hhvm (3.21.0+dfsg-2) unstable; urgency=medium

  * Fix compatibility with glibc 2.26, thanks to Matthias Klose for the
    report (Closes: #875904)

 -- Moritz Muehlenhoff  Wed, 27 Sep 2017 16:25:21 +0200

hhvm (3.21.0+dfsg-1) unstable; urgency=medium

  * New upstream release 3.21 (3.18 releases were not uploaded to the
    archive due to various stability problems)
  * Fix FTBFS with GCC 7 (Closes: #853442)
  * Back out broken upstream JSON test case (reported at
    https://github.com/facebook/hhvm/issues/7708)
  * Add ocamlbuild to build dependencies (reported in #868480,
    compatibility of 3.21 with ocaml 4.05 needs to be revisited)
  * Update copyright file for 3.12->3.21 period, taking most of the
    entries for webscalesqlclient from src:mysql-5.6's copyright file
  * Remove Upstart job
  * Bump standards version

 -- Moritz Muehlenhoff  Mon, 07 Aug 2017 21:55:59 +0200

hhvm (3.18.1+dfsg-1) unstable; urgency=medium

  [ Faidon Liambotis ]
  * New upstream release 3.17.0+dfsg
  * Remove patches merged upstream:
    - libc6-223-isnan.patch
    - gcc6.patch
    - disable-folly-fibers.patch
    - pcre-838-limits.patch
    - pcre-disable-limit-test.patch
    - mysqlclient-r.patch
    - fix_stats_error.patch
    - output-buffer-fix-flush.patch
    - revert-unbreak-jsonc.patch
    - icu-getsortkey.patch
    - bzip2-segfault-sweep.patch
    - reproducible-proxygen-header.patch
  * Remove patches for code that was reworked upstream:
    - reproducible-hack-builddate.patch
    - reproducible-hack-compilerid.patch
  * Depend on ragel:
    - Add ragel to Build-Depends.
    - Remove ragel from third-party when repacking (debian/repack)
    - Add patch use-system-ragel.patch.
  * Add new third-party bundles brotli and fatal to debian/copyright.
  * Re-enable the mcrouter extension as it should build again now.

  [ Moritz Muehlenhoff ]
  * New upstream release 3.18.1+dfsg
  * Add missing build-dependency on libkrb5-dev
  * Add a versioned dependency on lz4 >= 130, the lz4 extension in 3.18
    uses the new LZ4_compress_default() function introduced there
  * No longer strip webscalesqlclient from dfsg tarball, with 3.18 the
    mysql extension requires it as well (transitively via squangle, which
    in turn depends on webscalesql)
  * Add build dependency on libreadline-dev, required by webscalesqlclient
  * Reenable asynchronous MySQL support now that we're using
    webscalesqlclient again (even when adding webscalesqlclient back to
    the source tree, squangle is only linked with DENABLE_ASYNC_MYSQL=ON,
    IOW DENABLE_ASYNC_MYSQL=OFF is entirely broken)
  * Cherrypick f7a1dae3d90179c10c03e749875aa8a6a5015605 from upstream
    master to fix testsuite failure with DUSE_JSONC=ON
  * Run testsuite in LC_ALL=C.UTF-8, one of the tests is locale-sensitive
    (https://github.com/facebook/hhvm/issues/7708)
  * Cherrypick 5207b59eb88e2f9820efb74442245a4f5aa9eb17 from upstream
    master to fix crashes with hhvm.server.stat_cache enabled
  * Add myself to Uploaders

 -- Moritz Muehlenhoff  Wed, 05 Apr 2017 09:46:19 +0200

hhvm (3.12.11+dfsg-1) unstable; urgency=medium

  [ Moritz Muehlenhoff ]
  * New upstream LTS releases, addressing multiple security issues.
    (Closes: #835032)
    From 3.12.2:
    - CVE-2015-8865 - Buffer overwrite in finfo_open with malformed magic
    - Integer overflow in iptcembed
    - CVE-2016-3074 - Fix signedness issue in libgd
    - CVE-2014-9709 - Fix a possible buffer read overflow in gd_gif_in.cpp
    - Prevent a potential nullptr dereference in ext_xsl
    - Don't segfault if you try to remove the last autoloader while adding
      a new one
    - CVE-2016-1903 - imagerotate information leak
    - FILTER_FLAG_STRIP_BACKTICK was being ignored unless other flags are
      set
    - CVE-2016-4539 - Fix a segfault in xml_parse_into_struct
    - Fix a potential null dereference in ZipArchive::extractTo
    - CVE-2016-4070 - Integer Overflow in php_raw_url_encode
    From 3.12.3:
    - CVE-2016-1000004 - Type safety in simplexml import routines
    - CVE-2016-1000004 - Fix param types for mcrypt_get_block_size() to
      match PHP
    - CVE-2016-1000006 - Fix use-after-free in serialize_memoize_param()
      and ResourceBundle::__construct()
    - CVE-2016-6870 - Use req::strndup in php_mb_parse_encoding_list to
      prevent oob memory write.
    - HHVM-2016-11781481 - Fix nullptr dereference in
      f_mysqli_stmt_bind{param,result}
    - HHVM-2016-11791940 - Avoid invalid array access in JSON_decode()
    - PHP-2016-0072337 - Fix a segfault with invalid dimensions and
      imagescale out of bounds read in ext_gd
    From 3.12.5:
    - CVE-2016-1000109: Ignore Proxy HTTP header from fastcgi requests
    From 3.12.6:
    - CVE-2016-6871 - Fix buffer overrun due to integer overflow in bcmath
    - CVE-2016-6872 - Fix integer overflow in StringUtil::implode
    - CVE-2016-6873 - Fix self recursion in compact
    - CVE-2016-6874 - Fix recursion checks in array_*_recursive
    - CVE-2016-6875 - Fix infinite recursion in wddx
    - PHP-2015-0070345 - [HHVM][Security] 0003 pcre preg bug 70345
    From 3.12.8:
    - ext_gd: exif_process_IFD_TAG: Use the right offset if reading from
      stream
    - Fix some color related crashes in libgd
    - Don't allow smart_str to overflow int
    - Integer overflow in _gd2GetHeader
    - Fix objprof refcounting
    - Fix buffer overruns in mb_send_mail
    - Integer overflow in gdImagePaletteToTrueColor
    - Null pointer dereference in _gdScaleVert
    - pass2_no_dither out-of-bounds access
    From 3.12.9:
    - Fix off-by-one index check in
      ThreadSafeLocaleHandler::actuallySetLocale
    - Prevent an integer overflow in _gdContributionsAlloc
    - Fix a potential overflow in tsrm_virtual_file_ex
    - Invalid transparent index can result in OOB read or write
    - Do not treat negative return values from bz2 as size_t
    - Fix OOB read in exif_process_IFD_in_MAKERNOTE
    - Prevent an OOB access in locale_accept_from_http
    - Avoid possible OOB using imagegif
    - Disable bad zend test
    - Add an option to explicitly disable NUMA support.
    From 3.12.10:
    - Fix a bug in StringUtil::Explode
    - Fix a couple of bugs in libgd
    From 3.12.11:
    - Prevent integer overflow in gdImageWebpCtx
    - Check depth values in json_decode
    - Prevent negative gamma values being passed to imagegammacorrect
    - Fix crypt with over-long salts
    - Memory leak in exif_process_IFD_in_TIFF
    - 9da Fix getimagesize returning FALSE on valid jpg

  [ Faidon Liambotis ]
  * Build against libmysqlclient, not libmysqlclient_r. Thanks to Robie
    Basak for the bug report and patch. (Closes: #825077)
  * Build-Depend on default-libmysqlclient-dev instead of
    libmysqlclient-dev. (Closes: #845852)
  * Add /bin/sh shebangs on maintainer scripts. (Closes: #843281)
  * Remove update-alternatives --remove from postrm, already included in
    prerm (and also causes a lintian warning).
  * Remove David Martínez Moreno from the Uploaders, at the request of the
    MIA team. (Closes: #843439)
  * Fix FTBFS with GCC 6, by backporting an upstream fix. (Closes: #812023)
  * Pass -fno-PIE/-no-pie to gcc to prevent a linking error with GCC 6's
    new configuration (--enable-default-pie) in combination with HHVM's
    hand-crafted assembly (translator-asm-helpers.S).
  * Build-Depend on libssl1.0-dev, as HHVM is not ready for OpenSSL 1.1.0
    yet. (Closes: #828340)
  * Remove Build-Depends on libc-client2007e-dev and thus disable the IMAP
    extension. libc-client2007e-dev depends on libssl-dev 1.1.0, which
    conflicts with libssl1.0-dev and is thus impossible to satisfy.
  * Disable Folly's Fibers, as the current version is incompatible with
    Boost 1.61 and thus FTBFS. The incompatibility has been fixed upstream
    but is too intrusive to backport, thus disable the functionality
    entirely. (Closes: #839303)
  * Temporarily disable the mcrouter extension as it requires Folly
    Fibers, that were disabled in this version (see above).
  * Backport an upstream fix to address an ICU Collation sort key
    incompatibility with PHP.
  * Backport an upstream fix to address a segfault when bzip2 and
    XMLReader are being used together.
  * Backport an upstream fix to address inconsistent regexp results when
    running with a newer PCRE version (8.38 instead of 8.32).
  * Disable test pcre_limit.php which now fails for unknown reasons;
    upstream seemingly has disabled the test as well for a while with no
    ill effects.
  * Add a Documentation line to the systemd service file.
  * Bump Standards-Version to 3.9.8, no changes needed.

 -- Faidon Liambotis  Sun, 18 Dec 2016 02:13:55 +0200

hhvm (3.12.1+dfsg-1) unstable; urgency=medium

  [ Faidon Liambotis ]
  * New upstream minor release, multiple security fixes:
    - XSLTProcessor NULL Pointer dereference (PHP bug #69782,
      CVE-2015-6838)
    - HAVAL gives wrong hashes in specific cases (PHP bug #70312)
    - ZipArchive::extractTo allows for directory traversal when creating
      directories (PHP bug #70350)
    - Buffer over-read in exif_read_data with TIFF IFD tag byte value of
      32 bytes (PHP bug #70385)
    - php_url_parse_ex() buffer overflow read (PHP bug #70480)
    - Make FileUitls::Canonicalize return the empty string if it
      encounters a path with a null byte (CVE-2016-1552)
    - Disallow null bytes in more path-type arguments (CVE-2016-1552)
    - Explicitly check for null bytes in more cases (CVE-2016-1552)
    - Run __wakeup() on unserialized objects at end of unserialization in
      iptcembed
    - Fix heap overflow(s) in iptcembed
  * Backport upstream fix for isnan/isinf that should fix an FTBFS with
    glibc 2.23 (currently in experimental). (Closes: #818831)

  [ Giuseppe Lavagetto ]
  * Trivial fix to the upstart script.

 -- Faidon Liambotis  Wed, 23 Mar 2016 16:04:42 +0200

hhvm (3.12.0+dfsg-1) unstable; urgency=medium

  * New upstream release.
  * Refresh all debian/patches; drop:
    - typos: merged upstream
    - pass-DNDEBUG-to-RelWithDebInfo: merged upstream
    - fix-makeparser-bison3: merged upstream
    - reproducible-sort: merged upstream
  * Updated patch output-buffer-fix-flush with the latest from D51855.
  * Add patch revert-unbreak-cjson that reverts a couple of upstream
    commits new in 3.12 that broke builds with libjson-c (and without the
    embedded JSON parser).
  * Minor adjustment to the reproducible-hack-hhi patch, to make the build
    umask-agnostic as well.
  * Update Standards-Version to 3.9.7.

 -- Faidon Liambotis  Fri, 26 Feb 2016 14:14:40 +0200

hhvm (3.11.1+dfsg-1) unstable; urgency=medium

  * New minor upstream release.
  * Build-depend on libpng-dev instead of libpng12-dev for the upcoming
    libpng transition. (Closes: #809873)
  * More reproducible fixes:
    - Create Hack's HHI tarball in a reproducible way.
    - Statically set HHVM_REPO_SCHEMA from debian/rules.
    - Pass LC_ALL=C to sort as called by proxygen's header generation
      script.
  * Add patch output-buffer-fix-flush, copied straight from upstream's
    GitHub, to fix large output streaming.
  * Update Vcs-Git and Vcs-Browser URLs for HTTPS and cgit.

 -- Faidon Liambotis  Wed, 03 Feb 2016 20:21:13 +0200

hhvm (3.11.0+dfsg-1) unstable; urgency=medium

  [ Faidon Liambotis ]
  * New upstream release.
  * Build with stock gcc again; folly's gcc 5.0 issues have been fixed.
  * Refresh all debian/patches; drop:
    - support-more-sql-stats: merged upstream
    - ezc-fix-z-type-in-zend_parse_parameters: was a backport
    - use_system_TZinfo: merged upstream
    - fix_freetype_include: unused/unneeded
    - hack_license.patch: obsolete
    - license_folly.patch: superfluous
  * Drop our own debian/-shipped manpages, as these have been merged into
    the upstream tree instead and enhanced since.
  * Add Build-depends on gawk, gperf, libboost-context-dev, libre2-dev,
    libgmp-dev.
  * Build-depend on libjpeg-dev instead of libjpeg62-dev. (Closes: #796932)
  * Build-depend on libvpx-dev to enable WebP support for gd.
  * Drop libiconv-hook-dev dependency and associated patch, libc6's
    iconv.h should be enough for HHVM and it doesn't appear like
    upstream's intention was ever to link against libiconv-hook.
  * Disable asynchronous MySQL support; it depends on the webscalesql fork
    of libmysqlclient-dev which is not packaged separately in Debian.
    Upstream bundles it under their third-party repository but it has been
    stripped from this packaging as the full forked MySQL 5.6 source is
    too big to be embedded into this package.
  * Drop patch enable_relro_hack, that enabled hardening (relro) for
    hh_client/hh_server. Current recommendation by the OCaml team is to
    not attempt to do any hardening until the OCaml runtime itself gets
    fixed first (#702349).
  * Add patch fix_stats_error to fix a MySQL statistics collection error.
  * Add patch fix-makeparser-bison3 to fix a make-parser.sh
    incompatibility when run with Bison3.
  * Set HOME to debian/build when running the tests so that HHVM can write
    the HHBC even when $HOME does not exist, or to not leave garbage
    behind when it exists.
  * Switch our Provides: hhvm-api-$version to the major/minor HHVM
    released, based on upstream's recommendation of using
    HHVM_VERSION_BRANCH.
  * Remove sources of build variance to hopefully make the build
    reproducible:
    - Pass $COMPILER_ID to the compilation process, based on the package's
      version from debian/changelog.
    - Add patch reproducible-sort to pass LC_ALL=C to sort.
    - Add patch reproducible-hack-builddate to remove __DATE__/__TIME__
      embedding from the Hack source code.
    - Add patch reproducible-hack-compilerid to force hack into using
      $COMPILER_ID instead of always using "git rev-parse".
  * Update debian/copyright with copyright information for files new in
    this version (mainly libraries shipped under third-party/).
  * Switch HHBC location path to /var/cache/hhvm, instead of
    /var/run/hhvm, since it can get large, there is little benefit from
    having it in memory and it can persist across reboots.
  * Switch default source root to /var/www/html.
  * Switch logging to syslog instead of custom, non-logrotated path in
    /var/log.
  * Ship /usr/bin/hh_format, the Hack formatter.
  * Ship hhvm-gdb and hhvm-leak-isolator in the hhvm-dbg package. This
    adds a Depends: python to the -dbg package, which is probably okay
    given hhvm-dbg's relative size to python, as well as its niche usage.
  * Recommend gdb from hhvm-dbg, as the symbols aren't very useful without
    gdb, and hhvm-gdb is a shell script that calls gdb.
  * Cleanup and update /etc/default/hhvm.
  * Update debian/watch.

  [ Giuseppe Lavagetto ]
  * Move the init script to using /lib/init/init-d-script.
  * Add upstart and systemd service files.

 -- Faidon Liambotis  Tue, 29 Dec 2015 02:57:38 +0200

hhvm (3.3.5+dfsg-1) unstable; urgency=medium

  [ David Martínez Moreno ]
  * New upstream release. Release date was 2015-03-04. 3.3 is the first
    LTS version of HHVM ever, which will have support for six months until
    mid August 2015. The main features from 3.3.5 are:
    - Support for async lambda functions in Hack.
    - Destructors for objects that are still alive at the end of the
      request are now called by default.
    - Much more of XDebug is implemented (including remote debugging and
      profiling).
    - Implemented APCIterator.
    - INI settings are now more widely supported, and more consistent.
    - Added a <<__Memoize>> user attribute for non-static methods with 0
      arguments.
    - Added the GMP extension.
    - It is now possible to load dynamic extensions from INI files.
    - Multiple 'default' blocks in a single switch are now a parse error.
    - Improved reflection compatibility.
    - Added typechecker support for interface requirements (similar to
      trait requirements).
    - Added support for PHP5.6-style argument unpacking:
      f($x, $y, ...$args).
    - Assorted performance and memory usage improvements.
    - Many extensions converted to HNI.
    - Improved HNI support for variadic functions.
    - hhvm-dev package added, making it possible to build some third-party
      extensions without rebuilding HHVM itself.
    - Many security fixes for PHP CVEs backported from PHP trunk and some
      of them from HHVM itself.
    In particular, CVE-2015-4663, CVE-2015-3413 and CVE-2015-4024 are
    fixed in this release.
  * debian/control: Depend on g++-4.9, as folly doesn't build on gcc-5.2.
  * debian/patches:
    - use_system_libzip: Merged.
    - use_system_libsqlite3: Merged.
    - use_system_lz4: Merged.
    - use_system_double_conversion: Merged.
    - fix_hphp_lexer: Merged.
    - disable_quicklz_code: Merged.
    - static_linking_against_libbfd: Merged.
    - add_additional_includes_imagemagick: Merged.
    - replace_obsolete_lz4_uncompress: Merged.
    - fix_freetype_include: Refreshed.
    - typos: Refreshed.
    - pass-DNDEBUG-to-RelWithDebInfo: Refreshed.
    - enable_relro_hack: The Hack binaries don't obey normal CFLAGS, so
      add manually the -z,relro option in the CMake config.
    - hack_license: Additional license for Hack tools.
  * debian/hhvm.{prerm,postrm}: Fix leftover alternatives
    (Closes: #793674).

  [ Giuseppe Lavagetto ]
  * First upgrade to 3.3.0.
  * debian/control: HHVM has a sort-of API/ABI compatibility number in the
    HHVM_API_VERSION define. To make it easier for extensions packagers to
    provide a correct dependency we add a Provides: hhvm-api-$version to
    the hhvm package. Also, changing the API_VERSION can allow packagers
    of hhvm itself to indicate to extensions packagers when to forcibly
    rebuild their packages.
  * debian/hhvm-dev.install: Fix hhvm-dev install paths.
  * debian/patches:
    - Fixed the config file path that is broken in 3.3.0.
    - Backported some patches from upstream for stability/functionality.
      Specifically:
      - use_system_TZinfo: Use the system timezone information,
        backported from PHP in Debian/Redhat.
      - support-more-sql-stats: Support DDL and empty select statements
        in SQL stats collection.
      - ezc-fix-z-type-in-zend_parse_parameters: Fix segfault for 'Z'
        type in extensions using the Zend compatibility layer.

 -- David Martínez Moreno  Wed, 19 Aug 2015 12:18:01 -0700

hhvm (3.2.0+dfsg1-2) unstable; urgency=medium

  [ Faidon Liambotis ]
  * Fix the build system to be able to build a release build but with
    debugging symbols (which we subsequently strip into hhvm-dbg), and
    pass -DCMAKE_BUILD_TYPE=RelWithDebInfo to configure.

  [ David Martínez Moreno ]
  * Remove the chmod 750 on /var/log/hhvm as it's really an error on the
    HHVM packaging.
  * debian/patches:
    - disable_quicklz_code: Disable the qlz* primitives, as they are
      GPL-licensed code linked to PHP-licensed one.
    - static_linking_against_libbfd: Static linking against libbfd per
      binutils-dev, backported from HEAD.
    - add_additional_includes_imagemagick: New ImageMagick broke the
      build, so add the arch includes to the build.
    - replace_obsolete_lz4_uncompress: In lz4 r122 or beyond,
      LZ4_uncompress() has been removed after being deprecated.
  * debian/copyright: Fixed some mistakes discovered with latest lintian.
  * debian/control: Bumped Standards-Version to 3.9.6 (no changes)
  * Added an additional override for lintian on PHP license, with comment.
  * Added a manpage for hphpize.

 -- David Martínez Moreno  Tue, 21 Oct 2014 03:19:54 -0700

hhvm (3.2.0+dfsg1-1) unstable; urgency=low

  [ David Martínez Moreno ]
  * Initial release. Lots of thanks to Faidon Liambotis, without whom this
    would have been way worse than it was. This has been a many-month
    effort and he was pushing all over the place. Also I'm extending my
    thanks to my coworker at Facebook Paul Tarjan to make me not forget
    about HHVM. I can't believe it's done! (closes: #727085).
  * Prepared a new 3.2.0 release without libzip, lz4 and such, and update
    TODO. There's a script in debian/repack to make new tarballs from the
    upstream ones.
  * Added debian/repack to create DFSG-compliant tarballs.
  * Added debian/README.source to cover the above procedure.
  * debian/rules: Build the package with -Wl,--as-needed to remove a
    couple of bogus dependencies.
  * debian/patches:
    - fix_freetype_include: Bad include in libgd.
    - use_system_libzip: Use the system's libzip.
    - typos: Lots of typos, most of them detected by lintian. Added the
      false positives to a lintian override file.
    - use_system_libsqlite: Use the system's libsqlite3.
    - fix_hphp_lexer: Add a missing semicolon in the HPHP lexer, already
      merged upstream.
    - link_libiconv_hook: The iconv library in Debian is called
      libiconv_hook, so change the CMake detection script to account for
      that.
    - fix_ldflags: Fix LDFLAGS injection of hardening flags.
  * Copied from upstream git debian/hhvm.1.ronn and converted for now to
    troff, and imported manually too hh_client/hh_server into debian/.
  * debian/postinst: Make HHVM an alternative with score 40 for php.

  [ Faidon Liambotis ]
  * debian/patches:
    - use_system_lz4: Use the system's liblz4.
    - use_system_double-conversion: Use the system's double-conversion
      library and remove the one in third-party.
    - public_headers_system: add header files from hphp/system/ too as at
      least systemlib.h is needed to build an extension.

 -- David Martínez Moreno  Fri, 05 Sep 2014 15:55:18 -0700