development/languages

php56 - Apache2 PHP engine

License: PHP
Vendor: AnNyung Packaging Team
Description:
PHP is an HTML-embedded scripting language.  PHP attempts to make it
easy for developers to write dynamically generated web pages.  PHP
also offers built-in database integration for several commercial
and non-commercial database management systems, so writing a
database-enabled web page with PHP is fairly simple.  The most
common use of PHP coding is probably as a replacement for CGI
scripts.  The mod_php module enables the Apache web server to
understand and process the embedded PHP language in web pages.

Building option:
	--with no_goto : use if you don't want to add the vm kind option with goto

Packages

php56-5.6.40-6.an3.src [15.0 MiB] Changelog by JoungKyun.Kim (2022-02-06):
- security issues
  . #79812 Pcntl: Potential integer overflow in pcntl_exec()
  . CVE-2020-7071 Standard: FILTER_VALIDATE_URL accepts URLs with invalid userinfo (#77423)
  . CVE-2021-21706 Zip: ZipArchive::extractTo extracts outside of destination (#81420)
  . CVE-2021-21703 FPM: PHP-FPM oob R/W in root process leading to privilege escalation (#81026)
  . CVE-2021-21707 XML: special character is breaking the path in xml function (#79971)
php56-5.6.40-5.an3.src [15.0 MiB] Changelog by JoungKyun.Kim (2020-06-10):
- security issues
  . CVE-2020-7070 PHP parses encoded cookie names so malicious `__Host-` cookies can be sent (#79699)
php56-5.6.40-4.an3.src [15.0 MiB] Changelog by JoungKyun.Kim (2020-06-10):
- security issues
  . CVE-2019-11048 Core: Long filenames cause OOM and temp files are not cleaned (#78875)
  . CVE-2019-11048 Core: Long variables in multipart/form-data cause OOM and temp files are not cleaned (#78876)
  . CVE-2020-7064 EXIF: Use-of-uninitialized-value in exif (#79282)
  . CVE-2020-7066 Standard: get_headers() silently truncates after a null byte (#79329)
  . CVE-2020-7063 Phar: Files added to tar with Phar::buildFromIterator have all-access permissions (#79082)
  . CVE-2020-7062 Sessions: Null Pointer Dereference in PHP Session Upload Progress (#79221)
php56-5.6.40-3.an3.src [15.0 MiB] Changelog by JoungKyun.Kim (2020-01-23):
- security issues
  . CVE-2019-13224 #78380 MBString: don't allow different encodings for onig_new_deluxe
  . CVE-2019-11050 #78793 EXIF: Use-after-free in exif parsing under memory sanitizer
  . CVE-2019-11047 #78910 EXIF: Heap-buffer-overflow READ in exif
  . CVE-2019-11046 #78878 Bcmath: Buffer underflow in bc_shift_addsub
  . CVE-2019-11045 #78863 Core: DirectoryIterator class silently truncates after a null byte
  . CVE-2019-11043 #78599 FPM: env_path_info underflow in fpm_main.c can lead to RCE
  . CVE-2019-11042 #78256 EXIF: heap-buffer-overflow on exif_process_user_comment
  . CVE-2019-11041 #78222 EXIF: heap-buffer-overflow on exif_scan_thumbnail
  . CVE-2020-7060  #79037 Mbstring: global buffer-overflow in 'mbfl_filt_conv_big5_wchar'
  . CVE-2020-7059  #79099 Standard: OOB read in php_strip_tags_ex
php56-5.6.40-2.an3.src [15.0 MiB] Changelog by JoungKyun.Kim (2019-06-08):
- security issues
  . CVE-2019-11040 EXIF: heap-buffer-overflow on php_jpg_get16 (#77988)
  . CVE-2019-11039 Iconv: Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow (#78069)
  . CVE-2019-11038 GD: Uninitialized read in gdImageCreateFromXbm (#77973)
  . CVE-2019-11036 EXIF: Heap-buffer-overflow in _estrndup via exif_process_IFD_TAG (#77950)
  . CVE-2019-11035 EXIF: Heap-buffer-overflow in exif_iif_add_value (#77831)
  . CVE-2019-11034 EXIF: Heap-buffer-overflow in php_ifd_get32s (#77753)
php56-5.6.40-1.an3.src [15.0 MiB] Changelog by JoungKyun.Kim (2019-01-19):
- update 5.6.40
  . http://kr.php.net/ChangeLog-5.php#5.6.40

- security issues
  . fixed #77269 GD: efree() on uninitialized Heap data in imagescale leads to use-after-free.
  . fixed #77270 GD: imagecolormatch Out Of Bounds Write on Heap.
  . fixed #77370 Mbstring: Buffer overflow on mb regex functions - fetch_token.
  . fixed #77371 Mbstring: heap buffer overflow in mb regex functions - compile_string_node.
  . fixed #77381 Mbstring: heap buffer overflow in multibyte match_at.
  . fixed #77382 Mbstring: heap buffer overflow due to incorrect length in expand_case_fold_string.
  . fixed #77385 Mbstring: buffer overflow in fetch_token.
  . fixed #77394 Mbstring: Buffer overflow in multibyte case folding - unicode.
  . fixed #77418 Mbstring: Heap overflow in utf32be_mbc_to_code.
  . fixed #77247 Phar: heap buffer overflow in phar_detect_phar_fname_ext.
  . fixed #77242 Xmlrpc: heap out of bounds read in xmlrpc_decode().
  . fixed #77380 Xmlrpc: Global out of bounds read in xmlrpc base64 code.
php56-5.6.39-1.an3.src [15.0 MiB] Changelog by JoungKyun.Kim (2019-01-06):
- update 5.6.39
  . http://kr.php.net/ChangeLog-5.php#5.6.39

- security issues
  . CVE-2018-17082 Apache2: XSS due to the header Transfer-Encoding: chunked (#76582)
  . CVE-2018-14883 EXIF: Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c (#76423)
  . CVE-2018-14851 EXIF: heap-buffer-overflow (READ of size 48) while reading exif data (#76557)
php56-5.6.36-1.an3.src [15.0 MiB] Changelog by JoungKyun.Kim (2018-07-08):
- update 5.6.36
  . http://kr.php.net/ChangeLog-5.php#5.6.36

- security issues
  . CVE-2018-10545 FPM: Dumpable FPM child processes allow bypassing opcache access controls (#75605)
  . CVE-2018-10549 Exif: Heap Buffer Overflow (READ: 1786) in exif_iif_add_value (#76130)
  . CVE-2018-10546 iconv: stream filter convert.iconv leads to infinite loop on invalid sequence (#76249)
  . CVE-2018-10548 LDAP: Malicious LDAP-Server Response causes Crash (#76248)
  . CVE-2018-10547 Phar: fix for CVE-2018-5712 may not be complete (#76129)
php56-5.6.34-1.an3.src [15.0 MiB] Changelog by JoungKyun.Kim (2018-03-17):
- update 5.6.34
  . http://kr.php.net/ChangeLog-5.php#5.6.34
- security issues
  . CVE-2018-7584 Standard: stack-buffer-overflow while parsing HTTP response (#75981)
php56-5.6.33-1.an3.src [15.0 MiB] Changelog by JoungKyun.Kim (2018-02-04):
- update 5.6.33
  . http://kr.php.net/ChangeLog-5.php#5.6.33
- if upload_image_check is on, only add sec and secstr member of $_FILES
php56-5.6.32-1.an3.src [15.0 MiB] Changelog by JoungKyun.Kim (2017-11-06):
- update 5.6.32
  . http://kr.php.net/ChangeLog-5.php#5.6.32
- security issues
  . CVE-2016-1283 PCRE preg_match double free
php56-5.6.31-1.an3.src [14.9 MiB] Changelog by JoungKyun.Kim (2017-09-02):
- update 5.6.31
- fixed exec_dir bug
  . fixed #15 Bug when using "2>&1" in exec command
  . fixed #16 error "NULL byte detected."

- security issues
  . CVE-2017-9224 mbstring
  . CVE-2017-9226 mbstring
  . CVE-2017-9227 mbstring
  . CVE-2017-9228 mbstring
  . CVE-2017-9229 mbstring
php56-5.6.30-1.an3.src [14.9 MiB] Changelog by JoungKyun.Kim (2017-05-26):
- update 5.6.30
php56-5.6.29-2.an3.src [14.9 MiB] Changelog by JoungKyun.Kim (2017-01-07):
- fixed 5.6.29 official bug
  . fixed #73737 Exif: FPE when parsing a tag format
  . fixed #73530 Sqlite3: Unsetting result set may reset other result set
  . fixed #70213 Standard: Unserialize context shared on double class lookup
  . fixed #73825 Heap out of bounds read on unserialize in finish_nested_data()
  . fixed #73764 Phar: Crash while loading hostile phar archive
  . fixed #73768 Phar: Memory corruption when loading hostile phar
  . fixed #73773 Phar: Seg fault when loading hostile phar

- security issues
  . exec_dir: #8 backquote and $() syntax weakness after semi colon
    https://github.com/OOPS-ORG-PHP/mod_execdir/issues/8
php56-5.6.29-1.an3.src [14.9 MiB] Changelog by JoungKyun.Kim (2016-12-19):
- fixed 5.6.29 official bug
  . fixed #73549 GD: Use after free when stream is passed to imagepng
  . fixed #68447 Intl: grapheme_extract take an extra trailing character
- security issues
  . fixed #73505 string length overflow in mbfl_memory_device_output function
  . fixed #73402 Opcache segfault when using class constant to call a method
  . fixed #72776 Invalid parameter in memcpy function through openssl_pbkdf2
  . fixed #73452 Soap segfault (Regression for #69152)
  . fixed #73213 Integer overflow in imageline() with antialiasing
  . fixed #73279 Integer overflow in gdImageScaleBilinearPalette()
  . fixed #73280 Stack Buffer Overflow in GD dynamicGetbuf
  . fixed #72482 Illegal write/read access caused by gdImageAALine overflow
  . fixed #72696 imagefilltoborder stackoverflow on truecolor images
  . fixed #73418 Integer Overflow in "_php_imap_mail" leads Heap Overflow
  . fixed #73331 NULL Pointer Dereference in WDDX Packet Deserialization with PDORow
php56-5.6.26-1.an3.src [14.9 MiB] Changelog by JoungKyun.Kim (2016-10-02):
- fixed 5.6.27 official bug
  . fixed #73025 Core: Heap Buffer Overflow in virtual_popen of zend_virtual_cwd.c
  . fixed #73058 Core: crypt broken when salt is 'too' long
  . fixed #72703 Core: Out of bounds global memory read in BF_crypt triggered by password_verify
  . fixed #72972 Filter: Bad filter for the flags FILTER_FLAG_NO_RES_RANGE and FILTER_FLAG_NO_PRIV_RANGE
  . fixed #67167 Filter: Wrong return value from FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE
  . fixed #73054 Filter: default option ignored when object passed to int filter
  . fixed #67325 GD: imagetruecolortopalette: white is duplicated in palette
  . fixed #50194 GD: imagettftext broken on transparent background w/o alphablending
  . fixed #73003 GD: Integer Overflow in gdImageWebpCtx of gd_webp.c (CVE-2016-7568)
  . fixed #53504 GD: imagettfbbox gives incorrect values for bounding box
  . fixed #73157 GD: imagegd2() ignores 3rd param if 4 are given
  . fixed #73155 GD: imagegd2() writes wrong chunk sizes on boundaries
  . fixed #73159 GD: imagegd2(): unrecognized formats may result in corrupted files
  . fixed #73161 GD: imagecreatefromgd2() may leak memory
  . fixed #72994 Mbstring: mbc_to_code() out of bounds read
  . fixed #66964 Mbstring: mb_convert_variables() cannot detect recursion
  . fixed #72992 Mbstring: mbstring.internal_encoding doesn't inherit default_charset
  . fixed #72590 Opcache: Opcache restart with kill_all_lockers does not work
  . fixed #73072 Openssl: Invalid path SNI_server_certs causes segfault
  . fixed #68015 Session: Session does not report invalid uid for files save handler
  . fixed #73100 Session: session_destroy null dereference in ps_files_path_create
  . fixed #73069 Stream: readfile() mangles files larger than 2G
  . fixed #70752 Zip: Depacking with wrong password leaves 0 length files

- fixed 5.6.28 official bug
  . fixed bug #73203 Standard: passing additional_parameters causes mail to fail
  . fixed bug #73213 GD: Integer overflow in imageline() with antialiasing

- security issues
  . CVE-2016-7568 GD: Integer Overflow in gdImageWebpCtx of gd_webp.c (#73003)
  . CVE-2016-5385 Core: HTTP_PROXY is improperly trusted by some PHP libraries and applications (#72573)
  . CVE-2016-6207 GD: Integer overflow error within _gdContributionsAlloc() (#72558)
  . CVE-2015-8874 GD: Stack overflow with imagefilltoborder (#66387)
  . CVE-2016-5766 GD: Integer Overflow in _gd2GetHeader() resulting in heap overflow (#72339)
  . CVE-2016-5767 GD: Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow (#72446)
  . CVE-2016-5768 Mbstring: _php_mb_regex_ereg_replace_exec - double free (#72402)
  . CVE-2016-5769 Mcrypt: Heap Overflow due to integer overflows (#72455)
  . CVE-2016-5770 SPL: int/size_t confusion in SplFileObject::fread (#72262)
  . CVE-2016-5771 SPL: Use After Free Vulnerability in PHP's GC algorithm and unserialize (#72433)
  . CVE-2016-5772 WDDX: Double Free Corruption in wddx_deserialize (#72340)
  . CVE-2016-5773 Zip: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize (#72434)
php56-5.6.22-2.an3.src [14.1 MiB] Changelog by JoungKyun.Kim (2016-08-01):
- fixed conflict of obsoletes and provides with php 7 package
php56-5.6.22-1.an3.src [14.1 MiB] Changelog by JoungKyun.Kim (2016-06-21):
- fixed zend_mm_heap corrupted problems of exec_dir patch
- security issues
  . CVE-2016-3074 libgd: signedness vulnerability (#71912)
  . CVE-2015-8865 Buffer over-write in finfo_open with malformed magic file (#71527)
  . CVE-2016-4073 AddressSanitizer: negative-size-param (-1) in mbfl_strcut (#71906)
  . CVE-2016-4072 Invalid memory write in phar on filename with \0 in name (#71860)
  . CVE-2016-4071 php_snmp_error() Format String Vulnerability (#71704)
  . CVE-2016-4070 Integer Overflow in php_raw_url_encode (#71798)

- fixed 5.6.22 Official bug
  . fixed #72140 OpenSSL: segfault after calling ERR_free_strings()
  . fixed #70484 Intl: selectordinal doesn't work with named parameters
  . fixed #72337 GD: invalid dimensions can lead to crash

- fixed 5.6.23 Official bug
  . fixed #72439 Stream: stream socket with remote address leads to a segmentation fault
  . fixed #72336 OpenSSL: openssl_pkey_new does not fail for invalid DSA params
  . fixed #72915 OpenSSL: openssl_random_pseudo_bytes is not fork-safe
  . fixed #50854 EXIF: exif_read_data() returns corrupted exif headers
  . fixed #72138 Core: Integer Overflow in Length of String-typed ZVAL
  . fixed #72447 bz2: Type Confusion in php_bz2_filter_create()
  . fixed #43475 GD: Thick styled lines have scrambled patterns
  . fixed #53640 GD: XBM images require width to be multiple of 8
  . fixed #64641 GD: imagefilledpolygon doesn't draw horizontal line
php56-5.6.20-1.an3.src [14.1 MiB] Changelog by JoungKyun.Kim (2016-04-12):
- update 5.6.20
- fixed 5.6.20 official bugs
  . Fixed bug #71841 Core: EG(error_zval) is not handled well
  . Fixed bug #71831 Curl: CURLOPT_NOPROXY applied as long instead of string
  . Fixed bug #63171 ODBC: Script hangs after max_execution_time
  . Fixed bug #71843 Opcache: null ptr deref ZEND_RETURN_SPEC_CONST_HANDLER
  . Fixed bug #52098 PDO: Own PDOStatement implementation ignore __call()
  . Fixed bug #71820 Postgres: pg_fetch_object binds parameters before
    call constructor
  . Fixed bug #67582 SPL: Cloned SplObjectStorage with overwritten getHash fails
    offsetExists()
  . Fixed bug #71840 Standard: Unserialize accepts wrongly data
  . fixed bug #71744 PDO: a query may return bad result or error
    "Invalid parameter number"
  . fixed bug #69537 Core: __debugInfo with empty string for key gives error
  . fixed bug #67512 Standard: php_crypt() crashes if crypt_r() does not
    exist or _REENTRANT is not defined
  . fixed bug #71889 Date: DateInterval::format Segmentation fault
php56-5.6.19-1.an3.src [14.1 MiB] Changelog by JoungKyun.Kim (2016-03-24):
- fixed 5.6.19 official bugs
  . Fixed bug #69953 CLI Server: Support MKCALENDAR request method
  . Fixed bug #71596 Core: Segmentation fault on ZTS with date function (setlocale)
  . Fixed bug #71694 Curl: Support constant CURLM_ADDED_ALREADY
  . Fixed bug #71635 Date: DatePeriod::getEndDate segfault
  . fixed bug #47803, #69526 ODBC: Executing prepared statements is successful
    only for the first two statements
  . fixed bug #54648 PDO_DBlib: PDO::MSSQL forces format of datetime fields
  . fixed bug #71625 Phar: Crash in php7.dll with bad phar filename
  . fixed bug #71504 Phar: Parsing of tar file with duplicate filenames
    causes memory leak

- fixed 5.6.20 official bugs
  . Fixed bug #71841 Core: EG(error_zval) is not handled well
  . Fixed bug #71831 Curl: CURLOPT_NOPROXY applied as long instead of string
  . Fixed bug #63171 ODBC: Script hangs after max_execution_time
  . Fixed bug #71843 Opcache: null ptr deref ZEND_RETURN_SPEC_CONST_HANDLER
  . Fixed bug #52098 PDO: Own PDOStatement implementation ignore __call()
  . Fixed bug #71820 Postgres: pg_fetch_object binds parameters before
    call constructor
  . Fixed bug #67582 SPL: Cloned SplObjectStorage with overwritten getHash fails
    offsetExists()
  . Fixed bug #71840 Standard: Unserialize accepts wrongly data
php56-5.6.18-1.an3.src [14.0 MiB] Changelog by JoungKyun.Kim (2016-02-16):
- fixed official bugs
  . fixed bug #71523 CURL: Copied handle with new option CURLOPT_HTTPHEADER crashes while curl_multi_exec
  . fixed bug #68078 Date: Datetime comparisons ignore microseconds
  . fixed bug #71525 Date: Calls to date_modify will mutate timelib_rel_time, causing date_date_set issues
  . fixed bug #71434 Fileinfo: finfo throws notice for specific python file
  . fixed bug #62172 FPM: FPM not working with Apache httpd 2.4 balancer/fcgi setup
  . fixed bug #71584 Opcache: Possible use-after-free of ZCG(cwd) in Zend Opcache
  . fixed bug #71569 #70389 PDO MySQL: fix causes segmentation fault
  . fixed bug #70720 Standard: strip_tags improper php code parsing
  . fixed bug #71540 XSL: NULL pointer dereference in xsl_ext_function_php()
  . fixed bug #71561 Zip: NULL pointer dereference in Zip::ExtractTo
php56-5.6.17-1.an3.src [14.0 MiB] Changelog by JoungKyun.Kim (2016-01-13):
- 5.6.17 compat package

Listing created by Repoview-0.6.6-4.el7