From: Raspbian automatic forward porter Date: Thu, 21 May 2026 06:14:59 +0000 (+0100) Subject: Merge version 8.4.16-1~deb13u1+rpi1 and 8.4.21-1~deb13u1 to produce 8.4.21-1~deb13u1... X-Git-Tag: archive/raspbian/8.4.21-1_deb13u1+rpi1^0 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=e41f7cb2ad66b117c8f579c8e07305e99a9eb3e6;p=php8.4.git Merge version 8.4.16-1~deb13u1+rpi1 and 8.4.21-1~deb13u1 to produce 8.4.21-1~deb13u1+rpi1 --- e41f7cb2ad66b117c8f579c8e07305e99a9eb3e6 diff --cc debian/changelog index b827506c,0f211e4a..4155ecab --- a/debian/changelog +++ b/debian/changelog @@@ -1,9 -1,22 +1,29 @@@ - php8.4 (8.4.16-1~deb13u1+rpi1) trixie-staging; urgency=medium ++php8.4 (8.4.21-1~deb13u1+rpi1) trixie-staging; urgency=medium + + [changes brought forward from 8.4.11-1+rpi1 by Peter Michael Green at Fri, 17 Oct 2025 01:23:38 +0000] + * Fix fpu setting for raspbian. + - -- Raspbian forward porter Fri, 09 Jan 2026 21:25:00 +0000 ++ -- Raspbian forward porter Thu, 21 May 2026 06:14:58 +0000 ++ + php8.4 (8.4.21-1~deb13u1) trixie-security; urgency=high + + * New upstream version 8.4.21 + + [CVE-2026-7263]: Dom\XMLDocument::C14N() emits duplicate xmlns + declarations after setAttributeNS() + + [CVE-2026-29078, CVE-2026-29079]: Upgrade to lexbor v2.7.0 + + [CVE-2026-6735]: XSS within status endpoint + + [CVE-2026-7259]: Null pointer dereference in php_mb_check_encoding() + via mb_ereg_search_init() + + [CVE-2026-6104]: Out-of-bounds access in mbfl_name2encoding_ex() + + [CVE-2025-14179]: SQL injection via NUL bytes in quoted strings + + [CVE-2026-6722]: Stale SOAP_GLOBAL(ref_map) pointer with Apache Map + + [CVE-2026-7261]: Use-after-free after header parsing failure with + SOAP_PERSISTENCE_SESSION + + [CVE-2026-7262]: Broken Apache map value NULL check + + [CVE-2026-7568]: Signed integer overflow of char array offset + + [CVE-2026-7258]: Consistently pass unsigned char to ctype.h functions + + -- Ondřej Surý Fri, 08 May 2026 07:56:48 +0200 php8.4 (8.4.16-1~deb13u1) 
trixie-security; urgency=high
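Review bot: The new top entry in debian/changelog, php8.4 (8.4.21-1~deb13u1+rpi1) trixie-staging, is left at urgency=medium, although the 8.4.21-1~deb13u1 entry merged directly below it is a trixie-security upload at urgency=high with a list of CVE fixes. Consider having the forward porter take the higher of the two urgencies for the merged entry, so this one would read "trixie-staging; urgency=high". The entry's only item is the carried-forward "Fix fpu setting for raspbian", so nothing in the +rpi1 stanza itself signals that this build picks up the security fixes; a reader has to infer it from the version number and the stanza underneath.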