Overnight, new versions of PHP were released, fixing over 20 bugs, as listed below:
5.3.17
- Core
- Fixed bug (segfault while build with zts and GOTO vm-kind)
- Fixed bug #62955 (Only one directive is loaded from “Per Directory Values” Windows registry)
- Fixed bug #62763 (register_shutdown_function and extending class)
- Fixed bug #62744 (dangling pointers made by zend_disable_class)
- Fixed bug #62716 (munmap() is called with the incorrect length)
- Fixed bug #62460 (php binaries installed as binary.dSYM)
- CURL
- Fixed bug #62839 (curl_copy_handle segfault with CURLOPT_FILE)
- DateTime
- Fixed bug #62852 (Unserialize invalid DateTime causes crash)
- Intl
- Fix null pointer dereferences in some classes of ext/intl
- MySQLnd
- Fixed bug #62885 (mysqli_poll – Segmentation fault)
- PDO
- Fixed bug #62685 (Wrong return datatype in PDO::inTransaction())
- Session
- Fixed bug (segfault due to retval not being initialized)
- SPL
- Fixed bug (Crash when cloning an object which inherits SplFixedArray)
- Enchant
- Fixed bug #62838 (enchant_dict_quick_check() destroys zval, but fails to initialize it)
5.4.7
- Core
- Fixed bug (segfault while build with zts and GOTO vm-kind)
- Fixed bug #62955 (Only one directive is loaded from “Per Directory Values” Windows registry)
- Fixed bug #62844 (parse_url() does not recognize //)
- Fixed bug #62829 (stdint.h included on platform where HAVE_STDINT_H is not set)
- Fixed bug #62763 (register_shutdown_function and extending class)
- Fixed bug #62725 (Calling exit() in a shutdown function does not return the exit value)
- Fixed bug #62744 (dangling pointers made by zend_disable_class)
- Fixed bug #62716 (munmap() is called with the incorrect length)
- Fixed bug #62358 (Segfault when using traits a lot)
- Fixed bug #62328 (implementing __toString and a cast to string fails)
- Fixed bug #51363 (Fatal error raised by var_export() not caught by error handler)
- Fixed bug #40459 (Stat and Dir stream wrapper methods do not call constructor)
- CURL
- DateTime
- Fixed bug #62852 (Unserialize invalid DateTime causes crash)
- Intl
- Fixed Spoofchecker not being registered on ICU 49.1
- Fix bug #62933 (ext/intl compilation error on icu 3.4.1)
- Fix bug #62915 (defective cloning in several intl classes)
- Installation
- Fixed bug #62460 (php binaries installed as binary.dSYM)
- PCRE
- Fixed bug #55856 (preg_replace should fail on trailing garbage)
- PDO
- Fixed bug #62685 (Wrong return datatype in PDO::inTransaction())
- Reflection
- Session
- Fixed bug (segfault due to retval not being initialized)
- Fixed bug (segfault due to PS(mod_user_implemented) not being reset when the close handler calls exit)
- SPL
- Standard
- Fixed bug #62836 (Seg fault or broken object references on unserialize())
- FPM
- Merged PR 121 by minitux to add support for slow request counting on PHP FPM status page
We would recommend patching your server ASAP, as hackers look at the bugs reported and start targeting old versions.