![[BACK]](/icons/back.gif){kind=icon}
Up to [cvs.NetBSD.org] / pkgsrc / security / php-suhosin
Request diff between arbitrary revisions
Default branch: MAIN
Revision 1.15 / (download) - annotate - [select for diffs], Sun Jan 26 17:32:06 2020 UTC (3 years, 4 months ago) by rillig
Branch: MAIN
CVS Tags: pkgsrc-2023Q1-base,
pkgsrc-2023Q1,
pkgsrc-2022Q4-base,
pkgsrc-2022Q4,
pkgsrc-2022Q3-base,
pkgsrc-2022Q3,
pkgsrc-2022Q2-base,
pkgsrc-2022Q2,
pkgsrc-2022Q1-base,
pkgsrc-2022Q1,
pkgsrc-2021Q4-base,
pkgsrc-2021Q4,
pkgsrc-2021Q3-base,
pkgsrc-2021Q3,
pkgsrc-2021Q2-base,
pkgsrc-2021Q2,
pkgsrc-2021Q1-base,
pkgsrc-2021Q1,
pkgsrc-2020Q4-base,
pkgsrc-2020Q4,
pkgsrc-2020Q3-base,
pkgsrc-2020Q3,
pkgsrc-2020Q2-base,
pkgsrc-2020Q2,
pkgsrc-2020Q1-base,
pkgsrc-2020Q1,
HEAD
Changes since 1.14: +2 -2
lines
Diff to previous 1.14 (colored)
all: migrate homepages from http to https pkglint -r --network --only "migrate" As a side-effect of migrating the homepages, pkglint also fixed a few indentations in unrelated lines. These and the new homepages have been checked manually.
Revision 1.14 / (download) - annotate - [select for diffs], Sun Sep 11 17:03:27 2016 UTC (6 years, 8 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2019Q4-base,
pkgsrc-2019Q4,
pkgsrc-2019Q3-base,
pkgsrc-2019Q3,
pkgsrc-2019Q2-base,
pkgsrc-2019Q2,
pkgsrc-2019Q1-base,
pkgsrc-2019Q1,
pkgsrc-2018Q4-base,
pkgsrc-2018Q4,
pkgsrc-2018Q3-base,
pkgsrc-2018Q3,
pkgsrc-2018Q2-base,
pkgsrc-2018Q2,
pkgsrc-2018Q1-base,
pkgsrc-2018Q1,
pkgsrc-2017Q4-base,
pkgsrc-2017Q4,
pkgsrc-2017Q3-base,
pkgsrc-2017Q3,
pkgsrc-2017Q2-base,
pkgsrc-2017Q2,
pkgsrc-2017Q1-base,
pkgsrc-2017Q1,
pkgsrc-2016Q4-base,
pkgsrc-2016Q4,
pkgsrc-2016Q3-base,
pkgsrc-2016Q3
Changes since 1.13: +2 -2
lines
Diff to previous 1.13 (colored)
Drop "55" (php55) from PHP_VERSIONS_ACCEPTED.
Revision 1.13 / (download) - annotate - [select for diffs], Sat Dec 19 14:27:14 2015 UTC (7 years, 5 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2016Q2-base,
pkgsrc-2016Q2,
pkgsrc-2016Q1-base,
pkgsrc-2016Q1,
pkgsrc-2015Q4-base,
pkgsrc-2015Q4
Changes since 1.12: +3 -1
lines
Diff to previous 1.12 (colored)
Restrict PHP_VERSIONS_ACCEPTED to 55 and 56.
Revision 1.12 / (download) - annotate - [select for diffs], Sun Aug 30 14:54:49 2015 UTC (7 years, 9 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2015Q3-base,
pkgsrc-2015Q3
Changes since 1.11: +3 -2
lines
Diff to previous 1.11 (colored)
Update php-suhosin to 0.9.38.
2015-05-21 - 0.9.38
- removed code compatibility for PHP <5.4 (lots of code + ifdefs)
- allow https location for suhosin.filter.action
- fixed newline detection for suhosin.mail.protect
- Added suhosin.upload.max_newlines to protect againt DOS attack via many
MIME headers in RFC1867 uploads (CVE-2015-4024)
- mail related test cases now work on linux
Revision 1.11 / (download) - annotate - [select for diffs], Sun Mar 15 00:35:14 2015 UTC (8 years, 2 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2015Q2-base,
pkgsrc-2015Q2,
pkgsrc-2015Q1-base,
pkgsrc-2015Q1
Changes since 1.10: +6 -13
lines
Diff to previous 1.10 (colored)
Update php-suhosin to 0.9.37.1
* support for PHP 5.3 was dropped.
2014-12-12 - 0.9.37.1
- Changed version string to 0.9.37.1 (without -dev)
- Relaxed array index blacklist (removed '-') due to wordpress incompatibility
2014-12-03 - 0.9.37
- Added SQL injection protection for Mysqli and several test cases
- Added wildcard matching for SQL username
- Added check for SQL username to only contain valid characters (>= ASCII 32)
- Test cases for user_prefix and user_postfix
- Added experimental PDO support
- SQL checks other than mysql (Mysqli + old-style) must be enabled with
configure --enable-suhosin-experimental, e.g. MSSQL.
- disallow_ws now matches all single-byte whitespace characters
- remove_binary and disallow_binary now optionally allow UTF-8.
- Introduced suhosin.upload.allow_utf8 (experimental)
- Reimplemented suhosin_get_raw_cookies()
- Fixed potential segfault for disable_display_errors=fail (only on ARM)
- Fixed potential NULL-pointer dereference with func.blacklist and logging
- Logging timestamps are localtime instead of gmt now (thanks to mkrokos)
- Added new array index filter (character whitelist/blacklist)
- Set default array index blacklist to '"+-<>;()
- Added option to suppress date/time for suhosin file logging (suhosin.log.file.time=0)
- Added simple script to create binary Debian package
- Fixed additional recursion problems with session handler
- Suhosin now depends on php_session.h instead of version-specific struct code
2014-06-10 - 0.9.36
- Added better handling of non existing/non executable shell scripts
- Added protection against XSS/SQL/Other Injections through User-Agent HTTP header
- Fix variable logging statistics outputting on every include - ticket: #37
- Added more entropy from /dev/urandom to internal random seeding (64 bit => 256 bit)
- Added non initialized stack variables to random seeding
- Added php_win32_get_random_bytes for windows compatibility in random seeding
- Added suhosin.rand.seedingkey for INI supplied additional entropy string (idea DavisNT)
- Added suhosin.rand.reseed_every_request to allow reseeding on every request (idea DavisNT)
- Changed that calls to srand() / mt_srand() will trigger auto reseeding (idea DavisNT)
- Fixed problems with SessionHandler() class and endless recursions
- Added LICENSE file to make distributions happy
2014-02-24 - 0.9.35
- From now only PHP >= 5.4 is officially supported
- Fix problems with the hard memory_limit on 64 bit systems
- Fix problems with user space session handler due to change in PHP 5.4.0
- Add changes in PHP 5.5 session handlers structures for PHP 5.5 compability
- Fix std post handler for PHP >= 5.3.11
- Fix suhosin logo in phpinfo() for PHP 5.5
- Change fileupload handling for PHP >= 5.4.0 to use an up to date RFC1867 replacement code
- Adapted suhosin to PHP 5.5 executor
- Added some test cases for various things
- Added suhosin.log.stdout to log to stdout (for debugging purposes only)
- Add ini_set() fail mode to suhosin.disable.display_errors
- Fix suhosin.get/post/cookie.max_totalname_length filter
- Refactor array index handling in filter to make it work always
- Added support for PHP 5.6.0alpha2
- WARNING: FUNCTION WHITELISTS/BLACKLISTS NEVER WORKED CORRECTLY WITH PHP < 5.5
2012-02-12 - 0.9.34
- Added initial support for PHP 5.4.0
- Fix include whitelist and blacklist to support shemes with dots in their names
- Fix read after efree() that lets function_exists() malfunction
- Fix build with clang compiler
- Added a request variable drop statistic log message
Revision 1.10 / (download) - annotate - [select for diffs], Sun Dec 8 22:34:33 2013 UTC (9 years, 5 months ago) by joerg
Branch: MAIN
CVS Tags: pkgsrc-2014Q4-base,
pkgsrc-2014Q4,
pkgsrc-2014Q3-base,
pkgsrc-2014Q3,
pkgsrc-2014Q2-base,
pkgsrc-2014Q2,
pkgsrc-2014Q1-base,
pkgsrc-2014Q1,
pkgsrc-2013Q4-base,
pkgsrc-2013Q4
Changes since 1.9: +7 -1
lines
Diff to previous 1.9 (colored)
Ignore missing return value when building against PHP 5.3.
Revision 1.9 / (download) - annotate - [select for diffs], Mon Apr 8 11:17:21 2013 UTC (10 years, 1 month ago) by rodent
Branch: MAIN
CVS Tags: pkgsrc-2013Q3-base,
pkgsrc-2013Q3,
pkgsrc-2013Q2-base,
pkgsrc-2013Q2
Changes since 1.8: +2 -2
lines
Diff to previous 1.8 (colored)
Remove "Trailing empty lines." and/or "Trailing white-space."
Revision 1.8 / (download) - annotate - [select for diffs], Tue Oct 23 18:16:50 2012 UTC (10 years, 7 months ago) by asau
Branch: MAIN
CVS Tags: pkgsrc-2013Q1-base,
pkgsrc-2013Q1,
pkgsrc-2012Q4-base,
pkgsrc-2012Q4
Changes since 1.7: +1 -3
lines
Diff to previous 1.7 (colored)
Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days.
Revision 1.7 / (download) - annotate - [select for diffs], Sat Jun 16 22:34:23 2012 UTC (10 years, 11 months ago) by dholland
Branch: MAIN
CVS Tags: pkgsrc-2012Q3-base,
pkgsrc-2012Q3,
pkgsrc-2012Q2-base,
pkgsrc-2012Q2
Changes since 1.6: +2 -2
lines
Diff to previous 1.6 (colored)
Remove 52 from PHP_VERSIONS_ACCEPTED.
Revision 1.6 / (download) - annotate - [select for diffs], Sat Jun 16 02:59:48 2012 UTC (10 years, 11 months ago) by taca
Branch: MAIN
Changes since 1.5: +4 -1
lines
Diff to previous 1.5 (colored)
Restrict to PHP 5.2.x and 5.3.x since there is no PHP 5.4.x officialy yet.
Revision 1.4.2.1 / (download) - annotate - [select for diffs], Sat Jan 21 09:02:46 2012 UTC (11 years, 4 months ago) by sbd
Branch: pkgsrc-2011Q4
Changes since 1.4: +2 -3
lines
Diff to previous 1.4 (colored) next main 1.5 (colored)
Pullup ticket #3658 - requested by taca
security/php-suhosin security fix
Revisions pulled up:
- security/php-suhosin/Makefile 1.5
- security/php-suhosin/distinfo 1.4
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Jan 20 03:23:34 UTC 2012
Modified Files:
pkgsrc/security/php-suhosin: Makefile distinfo
Log Message:
Update php-suhosin package to 0.9.33 to fix security problem.
SektionEins GmbH
www.sektioneins.de
-= Security Advisory =-
Advisory: Suhosin PHP Extension Transparent Cookie Encryption Stack
Buffer Overflow
Release Date: 2012/01/19
Last Modified: 2012/01/19
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Suhosin Extension <= 0.9.32.1
Severity: A possible stack buffer overflow in Suhosin extension's
transparent cookie encryption that can only be triggered
in an uncommon and weakened Suhosin configuration can lead
to arbitrary remote code execution, if the FORTIFY_SOURCE
compile option was not used when Suhosin was compiled.
Risk: Medium
Vendor Status: Suhosin Extension 0.9.33 was released which fixes this
vulnerability
Reference: http://www.suhosin.org/
https://github.com/stefanesser/suhosin
Revision 1.5 / (download) - annotate - [select for diffs], Fri Jan 20 03:23:34 2012 UTC (11 years, 4 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2012Q1-base,
pkgsrc-2012Q1
Changes since 1.4: +2 -3
lines
Diff to previous 1.4 (colored)
Update php-suhosin package to 0.9.33 to fix security problem.
SektionEins GmbH
www.sektioneins.de
-= Security Advisory =-
Advisory: Suhosin PHP Extension Transparent Cookie Encryption Stack
Buffer Overflow
Release Date: 2012/01/19
Last Modified: 2012/01/19
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Suhosin Extension <= 0.9.32.1
Severity: A possible stack buffer overflow in Suhosin extension's
transparent cookie encryption that can only be triggered
in an uncommon and weakened Suhosin configuration can lead
to arbitrary remote code execution, if the FORTIFY_SOURCE
compile option was not used when Suhosin was compiled.
Risk: Medium
Vendor Status: Suhosin Extension 0.9.33 was released which fixes this
vulnerability
Reference: http://www.suhosin.org/
https://github.com/stefanesser/suhosin
Revision 1.4 / (download) - annotate - [select for diffs], Sat Dec 17 13:46:28 2011 UTC (11 years, 5 months ago) by obache
Branch: MAIN
CVS Tags: pkgsrc-2011Q4-base
Branch point for: pkgsrc-2011Q4
Changes since 1.3: +2 -1
lines
Diff to previous 1.3 (colored)
Change default PKGNAME scheme for PECL packages.
Drop ${PHP_BASE_VARS} from PKGVERSION by default.
It used to be required to support multiple php version.
But after PHP version based ${PHP_PKG_PREFIX} was introduced,
such trick is not required anymore.
In addition to this, such version name schme invokes unwanted version bump
when base php version is bumped, plus, such version scheme is hard to
use for DEPENDS pattern.
To avoid downgrading of package using such legacy version scheme,
PECL_LEGACY_VERSION_SCHEME is introduced.
If it is defined, current version scheme is still used for currently
supported PHP version (5 and 53), but instead of ${PHP_BASE_VARS},
current fixed PHP base version in pkgsrc is used to avoid unwanted version bump
from update of PHP base package.
With newer PHP (54, or so on), new version scheme will be used if
it is defined.
This trick will not be required and should be removed after php5 and php53 will
be gone away from pkgsrc.
Revision 1.3 / (download) - annotate - [select for diffs], Sun Dec 19 02:22:15 2010 UTC (12 years, 5 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2011Q3-base,
pkgsrc-2011Q3,
pkgsrc-2011Q2-base,
pkgsrc-2011Q2,
pkgsrc-2011Q1-base,
pkgsrc-2011Q1,
pkgsrc-2010Q4-base,
pkgsrc-2010Q4
Changes since 1.2: +3 -3
lines
Diff to previous 1.2 (colored)
Update php-suhosin pacakge to 0.9.32.1.
2010-07-23 - 0.9.32.1
- Fixed missing header file resulting in compile errors
2010-07-23 - 0.9.32
- Added support for memory_limit > 2GB
- Fixed missing header file resulting in wrong php_combined_lcg()
prototype being used
- Improved random number seed generation more by adding /dev/urandom juice
2010-03-28 - 0.9.31
- Fix ZTS build of session.c
- Increased session identifier entropy by using /dev/urandom if available
2010-03-25 - 0.9.30
- Added line ending characters %0a and %0d to the list of
dangerous characters handled
by suhosin.server.encode and suhosin.server.strip
- Fixed crash bug with PHP 5.3.x and session module (due to
changed session globals struct)
- Added ! protection to PHP session serializer
- Fixed simulation mode now also affects (dis)allowed functions
- Fixed missing return (1); in random number generator replacements
- Fixed random number generator replacement error case behaviour
in PHP 5.3.x
- Fixed error case handling in function_exists() PHP 5.3.x
- Merged changes/fixes in import_request_variables()/extract()
from upstream PHP
- Fixed suhosin_header_handler to be PHP 5.3.x compatible
- Merge fixes and new features of PHP's file upload code to suhosin
Revision 1.2 / (download) - annotate - [select for diffs], Thu Mar 4 15:38:53 2010 UTC (13 years, 3 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2010Q3-base,
pkgsrc-2010Q3,
pkgsrc-2010Q2-base,
pkgsrc-2010Q2,
pkgsrc-2010Q1-base,
pkgsrc-2010Q1
Changes since 1.1: +2 -2
lines
Diff to previous 1.1 (colored)
Update php-suhosin package to 0.9.29.
2009-08-15 - 0.9.29
- Fixing crash bugs with PHP 5.3.0 caused by unexpected NULL in
EG(active_symbol_table)
- Added more compatible way to retrieve ext/session globals
- Increased default length and count limit for POST variables (for
people not reading docu)
2009-08-14 - 0.9.28
- Fixed crash bug with PHP 5.2.10 caused by a change in extension
load order of ext/session
- Fixed harmless parameter order error in a bogus memset()
- Disable suhosin.session.cryptua by default because of Internet
Explorer 8 "features"
- Added suhosin.executor.include.allow_writable_files which can be
disabled to disallow inclusion of files writable by the webserver
Revision 1.1.1.1 / (download) - annotate - [select for diffs] (vendor branch), Tue Feb 17 23:16:14 2009 UTC (14 years, 3 months ago) by adrianp
Branch: TNF
CVS Tags: pkgsrc-base,
pkgsrc-2009Q4-base,
pkgsrc-2009Q4,
pkgsrc-2009Q3-base,
pkgsrc-2009Q3,
pkgsrc-2009Q2-base,
pkgsrc-2009Q2,
pkgsrc-2009Q1-base,
pkgsrc-2009Q1
Changes since 1.1: +0 -0
lines
Diff to previous 1.1 (colored)
Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against bufferoverflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections.
Revision 1.1 / (download) - annotate - [select for diffs], Tue Feb 17 23:16:14 2009 UTC (14 years, 3 months ago) by adrianp
Branch: MAIN
Initial revision