fix underflow in env_path_info in fpm_main.c CVE-2019-11043

fix stack-buffer-overflow while parsing HTTP response CVE-2018-7584
fix out-of-bounds read in base64_decode_xmlrpc CVE-2019-9024
fix reflected XSS in phar 404 page CVE-2018-5712
fix reflected XSS in phar 403 and 404 error pages CVE-2018-10547

load openssl configuration file on startup #1408301

gd: fix buffer over-read into uninitialized memory CVE-2017-7890

fix php should provide php(httpd) #1215429
fpm: backport PHP-FPM's clear_env option from 5.4.27 #1410010
openssl: fix default_socket_timeout does not work with SSL #1378196

gd: fix DoS vulnerability in gdImageCreateFromGd2Ctx() CVE-2016-10167
gd: Signed Integer Overflow gd_io.c CVE-2016-10168

bz2: fix improper error handling in bzread() CVE-2016-5399

gd: fix integer overflow in _gd2GetHeader() resulting in
2016-5766
gd: fix integer overflow in gdImagePaletteToTrueColor()
2016-5767
mbstring: fix double free in _php_mb_regex_ereg_replace_exec
2016-5768

don't set environmental variable based on user supplied Proxy
2016-5385

fix segmentation fault in header_register_callback #1344578

curl: add options to enable TLS #1291667
mysqli: fix segfault in mysqli_stmt::bind_result() when
fpm: fix incorrectly defined SCRIPT_NAME variable when
core: fix segfault when a zend_extension is loaded twice #1289457
openssl: change default_md algo from MD5 to SHA1 #1073388
wddx: fix segfault in php_wddx_serialize_var #1131979

session: fix segfault in session with rfc1867 #1297179

fix more functions accept paths with NUL character #1213407

core: fix multipart/form-data request can use excessive
2015-4024
fix various functions accept paths with NUL character
2015-4025, CVE-2015-4026, #1213407
fileinfo: fix denial of service when processing a crafted
ftp: fix integer overflow leading to heap overflow when
2015-4022
phar: fix buffer over-read in metadata parsing CVE-2015-2783
phar: invalid pointer free() in phar_tar_process_metadata()
2015-3307
phar: fix buffer overflow in phar_set_inode() CVE-2015-3329
phar: fix memory corruption in phar_parse_tarfile caused by
2015-4021
soap: fix type confusion through unserialize #1222538
apache2handler: fix pipelined request executed in deinitialized
2015-3330

fix memory corruption in fileinfo module on big endian
fix segfault in pdo_odbc on x86_64 #1159892
fix segfault in gmp allocator #1154760

core: use after free vulnerability in unserialize()
2014-8142 and CVE-2015-0231
core: fix use-after-free in unserialize CVE-2015-2787
core: fix NUL byte injection in file name argument of
2015-2348
date: use after free vulnerability in unserialize CVE-2015-0273
enchant: fix heap buffer overflow in enchant_broker_request_dict
2014-9705
exif: free called on unitialized pointer CVE-2015-0232
fileinfo: fix out of bounds read in mconvert CVE-2014-9652
gd: fix buffer read overflow in gd_gif_in.c CVE-2014-9709
phar: use after free in phar_object.c CVE-2015-2301
soap: fix type confusion through unserialize