Greg Beaver has an advisory message posted on his blog today about why it's important to upgrade PEAR from 1.3.x to the latest release, 1.4.6.
PEAR 1.4.6 was just released at pear.php.net (http://pear.php.net/PEAR). This is a minor bugfix release and complete details are available at pear.php.net, but I must stress two points with extreme seriousness:
- PEAR 1.4.6 fixes make install-pear INSTALL_ROOT=/rpm/packaging and introduces the --packagingroot option to install, which works like --installroot worked in PEAR 1.3.x
- PEAR 1.3.x has several serious bugs and at least 2 serious security vulnerabilities. Using PEAR 1.3.x on a production machine is EXTREMELY dangerous
He goes on to explain why that second point is particularly dangerous, including several serious bugs that have not been published. You can download the latest PEAR packages from the main PEAR site...
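As a practical follow-up to the advisory, here is a small POSIX sh script that tells you whether the PEAR installer on a machine is one of the affected 1.3.x (or any pre-1.4.6) releases. It is an added example, not code from Greg Beaver's post or from the PEAR project; it assumes `pear` is on the PATH and that `pear version` prints a line of the form "PEAR Version: x.y.z", as the PEAR command-line installer does. The version comparison is done numerically, component by component, so it does not fall into the trap of treating "1.10" as older than "1.4".

```shell
#!/bin/sh
# Added example (not from the original post or from PEAR itself):
# report whether the locally installed PEAR installer is older than
# 1.4.6, the release the advisory says to upgrade to.

MIN_SAFE_PEAR="1.4.6"   # everything below this, including all of 1.3.x, is flagged

# version_lt A B: succeed (return 0) if dotted version A is strictly older
# than dotted version B. Only the first three numeric components are
# compared; missing components count as 0 and non-numeric suffixes such as
# "b1" in "1.4.0b1" are ignored, so "1.4" < "1.4.6" and "1.4.0b1" < "1.4.6".
version_lt() {
    a="$1.0.0"; b="$2.0.0"   # pad so that cut always finds three fields
    i=1
    while [ "$i" -le 3 ]; do
        ai=$(printf '%s\n' "$a" | cut -d. -f"$i"); ai=${ai%%[!0-9]*}; ai=${ai:-0}
        bi=$(printf '%s\n' "$b" | cut -d. -f"$i"); bi=${bi%%[!0-9]*}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1   # equal
}

# pear_status VERSION: print "vulnerable" for anything below 1.4.6, else "ok".
pear_status() {
    if version_lt "$1" "$MIN_SAFE_PEAR"; then
        echo vulnerable
    else
        echo ok
    fi
}

# installed_pear_version: extract x.y.z from the "PEAR Version:" line that
# `pear version` prints (assumed output format; prints nothing if absent).
installed_pear_version() {
    pear version 2>/dev/null | sed -n 's/^PEAR Version: *//p'
}

# check_installed_pear: run the check against the real installation and
# exit non-zero if it is affected, so this can sit in a cron job or a
# provisioning script.
check_installed_pear() {
    v=$(installed_pear_version)
    if [ -z "$v" ]; then
        echo "could not determine PEAR version from 'pear version' output" >&2
        return 2
    fi
    case $(pear_status "$v") in
        vulnerable)
            echo "PEAR $v is affected: upgrade to $MIN_SAFE_PEAR or later (see the advisory)" >&2
            return 1 ;;
        ok)
            echo "PEAR $v is at or above $MIN_SAFE_PEAR"
            return 0 ;;
    esac
}

# Only touch the real installation when a pear binary is actually present,
# so the helper functions above can also be sourced and unit-tested offline.
if command -v pear >/dev/null 2>&1; then
    check_installed_pear
fi
```

Run it as-is on a host to get a one-line verdict, or source the file and call `pear_status` with a version string pulled from somewhere else (a package inventory, for instance).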