Newsgroups: php.internals
Xref: news.php.net php.internals:28668
From: seanius@debian.org (sean finney)
To: internals@lists.php.net
Date: Wed, 04 Apr 2007 00:33:15 +0200
Message-ID: <1175639595.3804.26.camel@localhost>
Subject: point of contact for security? and hi btw

hey all,

a quick introduction: i'm one of the folks maintaining the debian php4/php5 packages. we're currently on the cusp of cutting a new stable release "etch" (funny, i'd *swear* we've been saying that since december...), which will include the second-to-most-recent releases of 4.4.x and 5.2.x with the security fixes from the most recent releases backported.

my first question: do you have a designated person/list for security related issues? it looks like i ended up becoming "point guy" for tackling the various security issues that come up from time to time, and it'd be nice if we could establish some lines of communication. specifically, it would be nice to have someone to contact when a new vulnerability is reported who could point me at the relevant files/changesets for specific fixes, so i don't have to spend an evening digging through CVS logs :)

as i mentioned, the latest version of php5 in etch includes a bunch of fixes backported from the 5.2.1 release, but i believe that there are a good number of the mopb issues that either were not fixed in 5.2.1 or were fixed but not backported by us. i'll probably start sending emails here (or to whoever steps up as a contact point) with questions in the near future for some of them.

however, most pressing is mopb #44:

http://php-security.org/MOPB/MOPB-44-2007.html

the (long) cast mm bug. i think i've found the relevant fix, but i could use a verification from someone here as a quick sanity check:

http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_alloc.c?r1=1.144.2.3.2.27&r2=1.144.2.3.2.28&view=patch

is that it?

thanks,
sean

ps - as per the list guidelines i'm not digitally signing this email with my pgp/gpg key. but if you need it, my keyid is 0x6e76d81d.