hhvm (3.12.11+dfsg-1build2) artful; urgency=medium

  * No-change rebuild against libevent-2.1-6

 -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 31 Jul 2017 02:41:28 +0000

hhvm (3.12.11+dfsg-1build1) zesty; urgency=medium

  * Rebuild against new OCaml ABI.

 -- Bhavani Shankar <bhavi@ubuntu.com>  Mon, 16 Jan 2017 20:54:32 +0530

hhvm (3.12.11+dfsg-1) unstable; urgency=medium

  [ Moritz Muehlenhoff ]
  * New upstream LTS releases, addressing multiple security issues.
    (Closes: #835032)
    From 3.12.2:
     - CVE-2015-8865 - Buffer overwrite in finfo_open with malformed magic
     - Integer overflow in iptcembed
     - CVE-2016-3074 - Fix signedness issue in libgd
     - CVE-2014-9709 - Fix a possible buffer read overflow in gd_gif_in.cpp
     - Prevent a potential nullptr dereference in ext_xsl
     - Don't segfault if you try to remove the last autoloader while
       adding a new one
     - CVE-2016-1903 - imagerotate information leak
     - FILTER_FLAG_STRIP_BACKTICK was being ignored unless other flags
       are set
     - CVE-2016-4539 - Fix a segfault in xml_parse_into_struct
     - Fix a potential null dereference in ZipArchive::extractTo
     - CVE-2016-4070 - Integer Overflow in php_raw_url_encode
    From 3.12.3:
     - CVE-2016-1000004 - Type safety in simplexml import routines
     - CVE-2016-1000004 - Fix param types for mcrypt_get_block_size()
       to match PHP
     - CVE-2016-1000006 - Fix use-after-free in
       serialize_memoize_param() and ResourceBundle::__construct()
     - CVE-2016-6870 - Use req::strndup in php_mb_parse_encoding_list to
       prevent oob memory write.
     - HHVM-2016-11781481 - Fix nullptr dereference in
       f_mysqli_stmt_bind{param,result}
     - HHVM-2016-11791940 - Avoid invalid array access in JSON_decode()
     - PHP-2016-0072337 - Fix a segfault with invalid dimensions and
       imagescale out of bounds read in ext_gd
    From 3.12.5:
     - CVE-2016-1000109: Ignore Proxy HTTP header from fastcgi requests
    From 3.12.6:
     - CVE-2016-6871 - Fix buffer overrun due to integer overflow in bcmath
     - CVE-2016-6872 - Fix integer overflow in StringUtil::implode
     - CVE-2016-6873 - Fix self recursion in compact
     - CVE-2016-6874 - Fix recursion checks in array_*_recursive
     - CVE-2016-6875 - Fix infinite recursion in wddx
     - PHP-2015-0070345 - [HHVM][Security] 0003 pcre preg bug 70345
    From 3.12.8:
     - ext_gd: exif_process_IFD_TAG: Use the right offset if reading from
       stream
     - Fix some color related crashes in libgd
     - Don't allow smart_str to overflow int
     - Integer overflow in _gd2GetHeader
     - Fix objprof refcounting
     - Fix buffer overruns in mb_send_mail
     - Integer overflow in gdImagePaletteToTrueColor
     - Null pointer dereference in _gdScaleVert
     - pass2_no_dither out-of-bounds access
    From 3.12.9:
     - Fix off-by-one index check in ThreadSafeLocaleHandler::actuallySetLocale
     - Prevent an integer overflow in _gdContributionsAlloc
     - Fix a potential overflow in tsrm_virtual_file_ex
     - Invalid transparent index can result in OOB read or write
     - Do not treat negative return values from bz2 as size_t
     - Fix OOB read in exif_process_IFD_in_MAKERNOTE
     - Prevent an OOB access in locale_accept_from_http
     - Avoid possible OOB using imagegif
     - Disable bad zend test
     - Add an option to explicitly disable NUMA support.
    From 3.12.10:
     - Fix a bug in StringUtil::Explode
     - Fix a couple of bugs in libgd
    From 3.12.11:
     - Prevent integer overflow in gdImageWebpCtx
     - Check depth values in json_decode
     - Prevent negative gamma values being passed to imagegammacorrect
     - Fix crypt with over-long salts
     - Memory leak in exif_process_IFD_in_TIFF
     - 9da Fix getimagesize returning FALSE on valid jpg

  [ Faidon Liambotis ]
  * Build against libmysqlclient, not libmysqlclient_r. Thanks to Robie Basak
    for the bug report and patch. (Closes: #825077)
  * Build-Depend on default-libmysqlclient-dev instead of libmysqlclient-dev.
    (Closes: #845852)
  * Add /bin/sh shebangs on maintainer scripts. (Closes: #843281)
  * Remove update-alternatives --remove from postrm, already included in prerm
    (and also causes a lintian warning).
  * Remove David Martínez Moreno from the Uploaders, at the request of the MIA
    team. (Closes: #843439)
  * Fix FTBFS with GCC 6, by backporting an upstream fix. (Closes: #812023)
  * Pass -fno-PIE/-no-pie to gcc to prevent a linking error with GCC 6's new
    configuration (--enable-default-pie) in combination with HHVM's
    hand-crafted assembly (translator-asm-helpers.S).
  * Build-Depend on libssl1.0-dev, as HHVM is not ready for OpenSSL 1.1.0 yet.
    (Closes: #828340)
  * Remove Build-Depends on libc-client2007e-dev and thus disable the IMAP
    extension. libc-client2007e-dev depends on libssl-dev 1.1.0, which
    conflicts with libssl1.0-dev and is thus impossible to satisfy.
  * Disable Folly's Fibers, as the current version is incompatible with Boost
    1.61 and thus FTBFS. The incompatibility has been fixed upstream but is
    too intrusive to backport, thus disable the functionality entirely.
    (Closes: #839303)
  * Temporarily disable the mcrouter extension as it requires Folly Fibers,
    that were disabled in this version (see above).
  * Backport an upstream fix to address an ICU Collation sort key
    incompatibility with PHP.
  * Backport an upstream fix to address a segfault when bzip2 and XMLReader
    are being used together.
  * Backport an upstream fix to address inconsistent regexp results when
    running with a newer PCRE version (8.38 instead of 8.32).
  * Disable test pcre_limit.php which now fails for unknown reasons;
    upstream seemingly has disabled the test as well for a while with no ill
    effects.
  * Add a Documentation line to the systemd service file.
  * Bump Standards-Version to 3.9.8, no changes needed.

 -- Faidon Liambotis <paravoid@debian.org>  Sun, 18 Dec 2016 02:13:55 +0200

hhvm (3.12.1+dfsg-1) unstable; urgency=medium

  [ Faidon Liambotis ]
  * New upstream minor release, multiple security fixes:
    - XSLTProcessor NULL Pointer dereference (PHP bug #69782, CVE-2015-6838)
    - HAVAL gives wrong hashes in specific cases (PHP bug #70312)
    - ZipArchive::extractTo allows for directory traversal when creating
      directories (PHP bug #70350)
    - Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32
      bytes (PHP bug #70385)
    - php_url_parse_ex() buffer overflow read (PHP bug #70480)
    - Make FileUitls::Canonicalize return the empty string if it encounters a
      path with a null byte (CVE-2016-1552)
    - Disallow null bytes in more path-type arguments (CVE-2016-1552)
    - Explicitly check for null bytes in more cases (CVE-2016-1552)
    - Run __wakeup() on unserialized objects at end of unserialization in
      iptcembed
    - Fix heap overflow(s) in iptcembed
  * Backport upstream fix for isnan/isinf that should fix an FTBFS with glibc
    2.23 (currently in experimental). (Closes: #818831)

  [ Giuseppe Lavagetto ]
  * Trivial fix to the upstart script.

 -- Faidon Liambotis <paravoid@debian.org>  Wed, 23 Mar 2016 16:04:42 +0200

hhvm (3.12.0+dfsg-1) unstable; urgency=medium

  * New upstream release.
  * Refresh all debian/patches; drop:
    - typos: merged upstream
    - pass-DNDEBUG-to-RelWithDebInfo: merged upstream
    - fix-makeparser-bison3: merged upstream
    - reproducible-sort: merged upstream
  * Updated patch output-buffer-fix-flush with the latest from D51855.
  * Add patch revert-unbreak-cjson that reverts a couple of upstream commits
    new in 3.12 that broke builds with libjson-c (and without the embedded
    JSON parser).
  * Minor adjustment to the reproducible-hack-hhi patch, to make the build
    umask-agnostic as well.
  * Update Standards-Version to 3.9.7.

 -- Faidon Liambotis <paravoid@debian.org>  Fri, 26 Feb 2016 14:14:40 +0200

hhvm (3.11.1+dfsg-1) unstable; urgency=medium

  * New minor upstream release.
  * Build-depend on libpng-dev instead of libpng12-dev for the upcoming libpng
    transition. (Closes: #809873)
  * More reproducible fixes:
    - Create Hack's HHI tarball in a reproducible way.
    - Statically set HHVM_REPO_SCHEMA from debian/rules.
    - Pass LC_ALL=C to sort as called by proxygen's header generation script.
  * Add patch output-buffer-fix-flush, copied straight from upstream's GitHub,
    to large output streaming.
  * Update Vcs-Git and Vcs-Browser URLs for HTTPS and cgit.

 -- Faidon Liambotis <paravoid@debian.org>  Wed, 03 Feb 2016 20:21:13 +0200

hhvm (3.11.0+dfsg-1) unstable; urgency=medium

  [ Faidon Liambotis ]
  * New upstream release.
  * Build with stock gcc again; folly's gcc 5.0 issues have been fixed.
  * Refresh all debian/patches; drop:
    - support-more-sql-stats: merged upstream
    - ezc-fix-z-type-in-zend_parse_parameters: was a backport
    - use_system_TZinfo: merged upstream
    - fix_freetype_include: unused/unneeded
    - hack_license.patch: obsolete
    - license_folly.patch: superfluous
  * Drop our own debian/-shipped manpages, as these have been merged into the
    upstream tree instead and enhanced since.
  * Add Build-depends on gawk, gperf, libboost-context-dev, libre2-dev,
    libgmp-dev.
  * Build-depend on libjpeg-dev instead of libjpeg62-dev. (Closes: #796932)
  * Build-depend on libvpx-dev to enable WebP support for gd.
  * Drop libiconv-hook-dev dependency and associated patch, libc6's iconv.h
    should be enough for HHVM and it doesn't appear like upstream's intention
    was ever to link against libiconv-hook.
  * Disable asynchronous MySQL support; it depends on the webscalesql fork of
    libmysqlclient-dev which is not packaged separately in Debian. Upstream
    bundles it under their third-party repository but it has been stripped
    from this packaging as the full forked MySQL 5.6 source is too big to be
    embedded into this package.
  * Drop patch enable_relro_hack, that enabled hardening (relro) for
    hh_client/hh_server. Current recommendation by the OCaml team is to not
    attempt to do any hardening until the OCaml runtime itself gets fixed
    first (#702349).
  * Add patch fix_stats_error to fix a MySQL statistics collection error.
  * Add patch fix-makeparser-bison3 to fix a make-parser.sh incompatibility
    when run with Bison3.
  * Set HOME to debian/build when running the tests so that HHVM can write the
    HHBC even when $HOME does not exist, or to not leave garbage behind when
    it exists.
  * Switch our Provides: hhvm-api-$version to the major/minor HHVM released,
    based on upstream's recommendation of using HHVM_VERSION_BRANCH.
  * Remove sources of build variance to hopefully make the build reproducible:
    - Pass $COMPILER_ID to the compilation process, based on the
      package's version from debian/changelog.
    - Add patch reproducible-sort to pass LC_ALL=C to sort.
    - Add patch reproducible-hack-builddate to remove __DATE__/__TIME__.
      embedding from the Hack source code.
    - Add patch reproducible-hack-compilerid to force hack into using
      $COMPILER_ID instead of always using "git rev-parse".
  * Update debian/copyright with copyright information for files new in this
    version (mainly libraries shipped under third-party/).
  * Switch HHBC location path to /var/cache/hhvm, instead of /var/run/hhvm,
    since it can get large, there is little benefit from having it in memory
    and it can persist across reboots.
  * Switch default source root to /var/www/html.
  * Switch logging to syslog instead of custom, non-logrotated path in
    /var/log.
  * Ship /usr/bin/hh_format, the Hack formatter.
  * Ship hhvm-gdb and hhvm-leak-isolator in the hhvm-dbg package. This adds a
    Depends: python to the -dbg package, which is probably okay given
    hhvm-dbg's relative size to python, as well as its niche usage.
  * Recommend gdb from hhvm-dbg, as the symbols aren't very useful without
    gdb, and hhvm-gdb is a shell script that calls gdb.
  * Cleanup and update /etc/default/hhvm.
  * Update debian/watch.

  [ Giuseppe Lavagetto ]
  * Move the init script to using /lib/init/init-d-script.
  * Add upstart and systemd service files.

 -- Faidon Liambotis <paravoid@debian.org>  Tue, 29 Dec 2015 02:57:38 +0200

hhvm (3.3.5+dfsg-1) unstable; urgency=medium

  [ David Martínez Moreno ]
  * New upstream release.  Release date was 2015-03-04.  3.3 is the first LTS
    version of HHVM ever, which will have support for six months until mid
    August 2015.  The main features from 3.3.5 are:
    - Support for async lambda functions in Hack.
    - Destructors for objects that are still alive at the end of the request
      are now called by default.
    - Much more of XDebug is implemented (including remote debugging and
      profiling).
    - Implemented APCIterator.
    - INI settings are now more widely supported, and more consistent.
    - Added a <<__Memoize>> user attribute for non-static methods with 0
      arguments.
    - Added the GMP extension.
    - It is now possible to load dynamic extensions from INI files.
    - Multiple ‘default’ blocks in a single switch are now a parse error.
    - Improved reflection compatibility.
    - Added typechecker support for interface requirements (similar to trait
      requirements).
    - Added support for PHP5.6-style argument unpacking: f($x, $y, ….$args).
    - Assorted performance and memory usage improvements.
    - Many extensions converted to HNI.
    - Improved HNI support for variadic functions.
    - hhvm-dev package added, making it possible to build some third-party
      extensions without rebuilding HHVM itself.
    - Many security fixes for PHP CVEs backported from PHP trunk and some of
      them from HHVM itself.  In particular, CVE-2015-4663, CVE-2015-3413 and
      CVE-2015-4024 are fixed in this release.
  * debian/control: Depend on g++-4.9, as folly doesn't build on gcc-5.2.
  * debian/patches:
    - use_system_libzip: Merged.
    - use_system_libsqlite3: Merged.
    - use_system_lz4: Merged.
    - use_system_double_conversion: Merged.
    - fix_hphp_lexer: Merged.
    - disable_quicklz_code: Merged.
    - static_linking_against_libbfd: Merged.
    - add_additional_includes_imagemagick: Merged.
    - replace_obsolete_lz4_uncompress: Merged.
    - fix_freetype_include: Refreshed.
    - typos: Refreshed.
    - pass-DNDEBUG-to-RelWithDebInfo: Refreshed.
    - enable_relro_hack: The Hack binaries don't obey normal CFLAGS, so add
      manually the -z,relro option in the CMake config.
    - hack_license: Additional license for Hack tools.
  * debian/hhvm.{prerm,postrm}: Fix leftover alternatives (Closes: #793674).

  [ Giuseppe Lavagetto ]
  * First upgrade to 3.3.0.
  * debian/control: HHVM has a sort-of API/ABI compatibility number in the
    HHVM_API_VERSION define. To make it easier for extensions packagers to
    provide a correct dependency we add a Provides: hhvm-api-$version to the
    hhvm package. Also, changing the API_VERSION can allow packagers of hhvm
    itself to indicate to extensions packagers when to forcibly rebuild their
    packages.
  * debian/hhvm-dev.install: Fix hhvm-dev install paths.
  * debian/patches:
    - Fixed the config file path that is broken in 3.3.0.
    - Backported some patches from upstream for stability/functionality.
      Specifically:
    - use_system_TZinfo: Use the system timezone information, backported from
      PHP in Debian/Redhat.
    - support-more-sql-stats: Support DDL and empty select statements in SQL
      stats collection.
    - ezc-fix-z-type-in-zend_parse_parameters: Fix segfault for 'Z' type in
      extensions using the Zend compatibility layer.

 -- David Martínez Moreno <ender@debian.org>  Wed, 19 Aug 2015 12:18:01 -0700

hhvm (3.2.0+dfsg1-2) unstable; urgency=medium

  [ Faidon Liambotis ]
  * Fix the build system to be able to build a release build but with
    debugging symbols (which we subsequently strip into hhvm-dbg), and pass
    -DCMAKE_BUILD_TYPE=RelWithDebInfo to configure.

  [ David Martínez Moreno ]
  * Remove the chmod 750 on /var/log/hhvm as it's really an error on the HHVM
    packaging.
  * debian/patches:
    - disable_quicklz_code: Disable the qlz* primitives, as they are
      GPL-licensed code linked to PHP-licensed one.
    - static_linking_against_libbfd: Static linking against libbfd per
      binutils-dev, backported from HEAD.
    - add_additional_includes_imagemagick: New ImageMagick broke the build,
      so add the arch includes to the build.
    - replace_obsolete_lz4_uncompress: In lz4 r122 or beyond, LZ4_uncompress()
      has been removed after being deprecated.
  * debian/copyright: Fixed some mistakes discovered with latest lintian.
  * debian/control: Bumped Standards-Version to 3.9.6 (no changes).
  * Added an additional override for lintian on PHP license, with comment.
  * Added a manpage for hphpize.

 -- David Martínez Moreno <ender@debian.org>  Tue, 21 Oct 2014 03:19:54 -0700

hhvm (3.2.0+dfsg1-1) unstable; urgency=low

  [ David Martínez Moreno ]
  * Initial release.  Lots of thanks to Faidon Liambotis, without whom this
    would have been way worse than it was.  This has been a many-month effort
    and he was pushing all over the place.  Also I'm extending my thanks to
    my coworker at Facebook Paul Tarjan to make me not forget about HHVM. I
    can't believe it's done! (closes: #727085).
  * Prepared a new 3.2.0 release without libzip, lz4 and such, and update
    TODO.  There's a script in debian/repack to make new tarballs from the
    upstream ones.
  * Added debian/repack to create DFSG-compliant tarballs.
  * Added debian/README.source to cover the above procedure.
  * debian/rules: Build the package with -Wl,--as-needed to remove a couple of
    bogus dependencies.
  * debian/patches:
    - fix_freetype_include: Bad include in libgd.
    - use_system_libzip: Use the system's libzip.
    - typos: Lots of typos, most of them detected by lintian. Added the
      false positives to a lintian override file.
    - use_system_libsqlite: Use the system's libsqlite3.
    - fix_hphp_lexer: Add a missing semicolon in the HPHP lexer, already
      merged upstream.
    - link_libiconv_hook: The iconv library in Debian is called libiconv_hook,
      so change the CMake detection script to account for that.
    - fix_ldflags: Fix LDFLAGS injection of hardening flags.
  * Copied from upstream git debian/hhvm.1.ronn and converted for now to
    troff, and imported manually too hh_client/hh_server into debian/.
  * debian/postinst: Make HHVM an alternative with score 40 for php.

  [ Faidon Liambotis ]
  * debian/patches:
    - use_system_lz4: Use the system's liblz4.
    - use_system_double-conversion: Use the system's double-conversion
      library and remove the one in third-party.
    - public_headers_system: add header files from hphp/system/ too as at
      least systemlib.h is needed to build an extension.

 -- David Martínez Moreno <ender@debian.org>  Fri, 05 Sep 2014 15:55:18 -0700
