According to http://php.net/supported-versions.php :
Active support for php 5.4 ended 14 Sep 2014
Security updates for php 5.4 ended 14 Sep 2015
As of writing, that was 21 days ago.
The PHP developers categorize PHP 5.4 as "End of Life" which is defined as "A release that is no longer supported. Users of this release should upgrade as soon as possible, as they may be exposed to unpatched security vulnerabilities."
I suggest immediate deprecation with expiration date set for early 2016 (e.g. Jan 15 or Feb 1)
Adding feld@ to get the attention of somebody on the security team since PR has no response so far.
A commit references this bug:
Date: Wed Oct 14 20:04:44 UTC 2015
New revision: 399292
lang/php5 mark as deprecated
PHP 5.4 has reached End of Life status