Newsgroups: php.internals
From: giovanni@giacobbi.net (Giovanni Giacobbi)
To: Thomas Hruska
Cc: Sara Golemon, PHP internals
Date: Thu, 9 Nov 2017 19:07:06 +0100
Subject: Re: [PHP-DEV] PHP 7.2.0 RC6 Released

On 9 November 2017 at 18:46, Thomas Hruska wrote:
> On 11/9/2017 7:36 AM, Sara Golemon wrote:
>
>> The sixth (and likely final) release candidate for 7.2.0 was just
>> released and can be downloaded from:
>> https://downloads.php.net/~pollita/
>> Or using the git tag: php-7.2.0RC6
>>
>> Barring unforeseen calamity, everyone should expect 7.2.0-final on
>> Thursday, November 30th.
>
> Issue #73535? I consider letting a known security vulnerability that goes
> largely unaddressed but persists into the next major version of a software
> product to be quantifiable as a calamity of sorts. It's fast approaching a
> full year without any resolution in sight. Many people would have zero
> day-ed the issue by this point at whatever conferences have come and gone
> (Black Hat, DEF CON, etc.) to grab some quick notoriety. I don't believe
> that zero day-ing a vulnerability on a stage is the right solution for a
> garden variety of reasons.

This is utterly disappointing, considering that bug #73535 is marked as
private and I couldn't easily gather more information about this bug on
Google. Since I have the feeling this is an open secret, can you disclose
more information and proposed patches so that sysadmins can assess by
themselves the risks, mitigation techniques, and whether to patch their own
installations? I guess the dev team wouldn't leave us with our pants down,
so I expect this to be of difficult exploitability. Anyway, after a year
it's time for full disclosure, don't you think?

Kind regards
GG