If you haven’t already, be sure to upgrade to the latest PHP 5.3.10 release, as it contains fixes for several security vulnerabilities that have been recently reported. You can grab the tarballs here and Windows binaries here; be sure to check with your distro to make sure it is up to date as well.
We have lots of users still using PHP 5.2.x out there, and we strongly encourage you to upgrade your instances as soon as possible. Not only have there been no bug fixes for the 5.2 line in the past year, but you are also missing out on the fixes for all of these security issues that affect your version of PHP and are fixed in 5.3.10 (taken from the PHP changelog at http://www.php.net/ChangeLog-5.php):
- Fixed arbitrary remote code execution vulnerability reported by Stefan Esser, CVE-2012-0830.
- Updated crypt_blowfish to 1.2. (CVE-2011-2483) (Solar Designer)
- Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload filename). (Felipe) Reported by Krzysztof Kotowicz. (CVE-2011-2202)
- Fixed bug #54238 (use-after-free in substr_replace()). (Stas) (CVE-2011-1148)
- Fixed stack buffer overflow in socket_connect(). (CVE-2011-1938) Found by Mateusz Kocielski, Marek Kroemeke and Filip Palian. (Felipe)
- Fixed bug #54002 (crash on crafted tag, reported by Luca Carettoni). (Pierre) (CVE-2011-0708)
- Fixed bug #54247 (format-string vulnerability on Phar). (Felipe) (CVE-2011-1153)
- Fixed bug #54193 (Integer overflow in shmop_read()). (Felipe) Reported by Jose Carlos Norte (CVE-2011-1092)
- Fixed bug #53885 (ZipArchive segfault with FL_UNCHANGED on empty archive). (Stas, Maksymilian Arciemowicz). (CVE-2011-0421)
These fixes, along with the numerous performance and stability gains in the PHP 5.3 release, are definitely good reasons to make the switch today.