summaryrefslogtreecommitdiffstats
path: root/php.spec
diff options
context:
space:
mode:
Diffstat (limited to 'php.spec')
-rw-r--r--php.spec152
1 files changed, 137 insertions, 15 deletions
diff --git a/php.spec b/php.spec
index 5f07455..da48921 100644
--- a/php.spec
+++ b/php.spec
@@ -56,10 +56,19 @@
%global mysql_sock %(mysql_config --socket 2>/dev/null || echo /var/lib/mysql/mysql.sock)
%if 0%{?rhel} == 6
+%ifarch x86_64
+%global oraclever 18.5
+%else
%global oraclever 18.3
+%endif
%global oraclelib 18.1
+
+%else
+%ifarch x86_64
+%global oraclever 19.8
%else
-%global oraclever 19.3
+%global oraclever 19.6
+%endif
%global oraclelib 19.1
%endif
@@ -77,12 +86,7 @@
# Optional components; pass "--with mssql" etc to rpmbuild.
%global with_oci8 %{?_with_oci8:1}%{!?_with_oci8:0}
%global with_imap 1
-# until firebird available in EPEL
-%if 0%{?rhel} == 8
-%global with_interbase 0
-%else
%global with_interbase 1
-%endif
%global with_mcrypt 1
%global with_freetds 1
%global with_tidy 1
@@ -137,7 +141,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: %{upver}%{?rcver:~%{rcver}}
-Release: 13%{?dist}
+Release: 23%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -198,7 +202,6 @@ Patch91: php-5.6.3-oci8conf.patch
# Upstream fixes (100+)
Patch100: https://github.com/php/php-src/commit/be50a72715c141befe6f34ece660745da894aaf3.patch
Patch101: https://github.com/php/php-src/commit/2ef8809ef3beb5f58b81dcff49bdcde4d2cb8426.patch
-Patch102: php-openssl-cert.patch
Patch103: php-bug76846.patch
# Security fixes (200+)
@@ -229,12 +232,34 @@ Patch223: php-bug78256.patch
Patch224: php-bug77919.patch
Patch225: php-bug75457.patch
Patch226: php-bug78380.patch
+Patch227: php-bug78599.patch
+Patch228: php-bug78878.patch
+Patch229: php-bug78862.patch
+Patch230: php-bug78863.patch
+Patch231: php-bug78793.patch
+Patch232: php-bug78910.patch
+Patch233: php-bug79099.patch
+Patch234: php-bug79037.patch
+Patch235: php-bug77569.patch
+Patch236: php-bug79221.patch
+Patch237: php-bug79082.patch
+Patch238: php-bug79282.patch
+Patch239: php-bug79329.patch
+Patch240: php-bug79330.patch
+Patch241: php-bug79465.patch
+Patch242: php-bug78875.patch
+Patch243: php-bug78876.patch
+Patch244: php-bug79797.patch
+Patch245: php-bug79877.patch
+Patch246: php-bug79699.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
Patch300: php-7.0.10-datetests.patch
# Revert changes for pcre < 8.34
Patch301: php-7.0.0-oldpcre.patch
+# Renew openssl certs
+Patch302: php-openssl-cert.patch
# WIP
@@ -945,7 +970,7 @@ support for JavaScript Object Notation (JSON) to PHP.
%if 0%{?rhel}
%patch9 -p1 -b .curltls
%endif
-%if 0%{?fedora} >= 29 || 0%{?rhel} >= 8
+%if 0%{?fedora} >= 29 || 0%{?rhel} >= 7
%patch10 -p1 -b .icu62
%endif
@@ -966,7 +991,6 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in
# upstream patches
%patch100 -p1 -b .up1
%patch101 -p1 -b .up2
-%patch102 -p1 -b .up3
%patch103 -p1 -b .bug76846
# security patches
@@ -997,6 +1021,26 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in
%patch224 -p1 -b .bug77919
%patch225 -p1 -b .bug75457
%patch226 -p1 -b .bug78380
+%patch227 -p1 -b .bug78599
+%patch228 -p1 -b .bug78878
+%patch229 -p1 -b .bug78862
+%patch230 -p1 -b .bug78863
+%patch231 -p1 -b .bug78793
+%patch232 -p1 -b .bug78910
+%patch233 -p1 -b .bug79099
+%patch234 -p1 -b .bug79037
+%patch235 -p1 -b .bug77569
+%patch236 -p1 -b .bug79221
+%patch237 -p1 -b .bug79082
+%patch238 -p1 -b .bug79282
+%patch239 -p1 -b .bug79329
+%patch240 -p1 -b .bug79330
+%patch241 -p1 -b .bug79465
+%patch242 -p1 -b .bug78875
+%patch243 -p1 -b .bug78876
+%patch244 -p1 -b .bug79797
+%patch245 -p1 -b .bug79877
+%patch246 -p1 -b .bug79699
: ---------------------------
#exit 1
@@ -1008,6 +1052,9 @@ if ! pkg-config libpcre --atleast-version 8.34 ; then
%patch301 -p1 -b .pcre834
fi
%endif
+# New openssl certs
+%patch302 -p1 -b .renewcert
+rm ext/openssl/tests/bug65538_003.phpt
# WIP patch
@@ -1145,6 +1192,12 @@ exit 1
%build
+# This package fails to build with LTO due to undefined symbols. LTO
+# was disabled in OpenSuSE as well, but with no real explanation why
+# beyond the undefined symbols. It really shold be investigated further.
+# Disable LTO
+%define _lto_cflags %{nil}
+
# aclocal workaround - to be improved
cat $(aclocal --print-ac-dir)/{libtool,ltoptions,ltsugar,ltversion,lt~obsolete}.m4 >>aclocal.m4
@@ -1389,6 +1442,7 @@ cd build-apache
# Run tests, using the CLI SAPI
export NO_INTERACTION=1 REPORT_EXIT_STATUS=1 MALLOC_CHECK_=2
export SKIP_ONLINE_TESTS=1
+export SKIP_SLOW_TESTS=1
unset TZ LANG LC_ALL
if ! make test; then
set +x
@@ -1761,13 +1815,9 @@ cat << EOF
WARNING : PHP 7.0 have reached its "End of Life" in
December 2018. Even, if this package includes some of
- the important security fix, backported from 7.1, the
+ the important security fix, backported from 7.2, the
UPGRADE to a maintained version is very strongly RECOMMENDED.
-%if %{?fedora}%{!?fedora:99} < 28
- WARNING : Fedora %{fedora} is now EOL :
- You should consider upgrading to a supported release
-%endif
=====================================================================
EOF
@@ -1949,6 +1999,78 @@ EOF
%changelog
+* Tue Sep 29 2020 Remi Collet <remi@remirepo.net> - 7.0.33-23
+- Core:
+ Fix #79699 PHP parses encoded cookie names so malicious `__Host-` cookies can be sent
+ CVE-2020-7070
+
+* Tue Aug 4 2020 Remi Collet <remi@remirepo.net> - 7.0.33-22
+- Core:
+ Fix #79877 getimagesize function silently truncates after a null byte
+- Phar:
+ Fix #79797 use of freed hash key in the phar_parse_zipfile function
+ CVE-2020-7068
+
+* Tue May 12 2020 Remi Collet <remi@remirepo.net> - 7.0.33-21
+- Core:
+ Fix #78875 Long filenames cause OOM and temp files are not cleaned
+ CVE-2019-11048
+ Fix #78876 Long variables in multipart/form-data cause OOM and temp
+ files are not cleaned
+
+* Tue Apr 14 2020 Remi Collet <remi@remirepo.net> - 7.0.33-20
+- standard:
+ Fix #79330 shell_exec silently truncates after a null byte
+ Fix #79465 OOB Read in urldecode
+ CVE-2020-7067
+
+* Tue Mar 17 2020 Remi Collet <remi@remirepo.net> - 7.0.33-19
+- standard:
+ Fix #79329 get_headers() silently truncates after a null byte
+ CVE-2020-7066
+- exif:
+ Fix #79282 Use-of-uninitialized-value in exif
+ CVE-2020-7064
+- use oracle client library version 19.6 (18.5 on EL-6)
+
+* Tue Feb 18 2020 Remi Collet <remi@remirepo.net> - 7.0.33-18
+- dom:
+ Fix #77569 Write Access Violation in DomImplementation
+- phar:
+ Fix #79082 Files added to tar with Phar::buildFromIterator have all-access permissions
+ CVE-2020-7063
+- session:
+ Fix #79221 Null Pointer Dereference in PHP Session Upload Progress
+ CVE-2020-7062
+
+* Thu Jan 23 2020 Remi Collet <remi@remirepo.net> - 7.0.33-17
+- mbstring:
+ Fix #79037 global buffer-overflow in mbfl_filt_conv_big5_wchar
+ CVE-2020-7060
+- standard:
+ Fix #79099 OOB read in php_strip_tags_ex
+ CVE-2020-7059
+
+* Tue Dec 17 2019 Remi Collet <remi@remirepo.net> - 7.0.33-15
+- bcmath:
+ Fix #78878 Buffer underflow in bc_shift_addsub
+ CVE-2019-11046
+- core:
+ Fix #78862 link() silently truncates after a null byte on Windows
+ CVE-2019-11044
+ Fix #78863 DirectoryIterator class silently truncates after a null byte
+ CVE-2019-11045
+- exif
+ Fix #78793 Use-after-free in exif parsing under memory sanitizer
+ CVE-2019-11050
+ Fix #78910 Heap-buffer-overflow READ in exif
+ CVE-2019-11047
+- use oracle client library version 19.5 (18.5 on EL-6)
+
+* Tue Oct 22 2019 Remi Collet <remi@remirepo.net> - 7.0.33-14
+- FPM:
+ Fix CVE-2019-11043 env_path_info underflow in fpm_main.c
+
* Wed Aug 28 2019 Remi Collet <remi@remirepo.net> - 7.0.33-13
- mbstring:
Fix CVE-2019-13224 don't allow different encodings for onig_new_deluxe