CVE-2009-0754 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0754): PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server.
We also have that code in php-5.2.8-r2 /ext/mbstring/mbstring.c, but on line 1067. Patch: http://www.dfoerster.de/misc/php-27421.diff
rbu, why did you set whiteboard to "B3 [glsa?]"?!
From my understanding, this might lead to data disclosure or denial of service, but does not allow for injection of code into other contexts of Apache. Maybe I am mistaken there?
Seems to be fixed in recent PHP versions.
GLSA 201001-03. Thank you everyone, sorry about the delay.
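For auditing a shared host against the behaviour in the CVE description, the following added example (not code from this bug report or from PHP) lists every `.htaccess` file that sets `mbstring.func_overload`. It assumes mod_php-style `php_value`/`php_flag` directives; the function names and the sample file content are constructed for illustration.

```python
import os
import shlex

# Constructed sample .htaccess content (not taken from the bug report).
SAMPLE_HTACCESS = """\
# site tuning
RewriteEngine On
php_value memory_limit 64M
PHP_Value mbstring.func_overload 7
# php_value mbstring.func_overload 2
php_value \\
    mbstring.func_overload "4"
"""

def find_func_overload(text):
    """Return (line_number, value) for each mbstring.func_overload override."""
    hits, pending, start = [], "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not pending:
            start = lineno              # first physical line of the directive
        if raw.endswith("\\"):          # Apache joins backslash-continued lines
            pending += raw[:-1] + " "
            continue
        line, pending = (pending + raw).strip(), ""
        if not line or line.startswith("#"):
            continue                    # blank line or comment
        try:
            parts = shlex.split(line)   # strips quotes around the value
        except ValueError:
            parts = line.split()        # unbalanced quotes in unrelated rules
        # Apache directive names are case-insensitive; the ini key is matched as-is.
        if (len(parts) >= 3 and parts[0].lower() in ("php_value", "php_flag")
                and parts[1] == "mbstring.func_overload"):
            hits.append((start, parts[2]))
    return hits

def scan_tree(root):
    """Yield (path, line_number, value) for every .htaccess under root."""
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, value in find_func_overload(fh.read()):
                    yield path, lineno, value

if __name__ == "__main__":
    for lineno, value in find_func_overload(SAMPLE_HTACCESS):
        print(f"line {lineno}: mbstring.func_overload = {value}")
```

Run `scan_tree()` over the directory that holds the virtual hosts' document roots to get one result per overriding file.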