On Thu, Nov 9, 2017 at 7:07 PM, Giovanni Giacobbi <giova...@giacobbi.net>
wrote:

> On 9 November 2017 at 18:46, Thomas Hruska <thru...@cubiclesoft.com>
> wrote:
>
> > On 11/9/2017 7:36 AM, Sara Golemon wrote:
> >
> >> The sixth (and likely final) release candidate for 7.2.0 was just
> >> released and can be
> >> downloaded from:
> >> https://downloads.php.net/~pollita/
> >> Or using the git tag: php-7.2.0RC6
> >>
> >> Barring unforeseen calamity, everyone should expect 7.2.0-final on
> >> Thursday, November 30th.
> >>
> >
> > Issue #73535?  I consider letting a known security vulnerability that
> > goes largely unaddressed but persists into the next major version of a
> > software product to be quantifiable as a calamity of sorts.  It's fast
> > approaching a full year without any resolution in sight.  Many people would
> > have zero day-ed the issue by this point at whatever conferences have come
> > and gone (Black Hat, DEF CON, etc.) to grab some quick notoriety.  I don't
> > believe that zero day-ing a vulnerability on a stage is the right solution
> > for a garden variety of reasons.
> >
> >
> This is utterly disappointing considering that bug #73535 is marked as
> private and I couldn't easily gather more information about this bug on
> google. Since I have the feeling this is an open secret can you disclose
> more information and proposed patches so that sysadmins can assess by
> themselves the risks, mitigation techniques, and whether to patch their own
> installations?
>
> I guess the dev team wouldn't leave us with our pants down, so I expect
> this to be of difficult exploitability. Anyway, after a year it's time for
> full disclosure, don't you think?
>

So as to avoid unnecessary fearmongering, this refers to a
denial-of-service vulnerability requiring specific application code. If
your code implements a certain operation in a specific way, it may be
possible to make it go into an infinite loop based on remote interaction.
Apart from the increased server load, this is not dangerous. (Of course, if
someone is actively using this against you, you'd notice...)

Nikita
