Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:101114 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 3789 invoked from network); 9 Nov 2017 17:46:20 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 9 Nov 2017 17:46:20 -0000 Authentication-Results: pb1.pair.com smtp.mail=thruska@cubiclesoft.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=thruska@cubiclesoft.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain cubiclesoft.com designates 149.56.142.28 as permitted sender) X-PHP-List-Original-Sender: thruska@cubiclesoft.com X-Host-Fingerprint: 149.56.142.28 28.ip-149-56-142.net Received: from [149.56.142.28] ([149.56.142.28:42158] helo=28.ip-149-56-142.net) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 1D/2C-15386-664940A5 for ; Thu, 09 Nov 2017 12:46:15 -0500 Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: thruska@cubiclesoft.com) with ESMTPSA id B81173E880 To: Sara Golemon , PHP internals References: Message-ID: Date: Thu, 9 Nov 2017 10:46:09 -0700 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:11.0) Gecko/20120327 Thunderbird/11.0.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] PHP 7.2.0 RC6 Released From: thruska@cubiclesoft.com (Thomas Hruska) On 11/9/2017 7:36 AM, Sara Golemon wrote: > The sixth (and likely final) release candidate for 7.2.0 was just > released and can be > downloaded from: > https://downloads.php.net/~pollita/ > Or using the git tag: php-7.2.0RC6 > > Barring unforeseen calamity, everyone should expect 7.2.0-final on > Thursday, November 30th. Issue #73535? I consider letting a known security vulnerability that goes largely unaddressed but persists into the next major version of a software product to be quantifiable as a calamity of sorts. It's fast approaching a full year without any resolution in sight. Many people would have zero day-ed the issue by this point at whatever conferences have come and gone (Black Hat, DEF CON, etc.) to grab some quick notoriety. I don't believe that zero day-ing a vulnerability on a stage is the right solution for a garden variety of reasons. Regardless, we can all agree that the ball was seriously dropped here and that there's certainly room for improvement in the release process. Ideally, someone should be specifically assigned to interact with the global team pre-RC1 of any major release where their sole responsibility is to walk through the bugs queue in order to identify and properly triage vulnerabilities in the software that might require a BC-break so that by the time -final happens, the relevant patches are fully tested and ready to go out with the release. I'd wager that #73535 isn't the only reported unpatched vulnerability in the issue tracker. I still think that there's time to apply a reasonable-ish patch to make it into 7.2 and maybe prepare a similar patch for 7.1 and 5.6. What those patches should be, I don't know. My original suggestion was shot down since I missed/overlooked something. The only options I can think of are a slightly hacky solution or a cleaner solution that requires a BC-break. -- Thomas Hruska CubicleSoft President I've got great, time saving software that you will find useful. http://cubiclesoft.com/ And once you find my software useful: http://cubiclesoft.com/donate/