Newsgroups: php.internals
From: sesser@hardened-php.net (Stefan Esser)
To: Stanislav Malyshev
Cc: internals@lists.php.net
Date: Sat, 19 May 2007 10:00:52 +0200
Subject: Re: [PHP-DEV] potential solution to user streams + allow_url_include=off
Message-ID: <464EAEB4.6010402@hardened-php.net>
In-Reply-To: <464EA816.20406@zend.com>

> If you are aware of some security problems in current PHP sources you
> are as always welcome to report them and they will be fixed. I think
> everybody here as always are thankful for any help we can get.

Ohh BTW.

I am aware of many security problems in current PHP, actually the whole world is, because there are still a lot of "local" vulnerabilities unfixed that were disclosed during the MOPB. The ext/filter email issue is also not fixed in 5.2.2.

And yes I know a bunch of bugs in PHP that were not disclosed during the MOPB. But what sense does it make to release them now, while a bunch of MOPB bugs are not yet fixed or were marked as fixed in the release notes of 5.2.2 but were not actually fixed.

Stefan