PHP 5.2.3 released…

PHP 5.2.3 was released with several security fixes.
Again not all security fixes are mentioned in the release announcement.
Again security bugs known to the developers were not correctly fixed.
More info here.
PS: Why does PHP.net always release security fixes just before the weekend?

PHP releases have historically been packaged and tagged on Wednesday, and released on Thursday. This release is no different.

As far as the session_id() issue, you did report it and even participated in the discussion regarding the problem with both Stas and me. As I am sure you know, the patch to address the remote exploit of the problem via PATH_INFO was applied on May 15th. If you knew the problem was still there, it would’ve taken just a 2-3 line e-mail to security@php.net to identify that. For whatever reason you did not, so while the security team is at fault for not looking at the issue deeper, you must admit there was plenty of time to identify the error prior to the release.



BritneyIIII PHP security ,
