Newsgroups: php.internals
Subject: RE: [PHP-DEV] bug classification discussion
From: anatol.php@belski.net ("Anatol Belski")
To: "'Nikita Popov'", "'Stanislav Malyshev'"
Cc: "'PHP Internals'", "'Remi Collet'"
Date: Tue, 1 Nov 2016 14:27:28 +0100
Message-ID: <021c01d23443$b312e9a0$1938bce0$@belski.net>
References: <1ae4bea0-d62b-fd61-f6b6-55762e97df6e@gmail.com> <017b01d22dfc$cbead8e0$63c08aa0$@belski.net> <1079b404-e133-685f-9a22-ff7444da04f5@gmail.com>

> -----Original Message-----
> From: Nikita Popov [mailto:nikita.ppv@gmail.com]
> Sent: Tuesday, November 1, 2016 10:32 AM
> To: Stanislav Malyshev
> Cc: Anatol Belski; PHP Internals; Remi Collet
> Subject: Re: [PHP-DEV] bug classification discussion
>
> On Sun, Oct 30, 2016 at 6:21 AM, Stanislav Malyshev wrote:
>
> > Hi!
> >
> > So I wrote a first version of the document Anatol mentioned:
> >
> > https://wiki.php.net/security
> >
> > Please comment. Fixes to the grammar and typos are especially welcome
> > (you can just do them in the wiki without asking :)
> >
>
> It would be nice to add specific examples (e.g. the string overflow case to low).
>
> I'm also wondering under which category unserialize() issues would
> (usually) fall. I'd assume "low" (because it requires documented insecure code
> + a well known class of vulnerabilities).
>

Yet one thing seems to be missing: security issues that only concern an unstable branch. Those can probably be handled as low severity, as any pre-GA branch or master is not for production anyway. Still, they should not be disclosed until fixed, but it should be fine to fix them at any point in time.

Regards

Anatol