A vulnerability has been discovered and corrected in php-pear:

The installer in PEAR before 1.9.2 allows local users to overwrite
arbitrary files via a symlink attack on the package.xml file,
related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and
(4) pear-build-download directories, a different vulnerability than
CVE-2007-2519 (CVE-2011-1072).

This advisory provides PEAR 1.9.4 which is not vulnerable to this
issue.

Additionally for Mandriva Enterprise Server 5 many new or updated
PEAR packages is being provided with the latest versions of respective
packages as well as mitigating various dependency issues.