Things from the php5 Debian changelog which changed between 5.3.3-7+squeeze18 and 5.3.3-7+squeeze26:

* CVE-2014-9705.patch
  Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.
* CVE-2015-0232.patch
  The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image.
* CVE-2015-2301.patch
  Use-after-free vulnerability in the phar_rename_archive function in phar_object.c in PHP before 5.5.22 and 5.6.x before 5.6.6 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an attempted renaming of a Phar archive to the name of an existing file.
* CVE-2015-2331.patch
  Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a ZIP archive that contains many entries, leading to a heap-based buffer overflow.
* CVE-2015-2783.patch
  Buffer Over-read in unserialize when parsing Phar
* CVE-2015-2787.patch
  Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages use of the unset function within an __wakeup function, a related issue to CVE-2015-0231.
* CVE-2015-3329.patch
  Buffer Overflow when parsing tar/zip/phar in phar_set_inode
* CVE-2015-3330.patch
  PHP potential remote code execution with apache 2.4 apache2handler
* CVE-2015-temp-68819.patch
  denial of service when processing a crafted file with Fileinfo
* add patches provided by Univention (Janek Walkenhorst) for:
  - CVE-2014-0238: The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long.
  - CVE-2014-0237: The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performance degradation) by triggering many file_printf calls.
  - CVE-2014-2270: softmagic.c in file before 5.17 and libmagic allows context-dependent attackers to cause a denial of service (out-of-bounds memory access and crash) via crafted offsets in the softmagic of a PE executable.
* add patches for CVE-2014-8117
  - Stop reporting bad capabilities after the first few.
  - limit the number of program and section header number of sections
  - limit recursion level
* [CVE-2014-3668]: Fix bug #68027 - fix date parsing in XMLRPC lib
* [CVE-2014-3669]: Fixed bug #68044: Integer overflow in unserialize() (32-bits only)
* [CVE-2014-3670]: Fix bug #68113 (Heap corruption in exif_thumbnail())
* [CVE-2014-3710]: Fix bug #68283: fileinfo: out-of-bounds read in elf note headers
* [CVE-2014-3538]: extensive backtracking in rule regular expression
* [CVE-2014-3597]: Segfault in dns_get_record (PHP#67717)
* [CVE-2014-3587]: Segfault in cdf.c (PHP#67716)
* [CVE-2014-3515]: fix unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion
* [CVE-2014-0207]: fileinfo: cdf_read_short_sector insufficient boundary check
* [CVE-2014-3480]: fileinfo: cdf_count_chain insufficient boundary check
* [CVE-2014-4721]: The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might allow context-dependent attackers to obtain sensitive information from process memory by using the integer data type with crafted values, related to a "type confusion" vulnerability, as demonstrated by reading a private SSL key in an Apache HTTP Server web-hosting environment with mod_ssl and a PHP 5.3.x mod_php.
* CVE-2014-4029
* [CVE-2014-1943]: Fix segmentation fault in libmagic (Closes: #739012)