On Tue, 20 Feb 2007 18:59:24 -0500 csnyder <[EMAIL PROTECTED]> wrote:
> So apparently we're in for a treat in March (as if daylight savings
> time wasn't enough) as Stefan Esser will be publicizing a laundry list
> of active vulnerabilities in PHP, one or more for each day of the
> month.
> http://www.securityfocus.com/columnists/432/
>
> Here's somebody who had been working with the core developers to try
> to get these things fixed, but has been frustrated to the point of
> resorting to a "Month of Bugs" style publicity stunt. If what he says
> is true, about overflows and other bugs being ignored, that's a pretty
> major breakdown in quality control.
>
> I don't know C, and I would have no idea what to look for in doing an
> audit of PHP (the language) itself. But it seems (from Ilia's comments
> anyway) that such an audit is long overdue.
>
> So now I have to wonder, do IBM and Yahoo deploy stock PHP binaries?
> Or do they carry out their own internal audits to discover and patch
> the sloppier parts of the codebase?
>
> --
> Chris Snyder
> http://chxo.com/

Thanks for the heads up, Chris. It may be a good idea to have a look at
his Suhosin patch... before the March Madness.

http://www.hardened-php.net/

--
michael (this address does not accept public email)

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
