After 6 months of waiting PHP 4 users finally can install an update that fixes the critical unset() vulnerability that I have disclosed to php.net at the end of January.

Because there are meanwhile a lot of rumours about this vulnerability in the underground and because the PHP 4.4.3 release announcement does not mention this critical hole at all I wrote up a little article about it, which you can read here.

PS: This is the long awaited hole that allows PHP code execution in latest patched phpBB.