Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:57612
Return-Path: <stefan@nopiracy.de>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 10356 invoked from network); 2 Feb 2012 13:31:54 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 2 Feb 2012 13:31:54 -0000
Authentication-Results: pb1.pair.com smtp.mail=stefan@nopiracy.de; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=stefan@nopiracy.de; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain nopiracy.de from 81.169.146.162 cause and error)
X-PHP-List-Original-Sender: stefan@nopiracy.de
X-Host-Fingerprint: 81.169.146.162 mo-p00-ob.rzone.de Solaris 10 (beta)
Received: from [81.169.146.162] ([81.169.146.162:31055] helo=mo-p00-ob.rzone.de)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 3A/90-04454-8409A2F4 for <internals@lists.php.net>; Thu, 02 Feb 2012 08:31:53 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; t=1328189509; l=758;
	s=domk; d=nopiracy.de;
	h=To:References:Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:
	Content-Type:Mime-Version:Subject:X-RZG-CLASS-ID:X-RZG-AUTH;
	bh=1YgLXyQB6ssJ2qD6TbHdpr3GsrM=;
	b=DOlk4EUefo/Bik0CqmoT+0RB2vt39rrPQBq1favcVX8WPmpy2rPWxQCIvOWSzNVL6T2
	TW0dy/F7JQno5+jMuFtheXspn052q+bhg86VSTgNI3AdDfXw72IFq4Oc0JF4OMA0L87/f
	AY26+uTLIono8k4Vv97/kP4sLWjAA612A7I=
X-RZG-AUTH: :OH4FY0Wkd/plSHgwfKFIgHoVYx5SSathkA9OvI+ii+JXGfvQUzm/Ahii7iullNGyVg==
X-RZG-CLASS-ID: mo00
Received: from [10.23.17.42] (cable-78-34-71-151.netcologne.de [78.34.71.151])
	by smtp.strato.de (klopstock mo12) (RZmta 27.6 DYNA|AUTH)
	with (AES128-SHA encrypted) ESMTPA id N00075o12Cdsu1 ;
	Thu, 2 Feb 2012 14:31:08 +0100 (MET)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset=utf-8
In-Reply-To: <CALjhHG_wYvJn-Z+x9fJUi+dgmZ+Ha9BD54N5VwhneJM4sg1xBQ@mail.gmail.com>
Date: Thu, 2 Feb 2012 14:31:08 +0100
Cc: 657698 <657698@bugs.debian.org>,
 Christoph Anton Mitterer <calestyo@scientia.net>,
 Douglas Calvert <dfc@douglasfcalvert.net>,
 Jesse Molina <jesse@opendreams.net>,
 Carlos Alberto Lopez Perez <clopez@igalia.com>,
 PHP internals <internals@lists.php.net>,
 Debian Developers <debian-devel@lists.debian.org>,
 Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
Content-Transfer-Encoding: quoted-printable
Message-ID: <5FB5CFDA-6FE8-4C20-A9B9-7844ED96659B@nopiracy.de>
References: <CALjhHG_wYvJn-Z+x9fJUi+dgmZ+Ha9BD54N5VwhneJM4sg1xBQ@mail.gmail.com>
To: =?utf-8?Q?Ond=C5=99ej_Sur=C3=BD?= <ondrej@sury.org>
X-Mailer: Apple Mail (2.1251.1)
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
From: stefan@nopiracy.de (Stefan Esser)

Hello Ond=C5=99ej,

> My personal feeling is that most people see suhosin as "this is about
> security, thus it must be good". This combined with bad PHP security
> history makes everybody feel insecure when suhosin was removed, but
> the real question is if the suhosin is still really helping with PHP
> security or it is just a burden in the general installations now.

considering the fact that you write this email the very same day that a =
remote code execution vulnerability in PHP is found that is easy to =
exploit from remote and is greatly mitigated by the use of Suhosin you =
look pretty stupid. (In case of usage of Suhosin-Extension in default =
config, it is even completely killed).

Just saying.


Regards,
Stefan Esser