php-5.3.3-40.AXS4

Description :
PHP is an HTML-embedded scripting language. PHP attempts to make it
easy for developers to write dynamically generated webpages. PHP also
offers built-in database integration for several commercial and
non-commercial database management systems, so writing a
database-enabled webpage with PHP is fairly simple. The most common
use of PHP coding is probably as a replacement for CGI scripts.

The php package contains the module which adds support for the PHP
language to Apache HTTP Server.

Security issues fixed with this release:
CVE-2014-3668
Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument to the xmlrpc_set_type function or (2) a crafted argument to the xmlrpc_decode function, related to an out-of-bounds read operation.

CVE-2014-3669
Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function that triggers calculation of a large length value.

CVE-2014-3670
The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted JPEG image with TIFF thumbnail data that is improperly handled by the exif_thumbnail function.

CVE-2014-3710
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Fixed bugs:

* Previously, a mysql link could be closed even when prepared statements still existed. So, executing those statements caused a segmentation fault. With this update, fixed it.

* Previously, the host HTTP header was missing from soap calls. So, HTTP requests were not RFC2616 compliant. With this update, fixed it.

* Previously, the php packages contained a bug concerning the oci_lob_load() function. So, compiling the php OCI8 module failed. With this update, fixed it.

* Previously, dependency on the Spl extension for the Session extension was missing from the php packages. So, Spl was uninitialized before Session, which made the autoload feature unavailable. With this update, fixed it.

* Previously, the php packages contained an inconsistency in the behavior of a static call in a non-static method. So, a call from the context's class (name, static or self) inside a non-static method results in a static-call. With this update, fixed it.