So apparently we're in for a treat in March (as if daylight savings time wasn't enough) as Stefan Esser will be publicizing a laundry list of active vulnerabilities in PHP, one or more for each day of the month. http://www.securityfocus.com/columnists/432/
Here's somebody who had been working with the core developers to try to get these things fixed, but has been frustrated to the point of resorting to a "Month of Bugs" style publicity stunt. If what he says is true, about overflows and other bugs being ignored, that's a pretty major breakdown in quality control.

I don't know C, and I would have no idea what to look for in doing an audit of PHP (the language) itself. But it seems (from Ilia's comments anyway) that such an audit is long overdue.

So now I have to wonder, do IBM and Yahoo deploy stock PHP binaries? Or do they carry out their own internal audits to discover and patch the sloppier parts of the codebase?

--
Chris Snyder
http://chxo.com/

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
