Old version (in the /etc/httpd/conf.d/php.conf file)

AddHandler php5-script .php

As written in Apache documentation, the suffix presence, anywhere in the file name, will activate the engine. This can raise a security problem, in a public upload space, when a lack of control will allow a user to send an image.php.png file and execute it.

New version, recommended (§8) by PHP project documentation:

<FilesMatch \.php$>
    SetHandler application/x-httpd-php
</FilesMatch>

Now, only a final suffix will activate the engine. So security is improved (even if I really think that giving the control on uploaded file name to the user is really a huge design error). I haven't notice any performance change.

Warning, this change may breaks some configurations.

In the case when you want to allow users to upload .php files in a public space, but deactivate the php engine (as on this blog).

With old configuration, you just have to remove the handler (and probably change the mime type):

<Directory /path/to/blog/public>
    RemoveHandler .php
<Files ~ "\.php$">
ForceType text/plain
</Files>
</Directory>

This configuration will not work anymore, and must be changed.

For example, I use (and also enable the colorized output of sources for this space) :

<Directory /path/to/blog/public>
<FilesMatch \.php$>
    SetHandler None
ForceType text/plain
</FilesMatch>
<FilesMatch \.phps$>
    SetHandler application/x-httpd-php-source
</FilesMatch>
</Directory>

Ex : twit.php ou twit.phps

So, if you upgrade from Fedora 17 to Fedora 18, or if you update from PHP 5.3 to PHP 5.4 using my repository, don't forget to check and fix all your httpd configuration files.