You might have heard about it from different places already. The Month for the "Month of PHP bugs" was choosen and it will be March. This means I will post every day in March information about one or more vulnerabilities within PHP.
Today PHP 5.2.1 was released which fixes some (but not all) of the bugs I will cover in the "Month of PHP bugs". Actually the release announcement already gives a list of bugs that were fixed. As usual the release announcement gives too little information about the bugs, does describe several bugs wrongly, forgets some security bugs that were fixed, downplays the seriousness of the bugs and does not give a single line of credit.
You will not find any hint anywhere that the security bugs listed were as usual reported by third parties. The release announcement as usual tries to make it look like all of the bugs where found by the PHP developers themself, who have no problem to credit themself in the Changelog for the little fixes they commited. But the original reporters that actually did the work of finding and reporting the vulnerability and that are therefore responsible for the additional security of the PHP community are not mentioned with a single line.
The later is by the way the reason why most of the security vulnerabilities in PHP are found by the "Hardened-PHP Project". There is absolutely no benefit for a security researcher to disclose vulnerabilities in PHP. Security vulnerabilities in PHP are far more worth when kept private and sold to 3rd parties. Actually if the list in the PHP 5.2.1 release announcement would be complete and woule give proper credit it would be quite obvious to everyone that nearly all vulnerabilities in the list were actually reported by the Hardened-PHP Project and are not the work of the PHP developers.
Ah and before I forget. During the "Month of PHP bugs" it will be demonstrated that the "Added internal heap protection" in PHP 5.2.1 (unlike the one within the Suhosin-Patch) does not stop the exploitability of lots of vulnerabilities at all.