Re: [PHP-DEV] PHP 7.2.0 RC6 Released

2017-11-09 Thread Sara Golemon
On Thu, Nov 9, 2017 at 2:25 PM, Nikita Popov wrote:
>> This is utterly disappointing considering that bug #73535 is marked as
>> private and I couldn't easily gather more information about this bug on
>> google. Since I have the feeling this is an open secret can you disclose
>> more information and proposed patches so that sysadmins can assess by
>> themselves the risks, mitigation techniques, and whether to patch their
>> own
>> installations?
>>
>> I guess the dev team wouldn't leave us with our pants down, so I expect
>> this to be of difficult exploitability. Anyway, after a year it's time for
>> full disclosure, don't you think?
>
>
> So as to avoid unnecessary fearmongering, this refers to a denial-of-service
> vulnerability requiring specific application code. If your code implements a
> certain operation in a specific way, it may be possible to make it go into
> an infinite loop based on remote interaction. Apart from the increased
> server load, this is not dangerous. (Of course, if someone is actively using
> this against you, you'd notice...)
>
Agree with Niki that this isn't going to be commonly exploitable, and
has likely existed for a significant range of versions.  Given that,
I'm going to say it probably won't (by itself) merit pushing back GA
at this stage.  That said, it should be addressed sooner rather than
later as it looks like we're not surfacing good information to
userspace under these circumstances.

-Sara

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DEV] PHP 7.2.0 RC6 Released

2017-11-09 Thread Nikita Popov
On Thu, Nov 9, 2017 at 7:07 PM, Giovanni Giacobbi wrote:

> On 9 November 2017 at 18:46, Thomas Hruska wrote:
>
> > On 11/9/2017 7:36 AM, Sara Golemon wrote:
> >
> >> The sixth (and likely final) release candidate for 7.2.0 was just
> >> released and can be
> >> downloaded from:
> >> https://downloads.php.net/~pollita/
> >> Or using the git tag: php-7.2.0RC6
> >>
> >> Barring unforeseen calamity, everyone should expect 7.2.0-final on
> >> Thursday, November 30th.
> >>
> >
> > Issue #73535?  I consider letting a known security vulnerability that
> > goes largely unaddressed but persists into the next major version of a
> > software product to be quantifiable as a calamity of sorts.  It's fast
> > approaching a full year without any resolution in sight.  Many people
> > would have zero day-ed the issue by this point at whatever conferences
> > have come and gone (Black Hat, DEF CON, etc.) to grab some quick
> > notoriety.  I don't believe that zero day-ing a vulnerability on a
> > stage is the right solution for a garden variety of reasons.
> >
> >
> This is utterly disappointing considering that bug #73535 is marked as
> private and I couldn't easily gather more information about this bug on
> google. Since I have the feeling this is an open secret can you disclose
> more information and proposed patches so that sysadmins can assess by
> themselves the risks, mitigation techniques, and whether to patch their own
> installations?
>
> I guess the dev team wouldn't leave us with our pants down, so I expect
> this to be of difficult exploitability. Anyway, after a year it's time for
> full disclosure, don't you think?
>

So as to avoid unnecessary fearmongering, this refers to a
denial-of-service vulnerability requiring specific application code. If
your code implements a certain operation in a specific way, it may be
possible to make it go into an infinite loop based on remote interaction.
Apart from the increased server load, this is not dangerous. (Of course, if
someone is actively using this against you, you'd notice...)

Nikita


Re: [PHP-DEV] PHP 7.2.0 RC6 Released

2017-11-09 Thread Giovanni Giacobbi
On 9 November 2017 at 18:46, Thomas Hruska wrote:

> On 11/9/2017 7:36 AM, Sara Golemon wrote:
>
>> The sixth (and likely final) release candidate for 7.2.0 was just
>> released and can be
>> downloaded from:
>> https://downloads.php.net/~pollita/
>> Or using the git tag: php-7.2.0RC6
>>
>> Barring unforeseen calamity, everyone should expect 7.2.0-final on
>> Thursday, November 30th.
>>
>
> Issue #73535?  I consider letting a known security vulnerability that goes
> largely unaddressed but persists into the next major version of a software
> product to be quantifiable as a calamity of sorts.  It's fast approaching a
> full year without any resolution in sight.  Many people would have zero
> day-ed the issue by this point at whatever conferences have come and gone
> (Black Hat, DEF CON, etc.) to grab some quick notoriety.  I don't believe
> that zero day-ing a vulnerability on a stage is the right solution for a
> garden variety of reasons.
>
>
This is utterly disappointing considering that bug #73535 is marked as
private and I couldn't easily gather more information about this bug on
google. Since I have the feeling this is an open secret can you disclose
more information and proposed patches so that sysadmins can assess by
themselves the risks, mitigation techniques, and whether to patch their own
installations?

I guess the dev team wouldn't leave us with our pants down, so I expect
this to be of difficult exploitability. Anyway, after a year it's time for
full disclosure, don't you think?

Kind regards
GG


Re: [PHP-DEV] PHP 7.2.0 RC6 Released

2017-11-09 Thread Thomas Hruska

On 11/9/2017 7:36 AM, Sara Golemon wrote:

> The sixth (and likely final) release candidate for 7.2.0 was just
> released and can be
> downloaded from:
> https://downloads.php.net/~pollita/
> Or using the git tag: php-7.2.0RC6
>
> Barring unforeseen calamity, everyone should expect 7.2.0-final on
> Thursday, November 30th.


Issue #73535?  I consider letting a known security vulnerability that 
goes largely unaddressed but persists into the next major version of a 
software product to be quantifiable as a calamity of sorts.  It's fast 
approaching a full year without any resolution in sight.  Many people 
would have zero day-ed the issue by this point at whatever conferences 
have come and gone (Black Hat, DEF CON, etc.) to grab some quick 
notoriety.  I don't believe that zero day-ing a vulnerability on a stage 
is the right solution for a garden variety of reasons.


Regardless, we can all agree that the ball was seriously dropped here 
and that there's certainly room for improvement in the release process. 
Ideally, someone should be specifically assigned to interact with the 
global team pre-RC1 of any major release where their sole responsibility 
is to walk through the bugs queue in order to identify and properly 
triage vulnerabilities in the software that might require a BC-break so 
that by the time -final happens, the relevant patches are fully tested 
and ready to go out with the release.  I'd wager that #73535 isn't the 
only reported unpatched vulnerability in the issue tracker.


I still think that there's time to apply a reasonable-ish patch to make 
it into 7.2 and maybe prepare a similar patch for 7.1 and 5.6.  What 
those patches should be, I don't know.  My original suggestion was shot 
down since I missed/overlooked something.  The only options I can think 
of are a slightly hacky solution or a cleaner solution that requires a 
BC-break.


--
Thomas Hruska
CubicleSoft President

I've got great, time saving software that you will find useful.

http://cubiclesoft.com/

And once you find my software useful:

http://cubiclesoft.com/donate/




[PHP-DEV] PHP 7.2.0 RC6 Released

2017-11-09 Thread Sara Golemon
The sixth (and likely final) release candidate for 7.2.0 was just
released and can be
downloaded from:
https://downloads.php.net/~pollita/
Or using the git tag: php-7.2.0RC6

The Windows binaries are available at: http://windows.php.net/qa/

Please test it carefully, and report any bugs in the bug system.
This is our last chance to catch bugs before the final release in three weeks.
Barring unforeseen calamity, everyone should expect 7.2.0-final on
Thursday, November 30th.

As a reminder to internals@, any bug fixes should be committed to the
PHP-7.2 branch as usual, but since we're in the final stretch for
release, you MUST notify Remi and me of fixes you wish us to
cherry-pick onto the 7.2.0 release.

Hash Values and GPG signatures can be found below and at:
https://gist.github.com/sgolemon/f6d308713c286a82f520091fc9dcf445

Thank you, happy testing, and yay 7.2!
-Sara

php-7.2.0RC6.tar.gz
SHA256 hash: ad528a8db319e444ce4ca259dec5afeb9d39287e9a6b214e11397cd985207b1d

php-7.2.0RC6.tar.bz2
SHA256 hash: 906a13bafbec40a185208846195f11c8c5f6e8bc5672fd37862e95754b978de3

php-7.2.0RC6.tar.xz
SHA256 hash: be4df00ff5b66e9f13c83e1d08d1d5384ae7ccc820e26f7e5f9e660011496a9e




[PHP-DEV] PHP 7.0.26RC1 is available for testing

2017-11-09 Thread Anatol Belski
Hi,

PHP 7.0.26 RC1 was just released and can be downloaded from:

https://downloads.php.net/~ab/

The Windows binaries are available at

http://windows.php.net/qa/

This release contains a number of bugfixes.
For the list of bugfixes that you can target in your testing, please refer to 
the NEWS file:

https://github.com/php/php-src/blob/php-7.0.26RC1/NEWS

Please test it carefully, and report any bugs in the bug system.

The stable release is planned for November 23rd, if no critical issues are
discovered in the RC.

Thank you for your support.

Regards,
Anatol Belski and Ferenc Kovacs


P.S. Below is the verification information for the downloads.

php-7.0.26RC1.tar.bz2
SHA256 hash: a502161e43dd8d01ecd3b781a5cef3197ddb429df65d59a0cf75544268f7a100


php-7.0.26RC1.tar.gz
SHA256 hash: 29f8c125314e28e1a625da7b5d4b01ae07d0bd24bb36893fffaee7e83240c9fb


php-7.0.26RC1.tar.xz
SHA256 hash: 5fbfdb2e5f1e8451f9a4728e35109e966d2354011ed3e1a6ee6c477db743e74a

