Stuck

On the left hand side, we have multiple vulnerabilities with PHP release 5.2.1 or less.

Remote attackers might be able to exploit these issues in PHP applications making use of the affected functions, potentially resulting in the execution of arbitrary code, Denial of Service, execution of scripted contents in the context of the affected site, security bypass or information leak.

On the right hand side, we have HTTP_RAW_POST_DATA bug in PHP 5.2.2.

So $GLOBALS['HTTP_RAW_POST_DATA'] is not set. The PEAR::XML_RPC package actually uses $HTTP_RAW_POST_DATA on the receiving end, but that doesn't appear to be set either. And the always_populate_raw_post_data option in php.ini doesn't make a difference.

That means, any PHP code that assumes the existence of $HTTP_RAW_POST_DATA will simply fail as that variable is no longer populated. With all the API, web services, etc, there are actually many applications that use raw post data, which could be XML, JSON, or any other package formats. Pingbacks simply won't work in WordPress, although WP 2.2 has a work around on this PHP 5.2.2 bug.

So I basically upgraded all my servers to PHP 5.2.2 early last week. found many web services code I wrote were broken, and was forced to revert back to vulnerable PHP 5.2.1. The bug has been fixed and there's a work around, but I would rather wait for 5.2.3 to hit the street, which I hope to be sooner than later.