Multiple serious vulnerabilities have been found in PHP and extensions. Malicious users can exploit these vulnerabilities to cause denial of service or inject code.

Below is a complete list of vulnerabilities

1. Multiple integer overflows can be exploited remotely via a specially designed year value;
2. Lack of tokens validation can be exploited remotely via a specially designed name;
3. Improper tmp drectory addres containing can be exploited locally via a file manipulations.

PHP versions 5.6.7 and possibly earlier
PHP extensions calendar and pgsql

These vulnerabilities aren’t mitigated by vendor. You can protect yourself with disabling some functionality.