It seems that all versions of PHP < 5.3.1 have a critical vulnerability to remote attacks. See provided URL.
We need a 5.3 ebuild, and maybe also a backport? PHP herd, what's your opinion on this?
I cannot confirm crashes or a hanging apache on Gentoo, Debian and a version I self-compiled. The load just increases to something like ~12 but not further, no swapping or OOM-killing happens, it's just hard disk I/O. On a system with a fast SSD, I can't see any increase in the load, but I haven't tweaked the parameters yet.
PHP 5.2.11, and 5.3.x before 5.3.1, does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive.
Fixed in 5.2.12.
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
Stable on alpha.
The htmlspecialchars function in PHP before 5.2.12 does not properly handle (1) overlong UTF-8 sequences, (2) invalid Shift_JIS sequences, and (3) invalid EUC-JP sequences, which allows remote attackers to conduct cross-site scripting (XSS) attacks by placing a crafted byte sequence before a special character.
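As an added illustration (not code from this bug report or from PHP itself) of the defence-in-depth check a site can keep regardless of the htmlspecialchars fix in 5.2.12: verify that untrusted text is well-formed UTF-8 before escaping it, and always name the charset explicitly. The function name safe_html and the sample inputs are constructed for this example.

```php
<?php
// Added example, not from the thread: escape untrusted text for HTML only
// after verifying that it is well-formed UTF-8. The bug fixed in 5.2.12 let
// malformed byte sequences pass through htmlspecialchars(); rejecting invalid
// encodings up front is an independent check that does not depend on the
// escaper's own handling of such sequences.

function safe_html($input)
{
    // mb_check_encoding() returns false for overlong sequences and other
    // malformed UTF-8, so nothing ambiguous reaches the escaper.
    if (!mb_check_encoding($input, 'UTF-8')) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    // Pass the charset explicitly; relying on the default ties the result to
    // php.ini and to the PHP version in use.
    return htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: an ordinary string, and one containing an overlong
// two-byte encoding of '/' (0xC0 0xAF), which valid UTF-8 never uses.
$samples = array(
    'valid'    => "a <b> & \"c\"",
    'overlong' => "a\xC0\xAFb",
);

foreach ($samples as $label => $text) {
    try {
        printf("%-8s => %s\n", $label, safe_html($text));
    } catch (InvalidArgumentException $e) {
        printf("%-8s => rejected (%s)\n", $label, $e->getMessage());
    }
}
```

The first sample is escaped normally; the second is rejected before htmlspecialchars() ever sees it.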
PHP before 5.2.12 does not properly handle session data, which has unspecified impact and attack vectors related to (1) interrupt corruption of the SESSION superglobal array and (2) the
Marked ppc stable.
Thank you everyone, sorry about the delay.