php security and bug fix update

[5.4.16-36]

• fix more functions accept paths with NUL character #1213407
  [5.4.16-35]
• core: fix multipart/form-data request can use excessive
  amount of CPU usage CVE-2015-4024
• fix various functions accept paths with NUL character
  CVE-2015-4025, CVE-2015-4026, #1213407
• fileinfo: fix denial of service when processing a crafted
  file #1213442
• ftp: fix integer overflow leading to heap overflow when
  reading FTP file listing CVE-2015-4022
• phar: fix buffer over-read in metadata parsing CVE-2015-2783
• phar: invalid pointer free() in phar_tar_process_metadata()
  CVE-2015-3307
• phar: fix buffer overflow in phar_set_inode() CVE-2015-3329
• phar: fix memory corruption in phar_parse_tarfile caused by
  empty entry file name CVE-2015-4021
• soap: fix type confusion through unserialize #1222538
• apache2handler: fix pipelined request executed in deinitialized
  interpreter under httpd 2.4 CVE-2015-3330
  [5.4.16-34]
• fix memory corruption in fileinfo module on big endian
  machines #1082624
• fix segfault in pdo_odbc on x86_64 #1159892
• fix segfault in gmp allocator #1154760
  [5.4.16-33]
• core: use after free vulnerability in unserialize()
  CVE-2014-8142 and CVE-2015-0231
• core: fix use-after-free in unserialize CVE-2015-2787
• core: fix NUL byte injection in file name argument of
  move_uploaded_file() CVE-2015-2348
• date: use after free vulnerability in unserialize CVE-2015-0273
• enchant: fix heap buffer overflow in enchant_broker_request_dict
  CVE-2014-9705
• exif: free called on unitialized pointer CVE-2015-0232
• fileinfo: fix out of bounds read in mconvert CVE-2014-9652
• gd: fix buffer read overflow in gd_gif_in.c CVE-2014-9709
• phar: use after free in phar_object.c CVE-2015-2301
• soap: fix type confusion through unserialize
  [5.4.16-31]
• fileinfo: fix out-of-bounds read in elf note headers. CVE-2014-3710
  [5.4.16-29]
• xmlrpc: fix out-of-bounds read flaw in mkgmtime() CVE-2014-3668
• core: fix integer overflow in unserialize() CVE-2014-3669
• exif: fix heap corruption issue in exif_thumbnail() CVE-2014-3670
  [5.4.16-27]
• gd: fix NULL pointer dereference in gdImageCreateFromXpm().
  CVE-2014-2497
• gd: fix NUL byte injection in file names. CVE-2014-5120
• fileinfo: fix extensive backtracking in regular expression
  (incomplete fix for CVE-2013-7345). CVE-2014-3538
• fileinfo: fix mconvert incorrect handling of truncated
  pascal string size. CVE-2014-3478
• fileinfo: fix cdf_read_property_info
  (incomplete fix for CVE-2012-1571). CVE-2014-3587
• spl: fix use-after-free in ArrayIterator due to object
  change during sorting. CVE-2014-4698
• spl: fix use-after-free in SPL Iterators. CVE-2014-4670
• network: fix segfault in dns_get_record
  (incomplete fix for CVE-2014-4049). CVE-2014-3597
  [5.4.16-25]
• fix segfault after startup on aarch64 (#1107567)
• compile php with -O3 on ppc64le (#1123499)