On Fri, Sep 26, 2014 at 12:59 PM, Peter Lind <peter.e.l...@gmail.com> wrote:

> On 26 September 2014 12:48, Andrea Faulds <a...@ajf.me> wrote:
>
> >
> > On 26 Sep 2014, at 11:46, marius adrian popa <map...@gmail.com> wrote:
> >
> > > Maybe we need an official stance about shellshock
> >
> > Do we? As I understand it, this isn’t a PHP-level vulnerability, and I’m
> > not sure there’s much we can reasonably do about it. Similarly to the
> > Heartbleed bug, control is not in our hands here.
> >
> >
> Informing people about the cases where they *might* be at risk when running
> PHP doesn't seem a bad idea. Even though PHP itself is not at fault.
>
>
I think we should only communicate when we have something definite to say,
and currently our official stance is that we aren't aware of any problems
related to shellshock, but that doesn't mean that there are none, so I'm not
sure that we have something definite to say.
If we do end up finding something affecting a significant number of users
(even if that requires some misconfiguration or lousy fastcgi wrapper) we
could make an announcement.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
