PHP 5.27 replaced by 5.28

PHP version 5.27 was officially released and quickly replaced with 5.28. The regression errors introduced in 5.27 affect configurations where magic_quotes_gpc is enabled. So skip 5.27 and go straight to 5.28.

End of PHP4

It has been announced that PHP4 support is to cease, with only critical support fixes to be made. The details are that new releases on the PHP 4 line will cease at the end of 2007, and security fixes may be made available until August 8, 2008. The announcement encourages all users to upgrade to PHP5.
PHP6 is on the horizon but no definite timeframe is given.

XSS and SQL Injection PHP Code Scanner

From XSS News comes a link to an application called Pixy. It is a Java app that takes PHP code and warns of potential cross-site scripting and/or SQL injection vulnerabilities.

There is plenty of documentation, with good explanations of what Pixy can and cannot achieve. For example, you cannot throw it a directory of code and have it find problems. If your PHP code has multiple entry points, then Pixy needs to be run once for each of them.

A web version is available to run an XSS test on single pieces of PHP code. The download version requires Perl to be installed on your system.

PHP 5.2.3 Released

A new PHP version has been released: 5.2.3. The development team states “This release continues to improve the security and the stability of the 5.X branch as well as addressing two regressions introduced by the previous 5.2 releases.” Nothing earth-shattering, but security updates are always a good thing.

Release notes and change log available.

No upgrade on the 4.4.x line.

php|architect’s Guide to PHP Security

Core PHP developer on security. Covers both PHP 4 & 5.