The (1) rand and (2) mt_rand functions in PHP 5.2.6 do not produce cryptographically strong random numbers, which allows attackers to leverage exposures in products that rely on these functions for security-relevant functionality, as demonstrated by the password-reset functionality in Joomla! 1.5.x and WordPress before 2.6.2, a different vulnerability than CVE-2008-2107, CVE-2008-2108, and CVE-2008-4102. Note, wordpress 2.6.2 has been pushed for Fedora 8 and 9
This blog entry explains this problem in more details: http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/ The bits that are relevant to PHP are this: Implementation Bugs In PHP 4 and PHP <= 5.2.5 the automatic seed of rand() and mt_srand() is buggy. Whenever the lowest 26 bits of the timestamp are zero the internal seed will become zero (or 1 due to the forced bit) on 32 bit systems because of an overflow of the 32 bit register. On 64 bit systems there is a precision loss when the seed is casted from a double to int that results in a seed about 24 bit strong.
So this is obviously not ideal, but I question if it's worth fixing this in our old versions of PHP. We risk screwing up something else as doing random numbers properly is very hard to do. The lowest 26 bits of the timestamp are all zero for one second about once per year (slightly more). This is an extremely small window of opportunity, and that presumes that a remote attacker can cause PHP to seed at exactly that moment, which is unlikely. For affected versions of PHP, we will WONTFIX this bug.
Wordpress upstream announcement related to weak random number generator: http://wordpress.org/development/2008/09/wordpress-262/ (Marking bug closed based on comment #2)