
04-20-2006, 06:55 AM
If it didn't have any issues, the latest stable for 4.x would still be 4.3.11
http://www.php.net/release_4_4_0.php
Quote:
Bugfix release
- Memory corruptions with references.
- Small security problem with bundled shtool.
For a full list of changes in PHP 4.4.0, see the ChangeLog.
http://www.php.net/release_4_4_1.php
Quote:
This is a bug fix release, which addresses some security problems too. The security issues that this release fixes are:
- Fixed a Cross Site Scripting (XSS) vulnerability in phpinfo() that could lead f.e. to cookie exposure, when a phpinfo() script is accidentally left on a production server.
- Fixed multiple safe_mode/open_basedir bypass vulnerabilities in ext/curl and ext/gd that could lead to exposure of files normally not accessible due to safe_mode or open_basedir restrictions.
- Fixed a possible $GLOBALS overwrite problem in file upload handling, extract() and import_request_variables() that could lead to unexpected security holes in scripts assumed secure. (For more information, see here).
- Fixed a problem when a request was terminated due to memory_limit constraints during certain parse_str() calls. In some cases this can result in register_globals being turned on.
- Fixed an issue with trailing slashes in allowed basedirs. They were ignored by open_basedir checks, so that specified basedirs were handled as prefixes and not as full directory names.
- Fixed an issue with calling virtual() on Apache 2. This allowed bypassing of certain configuration directives like safe_mode or open_basedir.
- Updated to the latest pcrelib to fix a possible integer overflow vulnerability announced in CAN-2005-2491.
This release also fixes 35 other defects, where the most important is the fix that removes a notice when passing a by-reference result of a function as a by-reference value to another function. (Bug #33558).
For a full list of changes in PHP 4.4.1, see the ChangeLog.
http://www.php.net/release_4_4_2.php
Quote:
The PHP Development Team would like to announce the immediate release of PHP 4.4.2.
This is a bug fix release, which addresses some security problems too. The major points that this release corrects are:
- Prevent header injection by limiting each header to a single line.
- Possible XSS inside error reporting functionality.
- Missing safe_mode/open_basedir checks into cURL extension.
- Apache 2 regression with sub-request handling on non-Linux systems.
- key() and current() regression related to references.
This release also fixes about 30 other defects.
For a full list of changes in PHP 4.4.2, see the ChangeLog
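
The open_basedir trailing-slash item in the 4.4.1 notes above, as an added illustration that is not part of the original post and is not PHP's own source: a prefix-style check beside a directory-style check. The function names and sample paths are constructed for this example, and paths are assumed to be already canonicalized (no `..`, symlinks resolved).

```c
#include <stdio.h>
#include <string.h>

/* Length of basedir with trailing slashes dropped (a lone "/" is kept). */
static size_t trimmed_len(const char *basedir)
{
    size_t n = strlen(basedir);
    while (n > 1 && basedir[n - 1] == '/')
        n--;
    return n;
}

/* Prefix-style check: once the trailing slash is ignored, the path only
 * has to start with the remaining string. */
static int allowed_prefix(const char *basedir, const char *path)
{
    return strncmp(path, basedir, trimmed_len(basedir)) == 0;
}

/* Directory-style check: the path must be the basedir itself or lie below
 * it, so the character after the matched part is '/' or end of string. */
static int allowed_directory(const char *basedir, const char *path)
{
    size_t n = trimmed_len(basedir);
    if (n == 0 || strncmp(path, basedir, n) != 0)
        return 0;                       /* empty basedir allows nothing */
    if (n == 1 && basedir[0] == '/')
        return 1;                       /* basedir is the filesystem root */
    return path[n] == '\0' || path[n] == '/';
}

int main(void)
{
    /* Constructed sample values, not taken from the release notes. */
    const char *basedir = "/var/www/site/";
    const char *paths[] = {
        "/var/www/site/index.php",
        "/var/www/site-backup/db.inc",  /* sibling directory sharing the prefix */
        "/var/www/site",
    };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-30s prefix=%d directory=%d\n", paths[i],
               allowed_prefix(basedir, paths[i]),
               allowed_directory(basedir, paths[i]));
    return 0;
}
```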