PHP 5.2.3 was released with several security fixes.

Again not all security fixes are mentioned in the release announcement.

Again security bugs known to the developers were not correctly fixed.

More info here.

PS: Why does PHP.net always release security fixes just before the weekend?

UPDATE: Antony Dogval from Zend meanwhile wrote a blog entry where he comments on this blog entry. He claims that I did not tell the PHP developers how to fix the issue. I love it how members of the PHP development team that do not receive the mails to security@php.net try to convince the world that I never sent those mails. I wrote atleast 2 times in the conversation about the described bug that the problem is because the session id is not encoded. I am not the php.net babysitter. I repeated myself and got ignored, I am not begging PHP.net to listen to reason.