A vulnerability has been identified and fixed in libzip: The _zip_name_locate function in zip_name_locate.c in the Zip extension in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent attackers to cause a denial of service via an empty ZIP archive that is processed with a locateName or statName operation . Packages for 2009.0 are provided as of the Extended Maintenance Program