Newsgroups: php.internals
Date: Fri, 26 Sep 2014 13:37:10 +0200
From: tyra3l@gmail.com (Ferenc Kovacs)
To: Peter Lind
Cc: Andrea Faulds, marius adrian popa, PHP Developers Mailing List
Subject: Re: [PHP-DEV] Cases Where Bash Shellshock Does Not Apply (mod_php, php-fpm )

On Fri, Sep 26, 2014 at 12:59 PM, Peter Lind wrote:

> On 26 September 2014 12:48, Andrea Faulds wrote:
>
> > On 26 Sep 2014, at 11:46, marius adrian popa wrote:
> >
> > > Maybe we need an official stance about shellshock
> >
> > Do we? As I understand it, this isn’t a PHP-level vulnerability, and I’m
> > not sure there’s much we can reasonably do about it. Similarly to the
> > Heartbleed bug, control is not in our hands here.
>
> Informing people about the cases where they *might* be at risk when running
> PHP doesn't seem a bad idea. Even though PHP itself is not at fault.

I think we should only communicate when we have something definite to say,
and currently our official stance is that we aren't aware of any problems
related to shellshock, but that doesn't mean that there are none, so I'm not
sure that we have something definite to say.
If we do end up finding something affecting a significant number of users
(even if that requires some misconfiguration or lousy fastcgi wrapper) we
could make an announcement.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu