Multiple cross-site scripting (XSS) vulnerabilities in PHP 5.1.1, when display_errors and html_errors are on, allow remote attackers to inject arbitrary web script or HTML via inputs to PHP applications that are not filtered when they are included in the resulting error message.

Note: Gentoo's default config file for PHP has display_errors=on and html_errors=off, making a default-configured system not vulnerable. --akraut

CVE-2006-0208
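The report above ties exposure to one configuration condition: display_errors and html_errors both on. The following is an added example, not part of the original report or of Gentoo's or PHP's code, that reads the text of a php.ini and reports whether that condition holds. The function names and sample configs are constructed, and it assumes a single php.ini with no per-directory or runtime overrides.

```python
# Added example: audit php.ini text for the display_errors + html_errors
# combination named in the report. All names here are hypothetical.

# Assumption: PHP's documented built-in defaults ("1" for both) apply
# when a directive is absent from php.ini.
BUILTIN_DEFAULTS = {"display_errors": "1", "html_errors": "1"}
TRUTHY = {"on", "yes", "true", "stdout", "stderr"}  # stdout/stderr counted as on (conservative)


def ini_bool(raw):
    """Interpret a php.ini value as a boolean directive would be read."""
    value = raw.strip().strip("\"'").lower()
    if value in TRUTHY:
        return True
    try:
        return int(value) != 0
    except ValueError:
        return False  # off, no, false, none, empty


def effective_settings(ini_text):
    """Return the effective on/off state of both directives (last assignment wins)."""
    settings = dict(BUILTIN_DEFAULTS)
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop full-line and inline comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip()  # directive names are case sensitive
        if key in settings:
            settings[key] = value
    return {name: ini_bool(value) for name, value in settings.items()}


def html_error_output_exposed(ini_text):
    """True when error text is both displayed and rendered as HTML."""
    state = effective_settings(ini_text)
    return state["display_errors"] and state["html_errors"]


# Constructed samples: the Gentoo default described in the report, and the
# combination the report names as the precondition.
GENTOO_DEFAULT = "display_errors = On\nhtml_errors = Off\n"
BOTH_ON = "[PHP]\ndisplay_errors = On\nhtml_errors = On\n"

if __name__ == "__main__":
    for label, text in (("gentoo default", GENTOO_DEFAULT), ("both on", BOTH_ON)):
        print(label, "->", "exposed" if html_error_output_exposed(text) else "not exposed")
```
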
The same issue can be found in dev-lang/php-4.4.1-r3; PHP 4.4.2 fixes this (see http://www.php.net/release_4_4_2.php for details). The other "big issues" mentioned in the release announcement were already fixed by 4.4.1-r3. The security issues will be fixed by adding dev-lang/php-4.4.2 to the tree today/tomorrow (depends on your timezone :P); I will update the bug once it's done.

Best regards, CHTEKK.
Grouping bugs *** This bug has been marked as a duplicate of 125878 ***