Newsgroups: php.internals
Subject: Re: [PHP-DEV] Comments on PHP security
From: pierre.php@gmail.com (Pierre)
Date: Thu, 11 Jan 2007 17:27:33 +0100
To: "Stefan Esser"
Cc: "Alain Williams", internals@lists.php.net, kel@securityfocus.com, security@php.net
In-Reply-To: <45A66391.1090302@hardened-php.net>
References: <20070111144144.GV15998@mint.phcomp.co.uk> <45A65B19.40900@lerdorf.com> <45A6600D.1090500@hardened-php.net> <45A66391.1090302@hardened-php.net>

Hi Stefan,

On 1/11/07, Stefan Esser wrote:
> > For your information, zip is not enabled by default. If you have a
> > bug/issue about the specific zip:// URL, please let me know. Ilia and
> > Tony already fixed some path fixes and the fixes are available in
> > zip-1.8.4. They will be in 5.2.1.
>
> For your information Pierre: Security Bugs in PHP are usually found by
> me. So guess twice WHO told security@php.net that there are
> buffer overflows in zip:// URLs and WHY there have been bugfixes to ext/zip.

No idea who posted them or if someone posted something about zip. As you know I have no access to security@ and so far all I see are commits in my packages without much explanation. Not like I do not want you or anyone else to help or to not give you the credit. But I did not know that someone else reported the issues, I apologize for that.

> BTW: Last time I checked, popular packages like dotdeb PHP activate
> ext/zip by default...
>
> And yes... Also prepare for the ***more than 30 vulnerabilities*** I
> disclosed to security@php.net during the last 3 weeks.

Nice, better late than never. Remember my numerous requests in the last months *BEFORE* the stable release (and you were still a PHP Security member)?

> Have fun...

I have fun anyway, if not I will not bother to discuss that here.

--Pierre