diff --git a/SOURCES/php-5.4.16-CVE-2016-5399.patch b/SOURCES/php-5.4.16-CVE-2016-5399.patch
new file mode 100644
index 0000000..dcbce86
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2016-5399.patch
@@ -0,0 +1,47 @@
+Adapted for 5.4, binary patch removed, from:
+
+
+From f3feddb5b45b5abd93abb1a95044b7e099d51c84 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 18 Jul 2016 22:20:45 -0700
+Subject: [PATCH] Partial fix for bug #72613 - do not treat negative returns
+ from bz2 as size_t
+
+---
+ ext/bz2/bz2.c | 80 +++++++++++++++++++++++---------------------
+ ext/bz2/tests/72613.bz2 | Bin 0 -> 351 bytes
+ ext/bz2/tests/bug72613.phpt | 23 +++++++++++++
+ 3 files changed, 65 insertions(+), 38 deletions(-)
+ create mode 100644 ext/bz2/tests/72613.bz2
+ create mode 100644 ext/bz2/tests/bug72613.phpt
+
+diff --git a/ext/bz2/bz2.c b/ext/bz2/bz2.c
+index de3250e..7cfcaa8 100644
+--- a/ext/bz2/bz2.c
++++ b/ext/bz2/bz2.c
+@@ -137,16 +137,20 @@ struct php_bz2_stream_data_t {
+ static size_t php_bz2iop_read(php_stream *stream, char *buf, size_t count TSRMLS_DC)
+ {
+ struct php_bz2_stream_data_t *self = (struct php_bz2_stream_data_t *) stream->abstract;
+- size_t ret;
+-
+- ret = BZ2_bzread(self->bz_file, buf, count);
++ int bz2_ret;
++
++ bz2_ret = BZ2_bzread(self->bz_file, buf, count);
+
+- if (ret == 0) {
++ if (bz2_ret < 0) {
++ stream->eof = 1;
++ return -1;
++ }
++ if (bz2_ret == 0) {
+ stream->eof = 1;
+ }
+
+- return ret;
++ return (size_t)bz2_ret;
+ }
+
+ static size_t php_bz2iop_write(php_stream *stream, const char *buf, size_t count TSRMLS_DC)
+ {
diff --git a/SOURCES/php-5.4.16-CVE-2016-5766.patch b/SOURCES/php-5.4.16-CVE-2016-5766.patch
new file mode 100644
index 0000000..d7f83d5
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2016-5766.patch
@@ -0,0 +1,94 @@
+Backported from 5.5.37 for 5.4.16
+
+From 7722455726bec8c53458a32851d2a87982cf0eac Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pajoye@php.net>
+Date: Sat, 18 Jun 2016 20:15:10 +0200
+Subject: [PATCH] Fixed #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
+
+From 5f107ab8a66f8b36ac0c0b32e0231bf94e083c94 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 20 Jun 2016 22:54:55 -0700
+Subject: [PATCH] fix tests
+
+From 0c7250f260303061425d0d8a348d1a80fa0cc12e Mon Sep 17 00:00:00 2001
+From: Anatol Belski <ab@php.net>
+Date: Tue, 21 Jun 2016 09:42:38 +0200
+Subject: [PATCH] remove the huge test file, generate it on the fly instead
+
+
+diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
+index 6726fee..63e3aef 100644
+--- php-5.4.16/ext/gd/libgd/gd_gd2.c.cve5766 2016-08-01 14:11:08.481345064 +0200
++++ php-5.4.16/ext/gd/libgd/gd_gd2.c 2016-08-01 14:15:39.679591854 +0200
+@@ -138,11 +138,18 @@ static int _gd2GetHeader(gdIOCtxPtr in,
+ if (gd2_compressed(*fmt)) {
+ nc = (*ncx) * (*ncy);
+ GD2_DBG(php_gd_error("Reading %d chunk index entries", nc));
++ if (overflow2(sizeof(t_chunk_info), nc)) {
++ goto fail1;
++ }
+ sidx = sizeof(t_chunk_info) * nc;
+ if (sidx <= 0) {
+ goto fail1;
+ }
+ cidx = gdCalloc(sidx, 1);
++ if (cidx == NULL) {
++ goto fail1;
++ }
++
+ for (i = 0; i < nc; i++) {
+ if (gdGetInt(&cidx[i].offset, in) != 1) {
+ goto fail1;
+diff --git a/ext/gd/tests/bug72339.phpt b/ext/gd/tests/bug72339.phpt
+new file mode 100644
+index 0000000..763ae71
+--- /dev/null
++++ b/ext/gd/tests/bug72339.phpt
+@@ -0,0 +1,11 @@
++--TEST--
++Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
++--SKIPIF--
++<?php if (!function_exists("imagecreatefromgd2")) print "skip"; ?>
++--FILE--
++<?php imagecreatefromgd2(dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd"); ?>
++--EXPECTF--
++Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
++ in %sbug72339.php on line %d
++
++Warning: imagecreatefromgd2(): '%sbug72339.gd' is not a valid GD2 file in %sbug72339.php on line %d
+
+diff --git a/ext/gd/tests/bug72339.phpt b/ext/gd/tests/bug72339.phpt
+index 763ae71..2c30ee8 100644
+--- a/ext/gd/tests/bug72339.phpt
++++ b/ext/gd/tests/bug72339.phpt
+@@ -3,7 +3,29 @@ Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
+ --SKIPIF--
+ <?php if (!function_exists("imagecreatefromgd2")) print "skip"; ?>
+ --FILE--
+-<?php imagecreatefromgd2(dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd"); ?>
++<?php
++$fname = dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd";
++
++$fh = fopen($fname, "w");
++fwrite($fh, "gd2\x00");
++fwrite($fh, pack("n", 2));
++fwrite($fh, pack("n", 1));
++fwrite($fh, pack("n", 1));
++fwrite($fh, pack("n", 0x40));
++fwrite($fh, pack("n", 2));
++fwrite($fh, pack("n", 0x5AA0)); // Chunks Wide
++fwrite($fh, pack("n", 0x5B00)); // Chunks Vertically
++fwrite($fh, str_repeat("\x41\x41\x41\x41", 0x1000000)); // overflow data
++fclose($fh);
++
++$im = imagecreatefromgd2($fname);
++
++if ($im) {
++ imagedestroy($im);
++}
++unlink($fname);
++
++?>
+ --EXPECTF--
+ Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+ in %sbug72339.php on line %d
diff --git a/SOURCES/php-5.4.16-CVE-2016-5767.patch b/SOURCES/php-5.4.16-CVE-2016-5767.patch
new file mode 100644
index 0000000..1990705
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2016-5767.patch
@@ -0,0 +1,30 @@
+Backported from 5.5.37 for 5.4 by Remi Collet
+
+
+From c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 20 Jun 2016 23:58:26 -0700
+Subject: [PATCH] iFixed bug #72446 - Integer Overflow in
+ gdImagePaletteToTrueColor() resulting in heap overflow
+
+---
+ NEWS | 2 ++
+ ext/gd/libgd/gd.c | 22 +++++++++++++---------
+ 2 files changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
+index 2c63aac..4dad95a 100644
+--- a/ext/gd/libgd/gd.c
++++ b/ext/gd/libgd/gd.c
+@@ -133,6 +133,10 @@ gdImagePtr gdImageCreate (int sx, int sy)
+ return NULL;
+ }
+
++ if (overflow2(sizeof(unsigned char *), sx)) {
++ return NULL;
++ }
++
+ im = (gdImage *) gdCalloc(1, sizeof(gdImage));
+
+ /* Row-major ever since gd 1.3 */
+
diff --git a/SOURCES/php-5.4.16-CVE-2016-5768.patch b/SOURCES/php-5.4.16-CVE-2016-5768.patch
new file mode 100644
index 0000000..5e7243f
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2016-5768.patch
@@ -0,0 +1,284 @@
+From 5b597a2e5b28e2d5a52fc1be13f425f08f47cb62 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 18 Jun 2016 21:48:39 -0700
+Subject: [PATCH] Fix bug #72402: _php_mb_regex_ereg_replace_exec - double free
+
+---
+ ext/mbstring/php_mbregex.c | 65 ++++++++++++++++++++--------------------
+ ext/mbstring/tests/bug72402.phpt | 17 +++++++++++
+ 2 files changed, 49 insertions(+), 33 deletions(-)
+ create mode 100644 ext/mbstring/tests/bug72402.phpt
+
+diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
+index d73c848..6cdee23 100644
+--- a/ext/mbstring/php_mbregex.c
++++ b/ext/mbstring/php_mbregex.c
+@@ -32,7 +32,7 @@
+ #include "ext/standard/info.h"
+ #include "php_mbregex.h"
+ #include "mbstring.h"
+-
++
+ #include "php_onig_compat.h" /* must come prior to the oniguruma header */
+ #include <oniguruma.h>
+ #undef UChar
+@@ -55,7 +55,7 @@ struct _zend_mb_regex_globals {
+ #define MBREX(g) (MBSTRG(mb_regex_globals)->g)
+
+ /* {{{ static void php_mb_regex_free_cache() */
+-static void php_mb_regex_free_cache(php_mb_regex_t **pre)
++static void php_mb_regex_free_cache(php_mb_regex_t **pre)
+ {
+ onig_free(*pre);
+ }
+@@ -78,7 +78,7 @@ static int _php_mb_regex_globals_ctor(zend_mb_regex_globals *pglobals TSRMLS_DC)
+ /* }}} */
+
+ /* {{{ _php_mb_regex_globals_dtor */
+-static void _php_mb_regex_globals_dtor(zend_mb_regex_globals *pglobals TSRMLS_DC)
++static void _php_mb_regex_globals_dtor(zend_mb_regex_globals *pglobals TSRMLS_DC)
+ {
+ zend_hash_destroy(&pglobals->ht_rc);
+ }
+@@ -466,7 +466,7 @@ static php_mb_regex_t *php_mbregex_compile_pattern(const char *pattern, int patl
+ retval = *rc;
+ }
+ out:
+- return retval;
++ return retval;
+ }
+ /* }}} */
+
+@@ -483,7 +483,7 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT
+ --len_left;
+ *(p++) = 'i';
+ }
+- ++len_req;
++ ++len_req;
+ }
+
+ if ((option & ONIG_OPTION_EXTEND) != 0) {
+@@ -491,7 +491,7 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT
+ --len_left;
+ *(p++) = 'x';
+ }
+- ++len_req;
++ ++len_req;
+ }
+
+ if ((option & (ONIG_OPTION_MULTILINE | ONIG_OPTION_SINGLELINE)) ==
+@@ -500,14 +500,14 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT
+ --len_left;
+ *(p++) = 'p';
+ }
+- ++len_req;
++ ++len_req;
+ } else {
+ if ((option & ONIG_OPTION_MULTILINE) != 0) {
+ if (len_left > 0) {
+ --len_left;
+ *(p++) = 'm';
+ }
+- ++len_req;
++ ++len_req;
+ }
+
+ if ((option & ONIG_OPTION_SINGLELINE) != 0) {
+@@ -515,22 +515,22 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT
+ --len_left;
+ *(p++) = 's';
+ }
+- ++len_req;
++ ++len_req;
+ }
+- }
++ }
+ if ((option & ONIG_OPTION_FIND_LONGEST) != 0) {
+ if (len_left > 0) {
+ --len_left;
+ *(p++) = 'l';
+ }
+- ++len_req;
++ ++len_req;
+ }
+ if ((option & ONIG_OPTION_FIND_NOT_EMPTY) != 0) {
+ if (len_left > 0) {
+ --len_left;
+ *(p++) = 'n';
+ }
+- ++len_req;
++ ++len_req;
+ }
+
+ c = 0;
+@@ -566,7 +566,7 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT
+ --len_left;
+ *(p++) = '\0';
+ }
+- ++len_req;
++ ++len_req;
+ if (len < len_req) {
+ return len_req;
+ }
+@@ -577,11 +577,11 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT
+
+ /* {{{ _php_mb_regex_init_options */
+ static void
+-_php_mb_regex_init_options(const char *parg, int narg, OnigOptionType *option, OnigSyntaxType **syntax, int *eval)
++_php_mb_regex_init_options(const char *parg, int narg, OnigOptionType *option, OnigSyntaxType **syntax, int *eval)
+ {
+ int n;
+ char c;
+- int optm = 0;
++ int optm = 0;
+
+ *syntax = ONIG_SYNTAX_RUBY;
+
+@@ -636,13 +636,13 @@ _php_mb_regex_init_options(const char *parg, int narg, OnigOptionType *option, O
+ *syntax = ONIG_SYNTAX_POSIX_EXTENDED;
+ break;
+ case 'e':
+- if (eval != NULL) *eval = 1;
++ if (eval != NULL) *eval = 1;
+ break;
+ default:
+ break;
+ }
+ }
+- if (option != NULL) *option|=optm;
++ if (option != NULL) *option|=optm;
+ }
+ }
+ /* }}} */
+@@ -860,11 +860,11 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
+ } else {
+ /* FIXME: this code is not multibyte aware! */
+ convert_to_long_ex(arg_pattern_zval);
+- pat_buf[0] = (char)Z_LVAL_PP(arg_pattern_zval);
++ pat_buf[0] = (char)Z_LVAL_PP(arg_pattern_zval);
+ pat_buf[1] = '\0';
+
+ arg_pattern = pat_buf;
+- arg_pattern_len = 1;
++ arg_pattern_len = 1;
+ }
+ /* create regex pattern buffer */
+ re = php_mbregex_compile_pattern(arg_pattern, arg_pattern_len, options, MBREX(current_mbctype), syntax TSRMLS_CC);
+@@ -934,7 +934,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
+ }
+ }
+ }
+-
++
+ if (eval) {
+ zval v;
+ /* null terminate buffer */
+@@ -953,32 +953,31 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
+ eval_buf.len = 0;
+ zval_dtor(&v);
+ } else if (is_callable) {
+- zval *retval_ptr;
++ zval *retval_ptr = NULL;
+ zval **args[1];
+ zval *subpats;
+ int i;
+-
++
+ MAKE_STD_ZVAL(subpats);
+ array_init(subpats);
+-
++
+ for (i = 0; i < regs->num_regs; i++) {
+ add_next_index_stringl(subpats, string + regs->beg[i], regs->end[i] - regs->beg[i], 1);
+- }
+-
++ }
++
+ args[0] = &subpats;
+ /* null terminate buffer */
+ smart_str_0(&eval_buf);
+-
++
+ arg_replace_fci.param_count = 1;
+ arg_replace_fci.params = args;
+ arg_replace_fci.retval_ptr_ptr = &retval_ptr;
+- if (zend_call_function(&arg_replace_fci, &arg_replace_fci_cache TSRMLS_CC) == SUCCESS && arg_replace_fci.retval_ptr_ptr) {
++ if (zend_call_function(&arg_replace_fci, &arg_replace_fci_cache TSRMLS_CC) == SUCCESS && arg_replace_fci.retval_ptr_ptr && retval_ptr) {
+ convert_to_string_ex(&retval_ptr);
+ smart_str_appendl(&out_buf, Z_STRVAL_P(retval_ptr), Z_STRLEN_P(retval_ptr));
+ eval_buf.len = 0;
+ zval_ptr_dtor(&retval_ptr);
+ } else {
+- efree(description);
+ if (!EG(exception)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call custom replacement function");
+ }
+@@ -991,7 +990,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
+ pos = (OnigUChar *)string + n;
+ } else {
+ if (pos < string_lim) {
+- smart_str_appendl(&out_buf, pos, 1);
++ smart_str_appendl(&out_buf, pos, 1);
+ }
+ pos++;
+ }
+@@ -1013,7 +1012,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
+ smart_str_free(&eval_buf);
+
+ if (err <= -2) {
+- smart_str_free(&out_buf);
++ smart_str_free(&out_buf);
+ RETVAL_FALSE;
+ } else {
+ smart_str_appendc(&out_buf, '\0');
+@@ -1063,7 +1062,7 @@ PHP_FUNCTION(mb_split)
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|l", &arg_pattern, &arg_pattern_len, &string, &string_len, &count) == FAILURE) {
+ RETURN_FALSE;
+- }
++ }
+
+ if (count > 0) {
+ count--;
+@@ -1317,7 +1316,7 @@ PHP_FUNCTION(mb_ereg_search_init)
+ if (zend_parse_parameters(argc TSRMLS_CC, "z|ss", &arg_str, &arg_pattern, &arg_pattern_len, &arg_options, &arg_options_len) == FAILURE) {
+ return;
+ }
+-
++
+ if (argc > 1 && arg_pattern_len == 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Empty pattern");
+ RETURN_FALSE;
+@@ -1416,7 +1415,7 @@ PHP_FUNCTION(mb_ereg_search_setpos)
+ /* }}} */
+
+ /* {{{ php_mb_regex_set_options */
+-static void _php_mb_regex_set_options(OnigOptionType options, OnigSyntaxType *syntax, OnigOptionType *prev_options, OnigSyntaxType **prev_syntax TSRMLS_DC)
++static void _php_mb_regex_set_options(OnigOptionType options, OnigSyntaxType *syntax, OnigOptionType *prev_options, OnigSyntaxType **prev_syntax TSRMLS_DC)
+ {
+ if (prev_options != NULL) {
+ *prev_options = MBREX(regex_default_options);
+diff --git a/ext/mbstring/tests/bug72402.phpt b/ext/mbstring/tests/bug72402.phpt
+new file mode 100644
+index 0000000..abb290b
+--- /dev/null
++++ b/ext/mbstring/tests/bug72402.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #72402: _php_mb_regex_ereg_replace_exec - double free
++--SKIPIF--
++<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
++--FILE--
++<?php
++function throwit() {
++ throw new Exception('it');
++}
++$var10 = "throwit";
++try {
++ $var14 = mb_ereg_replace_callback("", $var10, "");
++} catch(Exception $e) {}
++?>
++DONE
++--EXPECT--
++DONE
+\ No newline at end of file
diff --git a/SOURCES/php-5.4.16-bug66762.patch b/SOURCES/php-5.4.16-bug66762.patch
new file mode 100644
index 0000000..eb5bffc
--- /dev/null
+++ b/SOURCES/php-5.4.16-bug66762.patch
@@ -0,0 +1,137 @@
+From 9137acc7ecdf1542fe6fda5056a0273359682735 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Thu, 27 Feb 2014 08:45:16 +0100
+Subject: [PATCH] Fixed Bug #66762 Segfault in mysqli_stmt::bind_result() when
+ link closed
+
+Each new mysqli_stmt now increase the refcount of the link object.
+So the link is really destroy after all statements.
+
+Only implemented with libmysqlclient, as mysqlnd already implement
+this internally.
+
+So, libmysqlclient and mysqlnd have the same behavior.
+---
+ ext/mysqli/mysqli.c | 9 ++++++++-
+ ext/mysqli/mysqli_api.c | 8 ++++++++
+ ext/mysqli/php_mysqli_structs.h | 4 ++++
+ 3 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/ext/mysqli/mysqli.c b/ext/mysqli/mysqli.c
+index 4e4ed5b..cbeb183 100644
+--- a/ext/mysqli/mysqli.c
++++ b/ext/mysqli/mysqli.c
+@@ -176,8 +176,11 @@ void php_clear_stmt_bind(MY_STMT *stmt TSRMLS_DC)
+ php_free_stmt_bind_buffer(stmt->param, FETCH_SIMPLE);
+ /* Clean output bind */
+ php_free_stmt_bind_buffer(stmt->result, FETCH_RESULT);
+-#endif
+
++ if (stmt->link_handle) {
++ zend_objects_store_del_ref_by_handle(stmt->link_handle TSRMLS_CC);
++ }
++#endif
+ if (stmt->query) {
+ efree(stmt->query);
+ }
+@@ -1055,6 +1058,10 @@ PHP_FUNCTION(mysqli_stmt_construct)
+ efree(stmt);
+ RETURN_FALSE;
+ }
++#ifndef MYSQLI_USE_MYSQLND
++ stmt->link_handle = Z_OBJ_HANDLE(*mysql_link);
++ zend_objects_store_add_ref_by_handle(stmt->link_handle TSRMLS_CC);
++#endif
+
+ mysqli_resource = (MYSQLI_RESOURCE *)ecalloc (1, sizeof(MYSQLI_RESOURCE));
+ mysqli_resource->ptr = (void *)stmt;
+diff --git a/ext/mysqli/mysqli_api.c b/ext/mysqli/mysqli_api.c
+index 1dbff87..0b28a43 100644
+--- a/ext/mysqli/mysqli_api.c
++++ b/ext/mysqli/mysqli_api.c
+@@ -1840,6 +1840,10 @@ PHP_FUNCTION(mysqli_prepare)
+ efree(stmt);
+ RETURN_FALSE;
+ }
++#ifndef MYSQLI_USE_MYSQLND
++ stmt->link_handle = Z_OBJ_HANDLE(*mysql_link);
++ zend_objects_store_add_ref_by_handle(stmt->link_handle TSRMLS_CC);
++#endif
+
+ mysqli_resource = (MYSQLI_RESOURCE *)ecalloc (1, sizeof(MYSQLI_RESOURCE));
+ mysqli_resource->ptr = (void *)stmt;
+@@ -2368,6 +2372,10 @@ PHP_FUNCTION(mysqli_stmt_init)
+ efree(stmt);
+ RETURN_FALSE;
+ }
++#ifndef MYSQLI_USE_MYSQLND
++ stmt->link_handle = Z_OBJ_HANDLE(*mysql_link);
++ zend_objects_store_add_ref_by_handle(stmt->link_handle TSRMLS_CC);
++#endif
+
+ mysqli_resource = (MYSQLI_RESOURCE *)ecalloc (1, sizeof(MYSQLI_RESOURCE));
+ mysqli_resource->status = MYSQLI_STATUS_INITIALIZED;
+diff --git a/ext/mysqli/php_mysqli_structs.h b/ext/mysqli/php_mysqli_structs.h
+index d652592..d2fb34b 100644
+--- a/ext/mysqli/php_mysqli_structs.h
++++ b/ext/mysqli/php_mysqli_structs.h
+@@ -116,6 +116,10 @@ typedef struct {
+ BIND_BUFFER param;
+ BIND_BUFFER result;
+ char *query;
++#ifndef MYSQLI_USE_MYSQLND
++ /* used to manage refcount with libmysql (already implement in mysqlnd) */
++ zend_object_handle link_handle;
++#endif
+ } MY_STMT;
+
+ typedef struct {
+--
+2.1.4
+
+From 816a5d207270556aa5a9d74cdd8629d1b06cc350 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Thu, 27 Feb 2014 08:48:01 +0100
+Subject: [PATCH] test for bug #66762
+
+---
+ ext/mysqli/tests/bug66762.phpt | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+ create mode 100644 ext/mysqli/tests/bug66762.phpt
+
+diff --git a/ext/mysqli/tests/bug66762.phpt b/ext/mysqli/tests/bug66762.phpt
+new file mode 100644
+index 0000000..2b8a92c
+--- /dev/null
++++ b/ext/mysqli/tests/bug66762.phpt
+@@ -0,0 +1,26 @@
++--TEST--
++Bug #66762 mysqli@libmysql segfault in mysqli_stmt::bind_result() when link closed
++--SKIPIF--
++<?php
++require_once('skipif.inc');
++require_once('skipifconnectfailure.inc');
++?>
++--FILE--
++<?php
++ require_once("connect.inc");
++
++ $mysqli = new mysqli($host, $user, $passwd, $db);
++
++ $read_stmt = $mysqli->prepare("SELECT 1");
++
++ var_dump($read_stmt->bind_result($data));
++
++ unset($mysqli);
++ var_dump($read_stmt->bind_result($data));
++
++?>
++done!
++--EXPECT--
++bool(true)
++bool(true)
++done!
+\ No newline at end of file
+--
+2.1.4
+
diff --git a/SOURCES/php-5.4.16-bug66833.patch b/SOURCES/php-5.4.16-bug66833.patch
new file mode 100644
index 0000000..dde6e50
--- /dev/null
+++ b/SOURCES/php-5.4.16-bug66833.patch
@@ -0,0 +1,40 @@
+From 17f6391bf8bc5e0e74ea981c795455a18826ed35 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Fri, 14 Mar 2014 09:50:15 +0100
+Subject: [PATCH] Fixed Bug #66833 Default digest algo is still MD5
+
+Switch to SHA1, which match internal openssl hardcoded algo.
+
+In most case, won't even be noticed
+- priority on user input (default_md)
+- fallback on system config
+- fallback on this default value
+
+Recent system reject MD5 digest, noticed in bug36732.phpt failure.
+
+While SHA1 is better than MD5, SHA256 is recommenced,
+and defined as default algo in provided configuration on
+recent system (Fedora 21, RHEL-7, ...). But the idea is to
+keep in sync with openssl internal value for PHP internal value.
+---
+ ext/openssl/openssl.c | 2 +-
+ ext/openssl/tests/openssl.cnf | 1 -
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index b2ac712..88ad2ef 100755
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -855,7 +855,7 @@ static int php_openssl_parse_config(struct php_x509_request * req, zval * option
+ req->digest = req->md_alg = EVP_get_digestbyname(req->digest_name);
+ }
+ if (req->md_alg == NULL) {
+- req->md_alg = req->digest = EVP_md5();
++ req->md_alg = req->digest = EVP_sha1();
+ }
+
+ PHP_SSL_CONFIG_SYNTAX_CHECK(extensions_section);
+
+--
+2.1.4
+
diff --git a/SOURCES/php-5.4.16-bug71089.patch b/SOURCES/php-5.4.16-bug71089.patch
new file mode 100644
index 0000000..6b730d6
--- /dev/null
+++ b/SOURCES/php-5.4.16-bug71089.patch
@@ -0,0 +1,31 @@
+From 410eacc1a9b50ec3cb6c5fc0ff252516d0c0a4f1 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Fri, 11 Dec 2015 13:21:24 +0100
+Subject: [PATCH] Fix Bug #71089 No check to duplicate zend_extension
+
+---
+ Zend/zend_extensions.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/Zend/zend_extensions.c b/Zend/zend_extensions.c
+index 8321f1c..fbf1f32 100644
+--- a/Zend/zend_extensions.c
++++ b/Zend/zend_extensions.c
+@@ -105,6 +105,14 @@ int zend_load_extension(const char *path)
+ #endif
+ DL_UNLOAD(handle);
+ return FAILURE;
++ } else if (zend_get_extension(new_extension->name)) {
++ fprintf(stderr, "Cannot load %s - extension already loaded\n", new_extension->name);
++/* See http://support.microsoft.com/kb/190351 */
++#ifdef PHP_WIN32
++ fflush(stderr);
++#endif
++ DL_UNLOAD(handle);
++ return FAILURE;
+ }
+
+ return zend_register_extension(new_extension, handle);
+--
+2.1.4
+
diff --git a/SOURCES/php-5.4.16-curltls.patch b/SOURCES/php-5.4.16-curltls.patch
new file mode 100644
index 0000000..1c35da5
--- /dev/null
+++ b/SOURCES/php-5.4.16-curltls.patch
@@ -0,0 +1,38 @@
+Backport from PHP 5.5.0 and 5.5.19
+
+Adapted from:
+
+From e69f987948982d4259a574ca824398c26153bf42 Mon Sep 17 00:00:00 2001
+From: Pierrick Charron <pierrick@php.net>
+Date: Thu, 1 Dec 2011 21:48:07 +0000
+Subject: [PATCH] Clean / Improve the curl extension # NEWS file will come soon
+
+From 2b5bffe6c70bc00ebe57390f48ef7569e401d2d3 Mon Sep 17 00:00:00 2001
+From: Rasmus Lerdorf <rasmus@php.net>
+Date: Thu, 16 Oct 2014 21:25:29 -0700
+Subject: [PATCH] TLS 1.0, 1.1 and 1.2 Curl constants - bug #68247
+
+Macro available in upstream curl > 7.34
+Macro available since curl-7.19.7-43.el6 see https://bugzilla.redhat.com/1012136
+
+
+diff -up a/ext/curl/interface.c.old b/ext/curl/interface.c
+--- a/ext/curl/interface.c.old 2015-12-14 11:29:34.591570003 +0100
++++ b/ext/curl/interface.c 2015-12-14 11:38:42.366016986 +0100
+@@ -595,6 +595,16 @@ PHP_MINIT_FUNCTION(curl)
+ REGISTER_CURL_CONSTANT(CURLOPT_SSL_VERIFYHOST);
+ REGISTER_CURL_CONSTANT(CURLOPT_COOKIEFILE);
+ REGISTER_CURL_CONSTANT(CURLOPT_SSLVERSION);
++
++ /* Curl SSL Version constants (CURLOPT_SSLVERSION) */
++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_DEFAULT);
++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_SSLv2);
++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_SSLv3);
++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1);
++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_0);
++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_1);
++ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_2);
++
+ REGISTER_CURL_CONSTANT(CURLOPT_TIMECONDITION);
+ REGISTER_CURL_CONSTANT(CURLOPT_TIMEVALUE);
+ REGISTER_CURL_CONSTANT(CURLOPT_CUSTOMREQUEST);
diff --git a/SOURCES/php-5.4.16-wddx.patch b/SOURCES/php-5.4.16-wddx.patch
new file mode 100644
index 0000000..9f36834
--- /dev/null
+++ b/SOURCES/php-5.4.16-wddx.patch
@@ -0,0 +1,41 @@
+From 95ea1e7ca787537a93c25c401dba010d51aa8d59 Mon Sep 17 00:00:00 2001
+From: Anatol Belski <ab@php.net>
+Date: Sat, 11 May 2013 02:47:48 +0200
+Subject: [PATCH] fixed variable corruption under win x64
+
+---
+ ext/wddx/wddx.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
+index 967da6a..afeca90 100644
+--- a/ext/wddx/wddx.c
++++ b/ext/wddx/wddx.c
+@@ -405,7 +405,7 @@ static void php_wddx_serialize_string(wddx_packet *packet, zval *var TSRMLS_DC)
+
+ if (Z_STRLEN_P(var) > 0) {
+ char *buf;
+- int buf_len;
++ size_t buf_len;
+
+ buf = php_escape_html_entities(Z_STRVAL_P(var), Z_STRLEN_P(var), &buf_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+
+@@ -626,12 +626,12 @@ static void php_wddx_serialize_array(wddx_packet *packet, zval *arr)
+ */
+ void php_wddx_serialize_var(wddx_packet *packet, zval *var, char *name, int name_len TSRMLS_DC)
+ {
+- char *tmp_buf;
+- char *name_esc;
+- int name_esc_len;
+ HashTable *ht;
+
+ if (name) {
++ size_t name_esc_len;
++ char *tmp_buf, *name_esc;
++
+ name_esc = php_escape_html_entities(name, name_len, &name_esc_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+ tmp_buf = emalloc(name_esc_len + sizeof(WDDX_VAR_S));
+ snprintf(tmp_buf, name_esc_len + sizeof(WDDX_VAR_S), WDDX_VAR_S, name_esc);
+--
+2.1.4
+
diff --git a/SOURCES/php-5.4.6-bug65641.patch b/SOURCES/php-5.4.6-bug65641.patch
new file mode 100644
index 0000000..6909439
--- /dev/null
+++ b/SOURCES/php-5.4.6-bug65641.patch
@@ -0,0 +1,118 @@
+From ee275e34c8b303945945c650d4bc90dcc2ac0b17 Mon Sep 17 00:00:00 2001
+From: David Zuelke <dzuelke@gmail.com>
+Date: Sat, 9 Aug 2014 08:26:33 +0200
+Subject: [PATCH] restore FPM compatibility with mod_fastcgi broken since #694
+ / 67541, fixes bug 67606
+
+---
+ sapi/fpm/fpm/fpm_main.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c
+index e879325..56a06f9 100644
+--- a/sapi/fpm/fpm/fpm_main.c
++++ b/sapi/fpm/fpm/fpm_main.c
+@@ -1142,13 +1142,16 @@ static void init_request_info(TSRMLS_D)
+ TRANSLATE_SLASHES(env_document_root);
+ }
+
+- if (env_path_translated != NULL && env_redirect_url != NULL &&
++ if (!apache_was_here && env_path_translated != NULL && env_redirect_url != NULL &&
+ env_path_translated != script_path_translated &&
+ strcmp(env_path_translated, script_path_translated) != 0) {
+ /*
+ * pretty much apache specific. If we have a redirect_url
+ * then our script_filename and script_name point to the
+ * php executable
++ * we don't want to do this for the new mod_proxy_fcgi approach,
++ * where redirect_url may also exist but the below will break
++ * with rewrites to PATH_INFO, hence the !apache_was_here check
+ */
+ script_path_translated = env_path_translated;
+ /* we correct SCRIPT_NAME now in case we don't have PATH_INFO */
+@@ -1323,7 +1326,7 @@ static void init_request_info(TSRMLS_D)
+ efree(pt);
+ }
+ } else {
+- /* make sure path_info/translated are empty */
++ /* make sure original values are remembered in ORIG_ copies if we've changed them */
+ if (!orig_script_filename ||
+ (script_path_translated != orig_script_filename &&
+ strcmp(script_path_translated, orig_script_filename) != 0)) {
+@@ -1332,7 +1335,9 @@ static void init_request_info(TSRMLS_D)
+ }
+ script_path_translated = _sapi_cgibin_putenv("SCRIPT_FILENAME", script_path_translated TSRMLS_CC);
+ }
+- if (env_redirect_url) {
++ if (!apache_was_here && env_redirect_url) {
++ /* if we used PATH_TRANSLATED to work around Apache mod_fastcgi (but not mod_proxy_fcgi,
++ * hence !apache_was_here) weirdness, strip info accordingly */
+ if (orig_path_info) {
+ _sapi_cgibin_putenv("ORIG_PATH_INFO", orig_path_info TSRMLS_CC);
+ _sapi_cgibin_putenv("PATH_INFO", NULL TSRMLS_CC);
+--
+2.1.4
+
+From 8cac75969e5abb2b6be5bbd489d851a4f9e50979 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Mon, 15 Sep 2014 13:29:55 +0200
+Subject: [PATCH] Fixed bug #65641 PHP-FPM incorrectly defines the SCRIPT_NAME
+ variable when using Apache
+
+ProxyPass is unable to provide correct PATH_INFO
+as it is not aware of file path (while SetHandler is).
+
+As we can extract PATH_INFO from PATH_TRANSLATED,
+we also need to check if present in SCRIPT_NAME
+and remove it.
+
+After applying this patch.
+With mod_php
+_SERVER["REQUEST_URI"] /info.php/foo/bar?q=1
+_SERVER["SCRIPT_NAME"] /info.php
+_SERVER["PATH_INFO"] /foor/bar
+_SERVER["PHP_SELF"] /info.php/foo/bar
+_SERVER["QUERY_STRING"] q=1
+
+With mod_proxy_fcgi + SetHandler
+_SERVER["REQUEST_URI"] /info.php/foo/bar?q=1
+_SERVER["SCRIPT_NAME"] /info.php
+_SERVER["PATH_INFO"] /foo/bar
+_SERVER["PHP_SELF"] /info.php/foo/bar
+_SERVER["QUERY_STRING"] q=1
+
+With mod_proxy_fcgi + ProxyPass
+_SERVER["REQUEST_URI"] /info.php/foo/bar?q=1
+_SERVER["SCRIPT_NAME"] /info.php
+_SERVER["PATH_INFO"] /foo/bar
+_SERVER["PHP_SELF"] /info.php/foo/bar
+_SERVER["QUERY_STRING"] q=1
+---
+ sapi/fpm/fpm/fpm_main.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c
+index 56a06f9..331342c 100644
+--- a/sapi/fpm/fpm/fpm_main.c
++++ b/sapi/fpm/fpm/fpm_main.c
+@@ -1231,6 +1231,17 @@ static void init_request_info(TSRMLS_D)
+ SG(request_info).request_uri = orig_script_name;
+ }
+ path_info[0] = old;
++ } else if (apache_was_here && env_script_name) {
++ /* Using mod_proxy_fcgi and ProxyPass, apache cannot set PATH_INFO
++ * As we can extract PATH_INFO from PATH_TRANSLATED
++ * it is probably also in SCRIPT_NAME and need to be removed
++ */
++ int snlen = strlen(env_script_name);
++ if (snlen>slen && !strcmp(env_script_name+snlen-slen, path_info)) {
++ _sapi_cgibin_putenv("ORIG_SCRIPT_NAME", orig_script_name TSRMLS_CC);
++ env_script_name[snlen-slen] = 0;
++ SG(request_info).request_uri = _sapi_cgibin_putenv("SCRIPT_NAME", env_script_name TSRMLS_CC);
++ }
+ }
+ env_path_info = _sapi_cgibin_putenv("PATH_INFO", path_info TSRMLS_CC);
+ }
+--
+2.1.4
+
diff --git a/SPECS/php.spec b/SPECS/php.spec
index 745b3eb..7024bf6 100644
--- a/SPECS/php.spec
+++ b/SPECS/php.spec
@@ -69,7 +69,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: 5.4.16
-Release: 36.3%{?dist}
+Release: 42%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -115,6 +115,16 @@ Patch27: php-5.4.16-bug50444.patch
Patch28: php-5.4.16-bug63595.patch
# https://bugs.php.net/62129 session rfc1867
Patch29: php-5.4.16-bug62129.patch
+# https://bugs.php.net/66762 mysqli segfault
+Patch30: php-5.4.16-bug66762.patch
+# https://bugs.php.net/65641 fpm script name
+Patch31: php-5.4.6-bug65641.patch
+# https://bugs.php.net/71089 duplicate ext
+Patch32: php-5.4.16-bug71089.patch
+# https://bugs.php.net/66833 default digest algo
+Patch33: php-5.4.16-bug66833.patch
+# fixed variable corruption
+Patch34: php-5.4.16-wddx.patch
# bad logic in sapi header callback routine
Patch35: php-5.4.16-bug66375.patch
@@ -134,6 +144,7 @@ Patch46: php-5.4.9-fixheader.patch
Patch47: php-5.4.9-phpinfo.patch
# Fix php_select on aarch64 (http://bugs.php.net/67406)
Patch48: php-5.4.16-aarch64-select.patch
+Patch49: php-5.4.16-curltls.patch
# Fixes for tests
Patch60: php-5.4.16-pdotests.patch
@@ -189,6 +200,10 @@ Patch152: php-5.4.16-CVE-2015-3329.patch
Patch153: php-5.4.16-bug68819.patch
Patch154: php-5.4.16-bug69152.patch
Patch155: php-5.4.16-CVE-2016-5385.patch
+Patch156: php-5.4.16-CVE-2016-5766.patch
+Patch157: php-5.4.16-CVE-2016-5767.patch
+Patch158: php-5.4.16-CVE-2016-5768.patch
+Patch159: php-5.4.16-CVE-2016-5399.patch
BuildRequires: bzip2-devel, curl-devel >= 7.9, gmp-devel
@@ -684,6 +699,11 @@ support for using the enchant library to PHP.
%patch27 -p1 -b .bug50444
%patch28 -p1 -b .bug63595
%patch29 -p1 -b .bug62129
+%patch30 -p1 -b .bug66762
+%patch31 -p1 -b .bug65641
+%patch32 -p1 -b .bug71089
+%patch33 -p1 -b .bug66833
+%patch34 -p1 -b .fix
%patch35 -p1 -b .bug66375
%patch40 -p1 -b .dlopen
@@ -699,6 +719,7 @@ support for using the enchant library to PHP.
%patch46 -p1 -b .fixheader
%patch47 -p1 -b .phpinfo
%patch48 -p1 -b .aarch64select
+%patch49 -p1 -b .curltls
%patch60 -p1 -b .pdotests
@@ -752,6 +773,10 @@ support for using the enchant library to PHP.
%patch153 -p1 -b .bug68819
%patch154 -p1 -b .bug69152
%patch155 -p1 -b .cve5385
+%patch156 -p1 -b .cve5766
+%patch157 -p1 -b .cve5767
+%patch158 -p1 -b .cve5768
+%patch159 -p1 -b .cve5399
# Prevent %%doc confusion over LICENSE files
@@ -1523,15 +1548,36 @@ fi
%changelog
-* Fri Jul 22 2016 Remi Collet <rcollet@redhat.com> - 5.4.16-36.3
+* Fri Aug 5 2016 Remi Collet <rcollet@redhat.com> - 5.4.16-42
+- bz2: fix improper error handling in bzread() CVE-2016-5399
+
+* Mon Aug 1 2016 Remi Collet <rcollet@redhat.com> - 5.4.16-41
+- gd: fix integer overflow in _gd2GetHeader() resulting in
+ heap overflow CVE-2016-5766
+- gd: fix integer overflow in gdImagePaletteToTrueColor()
+ resulting in heap overflow CVE-2016-5767
+- mbstring: fix double free in _php_mb_regex_ereg_replace_exec
+ CVE-2016-5768
+
+* Fri Jul 22 2016 Remi Collet <rcollet@redhat.com> - 5.4.16-40
- don't set environmental variable based on user supplied Proxy
request header CVE-2016-5385
-* Wed Jun 15 2016 Remi Collet <rcollet@redhat.com> - 5.4.16-36.2
-- fix segmentation fault in header_register_callback #1346758
-
-* Mon Apr 4 2016 Remi Collet <rcollet@redhat.com> - 5.4.16-36.1
-- session: fix segfault in session with rfc1867 #1323643
+* Wed Jun 15 2016 Remi Collet <rcollet@redhat.com> - 5.4.16-39
+- fix segmentation fault in header_register_callback #1344578
+
+* Mon May 30 2016 Remi Collet <rcollet@redhat.com> - 5.4.16-38
+- curl: add options to enable TLS #1291667
+- mysqli: fix segfault in mysqli_stmt::bind_result() when
+ link is closed #1096800
+- fpm: fix incorrectly defined SCRIPT_NAME variable when
+ using Apache #1138563
+- core: fix segfault when a zend_extension is loaded twice #1289457
+- openssl: change default_md algo from MD5 to SHA1 #1073388
+- wddx: fix segfault in php_wddx_serialize_var #1131979
+
+* Mon Apr 4 2016 Remi Collet <rcollet@redhat.com> - 5.4.16-37
+- session: fix segfault in session with rfc1867 #1297179
* Wed Jun 10 2015 Remi Collet <rcollet@redhat.com> - 5.4.16-36
- fix more functions accept paths with NUL character #1213407