PHP 5.2.7 removed from distribution

Written by Editor on December 08, 2008

On 7 December the PHP Group withdrew its PHP 5.2.7 release from distribution because the version contained a serious security-bypass weakness.

The PHP Group took this step because of a security issue in 5.2.7: the 'magic_quotes_gpc' directive remains off even when it is set to on. Magic Quotes is a PHP feature that escapes incoming request data before it reaches PHP scripts. PHP 5.2.7 had been released only a few days earlier, on December 4, fixing many bugs, including some security vulnerabilities.

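Because the directive can report one state while the runtime does another, a practical check is to probe the actual behaviour rather than trust the configured value. The following script is an added example, not code from the article or the PHP project; it assumes it is requested with a constructed query string such as `probe.php?probe=a'b` and runs on a PHP 5.2-era interpreter where `get_magic_quotes_gpc()` still exists.

```php
<?php
// Added example: does magic_quotes_gpc actually escape incoming data?
// Request this script as  probe.php?probe=a'b  (constructed probe input).

function magic_quotes_actually_applied($value)
{
    // With magic quotes in effect, the single quote arrives as \'
    return strpos($value, "\\'") !== false;
}

function report_magic_quotes_state(array $get)
{
    $configured = ini_get('magic_quotes_gpc');   // what php.ini says ("1" or ""/"0")
    $reported   = get_magic_quotes_gpc();         // what PHP claims at runtime
    $observed   = isset($get['probe'])
        ? magic_quotes_actually_applied($get['probe'])
        : null;                                   // no probe parameter supplied

    return array(
        'configured' => (bool) $configured,
        'reported'   => (bool) $reported,
        'observed'   => $observed,
        // Configured on but not applied (the 5.2.7 behaviour), or vice versa
        'mismatch'   => ($observed !== null && (bool) $configured !== $observed),
    );
}

$state = report_magic_quotes_state($_GET);
header('Content-Type: text/plain');
foreach ($state as $key => $value) {
    printf("%-10s %s\n", $key, var_export($value, true));
}
if ($state['mismatch']) {
    // Log loudly so monitoring picks up a build whose ini setting is not honoured.
    error_log('magic_quotes_gpc mismatch: configured='
        . var_export($state['configured'], true)
        . ' observed=' . var_export($state['observed'], true));
}
```

A mismatch means input-escaping assumptions made elsewhere in the application no longer hold; escaping at the sink (prepared statements, output encoding) does not depend on this directive at all.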
The PHP Group recommends using PHP 5.2.6 until PHP 5.2.8 is released; users are encouraged to keep their PHP 5.2.6 installations. The fix for the issue introduced in the 5.2.7 release has already been committed to the PHP CVS repository, and PHP 5.2.8 will be released next week.

On a side note, because the PHP Group does not always document its security fixes, it is highly recommended to upgrade to new PHP versions rather than relying on distribution packages with security backports. Backporting is common practice for Linux distributions: they port fixes back to the version of the software that shipped with a given release of the distribution.

The problem with combining security backports and incomplete changelogs is that security bugs not mentioned in the changelog are unknown to the distributions, so the necessary fixes will not be backported.

For more on the 'magic_quotes_gpc' issue, see here; for the removal of version 5.2.7, see here.