php security update

CentOS Errata and Security Advisory CESA-2007:0349

PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Web server.

A heap buffer overflow flaw was found in the PHP ‘xmlrpc’ extension. A
PHP script which implements an XML-RPC server using this extension could
allow a remote attacker to execute arbitrary code as the ‘apache’ user.
Note that this flaw does not affect PHP applications using the pure-PHP
XML_RPC class provided in /usr/share/pear. (CVE-2007-1864)

A flaw was found in the PHP ‘ftp’ extension. If a PHP script used this
extension to provide access to a private FTP server, and passed untrusted
script input directly to any function provided by this extension, a remote
attacker would be able to send arbitrary FTP commands to the server.
(CVE-2007-2509)

Users of PHP should upgrade to these updated packages which contain
backported patches to correct these issues.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2007-May/075901.html
https://lists.centos.org/pipermail/centos-announce/2007-May/075902.html

Affected packages:
php
php-devel
php-domxml
php-gd
php-imap
php-ldap
php-mbstring
php-mysql
php-ncurses
php-odbc
php-pear
php-pgsql
php-snmp
php-xmlrpc

Upstream details at:
https://access.redhat.com/errata/RHSA-2007:0349