5.20 released fixing this issue:
http://php.net/ChangeLog-5.php#5.5.20

Comment 2 Ole Markus With (RETIRED) 2014-12-19 15:12:36 UTC

Bumped. Stabilise if necessary.

Comment 3 Kristian Fiskerstrand (RETIRED) 2014-12-19 22:55:53 UTC

Changing description to multiple vulnerabilities to also cover CVE-2014-8142: "Fixed bug #68594 (Use after free vulnerability in unserialize())(CVE-2014-8142)." described for the same updates

Comment 4 Kristian Fiskerstrand (RETIRED) 2014-12-19 23:21:44 UTC

Arches, please stabilize: 

=dev-lang/php-5.5.20
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

=dev-lang/php-5.4.36
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Comment 5 Jeroen Roovers (RETIRED) 2014-12-21 09:25:58 UTC

Stable for HPPA.

Comment 6 Agostino Sarubbo 2014-12-21 11:38:17 UTC

amd64 stable

Comment 7 Agostino Sarubbo 2014-12-21 11:43:03 UTC

x86 stable

Comment 8 Agostino Sarubbo 2014-12-23 09:36:46 UTC

alpha stable

Comment 9 Markus Meier 2014-12-23 12:44:16 UTC

arm stable

Comment 10 Agostino Sarubbo 2014-12-24 14:36:48 UTC

ppc stable

Comment 11 Agostino Sarubbo 2014-12-24 14:46:53 UTC

ppc64 stable

Comment 12 Agostino Sarubbo 2014-12-25 11:28:23 UTC

ia64 stable

Comment 13 Agostino Sarubbo 2014-12-26 09:30:00 UTC

sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment 14 GLSAMaker/CVETool Bot 2014-12-29 01:48:12 UTC

CVE-2014-8142 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8142):
  Use-after-free vulnerability in the process_nested_data function in
  ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20,
  and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via
  a crafted unserialize call that leverages improper handling of duplicate
  keys within the serialized properties of an object, a different
  vulnerability than CVE-2004-1019.

Comment 15 Yury German 2014-12-29 01:50:34 UTC

Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version(s).

New GLSA Request filed.

Comment 16 GLSAMaker/CVETool Bot 2015-01-11 21:02:52 UTC

CVE-2014-9427 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9427):
  sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x
  through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php
  file, does not properly consider the mapping's length during processing of
  an invalid file that begins with a # character and lacks a newline
  character, which causes an out-of-bounds read and might (1) allow remote
  attackers to obtain sensitive information from php-cgi process memory by
  leveraging the ability to upload a .php file or (2) trigger unexpected code
  execution if a valid PHP script is present in memory locations adjacent to
  the mapping.

Comment 17 Yury German 2015-02-01 02:25:18 UTC

Maintainer(s), it has been 30 days since request for cleanup. 
Please drop the vulnerable versions.

Comment 18 Sergey Popov (RETIRED) 2015-03-07 09:25:55 UTC

Cleanup would be done in bug #533998

Comment 19 GLSAMaker/CVETool Bot 2015-03-08 14:38:09 UTC

This issue was resolved and addressed in
 GLSA 201503-03 at http://security.gentoo.org/glsa/glsa-201503-03.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).