This is a security release.
Changelog: https://www.php.net/ChangeLog-8.php#8.5.1
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Left to its own volition, configure goes on a hunt in
usual paths in /usr which means it pokes at build system
for sendmail existence. This could also be under different
paths e.g. /usr/lib or /usr/sbin depending upon build distro
The paths where sendmail will be installed on target is
usual paths e.g. /bin or /usr/bin on OE, which are added
to program search paths anyway.
This fixes reproducibility issues, since this string gets
its way into the PHP binaries.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
1. Changelog:
https://github.com/php/php-src/releases/tag/php-8.5.0
2. Remove opcache-related options as it was not in 8.5.0.
3. Fix FILES:${PN}-fpm to resolve following error:
ERROR: php-8.5.0-r0 do_package: QA Issue: php: Files/directories were installed but not shipped in any package:
/usr/share/php
/usr/share/php/fpm
/usr/share/php/fpm/status.html
Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is a bug fix release.
Changelog: https://www.php.net/ChangeLog-8.php#8.4.15
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
According to [1][2], generating phar.php during cross-compile can't be
done, but upstream test res of $(TEST_PHP_EXECUTABLE) is not suitable
for Yocto.
Explicitly set TEST_PHP_EXECUTABLE_RES = "1" to not generate phar.php
for target recipe
Drop 0005-sapi-cli-config.m4-fix-build-directory.patch which is obsolete
for generating phar.php
After applying this commit
...log.do_compile...
Generating phar.php
Skipping phar.php generating during cross compilation
Generating phar.phar
Skipping phar.phar generating during cross compilation
...log.do_compile...
Then php supports reproducible build
[1] https://github.com/php/php-src/issues/11099
[2] 93fa9613e1
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX to check the correct
latest stable version.
Before the patch:
$ devtool latest-version php
INFO: Current version: 8.4.14
INFO: Latest version:
After the patch:
$ devtool latest-version php
INFO: Current version: 8.4.14
INFO: Latest version: 8.4.14
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is a bug fix release.
Changelog: https://www.php.net/ChangeLog-8.php#8.4.14
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is a bugfix release. There are integer overflow and memory leak fixes included.
Changelog: https://www.php.net/ChangeLog-8.php#8.4.13
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is just a bug fix release.
Changelog: https://www.php.net/ChangeLog-8.php#8.4.12
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is just a bug fix release.
Integer overflows, segmentation faults and memory leaks.
Changelog: https://www.php.net/ChangeLog-8.php#8.4.11
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
PHP has removed the --with-zlib-dir configure option since that is now
taken over by pkg-config, this breaks building PHP on Walnascar when zip
is enabled via PACKAGECONFIG.
So remove it.
Signed-off-by: Gijs Peskens <gijs.peskens@munisense.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is a security update.
There are fixes for memory leaks, segfaults and CVEs.
CVE-2025-1735
CVE-2025-1220
CVE-2025-6491
Changelog: https://www.php.net/ChangeLog-8.php#8.4.10
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Please see
https://git.yoctoproject.org/poky/commit/?id=4dd321f8b83afecd962393101b2a6861275b5265
for what changes are needed, and sed commands that can be used to make them en masse.
I've verified that bitbake -c patch world works with these, but did not run a world
build; the majority of recipes shouldn't need further fixups, but if there are
some that still fall out, they can be fixed in followups.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
0001-ext-opcache-config.m4-enable-opcache.patch is dropped.
This patch could be dropped because the new version now uses
AC_CACHE_CHECK, and we can just pass ac_cv_xxx to it instead of
using a local patch.
0008-ext-imap-config.m4-fix-include-paths.patch is dropped.
ext/imap has been removed from php in this new version. See
https://github.com/php/php-src/pull/13190. As a result of this
removal, the corresponding PACKAGECONFIG is removed from this new
version.
0001-Change-whether-to-inline-XXH3_hashLong_withSecret-to.patch is
dropped. It has been merged in this new version.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop 0003-php-remove-host-specific-info-from-header-file.patch.
Instead we export PHP_UNAME = "Linux" to achieve the same effect.
Drop 0002-build-php.m4-don-t-unset-cache-variables.patch.
The related ac_cv_lib_xxx and ac_cv_func_xxx settings in this recipe
are also removed. This patch is not needed from my build testing
result.
Drop 0009-php-don-t-use-broken-wrapper-for-mkdir.patch.
This patch says that the wrapper is broken, but does not say why.
Without this patch, things still build.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Includes fix for CVE-2024-5458 and other bugs
Changelog:
https://www.php.net/ChangeLog-8.php#PHP_8_2
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Replace references of WORKDIR with UNPACKDIR where it makes sense to do
so in preparation for changing the default value of UNPACKDIR.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Includes fixes for CVE-2024-3096, CVE-2024-2756 and other bugs.
Changelog:
https://www.php.net/ChangeLog-8.php#8.2.18
Rebase 0001-ext-opcache-config.m4-enable-opcache.patch to new version
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2848cc99a1 ("php-fpm: Add support for systemd") introduced a systemd
service file, where ExecStart and ExecStop use /etc/init.d/php-fpm,
which does not exist if systemd is enabled. Consequently, the php-fpm
service fails to start even though it is correctly installed. This is
fixed by this commit in which the service file is identical to the one
from the PHP source code except for the use of BitBake variables. Also,
use ${systemd_system_unitdir} instead of ${systemd_unitdir}/system.
Signed-off-by: Emil Kronborg <emil.kronborg@protonmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This was required by the sqlite2 extension, which was removed from PHP
in 2010[1].
[1] 6c76f3606c
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
- Build:
. Fixed bug GH-11522 (PHP version check fails with '-' separator).
- CLI:
. Fix interrupted CLI output causing the process to exit.
- Core:
. Fixed oss-fuzz #60011 (Mis-compilation of by-reference nullsafe operator).
. Fixed line number of JMP instruction over else block.
. Fixed use-of-uninitialized-value with ??= on assert.
. Fixed oss-fuzz #60411 (Fix double-compilation of arrow-functions).
. Fixed build for FreeBSD before the 11.0 releases.
- Curl:
. Fix crash when an invalid callback function is passed to
CURLMOPT_PUSHFUNCTION.
- Date:
. Fixed bug GH-11368 (Date modify returns invalid datetime).
. Fixed bug GH-11600 (Can't parse time strings which include
non-breaking space characters).
. Fixed bug GH-11854 (DateTime:createFromFormat stopped parsing datetime with
extra space).
- DOM:
. Fixed bug GH-11625 (DOMElement::replaceWith() doesn't replace node with
DOMDocumentFragment but just deletes node or causes wrapping <></>
depending on libxml2 version).
- Fileinfo:
. Fixed bug GH-11298 (finfo returns wrong mime type for xz files).
- FTP:
. Fix context option check for "overwrite".
. Fixed bug GH-10562 (Memory leak and invalid state with consecutive
ftp_nb_fget).
- GD:
. Fix most of the external libgd test failures.
- Intl:
. Fix memory leak in MessageFormatter::format() on failure.
- Libxml:
. Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity loading
in XML without enabling it). (CVE-2023-3823)
- MBString:
. Fix GH-11300 (license issue: restricted unicode license headers).
- Opcache:
. Fixed bug GH-10914 (OPCache with Enum and Callback functions results in
segmentation fault).
. Prevent potential deadlock if accelerated globals cannot be allocated.
- PCNTL:
. Fixed bug GH-11498 (SIGCHLD is not always returned from proc_open).
- PDO:
. Fix GH-11587 (After php8.1, when PDO::ATTR_EMULATE_PREPARES is true
and PDO::ATTR_STRINGIFY_FETCHES is true, decimal zeros are no longer
filled).
- PDO SQLite:
. Fix GH-11492 (Make test failure: ext/pdo_sqlite/tests/bug_42589.phpt).
- Phar:
. Add missing check on EVP_VerifyUpdate() in phar util.
. Fixed bug GHSA-jqcx-ccgc-xwhv (Buffer mismanagement in phar_dir_read()).
- PHPDBG:
. Fixed bug GH-9669 (phpdbg -h options doesn't list the -z option).
- Session:
. Removed broken url support for transferring session ID.
- Standard:
. Fix serialization of RC1 objects appearing in object graph twice.
- Streams:
. Fixed bug GH-11735 (Use-after-free when unregistering user stream wrapper
from itself).
- SQLite3:
. Fix replaced error handling in SQLite3Stmt::__construct.
- XMLReader:
. Fix GH-11548 (Argument corruption when calling XMLReader::open or
XMLReader::XML non-statically with observer active).
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- Try to add convert and apply statuses for old CVEs
- Drop some obsolete ignores, while they are not relevant for current
version
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
- CLI:
. Fixed bug GH-11246 (cli/get_set_process_title fails on MacOS).
- Core:
. Fixed build for the riscv64 architecture/GCC 12.
- Curl:
. Fixed bug GH-11433 (Unable to set CURLOPT_ACCEPT_ENCODING to NULL).
- Date:
. Fixed bug GH-11455 (Segmentation fault with custom object date properties).
- DOM:
. Fixed bugs GH-11288 and GH-11289 and GH-11290 and GH-9142 (DOMExceptions
and segfaults with replaceWith).
. Fixed bug GH-10234 (Setting DOMAttr::textContent results in an empty
attribute value).
. Fix return value in stub file for DOMNodeList::item.
. Fix spec compliance error with '*' namespace for
DOMDocument::getElementsByTagNameNS.
. Fix DOMElement::append() and DOMElement::prepend() hierarchy checks.
. Fixed bug GH-11347 (Memory leak when calling a static method inside an
xpath query).
. Fixed bug #67440 (append_node of a DOMDocumentFragment does not reconcile
namespaces).
. Fixed bug #81642 (DOMChildNode::replaceWith() bug when replacing a node
with itself).
. Fixed bug #77686 (Removed elements are still returned by getElementById).
. Fixed bug #70359 (print_r() on DOMAttr causes Segfault in
php_libxml_node_free_list()).
. Fixed bug #78577 (Crash in DOMNameSpace debug info handlers).
. Fix lifetime issue with getAttributeNodeNS().
. Fix "invalid state error" with cloned namespace declarations.
. Fixed bug #55294 and #47530 and #47847 (various namespace reconciliation
issues).
. Fixed bug #80332 (Completely broken array access functionality with
DOMNamedNodeMap).
- Opcache:
. Fix allocation loop in zend_shared_alloc_startup().
. Access violation on smm_shared_globals with ALLOC_FALLBACK.
. Fixed bug GH-11336 (php still tries to unlock the shared memory ZendSem
with opcache.file_cache_only=1 but it was never locked).
- OpenSSL:
. Fixed bug GH-9356 Incomplete validation of IPv6 Address fields in
subjectAltNames
- PCRE:
. Fix preg_replace_callback_array() pattern validation.
- PGSQL:
. Fixed intermittent segfault with pg_trace.
- Phar:
. Fix cross-compilation check in phar generation for FreeBSD.
- SPL:
. Fixed bug GH-11338 (SplFileInfo empty getBasename with more than one
slash).
- Standard:
. Fix access on NULL pointer in array_merge_recursive().
. Fix exception handling in array_multisort().
- SQLite3:
. Fixed bug GH-11451 (Invalid associative array containing duplicate
keys).
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
There is new patch-status QA check in oe-core:
https://git.openembedded.org/openembedded-core/commit/?id=76a685bfcf927593eac67157762a53259089ea8a
This is temporary work around just to hide _many_ warnings from
optional patch-status (if you add it to WARN_QA).
This just added
Upstream-Status: Pending
everywhere without actually investigating what's the proper status.
This is just to hide current QA warnings and to catch new .patch files being
added without Upstream-Status, but the number of Pending patches is now terrible:
5 (26%) meta-xfce
6 (50%) meta-perl
15 (42%) meta-webserver
21 (36%) meta-gnome
25 (57%) meta-filesystems
26 (43%) meta-initramfs
45 (45%) meta-python
47 (55%) meta-multimedia
312 (63%) meta-networking
756 (61%) meta-oe
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
. Fixed bug GH-11152 (Unable to alias namespaces containing reserved class
names).
. Fixed bug GH-9068 (Conditional jump or move depends on uninitialised
value(s)).
. Fixed bug GH-11189 (Exceeding memory limit in zend_hash_do_resize leaves
the array in an invalid state).
. Fixed bug GH-11063 (Compilation error on old GCC versions).
. Fixed bug GH-11222 (foreach by-ref may jump over keys during a rehash).
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
If my git skills don't trick me, forcing ARM mode for PHP
dates back to year 2015 with commit e836f8f93.
I wondered whether the compile problem still persists and just
tested that it compiles fine for qemuarm nowadays.
I also tested the binaries on a physical device, a
NXP iMX6ULL based one, and did not notice any problems
so far.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
Added optional support for max_execution_time in ZTS/Linux builds
Fixed use-after-free in recursive AST evaluation.
Fixed bug GH-8646 (Memory leak PHP FPM 8.1).
Re-add some CTE functions that were removed from being CTE by a mistake.
Remove CTE flag from array_diff_ukey(), which was added by mistake.
Fixed bug GH-10801 (Named arguments in CTE functions cause a segfault).
Fixed bug GH-8789 (PHP 8.0.20 (ZTS) zend_signal_handler_defer crashes on apache).
Fixed bug GH-10015 (zend_signal_handler_defer crashes on apache shutdown).
Fixed bug GH-10810 (Fix NUL byte terminating Exception::__toString()).
Fix potential memory corruption when mixing __callStatic() and FFI.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
- Core:
. Fixed incorrect check condition in type inference.
. Fix incorrect check in zend_internal_call_should_throw().
. Fixed overflow check in OnUpdateMemoryConsumption.
. Fixed bug GH-9916 (Entering shutdown sequence with a fiber suspended in a
Generator emits an unavoidable fatal error or crashes).
. Fixed bug GH-10437 (Segfault/assertion when using fibers in shutdown
function after bailout).
. Fixed SSA object type update for compound assignment opcodes.
. Fixed language scanner generation build.
. Fixed zend_update_static_property() calling zend_update_static_property_ex()
misleadingly with the wrong return type.
. Fix bug GH-10570 (Fixed unknown string hash on property fetch with integer
constant name).
. Fixed php_fopen_primary_script() call resulted on zend_destroy_file_handle()
freeing dangling pointers on the handle as it was uninitialized.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
-D_LARGEFILE64_SOURCE is needed for musl explicitly. It's added
indirectly via -D_GNU_SOURCE on glibc but not on musl feature macros
Signed-off-by: Khem Raj <raj.khem@gmail.com>