PHP has had numerous security issues related to the parsing of things like HTTP headers, etc. This means that when you write your app in PHP and do something simple, you get security issues just for going along for the ride.
Put an empty PHP file on your server and you've got a vulnerability. If they can't figure out how to parse a URL correctly, what else is lurking? Ironically, the issue is a fix for a DOS attack, so they traded a DOS attack for remote code exec, and then backported it.
This is the equivalent of
    int main() { return 0; }
having security issues.
By the way, this issue is from two months ago, we're not even talking about the really bad ancient bugs.
Things like this: https://bugzilla.redhat.com/show_bug.cgi?id=786686