Oracle Linux ELSA-2016-2598
Nov 09, 2016 - 12:00 a.m.

php security and bug fix update

2016-11-09 00:00:00
linux.oracle.com
CVSS3: 9.8 High

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.951 High

  • Percentile: 99.1%

[5.4.16-42]

  • bz2: fix improper error handling in bzread() CVE-2016-5399

[5.4.16-41]

  • gd: fix integer overflow in _gd2GetHeader() resulting in
    heap overflow CVE-2016-5766
  • gd: fix integer overflow in gdImagePaletteToTrueColor()
    resulting in heap overflow CVE-2016-5767
  • mbstring: fix double free in _php_mb_regex_ereg_replace_exec
    CVE-2016-5768

[5.4.16-40]

  • don’t set environmental variable based on user supplied Proxy
    request header CVE-2016-5385

[5.4.16-39]

  • fix segmentation fault in header_register_callback #1344578

[5.4.16-38]

  • curl: add options to enable TLS #1291667
  • mysqli: fix segfault in mysqli_stmt::bind_result() when
    link is closed #1096800
  • fpm: fix incorrectly defined SCRIPT_NAME variable when
    using Apache #1138563
  • core: fix segfault when a zend_extension is loaded twice #1289457
  • openssl: change default_md algo from MD5 to SHA1 #1073388
  • wddx: fix segfault in php_wddx_serialize_var #1131979

[5.4.16-37]

  • session: fix segfault in session with rfc1867 #1297179
