Newsgroups: php.internals
Subject: Re: [PHP-DEV] Security Diligence
From: Pádraic Brady <padraic.brady@gmail.com>
To: Lester Caine
Cc: internals@lists.php.net
Date: Sat, 8 Feb 2014 17:23:21 +0000
In-Reply-To: <52F65FCD.4060403@lsces.co.uk>

Hi,

On 8 February 2014 16:48, Lester Caine wrote:
> Pádraic Brady wrote:
>>
>> The RFCs do imply some awareness of
>> security and that's largely unavoidable unless each and every RFC
>> needs to be a 1000 page masterwork;).
>
> Since 'security experts' tend not to wait for fixes to be produced before
> publishing exploits all I am looking for in this case is enough help in the
> rfc's to assess if action is required before fixes ARE published!

Good security people will always await fixes before publishing publicly so
long as the wait is not unreasonable for the target sample of cases. That's
the tendency unless you have data to the contrary? I'm pretty sure those
references I provided earlier point at the researchers in each case reporting
to open source projects prior to publishing their research. Obviously,
researchers can't report to every single open and closed source library and
app that exists but they do make a best effort to get the word out.

> And I hope that since these are security fixes that they are pushed back as
> far as PHP5.3 since this is still under support for security fixes? It is
> even more important if the fixes are not being rolled back that the extent
> of the risk is recorded well enough for users to understand the risk?

These are not vulnerabilities within PHP but in userland code. The RFCs will
make it easier for userland code to be secure out of the box, but userland
code should already have such issues patched.

I don't see any reason to backport the RFCs unnecessarily - you can make
arguments for adding anything useful to older versions not just for security.

Paddy

-- 
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative