Multiple vulnerabilities has been identified and fixed in php: The _zip_name_locate function in zip_name_locate.c in the Zip extension in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent attackers to cause a denial of service via an empty ZIP archive that is processed with a locateName or statName operation . exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms performs an incorrect cast, which allows remote attackers to cause a denial of service via an image with a crafted Image File Directory that triggers a buffer over-read . Integer overflow in ext/shmop/shmop.c in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service and possibly read sensitive memory via a large third argument to the shmop_read function . Multiple format string vulnerabilities in phar_object.c in the phar extension in PHP 5.3.5 and earlier allow context-dependent attackers to obtain sensitive information from process memory, cause a denial of service , or possibly execute arbitrary code via format string specifiers in an argument to a class method, leading to an incorrect zend_throw_exception_ex call . Buffer overflow in the strval function in PHP before 5.3.6, when the precision configuration option has a large value, might allow context-dependent attackers to cause a denial of service via a small numerical value in the argument . Integer overflow in the SdnToJulian function in the Calendar extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service via a large integer in the first argument to the cal_from_jd function . Unspecified vulnerability in the NumberFormatter::setSymbol function in the Intl extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service via an invalid argument, a related issue to CVE-2010-4409 . Unspecified vulnerability in the Streams component in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service by accessing an ftp:// URL during use of an HTTP proxy with the FTP wrapper . The Zip extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service via a ziparchive stream that is not properly handled by the stream_get_contents function . Integer signedness error in zip_stream.c in the Zip extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service via a malformed archive file that triggers errors in zip_fread function calls . The previous fix for #43486 got lost along the line and is now being fixed again. Note: the php-phar and php-intl packages was shipped with Enterprise Server 5 only and is also being fixed with this advisory. Additionally sqlite3 was upgraded to 3.7.3 for Corporate Server 4 which has numerous bug fixes and enhancements over the previous version. Packages for 2009.0 are provided as of the Extended Maintenance Program