From ${URL} :

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-3735 to the following vulnerability:

** DISPUTED ** The Zend Engine in PHP before 5.4.16 RC1, and 5.5.0 before RC2, does not properly determine whether a parser error occurred, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash) via a crafted function definition, as demonstrated by an attack within a shared web-hosting environment. NOTE: the vendor's http://php.net/security-note.php page says "for critical security situations you should be using OS-level security by running multiple web servers each as their own user id."

References:
[1] https://bugs.php.net/bug.php?id=64660
[2] https://github.com/php/php-src/blob/php-5.4.16RC1/NEWS
[3] https://github.com/php/php-src/blob/php-5.5.0RC2/NEWS
[4] https://github.com/php/php-src/commit/fb58e69a84f4fde603a630d2c9df2fa3be16d846

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Will be stabilised as part of bug 472558. Removed the vulnerable rcs.
Added to GLSA request.
This issue was resolved and addressed in GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml by GLSA coordinator Kristian Fiskerstrand (K_F).