Hackbloc hacktivist collective - researching positive hacktivism

Myriad PHP Vulnerabilities

We normally don't post security announcements; if you want these on a regular basis you should probably be following BugTraq or SecurityFocus. But I found these ones to be of pretty important note, since there are some pretty large vulnerabilities here and since PHP is such a widely used language on a number of corporate and government, not to mention activist, sites. I hope that our readers will use the information here wisely in their pursuits. Read on for the vulnerabilities...

Several vulnerabilities were found in PHP:
- PHP ships a vulnerable version of the PCRE library which allows for the circumvention of security restrictions or even for remote code execution in the case of an application which accepts user-supplied regular expressions (CVE-2008-0674).
- Multiple crash issues in several PHP functions have been discovered.
- Ryan Permeh reported that the init_request_info() function in sapi/cgi/cgi_main.c does not properly consider operator precedence when calculating the length of PATH_TRANSLATED (CVE-2008-0599).
- An off-by-one error in the metaphone() function may lead to memory corruption.
- Maksymilian Arciemowicz of SecurityReason Research reported an integer overflow, which is triggerable using printf() and related functions (CVE-2008-1384).
- Andrei Nigmatulin reported a stack-based buffer overflow in the FastCGI SAPI, which has unknown attack vectors (CVE-2008-2050).
- Stefan Esser reported that PHP does not correctly handle multibyte characters inside the escapeshellcmd() function, which is used to sanitize user input before its usage in shell commands (CVE-2008-2051).
- Stefan Esser reported that a shortcoming in PHP's algorithm for seeding the random number generator might allow for predictable random numbers (CVE-2008-2107, CVE-2008-2108).
- The IMAP extension in PHP uses obsolete c-client API calls, making it vulnerable to buffer overflows as no bounds checking can be done (CVE-2008-2829).
- Tavis Ormandy reported a heap-based buffer overflow in pcre_compile.c in the PCRE version shipped by PHP when processing user-supplied regular expressions (CVE-2008-2371).
- CzechSec reported that specially crafted font files can lead to an overflow in the imageloadfont() function in ext/gd/gd.c, which is part of the GD extension (CVE-2008-3658).
- Maksymilian Arciemowicz of SecurityReason Research reported that a design error in PHP's stream wrappers allows circumvention of safe_mode checks in several filesystem-related PHP functions (CVE-2008-2665, CVE-2008-2666).
- Laurent Gaffie discovered a buffer overflow in the internal memnstr() function, which is used by the PHP function explode() (CVE-2008-3659).
- An error occurs in the FastCGI SAPI when processing a request with multiple dots preceding the extension (CVE-2008-3660).
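Two of the items above, the escapeshellcmd() multibyte issue (CVE-2008-2051) and the PCRE bugs reachable through user-supplied regular expressions (CVE-2008-0674, CVE-2008-2371), are only reachable when an application lets untrusted input become shell command text or a raw regex. The following is an added example, not code from the advisory or from PHP itself, showing the application-side pattern that keeps that input out of reach of those code paths; the function names and the log path /var/log/app.log are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern: the whole command line, user input included, is passed
// through escapeshellcmd(). On a build affected by CVE-2008-2051 the multibyte
// handling in escapeshellcmd() is the weak link, and even on a fixed build
// escapeshellcmd() is the wrong tool for quoting one argument.
function search_logs_unsafe(string $term): string
{
    return (string) shell_exec(escapeshellcmd("grep -F $term /var/log/app.log"));
}

// Hardened: never let user input reach the shell as command text. Allowlist the
// value to a conservative single-byte character set, quote it as exactly one
// argument with escapeshellarg(), and keep every fixed part of the command literal.
function search_logs_safe(string $term): ?string
{
    if (!preg_match('/\A[A-Za-z0-9 ._:-]{1,64}\z/', $term)) {
        return null; // refused rather than "cleaned"
    }
    $cmd = 'grep -F -- ' . escapeshellarg($term) . ' /var/log/app.log';
    return (string) shell_exec($cmd);
}

// Hardened handling of user-supplied patterns: the application never hands an
// arbitrary regex to pcre_compile(). It accepts a glob-like subset (* and ? only),
// escapes everything else with preg_quote(), and builds the final pattern itself,
// so the user cannot choose the PCRE constructs that get compiled.
function user_glob_to_regex(string $glob): ?string
{
    if (!preg_match('/\A[A-Za-z0-9*?._-]{1,64}\z/', $glob)) {
        return null; // parentheses, quantifiers, classes etc. are not accepted
    }
    // preg_quote() escapes * and ? as \* and \?; turn only those back into
    // the intended wildcards. Everything else stays a literal.
    $re = strtr(preg_quote($glob, '/'), ['\*' => '.*', '\?' => '.']);
    return '/\A' . $re . '\z/';
}

// Usage: a plain wildcard is accepted, a hand-written regex is not.
$re = user_glob_to_regex('error_*.log');
var_dump($re !== null && preg_match($re, 'error_2008.log') === 1);
var_dump(user_glob_to_regex('(a+)+$'));
```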
