Hi,

> firewall project running on stock hardware with a stripped-down
> RedHat Linux.

Are you speaking of RootHat? Any admin (of the people I know) running a RedHat distribution switched to Debian because RedHat systems are target #1 for script kiddies.

> A bone of contention is, obviously, the security reputation of PHP.

Hmmm, security reputation of PHP? Should we add up the number of remote vulnerabilities in OpenSSH compared to the one remote flaw in PHP? OpenSSH 3.1 still has 2 remote vulnerabilities that have meanwhile been fixed in CVS (because of me and some other guy).

> The team is willing to concede that bad installation accounts for
> most of the problems -- But are still concerned about buffer overflow
> attacks.

If you are sooo concerned about buffer overflow attacks, then chroot your Apache.

> I'd love to hear that there are no known buffer overflow attacks in
> PHP core (the Zend Engine) nor in the XML/RPC extension, and both

If there is such an attack, it would be fixed in CVS.

> personnel, preferably somebody with a verifiable reputation in
> security.

Are you speaking of SANS? The guys telling the world that the PHP flaw is too hard to realistically exploit? The guys who are responsible for a lot of admins not upgrading because they believe "that it is too hard to exploit"?

Stefan Esser

PS: anything written in this mail is my personal opinion and I do not speak for the rest of the PHP developers.

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php