http://www.php.net/ChangeLog-5.php#5.2.5

FIX: Fixed bug #42869 automatic session id insertion adds sessions id to non-local forms (CVE-2007-5899, Reported by mpub at meiners-online dot de)

COMMENT: If either the output_add_rewrite_var() function or the transparent session-ID configuration option is used for a page which includes a form with an action set to submit to a third-party web site, the rewrite variable data or session ID may be leaked to that web site.

AFFECTS: all; output_add_rewrite_var() is RHEL >= 3 only so only trans_sid issue affects RHEL2.1 (=> different text required)
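An added example, not part of the original bug report or of PHP itself: a small audit that scans rendered HTML for forms whose action targets another host while carrying the session identifier, which is the leak described above. The site host, the sample page and the helper names are constructed for illustration; `PHPSESSID` is assumed as the session name (PHP's default).

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs


class _FormAudit(HTMLParser):
    """Collects actions of off-site forms that carry the session identifier."""

    def __init__(self, site_host, session_name):
        super().__init__()
        self.site_host = site_host.lower()
        self.session_name = session_name
        self.external_action = None  # set while inside an off-site <form>
        self.leaks = []

    def _flag(self, action):
        if action not in self.leaks:
            self.leaks.append(action)

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "form":
            action = attr.get("action") or ""
            parts = urlsplit(action)
            # Relative actions have no hostname and stay on the local site.
            off_site = parts.hostname is not None and parts.hostname != self.site_host
            self.external_action = action if off_site else None
            # The identifier can also ride in the action URL's query string.
            if off_site and self.session_name in parse_qs(parts.query):
                self._flag(action)
        elif tag == "input" and self.external_action is not None:
            hidden = (attr.get("type") or "").lower() == "hidden"
            if hidden and attr.get("name") == self.session_name:
                self._flag(self.external_action)

    def handle_endtag(self, tag):
        if tag == "form":
            self.external_action = None


def find_leaking_forms(html, site_host, session_name="PHPSESSID"):
    """Return actions of forms that would send session_name to another host."""
    audit = _FormAudit(site_host, session_name)
    audit.feed(html)
    audit.close()
    return audit.leaks


# Constructed sample page: one local form and two off-site forms.
SAMPLE_PAGE = """
<form action="/login.php" method="post"><input type="hidden" name="PHPSESSID" value="abc123" /></form>
<form action="https://search.example.net/q"><input type="hidden" name="PHPSESSID" value="abc123" /><input name="q"></form>
<form action="https://pay.example.org/checkout" method="post"><input name="amount"></form>
"""
```

Run against pages served with trans_sid or output_add_rewrite_var() enabled, an empty result from `find_leaking_forms` means no off-site form received the identifier.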
php-5.2.6-2.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update php'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-3864
php-5.2.6-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This was addressed via:

Red Hat Application Stack v2 for Enterprise Linux (v.5) (RHSA-2008:0505)
Red Hat Enterprise Linux version 3 (RHSA-2008:0544)
Red Hat Enterprise Linux version 5 (RHSA-2008:0544)
Red Hat Enterprise Linux version 4 (RHSA-2008:0545)
Red Hat Enterprise Linux version 2.1 (RHSA-2008:0546)
Red Hat Application Stack v1 for Enterprise Linux AS (v.4) (RHSA-2008:0582)