php7.2 (7.2.24-0ubuntu0.18.04.3) bionic-security; urgency=medium

  * SECURITY UPDATE: Out of bounds read
    - debian/patches/CVE-2020-7059.patch: fix OOB read in
      php_strip_tags_ex in ext/standard/string.c and added test
      ext/standard/tests/file/bug79099.phpt.
    - CVE-2020-7059
  * SECURITY UPDATE: Buffer-overflow
    - debian/patches/CVE-2020-7060.patch: fix adding a check function
      is_in_cp950_pua in  ext/mbstring/libmbfl/filters/mbfilter_big5.c
      and added test ext/mbstring/tests/bug79037.phpt.
    - CVE-2020-7060

 -- Leonidas S. Barbosa <leo.barbosa@canonical.com>  Tue, 11 Feb 2020 12:55:52 -0300

php7.2 (7.2.24-0ubuntu0.18.04.2) bionic-security; urgency=medium

  * SECURITY UPDATE: silently truncates
    a class after a null byte
    - debian/patches/CVE-2019-11045.patch:  not accept
      arbitrary strings in ext/spl/spl_directory.c,
      ext/spl/tests/bug78863.phpt.
    - CVE-2019-11045
  * SECURITY UPDATE: Buffer underflow
    - debian/patches/CVE-2019-11046.patch: not rely on `isdigit()`
      to detect digits in ext/bcmath/libbcmath/src/str2num.c,
      ext/bcmath/tests/bug78878.phpt.
    - CVE-2019-11046
  * SECURITY UPDATE: Heap-buffer-overflow
    - debian/patches/CVE-2019-11047.patch: fix in ext/exif/exif.c,
      ext/exif/tests/bug78910.phpt.
    - CVE-2019-11047
  * SECURITY UPDATE: Use-after-free
    - debian/patches/CVE-2019-11050.patch: fix in
      ext/exif/exif.c, ext/exif/tests/bug78793.phpt.
    - CVE-2019-11050

 -- Leonidas S. Barbosa <leo.barbosa@canonical.com>  Mon, 13 Jan 2020 15:39:59 -0300

php7.2 (7.2.24-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: updated to 7.2.24 to fix security issue
    - CVE-2019-11043
  * Rebased patches:
    - debian/patches/0022-lp564920-fix-big-files.patch
  * Removed patches no longer required:
    - debian/patches/CVE-2019-11041.patch
    - debian/patches/CVE-2019-11042.patch

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 28 Oct 2019 08:07:07 -0400

php7.2 (7.2.19-0ubuntu0.18.04.2) bionic-security; urgency=medium

  * SECURITY UPDATE: Heap-buffer-overflow
    - debian/patches/CVE-2019-11041.patch: check Thumbnail.size in order
      to avoid an overflow in ext/exif.exif.c and adding test to
      ext/exif/tests/bug78222.phpt.
    - CVE-2019-11041
  * SECURITY UPDATE: Heap-buffer-overflow
    - debian/patches/CVE-2019-11042.patch: check ByteCount in order to
      avoid an overflow in ext/exif/exif.c and adding tests to
      ext/exif/tests/bug78256.phpt.
    - CVE-2019-11042

 -- Leonidas S. Barbosa <leo.barbosa@canonical.com>  Mon, 12 Aug 2019 16:34:28 -0300

php7.2 (7.2.19-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * Updated to 7.2.19 to fix multiple security issues.
    - CVE-2019-11036
    - CVE-2019-11039
    - CVE-2019-11040
  * Refreshed patches:
    - debian/patches/0039-hack-phpdbg-to-explicitly-link-with-libedit.patch

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 04 Jun 2019 10:48:12 -0400

php7.2 (7.2.17-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * Updated to 7.2.17 to fix multiple security issues.
    - CVE-2019-11034
    - CVE-2019-11035
  * Refreshed patches:
    - debian/patches/0013-Add-support-for-use-of-the-system-timezone-database.patch
  * Removed patches included in new version:
    - debian/patches/CVE-2019-9637.patch
    - debian/patches/CVE-2019-9638-and-CVE-2019-9639-1.patch
    - debian/patches/CVE-2019-9638-and-CVE-2019-9639-2.patch
    - debian/patches/CVE-2019-9640.patch
    - debian/patches/CVE-2019-9641.patch
    - debian/patches/CVE-2019-9675.patch

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 18 Apr 2019 10:12:38 -0400

php7.2 (7.2.15-0ubuntu0.18.04.2) bionic-security; urgency=medium

  * SECURITY UPDATE: Unauthorized users access
    - debian/patches/CVE-2019-9637.patch: fix in
      main/streams/plain_wrapper.c.
    - CVE-2019-9637
  * SECURITY UPDATE: Invalid read in exif_process_IFD_MAKERNOTE
    - debian/patches/CVE-2019-9638-and-CVE-2019-9639-*.patch: fix in
      ext/exif/exif.c, added tests in ext/exif/tests/bug77563.jpg,
      ext/exif/tests/bug77563.phpt.
    - CVE-2019-9638
    - CVE-2019-9639
  * SECURITY UPDATE: Invalid read
    - debian/patches/CVE-2019-9640.patch: fix in
      ext/exif/exif.c, added tests in ext/exif/tests/bug77540.jpg,
      ext/exif/tests/bug77540.phpt.
    - CVE-2019-9640
  * SECURITY UPDATE: Unitialized read
    - debian/patches/CVE-2019-9641.patch: fix in ext/exif/exif.c.
    - CVE-2019-9641
  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2019-9675.patch: fix in
      ext/phar/tar.c, added tests in ext/phar/tests/bug71488.phpt,
      ext/phar/tests/bug77586,phpt, ext/phar/tests/bug77586/files/*.

 -- Leonidas S. Barbosa <leo.barbosa@canonical.com>  Fri, 22 Mar 2019 14:05:14 -0300

php7.2 (7.2.15-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Update to 7.2.15 to fix security issues
    - CVE-2018-19935
    - CVE-2018-19518

 -- Mike Salvatore <mike.salvatore@canonical.com>  Fri, 08 Feb 2019 09:54:22 -0500

php7.2 (7.2.10-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Update to 7.2.10 to fix security issues
    - CVE-2015-9253
    - CVE-2018-14851
    - CVE-2018-14883

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 13 Sep 2018 09:45:02 -0400

php7.2 (7.2.7-0ubuntu0.18.04.2) bionic-security; urgency=medium

  * SECURITY UPDATE: 7.2.7 did not actually include the fix for the
    CVE-2018-12882 exif security issue. This release adds backported
    patches to fix the issue.
    - debian/patches/CVE-2018-12882-1.patch: fix heap use after free in
      _php_stream_free in ext/exif/exif.c, ext/exif/tests/bug76409.phpt.
    - debian/patches/CVE-2018-12882-2.patch: fix test portability in
      ext/exif/tests/bug76409.phpt.
    - CVE-2018-12882

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 04 Jul 2018 12:55:24 -0400

php7.2 (7.2.7-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Update to 7.2.7 to fix security issue
    - CVE-2018-12882

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 03 Jul 2018 11:16:52 -0400

php7.2 (7.2.5-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Update to 7.2.5 to fix security issues
    - CVE-2018-10545, CVE-2018-10546, CVE-2018-10547, CVE-2018-10548,
      CVE-2018-10549
  * d/p/0036-php-5.4.9-fixheader.patch: updated for new version.

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 09 May 2018 13:21:02 -0400

php7.2 (7.2.3-1ubuntu1) bionic; urgency=medium

  * Merge with Debian unstable (LP: #1744148). Remaining changes:
    - Drop dh-php from Recommends to Suggests so it can be demoted to
      universe as it depends on xml2/universe.

 -- Nishanth Aravamudan <nish.aravamudan@canonical.com>  Wed, 14 Mar 2018 15:03:58 -0700

php7.2 (7.2.3-1) unstable; urgency=medium

  * New upstream version 7.2.3
  * Rebase patches on top of new upstream release.

 -- Ondřej Surý <ondrej@debian.org>  Tue, 06 Mar 2018 11:15:04 +0000

php7.2 (7.2.2-3) unstable; urgency=medium

  * Add explicit libpcre3 >= 2:8.35 dependency as dh_genshlibs is failing
    to add versioned dependency for some reason.

 -- Ondřej Surý <ondrej@debian.org>  Tue, 06 Feb 2018 16:07:40 +0000

php7.2 (7.2.2-2) unstable; urgency=medium

  * Remove explicit libpcre3 dependency and let dh_genshlibs do its magic

 -- Ondřej Surý <ondrej@debian.org>  Tue, 06 Feb 2018 13:00:04 +0000

php7.2 (7.2.2-1ubuntu2) bionic; urgency=medium

  * No-change rebuild against libcurl4

 -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 28 Feb 2018 08:43:55 +0000

php7.2 (7.2.2-1ubuntu1) bionic; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Drop dh-php from Recommends to Suggests so it can be demoted to
      universe as it depends on xml2/universe.

 -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 09 Feb 2018 21:18:55 +0000

php7.2 (7.2.2-1) unstable; urgency=medium

  * New upstream version 7.2.2
  * Rebase patches on top of new upstream release
  * Regenerate d/control to finish php7.2-sodium removal

 -- Ondřej Surý <ondrej@debian.org>  Thu, 01 Feb 2018 15:19:04 +0000

php7.2 (7.2.1-1ubuntu2) bionic; urgency=medium

  * d/control.in: also needs update to keep dh-php in universe.

 -- Nishanth Aravamudan <nish.aravamudan@canonical.com>  Wed, 31 Jan 2018 10:36:35 -0800

php7.2 (7.2.1-1ubuntu1) bionic; urgency=medium

  * Drop dh-php from Recommends to Suggests so it can be demoted to
    universe (LP #1590623).
    + dh-php has gained a dependency on xml2 which is in universe. 

 -- Nishanth Aravamudan <nish.aravamudan@canonical.com>  Thu, 25 Jan 2018 11:32:42 -0800

php7.2 (7.2.1-1) unstable; urgency=medium

  * Update the Vcs-* to salsa.d.o
  * Slightly update debian/copyright (most changes were already in)
  * New upstream version 7.2.1
  * Rebase patches on top of new upstream release

 -- Ondřej Surý <ondrej@debian.org>  Fri, 05 Jan 2018 11:21:04 +0000

php7.2 (7.2.0-2) unstable; urgency=medium

  * Get rid of extra php7.2-sodium module

 -- Ondřej Surý <ondrej@debian.org>  Wed, 06 Dec 2017 14:15:47 +0000

php7.2 (7.2.0-1) unstable; urgency=low

  * Update PHP 7.2 signing keys
  * New upstream version 7.2.0
  * Rebase patches for new upstream release.

 -- Ondřej Surý <ondrej@debian.org>  Thu, 30 Nov 2017 13:55:57 +0000

php7.2 (7.2.0~rc6-1) unstable; urgency=medium

  * New upstream version 7.2.0~rc6
  * Rebase patches for new upstream version.

 -- Ondřej Surý <ondrej@debian.org>  Sun, 12 Nov 2017 03:30:05 +0000

php7.2 (7.2.0~rc5-1) unstable; urgency=medium

  * New upstream version 7.2.0~rc5
  * Rebase patches for new upstream release

 -- Ondřej Surý <ondrej@debian.org>  Fri, 27 Oct 2017 13:33:55 +0000

php7.2 (7.2.0~rc4-2) unstable; urgency=medium

  * Fix the usage of internal allocator in xmlrpc extension

 -- Ondřej Surý <ondrej@debian.org>  Tue, 24 Oct 2017 18:54:46 +0000

php7.2 (7.2.0~rc4-1) unstable; urgency=medium

  * New upstream version 7.2.0~rc4
  * Rebase patches on top of new upstream version 7.2.0~rc4

 -- Ondřej Surý <ondrej@debian.org>  Sun, 22 Oct 2017 13:07:11 +0000

php7.2 (7.2.0~rc3-1) unstable; urgency=medium

  * New upstream version 7.2.0~rc3
  * Refresh patches for PHP 7.2.0~rc3

 -- Ondřej Surý <ondrej@debian.org>  Thu, 28 Sep 2017 18:26:49 +0200

php7.2 (7.2.0~rc2-1) unstable; urgency=medium

  * New upstream version 7.2.0~rc2
  * Rebase patches on top of PHP 7.2.0~rc2

 -- Ondřej Surý <ondrej@debian.org>  Mon, 18 Sep 2017 11:24:14 +0200

php7.2 (7.2.0~rc1-1) unstable; urgency=medium

  * New upstream version 7.2.0~rc1
  * Rebase patches on top of PHP 7.2.0~rc1
  * Update d/copyright (License check courtesy of Luca Falavigna)
  * Rewrap the files in d/ with wrap-and-sort -a

 -- Ondřej Surý <ondrej@debian.org>  Thu, 31 Aug 2017 14:00:16 +0200

php7.2 (7.2.0~beta3-2) unstable; urgency=medium

  * Enable Argon2 support for password hashing functions
  * Enable shared libsodium extension

 -- Ondřej Surý <ondrej@debian.org>  Fri, 25 Aug 2017 11:35:23 +0200

php7.2 (7.2.0~beta3-1) unstable; urgency=medium

  * Allow libgcrypt11-dev when it's not a transitional package
  * New upstream version 7.2.0~beta3
  * Refresh patches on top of PHP 7.2.0~beta3

 -- Ondřej Surý <ondrej@debian.org>  Fri, 18 Aug 2017 15:00:36 +0200

php7.2 (7.2.0~beta2-2) experimental; urgency=medium

  * Update Vcs-* links to https://gitlab.com/deb.sury.org/...
  * Stop depending on obsolete automake1.11
  * Switch build-depends to libgcrypt20-dev

 -- Ondřej Surý <ondrej@debian.org>  Fri, 04 Aug 2017 11:56:09 +0200

php7.2 (7.2.0~beta2-1) experimental; urgency=medium

  * Update d/watch for PHP 7.2
  * New upstream version 7.2.0~beta2
  * Rebase patches for PHP 7.2.0~beta2

 -- Ondřej Surý <ondrej@debian.org>  Thu, 03 Aug 2017 20:42:38 +0200

php7.2 (7.2.0~beta1-1) experimental; urgency=medium

  * New upstream version 7.2.0~beta1
  * Enable support for libsodium crypto
  * Rebase patches on top of PHP 7.2.0~beta1
  * Update phpapi for PHP 7.2 to 20170718

 -- Ondřej Surý <ondrej@debian.org>  Thu, 27 Jul 2017 13:29:34 +0200

php7.2 (7.2.0~alpha3-1) experimental; urgency=medium

  * New upstream version 7.2.0~alpha3
  * Rebase patches on top of PHP 7.2.0~alpha3
  * Update d/rules with configure.in -> configure.ac rename
  * Remove mcrypt extension that has been removed upstream
  * Update phpapi to 20160731

 -- Ondřej Surý <ondrej@debian.org>  Thu, 06 Jul 2017 13:50:44 +0200

