Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:76881
Return-Path: <are.you.winning@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 89902 invoked from network); 26 Aug 2014 10:18:00 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 26 Aug 2014 10:18:00 -0000
Authentication-Results: pb1.pair.com smtp.mail=are.you.winning@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=are.you.winning@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.182 as permitted sender)
X-PHP-List-Original-Sender: are.you.winning@gmail.com
X-Host-Fingerprint: 209.85.216.182 mail-qc0-f182.google.com  
Received: from [209.85.216.182] ([209.85.216.182:61881] helo=mail-qc0-f182.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 49/31-16612-7DE5CF35 for <internals@lists.php.net>; Tue, 26 Aug 2014 06:18:00 -0400
Received: by mail-qc0-f182.google.com with SMTP id i8so14929337qcq.41
        for <internals@lists.php.net>; Tue, 26 Aug 2014 03:17:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:date:message-id:subject
         :from:to:cc:content-type;
        bh=cwE4UyZm5nxrKHA3WZVarXZN38wXexDSIXjYQkalWJY=;
        b=LZc1t6MvFYfn5GpRaxTuOFrD47lzX+ABGTEIhRKUr2kw4O6QdetES9LkyGlQc14nFT
         eqZpkBANVC3hsyGF5Tv9xHDPitimvL3gqmxroFeaefUNvaNh+Jscw+ZzEQO0CwrPV5dc
         PPGpEAF58ywi/sEXgC+n9ZY/Bng12BqEsHsXhapT6k6dBcr0CEZL/4BQT8myNKhpHy3d
         lR4cOZ3R3MYNfvgdaY5j3qZjLkkgCuT5jjQ7Pjhh7PYJ6Ah34tujOV7v3ooP34bCxdHm
         XJzeIulQiNGcmefuIAR4BDP2Cb+tDfqK2Dl3P8YJ3nEbOZWBiinC+LULs5+fUejkX988
         k/9g==
MIME-Version: 1.0
X-Received: by 10.140.37.181 with SMTP id r50mr5974932qgr.100.1409048277484;
 Tue, 26 Aug 2014 03:17:57 -0700 (PDT)
Sender: are.you.winning@gmail.com
Received: by 10.141.28.193 with HTTP; Tue, 26 Aug 2014 03:17:57 -0700 (PDT)
In-Reply-To: <53F29345.40607@sugarcrm.com>
References: <53F29345.40607@sugarcrm.com>
Date: Tue, 26 Aug 2014 11:17:57 +0100
X-Google-Sender-Auth: yFhmW9Iw2ekZa8AnNL7dulBbNHA
Message-ID: <CAGAGxbY4utnoC2BHefWenVeK5oT2yToKSsTsh3RHgks_iMHmAA@mail.gmail.com>
To: Stas Malyshev <smalyshev@sugarcrm.com>
Cc: PHP Internals <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] 5.4 security only
From: daverandom@php.net (Chris Wright)

Hi Stas

On 19 August 2014 00:59, Stas Malyshev <smalyshev@sugarcrm.com> wrote:
> Hi!
>
> Moving this out of other topics into its own: according to the release
> RFC, we should have 5.4 have 2 years of bugfixes & one year of security
> fixes. Since 5.4 was released in March 2012, we're already past 2 year
> mark. However, we're still have some bugfixes in 5.4, so I'd like to do
> this:
>
> - 5.4.32 is released as planned this week, nothing changes there.
>
> - 5.4 branch that is to be 5.4.33 will be the last release that has any
> non-security bugfixes. We hope that by the time 5.4.33 is out 5.6.0 is
> out too, so that would play nice with the "two stable branches, one
> security branch" theme. Starting from that release forward, 5.4 would be
> purely security fixes only branch.
>
> - EFFECTIVE IMMEDIATELY, we do not accept new non-security bugfixes into
> 5.4 branch unless they are very important ones (and that is only because
> people may, in theory, have pending patches and we didn't give advance
> notice). Importance would have to be determined somewhat arbitrarily,
> but basically if it works without it, then it's not in, if there's
> serious doubt if it should be in, it's not in, etc. Security issues, of
> course, still allowed in.
>
> This means if somebody has some pending non-security fixes that have to
> be in 5.4, the following two weeks are the last call, provided that the
> fixes really must be in 5.4.
>
> Any objections/suggested modifications to this plan?

A bug has been discovered in SSL-enabled streams, ideally the fix
would go into 5.4.

While the bug touches OpenSSL, it's not a security fix in the
strictest sense, however it is known to cause problems with
non-blocking SSL/TLS-enabled streams in the real world (it's also
theoretically possible, though unlikely, for this to cause issues with
blocking streams).

I have created a trivial patch to fix the bug [1], an explanation of
the nature of the bug and how the fix resolves the problem can be seen
in the commit message and comments in the code. The patch contains no
tests, as it's not possible to reproduce the bug in a reliable manner
due to a dependency on external factors for the bug to appear - things
such as the OS packet scheduler, network latency, MTU may all affect
whether the buggy behaviour occurs.

Does anyone have any objections to this being included in 5.4?

Thanks, Chris

[1] https://github.com/DaveRandom/php-src/commit/d4da5d8c1dae152f7aa5f0dd09b1f29b51f48c89