Newsgroups: php.internals
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
From: h.reindl@thelounge.net (Reindl Harald)
Date: Mon, 06 Feb 2012 17:22:06 +0100
To: Michael Morris, Mailing-List php
Organization: the lounge interactive design
Message-ID: <4F2FFE2E.4060102@thelounge.net>
References: <4F2CEA7E.9010906@sugarcrm.com> <9684A843-5A7F-43BB-BFC2-86F34E27EC3B@nopiracy.de> <90A22109-8267-4C6F-B35C-0A3612213915@nopiracy.de> <4F2FEE7A.9030309@thelounge.net> <4F2FF2A5.7000906@thelounge.net>

On 06.02.2012 17:10, Michael Morris wrote:
>
> On Mon, Feb 6, 2012 at 10:32 AM, Reindl Harald wrote:
>
>> first: do not top-post if you get a reply below
>>
>> second:
>> in the context of suhosin "when mistakes get made by such a person,
>> they are hidden away rather than honestly reported" is bullshit
>> at its best
>>
>> * look at the disclosure below
>> * look at the author
>> * look at the way it was made
>>
>> if only 10% of developers would work like Stefan most software
>> out there would be much better as it is and was all the last years
>> and if someone has this attitude and knowledge I see no single
>> problem and understand fully that he is frustrated
>> _______________
>>
>> Author: Stefan Esser [stefan.esser[at]sektioneins.de ]
>>
>> Disclosure Timeline:
>> 12. January 2012 - Vulnerability was found during an internal audit
>> 14. January 2012 - Vulnerability was fixed in the source code
>> 19. January 2012 - Public Disclosure
>
> This underscores my fears. Public disclosure was only made once the fix was composed seven days after
> discovery, and that's presuming the stated date of discovery is honest. As it is an "internal" audit, who knows
> other than Stefan? You can take his word. I won't.

if you answer to a list mail, answer to the list and not in private, dammit!

would it have been better to make a full disclosure before having a fix, to help attackers?

if this is your opinion you are a foolish idiot, sorry but no other words for that

this does not even happen if the one who found an exploit notifies the vendor of the software, and especially not if the one who found it IS the vendor and the one who will fix it

you said "when mistakes get made by such a person, they are hidden away rather than honestly reported", which is NOT underscored, because if it were the truth the disclosure from Stefan would not exist and he would only have released a new version with a "fixed some small bugs" comment and not more