- security issues
  . CVE-2018-10545 FPM: Dumpable FPM child processes allow bypassing opcache access controls (#75605)
  . CVE-2018-10546 iconv: stream filter convert.iconv leads to infinite loop on invalid sequence (#76249)
  . CVE-2018-10548 LDAP: Malicious LDAP-Server Response causes Crash (#76248)
  . CVE-2018-10547 Phar: fix for CVE-2018-5712 may not be complete (#76129)

- security issues
  . CVE-2017-7890 GD: Buffer over-read from unitialized data in gdImageCreateFromGifCtx function
  . CVE-2018-7584 Standard: tack-buffer-overflow while parsing HTTP response (#75981)

- security issues
  . CVE-2017-9224 fixed mbstring Oniguruma
  . CVE-2017-9226 fixed mbstring Oniguruma
  . CVE-2017-9227 fixed mbstring Oniguruma
  . CVE-2017-9228 fixed mbstring Oniguruma
  . CVE-2017-9229 fixed mbstring Oniguruma
- fixed execdir bugs
  . fixed #15 But when using "2>&1" in exec command
  . fixed #16 error "NULL byte detected."

- security issues
  . CVE-2016-9934 WDDX: NULL Pointer Dereference in WDDX Packet Deserialization with PDORow (#73331)
  . CVE-2016-9933 GD: imagefilltoborder stackoverflow on truecolor images (#72696)
  . CVE-2016-9935 WDDX: Invalid read when wddx decodes empty boolean elemen (#73631)
  . CVE-2016-10161 Standard: Heap out of bounds read on unserialize in finish_nested_data() (#73825)
  . CVE-2016-10159 Crash while loading hostile phar archive (#73764)
  . CVE-2016-10160 Memory corruption when loading hostile phar (#73768)
  . CVE-2016-10167 GD: DOS vulnerability in gdImageCreateFromGd2Ctx() (#73868)
  . CVE-2016-10168 GD: Signed Integer Overflow gd_io.c (#73869)
  . CVE-2016-10158 EXIF: FPE when parsing a tag format (#73737)

- security issues
  . execdir: backtics and $() syntax weakness after semi colon #8
    https://github.com/OOPS-ORG-PHP/mod_execdir/issues/8

- security issues
  . CVE-2016-7416 Intl: add locale length check (#73007)
  . CVE-2016-7412 Mysqlnd: Heap overflow in mysqlnd related to BIT fields (#72293)
  . CVE-2016-7414 Phar: Out of bound when verify signature of zip phar in phar_parse_zipfile (#72928)
  . CVE-2016-7417 SPL: Missing type check when unserializing SplArray (#73029)
  . CVE-2016-7413 WDDX: wddx_deserialize use-after-free (#72860)
  . CVE-2016-7418 WDDX: Out-Of-Bounds Read in php_wddx_push_element (#73065)
  . CVE-2016-7124 Core: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization (#72663)
  . CVE-2016-7125 Core: PHP Session Data Injection Vulnerability (#72681)
  . CVE-2016-7128 Exif: Memory Leakage In exif_process_IFD_in_TIFF (#72627)
  . CVE-2016-7126 GD: select_colors write out-of-bounds (#72697)
  . CVE-2016-7127 GD: imagegammacorrect allows arbitrary write access (#72730)
  . CVE-2016-7129 WDDX: wddx_deserialize allows illegal memory access (#72749)
  . CVE-2016-7130 WDDX: wddx_deserialize null dereference (#72750)
  . CVE-2016-7131 WDDX: wddx_deserialize null dereference with invalid xml (#72790)
  . CVE-2016-7132 WDDX: wddx_deserialize null dereference in php_wddx_pop_element (#72799)

- update 5.5.38
- update libevent extension to 0.1.1
- refix #71889 DateInterval::format Segmentation fault (missing 5.5.36-1)
- security issues
  . CVE-2016-5385 HTTP_PROXY is improperly trusted by some PHP libraries and applications (#72573)

- update 5.5.38
- security issues
  . Fixed bug #70480 Core: php_url_parse_ex() buffer overflow read
  . Fixed bug #69975 ODBC: PHP segfaults when accessing nvarchar(max) defined columns

- update 5.5.36
- fixed zend_mm_heap corrupted problems of exec_dir pathc
- security issues
  . CVE-2015-8874 Fixed bug #66387 Stack overflow with imagefilltoborder
  . CVE-2016-5096 Fixed bug #72114 Core: Integer underflow / arbitrary null write in fread/gzread
  . CVE-2016-5094 Fixed bug #72135 Core: Integer Overflow in php_html_entities
  . CVE-2013-7456 Fixed bug #72227 GD: imagescale out-of-bounds read
  . CVE-2016-5093 Fixed bug #72241 Intl: get_icu_value_internal out-of-bounds read
  . CVE-2016-4343 Fixed bug #71331 Phar: Uninitialized pointer in phar_make_dirstream()
  . CVE-2016-4537, CVE-2016-4538
    Fixed bug #72093 BCMatch: bcpowmod accepts negative scale and corrupts _one_ definition
  . CVE-2016-4542, CVE-2016-4543, CVE-2016-4544
    Fixed bug #72094 Exif: Out of bounds heap read access in exif header processing
  . CVE-2016-3074 Fixed bug #71912 GD: libgd: signedness vulnerability
  . CVE-2016-4540, CVE-2016-4541
    Fixed bug #72061 Intl: Out-of-bounds reads in zif_grapheme_stripos with negative offset
  . CVE-2016-4539 Fixed bug #72099 XML: xml_parse_into_struct segmentation fault)

- update 5.5.34
  . fixed bug #71889 DateInterval::format Segmentation fault
  . fixed bug #71527 Fileinfo: Buffer over-write in finfo_open
    with malformed magic file
  . fixed bug #71906 Mbstring: AddressSanitizer: negative-size-param
    (-1) in mbfl_strcut
  . fixed bug #71860 ODBC: Invalid memory write in phar on filename
    with \0 in name
  . fixed bug #71704 SNMP: php_snmp_error() Format String Vulnerability
  . fixed bug #71798 Standard: Integer Overflow in php_raw_url_encode

- update 5.5.33
- fixed security isseus
  . fixed bug #71498 Phar: Out-of-Bound Read in phar_parse_zipfile()
  . fixed bug #71587 WDDX: Use-After-Free / Double-Free in WDDX Deserialize

- update 5.5.32
- fixed security issues
  . CVE-2015-8383
  . CVE-2015-8386
  . CVE-2015-8387
  . CVE-2015-8389
  . CVE-2015-8390
  . CVE-2015-8391
  . CVE-2015-8393
  . CVE-2015-8394
  . fixed bug #71039 Core: exec functions ignore length but look for NULL termination
  . fixed bug #71323 Core: Output of stream_get_meta_data can be falsified by its input
  . fixed bug #71459 Core: Integer overflow in iptcembed()
  . fixed bug #71354 Phar: Heap corruption in tar/zip/phar parser
  . fixed bug #71391 Phar: NULL Pointer Dereference in phar_tar_setupmetadata()
  . fixed bug #71488 Phar: Stack overflow when decompressing tar archives
  . fixed bug #71335 WDDX: Type Confusion in WDDX Packet Deserialization

- update 5.5.31
- fixed security issues
  . #70755 FPM: fpm_log.c memory leak and buffer overflow
  . #70976 GD: Memory Read via gdImageRotateInterpolated Array Index Out of Bounds
  . #70728 XMLRPC: Type Confusion Vulnerability in PHP_to_XMLRPC_worker()

- update 5.5.30

- update 5.5.29
- fixed security issues
  . CVE-2015-6834 core: Use After Free Vulnerability in unserialize()
  . CVE-2015-6835 core: Use after free vulnerability in session deserializer
  . CVE-2015-6836 soap: SOAP serialize_function_call() type confusion / RCE
  . CVE-2015-6834 SPL:  Use-after-free vulnerability in unserialize() with SplObjectStorage
                        and SplDoublyLinkedList
  . CVE-2015-6837, CVE-2015-6838 XSLT: NULL pointer dereference
  . Exif(#70385), hash(#70312), PCRE(#70345), ZIP(#70350)

- update 5.5.28
- fixed php-pgsql obsolete

- update 5.5.27
- fixed security issues
  . CVE-2015-4024 core: PHP Multipart/form-data remote dos Vulnerability (#69364)
  . CVE-2015-4025 core: CVE-2006-7243 fix regressions in 5.4+ (#69418)
  . CVE-2015-4022 ftp: Integer overflow in ftp_genlist() resulting in heap overflow (#69545)
  . CVE-2015-4026 pcntl: pcntl_exec() should not allow null char (#68598)
  . CVE-2015-4021 Memory Corruption in phar_parse_tarfile when entry filename starts with null (#69453)
  . CVE-2015-4643 core: Integer overflow in ftp_genlist() resulting in heap overflow (#69545)
  . CVE-2015-4642 core: OS command injection vulnerability in escapeshellarg (#69646)
  . CVE-2015-2325 pcre: upgrade pcrelib 8.37
  . CVE-2015-2326 pcre: upgrade pcrelib 8.37
  . CVE-2015-4644 postgres: segfault in php_pgsql_meta_data (#69667)
  . CVE-2015-3414 sqlite: Upgrade bundled sqlite to 3.8.10.2
  . CVE-2015-3415 sqlite: Upgrade bundled sqlite to 3.8.10.2
  . CVE-2015-3416 sqlite: Upgrade bundled sqlite to 3.8.10.2

- fixed 5.5.27 official bugs
  . Fixed bug #70002 core: TS issues with temporary dir handling

- fixed segfault with ioncube loader

- fixed security issues
  . CVE-2015-1351 opcache: use after free (#68677)
  . CVE-2015-1352 pgsql: Null pointer dereference (#68741)
  . CVE-2015-2787 core: Use After Free Vulnerability in unserialize() (#68976)
  . CVE-2015-2348 core: move_uploaded_file allows nulls in path (#69207)
  . CVE-2015-2305 ereg: heap overflow vulnerability in regcomp.c (#69248)
  . CVE-2015-2331 zip: ZIP Integer Overflow leads to writing past heap boundary (#69253)

- fixed 5.5.24 official bugs
  . Fixed bug #69467 core: Wrong checked for the interface by using Trait
  . Fixed bug #69420 core: Invalid read in zend_std_get_method
  . Fixed bug #60022 core: "use statement [...] has no effect" depends on leading backslash
  . Fixed bug #67314 core: Segmentation fault in gc_remove_zval_from_buffer
  . Fixed bug #69419 core: Returning compatible sub generator produces a warning
  . Fixed bug #69472 core: php_sys_readlink ignores misc errors from GetFinalPathNameByHandleA
  . Fixed bug #69381 odbc: out of memory with sage odbc driver
  . Fixed bug #69402 openssl: Reading empty SSL stream hangs until timeout

- fixed security issues
  . CVE-2015-0273 Use after free vulnerability in unserialize() with DateTimeZone (#68942)

- fixed 5.5.21 official bugs
  . Fixed bug #65199 Pgsql: pg_copy_from() modifies input array variable
  . Fixed bug #66623 Session: no EINTR check on flock
  . Fixed bug #68063 Session: Empty session IDs do still start sessions
  . Fixed bug #69033 Starndard: Request may get env. variables from previous requests if PHP works as FastCGI

- fixed 5.5.21 security issues
  . CVE-2014-3710 fileinfo: out-of-bounds read in elf note headers (#68283)
  . CVE-2014-8142 Use after free vulnerability in unserialize() (#68594)
  . CVE-2015-0232 Free called on unitialized pointer (#68799)
  . CVE-2014-9427 out of bounds read crashes php-cgi (#68618)
  . CVE-2015-0231 Use After Free Vulnerability in PHP's unserialize() (#68710)
  . CVE-2015-0235 Mitigation for glibc gethostbyname buffer overflow (#68925)


- fixed 5.5.21 offcial bugs
  . Fixed bug #67068 getClosure returns somethings that's not a closure

  . Fixed bug #45081 strtotime incorrectly interprets SGT time zone
  . Fixed bug #55407 Impossible to prototype DateTime::createFromFormat
  . Fixed bug #68711 useless comparisons
  . Fixed bug #68827 Double free with disabled ZMM
  . Fixed bug #66479 Wrong response to FCGI_GET_VALUES
  . Fixed bug #68571 core dump when webserver close the socket
  . Fixed bug #64938 libxml_disable_entity_loader setting is shared between threads
  . Fixed bug #55618 use case-insensitive cert name matching
  . Fixed bug #68750 PDOMysql with mysqlnd does not allow the usage of named pipes
  . Fixed bug #68901 use after free
  . Fixed bug #68260 SQLite3Result::fetchArray declares wrong required_num_args
  . Fixed bug #68114 linker error on some OS X machines with fixed width decimal support
  . Fixed bug #68657 Reading 4 byte floats with Mysqli and libmysqlclient has rounding errors
  . Fixed bug #68941 mod_files.sh is a bash-script
  . Fixed bug which caused call after final close on streams filter

- fixed 5.5.18 offcial bugs
  . #68118 $a->foo .= 'test'; can leave $a->foo undefined
  . #68129 parse_url() - incomplete support for empty usernames and passwords
  . #65171 imagescale() fails without height param
  . #68087 ODBC not correctly reading DATE column when preceded by a VARCHAR column
  . #68128 SPL: Regression in RecursiveRegexIterator
  . #68247 Add CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1,
           and CURL_SSLVERSION_TLSv1_2 constants if supported by libcurl

- security issues
  . CVE-2014-3669 Integer overflow in unserialize() (32-bits only)
  . CVE-2014-3670 Heap corruption in exif_thumbnail()
  . CVE-2014-3668 Global buffer overflow in mkgmtime() function

- fixed 5.5.15 offcial bug
  . #67716 Segfault in cdf.c in embeded libmagic
  . #67730 Null byte injection possible with imagexxx functions in embeded gd
  . #67878 program_prefix not honoured in man pages
  . #66036 Crash on SIGTERM in apache process
  . #47358 glob returns error, should be empty array()
  . #41577 DOTNET is successful once per server run
  . #67109 First uppercase letter breaks date string parsing
  . #66091 Memory leak in DateTime::createFromFormat()
  . #66985 Some timezones are no longer valid in PHP 5.5.10
  . #67606 FPM with mod_fastcgi/apache2.4 is broken
  . #67839 mysqli does not handle 4-byte floats correctly
  . #67850 extension won't build if openssl compiled without SSLv3
  . #67813 achingIterator::__construct InvalidArgumentException wrong message
  . #67724 chained zlib filters silently fail with large amounts of data
  . #67865 internal corruption phar error on zlib

- security issues
  . fixed CVE-2014-1571 #b67716
  . fixed CVE-2014-5120 #b67730

- Fixed 5.5.15 official bug
  . #67693 incorrect push to the empty array
  . #67724 chained zlib filters silently fail with large amounts of data
  . #60616 odbc_fetch_into returns junk data at end of multi-byte char fields
  . #55496 Interactive mode doesn't force a newline before the prompt
  . #67496 Save command history when exiting interactive shell with control-c
  . #67715 php-milter does not build and crashes randomly
  . #66901 php-gd 'c_color' NULL pointer dereference. CVE-2014-2497
  . #67635 php links to systemd libraries without using pkg-config
  . #67705 extensive backtracking in rule regular expression. CVE-2014-3538
  . Fix missing type checks in various functions (openssl/com/sessions)

- security issues
  . fixed CVE-2014-2497 #66901
  . fixed CVE-2014-3538 #67705
  . fixed CVE-2014-0185 #67060
  . fixed CVE-2014-0238 #67327
  . fixed CVE-2014-0237 #67328
  . fixed CVE-2014-4049 #67432
  . fixed CVE-2014-3981 #67390
  . fixed CVE-2014-4670 #67538

- security issues
  . fixed CVE-2013-7345 #66946

- update 5.5.10

- AnNyung patch
  . enhanced php 5.3 compatible mode
    . no print deprecated message about functions
    . no print static message about non static method
    . defualt charset to iso-8859-1 instead of utf-8
      about htmlspecialchars/htmlentities

- security isseus
  . fixed CVE-2014-2270 #66820
  . fixed CVE-2013-7327 #66815
  . fixed CVE-2014-1943 #66731

- Fixed offcial bug
  . Allow zero length comparison in substr_compare()
  . #60602 proc_open() changes environment array
  . #66109 Can't reset CURLOPT_CUSTOMREQUEST to default behaviour
  . #66714 imageconvolution breakage
  . #66869 Invalid 2nd argument crashes imageaffinematrixget
  . #66890 imagescale segfault
  . #66893 imagescale ignore method argument
  . #66887 imagescale - poor quality of scaled image
  . Fix hash_pbkdf2() with missing $length argument
  . #66535 Don't add newline after X-PHP-Originating-Script
  . #66762 Segfault in mysqli_stmt::bind_result() when link closed
  . Added function opcache_is_script_cached()
  . Added information about interned strings usage

- update 5.5.8
- AnNyung patch
  . See also http://annyung.oops.org/?m=white&p=php-guide
  . support allow_include_extension
  . support upload image file check
  . support realpath_cache_force
    prevent to use symlink, link function when realpath_cache_force is emabled
  . support php 5.3 compatible mode
    call time pass reference, magic quotes and so on.
- Fixed official bug
  . #66509 copy() arginfo has changed starting from 5.4
  . #66356 Heap Overflow Vulnerability in imagecrop()
  . #66474 Optimizer bug in constant string to boolean conversion
  . #66461 PHP crashes if opcache.interned_strings_buffer=0
  . #66298 ext/opcache/Optimizer/zend_optimizer.c has dos-style ^M as lineend
  . #66412 readline_clear_history() with libedit causes segfault after #65714
  . #66469 Session module is sending multiple set-cookie headers when
    session.use_strict_mode=1
  . #66481 Segfaults on session_name()
  . #66009 Failed compilation of PHP extension with C++ std library using VS 2012
  . #62479 PDO-psql cannot connect if password contains spaces
- add sqlite (sqlite2) extension

- update 5.4.24

- fixed official bugs
  . #66286 Incorrect object comparison with inheritance
  . #66509 copy() arginfo has changed starting from 5.4
  . #66481 Calls to session_name() segfault when session.name

- php 5.3 호환 모드 제공: php53_compatible ini 옵션 추가
  . On 설정시, 다음의 기능이 php 5.3 호환모드로 동작
  . allow_call_time_pass_reference 지시자 사용 가능 (Default: Off)
  . magic_quotes_gpc, magic_quotes_runtime, magic_quotes_sybase 지시자
    및 magic_quotes 관련 함수 사용 가능 (기본값: Off)
  . NULL, false, 빈문자열의 값을 가진 변수에 object property를 추가할
    경우에도 E_WARNING 에러 메시지 발생 하지 않음
  . TZ 환경 변수로 timezone 지정 가능
  . array_combine() 함수에서 key array가 비었을 경우 false 반환
  . 5.4에서 제거된 다음의 함수 사용 가능 (E_DEPRECATED level 에러 처리)
    session_is_registered(), session_register(), session_unregister()
    mysqli_bind_param(), mysqli_bind_result(), mysqli_client_encoding(),
    mysqli_fetch(), mysqli_param_count(), mysqli_get_metadata(),
    mysqli_send_long_data(), mysqli::client_encoding()

- fixed official bugs
  . Fixed SNMP_ERR_TOOBIG handling for bulk walk operations.

- update 5.5.23

- security issues
  . CVE-2013-6420 Fixed memory corruption in openssl_x509_parse()

- fixed offcial bugs
  . #49634 Segfault throwing an exception in a XSL registered function
  . #66321 ZipArchive::open() ze_obj->filename_len not real
  . #64405 Use freetype-config for determining freetype2 dir(s)
  . #66229 128.0.0.0/16 isn't reserved any longer
  . #65873 Integer overflow in exif_read_data()
  . #65196 Passing DOMDocumentFragment to DOMDocument::saveHTML() Produces invalid Markup
  . #63391 Incorrect/inconsistent day of week prior to the year 1600
  . #65199 Wrong Day of Week
  . #66060 Heap buffer over-read in DateInterval
  . #61645 fopen and O_NONBLOCK
  . #31131 Fixed invalid C code in zend_strtod

- fixed official bugs
  . #65108 is_callable() triggers Fatal Error
  . #62672 Error on serialize of ArrayObject
  . #60732 php_error_docref links to invalid pages
  . #65228 FTPs memory leak
  . #65227 Memory leak in gmp_cmp second parameter
  . #64467 Segmentation fault after imap_reopen failure
  . #35703 when session_name("123") consist only digits, should warning
  . #49175 mod_files.sh does not support hash bits
  . #62535 $_SESSION[$key]["cancel_upload"] doesn't work as documented
  . #64802 openssl_x509_parse fails to parse subject properly in some cases
  . #62964 Possible XSS on "Registered stream filters" info

- security issues
  . CVE-2013-4113 heap corruption in xml parser (#65236)
  . CVE-2013-4248 Fixed handling null bytes in subjectAltName

- revoke allow-call_time_pass_reference directive
- no warning creative default object
  allow object declear as '$k->data = 3' without stdClsss declear

- fixed official bugs
  . #55694 Expose attempted_completion_over variable from readline library

- update 5.4.16
- update pecl libevent 0.1.0
- update sqlite extension 5.3.26

- fixed official bugs
  . #64915 error_log ignored when daemonize=0
  . #64949 Buffer overflow in _pdo_pgsql_error
  . #64609 pg_convert enum type support
  . #64960 Segfault in gc_zval_possible_root
  . #64934 Apache2 TS crash with get_browser()
  . #64966 segfault in zend_do_fcall_common_helper_SPEC
  . #64997 Segfault while using RecursiveIteratorIterator on 64-bits systems
  . #64988 Class loading order affects E_STRICT warning
  . #53437 Crash when using unserialized DatePeriod instance
  . #63176 Segmentation fault when instantiate 2 persistent PDO to the same db server
  . #64936 doc comments picked up from previous scanner run
  . #64166 quoted-printable-encode stream filter incorrectly discarding whitespace
  . #64764 add support for FPM init.d script
  . #65066 Cli server not responsive when responding with 422 http status code
  . #64338 pdo_dblib can't connect to Azure SQL
  . #64808 FreeTDS PDO getColumnMeta on a prepared but not executed statement crashes
  . #63638 Cannot connect to SQL Server 2008 with PDO dblib
  . #48724 getColumnMeta() doesn't return native_type for BIT, TINYINT and YEAR

- security issues
  . CVE-2013-2110 Heap based buffer overflow in quoted_printable_encode (#64879)

- update 5.4.12
- add fpm server api
- Fixed bug #64124 (IPv6 malformed)
- Fixed bug #64106 (Segfault on SplFixedArray[][x] = y when extended)
- Fixed bug #60840 (undefined symbol: mysqlnd_debug_std_no_trace_funcs)
- Fixed bug #61930 (openssl corrupts ssl key resource when using
  openssl_get_publickey())
- New SSL stream context option to prevent CRIME attack vector.
- Fixed bug #63530 (mysqlnd_stmt::bind_one_parameter crashes, uses
  wrong alloc for stmt->param_bind).
- mb_split() can now handle empty matches like preg_split() does
- Fixed bug #64128 (buit-in web server is broken on ppc64)
- Fixed bug #64142 (dval to lval different behavior on ppc64)
- Fixed bug #64354 (Unserialize array of objects whose class can't
  be autoloaded fail)
- Implemented FR #64175 (Added HTTP codes as of RFC 6585)
- Fixed bug #64197 (_Offsetof() macro used but not defined on ARM/Clang)
- Fixed bug #64070 (Inheritance with Traits failed with error)
- Fixed bug #64235 (Insteadof not work for class method in 5.4.11)
- security issues
  . CVE-2013-1643
    The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.13 allows
    remote attackers to read arbitrary files via a SOAP WSDL file
    containing an XML external entity declaration in conjunction with an
    entity reference, related to an XML External Entity (XXE) issue in the
    soap_xmlParseFile and soap_xmlParseMemory functions.
  . CVE-2013-1635
    ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not
    validate the relationship between the soap.wsdl_cache_dir directive
    and the open_basedir directive, which allows remote attackers to bypass
    intended access restrictions by triggering the creation of cached SOAP
    WSDL files in an arbitrary directory.

- Fixed bug #63235 (buffer overflow in use of SQLGetDiagRec).

- fixed missing #63399
- fixed bug #63241 PHP fails to open Windows deduplicated files.
- fixed bug #63447 max_input_vars doesn't filter variables when
  mbstring.encoding_translation = On
- set realpath_cache_force to enable, force enable realpath_cache_size
  and realpath_cache_ttl although safe_mode or open_basedir set enabled.

- Fixed official bug
  Fixed bug #63297 (Phar fails to write an openssl based signature).
  Fixed bug #63284 (Upgrade PCRE to 8.31).
  Fixed bug #63055 (Segfault in zend_gc with SF2 testsuite).
  Fixed bug #63180 (Corruption of hash tables).
  Fixed bug #63265 (Add ORA-00028 to the PHP_OCI_HANDLE_ERROR macro)
  Fixed bug #63389 (Missing context check on libxml_set_streams_context() causes memleak).
  Fixed bug #63248 (Load multiple magic files from a directory under Windows).
  Fixed bug #63363 (Curl silently accepts boolean true for SSL_VERIFYHOST).
  Fixed bug #63369 ((un)serialize() leaves dangling pointers, causes crashes).
  Fixed bug #63305 (zend_mm_heap corrupted with traits). (Dmitry, Laruence)
  Fixed bug #62593 (Emulate prepares behave strangely with PARAM_BOOL).
  Fixed bug #63399 (ReflectionClass::getTraitAliases() incorrectly resolves traitnames).
- add sqlite (sqlite2) extension

- security issues
  . CVE-2018-10545 FPM: Dumpable FPM child processes allow bypassing opcache access controls (#75605)
  . CVE-2018-10546 iconv: stream filter convert.iconv leads to infinite loop on invalid sequence (#76249)
  . CVE-2018-10548 LDAP: Malicious LDAP-Server Response causes Crash (#76248)
  . CVE-2018-10547 Phar: fix for CVE-2018-5712 may not be complete (#76129)

- security issues
  . CVE-2017-7890 Buffer over-read from unitialized data in gdImageCreateFromGifCtx function

- security issues
  . CVE-2017-9224 fixed mbstring Oniguruma
  . CVE-2017-9226 fixed mbstring Oniguruma
  . CVE-2017-9227 fixed mbstring Oniguruma
  . CVE-2017-9228 fixed mbstring Oniguruma
  . CVE-2017-9229 fixed mbstring Oniguruma
- fixed execdir bugs
  . fixed #15 But when using "2>&1" in exec command
  . fixed #16 error "NULL byte detected."

- security issues
  . CVE-2016-9933 GD: imagefilltoborder stackoverflow on truecolor images (#72696)
  . CVE-2016-10161 Standard: Heap out of bounds read on unserialize in finish_nested_data() (#73825)
  . CVE-2016-10159 Phar: Crash while loading hostile phar archive (#73764)
  . CVE-2016-10160 Phar: Memory corruption when loading hostile phar (#73768)
  . CVE-2016-10167 GD: DOS vulnerability in gdImageCreateFromGd2Ctx() (#73868)
  . CVE-2016-10168 GD: Signed Integer Overflow gd_io.c (#73869)
  . CVE-2016-10158 EXIF: FPE when parsing a tag format (#73737)

- security issues
  . nosafe_mode_exec_dir: backtics and $() syntax weakness after semi colon #8
    https://github.com/OOPS-ORG-PHP/mod_execdir/issues/8

- security issues
  . CVE-2016-5399 BZ2: do not treat negative returns from bz2 as size_t (#72613)
  . CVE-2016-5766 GD: Integer Overflow in _gd2GetHeader() resulting in heap overflow (#72339)
  . CVE-2016-5767 GD: Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow (#72446)

- security issues
  . CVE-2016-5385 Core: don't set environmental variable based on user supplied Proxy request header

- fixed zend_mm_heap corrupted problems of exec_dir patch
- security issues
  . CVE-2016-4070 Standard: Integer Overflow in php_raw_url_encode (#71798)
  . CVE-2016-4072 Phar: Invalid memory write in phar on filename with \0 in name (#71860)
  . CVE-2016-4073 Mbstring: AddressSanitizer: negative-size-param (-1) in mbfl_strcut (#71906)
  . CVE-2015-8865 Fileinfo: Buffer over-write in finfo_open with malformed magic file (#71527)
  . CVE-2016-3074 GD: libgd: signedness vulnerability (#71912)
  . fixed bug #72099 XML: xml_parse_into_struct segmentation fault
  . CVE-2016-4343 Phar: Uninitialized pointer in phar_make_dirstream() (#71331)
  . fixed bug #72135 Core: Integer Overflow in php_html_entities
  . fixed bug #72114 Core: Integer underflow / arbitrary null write in fread/gzread
  . CVE-2015-8874 GD: Stack overflow with imagefilltoborder (#66387)
  . CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389,
    CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394
    Upgraded pcrelib to 8.38

- security issues
  . fixed bug #71039 Core: exec functions ignore length but look for NULL termination
  . fixed bug #71323 Core: Output of stream_get_meta_data can be falsified by its input
  . fixed bug #71459 Core: Integer overflow in iptcembed()
  . fixed bug #71354 Phar: Heap corruption in tar/zip/phar parser
  . fixed bug #71391 Phar: NULL Pointer Dereference in phar_tar_setupmetadata()
  . fixed bug #71488 Phar: Stack overflow when decompressing tar archives

- security issues
  . fixed bug #69720 Phar: Null pointer dereference in phar_get_fp_offset()
  . fixed bug #70433 Phar: Uninitialized pointer in phar_make_dirstream when zip entry filename is "/"
  . fixed bug #70728 XMLRPC: Type Confusion Vulnerability in PHP_to_XMLRPC_worker()
  . fixed bug #70755 FPM: fpm_log.c memory leak and buffer overflow
  . fixed bug #70661 WDDX: Use After Free Vulnerability in WDDX Packet Deserialization
  . Fixed bug #70741 WDDX: Session WDDX Packet Deserialization Type Confusion Vulnerability

- security issues
  . CVE-2015-6834 core: Use After Free Vulnerability in unserialize() (#70172, #70365)
  . CVE-2015-6835 core: Use after free vulnerability in session deserializer (#70219)
  . CVE-2015-6836 soap: serialize_function_call() type confusion / RCE (#70388)
  . CVE-2015-6837 xslt: NULL pointer dereference (#69782)
  . CVE-2015-6838 xslt: NULL pointer dereference (#69782)
  . #70385 exif: Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes
  . #70312 hash: HAVAL gives wrong hashes in specific cases
  . #70345 pcre: Multiple vulnerabilities related to PCRE functions
  . #70350 zip:  ZipArchive::extractTo allows for directory traversal when creating directories

- fixed php-pgsql obsolete

- security issues
  . CVE-2014-9425
  . CVE-2014-9709
  . CVE-2014-9705
  . CVE-2015-2301
  . CVE-2015-2783
  . CVE-2015-3329
  . CVE-2015-4021
  . CVE-2015-4022
  . CVE-2015-4024
  . CVE-2015-4026

- official bug fix
  . #69353 Missing null byte checks for paths in various PHP extensions
  . #69152 Type Confusion Infoleak Vulnerability in unserialize() with SoapFault

- security issues
  . CVE-2015-2331 ZIP: Integer Overflow leads to writing past heap boundary (#69253)
  . CVE-2015-2305 Ereg: heap overflow vulnerability in regcomp.c (#69248)
  . CVE-2015-2787 Core: Use After Free Vulnerability in unserialize() (#68976)
  . CVE-2015-1352 pgsql: Null pointer deference (#68741)

- security issues
  . CVE-2015-0273 Use after free vulnerability in unserialize() (#68594)

- security issues
  . CVE-2014-8142 Use after free vulnerability in unserialize() (#68594)
  . CVE-2015-0232 Free called on unitialized pointer (#68799)
  . CVE-2015-0231 Use After Free Vulnerability in PHP's unserialize() (#68710)
  . CVE-2015-0235 Mitigation for glibc gethostbyname buffer overflow (#68925)

- security issues
  . CVE-2014-3668 (#68027) Global buffer overflow in mkgmtime() function
  . CVE-2014-3670 (#68113) Heap corruption in exif_thumbnail()
  . CVE-2014-3669 (#68044) Integer overflow in unserialize() (32-bits only)
  . CVE-2014-3710 (#68283) fileinfo: out-of-bounds read in elf note headers

- security issues
  . CVE-2014-3597 (#67717) segfault in dns_get_record
  . CVE-2014-5120 (#b67730) Null byte injection possible with imagexxx functions
  . CVE-2014-2497 (#66901) php-gd 'c_color' NULL pointer dereference
  . CVE-2014-3587 (#67716) Segfault in cdf.c

- Official bug fix
  . #66127 Segmentation fault with ArrayObject unset
  . #67247 spl_fixedarray_resize integer overflow
  . #67249 printf out-of-bounds read
  . #67250 iptcparse out-of-bounds read
  . #67252 convert_uudecode out-of-bounds read
  . #67359 Segfault in recursiveDirectoryIterator
  . #67390 insecure temporary file use in the configure script (CVE-2014-3981)
  . #67399 putenv with empty variable may lead to crash
  . #67492 unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion (CVE-2014-3515)
  . #67498 phpinfo() Type Confusion Information Leak Vulnerability
  . #67251 date_parse_from_format out-of-bounds read
  . #67253 timelib_meridian_with_check out-of-bounds read
  . #66307 Fileinfo crashes with powerpoint files
  . #67326 fileinfo: cdf_read_short_sector insufficient boundary check (CVE-2014-0207)
  . #67327 fileinfo: CDF infinite loop in nelements DoS (CVE-2014-0238)
  . #67328 fileinfo: numerous file_printf calls resulting in performance degradation (CVE-2014-0237)
  . #67410 fileinfo: mconvert incorrect handling of truncated pascal string size.
  . #67411 fileinfo: cdf_check_stream_offset insufficient boundary check.
  . #67412 fileinfo: cdf_count_chain insufficient boundary check.
  . #67413 fileinfo: cdf_read_property_info insufficient boundary check.
  . #67349 Locale::parseLocale Double Free
  . #67397 Buffer overflow in locale_get_display_name and uloc_getDisplayName (libicu 4.8.1)
  . #67432 Fix potential segfault in dns_check_record()). (CVE-2014-4049)
  . Fix missing type checks in various functions

- security issues
  . CVE-2014-3981
  . CVE-2014-3515
  . CVE-2014-0207
  . CVE-2014-0238
  . CVE-2014-0237
  . CVE-2014-4049

- security issues
  . CVE-2013-7345 #66946 extensive backtracking in awk rule regular expression

- security issue
  . CVE-2014-2270 #66820 out-of-bounds memory access in fileinfo
  . CVE-2014-1943 #66731 file: infinite recursion

- Official bug fix
  . #66501 Add EC key support to php_openssl_is_private_key
  . #60602 proc_open() changes environment array
  . #66535 Don't add newline after X-PHP-Originating-Script
  . #66762i Segfault in mysqli_stmt::bind_result() when link closed

- fixed segfault in mysqlnd when doing long prepare from patch of 5.3.7
  news #72595 (http://news.php.net/php.cvs/72595)
  http://git.php.net/?p=php-src.git;a=commitdiff;h=9fc38183b707341b6eddb8c196d0ea2b7c13d6a9

- update 5.3.28

- security issue
  . CVE-2013-6420 Fixed memory corruption in openssl_x509_parse()

- Official bug fix
  . #62672 Error on serialize of ArrayObject
  . #60560 SplFixedArray un-/serialize, getSize(), count() return 0,
           keys are strings
  . #65328 Segfault when getting SplStack object Value
  . #64802 openssl_x509_parse fails to parse subject properly in some cases
  . #50308 session id not appended properly for empty anchor tags
  . #65564 stack-buffer-overflow in DateTimeZone stuff caught
  . #65554 createFromFormat broken when weekday name is followed
  . #65458 curl memory leak
  . #60598 cli/apache sapi segfault on objects manipulation
  . #61759 class_alias() should accept classes with leading backslashes
  . #62396 'make test' crashes starting with 5.3.14 (missing gzencode())
  . #61548 content-type must appear at the end of headers for 201 Location
           to work in htt
  . #64441 FILTER_VALIDATE_URL rejects fully qualified domain names
  . #65708 dba functions cast $key param to string in-place, bypassing copy
           on write
  . #64157 DateTime::createFromFormat() reports confusing error message
  . #51936 Crash with clone XMLReader
  . #64230 XMLReader does not suppress errors
  . #64760 var_export() does not use full precision for floating-point numbers
  . #66033 Segmentation Fault when constructor of PDO statement throws an exception
  . #65946 sql_parser permanently converts values bound to strings on PDO
  . #66124 mysqli under mysqlnd loses precision when bind_param with 'i'
  . #66141 mysqlnd quote function is wrong with NO_BACKSLASH_ESCAPES after
           failed query
  . #66043 Segfault calling bind_param() on mysqli
  . #64874 json_decode handles whitespace and case-sensitivity incorrectly
  . #66094 unregister_tick_function tries to cast a Closure to a string
  . #66321 ZipArchive::open() ze_obj->filename_len not real
  . #66229 128.0.0.0/16 isn't reserved any longer
  . #65873 Integer overflow in exif_read_data()
  . #65196 Passing DOMDocumentFragment to DOMDocument::saveHTML() Produces
           invalid Markup
  . #63391 Incorrect/inconsistent day of week prior to the year 1600
  . #61599 Wrong Day of Week
  . #66060 Heap buffer over-read in DateInterval
  . #61645 fopen and O_NONBLOCK

- security issues
  . CVE-2013-4073 Fixed handling null bytes in subjectAltName

- update 5.3.27

- security issues
  . CVE-2013-4113 #65236 heap corruption in xml parser

- update 5.3.26
- update pecl libevent extension 0.1.0
- update pecl ncurses extension 1.0.2

- Official bug fix
  . #53437 Crash when using unserialized DatePeriod instance
  . #64949 Buffer overflow in _pdo_pgsql_error.
  . #64609 pg_convert enum type support.
  . #64960 Segfault in gc_zval_possible_root.
  . #64934 Apache2 TS crash with get_browser()
  . #64966 segfault in zend_do_fcall_common_helper_SPEC
  . #64997 Segfault while using RecursiveIteratorIterator on 64-bits systems

- security issues
  . CVE 2013-2110 Heap based buffer overflow in quoted_printable_encode (#64879)

- add ldap pagenation patch from PHP 5.4
- build fpm sapi

- Fixed bug #62593 Emulate prepares behave strangely with PARAM_BOOL
- Fixed bug #63447 max_input_vars doesn't filter variables when
  mbstring.encoding_translation = On
- set realpath_cache_force to enable, force enable realpath_cache_size
  and realpath_cache_ttl although safe_mode or open_basedir set enabled.

- update 5.3.18
- Always support short tag with echo '<?='
- pecl memcache update to 2.2.7
- pecl libevent update to 0.0.5
- support system tz data option
- Fixed bug #63297 (Phar fails to write an openssl based signature).
- Fixed bug #63240 (stream_get_line() return contains delimiter string).
- Fixed bug #63235 (buffer overflow in use of SQLGetDiagRec).
- Fixed bug #63284 (Upgrade PCRE to 8.31).
- Fixed bug #63055 (Segfault in zend_gc with SF2 testsuite).
- Fixed bug #63265 (Add ORA-00028 to the PHP_OCI_HANDLE_ERROR macro)
- Fixed compilation failure on mixed 32/64 bit systems.
- Fixed bug #63389 (Missing context check on libxml_set_streams_context() causes memleak).

- fixed CVE-2012-1823
- fixed CVE-2012-2143
- fixed CVE-2012-2688
- fixed CVE-2012-3365
- fixed bug 61948 CURLOPT_COOKIFILE '' raises open_basedir restriction
- fixed bug 62885 mysqli_poll - Segmentation fault
- fixed bug 61367 open_basedir bypass using libxml RSHUTDOWN
                  Add open_basedir checks to readline_write_history and readline_read_history
                  open_basedir check for linkinfo

- fixed CVE-2012-1172
- fixed CVE-2012-0831

- add record, snmp, ldap, xml extension
- rename php-binary to php-cli