Hello.
       
  This is Frank from the PHP audit project.
  Here are some clarifications.
  
  We are working on PHP 4.1.2 because we want to quickly release a patch
with basic hardening. Because of the recent vulnerabilities discovered by
Stefan, chances are that a lot of kiddies are also auditing the source code
with other goals. So we want to release something against the current stable
release in order to decrease the chances of new immediate exploits.

  We have just started the work. There are still plenty of things to be
done. As our patches are moving targets and as we don't have a CVS server to
work with, things aren't split into multiple simple patches yet. But as
soon as the 4.1.2 audit is completed, we will split everything up into
small patches in order to submit them to the PHP developers. Then we will work
on -HEAD.

  The goal is to help PHP development, not to keep the patches
separate for OpenBSD only. There are some OpenBSD enhancements, but they
are all surrounded with #ifdef __OpenBSD__ . We don't want to break
portability, nor to release something only for OpenBSD. The patches are
there to be shared by everyone. FYI, I'm working on them on my Linux laptop.

  The PHP source code is great. We haven't found anything really bad so far.
There are suspicious parts, but we haven't verified that they really are
vulnerable, because we are only at stage 1 of the audit, and we haven't
reviewed these parts in their global context. If we verify a flaw, we _will_
immediately let you know.

  Best regards,
  
         -Frank.
         
-- 
 __  /*-      Frank DENIS (Jedi/Sector One) <[EMAIL PROTECTED]>     -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/

-- 
PHP Development Mailing List <http://www.php.net/>