Newsgroups: php.internals
From: jordanryanmoore@gmail.com ("Jordan Moore")
To: internals@lists.php.net
Subject: Re: [PHP-DEV] Comments on PHP security
Date: Thu, 11 Jan 2007 11:23:19 -0800
Message-ID: <61504d990701111123t2ea8627cs829cd37f996ee3af@mail.gmail.com>
In-Reply-To: <45A6891E.8070302@hardened-php.net>
References: <20070111144144.GV15998@mint.phcomp.co.uk> <45A65B19.40900@lerdorf.com> <45A6600D.1090500@hardened-php.net> <45A67E74.1080904@zend.com> <45A6891E.8070302@hardened-php.net>

This is pathetic. I thought most of you were adults, but I really can't tell sometimes. Why can't this be discussed without everyone getting upset and snapping at each other? The biggest problem with PHP right now is how thick-headed and cocky some of the posters to this list are. Grow up, and then maybe PHP will have a chance to grow up. It's only taken a couple months to realize how much time is wasted on political crap on this list instead of bug-fixing.

On 1/11/07, Stefan Esser wrote:
>
> > I wonder what you mean by that - that the PHP group should publish a
> > press release "PHP is not secure, please do not use it anymore" or
> > what? I see the PHP group is working quite well eliminating the security
> > issues. As far as I know, last year there were 7 remotely exploitable
> > issues in PHP (which is regrettable but that's the way of life to have
> > bugs), and all of them are fixed, IIRC, and within an acceptable
> > timeframe (the last can be debatable, but PHP being an opensource project
> > the only way to fix it is to get more participation from people in
> > submitting patches). I know of no remotely exploitable security issue
> > that is now in the current PHP version.
> > So I wonder what would you like the PHP Group to improve? What would you
> > mean by facing reality - what in your opinion the reality is and what
> > would you have the PHP group do to satisfy you on the facing reality account?
> First of all PHP group is doing nothing. Neither do they improve PHP's
> security nor do they stop well known PHP license abusers (because they
> are friends).
> Secondly security patches are done by Ilia and maybe the Zend stuff by
> Dmitry. All the others are doing nothing in the sense of security.
>
> And do I need to remind you about a certain bug in the new super duper
> Zend Memory manager that results in a far too small buffer being allocated?
>
> Do I need to post an exploit that uses this bug to exploit for example
> the Soap HTTP client from ext/soap? This is a kind of remote exploit
> against PHP. And god knows how many other places are vulnerable because
> of the new "improved" Zend Memory Manager.
>
> And what about the heap underflow bug in ext/filter... Also not a remote
> exploit?
>
> The fact that you do not know about any remote exploit against PHP is
> quite irrelevant for reality.
>
> Stefan Esser
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>