This security update of PHP fixes the following issues:
Security issues fixed:
- CVE-2015-4024 [bnc#931421]: Fixed multipart/form-data remote DOS
Vulnerability.
- CVE-2015-4026 [bnc#931776]: pcntl_exec() did not check path validity.
- CVE-2015-4022 [bnc#931772]: Fixed and overflow in ftp_genlist() that
resulted in a heap overflow.
- CVE-2015-4021 [bnc#931769]: Fixed memory corruption in
phar_parse_tarfile when entry filename starts with NULL.
- CVE-2015-4148 [bnc#933227]: Fixed SoapClient’s do_soap_call() type
confusion after unserialize() information disclosure.
- CVE-2015-4602 [bnc#935224]: Fixed an incomplete Class unserialization
type confusion.
- CVE-2015-4599, CVE-2015-4600, CVE-2015-4601 [bnc#935226]: Fixed type
confusion issues in unserialize() with various SOAP methods.
- CVE-2015-4603 [bnc#935234]: Fixed exception::getTraceAsString type
confusion issue after unserialize.
- CVE-2015-4644 [bnc#935274]: Fixed a crash in php_pgsql_meta_data.
- CVE-2015-4643 [bnc#935275]: Fixed an integer overflow in ftp_genlist()
that could result in a heap overflow.
- CVE-2015-3411, CVE-2015-3412, CVE-2015-4598 [bnc#935227], [bnc#935232]:
Added missing null byte checks for paths in various PHP extensions.
Bugs fixed:
- configure php-fpm with --localstatedir=/var [bnc#927147]
- fix timezone map [bnc#919080]