- security issues
  . CVE-2016-4473  Phar: invalid free in phar_extract_file() (#72321)
  . CVE-2019-9021  Phar: heap buffer overflow in phar_detect_phar_fname_ext (#77247)
  . CVE-2017-11147 Phar: Seg fault when loading hostile phar (#73773)
  . CVE-2018-20783 Phar: Heap Buffer Overflow (READ: 4) in phar_parse_pharfile (#77143)
  . CVE-2016-7411  Standard: Memory Corruption in During Deserialized-object Destruction (#73052)
  . CVE-2017-11145 Core: wddx_deserialize() heap out-of-bound read via php_parse_date() (#74819)
  . CVE-2017-11628 Core: PHP INI Parsing Stack Buffer Overflow Vulnerability (#74603)
  . CVE-2017-12933 Core: Heap buffer overread (READ: 1) finish_nested_data from unserialize (#74111)
  . CVE-2017-11144 OpenSSL: negative-size-param (-1) in memcpy in zif_openssl_seal() (#74651)
  . CVE-2017-16642 Date: Out-Of-Bounds Read in timelib_meridian() (#75055)
  . CVE-2016-1283  PCRE: applied upstream patch for (#75207)
  . CVE-2018-17082 Apache2: XSS due to the header Transfer-Encoding: chunked (#76582)
  . CVE-2018-19518 IMAP: imap_open allows to run arbitrary shell commands via mailbox parameter (#77153)
  . CVE-2019-9023  Mbstring: Buffer overflow on mb regex functions - fetch_token (#77370)
  . CVE-2019-9023  Mbstring: heap buffer overflow in mb regex functions - compile_string_node (#77371)
  . CVE-2019-9023  Mbstring: heap buffer overflow in multibyte match_at (#77381)
  . CVE-2019-9023  Mbstring: heap buffer overflow due to incorrect length in expand_case_fold_string (#77382)
  . CVE-2019-9023  Mbstring: buffer overflow in fetch_token (#77385)
  . CVE-2019-9023  Mbstring: Buffer overflow in multibyte case folding - unicode (#77394)
  . CVE-2019-9023  Mbstring: Heap overflow in utf32be_mbc_to_code (#77418)
  . CVE-2019-9020  Xmlrpc: heap out of bounds read in xmlrpc_decode() (#77242)
  . CVE-2019-9024  Xmlrpc: Global out of bounds read in xmlrpc base64 code (#77380)
  . CVE-2019-11034 EXIF: Heap-buffer-overflow in php_ifd_get32s (#77753)
  . CVE-2019-11035 EXIF: Heap-buffer-overflow in exif_iif_add_value (#77831)
  . CVE-2019-11036 EXIF: Heap-buffer-overflow in _estrndup via exif_process_IFD_TAG (#77950)
  . CVE-2019-11040 EXIF: heap-buffer-overflow on php_jpg_get16 (#77988)
  . CVE-2018-14883 EXIF: Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c (#76423)
  . CVE-2018-14851 EXIF: heap-buffer-overflow (READ of size 48) while reading exif data (#76557)
  . CVE-2018-5711  GD: Potential infinite loop in gdImageCreateFromGifCtx (#75571)
  . CVE-2019-6977  GD: imagecolormatch Out Of Bounds Write on Heap (#77270)
  . CVE-2016-10166 GD: efree() on uninitialized Heap data in imagescale leads to use-after-free (#77269)
  . CVE-2019-11038 GD: Uninitialized read in gdImageCreateFromXbm (#77973)
  . CVE-2019-11039 Iconv: Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to int overflow (#78069)
  . CVE-2017-11143 WDDX: wddx parsing empty boolean tag leads to SIGSEGV (#74145)

- security issues
  . CVE-2018-10545 FPM: Dumpable FPM child processes allow bypassing opcache access controls (#75605)
  . CVE-2018-10546 iconv: stream filter convert.iconv leads to infinite loop on invalid sequence (#76249)
  . CVE-2018-10548 LDAP: Malicious LDAP-Server Response causes Crash (#76248)
  . CVE-2018-10547 Phar: fix for CVE-2018-5712 may not be complete (#76129)

- security issues
  . CVE-2017-7890 GD: Buffer over-read from unitialized data in gdImageCreateFromGifCtx function
  . CVE-2018-7584 Standard: tack-buffer-overflow while parsing HTTP response (#75981)

- security issues
  . CVE-2017-9224 fixed mbstring Oniguruma
  . CVE-2017-9226 fixed mbstring Oniguruma
  . CVE-2017-9227 fixed mbstring Oniguruma
  . CVE-2017-9228 fixed mbstring Oniguruma
  . CVE-2017-9229 fixed mbstring Oniguruma
- fixed execdir bugs
  . fixed #15 But when using "2>&1" in exec command
  . fixed #16 error "NULL byte detected."

- security issues
  . CVE-2016-9934 WDDX: NULL Pointer Dereference in WDDX Packet Deserialization with PDORow (#73331)
  . CVE-2016-9933 GD: imagefilltoborder stackoverflow on truecolor images (#72696)
  . CVE-2016-9935 WDDX: Invalid read when wddx decodes empty boolean elemen (#73631)
  . CVE-2016-10161 Standard: Heap out of bounds read on unserialize in finish_nested_data() (#73825)
  . CVE-2016-10159 Crash while loading hostile phar archive (#73764)
  . CVE-2016-10160 Memory corruption when loading hostile phar (#73768)
  . CVE-2016-10167 GD: DOS vulnerability in gdImageCreateFromGd2Ctx() (#73868)
  . CVE-2016-10168 GD: Signed Integer Overflow gd_io.c (#73869)
  . CVE-2016-10158 EXIF: FPE when parsing a tag format (#73737)

- security issues
  . execdir: backtics and $() syntax weakness after semi colon #8
    https://github.com/OOPS-ORG-PHP/mod_execdir/issues/8

- security issues
  . CVE-2016-7416 Intl: add locale length check (#73007)
  . CVE-2016-7412 Mysqlnd: Heap overflow in mysqlnd related to BIT fields (#72293)
  . CVE-2016-7414 Phar: Out of bound when verify signature of zip phar in phar_parse_zipfile (#72928)
  . CVE-2016-7417 SPL: Missing type check when unserializing SplArray (#73029)
  . CVE-2016-7413 WDDX: wddx_deserialize use-after-free (#72860)
  . CVE-2016-7418 WDDX: Out-Of-Bounds Read in php_wddx_push_element (#73065)
  . CVE-2016-7124 Core: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization (#72663)
  . CVE-2016-7125 Core: PHP Session Data Injection Vulnerability (#72681)
  . CVE-2016-7128 Exif: Memory Leakage In exif_process_IFD_in_TIFF (#72627)
  . CVE-2016-7126 GD: select_colors write out-of-bounds (#72697)
  . CVE-2016-7127 GD: imagegammacorrect allows arbitrary write access (#72730)
  . CVE-2016-7129 WDDX: wddx_deserialize allows illegal memory access (#72749)
  . CVE-2016-7130 WDDX: wddx_deserialize null dereference (#72750)
  . CVE-2016-7131 WDDX: wddx_deserialize null dereference with invalid xml (#72790)
  . CVE-2016-7132 WDDX: wddx_deserialize null dereference in php_wddx_pop_element (#72799)

- update 5.5.38
- update libevent extension to 0.1.1
- refix #71889 DateInterval::format Segmentation fault (missing 5.5.36-1)
- security issues
  . CVE-2016-5385 HTTP_PROXY is improperly trusted by some PHP libraries and applications (#72573)

- update 5.5.38
- security issues
  . Fixed bug #70480 Core: php_url_parse_ex() buffer overflow read
  . Fixed bug #69975 ODBC: PHP segfaults when accessing nvarchar(max) defined columns

- update 5.5.36
- fixed zend_mm_heap corrupted problems of exec_dir pathc
- security issues
  . CVE-2015-8874 Fixed bug #66387 Stack overflow with imagefilltoborder
  . CVE-2016-5096 Fixed bug #72114 Core: Integer underflow / arbitrary null write in fread/gzread
  . CVE-2016-5094 Fixed bug #72135 Core: Integer Overflow in php_html_entities
  . CVE-2013-7456 Fixed bug #72227 GD: imagescale out-of-bounds read
  . CVE-2016-5093 Fixed bug #72241 Intl: get_icu_value_internal out-of-bounds read
  . CVE-2016-4343 Fixed bug #71331 Phar: Uninitialized pointer in phar_make_dirstream()
  . CVE-2016-4537, CVE-2016-4538
    Fixed bug #72093 BCMatch: bcpowmod accepts negative scale and corrupts _one_ definition
  . CVE-2016-4542, CVE-2016-4543, CVE-2016-4544
    Fixed bug #72094 Exif: Out of bounds heap read access in exif header processing
  . CVE-2016-3074 Fixed bug #71912 GD: libgd: signedness vulnerability
  . CVE-2016-4540, CVE-2016-4541
    Fixed bug #72061 Intl: Out-of-bounds reads in zif_grapheme_stripos with negative offset
  . CVE-2016-4539 Fixed bug #72099 XML: xml_parse_into_struct segmentation fault)

- update 5.5.34
  . fixed bug #71889 DateInterval::format Segmentation fault
  . fixed bug #71527 Fileinfo: Buffer over-write in finfo_open
    with malformed magic file
  . fixed bug #71906 Mbstring: AddressSanitizer: negative-size-param
    (-1) in mbfl_strcut
  . fixed bug #71860 ODBC: Invalid memory write in phar on filename
    with \0 in name
  . fixed bug #71704 SNMP: php_snmp_error() Format String Vulnerability
  . fixed bug #71798 Standard: Integer Overflow in php_raw_url_encode

- update 5.5.33
- fixed security isseus
  . fixed bug #71498 Phar: Out-of-Bound Read in phar_parse_zipfile()
  . fixed bug #71587 WDDX: Use-After-Free / Double-Free in WDDX Deserialize

- update 5.5.32
- fixed security issues
  . CVE-2015-8383
  . CVE-2015-8386
  . CVE-2015-8387
  . CVE-2015-8389
  . CVE-2015-8390
  . CVE-2015-8391
  . CVE-2015-8393
  . CVE-2015-8394
  . fixed bug #71039 Core: exec functions ignore length but look for NULL termination
  . fixed bug #71323 Core: Output of stream_get_meta_data can be falsified by its input
  . fixed bug #71459 Core: Integer overflow in iptcembed()
  . fixed bug #71354 Phar: Heap corruption in tar/zip/phar parser
  . fixed bug #71391 Phar: NULL Pointer Dereference in phar_tar_setupmetadata()
  . fixed bug #71488 Phar: Stack overflow when decompressing tar archives
  . fixed bug #71335 WDDX: Type Confusion in WDDX Packet Deserialization

- update 5.5.31
- fixed security issues
  . #70755 FPM: fpm_log.c memory leak and buffer overflow
  . #70976 GD: Memory Read via gdImageRotateInterpolated Array Index Out of Bounds
  . #70728 XMLRPC: Type Confusion Vulnerability in PHP_to_XMLRPC_worker()

- update 5.5.30

- update 5.5.29
- fixed security issues
  . CVE-2015-6834 core: Use After Free Vulnerability in unserialize()
  . CVE-2015-6835 core: Use after free vulnerability in session deserializer
  . CVE-2015-6836 soap: SOAP serialize_function_call() type confusion / RCE
  . CVE-2015-6834 SPL:  Use-after-free vulnerability in unserialize() with SplObjectStorage
                        and SplDoublyLinkedList
  . CVE-2015-6837, CVE-2015-6838 XSLT: NULL pointer dereference
  . Exif(#70385), hash(#70312), PCRE(#70345), ZIP(#70350)

- update 5.5.28
- fixed php-pgsql obsolete

- update 5.5.27
- fixed security issues
  . CVE-2015-4024 core: PHP Multipart/form-data remote dos Vulnerability (#69364)
  . CVE-2015-4025 core: CVE-2006-7243 fix regressions in 5.4+ (#69418)
  . CVE-2015-4022 ftp: Integer overflow in ftp_genlist() resulting in heap overflow (#69545)
  . CVE-2015-4026 pcntl: pcntl_exec() should not allow null char (#68598)
  . CVE-2015-4021 Memory Corruption in phar_parse_tarfile when entry filename starts with null (#69453)
  . CVE-2015-4643 core: Integer overflow in ftp_genlist() resulting in heap overflow (#69545)
  . CVE-2015-4642 core: OS command injection vulnerability in escapeshellarg (#69646)
  . CVE-2015-2325 pcre: upgrade pcrelib 8.37
  . CVE-2015-2326 pcre: upgrade pcrelib 8.37
  . CVE-2015-4644 postgres: segfault in php_pgsql_meta_data (#69667)
  . CVE-2015-3414 sqlite: Upgrade bundled sqlite to 3.8.10.2
  . CVE-2015-3415 sqlite: Upgrade bundled sqlite to 3.8.10.2
  . CVE-2015-3416 sqlite: Upgrade bundled sqlite to 3.8.10.2

- fixed 5.5.27 official bugs
  . Fixed bug #70002 core: TS issues with temporary dir handling

- fixed segfault with ioncube loader

- fixed security issues
  . CVE-2015-1351 opcache: use after free (#68677)
  . CVE-2015-1352 pgsql: Null pointer dereference (#68741)
  . CVE-2015-2787 core: Use After Free Vulnerability in unserialize() (#68976)
  . CVE-2015-2348 core: move_uploaded_file allows nulls in path (#69207)
  . CVE-2015-2305 ereg: heap overflow vulnerability in regcomp.c (#69248)
  . CVE-2015-2331 zip: ZIP Integer Overflow leads to writing past heap boundary (#69253)

- fixed 5.5.24 official bugs
  . Fixed bug #69467 core: Wrong checked for the interface by using Trait
  . Fixed bug #69420 core: Invalid read in zend_std_get_method
  . Fixed bug #60022 core: "use statement [...] has no effect" depends on leading backslash
  . Fixed bug #67314 core: Segmentation fault in gc_remove_zval_from_buffer
  . Fixed bug #69419 core: Returning compatible sub generator produces a warning
  . Fixed bug #69472 core: php_sys_readlink ignores misc errors from GetFinalPathNameByHandleA
  . Fixed bug #69381 odbc: out of memory with sage odbc driver
  . Fixed bug #69402 openssl: Reading empty SSL stream hangs until timeout

- fixed security issues
  . CVE-2015-0273 Use after free vulnerability in unserialize() with DateTimeZone (#68942)

- fixed 5.5.21 official bugs
  . Fixed bug #65199 Pgsql: pg_copy_from() modifies input array variable
  . Fixed bug #66623 Session: no EINTR check on flock
  . Fixed bug #68063 Session: Empty session IDs do still start sessions
  . Fixed bug #69033 Starndard: Request may get env. variables from previous requests if PHP works as FastCGI

- fixed 5.5.21 security issues
  . CVE-2014-3710 fileinfo: out-of-bounds read in elf note headers (#68283)
  . CVE-2014-8142 Use after free vulnerability in unserialize() (#68594)
  . CVE-2015-0232 Free called on unitialized pointer (#68799)
  . CVE-2014-9427 out of bounds read crashes php-cgi (#68618)
  . CVE-2015-0231 Use After Free Vulnerability in PHP's unserialize() (#68710)
  . CVE-2015-0235 Mitigation for glibc gethostbyname buffer overflow (#68925)


- fixed 5.5.21 offcial bugs
  . Fixed bug #67068 getClosure returns somethings that's not a closure

  . Fixed bug #45081 strtotime incorrectly interprets SGT time zone
  . Fixed bug #55407 Impossible to prototype DateTime::createFromFormat
  . Fixed bug #68711 useless comparisons
  . Fixed bug #68827 Double free with disabled ZMM
  . Fixed bug #66479 Wrong response to FCGI_GET_VALUES
  . Fixed bug #68571 core dump when webserver close the socket
  . Fixed bug #64938 libxml_disable_entity_loader setting is shared between threads
  . Fixed bug #55618 use case-insensitive cert name matching
  . Fixed bug #68750 PDOMysql with mysqlnd does not allow the usage of named pipes
  . Fixed bug #68901 use after free
  . Fixed bug #68260 SQLite3Result::fetchArray declares wrong required_num_args
  . Fixed bug #68114 linker error on some OS X machines with fixed width decimal support
  . Fixed bug #68657 Reading 4 byte floats with Mysqli and libmysqlclient has rounding errors
  . Fixed bug #68941 mod_files.sh is a bash-script
  . Fixed bug which caused call after final close on streams filter

- fixed 5.5.18 offcial bugs
  . #68118 $a->foo .= 'test'; can leave $a->foo undefined
  . #68129 parse_url() - incomplete support for empty usernames and passwords
  . #65171 imagescale() fails without height param
  . #68087 ODBC not correctly reading DATE column when preceded by a VARCHAR column
  . #68128 SPL: Regression in RecursiveRegexIterator
  . #68247 Add CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1,
           and CURL_SSLVERSION_TLSv1_2 constants if supported by libcurl

- security issues
  . CVE-2014-3669 Integer overflow in unserialize() (32-bits only)
  . CVE-2014-3670 Heap corruption in exif_thumbnail()
  . CVE-2014-3668 Global buffer overflow in mkgmtime() function

- fixed 5.5.15 offcial bug
  . #67716 Segfault in cdf.c in embeded libmagic
  . #67730 Null byte injection possible with imagexxx functions in embeded gd
  . #67878 program_prefix not honoured in man pages
  . #66036 Crash on SIGTERM in apache process
  . #47358 glob returns error, should be empty array()
  . #41577 DOTNET is successful once per server run
  . #67109 First uppercase letter breaks date string parsing
  . #66091 Memory leak in DateTime::createFromFormat()
  . #66985 Some timezones are no longer valid in PHP 5.5.10
  . #67606 FPM with mod_fastcgi/apache2.4 is broken
  . #67839 mysqli does not handle 4-byte floats correctly
  . #67850 extension won't build if openssl compiled without SSLv3
  . #67813 achingIterator::__construct InvalidArgumentException wrong message
  . #67724 chained zlib filters silently fail with large amounts of data
  . #67865 internal corruption phar error on zlib

- security issues
  . fixed CVE-2014-1571 #b67716
  . fixed CVE-2014-5120 #b67730

- Fixed 5.5.15 official bug
  . #67693 incorrect push to the empty array
  . #67724 chained zlib filters silently fail with large amounts of data
  . #60616 odbc_fetch_into returns junk data at end of multi-byte char fields
  . #55496 Interactive mode doesn't force a newline before the prompt
  . #67496 Save command history when exiting interactive shell with control-c
  . #67715 php-milter does not build and crashes randomly
  . #66901 php-gd 'c_color' NULL pointer dereference. CVE-2014-2497
  . #67635 php links to systemd libraries without using pkg-config
  . #67705 extensive backtracking in rule regular expression. CVE-2014-3538
  . Fix missing type checks in various functions (openssl/com/sessions)

- security issues
  . fixed CVE-2014-2497 #66901
  . fixed CVE-2014-3538 #67705
  . fixed CVE-2014-0185 #67060
  . fixed CVE-2014-0238 #67327
  . fixed CVE-2014-0237 #67328
  . fixed CVE-2014-4049 #67432
  . fixed CVE-2014-3981 #67390
  . fixed CVE-2014-4670 #67538

- security issues
  . fixed CVE-2013-7345 #66946

- update 5.5.10

- AnNyung patch
  . enhanced php 5.3 compatible mode
    . no print deprecated message about functions
    . no print static message about non static method
    . defualt charset to iso-8859-1 instead of utf-8
      about htmlspecialchars/htmlentities

- security isseus
  . fixed CVE-2014-2270 #66820
  . fixed CVE-2013-7327 #66815
  . fixed CVE-2014-1943 #66731

- Fixed offcial bug
  . Allow zero length comparison in substr_compare()
  . #60602 proc_open() changes environment array
  . #66109 Can't reset CURLOPT_CUSTOMREQUEST to default behaviour
  . #66714 imageconvolution breakage
  . #66869 Invalid 2nd argument crashes imageaffinematrixget
  . #66890 imagescale segfault
  . #66893 imagescale ignore method argument
  . #66887 imagescale - poor quality of scaled image
  . Fix hash_pbkdf2() with missing $length argument
  . #66535 Don't add newline after X-PHP-Originating-Script
  . #66762 Segfault in mysqli_stmt::bind_result() when link closed
  . Added function opcache_is_script_cached()
  . Added information about interned strings usage

- update 5.5.8
- AnNyung patch
  . See also http://annyung.oops.org/?m=white&p=php-guide
  . support allow_include_extension
  . support upload image file check
  . support realpath_cache_force
    prevent to use symlink, link function when realpath_cache_force is emabled
  . support php 5.3 compatible mode
    call time pass reference, magic quotes and so on.
- Fixed official bug
  . #66509 copy() arginfo has changed starting from 5.4
  . #66356 Heap Overflow Vulnerability in imagecrop()
  . #66474 Optimizer bug in constant string to boolean conversion
  . #66461 PHP crashes if opcache.interned_strings_buffer=0
  . #66298 ext/opcache/Optimizer/zend_optimizer.c has dos-style ^M as lineend
  . #66412 readline_clear_history() with libedit causes segfault after #65714
  . #66469 Session module is sending multiple set-cookie headers when
    session.use_strict_mode=1
  . #66481 Segfaults on session_name()
  . #66009 Failed compilation of PHP extension with C++ std library using VS 2012
  . #62479 PDO-psql cannot connect if password contains spaces
- add sqlite (sqlite2) extension