In a new post on his blog today, Christopher Kunz talks a bit about the "lupii" attacks that have been happening and makes a suggestion for those maintaining the PEAR project:
What if the PEAR project would introduce a flag for packets, say, "-security" and modify the PEAR installer accordingly. That flag should only be used for pure security fixes, without feature or BC breakage, so that it won't break anything at all (apart from the exploits).
The latest PHP worm (lupii) attacks systems that are vulnerable to a remote code execution hole in PEAR::XMLRPC (or phpxmlrpc). It can only propagate on systems whose administrators have neglected to update PHP (or PEAR) in the last 3 months.
He goes on to mention that something like this would be a load off of your local web server admin's mind - just run a cron job that checks a PEAR security channel and picks up the latest updates...
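As an added example of what such a cron job could look like today (this is not code from Christopher Kunz's post or from the PEAR project), the script below emulates the proposed "-security" flag with an admin-maintained list of packages known to have shipped security fixes. It only uses commands the PEAR installer actually has (`pear channel-update`, `pear list-upgrades`, `pear upgrade`); the column layout of `pear list-upgrades` output is an assumption and is parsed loosely, the script name and the package list are assumptions as well.

```sh
#!/bin/sh
# Added example, not the PEAR project's own tooling and not from Kunz's post.
# PEAR has no "-security" package flag, so we approximate it: a cron job that
# refreshes channel metadata, lists available upgrades and installs only the
# packages on an admin-maintained security list.

# Packages whose pending upgrades are treated as security fixes (assumed list;
# XML_RPC is the PEAR package behind the PEAR::XMLRPC hole the worm uses).
SECURITY_PKGS="XML_RPC"

# select_security_upgrades: read "pear list-upgrades" output on stdin and
# print "channel/package" for every data row whose package is on the list.
# Assumed row layout: "<channel> <package> <local ver> (state) <remote ver> (state) <size>".
select_security_upgrades() {
    while read -r channel package local rest; do
        # Data rows have a dotted channel name and a numeric local version;
        # the title line, the "====" separator and the column header do not.
        case "$channel" in
            *.*) ;;
            *) continue ;;
        esac
        case "$local" in
            [0-9]*) ;;
            *) continue ;;
        esac
        for pkg in $SECURITY_PKGS; do
            if [ "$package" = "$pkg" ]; then
                printf '%s/%s\n' "$channel" "$package"
            fi
        done
    done
}

# security_upgrade: refresh the channel, then upgrade only the selected packages.
security_upgrade() {
    pear channel-update pear.php.net >/dev/null || return 1
    pear list-upgrades | select_security_upgrades | while read -r target; do
        echo "upgrading $target"
        pear upgrade "$target" || echo "upgrade of $target failed" >&2
    done
}

# Run the live upgrade only when invoked under the assumed script name, so the
# functions can be sourced elsewhere without touching the system. Example crontab
# line (assumed path): 0 4 * * * /usr/local/sbin/pear-security-upgrade.sh
case "$0" in
    *pear-security-upgrade.sh) security_upgrade ;;
esac
```

The list in SECURITY_PKGS is the manual stand-in for the flag Kunz proposes; with a real "-security" marker in the package metadata the selection step would go away and the cron job would reduce to an upgrade of everything so flagged.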