Newsgroups: php.internals
From: Johannes Schlüter <johannes@schlueters.de>
To: Pierre Joye
Cc: PHP internals, Laruence
Date: Mon, 09 Jan 2012 17:40:51 +0100
Message-ID: <1326127251.6916.8.camel@guybrush>
Subject: Re: 5.3.9, Hash DoS, release

I was under the impression that somebody worked on the information disclosure issue in the error message and the error message spamming. This seems not to be the case.

If you, Pierre, are ready for Windows builds tomorrow morning, I'd like to release tomorrow as is.
johannes

On Mon, 2012-01-09 at 16:41 +0100, Pierre Joye wrote:
> hi,
>
> Moving this discussion here as it makes little to no sense to discuss
> that any longer on security@
>
> We are now very late behind an acceptable delay to provide a fix for
> the hash DoS, to say it nicely.
>
> I'd strongly suggest to release 5.3.9 (RC5 has been tested now) final
> this week using the max_input_vars fix, with the modification from
> Laruence (but with a larger limit). Laruence's addition also fixes
> serialize or json, which are parts that need this fix as well, as it is
> impossible to validate a string manually (a length check only is not enough
> or cannot work in all cases).
>
> But 1st of all, the fix addition has to be applied and fully tested.
> But if the addition is not desired yet, then we must at least release
> 5.3.9 with Dmitry's fix only and we can fix json & serialize later,
> ideally within 2 weeks max.
>
> Cheers,
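The quoted point that a length check on a JSON or serialized string cannot stop a hash-collision DoS, and that the protection has to sit inside the decoder (the max_input_vars idea applied to json_decode/unserialize), can be made concrete with the following added example. It is not code from the PHP project or from anyone in this thread: it re-implements Zend's DJBX33A string hash in Python, builds a set of distinct keys that all hash alike, and compares a colliding JSON payload against a harmless one of exactly the same byte length. The 64-bit mask, the two colliding blocks "Ez"/"FY", the element cap, and the `bounded_json_loads` wrapper are assumptions made for illustration; Python's own `dict` is not affected by this hash, the decoder wrapper only shows where a counting limit has to live.

```python
"""Why a byte-length check does not stop a hash-collision DoS.

Constructed example, not PHP project code. Re-implements the DJBX33A
string hash used by Zend in PHP 5 (h = 5381; h = h * 33 + byte for every
byte) and shows that a small input can carry hundreds of keys that all
land in one hash bucket, so the only usable limit is a count of elements
applied by the decoder itself, not len(input).
"""
import itertools
import json

MASK64 = (1 << 64) - 1  # assumption: 64-bit unsigned long as on LP64 builds


def djbx33a(key: bytes) -> int:
    """DJBX33A as in zend_inline_hash_func (PHP 5 also feeds the trailing
    NUL through the loop; that does not change which keys collide)."""
    h = 5381
    for c in key:
        h = (h * 33 + c) & MASK64
    return h


# Two byte pairs with equal hash state: 69*33 + 122 == 70*33 + 89.
# Because the hash is a running state, any concatenation of such blocks
# collides as well, giving 2**n colliding keys of length 2n.
COLLIDING_BLOCKS = (b"Ez", b"FY")
BENIGN_BLOCKS = (b"Ea", b"Eb")  # same lengths, different hash states


def keys_from_blocks(blocks, n: int) -> list:
    """All 2**n keys built from n blocks drawn from the given pair."""
    return [b"".join(p) for p in itertools.product(blocks, repeat=n)]


def colliding_keys(n: int) -> list:
    return keys_from_blocks(COLLIDING_BLOCKS, n)


def benign_keys(n: int) -> list:
    return keys_from_blocks(BENIGN_BLOCKS, n)


def build_json_payload(keys) -> str:
    """A flat JSON object {"key":1,...} over the given keys."""
    return "{" + ",".join('"%s":1' % k.decode("ascii") for k in keys) + "}"


def distinct_buckets(keys) -> int:
    """How many distinct DJBX33A values the keys produce (1 == all collide)."""
    return len({djbx33a(k) for k in keys})


class TooManyElements(ValueError):
    """Raised when a decoded document exceeds the element cap."""


def bounded_json_loads(text: str, max_elements: int):
    """Decode JSON but refuse documents carrying more than max_elements
    object members in total: the analogue of capping element count inside
    the parser instead of inspecting len(text) up front (assumed design)."""
    seen = 0

    def hook(pairs):
        nonlocal seen
        seen += len(pairs)
        if seen > max_elements:
            raise TooManyElements("%d object members exceed cap %d"
                                  % (seen, max_elements))
        return dict(pairs)

    return json.loads(text, object_pairs_hook=hook)


if __name__ == "__main__":
    bad = build_json_payload(colliding_keys(8))      # 256 keys, 16 bytes each
    good = build_json_payload(benign_keys(8))        # same shape and size
    print("bytes: bad=%d good=%d" % (len(bad), len(good)))
    print("buckets: bad=%d good=%d" % (distinct_buckets(colliding_keys(8)),
                                       distinct_buckets(benign_keys(8))))
    try:
        bounded_json_loads(bad, max_elements=100)
    except TooManyElements as e:
        print("rejected by element cap:", e)
```

Both payloads are 5377 bytes, so no length threshold separates them; only the hash values do, and those are invisible to a check done before the data is parsed into a hash table. That is the argument for carrying an element cap into json_decode and unserialize rather than leaving validation to the caller.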