Accepted hhvm 3.12.11+dfsg-1 (source) into unstable
Format: 1.8
Date: Sun, 18 Dec 2016 02:13:55 +0200
Source: hhvm
Binary: hhvm hhvm-dbg hhvm-dev
Architecture: source
Version: 3.12.11+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian HHVM packaging team <pkg-hhvm-team@lists.alioth.debian.org>
Changed-By: Faidon Liambotis <paravoid@debian.org>
Description:
 hhvm       - HipHop Virtual Machine, a JIT replacement for PHP - main runtime
 hhvm-dbg   - HipHop Virtual Machine, a JIT replacement for PHP - debugging sym
 hhvm-dev   - HipHop Virtual Machine, a JIT replacement for PHP - development f
Closes: 812023 825077 828340 835032 839303 843281 843439 845852
Changes:
 hhvm (3.12.11+dfsg-1) unstable; urgency=medium
 .
   [ Moritz Muehlenhoff ]
   * New upstream LTS releases, addressing multiple security issues.
     (Closes: #835032)
     From 3.12.2:
      - CVE-2015-8865 - Buffer overwrite in finfo_open with malformed magic
      - Integer overflow in iptcembed
      - CVE-2016-3074 - Fix signedness issue in libgd
      - CVE-2014-9709 - Fix a possible buffer read overflow in gd_gif_in.cpp
      - Prevent a potential nullptr dereference in ext_xsl
      - Don't segfault if you try to remove the last autoloader while
        adding a new one
      - CVE-2016-1903 - imagerotate information leak
      - FILTER_FLAG_STRIP_BACKTICK was being ignored unless other flags
        are set
      - CVE-2016-4539 - Fix a segfault in xml_parse_into_struct
      - Fix a potential null dereference in ZipArchive::extractTo
      - CVE-2016-4070 - Integer Overflow in php_raw_url_encode
     From 3.12.3:
      - CVE-2016-1000004 - Type safety in simplexml import routines
      - CVE-2016-1000004 - Fix param types for mcrypt_get_block_size()
        to match PHP
      - CVE-2016-1000006 - Fix use-after-free in
        serialize_memoize_param() and ResourceBundle::__construct()
      - CVE-2016-6870 - Use req::strndup in php_mb_parse_encoding_list to
        prevent oob memory write.
      - HHVM-2016-11781481 - Fix nullptr dereference in
        f_mysqli_stmt_bind{param,result}
      - HHVM-2016-11791940 - Avoid invalid array access in JSON_decode()
      - PHP-2016-0072337 - Fix a segfault with invalid dimensions and
        imagescale out of bounds read in ext_gd
     From 3.12.5:
      - CVE-2016-1000109: Ignore Proxy HTTP header from fastcgi requests
     From 3.12.6:
      - CVE-2016-6871 - Fix buffer overrun due to integer overflow in bcmath
      - CVE-2016-6872 - Fix integer overflow in StringUtil::implode
      - CVE-2016-6873 - Fix self recursion in compact
      - CVE-2016-6874 - Fix recursion checks in array_*_recursive
      - CVE-2016-6875 - Fix infinite recursion in wddx
      - PHP-2015-0070345 - [HHVM][Security] 0003 pcre preg bug 70345
     From 3.12.8:
      - ext_gd: exif_process_IFD_TAG: Use the right offset if reading from
        stream
      - Fix some color related crashes in libgd
      - Don't allow smart_str to overflow int
      - Integer overflow in _gd2GetHeader
      - Fix objprof refcounting
      - Fix buffer overruns in mb_send_mail
      - Integer overflow in gdImagePaletteToTrueColor
      - Null pointer dereference in _gdScaleVert
      - pass2_no_dither out-of-bounds access
     From 3.12.9:
      - Fix off-by-one index check in ThreadSafeLocaleHandler::actuallySetLocale
      - Prevent an integer overflow in _gdContributionsAlloc
      - Fix a potential overflow in tsrm_virtual_file_ex
      - Invalid transparent index can result in OOB read or write
      - Do not treat negative return values from bz2 as size_t
      - Fix OOB read in exif_process_IFD_in_MAKERNOTE
      - Prevent an OOB access in locale_accept_from_http
      - Avoid possible OOB using imagegif
      - Disable bad zend test
      - Add an option to explicitly disable NUMA support.
     From 3.12.10:
      - Fix a bug in StringUtil::Explode
      - Fix a couple of bugs in libgd
     From 3.12.11:
      - Prevent integer overflow in gdImageWebpCtx
      - Check depth values in json_decode
      - Prevent negative gamma values being passed to imagegammacorrect
      - Fix crypt with over-long salts
      - Memory leak in exif_process_IFD_in_TIFF
      - 9da Fix getimagesize returning FALSE on valid jpg
 .
   [ Faidon Liambotis ]
   * Build against libmysqlclient, not libmysqlclient_r. Thanks to Robie Basak
     for the bug report and patch. (Closes: #825077)
   * Build-Depend on default-libmysqlclient-dev instead of libmysqlclient-dev.
     (Closes: #845852)
   * Add /bin/sh shebangs on maintainer scripts. (Closes: #843281)
   * Remove update-alternatives --remove from postrm, already included in prerm
     (and also causes a lintian warning).
   * Remove David Martínez Moreno from the Uploaders, at the request of the MIA
     team. (Closes: #843439)
   * Fix FTBFS with GCC 6, by backporting an upstream fix. (Closes: #812023)
   * Pass -fno-PIE/-no-pie to gcc to prevent a linking error with GCC 6's new
     configuration (--enable-default-pie) in combination with HHVM's
     hand-crafted assembly (translator-asm-helpers.S).
   * Build-Depend on libssl1.0-dev, as HHVM is not ready for OpenSSL 1.1.0 yet.
     (Closes: #828340)
   * Remove Build-Depends on libc-client2007e-dev and thus disable the IMAP
     extension. libc-client2007e-dev depends on libssl-dev 1.1.0, which
     conflicts with libssl1.0-dev and is thus impossible to satisfy.
   * Disable Folly's Fibers, as the current version is incompatible with Boost
     1.61 and thus FTBFS. The incompatibility has been fixed upstream but is
     too intrusive to backport, thus disable the functionality entirely.
     (Closes: #839303)
   * Temporarily disable the mcrouter extension as it requires Folly Fibers,
     that were disabled in this version (see above).
   * Backport an upstream fix to address an ICU Collation sort key
     incompatibility with PHP.
   * Backport an upstream fix to address a segfault when bzip2 and XMLReader
     are being used together.
   * Backport an upstream fix to address inconsistent regexp results when
     running with a newer PCRE version (8.38 instead of 8.32).
   * Disable test pcre_limit.php which now fails for unknown reasons;
     upstream seemingly has disabled the test as well for a while with no ill
     effects.
   * Add a Documentation line to the systemd service file.
   * Bump Standards-Version to 3.9.8, no changes needed.
Checksums-Sha1:
 748ed1098f7f990bad37b5e7a2b48e9e3a12ef06 2927 hhvm_3.12.11+dfsg-1.dsc
 21b4b84d038a866bd2f8cea8aca095778aa77fb2 19565736 hhvm_3.12.11+dfsg.orig.tar.xz
 e098c335c7bd718afda4d39df94223eb273a8745 33224 hhvm_3.12.11+dfsg-1.debian.tar.xz
Checksums-Sha256:
 8c7a9cecd3eb1f02330d104ae1c201509a4bbca90d73164d0fb125136633bb88 2927 hhvm_3.12.11+dfsg-1.dsc
 984f8f90ca31b87bbbf3808d5668e931e312c010adc0c989b3c18510206083c4 19565736 hhvm_3.12.11+dfsg.orig.tar.xz
 d096e5e6e7ebae32634c2a5c28c4dc447c8c605253ef83e45aebddc3daf46611 33224 hhvm_3.12.11+dfsg-1.debian.tar.xz
Files:
 2a88009ef274daf38a9d94b2095cb559 2927 php optional hhvm_3.12.11+dfsg-1.dsc
 4afb0cc4ce02240985b8f37110f9fd0a 19565736 php optional hhvm_3.12.11+dfsg.orig.tar.xz
 172ed92db912629c3e26b66a05ca20fa 33224 php optional hhvm_3.12.11+dfsg-1.debian.tar.xz