MDVSA-2011:052: php
Written by Administrator
Thursday, 24 March 2011 00:00
Multiple vulnerabilities have been identified and fixed in php:

The _zip_name_locate function in zip_name_locate.c in the Zip extension
in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED
argument, which might allow context-dependent attackers to cause
a denial of service (application crash) via an empty ZIP archive
that is processed with a (1) locateName or (2) statName operation
(CVE-2011-0421).

exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms
performs an incorrect cast, which allows remote attackers to cause a
denial of service (application crash) via an image with a crafted Image
File Directory (IFD) that triggers a buffer over-read (CVE-2011-0708).

Integer overflow in ext/shmop/shmop.c in PHP before 5.3.6 allows
context-dependent attackers to cause a denial of service (crash)
and possibly read sensitive memory via a large third argument to the
shmop_read function (CVE-2011-1092).
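
The integer-overflow class behind CVE-2011-1092, shown as an added example that is not PHP's own code: a range check that adds the offset and the requested length wraps when the length is very large, while a check that compares the length with the remaining space cannot. The names `struct segment`, `range_ok_naive` and `range_ok_safe` are hypothetical and the segment size is a constructed value.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed model of a shared-memory segment: only its size matters here. */
struct segment { int size; };

/* Naive check: start + count is computed in int. The unsigned casts model
 * the two's-complement wraparound a large count causes (signed overflow is
 * undefined behaviour in C, so it is not performed directly). */
static int range_ok_naive(const struct segment *seg, int start, int count)
{
    int end = (int)((unsigned)start + (unsigned)count);
    if (start < 0 || start > seg->size) return 0;
    if (end > seg->size) return 0;   /* a wrapped 'end' is negative and passes */
    return 1;
}

/* Hardened check: reject negative values first, then compare count with
 * the space left after start, so no addition can overflow. */
static int range_ok_safe(const struct segment *seg, int start, int count)
{
    if (start < 0 || start > seg->size) return 0;
    if (count < 0 || count > seg->size - start) return 0;
    return 1;
}

int main(void)
{
    struct segment seg = { 1024 };   /* constructed sample size */
    printf("naive(1, INT_MAX) = %d\n", range_ok_naive(&seg, 1, INT_MAX));
    printf("safe(1, INT_MAX)  = %d\n", range_ok_safe(&seg, 1, INT_MAX));
    printf("safe(0, 1024)     = %d\n", range_ok_safe(&seg, 0, 1024));
    return 0;
}
```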

Multiple format string vulnerabilities in phar_object.c in the phar
extension in PHP 5.3.5 and earlier allow context-dependent attackers
to obtain sensitive information from process memory, cause a denial of
service (memory corruption), or possibly execute arbitrary code via
format string specifiers in an argument to a class method, leading
to an incorrect zend_throw_exception_ex call (CVE-2011-1153).

Buffer overflow in the strval function in PHP before 5.3.6, when
the precision configuration option has a large value, might allow
context-dependent attackers to cause a denial of service (application
crash) via a small numerical value in the argument (CVE-2011-1464).

Integer overflow in the SdnToJulian function in the Calendar extension
in PHP before 5.3.6 allows context-dependent attackers to cause a
denial of service (application crash) via a large integer in the
first argument to the cal_from_jd function (CVE-2011-1466).

Unspecified vulnerability in the NumberFormatter::setSymbol (aka
numfmt_set_symbol) function in the Intl extension in PHP before 5.3.6
allows context-dependent attackers to cause a denial of service
(application crash) via an invalid argument, a related issue to
CVE-2010-4409 (CVE-2011-1467).

Unspecified vulnerability in the Streams component in PHP before
5.3.6 allows context-dependent attackers to cause a denial of service
(application crash) by accessing an ftp:// URL during use of an HTTP
proxy with the FTP wrapper (CVE-2011-1469).

The Zip extension in PHP before 5.3.6 allows context-dependent
attackers to cause a denial of service (application crash)
via a ziparchive stream that is not properly handled by the
stream_get_contents function (CVE-2011-1470).

Integer signedness error in zip_stream.c in the Zip extension in PHP
before 5.3.6 allows context-dependent attackers to cause a denial of
service (CPU consumption) via a malformed archive file that triggers
errors in zip_fread function calls (CVE-2011-1471).

The previous fix for #43486 got lost along the line and is now being
fixed again.

Note: the php-phar (CVE-2011-1153) and php-intl (CVE-2011-1467)
packages were shipped with Enterprise Server 5 only and are also being
fixed with this advisory.

Additionally sqlite3 was upgraded to 3.7.3 for Corporate Server 4 which
has numerous bug fixes and enhancements over the previous version.

Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct these issues.
