Newsgroups: php.internals
Xref: news.php.net php.internals:77664
Date: Fri, 26 Sep 2014 13:41:26 +0200
References: <44AEFF63-5705-44F1-98E6-1958CA0BB95D@ajf.me>
Subject: Re: [PHP-DEV] Cases Where Bash Shellshock Does Not Apply (mod_php, php-fpm)
From: Peter Lind <peter.e.lind@gmail.com>
To: Ferenc Kovacs
Cc: Andrea Faulds, marius adrian popa, PHP Developers Mailing List

On 26 September 2014 13:37, Ferenc Kovacs wrote:

> On Fri, Sep 26, 2014 at 12:59 PM, Peter Lind wrote:
>
>> On 26 September 2014 12:48, Andrea Faulds wrote:
>>
>> > On 26 Sep 2014, at 11:46, marius adrian popa wrote:
>> >
>> > > Maybe we need an official stance about shellshock
>> >
>> > Do we? As I understand it, this isn't a PHP-level vulnerability, and I'm
>> > not sure there's much we can reasonably do about it. Similarly to the
>> > Heartbleed bug, control is not in our hands here.
>>
>> Informing people about the cases where they *might* be at risk when running
>> PHP doesn't seem a bad idea. Even though PHP itself is not at fault.
>
> I think we should only communicate when we have something definite to say,
> and currently our official stance is that we aren't aware of any problems
> related to shellshock, but that doesn't mean that there are none, so I'm not
> sure that we have something definite to say.
> If we do end up finding something affecting a significant amount of users
> (even if that requires some misconfiguration or lousy fastcgi wrapper) we
> could make an announcement.

I think it's worth communicating what Redhat is:
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

As a PHP dev I'd love to be able to find information like that on php.net,
not having to figure out from other sources if it pertains to me or not.
-- 
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
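Added example, not part of the thread above and not code from the PHP project: a small POSIX sh triage script for the question being argued here, namely whether Shellshock (CVE-2014-6271, the bash environment-variable function-import bug described in the Red Hat post Peter links) pertains to a given PHP host. The reasoning it encodes is an assumption of mine, not a statement from the thread: PHP's system(), exec(), shell_exec(), passthru() and backticks hand their command to "/bin/sh -c", so exposure needs (1) /bin/sh (or an explicitly invoked bash) to be an unpatched bash and (2) an attacker-controlled string to be in the environment when it starts, for instance via putenv() on request data, or a CGI/FastCGI wrapper script that exports request headers. The probe string is the widely published public test for the bug; the paths /bin/sh and the function names are my own choices, and the PHP pattern "putenv(...); system(...)" is only modelled, not executed, since this runs without PHP.

```shell
#!/bin/sh
# Added example: Shellshock triage for a PHP host. Assumes PHP shells out via
# "/bin/sh -c" (true for system()/exec()/shell_exec()/passthru()/backticks).

# Print the binary that /bin/sh resolves to (dash on Debian/Ubuntu, bash on
# RHEL/CentOS). Fall back to /bin/sh itself where readlink -f is unavailable.
resolve_sh() {
    readlink -f /bin/sh 2>/dev/null || echo /bin/sh
}

# The CVE-2014-6271 probe: an unpatched bash imports the function definition
# held in the variable AND executes the command that follows its closing brace.
# Print "vulnerable", "patched" or "absent"; exit status 0 only when vulnerable.
shellshock_probe() {
    shell_bin="$1"
    if [ ! -x "$shell_bin" ]; then
        echo absent
        return 2
    fi
    out=$(env 'x=() { :;}; echo SHELLSHOCKED' "$shell_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCKED*) echo vulnerable; return 0 ;;
        *)              echo patched;    return 1 ;;
    esac
}

# Model of the risky PHP pattern  putenv("TAINTED=" . $_GET['q']); system('id');
# The request-derived value is exported unchanged into the child's environment,
# so a vulnerable bash would run whatever follows "() { :;};" in it. On a
# patched shell (or dash) it is an ordinary string and only the child's own
# marker is printed.
spawn_with_tainted_env() {
    tainted="$1"
    TAINTED="$tainted" "$(resolve_sh)" -c 'echo child-ran'
}

# One-line verdict combining what /bin/sh really is with the probe results for
# both /bin/sh and any bash on PATH (scripts may call bash explicitly).
triage() {
    sh_bin=$(resolve_sh)
    bash_bin=$(command -v bash 2>/dev/null || echo /nonexistent)
    sh_state=$(shellshock_probe "$sh_bin")
    bash_state=$(shellshock_probe "$bash_bin")
    echo "/bin/sh=$sh_bin sh=$sh_state bash=$bash_state"
}

triage
```

If triage reports "patched" for both shells, Shellshock cannot reach PHP through a spawned shell on that host no matter what putenv() or a wrapper exports; if it reports "vulnerable" for /bin/sh, any PHP code path that places request data in the environment before shelling out is exploitable, regardless of whether PHP runs as mod_php, php-fpm or CGI.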