On 7/10/10 4:00 PM, Reindl Harald wrote:
> On 11.07.2010 00:39, Rasmus Lerdorf wrote:
>
>> We do fix them, but we don't have the capacity to do point releases for
>> every local exploit fix. We simply don't have enough people to do that.
>> A shared host who is worried about local exploits needs to take other
>> measures because most of the software in the stack is in the same boat
>> as PHP on exploits of this nature. Most don't even worry about them
>> actually. It is only because we took some steps towards trying to
>> secure the local environment that it is an "issue" with PHP.
>
> I understand this well.
>
> But between 4 and 6 months feels way too long, and sometimes
> there are even open_basedir bugs vulnerable for some months,
> and remember it takes time until releases are included in
> distributions.
> ____________________________
>
> As an example (which needs a forced downgrade to 4.x or disabling open_basedir):
> - Fixed bug #48880 (Random Appearing open_basedir problem). (Rasmus, Gwynne)
>
> * 5.3.0 to 5.3.1 took 5 months
> * http://bugs.php.net/bug.php?id=48880
> * Reported 2009-07-10
Well, 6.0 was a separate issue. At various times we had between 0 and 3 developers doing anything at all with the 6.0 code, which is why we killed it. But this particular bug was hard to find.

In general, as soon as a CVE is assigned to a security issue, the distros are aware of it and they will release their own point releases if they find it necessary. Sometimes issues are OS-specific or specific to certain versions of underlying libraries, so while one vendor may release a point release another may not. Like I said, we don't have the capacity to do this. That's what distro maintainers are for.

And yes, sometimes legitimate bugs are closed too quickly as bogus, but 90% of the submitted bugs are either completely bogus or don't contain anywhere near enough information to make them useful.

-Rasmus

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php