Branches for Saucy

Author: Robie Basak
Revision Date: 2013-07-15 14:09:59 UTC

* Merge from Debian unstable. Remaining changes:
  - d/control: drop Build-Depends that are in universe: firebird-dev,
    libc-client-dev, libmcrypt-dev, libonig-dev, libqdbm-dev.
  - d/rules: drop configuration of packages that are in universe: qdgm,
    onig.
  - d/rules: drop CONFIGURE_APACHE_ARGS settings since now we don't build
    interbase or firebird.
  - d/rules: export DEB_HOST_MULTIARCH properly.
  - d/control: drop binary packages php5-imap, php5-interbase and
    php5-mcrypt since we have separate versions in universe.
  - d/modulelist: drop imap, interbase and mcrypt since we have separate
    versions in universe.
  - d/rules: drop configuration of imap and mcrypt since we have separate
    versions in universe.
  - d/source_php5.py, d/rules: add apport hook.
  - d/rules: stop mysql instance on clean just in case we failed in tests.
  - d/control, d/rules: re-enable libedit-dev.
* Remaining changes that were previously undocumented:
  - d/control: switch Build-Depends of netcat-traditional to netcat-openbsd
    as only the latter is in main.
* Drop changes:
  - Add build-dependency on lemon, which we now need. This is evidently no
    longer required, since there is no sign of it being used in
    5.4.15-1ubuntu3.
  - Dropped libcurl-dev not in the archive. libcurl-dev is a virtual
    alternative, so doesn't need to be dropped.
  - debian/control: replace build-depends on mysql-server with
    mysql-server-core-5.5 and mysql-client-5.5 to avoid upstart and
    mysql-server-5.5 postinst confusion with starting up multiple
    mysqlds listening on the same port. The test infrastructure in packaging
    has changed, and now breaks without the mysql-server-5.5 postinst having
    run and created the mysql user. However, it also finds an available port
    itself so no longer conflicts with our mysql-server-5.5 postinst.
  - Patches included upstream:
    + debian/patches/CVE-2013-2110.patch
    + debian/patches/fix_gd_210.patch
    + debian/patches/CVE-2013-4635.patch
    + debian/patches/CVE-2013-4636.patch
* Drop changes that were previously undocumented:
  - d/rules: adjust memory limits in .ini files. It appears that this was
    intended to be dropped back in 5.4.6-1ubuntu1, going by the old
    changelog entry.
  - d/rules: adjust openssl path in configure script. PHP still appears to
    configure, detect and build openssl-related components correctly
    regardless.
  - d/rules: disable parallel builds. There is no previous explanation as to
    why this was disabled, and having this in place is standard practice and
    in the Debian packaging.
  - d/rules: adjust PHP5_{HOST,BUILD}_GNU_TYPE. There is no previous
    explanation as to why this was present, and I can't find any regression
    that would be fixed by this change.
* New changes:
  - d/rules, d/control: drop use of dh_systemd as it is in universe.
  - d/control: relegate php5-json from Recommends to Suggests as it is in
    universe.

Author: Marc Deslauriers
Revision Date: 2013-06-28 08:20:11 UTC

* SECURITY UPDATE: denial of service via overflow in SdnToJewish
  - debian/patches/CVE-2013-4635.patch: check value in
    ext/calendar/jewish.c, add test to
    ext/calendar/tests/jdtojewish64.phpt.
  - CVE-2013-4635
* SECURITY UPDATE: denial of service via incorrect MIME type detection
  - debian/patches/CVE-2013-4636.patch: use efree in
    ext/fileinfo/libmagic/softmagic.c.
  - CVE-2013-4636