The latest batch of PHP releases (5.4.43, 5.5.27, 5.6.11) all fix security vulns. CVE-2015-3152 affects all of them (also known as BACKRONYM, TLS stripping for MySQL connections; it was originally found in libmysql, but affects PHP's mysqlnd in the same way).

The 5.6.11 release notes mention 5 security fixes; from the changelog these look like security fixes:

Fixed bug #69972 (Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk()).
Fixed bug #69737 (Segfault when SplMinHeap::compare produces fatal error).
Fixed bug #69970 (Use-after-free vulnerability in spl_recursive_it_move_forward_ex()).
Fixed bug #69864 (Segfault in preg_replace_callback).

5.5.43 and 5.5.27 also fix CVE-2015-{5589,5590}; these are not in 5.6, they are already tracked in #555576.

All fixed versions are already in the tree, can we proceed with stabilization?
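As an added example (not part of this bug report, the PHP project or the original BACKRONYM write-up), the following PHP code shows the client-side check a practitioner would want against the TLS-stripping class of bug above: request TLS via mysqli, then independently ask the server which cipher the session actually negotiated and refuse to continue if the answer is empty. On an unpatched mysqlnd/libmysql the MYSQLI_CLIENT_SSL request alone is advisory, because a man-in-the-middle who clears the server's SSL capability flag gets a plaintext session without any client error; the status query catches that regardless of client version. The host, credentials, database name and CA file path are assumptions for illustration.

```php
<?php
// Added example; not code from the bug thread or from PHP itself.
// Assumes a MySQL/MariaDB server at $host with TLS enabled and a CA
// certificate file at $caFile (hypothetical values supplied by the caller).
declare(strict_types=1);

function connectRequiringTls(string $host, string $user, string $pass, string $db, string $caFile): mysqli
{
    // Throw mysqli_sql_exception instead of returning false on errors.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    $m = mysqli_init();
    if ($m === false) {
        throw new RuntimeException('mysqli_init() failed');
    }

    // Ask for TLS, pin the CA and have the server certificate verified.
    // ssl_set(key, cert, ca_certificate, ca_path, cipher_algos)
    $m->ssl_set(null, null, $caFile, null, null);
    $m->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
    $m->real_connect($host, $user, $pass, $db, 3306, null, MYSQLI_CLIENT_SSL);

    // Independent check: the server reports the cipher it negotiated for
    // this session. An empty Ssl_cipher means the session is plaintext,
    // whatever the client was asked to do (TLS stripping, or a server
    // without TLS support).
    $row = $m->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
    if ($row === null || $row['Value'] === '') {
        $m->close();
        throw new RuntimeException('TLS was requested but not negotiated; refusing plaintext session');
    }

    return $m;
}

// Usage (hypothetical connection parameters):
$db = connectRequiringTls('db.example.internal', 'app', 'secret', 'appdb', '/etc/ssl/certs/internal-ca.pem');
```

The check is deliberately done with a status query rather than by trusting the connect flags, so it is useful on any PHP or libmysql version; a patched client will already fail at real_connect() when TLS cannot be negotiated, and the query then simply confirms the cipher in use.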
The new versions are all stable and the old ones have been removed.
All packages in the tree have fixes for this vulnerability. Please advise on GLSA.
Added to GLSA cc9dae4d6.
This issue was resolved and addressed in GLSA 201606-10 at https://security.gentoo.org/glsa/201606-10 by GLSA coordinator Kristian Fiskerstrand (K_F).