I be totally confuzzled
Okay. The maintainers want us to stay away from the update, and the maintainers also released said update anyway. Can someone explain this to me, please?
Maintainers of the PHP scripting language are urging users to avoid an update released last week that introduces a serious bug affecting some cryptographic functions. The flaw in version 5.3.7 involves the crypt() function used to cryptographically hash a text string. When using the command with the MD5 algorithm and some salt …
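For anyone deciding whether a given PHP build is safe to put behind password handling, a quick self-test of crypt() is more useful than the truncated excerpt above. The script below is an added example, not code from the thread or from the PHP project; the salt string and the test password are constructed values. It uses the documented MD5-crypt salt prefix format `$1$<salt>$` and checks the properties any correct crypt() must satisfy: the output is longer than the salt, the correct password round-trips, and a wrong password does not.

```php
<?php
// Added example: smoke-test crypt() before trusting a PHP build for password hashing.
// Not part of the original thread. Salt and password below are constructed sample values.

function checkCryptMd5(string $password, string $salt): array
{
    $hash = crypt($password, $salt);
    $problems = [];

    // A valid MD5-crypt result is the salt prefix followed by a 22-character digest,
    // so it must be strictly longer than the salt that was passed in.
    if (!is_string($hash) || strlen($hash) <= strlen($salt)) {
        $problems[] = 'crypt() returned nothing beyond the salt';
    }

    // The result must begin with the salt that was requested.
    if (!is_string($hash) || strncmp($hash, $salt, strlen($salt)) !== 0) {
        $problems[] = 'hash does not start with the requested salt';
    }

    // Round trip: re-hashing the correct password with the stored hash as salt
    // must reproduce the stored hash exactly.
    if ($hash !== crypt($password, $hash)) {
        $problems[] = 'round-trip verification of the correct password failed';
    }

    // The decisive check: a wrong password must NOT reproduce the hash.
    // A crypt() that returns only the salt passes the round trip for every
    // password, so the length check alone is not enough.
    if ($hash === crypt($password . 'x', $hash)) {
        $problems[] = 'a wrong password verifies against the hash';
    }

    // Plain === is fine here; this is a build self-test, not a login path.
    return ['hash' => $hash, 'problems' => $problems];
}

$result = checkCryptMd5('correct horse', '$1$saltsalt$');  // constructed values

if ($result['problems'] === []) {
    echo "crypt() MD5 self-test passed: {$result['hash']}\n";
} else {
    echo "crypt() MD5 self-test FAILED on this build:\n";
    foreach ($result['problems'] as $p) {
        echo "  - $p\n";
    }
    exit(1);
}
```

Run it as `php crypt_selftest.php` on the build you intend to deploy; a non-zero exit means the interpreter should not be used for password hashing until patched. The same pattern works for the other crypt() variants by changing the salt prefix.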
If you don't use the crypt function, but need the other fixes included in the update, then it would be sensible to use the release. If you use the crypt function, or deploy it on shared hosts etc. where others may use it, then you should avoid the update.
I.e. it is still useful for some, so it shouldn't be pulled, just flagged as it has been.
Then I still think you're taking huge risks if you install such a version anyway. Just because /you/ don't use the broken crypt() function doesn't mean others won't try to exploit it either.
Have to agree with the comment above; I too think releasing anyway is a very doubtful move.
I'd be surprised if there were people so desperate for the other fixes that they couldn't wait "a few days" for the next release.
The PHP guys are far from alone in making screw-ups (let's not even go there on the amount of big names who have released updates that have properly screwed things up), but let's not pretend this is anything other than a clusterfuck.