Version 5.6.17 Core: Fixed bug #66909 (configure fails utf8_to_mutf7 test). Fixed bug #70958 (Invalid opcode while using ::class as trait method paramater default value). Fixed bug #70957 (self::class can not be resolved with reflection for abstract class). Fixed bug #70944 (try{ } finally{} can create infinite chains of exceptions). Fixed bug #61751 (SAPI build problem on AIX: Undefined symbol: php_register_internal_extensions). FPM: Fixed bug #70755 (fpm_log.c memory leak and buffer overflow). GD: Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds). Mysqlnd: Fixed bug #68077 (LOAD DATA LOCAL INFILE / open_basedir restriction). SOAP: Fixed bug #70900 (SoapClient systematic out of memory error). Standard: Fixed bug #70960 (ReflectionFunction for array_unique returns wrong number of parameters). PDO_Firebird: Fixed bug #60052 (Integer returned as a 64bit integer on X64_86). WDDX: Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization). Fixed bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability). XMLRPC: Fixed bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker()). Version 5.5.31 FPM: Fixed bug #70755 (fpm_log.c memory leak and buffer overflow). GD: Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds). WDDX: Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization). Fixed bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability). XMLRPC: Fixed bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker()).
*** Bug 565808 has been marked as a duplicate of this bug. ***
Both fixed versions are now in the tree: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3cbb58f7b708c7457e823a84e8f0c70e9a5efd9 https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e949cd002a24b94279b4b563f438bfff2c67c755
Arches, please stabilize =dev-lang/php-5.5.31 =dev-lang/php-5.6.17 Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
amd64 : ok (builds) Have built both with: USE="apache2 bcmath berkdb bzip2 calendar cdb cgi cjk cli crypt ctype curl debug embed enchant exif fileinfo filter flatfile fpm ftp gd gdbm gmp hash iconv inifile intl iodbc ipv6 json kerberos ldap ldap-sasl libmysqlclient mhash mssql nls odbc opcache pcntl pdo phar posix postgres readline recode session sharedmem simplexml snmp soap sockets spell sqlite ssl sybase-ct systemd sysvipc tidy tokenizer truetype unicode vpx wddx xml xmlreader xmlrpc xmlwriter xpm xslt zip zlib (-firebird) (-frontbase) -imap -libedit -mysql -mysqli -oci8-instant-client -qdbm (-selinux) -threads"
amd64 stable
x86 stable
arm stable
Both stable on alpha.
ppc stable
Stable for HPPA PPC64.
sparc stable
ia64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
I've removed the affected versions. Just waiting on arm stabilization over in bug #577376 and then I'll get rid of a few more.
This issue was resolved and addressed in GLSA 201606-10 at https://security.gentoo.org/glsa/201606-10 by GLSA coordinator Kristian Fiskerstrand (K_F).