Does PHP 5.2 still receive security patches?

My server admin tells me PHP 5.2 has been EOLed and so receives no bug fixes. This is obviously the case. He also tells me that 5.2 receives no security patches, which suggests we should upgrade to 5.3 ASAP.

However, a programmer I respect tells me that while PHP 5.2 has been EOLed for bug fixes, it is still开发者_开发百科 very much supported insofar as security exploits are concerned - at least till 2012.

I've searched stackoverflow and google high and low but have come up with no answers to this elementary question.

Anyone care to inform my ignorance?

This type of information is usually posted as news on the php.net site. This is what I found in PHP 5.3.6 Released! from 2011:

All PHP users should note that the PHP 5.2 series is NOT supported anymore. All users are strongly encouraged to upgrade to PHP 5.3.6.

I also found this 2010 news: PHP 5.2.14 Released!

This release marks the end of the active support for PHP 5.2. Following this release the PHP 5.2 series will receive no further active bug maintenance. Security fixes for PHP 5.2 might be published on a case by cases basis. All users of PHP 5.2 are encouraged to upgrade to PHP 5.3.

Maybe your programmer have a distribution with guaranteed support, such as an Ubuntu LTS release or paid Red Hat support?

From: http://www.php.net/archive/2010.php#id2010-07-22-1

This release marks the end of the active support for PHP 5.2. Following this release the PHP 5.2 series will receive no further active bug maintenance. Security fixes for PHP 5.2 might be published on a case by cases basis.

Since then we've seen 3 more releases of 5.2 series focusing mostly on security patches. As far as I know there is no guarantee that such patches will be published until 2012.

on the PHP.net home page:

All PHP users should note that the PHP 5.2 series is NOT supported anymore. All users are strongly encouraged to upgrade to PHP 5.3.6.

I think that says everything you need to know.