hhvm (3.12.1+dfsg-1ubuntu1) yakkety; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/p/libmysqlclient_r: build against libmysqlclient, not _r
      (LP: #1564871).

 -- Gianfranco Costamagna  Sat, 23 Apr 2016 16:15:15 +0200

hhvm (3.12.1+dfsg-1) unstable; urgency=medium

  [ Faidon Liambotis ]
  * New upstream minor release, multiple security fixes:
    - XSLTProcessor NULL Pointer dereference (PHP bug #69782, CVE-2015-6838)
    - HAVAL gives wrong hashes in specific cases (PHP bug #70312)
    - ZipArchive::extractTo allows for directory traversal when creating
      directories (PHP bug #70350)
    - Buffer over-read in exif_read_data with TIFF IFD tag byte value of
      32 bytes (PHP bug #70385)
    - php_url_parse_ex() buffer overflow read (PHP bug #70480)
    - Make FileUitls::Canonicalize return the empty string if it encounters
      a path with a null byte (CVE-2016-1552)
    - Disallow null bytes in more path-type arguments (CVE-2016-1552)
    - Explicitly check for null bytes in more cases (CVE-2016-1552)
    - Run __wakeup() on unserialized objects at end of unserialization in
      iptcembed
    - Fix heap overflow(s) in iptcembed
  * Backport upstream fix for isnan/isinf that should fix an FTBFS with
    glibc 2.23 (currently in experimental). (Closes: #818831)

  [ Giuseppe Lavagetto ]
  * Trivial fix to the upstart script.

 -- Faidon Liambotis  Wed, 23 Mar 2016 16:04:42 +0200

hhvm (3.12.0+dfsg-1) unstable; urgency=medium

  * New upstream release.
  * Refresh all debian/patches; drop:
    - typos: merged upstream
    - pass-DNDEBUG-to-RelWithDebInfo: merged upstream
    - fix-makeparser-bison3: merged upstream
    - reproducible-sort: merged upstream
  * Updated patch output-buffer-fix-flush with the latest from D51855.
  * Add patch revert-unbreak-cjson that reverts a couple of upstream commits
    new in 3.12 that broke builds with libjson-c (and without the embedded
    JSON parser).
  * Minor adjustment to the reproducible-hack-hhi patch, to make the build
    umask-agnostic as well.
  * Update Standards-Version to 3.9.7.

 -- Faidon Liambotis  Fri, 26 Feb 2016 14:14:40 +0200

hhvm (3.11.1+dfsg-1ubuntu1) xenial; urgency=medium

  * Rebuild against libmysqlclient20.
  * d/p/libmysqlclient_r: build against libmysqlclient, not _r
    (LP: #1564871).
  * d/p/isnan: use std:: for isnan and isinf to fix FTBFS.

 -- Robie Basak  Mon, 18 Apr 2016 13:54:43 +0000

hhvm (3.11.1+dfsg-1) unstable; urgency=medium

  * New minor upstream release.
  * Build-depend on libpng-dev instead of libpng12-dev for the upcoming
    libpng transition. (Closes: #809873)
  * More reproducible fixes:
    - Create Hack's HHI tarball in a reproducible way.
    - Statically set HHVM_REPO_SCHEMA from debian/rules.
    - Pass LC_ALL=C to sort as called by proxygen's header generation
      script.
  * Add patch output-buffer-fix-flush, copied straight from upstream's
    GitHub, to large output streaming.
  * Update Vcs-Git and Vcs-Browser URLs for HTTPS and cgit.

 -- Faidon Liambotis  Wed, 03 Feb 2016 20:21:13 +0200

hhvm (3.11.0+dfsg-1) unstable; urgency=medium

  [ Faidon Liambotis ]
  * New upstream release.
  * Build with stock gcc again; folly's gcc 5.0 issues have been fixed.
  * Refresh all debian/patches; drop:
    - support-more-sql-stats: merged upstream
    - ezc-fix-z-type-in-zend_parse_parameters: was a backport
    - use_system_TZinfo: merged upstream
    - fix_freetype_include: unused/unneeded
    - hack_license.patch: obsolete
    - license_folly.patch: superfluous
  * Drop our own debian/-shipped manpages, as these have been merged into
    the upstream tree instead and enhanced since.
  * Add Build-depends on gawk, gperf, libboost-context-dev, libre2-dev,
    libgmp-dev.
  * Build-depend on libjpeg-dev instead of libjpeg62-dev. (Closes: #796932)
  * Build-depend on libvpx-dev to enable WebP support for gd.
  * Drop libiconv-hook-dev dependency and associated patch, libc6's iconv.h
    should be enough for HHVM and it doesn't appear like upstream's
    intention was ever to link against libiconv-hook.
  * Disable asynchronous MySQL support; it depends on the webscalesql fork
    of libmysqlclient-dev which is not packaged separately in Debian.
    Upstream bundles it under their third-party repository but it has been
    stripped from this packaging as the full forked MySQL 5.6 source is too
    big to be embedded into this package.
  * Drop patch enable_relro_hack, that enabled hardening (relro) for
    hh_client/hh_server. Current recommendation by the OCaml team is to not
    attempt to do any hardening until the OCaml runtime itself gets fixed
    first (#702349).
  * Add patch fix_stats_error to fix a MySQL statistics collection error.
  * Add patch fix-makeparser-bison3 to fix a make-parser.sh incompatibility
    when run with Bison3.
  * Set HOME to debian/build when running the tests so that HHVM can write
    the HHBC even when $HOME does not exist, or to not leave garbage behind
    when it exists.
  * Switch our Provides: hhvm-api-$version to the major/minor HHVM released,
    based on upstream's recommendation of using HHVM_VERSION_BRANCH.
  * Remove sources of build variance to hopefully make the build
    reproducible:
    - Pass $COMPILER_ID to the compilation process, based on the package's
      version from debian/changelog.
    - Add patch reproducible-sort to pass LC_ALL=C to sort.
    - Add patch reproducible-hack-builddate to remove __DATE__/__TIME__
      embedding from the Hack source code.
    - Add patch reproducible-hack-compilerid to force hack into using
      $COMPILER_ID instead of always using "git rev-parse".
  * Update debian/copyright with copyright information for files new in
    this version (mainly libraries shipped under third-party/).
  * Switch HHBC location path to /var/cache/hhvm, instead of /var/run/hhvm,
    since it can get large, there is little benefit from having it in
    memory and it can persist across reboots.
  * Switch default source root to /var/www/html.
  * Switch logging to syslog instead of custom, non-logrotated path in
    /var/log.
  * Ship /usr/bin/hh_format, the Hack formatter.
  * Ship hhvm-gdb and hhvm-leak-isolator in the hhvm-dbg package. This adds
    a Depends: python to the -dbg package, which is probably okay given
    hhvm-dbg's relative size to python, as well as its niche usage.
  * Recommend gdb from hhvm-dbg, as the symbols aren't very useful without
    gdb, and hhvm-gdb is a shell script that calls gdb.
  * Cleanup and update /etc/default/hhvm.
  * Update debian/watch.

  [ Giuseppe Lavagetto ]
  * Move the init script to using /lib/init/init-d-script.
  * Add upstart and systemd service files.

 -- Faidon Liambotis  Tue, 29 Dec 2015 02:57:38 +0200

hhvm (3.3.5+dfsg-1) unstable; urgency=medium

  [ David Martínez Moreno ]
  * New upstream release. Release date was 2015-03-04. 3.3 is the first
    LTS version of HHVM ever, which will have support for six months until
    mid August 2015. The main features from 3.3.5 are:
    - Support for async lambda functions in Hack.
    - Destructors for objects that are still alive at the end of the
      request are now called by default.
    - Much more of XDebug is implemented (including remote debugging and
      profiling).
    - Implemented APCIterator.
    - INI settings are now more widely supported, and more consistent.
    - Added a <<__Memoize>> user attribute for non-static methods with 0
      arguments.
    - Added the GMP extension.
    - It is now possible to load dynamic extensions from INI files.
    - Multiple 'default' blocks in a single switch are now a parse error.
    - Improved reflection compatibility.
    - Added typechecker support for interface requirements (similar to
      trait requirements).
    - Added support for PHP5.6-style argument unpacking:
      f($x, $y, ...$args).
    - Assorted performance and memory usage improvements.
    - Many extensions converted to HNI.
    - Improved HNI support for variadic functions.
    - hhvm-dev package added, making it possible to build some third-party
      extensions without rebuilding HHVM itself.
    - Many security fixes for PHP CVEs backported from PHP trunk and some
      of them from HHVM itself.
      In particular, CVE-2015-4663, CVE-2015-3413 and CVE-2015-4024 are
      fixed in this release.
  * debian/control: Depend on g++-4.9, as folly doesn't build on gcc-5.2.
  * debian/patches:
    - use_system_libzip: Merged.
    - use_system_libsqlite3: Merged.
    - use_system_lz4: Merged.
    - use_system_double_conversion: Merged.
    - fix_hphp_lexer: Merged.
    - disable_quicklz_code: Merged.
    - static_linking_against_libbfd: Merged.
    - add_additional_includes_imagemagick: Merged.
    - replace_obsolete_lz4_uncompress: Merged.
    - fix_freetype_include: Refreshed.
    - typos: Refreshed.
    - pass-DNDEBUG-to-RelWithDebInfo: Refreshed.
    - enable_relro_hack: The Hack binaries don't obey normal CFLAGS, so add
      manually the -z,relro option in the CMake config.
    - hack_license: Additional license for Hack tools.
  * debian/hhvm.{prerm,postrm}: Fix leftover alternatives
    (Closes: #793674).

  [ Giuseppe Lavagetto ]
  * First upgrade to 3.3.0.
  * debian/control: HHVM has a sort-of API/ABI compatibility number in the
    HHVM_API_VERSION define. To make it easier for extensions packagers to
    provide a correct dependency we add a Provides: hhvm-api-$version to
    the hhvm package. Also, changing the API_VERSION can allow packagers of
    hhvm itself to indicate extensions packagers when to forcibly rebuild
    their packages.
  * debian/hhvm-dev.install: Fix hhvm-dev install paths.
  * debian/patches:
    - Fixed the config file path that is broken in 3.3.0.
    - Backported some patches from upstream for stability/functionality.
      Specifically:
      - use_system_TZinfo: Use the system timezone information, backported
        from PHP in Debian/Redhat.
      - support-more-sql-stats: Support DDL and empty select statements in
        SQL stats collection.
      - ezc-fix-z-type-in-zend_parse_parameters: Fix segfault for 'Z' type
        in extensions using the Zend compatibility layer.

 -- David Martínez Moreno  Wed, 19 Aug 2015 12:18:01 -0700

hhvm (3.2.0+dfsg1-2) unstable; urgency=medium

  [ Faidon Liambotis ]
  * Fix the build system to be able to build a release build but with
    debugging symbols (which we subsequently strip into hhvm-dbg), and pass
    -DCMAKE_BUILD_TYPE=RelWithDebInfo to configure.

  [ David Martínez Moreno ]
  * Remove the chmod 750 on /var/log/hhvm as it's really an error on the
    HHVM packaging.
  * debian/patches:
    - disable_quicklz_code: Disable the qlz* primitives, as they are
      GPL-licensed code linked to PHP-licensed one.
    - static_linking_against_libbfd: Static linking against libbfd per
      binutils-dev, backported from HEAD.
    - add_additional_includes_imagemagick: New ImageMagick broke the build,
      so add the arch includes to the build.
    - replace_obsolete_lz4_uncompress: In lz4 r122 or beyond,
      LZ4_uncompress() has been removed after being deprecated.
  * debian/copyright: Fixed some mistakes discovered with latest lintian.
  * debian/control: Bumped Standards-Version to 3.9.6 (no changes)
  * Added an additional override for lintian on PHP license, with comment.
  * Added a manpage for hphpize.

 -- David Martínez Moreno  Tue, 21 Oct 2014 03:19:54 -0700

hhvm (3.2.0+dfsg1-1) unstable; urgency=low

  [ David Martínez Moreno ]
  * Initial release. Lots of thanks to Faidon Liambotis, without whom this
    would have been way worse than it was. This has been a many-month
    effort and he was pushing all over the place. Also I'm extending my
    thanks to my coworker at Facebook Paul Tarjan to make me not forget
    about HHVM. I can't believe it's done! (closes: #727085).
  * Prepared a new 3.2.0 release without libzip, lz4 and such, and update
    TODO. There's a script in debian/repack to make new tarballs from the
    upstream ones.
  * Added debian/repack to create DFSG-compliant tarballs.
  * Added debian/README.source to cover the above procedure.
  * debian/rules: Build the package with -Wl,--as-needed to remove a couple
    of bogus dependencies.
  * debian/patches:
    - fix_freetype_include: Bad include in libgd.
    - use_system_libzip: Use the system's libzip.
    - typos: Lots of typos, most of them detected by lintian. Added the
      false positives to a lintian override file.
    - use_system_libsqlite: Use the system's libsqlite3.
    - fix_hphp_lexer: Add a missing semicolon in the HPHP lexer, already
      merged upstream.
    - link_libiconv_hook: The iconv library in Debian is called
      libiconv_hook, so change the CMake detection script to account for
      that.
    - fix_ldflags: Fix LDFLAGS injection of hardening flags.
  * Copied from upstream git debian/hhvm.1.ronn and converted for now to
    troff, and imported manually too hh_client/hh_server into debian/.
  * debian/postinst: Make HHVM an alternative with score 40 for php.

  [ Faidon Liambotis ]
  * debian/patches:
    - use_system_lz4: Use the system's liblz4.
    - use_system_double-conversion: Use the system's double-conversion
      library and remove the one in third-party.
    - public_headers_system: add header files from hphp/system/ too as at
      least systemlib.h is needed to build an extension.

 -- David Martínez Moreno  Fri, 05 Sep 2014 15:55:18 -0700