Newsgroups: php.internals
From: thruska@cubiclesoft.com (Thomas Hruska)
To: Jakub Zelenka, PHP internals list, Anatol Belski
Date: Tue, 15 Sep 2015 06:03:51 -0700
Message-ID: <55F81737.5030507@cubiclesoft.com>
Subject: Re: [PHP-DEV] Bumping minimal OpenSSL version to 0.9.8

On 9/14/2015 5:03 AM, Jakub Zelenka wrote:
> Hi,
>
> At the moment the minimal OpenSSL version is 0.9.6.
>
> I realised yesterday that there are some type changes between 0.9.7 and
> 0.9.8 that would have to be addressed in overflow checks (EVP_DigestUpdate
> and related). I also noticed that 0.9.6 might not even compile without
> warnings as it's checking return type for some function that did not return
> anything in 0.9.6. We also have a few other old places where we don't check
> retval because of that.
>
> The thing is that the last update for 0.9.7 stable branch is in 2008 and
> 0.9.6 in 2005. Both of them have been long time EOL so I don't think that
> it makes any sense to spend any time on making them compatible for PHP 7.
> So I think we should bump minimal version to 0.9.8.
>
> Anatol would you be ok if this is done for 7.0? I don't think that anyone
> would ever use PHP 7 and such an old version of OpenSSL together so there
> should be no issue IMHO.
>
> Cheers
>
> Jakub

No one should be using anything less than 0.9.8 latest. Allowing anything
less than 0.9.8 should be considered a security vulnerability in PHP.

--
Thomas Hruska
CubicleSoft President

I've got great, time saving software that you will find useful.

http://cubiclesoft.com/