- Fixed CVE-2007-1001, GD wbmp used with invalid image size
- Fixed a header injection via Subject and To parameters to the mail() function
- Fixed asciiz byte truncation inside mail()
- Fixed wrong length calculation in unserialize S type
- Fixed a bug in mb_parse_str() that can be used to activate register_globals
- Fixed unallocated memory access/double free in array_user_key_compare()
- Fixed a double free inside session_regenerate_id()
- Added missing open_basedir & safe_mode checks to zip:// and bzip:// wrappers
- Fixed substr_compare and substr_count information leak
- Limit nesting level of input variables with max_input_nesting_level
- Fixed CRLF injection inside ftp_putcmd()
- Fixed a possible super-global overwrite inside import_request_variables()
- Fixed a remotely trigger-able buffer overflow inside make_http_soap_request()
- Fixed a buffer overflow inside user_filter_factory_create()
- Fixed a remotely trigger-able buffer overflow inside bundled libxmlrpc library