A vulnerability was discovered and corrected in libmbfl (php):

* Fix bug #53273 (mb_strcut() returns garbage with the excessive
length parameter) (CVE-2010-4156).

The updated packages have been patched to correct these issues.

Update:

The MDVSA-2010:225 advisory used the wrong patch to address the
problem, however it did fix the issue. This advisory provides the
correct upstream patch.