March, the month of PHP bugs

As Stefan Esser had announced after leaving the PHP Security Response Team, he reveals in an interview with securityfocus.com that around 31 bugs present in the PHP code will be disclosed in March.

We will disclose different types of bugs, mainly buffer overflows or double free(/destruction) vulnerabilities, some only local, but some remotely trigger-able (for example, because they are in functions usually exposed to user input). Additionally there are some trivial bypass vulnerabilities in PHP's own protection features. Only holes within the code shipped with the default distribution of PHP will be disclosed. That means we will not disclose holes in extensions that only exist in PECL, while we are sure that those contain vulnerabilities, too. Most of the holes were previously disclosed to the vendor, but not all.

The disclosure of these bugs will probably generate a lot of controversy; we will have to see how things unfold.