CVE-2016-6288
The php_url_parse_ex function in ext/standard/url.c in PHP before 5.5.38 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via vectors involving the smart_str data type.
Date published : 2016-07-25
http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html