Watching the PHP CVS
at 2007-08-12 15:10:20

One of the worst things about PHP security is that vulnerabilities in PHP are usually patched in CVS and then sit there for months before they are disclosed to the public. That is plenty of time for anyone to grab the fixes from CVS and develop exploits for them. As a result, PHP vulnerabilities are usually already known to the bad guys for weeks or months by the time a new PHP version comes out and the public is notified.


However, sometimes even after a release the general public does not learn about some of the vulnerabilities, because they are simply omitted from the release announcement. This has happened before, and it has happened once again with the release of PHP 5.2.2.


A while ago a bug in the mcrypt_create_iv() function was reported and fixed: the IV generator always created the same IV. The bug itself is the result of calling php_rand_r() with an uninitialised variable as the seed. Depending on the stack layout of the system, this results in the same IV being generated again and again. In some cases the stack layout may even yield a totally predictable seed, which results in a predictable IV. While this is not a completely dramatic problem, a non-random IV weakens the encryption. The bug is therefore a security problem, yet it is NOT mentioned at all in the PHP 5.2.2 and PHP 4.4.7 release notes.


Oh yeah... Why the same bug in the soap extension, which can be found by a simple grep for php_rand_r, was not found and fixed actually beats me...
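To make the consequence of the bug concrete, here is an added example (not code from the post or from PHP) that models an IV generator seeded from a stale, never-changing value next to a properly random one, a uniqueness check a practitioner can run against any IV source, and a toy CBC first block showing why a repeated IV leaks whether two messages start the same way. The stale seed value and the keyed-hash stand-in for the block cipher are constructed for illustration only.

```python
import os
import hashlib

BLOCK_SIZE = 16

def rand_r(seed: int) -> tuple:
    # Minimal LCG in the shape of the POSIX rand_r() example: the caller owns the seed,
    # so whatever value is passed in fully determines the output.
    seed = (seed * 1103515245 + 12345) & 0xFFFFFFFF
    return (seed >> 16) & 0x7FFF, seed

def iv_from_seed(seed: int, size: int = BLOCK_SIZE) -> bytes:
    # Fill the IV byte by byte from the PRNG, as a rand_r()-based generator would.
    out = bytearray()
    for _ in range(size):
        value, seed = rand_r(seed)
        out.append(value & 0xFF)
    return bytes(out)

def buggy_iv(size: int = BLOCK_SIZE) -> bytes:
    # Models the reported defect: the seed is whatever stale value happens to sit
    # in an uninitialised stack slot, so every call restarts the PRNG from the same point.
    stale_stack_value = 0xDEADBEEF  # constructed stand-in for leftover stack contents
    return iv_from_seed(stale_stack_value, size)

def good_iv(size: int = BLOCK_SIZE) -> bytes:
    # The fix in spirit: take the IV from the OS entropy source.
    return os.urandom(size)

def distinct_iv_ratio(gen, samples: int = 256) -> float:
    # Sanity check for any IV source: share of unique IVs over many calls.
    # A healthy generator returns ~1.0; a constant IV returns 1/samples.
    ivs = {gen() for _ in range(samples)}
    return len(ivs) / samples

def toy_cbc_first_block(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CBC's first ciphertext block is E_k(P1 XOR IV). A keyed hash stands in for the
    # block cipher purely to show the structure; it is not a real cipher.
    p1 = plaintext[:BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")
    xored = bytes(a ^ b for a, b in zip(p1, iv))
    return hashlib.sha256(key + xored).digest()[:BLOCK_SIZE]
```

With a constant IV, two encryptions of the same opening block produce the same first ciphertext block, which is exactly the information a random IV is meant to hide.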



Blog Source - http://blog.php-security.org/feeds/index.rss