Newsgroups: php.internals
Xref: news.php.net php.internals:57291
Date: Mon, 9 Jan 2012 16:41:51 +0100
To: PHP internals, Johannes Schlüter, Laruence
Subject: 5.3.9, Hash DoS, release
From: pierre.php@gmail.com (Pierre Joye)

hi,

Moving this discussion here as it makes little to no sense to discuss that any longer on security@

We are now very late behind an acceptable delay to provide a fix for the hash DoS, to say it nicely.

I'd strongly suggest to release 5.3.9 (RC5 has been tested now) final this week using the max_input_vars fix, with the modification from Laruence (but with a larger limit). Laruence's addition also fixes serialize or json, which are parts that need this fix as well as it is impossible to validate a string manually (length check only is not enough or cannot work in all cases). But 1st of all, the fix addition has to be applied and fully tested.

But if the addition is not desired yet, then we must at least release 5.3.9 with Dmitry's fix only and we can fix json&serialize later, ideally within 2 weeks max.

Cheers,
--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org