Bypass of CVE-2012-1823, Argument Injection
    in PHP-CGI). (CVE-2024-4577) (nielsdos)

- CLI:
  . Fixed bug GH-14189 (PHP Interactive shell input state incorrectly handles
    quoted heredoc literals.). (nielsdos)

- Core:
  . Fixed bug GH-13970 (Incorrect validation of #[Attribute] flags type for
    non-compile-time expressions). (ilutov)

- DOM:
  . Fix crashes when entity declaration is removed while still having entity
    references. (nielsdos)
  . Fix references not handled correctly in C14N. (nielsdos)
  . Fix crash when calling childNodes next() when iterator is exhausted.
    (nielsdos)
  . Fix crash in ParentNode::append() when dealing with a fragment
    containing text nodes. (nielsdos)

- Filter:
  . Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL).
    (CVE-2024-5458) (nielsdos)

- FPM:
  . Fix bug GH-14175 (Show decimal number instead of scientific notation in
    systemd status). (Benjamin Cremer)

- Hash:
  . ext/hash: Swap the checking order of `__has_builtin` and `__GNUC__`
    (Saki Takamachi)

- Intl:
  . Fixed build regression on systems without C++17 compilers. (Calvin Buckley,
    Peter Kokot)

- MySQLnd:
  . Fix bug GH-14255 (mysqli_fetch_assoc reports error from
    nested query). (Kamil Tekiela)

- Opcache:
  . Fixed bug GH-14109 (Fix accidental persisting of internal class constant in
    shm). (ilutov)

- OpenSSL:
  . The openssl_private_decrypt function in PHP, when using PKCS1 padding
    (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack
    unless it is used with an OpenSSL version that includes the changes from this pull
    request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection).
    These changes are part of OpenSSL 3.2 and have also been backported to stable
    versions of various Linux distributions, as well as to the PHP builds provided for
    Windows since the previous release. All distributors and builders should ensure that
    this version is used to prevent PHP from being vulnerable. (CVE-2024-2408)

- Standard:
  . Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874).
    (CVE-2024-5585) (nielsdos)

- XML:
  . Fixed bug GH-14124 (Segmentation fault with XML extension under certain
    memory limit). (nielsdos)

- XMLReader:
  . Fixed bug GH-14183 (XMLReader::open() can't be overridden). (nielsdos)

Files:
Revision  Action  File
1.3       modify  pkgsrc/lang/php83/Makefile
1.8       modify  pkgsrc/lang/php83/distinfo
1.1       add     pkgsrc/lang/php83/patches/patch-build_php.m4
1.1       add     pkgsrc/lang/php83/patches/patch-sapi_apache2handler_config.m4
1.5       remove  pkgsrc/lang/php83/patches/patch-configure