On his blog today, Greg Beaver has posted about a rather large security issue affecting PEAR versions prior to 1.4.3, with the end result that someone could run just about anything on your remote machine.
Although the risk of an exploit through this vulnerability is low, the vulnerability itself is quite severe, as it allows a malicious developer to execute arbitrary PHP code on your machine if you install an evil package.
As noted in the official announcement at http://pear.php.net/advisory-20051104.txt, a security vulnerability has been discovered in all existing PEAR versions (that's right: PEAR 1.0 through PEAR 1.4.2) prior to today's release of PEAR 1.4.3.
It is recommended that you update as soon as possible to reduce your risks. Be sure you're all caught up to version 1.4.3 when you grab it...




