Not an april joke ;)
I just pushed out the fixed versions.
Arches, please test and mark stable:
=dev-lang/php-5.5.34
=dev-lang/php-5.6.20
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
What about 7.0.5?
(In reply to Tomáš Mózes from comment #3)
> What about 7.0.5?

The slot 7 is not stable; the stabilization won't happen in a security bug.
amd64 stable
x86 stable
(In reply to Agostino Sarubbo from comment #4)
> (In reply to Tomáš Mózes from comment #3)
> > What about 7.0.5?
>
> the slot 7 is not stable, the stabilization won't happen in a security bug.

That was more a question towards the php team.
Stable for PPC64.
Stable for HPPA.
arm stable
Alpha is skipping these in favor of =dev-lang/php-5.5.35/=dev-lang/php-5.6.21 from bug 581834.
CVE-2016-4073 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4073):
Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

CVE-2016-4072 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4072):
The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

CVE-2016-4071 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4071):
Format string vulnerability in the php_snmp_error function in ext/snmp/snmp.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via format string specifiers in an SNMP::get call.

CVE-2015-8865 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8865):
The file_check_mem function in funcs.c in file before 5.23, as used in the Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5, mishandles continuation-level jumps, which allows context-dependent attackers to cause a denial of service (buffer overflow and application crash) or possibly execute arbitrary code via a crafted magic file.
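The first entry above is an integer-overflow bug class in offset/length arithmetic. The following is an added illustration of that class and of the wrap-proof check that avoids it; it is not code from PHP or libmbfl, and `utf8_cut`, `unsafe_range_ok` and `safe_range_ok` are hypothetical helpers loosely modelled on what a byte-offset cut that snaps to character boundaries has to do. The sample string is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Overflow-prone bounds check: 'from + n' can wrap around to a small value,
 * so a huge 'from' passes the test and the caller reads far out of bounds. */
int unsafe_range_ok(size_t len, size_t from, size_t n)
{
    return from + n <= len;   /* wraps when from + n exceeds SIZE_MAX */
}

/* Wrap-proof check: compare n against the space remaining after 'from'
 * instead of forming the sum at all. */
int safe_range_ok(size_t len, size_t from, size_t n)
{
    return from <= len && n <= len - from;
}

static int is_utf8_continuation(unsigned char c)
{
    return (c & 0xC0) == 0x80;
}

/* Hypothetical byte-offset cut that snaps both edges back onto UTF-8
 * character boundaries. Returns a pointer into s and stores the byte
 * length in *out_len; returns NULL when 'from' lies past the buffer.
 * 'n' is clamped to the bytes that remain, so 'from + n' never overflows. */
const unsigned char *utf8_cut(const unsigned char *s, size_t len,
                              size_t from, size_t n, size_t *out_len)
{
    if (from > len) {
        *out_len = 0;
        return NULL;
    }
    if (n > len - from)           /* clamp instead of adding and wrapping */
        n = len - from;

    size_t start = from;
    size_t end = from + n;        /* safe: end <= len at this point */

    /* Move each edge backwards to the first byte of a character. */
    while (start > 0 && start < len && is_utf8_continuation(s[start]))
        start--;
    while (end > start && end < len && is_utf8_continuation(s[end]))
        end--;

    *out_len = end - start;
    return s + start;
}

int main(void)
{
    /* constructed sample: "héllo", 6 bytes, é is the two bytes C3 A9 */
    const unsigned char text[] = "h\xC3\xA9llo";
    size_t out;
    const unsigned char *p = utf8_cut(text, 6, 2, 3, &out);

    printf("cut from a mid-character offset: %.*s (%zu bytes)\n",
           (int)out, (const char *)p, out);
    printf("from=SIZE_MAX, n=2: unsafe check says %d, safe check says %d\n",
           unsafe_range_ok(6, SIZE_MAX, 2), safe_range_ok(6, SIZE_MAX, 2));
    return 0;
}
```

The point of `safe_range_ok` is that every comparison is against a value already known to be in range (`len - from` cannot underflow once `from <= len` holds), so no hostile pair of offset and length can make the check pass and then index past the buffer.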
This issue was resolved and addressed in GLSA 201611-22 at https://security.gentoo.org/glsa/201611-22 by GLSA coordinator Aaron Bauman (b-man).