A potential server-side request forgery flaw was found in the way PHP accepted an fsockopen hostname argument with an expectation that the port number was constrained. Because :port syntax is recognized, fsockopen would use the port number that was specified in the hostname argument, instead of the port number in the second argument of the function. This could potentially allow a remote attacker to generate requests from a vulnerable PHP application that would target an application on the attacker-supplied port.
Created php tracking bugs for this issue:
Affects: fedora-all [bug 1437838]
Fixed in 7.0.18RC1 and 7.1.4RC1
Note: the fix for this minor security issue creates a minor behavior change (regression), noticed at least for the "proxy" attribute of the stream context.
guzzle/guzzle report https://github.com/guzzle/guzzle/issues/1790
guzzle/ringphp report https://github.com/guzzle/RingPHP/issues/41
Possible fix (probably not accepted)
While the patch was in 7.0.18/7.1.4, we discovered it breaks a lot of applications relying on undocumented behavior.
So the change has been reverted (in 7.0.19RC1 / 7.1.5R1)
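An application-side check for the behaviour described at the top of this report, where a `:port` suffix in the hostname argument takes precedence over the port argument of fsockopen. This is an added example, not code from PHP or from this bug report; `host_without_port` and `open_constrained_socket` are hypothetical helper names and the sample hostnames are constructed.

```php
<?php
// Added example: hypothetical helpers, not part of PHP or of this report.

/**
 * Return a host that is safe to hand to fsockopen() with a fixed port,
 * or null when the value carries a scheme, a ":port" suffix or other syntax.
 */
function host_without_port(string $host): ?string
{
    // Bare IPv4 literal: contains no colon, pass through unchanged.
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return $host;
    }
    // Bare IPv6 literal: bracket it so its colons cannot be read as a
    // port separator. Pre-bracketed input such as "[::1]:6379" fails here.
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
        return '[' . $host . ']';
    }
    // DNS name: letters, digits, hyphen and dot only. This rejects
    // "host:port", "tcp://host", "user@host" and bracketed forms.
    if (preg_match('/^[A-Za-z0-9.-]+$/', $host) === 1
        && filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false) {
        return $host;
    }
    return null;
}

/** Open a socket only when the port argument is the one that will be used. */
function open_constrained_socket(string $host, int $port, float $timeout = 5.0)
{
    $clean = host_without_port($host);
    if ($clean === null) {
        throw new InvalidArgumentException('hostname must not carry a scheme or port');
    }
    return fsockopen($clean, $port, $errno, $errstr, $timeout);
}

// Constructed inputs; no connection is made here, only the validation runs.
$samples = ['example.org', '192.0.2.10', '::1',
            'example.org:22', 'tcp://example.org', '[::1]:6379'];
foreach ($samples as $h) {
    printf("%-20s %s\n", $h, host_without_port($h) === null ? 'rejected' : 'accepted');
}
```

The first three sample values are accepted and the last three are rejected, so a caller that fixes the port in the second argument keeps that constraint regardless of how PHP parses the hostname.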