Re: [PHP-DEV] PHP 7.2.0 RC6 Released
On Thu, Nov 9, 2017 at 2:25 PM, Nikita Popov wrote:
>> This is utterly disappointing considering that bug #73535 is marked as
>> private and I couldn't easily gather more information about this bug on
>> google. Since I have the feeling this is an open secret can you disclose
>> more information and proposed patches so that sysadmins can assess by
>> themselves the risks, mitigation techniques, and whether to patch their
>> own installations?
>>
>> I guess the dev team wouldn't leave us with our pants down, so I expect
>> this to be of difficult exploitability. Anyway, after a year it's time for
>> full disclosure, don't you think?
>
> So as to avoid unnecessary fearmongering, this refers to a denial-of-service
> vulnerability requiring specific application code. If your code implements a
> certain operation in a specific way, it may be possible to make it go into
> an infinite loop based on remote interaction. Apart from the increased
> server load, this is not dangerous. (Of course, if someone is actively using
> this against you, you'd notice...)
>
Agree with Niki that this isn't going to be commonly exploitable, and has
likely existed for a significant range of versions. Given that, I'm going to
say it probably won't (by itself) merit pushing back GA at this stage.

That said, it should be addressed sooner rather than later as it looks like
we're not surfacing good information to userspace under these circumstances.

-Sara

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DEV] PHP 7.2.0 RC6 Released
On Thu, Nov 9, 2017 at 7:07 PM, Giovanni Giacobbi wrote:
> On 9 November 2017 at 18:46, Thomas Hruska wrote:
>
>> On 11/9/2017 7:36 AM, Sara Golemon wrote:
>>
>>> The sixth (and likely final) release candidate for 7.2.0 was just
>>> released and can be downloaded from:
>>> https://downloads.php.net/~pollita/
>>> Or using the git tag: php-7.2.0RC6
>>>
>>> Barring unforeseen calamity, everyone should expect 7.2.0-final on
>>> Thursday, November 30th.
>>
>> Issue #73535? I consider letting a known security vulnerability that goes
>> largely unaddressed but persists into the next major version of a software
>> product to be quantifiable as a calamity of sorts. It's fast approaching a
>> full year without any resolution in sight. Many people would have zero
>> day-ed the issue by this point at whatever conferences have come and gone
>> (Black Hat, DEF CON, etc.) to grab some quick notoriety. I don't believe
>> that zero day-ing a vulnerability on a stage is the right solution for a
>> garden variety of reasons.
>
> This is utterly disappointing considering that bug #73535 is marked as
> private and I couldn't easily gather more information about this bug on
> google. Since I have the feeling this is an open secret can you disclose
> more information and proposed patches so that sysadmins can assess by
> themselves the risks, mitigation techniques, and whether to patch their own
> installations?
>
> I guess the dev team wouldn't leave us with our pants down, so I expect
> this to be of difficult exploitability. Anyway, after a year it's time for
> full disclosure, don't you think?

So as to avoid unnecessary fearmongering, this refers to a denial-of-service
vulnerability requiring specific application code. If your code implements a
certain operation in a specific way, it may be possible to make it go into
an infinite loop based on remote interaction. Apart from the increased
server load, this is not dangerous.
(Of course, if someone is actively using this against you, you'd notice...)

Nikita
Re: [PHP-DEV] PHP 7.2.0 RC6 Released
On 9 November 2017 at 18:46, Thomas Hruska wrote:
> On 11/9/2017 7:36 AM, Sara Golemon wrote:
>
>> The sixth (and likely final) release candidate for 7.2.0 was just
>> released and can be downloaded from:
>> https://downloads.php.net/~pollita/
>> Or using the git tag: php-7.2.0RC6
>>
>> Barring unforeseen calamity, everyone should expect 7.2.0-final on
>> Thursday, November 30th.
>
> Issue #73535? I consider letting a known security vulnerability that goes
> largely unaddressed but persists into the next major version of a software
> product to be quantifiable as a calamity of sorts. It's fast approaching a
> full year without any resolution in sight. Many people would have zero
> day-ed the issue by this point at whatever conferences have come and gone
> (Black Hat, DEF CON, etc.) to grab some quick notoriety. I don't believe
> that zero day-ing a vulnerability on a stage is the right solution for a
> garden variety of reasons.

This is utterly disappointing considering that bug #73535 is marked as
private and I couldn't easily gather more information about this bug on
google. Since I have the feeling this is an open secret can you disclose
more information and proposed patches so that sysadmins can assess by
themselves the risks, mitigation techniques, and whether to patch their own
installations?

I guess the dev team wouldn't leave us with our pants down, so I expect
this to be of difficult exploitability. Anyway, after a year it's time for
full disclosure, don't you think?

Kind regards
GG
Re: [PHP-DEV] PHP 7.2.0 RC6 Released
On 11/9/2017 7:36 AM, Sara Golemon wrote:
> The sixth (and likely final) release candidate for 7.2.0 was just
> released and can be downloaded from:
> https://downloads.php.net/~pollita/
> Or using the git tag: php-7.2.0RC6
>
> Barring unforeseen calamity, everyone should expect 7.2.0-final on
> Thursday, November 30th.

Issue #73535? I consider letting a known security vulnerability that goes
largely unaddressed but persists into the next major version of a software
product to be quantifiable as a calamity of sorts. It's fast approaching a
full year without any resolution in sight. Many people would have zero
day-ed the issue by this point at whatever conferences have come and gone
(Black Hat, DEF CON, etc.) to grab some quick notoriety. I don't believe
that zero day-ing a vulnerability on a stage is the right solution for a
garden variety of reasons.

Regardless, we can all agree that the ball was seriously dropped here and
that there's certainly room for improvement in the release process.
Ideally, someone should be specifically assigned to interact with the
global team pre-RC1 of any major release where their sole responsibility
is to walk through the bugs queue in order to identify and properly triage
vulnerabilities in the software that might require a BC-break so that by
the time -final happens, the relevant patches are fully tested and ready
to go out with the release. I'd wager that #73535 isn't the only reported
unpatched vulnerability in the issue tracker.

I still think that there's time to apply a reasonable-ish patch to make it
into 7.2 and maybe prepare a similar patch for 7.1 and 5.6. What those
patches should be, I don't know. My original suggestion was shot down
since I missed/overlooked something. The only options I can think of are
a slightly hacky solution or a cleaner solution that requires a BC-break.

--
Thomas Hruska
CubicleSoft President

I've got great, time saving software that you will find useful.

http://cubiclesoft.com/

And once you find my software useful:

http://cubiclesoft.com/donate/
[PHP-DEV] PHP 7.2.0 RC6 Released
The sixth (and likely final) release candidate for 7.2.0 was just
released and can be downloaded from:
https://downloads.php.net/~pollita/
Or using the git tag: php-7.2.0RC6

The Windows binaries are available at:
http://windows.php.net/qa/

Please test it carefully, and report any bugs in the bug system.
This is our last chance to catch bugs before the final release in three weeks.

Barring unforeseen calamity, everyone should expect 7.2.0-final on
Thursday, November 30th.

As a reminder to internals@, any bug fixes should be committed to the
PHP-7.2 branch as usual, but since we're in the final stretch for release,
you MUST notify Remi and me of fixes you wish us to cherry-pick onto the
7.2.0 release.

Hash Values and GPG signatures can be found below and at:
https://gist.github.com/sgolemon/f6d308713c286a82f520091fc9dcf445

Thank you, happy testing, and yay 7.2!

-Sara

php-7.2.0RC6.tar.gz
SHA256 hash: ad528a8db319e444ce4ca259dec5afeb9d39287e9a6b214e11397cd985207b1d
PGP signature:
-----BEGIN PGP SIGNATURE-----

iQItBAABCAAXBQJaAaCcEBxwb2xsaXRhQHBocC5uZXQACgkQ29s5dHDRIXIqGhAA
3X55n7ODqp/uPFMpjKgyMtWB7kLVbxthZeai/Dvrsd35j2ZOPd9KNYjWFWV8fNWp
8jYj1LioW+FPpltlREaMxDXE7/cIZITRUX/k6jAfuafacLR5jy4OE5ghwDbyVnJ0
Sf6CA92chvnEEp3XTeS6XkPxJAi1H3zp/9KIGTlpFN5IIeaxqCl62hcc0+ikcYP0
dXm8j8hjqpXuOz2MEVKASmqKPayw27RaUfAE6lI/nuMdva++b7bKQL9tr7Tz+R/J
8Wl995Og5GKRhzTj65Uv/uv3cP5hGBqRYjybWIzA7y+offL+TFe12c2HHjBvAIFv
PtHuky4ZSNbLdarRfmdYs6bUoPx7GMIZDZ6mhGMXqJudh4I5rHt6g/zucZEAJRjk
V+h8J6pd80wNvoO7KtdnowGJtYjWQAwdr5KB0CmYpGrhogEjr62MvCjm2KvsiO+T
HTt4tKIkvjNSYwMApIxkNhxpRazEe6+goELoKACAZMwvLw2LLpV4Sg/BebdzAUFe
7odLVIDLgoG3OYxEMAzKDKTygRlfhGclxtQlRlmoP4u7Z+AruuGUA/L7n18iD093
lu0pksrkPIhQrQLydbNrgJfM54XxWBUCq5v3Ka2vJOzwrM+9ekZopPSkfiBfcAoM
6ptC0H1nNrlu6eF9xu+oDHsTMZL7HJMOABNdKy9TO5o=
=Aq+R
-----END PGP SIGNATURE-----

php-7.2.0RC6.tar.bz2
SHA256 hash: 906a13bafbec40a185208846195f11c8c5f6e8bc5672fd37862e95754b978de3
PGP signature:
-----BEGIN PGP SIGNATURE-----

iQItBAABCAAXBQJaAaCgEBxwb2xsaXRhQHBocC5uZXQACgkQ29s5dHDRIXISIA//
UOzi+RIfEBFNDsVBRhJQhBoM8eQTe8aHL+RstHmDL2tqakBi4HyvjRdRGMIExSyb
JCtx1y9KCPfJtPW4Xl/QTFJIslNhWEHsSFSxRVeozrA7tbpKVicW6xs7jr//EBqB
8SyoWjO+Rzr8Buvu8XvsxVxOmtNDgbssklcYMILIZHkaN1JGYy+u592W83anEGiv
H7Ysj/TY6i5YWsSwQVUV0DnkUJ2VeBBjeBQGSJ+SuQGV2dmrvx+k40O/DEysIF8U
SferVWGkB9NY/nkbxcC0oQRu6Eoh4SGtlUIl9qzPr8/qA6hEfAG3ftfJaQS2qKYv
gTbKniCr31oQeGeULa0zNZsMkvA15wjjoa6P/LFljr7X3OuJ+naCRB/pwlgnAjwL
LtNsxzXEnrTiVoSBU/jdG7acoEPmyixu6budROCs30QUnRYq4cCDUDZwqINkSDyI
rY5NC/O8BVuAiEtFv3alOcUgxmCYsbKDV6fqThSXpdP6aEF35/OgQH7WYp+9eYoE
mHpvWyIeeAGeAGASGoiuf0zftBEXfCrdgE034xr+/a744rYFakY54Wh3D/d26jc8
kaQoDNPws4GZwjkvp6EiFTg/1nhQ36SdhmKxnp3ZlZ96cNUUV0PNUnxsHqZms129
/K9iNMZGBH3pRPiwXoyZbkzLlVQncXp8iKTwaLOI/sk=
=gOX+
-----END PGP SIGNATURE-----

php-7.2.0RC6.tar.xz
SHA256 hash: be4df00ff5b66e9f13c83e1d08d1d5384ae7ccc820e26f7e5f9e660011496a9e
PGP signature:
-----BEGIN PGP SIGNATURE-----

iQItBAABCAAXBQJaAaCgEBxwb2xsaXRhQHBocC5uZXQACgkQ29s5dHDRIXJowxAA
2JpSoiECsGdsKGu1mBGRnKcFj+SsukSQ+VOeO5vysbrpKhBhc6ooJCRAydu+ez6/
rvxqzVQFX/aBOTJq878V+ysMs15kaqJsnUPHmqZ8NAubh3vSnXKsqzGEjherG7ju
t11tZ0lDTMRrM95y0Nrmkgv07UG+JDTBPJF1lVI7b16KezV7bsNKlASwWmIHpsCO
RyJJjCvaDEgm/rWGQBCdRJra1GjA9eoWVxujnpBztTtlwi+vP0e8KRMziXiv4RG7
Maj+0Vyni77x2bvAugpDbTmxQAVPwBYOjhBued19savcO51SnFVNJJPr/2KpQq/4
oOKK2ZHwRn4NBOQb9RK+gcY/KaDg2o1bvYbmUumagAaXjtBN1oRSvLhynVkj850R
Cobvo8+nAgEDJ9cd6TR6Zc9TOoAjA2fxcl4fknGDGnpZfajK5ISqZ0gqvkimeDIl
vsKlXdn0M3WhpdikozUjbHx23F15ug4IMGDvpoWh8aMLzxOsCjSszgNWj3QBObZr
7ujFtQ/8ryD4el34FlSumA0KBpWG6JBdTUp05VO3cmZELKTld9u7MPvdV/QSAVmo
HkdJjYQlY8rqk+DI52JJ84Dlj2cvY2PE46m/pUsKnVhesJ01FH5aG7gbBHSbM7I5
WKj2jbK1Geasw6X0q/ZxTwiNgUlPrlhbJugu7yiZpd0=
=EDtn
-----END PGP SIGNATURE-----
[PHP-DEV] PHP 7.0.26RC1 is available for testing
Hi,

PHP 7.0.26 RC1 was just released and can be downloaded from:
https://downloads.php.net/~ab/

The Windows binaries are available at
http://windows.php.net/qa/

This release contains a number of bugfixes. For the list of bugfixes that
you can target in your testing, please refer to the NEWS file:
https://github.com/php/php-src/blob/php-7.0.26RC1/NEWS

Please test it carefully, and report any bugs in the bug system.

The stable release is planned for November 23rd, if no critical issues
are discovered in the RC.

Thank you for your support.

Regards,
Anatol Belski and Ferenc Kovacs

P.S. Below is the verification information for the downloads.

php-7.0.26RC1.tar.bz2
SHA256 hash: a502161e43dd8d01ecd3b781a5cef3197ddb429df65d59a0cf75544268f7a100
PGP signature:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAABAgAGBQJaAb8mAAoJELyqMOqcDVdj3Z8H/jOxAWXAWeRrt5lk2+V0TWKU
pa/hW3FkndUid+EcvwE+igHj3+mbpl2Tteo9ssyI4BdzAgeIoK13zTGEBSzYSf+S
MsUzvldFNemDLbbxxKJZURLFw2dr9FoMjjyJpS3pjybqcfSWJWQjDhiazxbt/NoZ
/P29xLdM4j1aAUAkAo6s1sHp6wObN0e7AiN/IaGj1sUkdhZG2rqXiNdpxJVja0RN
Xn3X7VdpDrRmtovilMKHJ32uWAnYTH0jahgJTazmKiXOOkMt/9izqjyBGoStuuKh
ifRBfSG3XZ/XMivhyylficMhaaz3/Hblk0mWa051VOX9AE9q4VQY8HvhEwRUVCk=
=etUx
-----END PGP SIGNATURE-----

php-7.0.26RC1.tar.gz
SHA256 hash: 29f8c125314e28e1a625da7b5d4b01ae07d0bd24bb36893fffaee7e83240c9fb
PGP signature:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAABAgAGBQJaAb8qAAoJELyqMOqcDVdjSvIIAIUd+Mq1/owy1KY4zDlGsebS
VQjMDr9hnSW8IaEmM1dQ1e9GFqK5q40aHyG1l9bSXjGWH6EoIwEE/Nj5TRJRuvl5
IByHvsI0dLTMi3O6uOMTWldUia1tiaHTiPCavhrpJFKxBz25ah+1HW+HsHJpJZNP
RWHvvtWlo4PKGS4MG2iyY4yJLSMyek3I11p1e0GDrpITWRLdL7Xk3FmbIJPp601R
OgB9UAzfxmxfZOcaJGn9koV3UQt3l2xCdvRzVUuKQBoAtM0nYjyxrVFGfgsPkSv+
S8iK+hTpFc+Yc6WL1JMPOX7uvFoAfV88EfQ6466OIgBWPusvnF2oLk1keVc4B6E=
=v1jd
-----END PGP SIGNATURE-----

php-7.0.26RC1.tar.xz
SHA256 hash: 5fbfdb2e5f1e8451f9a4728e35109e966d2354011ed3e1a6ee6c477db743e74a
PGP signature:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAABAgAGBQJaAb8tAAoJELyqMOqcDVdjI6wH/jpz/l/z2/HRKenl0gygHLdB
gJ/lcWuzqWVO95tpclRH1mMgaciYhiiLZ+fhtul6+gP+zbo6Jw0X7PpY1tQ4zdJX
SbY8G2fZu0ilAFNekmKk6dMGF0WntLwKAbE4Aa/oe7+0WGierr1neBCbqLharCMl
1CGHKUKXx8g5lyWIzrgb6N3Q0I4G6mvc9bjFBHldBS0yaIeXcVlbo0LMJCpm6mRR
gLAhFK5CprsQdQnWnqNgYNxkl0M/XWrvUrFczcFQUUNmVxsqPHi1EkAM5DSil8/X
jBEutjWuk2eW68wIOEFGfdqxR0xXRRXZzHd7ZnSuTXEyAz2KIFW/jiXcmb14jeA=
=o9a3
-----END PGP SIGNATURE-----
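Both release announcements above publish a SHA256 hash and a detached PGP signature for each tarball, which is only useful if the downloader actually checks them before building. The following script is an added example, not part of either announcement or of the PHP project's own tooling: it compares a downloaded file's SHA256 against the published value and, as a second step, hands the file and its armored signature to gpg. It assumes `sha256sum` (or `shasum` on BSD/macOS) is on the PATH, that the signature block from the mail has been saved next to the tarball as `<file>.asc` (a naming convention chosen here, not mandated by the announcement), and that the release manager's public key has already been imported into the local keyring.

```shell
#!/bin/sh
# Added example (not from the PHP release announcements): verify a downloaded
# release tarball against the SHA256 hash published in the announcement, and
# optionally verify the detached PGP signature saved as <file>.asc.

# Compute the SHA256 of a file with whichever tool this system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HASH
# Returns 0 when the computed digest equals EXPECTED_HASH (hex, any case),
# 1 otherwise. A mismatch means a corrupted or tampered download; do not
# build from it.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches published SHA256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# verify_signature FILE
# Verifies FILE against the detached armored signature FILE.asc (the
# "-----BEGIN PGP SIGNATURE-----" block from the announcement saved to disk).
# gpg exits non-zero on a bad signature or an unknown signing key, so this
# only passes once the release manager's public key is in the keyring.
verify_signature() {
    gpg --verify "$1.asc" "$1"
}

# Usage, with the hash the announcement publishes for php-7.2.0RC6.tar.gz
# (the hash check runs first; the signature check only runs if it passes):
#   verify_sha256 php-7.2.0RC6.tar.gz \
#     ad528a8db319e444ce4ca259dec5afeb9d39287e9a6b214e11397cd985207b1d \
#   && verify_signature php-7.2.0RC6.tar.gz
```

The hash check defends against a corrupted or swapped mirror copy; the signature check is what ties the file to the release manager's key rather than to whatever hash happened to be served alongside it, so the two steps are complementary rather than redundant.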