OVAL

ELSA-2013-0514 -- Oracle php

ID: oval:org.secpod.oval:def:1500067
Date: (C) 2013-03-20 (M) 2023-12-07
Class: PATCH
Family: unix

Updated php packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

It was found that PHP did not check for carriage returns in HTTP headers, allowing intended HTTP response splitting protections to be bypassed. Depending on the web browser the victim is using, a remote attacker could use this flaw to perform HTTP response splitting attacks.

An integer signedness issue, leading to a heap-based buffer underflow, was found in the PHP scandir function. If a remote attacker could upload an excessively large number of files to a directory the scandir function runs on, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code.

It was found that PHP did not correctly handle the magic_quotes_gpc configuration directive. This could result in magic_quotes_gpc input escaping not being applied in all cases, possibly making it easier for a remote attacker to perform SQL injection attacks.

These updated php packages also include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.4 Technical Notes, linked to in the References, for information on the most significant of these changes.

All users of php are advised to upgrade to these updated packages, which fix these issues and add these enhancements. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

Platform: Oracle Linux 6
Product: php
Reference: ELSA-2013-0514, CVE-2012-0831, CVE-2011-1398, CVE-2012-2688

CVE (3):
CVE-2011-1398
CVE-2012-2688
CVE-2012-0831

CPE (124):
cpe:/a:php:php:3.0
cpe:/a:php:php:5.0.0:rc3
cpe:/a:php:php:5.0.0:rc2
cpe:/a:php:php:5.0.0:rc1
...

© SecPod Technologies