A vulnerability was found in the SplObjectStorage unserializer. If the PHP unserialize() function is used by a script on untrusted data provided by a remote attacker, the attacker may be able to force an information leak or remote execution of code on the server. This was reported by Stefan Esser at the SyScan'10 Conference in Singapore.
Created php tracking bugs for this issue. Affects: fedora-all [bug 605645]
Based on the information we have on this issue so far, it does not affect the versions of php as supplied with Red Hat Enterprise Linux 3, 4, or 5.
Stefan released an advisory for this vulnerability: http://php-security.org/2010/06/25/mops-2010-061-php-splobjectstorage-deserialization-use-after-free-vulnerability/
Upstream committed the following fix for this issue: http://svn.php.net/viewvc?view=revision&revision=300843
Blog post with additional information: http://nibbles.tuxfamily.org/?p=1837
Fixed upstream in 5.3.3: http://www.php.net/releases/5_3_3.php
Statement: Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 3, 4, or 5.
Looks like it's safe to close this bug as "RESOLVED" or "NOTABUG" or somesuch.