Comment 3 for bug 94891

from debian/changelog:

+ * Backport security-related changes from 2.9.2-rc1:
+ * CVE-2007-0203: Multiple unspecified vulnerabilities;
+ this turns out to be (1) cross site scripting and
+ (2) the same as CVE-2006-6374. (Closes: #406332, #406486)
+ * CVE-2006-6374: the vulnerability only applies to
+ PHP < 5.1.2 and < 4.4.2, so strictly speaking current
+ Debian is not vulnerable. Include it anyway, to not expose
+ those using older PHP versions. (Closes: #404744)

so PMASA-2007-2 *seems* to be already included with our current version. I'd like to have a second look, though.