On Fri 01 Mar 2002 (11:00 -0800), Rasmus Lerdorf wrote: > On Fri, 1 Mar 2002, Jim Segrave wrote: > > > > Guys, I fixed this memchr()+1 issue a couple of days ago. See > > > http://cvs.php.net/diff.php/php4/main/rfc1867.c?r1=1.71.2.2&r2=1.71.2.3&ty=u > > > > > It's a crash-bug, not an exploitable buffer problem. If we need a 4.1.3 > > > for some reason, it will be in there. > > > > > -Rasmus > > > > But it's not fixed in the 4.1.2 release being downloaded *today*. The > > one all the security advisories offer as a fix. > > Well, we don't change already released versions. It would take a new > version. > > > And if it's a crash bug, it's a potential DOS bug. > > Sure, but it is one of many known crash bugs in that version. We > typically only rush a release out for urgent security issues. Walk > through the 4.2.0-dev changelog and you will see all sorts of crash bugs > which have been fixed. If you want to run the latest bleeding-edge code, > grab a snapshot from snaps.php.net. > > All this stuff has been completely rewritten for 4.2. It would be a bit > more productive if you could go through the 4.2 code instead and look for > issues there so we can get that version pushed out in a reasonable amount > of time.
I'm not a devloper per-se. I'm part of an ISP, trying to keep a service secure. I can't run bleeding edge code in production. Which is why I need to look at the released code base. And the current 4.1.2, which is being touted as the fix for a serious security bug (I've seen 4 different announces today saying download this RPM to get a fix), is broken. And, from my looking at the code, there are several more gaping holes in it. I would have posted my (proposed) fixes to the bugs list, but there's no published e-mail address, simply a submit form which is unsuitable for posting diffs (or much of anything else). -- Jim Segrave [EMAIL PROTECTED] -- PHP Development Mailing List <http://www.php.net/> To unsubscribe, visit: http://www.php.net/unsub.php
