I got an email from the PHP announcement list that version 5.2.6 is released. I have tested it today on Tiger and Leopard and I can tell you everything works as far as I can tell.
Security Enhancements in PHP 5.2.6:
- Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin.
- Fixed integer overflow in printf() identified by Maksymilian Aciemowicz.
- Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh.
- Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz.
- Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser.
- Upgraded bundled PCRE to version 7.6
For all the changes in 5.2.6 read the ChangeLog.