diff --git a/SOURCES/php-5.4.16-CVE-2016-5385.patch b/SOURCES/php-5.4.16-CVE-2016-5385.patch
new file mode 100644
index 0000000..fd9826f
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2016-5385.patch
@@ -0,0 +1,134 @@
+Adapted for 5.4 from:
+
+
+From 98b9dfaec95e6f910f125ed172cdbd25abd006ec Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 10 Jul 2016 16:17:54 -0700
+Subject: [PATCH] Fix for HTTP_PROXY issue.
+
+The following changes are made:
+- _SERVER/_ENV only has HTTP_PROXY if the local environment has it,
+  and only one from the environment.
+- getenv('HTTP_PROXY') only returns one from the local environment
+- getenv has optional second parameter, telling it to only consider
+  local environment
+---
+ UPGRADING                      |  3 +++
+ ext/standard/basic_functions.c | 17 +++++++------
+ main/SAPI.c                    | 48 +++++++++++++++++++-----------------
+ main/php_variables.c           | 56 ++++++++++++++++++++++++++++--------------
+ 4 files changed, 76 insertions(+), 48 deletions(-)
+
+diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
+index 50b6bc7..8cbba14 100644
+--- a/ext/standard/basic_functions.c
++++ b/ext/standard/basic_functions.c
+@@ -3953,21 +3953,24 @@ PHP_FUNCTION(long2ip)
+  * System Functions *
+  ********************/
+ 
+-/* {{{ proto string getenv(string varname)
++/* {{{ proto string getenv(string varname[, bool local_only])
+    Get the value of an environment variable */
+ PHP_FUNCTION(getenv)
+ {
+ 	char *ptr, *str;
+ 	int str_len;
++	zend_bool local_only = 0;
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &str, &str_len) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &str, &str_len, &local_only) == FAILURE) {
+ 		RETURN_FALSE;
+ 	}
+ 
+-	/* SAPI method returns an emalloc()'d string */
+-	ptr = sapi_getenv(str, str_len TSRMLS_CC);
+-	if (ptr) {
+-		RETURN_STRING(ptr, 0);
++	if (!local_only) {
++		/* SAPI method returns an emalloc()'d string */
++		ptr = sapi_getenv(str, str_len TSRMLS_CC);
++		if (ptr) {
++			RETURN_STRING(ptr, 0);
++		}
+ 	}
+ #ifdef PHP_WIN32
+ 	{
+diff --git a/main/SAPI.c b/main/SAPI.c
+index 0dd0b55..8a56c6d 100644
+--- a/main/SAPI.c
++++ b/main/SAPI.c
+@@ -1016,7 +1016,11 @@ SAPI_API struct stat *sapi_get_stat(TSRMLS_D)
+ 
+ SAPI_API char *sapi_getenv(char *name, size_t name_len TSRMLS_DC)
+ {
+-	if (sapi_module.getenv) { 
++	if (!strncasecmp(name, "HTTP_PROXY", name_len)) {
++		/* Ugly fix for HTTP_PROXY issue */
++		return NULL;
++	}
++	if (sapi_module.getenv) {
+ 		char *value, *tmp = sapi_module.getenv(name, name_len TSRMLS_CC);
+ 		if (tmp) {
+ 			value = estrdup(tmp);
+diff --git a/main/php_variables.c b/main/php_variables.c
+index bf6b9f3..bbe57d3 100644
+--- a/main/php_variables.c
++++ b/main/php_variables.c
+@@ -735,10 +735,26 @@ static zend_bool php_auto_globals_create_files(const char *name, uint name_len T
+ 
+ 	zend_hash_update(&EG(symbol_table), name, name_len + 1, &vars, sizeof(zval *), NULL);
+ 	Z_ADDREF_P(vars);
+-	
++
+ 	return 0; /* don't rearm */
+ }
+ 
++/* Upgly hack to fix HTTP_PROXY issue */
++static void check_http_proxy(HashTable *var_table) {
++	if (zend_hash_exists(var_table, "HTTP_PROXY", sizeof("HTTP_PROXY"))) {
++		char *local_proxy = getenv("HTTP_PROXY");
++
++		if (!local_proxy) {
++			zend_hash_del(var_table, "HTTP_PROXY", sizeof("HTTP_PROXY"));
++		} else {
++			zval *local_zval;
++			ALLOC_INIT_ZVAL(local_zval);
++			ZVAL_STRING(local_zval, local_proxy, 1);
++			zend_hash_update(var_table, "HTTP_PROXY", sizeof("HTTP_PROXY"), &local_zval, sizeof(zval **), NULL);
++		}
++	}
++}
++
+ static zend_bool php_auto_globals_create_server(const char *name, uint name_len TSRMLS_DC)
+ {
+ 	if (PG(variables_order) && (strchr(PG(variables_order),'S') || strchr(PG(variables_order),'s'))) {
+@@ -771,9 +787,10 @@ static zend_bool php_auto_globals_create_server(const char *name, uint name_len
+ 		PG(http_globals)[TRACK_VARS_SERVER] = server_vars;
+ 	}
+ 
++	check_http_proxy(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]));
+ 	zend_hash_update(&EG(symbol_table), name, name_len + 1, &PG(http_globals)[TRACK_VARS_SERVER], sizeof(zval *), NULL);
+ 	Z_ADDREF_P(PG(http_globals)[TRACK_VARS_SERVER]);
+-	
++
+ 	return 0; /* don't rearm */
+ }
+ 
+@@ -787,11 +807,12 @@ static zend_bool php_auto_globals_create_env(const char *name, uint name_len TSR
+ 		zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_ENV]);
+ 	}
+ 	PG(http_globals)[TRACK_VARS_ENV] = env_vars;
+-	
++
+ 	if (PG(variables_order) && (strchr(PG(variables_order),'E') || strchr(PG(variables_order),'e'))) {
+ 		php_import_environment_variables(PG(http_globals)[TRACK_VARS_ENV] TSRMLS_CC);
+ 	}
+ 
++	check_http_proxy(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_ENV]));
+ 	zend_hash_update(&EG(symbol_table), name, name_len + 1, &PG(http_globals)[TRACK_VARS_ENV], sizeof(zval *), NULL);
+ 	Z_ADDREF_P(PG(http_globals)[TRACK_VARS_ENV]);
+ 
+-- 
+2.1.4
+
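Review bot: The guard added to sapi_getenv() in main/SAPI.c, `if (!strncasecmp(name, "HTTP_PROXY", name_len))`, compares only the first name_len bytes, so any name that is a case-insensitive prefix of HTTP_PROXY (for example `HTTP`, or an empty name with name_len 0) also takes the early `return NULL` and never reaches sapi_module.getenv. This over-blocks rather than under-blocks, so the CVE-2016-5385 filtering still holds, but an exact-length test would keep unrelated lookups intact: `if (name_len == sizeof("HTTP_PROXY") - 1 && !strncasecmp(name, "HTTP_PROXY", name_len))`. sapi_getenv's body continues past the end of the inner hunk, so its remaining return paths are not visible here.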
diff --git a/SOURCES/php-5.4.16-bug66375.patch b/SOURCES/php-5.4.16-bug66375.patch
new file mode 100644
index 0000000..fbeec64
--- /dev/null
+++ b/SOURCES/php-5.4.16-bug66375.patch
@@ -0,0 +1,84 @@
+From 3c3ff434329d2f505b00a79bacfdef95ca96f0d2 Mon Sep 17 00:00:00 2001
+From: krakjoe <joe.watkins@live.co.uk>
+Date: Wed, 1 Jan 2014 12:58:18 +0000
+Subject: [PATCH] fix #66375 bad logic in sapi header callback routine
+
+---
+ main/SAPI.c | 43 +++++++++++++++++++++++++------------------
+ 1 file changed, 25 insertions(+), 18 deletions(-)
+
+diff --git a/main/SAPI.c b/main/SAPI.c
+index dcb2da6..9ffc258 100644
+--- a/main/SAPI.c
++++ b/main/SAPI.c
+@@ -137,6 +137,7 @@ PHP_FUNCTION(header_register_callback)
+ 		efree(callback_name);
+ 		RETURN_FALSE;
+ 	}
++
+ 	efree(callback_name);
+ 
+ 	if (SG(callback_func)) {
+@@ -144,10 +145,10 @@ PHP_FUNCTION(header_register_callback)
+ 		SG(fci_cache) = empty_fcall_info_cache;
+ 	}
+ 
+-	Z_ADDREF_P(callback_func);
+-
+ 	SG(callback_func) = callback_func;
+-	
++
++	Z_ADDREF_P(SG(callback_func));
++
+ 	RETURN_TRUE;
+ }
+ /* }}} */
+@@ -156,24 +157,30 @@ static void sapi_run_header_callback(TSRMLS_D)
+ {
+ 	int   error;
+ 	zend_fcall_info fci;
++	char *callback_name = NULL;
++	char *callback_error = NULL;
+ 	zval *retval_ptr = NULL;
+-
+-	fci.size = sizeof(fci);
+-	fci.function_table = EG(function_table);
+-	fci.object_ptr = NULL;
+-	fci.function_name = SG(callback_func);
+-	fci.retval_ptr_ptr = &retval_ptr;
+-	fci.param_count = 0;
+-	fci.params = NULL;
+-	fci.no_separation = 0;
+-	fci.symbol_table = NULL;
+-
+-	error = zend_call_function(&fci, &SG(fci_cache) TSRMLS_CC);
+-	if (error == FAILURE) {
++	
++	if (zend_fcall_info_init(SG(callback_func), 0, &fci, &SG(fci_cache), &callback_name, &callback_error TSRMLS_CC) == SUCCESS) {
++		fci.retval_ptr_ptr = &retval_ptr;
++		
++		error = zend_call_function(&fci, &SG(fci_cache) TSRMLS_CC);
++		if (error == FAILURE) {
++			goto callback_failed;
++		} else if (retval_ptr) {
++			zval_ptr_dtor(&retval_ptr);
++		}
++	} else {
++callback_failed:
+ 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not call the sapi_header_callback");
+-	} else if (retval_ptr) {
+-		zval_ptr_dtor(&retval_ptr);
+ 	}
++	
++	if (callback_name) {
++		efree(callback_name);
++	}
++	if (callback_error) {
++		efree(callback_error);
++	}	
+ }
+ 
+ SAPI_API void sapi_handle_post(void *arg TSRMLS_DC)
+-- 
+2.1.4
+
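Review bot: In sapi_run_header_callback() the new `callback_error` string is freed but never reported, so when zend_fcall_info_init() rejects the callback the warning gives no reason for the failure. Assuming zend_fcall_info_init() fills callback_error on failure (its implementation is not visible in this hunk), the warning could carry it: `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not call the sapi_header_callback%s%s", callback_error ? ": " : "", callback_error ? callback_error : "");`. Separately, `goto callback_failed` jumps into the else branch, which makes the failure path harder to follow; a local failure flag tested after the if would read more plainly.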
diff --git a/SPECS/php.spec b/SPECS/php.spec
index b886eb2..745b3eb 100644
--- a/SPECS/php.spec
+++ b/SPECS/php.spec
@@ -69,7 +69,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: php
 Version: 5.4.16
-Release: 36.1%{?dist}.1
+Release: 36.3%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -115,6 +115,8 @@ Patch27: php-5.4.16-bug50444.patch
 Patch28: php-5.4.16-bug63595.patch
 # https://bugs.php.net/62129 session rfc1867
 Patch29: php-5.4.16-bug62129.patch
+# bad logic in sapi header callback routine
+Patch35: php-5.4.16-bug66375.patch
 
 # Functional changes
 Patch40: php-5.4.0-dlopen.patch
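Review bot: The comment added above Patch35 omits the upstream bug reference that the neighbouring entries carry (compare `# https://bugs.php.net/62129 session rfc1867`), so the patch cannot be traced to its report from the spec alone. Following the same pattern with the bug id from the patch subject would read `# https://bugs.php.net/66375 bad logic in sapi header callback routine`.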
@@ -186,6 +188,7 @@ Patch151: php-5.4.16-CVE-2015-2783.patch
 Patch152: php-5.4.16-CVE-2015-3329.patch
 Patch153: php-5.4.16-bug68819.patch
 Patch154: php-5.4.16-bug69152.patch
+Patch155: php-5.4.16-CVE-2016-5385.patch
 
 
 BuildRequires: bzip2-devel, curl-devel >= 7.9, gmp-devel
@@ -681,6 +684,7 @@ support for using the enchant library to PHP.
 %patch27 -p1 -b .bug50444
 %patch28 -p1 -b .bug63595
 %patch29 -p1 -b .bug62129
+%patch35 -p1 -b .bug66375
 
 %patch40 -p1 -b .dlopen
 %patch41 -p1 -b .easter
@@ -747,6 +751,7 @@ support for using the enchant library to PHP.
 %patch152 -p1 -b .cve3329
 %patch153 -p1 -b .bug68819
 %patch154 -p1 -b .bug69152
+%patch155 -p1 -b .cve5385
 
 
 # Prevent %%doc confusion over LICENSE files
@@ -1518,6 +1523,13 @@ fi
 
 
 %changelog
+* Fri Jul 22 2016 Remi Collet <rcollet@redhat.com> - 5.4.16-36.3
+- don't set environmental variable based on user supplied Proxy
+  request header CVE-2016-5385
+
+* Wed Jun 15 2016 Remi Collet <rcollet@redhat.com> - 5.4.16-36.2
+- fix segmentation fault in header_register_callback #1346758
+
 * Mon Apr  4 2016 Remi Collet <rcollet@redhat.com> - 5.4.16-36.1
 - session: fix segfault in session with rfc1867 #1323643