php7-7.4.6-3.3.1

- Use /run/php-fpm instead of /run/php
- modified sources
  % php-fpm.tmpfiles.d

- updated to 7.4.6: This is a security release which also contains
  several bug fixes. See https://www.php.net/ChangeLog-7.php#7.4.6

- added patches
  build fixes in SLE12
  + php7-arm-build-fixes.patch

- added to SLE-12 [jsc#SLE-12474]

- spec file usable under SLE12 again and better prepared for
  phpM -> phpMN transition

- added to SLE-15-SP2 [jsc#SLE-12482], including fixes for:
  CVE-2020-7063 [bsc#1165289]
  CVE-2020-7062 [bsc#1165280]
  CVE-2019-11046, CVE-2019-11050, CVE-2019-11047, CVE-2019-11045

- updated to 7.4.5: This is a security release which also contains
  several bug fixes. See https://www.php.net/ChangeLog-7.php#7.4.5

- remove Berkeley DB Database support [jsc#SLE-12210]

- build firebird extension in any case

- updated to 7.4.4: This is a security release which also contains
  several bug fixes. See https://www.php.net/ChangeLog-7.php#7.4.4

- Enable LTO as it works now (boo#1133275).

- updated to 7.4.3: This is a security release which also contains
  several bug fixes. See https://www.php.net/ChangeLog-7.php#7.4.3

- add %apache_rex_deps

- updated to 7.4.2: This is a security release which also contains
  several bug fixes. See https://www.php.net/ChangeLog-7.php#7.4.2

- updated to 7.4.1: This is a security release which also contains
  several bug fixes. See https://www.php.net/ChangeLog-7.php#7.4.1
- deleted patches
  - php-fix-mysqlnd-compression-library.patch
  - php-fpm-service-fails-to-start.patch

- php7-devel requires glibc-devel, libxml2-devel, pcre2-devel
  again

- relax systemd restrictions for FPM as they were too strict in
  some applications
- change leftover Requires php7-<extension> to php-<extension>
- remove external libraries from -devel subpackage
- added patches
  + php-fpm-service-fails-to-start.patch

- update to 7.4.0:
  * Typed Properties
  * Arrow Functions
  * Limited Return Type Covariance and Argument Type Contravariance
  * Unpacking Inside Arrays
  * Numeric Literal Separator
  * Weak References
  * Allow Exceptions from __toString()
  * Opcache Preloading
  * The interbase and wddx extensions are removed and now
    available through PECL
  * PEAR is now packaged separately in php7-pear source package
    (https://externals.io/message/103977)
  * See https://www.php.net/ChangeLog-7.php#7.4.0 for a complete
    list of changes
- deleted patches
  - php-suse-addons.tar.bz
  - php-systzdata-v18.patch
- added patches
  + php-fix-mysqlnd-compression-library.patch
  + php-systzdata-v19.patch
  + mod_php7.conf
- modified files/patches
  % php-no-build-date.patch
  % php-systemd-unit.patch
  % php7.keyring (use keys of the PHP-7.4 release managers)
  % php7.rpmlintrc

- security update
- added patches
  CVE-2025-14178 [bsc#1255711], heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE
  * php7-CVE-2025-14178.patch

- security update
- added patches
  CVE-2025-1220 [bsc#1246167], unprocessed null bytes in hostnames can lead to SSRF
  + php7-CVE-2025-1220.patch
  CVE-2025-1735 [bsc#1246146], pgsql extension does not properly handle errors within escape functions
  + php7-CVE-2025-1735.patch
  CVE-2025-6491 [bsc#1246148], NULL pointer dereference when processing a SoapVar with a fully qualified name that is longer than 2G
  + php7-CVE-2025-6491.patch

- security update
- modified patches
  % php-php-config.patch (-p1)
  % php-phpize.patch (-p1)
- added patches
  fix CVE-2024-11235 [bsc#1239666], Reference counting in php_request_shutdown causes Use-After-Free
  + php7-CVE-2024-11235.patch
  fix CVE-2025-1217 [bsc#1239664], Header parser of `http` stream wrapper does not handle folded headers
  + php7-CVE-2025-1217.patch
  fix CVE-2025-1734 [bsc#1239668], Streams HTTP wrapper does not fail for headers with invalid name and no colon
  + php7-CVE-2025-1734.patch
  fix CVE-2025-1736 [bsc#1239670], Stream HTTP wrapper header check might omit basic auth header
  + php7-CVE-2025-1736.patch
  fix CVE-2025-1861 [bsc#1239669], Stream HTTP wrapper truncate redirect location to 1024 bytes
  + php7-CVE-2025-1861.patch
  fix CVE-2025-1219 [bsc#1239667], libxml streams use wrong `content-type` header when requesting a redirected resource
  + php8-CVE-2025-1219.patch

- security update
- added patches
  fix CVE-2024-11233 [bsc#1233702], single-byte buffer overread due to missing bounds check when processing input with convert.quoted-printable-decode filters
  + php7-CVE-2024-11233.patch
  fix CVE-2024-11234 [bsc#1233703], configuring streams with a proxy and the 'request_fulluri' context option might allow for CRLF injection in URIs
  + php7-CVE-2024-11234.patch
  fix CVE-2024-8929 [bsc#1233651], In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of its heap containing data from other SQL requests ...
  + php7-CVE-2024-8929.patch

- security update
- added patches
  fix CVE-2024-8925 [bsc#1231360], erroneous parsing of multipart form data in HTTP POST requests leads to legitimate data not being processed
  + php7-CVE-2024-8925.patch
  fix CVE-2024-8927 [bsc#1231358], cgi.force_redirect configuration is bypassable due to an environment variable collision
  + php7-CVE-2024-8927.patch
  fix CVE-2024-9026 [bsc#1231382], pollution of worker output logs in PHP-FPM
  + php7-CVE-2024-9026.patch

- security update
- added patches
  fix CVE-2024-5458 [bsc#1226073], filter bypass in filter_var FILTER_VALIDATE_URL
  + php7-CVE-2024-5458.patch

- security update
- added patches
  fix CVE-2024-2756 [bsc#1222857], host/secure cookie bypass due to partial fix
  + php7-CVE-2024-2756.patch
  fix CVE-2024-3096 [bsc#1222858], password_verify can erroneously return true, opening ATO risk
  + php7-CVE-2024-3096.patch

- ensure we are building against openssl-1_1

- security update
- added patches
  fix CVE-2023-3823 [bsc#1214106], XML loading external entity without being enabled
  + php7-CVE-2023-3823.patch
  fix CVE-2023-3824 [bsc#1214103], buffer overflows in phar_dir_read()
  + php7-CVE-2023-3824.patch

- security update
- added patches
  fix CVE-2023-3247 [bsc#1212349], Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP
  + php7-CVE-2023-3247.patch

- security update
- added patches
  fix CVE-2022-4900 [bsc#1209537], potential buffer overflow via PHP_CLI_SERVER_WORKERS environment variable
  + php7-CVE-2022-4900.patch

- fix potential buffer overflow [bsc#1208199]
- modified patches
  % php-systzdata-v19.patch (refreshed)

- ensure extension=mysqlnd will be called before extension=mysqli
  [bsc#1205162]

- security update
- added patches
  fix CVE-2023-0568 [bsc#1208366], NULL byte off-by-one in php_check_specific_open_basedir
  + php7-CVE-2023-0568.patch
  fix CVE-2023-0662 [bsc#1208367], DoS vulnerability when parsing multipart request body
  + php7-CVE-2023-0662.patch
  https://github.com/php/php-src/commit/a92acbad873a05470af1a47cb785a18eadd827b5, relates to CVE-2023-0567 [bsc#1208388]
  + php7-crypt-possible-buffer-overread.patch

- security update
- added patches
  fix CVE-2022-31631 [bsc#1206958], Due to an integer overflow PDO:quote() may return unquoted string
  + php7-CVE-2022-31631.patch

- security update
- added patches
  fix CVE-2022-31626 [bsc#1200628], buffer overflow via user-supplied password when using pdo_mysql extension with mysqlnd driver
  + php7-CVE-2022-31626.patch

- security update
- added patches
  fix CVE-2021-21707 [bsc#1193041], special character breaks path in xml parsing
  + php7-CVE-2021-21707.patch

- security update
- added patches
  fix CVE-2021-21708 [bsc#1196252], Use after free due to php_filter_float() failing for ints
  + php7-CVE-2021-21708.patch

- security update
- added patches
  fix CVE-2017-8923 [bsc#1038980], denial of service (application crash) by using .= with a long string (zend_string_extend func in Zend/zend_string.h)
  + php7-CVE-2017-8923.patch

- security update
- added patches
  fix CVE-2021-21707 [bsc#1193041], special character breaks path in xml parsing
  + php7-CVE-2021-21707.patch

- security update
- added patches
  fix CVE-2021-21703 [bsc#1192050], Local privilege escalation via PHP-FPM
  + php7-CVE-2021-21703.patch

- added patches [bsc#1175508]
  fix https://github.com/php/php-src/pull/7428
  + php7-bsc1175508.patch

- security update
- added patches
  fix CVE-2021-21704 [bsc#1188035], security issues in pdo_firebase module
  + php7-CVE-2021-21704.patch

- security update
- added patches
  fix CVE-2021-21705 [bsc#1188037], SSRF bypass in FILTER_VALIDATE_URL
  + php7-CVE-2021-21705.patch

- security update
- added patches
  fix CVE-2021-21702 [bsc#1182049], NULL pointer dereference in SoapClient
  + php7-CVE-2021-21702.patch

- security update
- added patches
  fix CVE-2020-7071 [bsc#1180706], FILTER_VALIDATE_URL accepts URLs with invalid userinfo
  + php7-CVE-2020-7071.patch

- security update
- added patches
  fix CVE-2022-31625 [bsc#1200645], uninitialized pointers free in Postgres extension
  + php7-CVE-2022-31625.patch

- security update
- added patches
  fix CVE-2022-31625 [bsc#1200645], uninitialized pointers free in Postgres extension
  + php7-CVE-2022-31625.patch

- security update [bsc#1197644]
- added patches
  fix https://github.com/php/php-src/commit/771dbdb319fa7f90584f6b2cc2c54ccff570492d
  + php7-signedness-php_filter_validate_domain.patch

- version update to 7.4.33 [bsc#1204577][bsc#1204979]
    03 Nov 2022
    GD:
    Fixed bug #81739: OOB read due to insufficient input validation in imageloadfont(). (CVE-2022-31630)
    Hash:
    Fixed bug #81738: buffer overflow in hash_update() on long parameter. (CVE-2022-37454)

- version update to 7.4.32 [jsc#SLE-23639]
  Version 7.4.32
  29 Sep 2022
    Core:
    Fixed bug #81726: phar wrapper: DOS when using quine gzip file. (CVE-2022-31628)
    Fixed bug #81727: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning. (CVE-2022-31629)
  Version 7.4.30
  09 Jun 2022
    mysqlnd:
    Fixed bug #81719: mysqlnd/pdo password buffer overflow. (CVE-2022-31626)
    pgsql:
    Fixed bug #81720: Uninitialized array in pg_query_params(). (CVE-2022-31625)
  Version 7.4.29
  14 Apr 2022
    Core:
    No source changes to this release. This update allows for re-building the Windows binaries against upgraded dependencies which have received security updates.
    Date:
    Updated to latest IANA timezone database (2022a).
  Version 7.4.28
  17 Feb 2022
    Filter:
    Fix #81708: UAF due to php_filter_float() failing for ints (CVE-2021-21708)
  Version 7.4.27
  16 Dec 2021
    Core:
    Fixed bug #81626 (Error on use static:: in __сallStatic() wrapped to Closure::fromCallable()).
    FPM:
    Fixed bug #81513 (Future possibility for heap overflow in FPM zlog).
    GD:
    Fixed bug #71316 (libpng warning from imagecreatefromstring).
    OpenSSL:
    Fixed bug #75725 (./configure: detecting RAND_egd).
    PCRE:
    Fixed bug #74604 (Out of bounds in php_pcre_replace_impl).
    Standard:
    Fixed bug #81618 (dns_get_record fails on FreeBSD for missing type).
    Fixed bug #81659 (stream_get_contents() may unnecessarily overallocate).
  Version 7.4.26
  18 Nov 2021
    Core:
    Fixed bug #81518 (Header injection via default_mimetype / default_charset).
    Date:
    Fixed bug #81500 (Interval serialization regression since 7.3.14 / 7.4.2).
    MBString:
    Fixed bug #76167 (mbstring may use pointer from some previous request).
    MySQLi:
    Fixed bug #81494 (Stopped unbuffered query does not throw error).
    PCRE:
    Fixed bug #81424 (PCRE2 10.35 JIT performance regression).
    Streams:
    Fixed bug #54340 (Memory corruption with user_filter).
    XML:
    Fixed bug #79971 (special character is breaking the path in xml function). (CVE-2021-21707)
- fixes [bsc#1203867] and [bsc#1203870]
- deleted patches
  - php7-CVE-2021-21707.patch (upstreamed)
  - php7-CVE-2021-21708.patch (upstreamed)
  - php7-CVE-2022-31625.patch (upstreamed)
  - php7-CVE-2022-31626.patch (upstreamed)

- fix ghost name for /run/php-fpm [bsc#1173786]

- security update
- added patches
  fix CVE-2020-7069 [bsc#1177351], when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is used
  + php7-CVE-2020-7069.patch
  fix CVE-2020-7070 [bsc#1177352], Percent-encoded cookies can be used to overwrite existing prefixed cookie names
  + php7-CVE-2020-7070.patch

- security update
- added patches
  fix CVE-2020-7068 [bsc#1175223], Use of freed hash key in the phar_parse_zipfile function
  + php7-CVE-2020-7068.patch

- do not install outdated README.SUSE [bsc#1174010]

- do not install %{_tmpfilesdir}, %{_tmpfilesdir}/php-fpm.conf in
  test favour

- added tmpfiles.d for php-fpm to provide a base base for a socket
  (boo#1173786)

- security update
- added patches
  fix CVE-2019-11048 [bsc#1171999], supplying overly long filenames or field names if HTTP file uploads are allowed could lead to exhausting disk space on the server
  + php7-CVE-2019-11048.patch

- security update
- added patches
  fix CVE-2020-7064 [bsc#1168326], read one byte of uninitialized memory via malicious data
  + php7-CVE-2020-7064.patch
  fix CVE-2020-7066 [bsc#1168352], URL truncation if the URL contains zero (\0) character
  + php7-CVE-2020-7066.patch

- security update
- added patches
  fix CVE-2020-7062 [bsc#1165280], null pointer dereference when using file upload functionality under specific circumstances
  + php7-CVE-2020-7062.patch
  fix CVE-2020-7063 [bsc#1165289], creating PHAR archive using PharData:buildFromIterator() function will add files with default permissions
  + php7-CVE-2020-7063.patch

- security update
- added patches
  CVE-2020-7059 [bsc#1162629]
  + php7-CVE-2020-7059.patch
  CVE-2020-7060 [bsc#1162632]
  + php7-CVE-2020-7060.patch

- security update
- added patches
  CVE-2019-11045 [bsc#1159923]
  + php7-CVE-2019-11045.patch
  CVE-2019-11046 [bsc#1159924]
  + php7-CVE-2019-11046.patch
  CVE-2019-11047 [bsc#1159922]
  + php7-CVE-2019-11047.patch
  CVE-2019-11050 [bsc#1159927]
  + php7-CVE-2019-11050.patch

- security update
- added patches
  CVE-2019-11043 [bsc#1154999]
  + php7-CVE-2019-11043.patch

- provide test results via multibuild :test [bsc#1119396]
- added sources
  + _multibuild

- drop -n from php invocation from pecl [bsc#1151793]
  https://github.com/pear/pear-core/commit/f94454a74785865cec50bf9d64c410efc29b587a

- turn off run of testsuite as we get Kernel panic on s390x

- security update
- added patches
  CVE-2019-11041 [bsc#1146360]
  + php7-CVE-2019-11041.patch
  CVE-2019-11042 [bsc#1145095]
  + php7-CVE-2019-11042.patch

- security update
- added patches
  CVE-2019-11039 [bsc#1138173]
  + php-CVE-2019-11039.patch
  CVE-2019-11040 [bsc#1138172]
  + php-CVE-2019-11040.patch

- security update
- added patches
  CVE-2019-11036 [bsc#1134322]
  + php-CVE-2019-11036.patch

- security update
- added patches
  CVE-2019-11034 [bsc#1132838]
  + php-CVE-2019-11034.patch
  CVE-2019-11035 [bsc#1132837]
  + php-CVE-2019-11035.patch

- security update
- added patches
  CVE-2019-9637 [bsc#1128892]
  + php-CVE-2019-9637.patch
  CVE-2019-9675 [bsc#1128886]
  + php-CVE-2019-9675.patch
  CVE-2019-9638 [bsc#1128889], CVE-2019-9639 [bsc#1128887]
  + php-CVE-2019-9638,9639.patch
  CVE-2019-9640 [bsc#1128883]
  + php-CVE-2019-9640.patch

- upstream bug #41631 is already fixed [bsc#1129032]
- deleted sources
  - README.default_socket_timeout (not needed)

- security update
  * CVE-2019-9024 [bsc#1126821]
    + php-CVE-2019-9024.patch
  * CVE-2019-9020 [bsc#1126711]
    + php-CVE-2019-9020.patch
  * CVE-2018-20783 [bsc#1127122]
    + php-CVE-2018-20783.patch
  * CVE-2019-9021 [bsc#1126713]
    + php-CVE-2019-9021.patch
  * CVE-2019-9022 [bsc#1126827]
    + php-CVE-2019-9022.patch
  * CVE-2019-9023 [bsc#1126823]
    + php-CVE-2019-9023.patch
  * CVE-2019-9641 [bsc#1128722]
    + php-CVE-2019-9641.patch

- asan_build: build ASAN included
- debug_build: build more suitable for debugging

- Enable testsuite during build time and save log to subpackage
   testresults (boo#1119396)

- add security patch of imap extension, which is currently disabled
  * CVE-2018-19935 [bsc#1118832]
    + php-CVE-2018-19935.patch

- security update
  * CVE-2018-17082 [bsc#1108753]
    + php-CVE-2018-17082.patch

- reenable php7-dba support of Berkeley DB [bsc#1108554]

- align patch names:
  php7-CVE-2018-14851.patch -> php-CVE-2018-14851.patch
  php7-CVE-2017-9120.patch -> php-CVE-2017-9120.patch
  php7-CVE-2018-1000222.patch -> php-CVE-2018-1000222.patch

- security update:
  * CVE-2018-1000222 [bsc#1105434]
    + php-CVE-2018-1000222.patch

- security update
  * CVE-2018-14851 [bsc#1103659]
    + php-CVE-2018-14851.patch
  * CVE-2017-9120 [bsc#1103661]
    + php-CVE-2017-9120.patch

- security update
  * CVE-2018-12882 [bsc#1099098]
    + php-CVE-2018-12882.patch

- main package requires wwwrun:www user [bsc#1093025]

- better workaround for [bsc#1089487]: build mod_phpN.so
  instead of libphpN.so

- rename freetype-pkgconfig.patch to php7-freetype-pkgconfig.patch
  to align with the rest of patch names

- Add freetype-pkgconfig.patch to fix build with new Freetype:
  use pkg-config to find Freetype libraries

- updated to 7.2.5: This is a security release which also contains
  several minor bug fixes.
  http://php.net/ChangeLog-7.php#7.2.5

- build-test.sh: generic spec file name