Diffstat (limited to 'php74.spec')
-rw-r--r--php74.spec71
1 files changed, 51 insertions, 20 deletions
diff --git a/php74.spec b/php74.spec
index 9b1f835..9d04fb6 100644
--- a/php74.spec
+++ b/php74.spec
@@ -24,17 +24,10 @@
%global mysql_sock %(mysql_config --socket 2>/dev/null || echo /var/lib/mysql/mysql.sock)
-%ifarch aarch64
-%global oraclever 19.25
-%global oraclemax 20
-%global oraclelib 19.1
-%global oracledir 19.25
-%else
-%global oraclever 23.7
+%global oraclever 23.8
%global oraclemax 24
%global oraclelib 23.1
%global oracledir 23
-%endif
# Build for LiteSpeed Web Server (LSAPI)
%global with_lsws 1
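Review bot: The new `%global oraclever 23.8` disagrees with the changelog added in this same commit, whose 7.4.33-23 entry says "use oracle client library version 23.7 on x86_64 and aarch64", and no entry records a move to 23.8. Since the OCI8 subpackage's BuildRequires uses `>= %{oraclever}`, this value sets the minimum Instant Client the package builds against, so the recorded version should match what is shipped. I would add `- use oracle client library version 23.8` to the 7.4.33-24 entry. Dropping the `%ifarch aarch64` branch also deserves a one-line comment here, such as `# Oracle Instant Client 23 is used on all architectures`, so the reason for removing the 19.x pin is visible in the spec.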
@@ -116,7 +109,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: %{upver}%{?rcver:~%{rcver}}
-Release: 22%{?dist}
+Release: 24%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -155,8 +148,6 @@ Source53: 20-ffi.ini
Patch1: php-7.4.0-httpd.patch
Patch5: php-7.2.0-includedir.patch
Patch6: php-7.4.0-embed.patch
-# For libxml 2.12 from 8.1
-Patch7: php-7.4.33-libxml212.patch
Patch8: php-7.2.0-libdb.patch
Patch10: php-7.4.33-gcc14.patch
# For recent ICU from 8.2
@@ -206,6 +197,14 @@ Patch216: php-cve-2024-8932.patch
Patch217: php-cve-2024-11233.patch
Patch218: php-ghsa-4w77-75f9-2c8w.patch
Patch219: php-cve-2024-8929.patch
+Patch220: php-cve-2025-1217.patch
+Patch221: php-cve-2025-1734.patch
+Patch222: php-cve-2025-1861.patch
+Patch223: php-cve-2025-1736.patch
+Patch224: php-cve-2025-1219.patch
+Patch225: php-cve-2025-6491.patch
+Patch226: php-cve-2025-1220.patch
+Patch227: php-cve-2025-1735.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
@@ -214,6 +213,8 @@ Patch300: php-7.0.10-datetests.patch
Patch301: php-7.4.33-tests.patch
# For zlib-ng
Patch302: php-7.4.33-zlib-tests.patch
+# for pcre2 10.45
+Patch303: php-7.4.33-pcretests.patch
# WIP
@@ -755,14 +756,7 @@ Summary: A module for PHP applications that use OCI8 databases
Group: Development/Languages
# All files licensed under PHP version 3.01
License: PHP
-%ifarch aarch64
-BuildRequires: oracle-instantclient%{oraclever}-devel
-# Should requires libclntsh.so.19.1()(aarch-64), but it's not provided by Oracle RPM.
-Requires: libclntsh.so.%{oraclelib}
-AutoReq: 0
-%else
BuildRequires: (oracle-instantclient-devel >= %{oraclever} with oracle-instantclient-devel < %{oraclemax})
-%endif
Requires: php-pdo%{?_isa} = %{version}-%{release}
Provides: php_database
Provides: php-pdo_oci
@@ -1194,10 +1188,9 @@ in pure PHP.
%patch -P1 -p1 -b .mpmcheck
%patch -P5 -p1 -b .includedir
%patch -P6 -p1 -b .embed
-%patch -P7 -p1 -b .libxml212
%patch -P8 -p1 -b .libdb
%patch -P10 -p1 -b .gcc14
-%patch -P11 -p1 -b .icu
+%patch -P11 -p1 -b .icu74
%patch -P12 -p1 -b .proto
%patch -P42 -p1 -b .systzdata
@@ -1236,11 +1229,20 @@ rm ext/openssl/tests/p12_with_extra_certs.p12
%patch -P217 -p1 -b .cve11233
%patch -P218 -p1 -b .ghsa4w77
%patch -P219 -p1 -b .cve8929
+%patch -P220 -p1 -b .cve1217
+%patch -P221 -p1 -b .cve1734
+%patch -P222 -p1 -b .cve1861
+%patch -P223 -p1 -b .cve1736
+%patch -P224 -p1 -b .cve1219
+%patch -P225 -p1 -b .cve6491
+%patch -P226 -p1 -b .cve1220
+%patch -P227 -p1 -b .cve1735
# Fixes for tests related to tzdata
%patch -P300 -p1 -b .datetests
%patch -P301 -p1 -b .tests
%patch -P302 -p1 -b .zlibng
+%patch -P303 -p1 -b .pcretests
# WIP patch
@@ -1282,6 +1284,13 @@ rm Zend/tests/bug68412.phpt
rm sapi/cli/tests/upload_2G.phpt
# tar issue
rm ext/zlib/tests/004-mb.phpt
+# Known to fail
+%if 0%{?rhel} == 8
+rm ext/openssl/tests/openssl_error_string_basic.phpt
+rm ext/openssl/tests/openssl_open_basic.phpt
+%endif
+rm ext/openssl/tests/openssl_private_decrypt_basic.phpt
+rm ext/openssl/tests/openssl_x509_parse_basic.phpt
# avoid issue when 2 builds run simultaneously (keep 64321 for the SCL)
%ifarch x86_64
sed -e 's/64321/64322/' -i ext/openssl/tests/*.phpt
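Review bot: The comment `# Known to fail` does not say why four OpenSSL tests are deleted. Only two of them sit inside the `%if 0%{?rhel} == 8` guard; `openssl_private_decrypt_basic.phpt` and `openssl_x509_parse_basic.phpt` are removed on every target. These cover private-key decryption and certificate parsing, so once they are gone a regression from the backported CVE patches or from a changed system OpenSSL would pass the build unnoticed on this unmaintained 7.4 branch. I would record the cause and the affected environment next to each removal, for example `# fails with <system OpenSSL version / reason>, see <tracker reference>`. If the failure is distribution-specific, the two unconditional `rm` lines should be scoped with a condition like the RHEL 8 pair. The surrounding `%prep` section continues outside this hunk.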
@@ -2255,8 +2264,30 @@ EOF
%changelog
+* Thu Jul 3 2025 Remi Collet <remi@remirepo.net> - 7.4.33-24
+- Fix pgsql extension does not check for errors during escaping
+ CVE-2025-1735
+- Fix NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix
+ CVE-2025-6491
+- Fix Null byte termination in hostnames
+ CVE-2025-1220
+
+* Mon Mar 17 2025 Remi Collet <remi@remirepo.net> - 7.4.33-23
+- Fix libxml streams use wrong `content-type` header when requesting a redirected resource
+ CVE-2025-1219
+- Fix Stream HTTP wrapper header check might omit basic auth header
+ CVE-2025-1736
+- Fix Stream HTTP wrapper truncate redirect location to 1024 bytes
+ CVE-2025-1861
+- Fix Streams HTTP wrapper does not fail for headers without colon
+ CVE-2025-1734
+- Fix Header parser of `http` stream wrapper does not handle folded headers
+ CVE-2025-1217
+- use oracle client library version 23.7 on x86_64 and aarch64
+
* Thu Feb 13 2025 Remi Collet <remi@remirepo.net> - 7.4.33-22
- backport fix for ICU 74+
+- backport fix strict prototypes
* Wed Nov 27 2024 Remi Collet <remi@remirepo.net> - 7.4.33-21
- Fix Leak partial content of the heap through heap buffer over-read