For all those that have not yet learned about my two new advisories through the usual channels. PHP 5.1.2 was released today, fixing among other things a serious HTTP Response Splitting vulnerability in the PHP5 session extension. The fix was implemented in a way similar to the SAPI hook in our Hardening-Patch and is the first move to get some of the Hardening-Patch features into the plain PHP. It is also merged into the PHP4 code tree.
This means: once PHP 4.4.2 is out (which will be very soon) HTTP Response Splitting Vulnerabilities in PHP applications are history. From now on, all new PHP versions will no longer support multiple headers in the header() call and therefore all vulnerable applications will only be exploitable on hosts with old PHP versions.
And yes you are brave if you do not use the latest PHP version, because of all the secretly fixed security holes in older versions.