Usually, people with some responsibility in mind won't disclose a bug that might cause a system to be penetrated before the vendor has had enough time to respond to the bug report. If the bug he found might result in every server running PHP being cracked, that's not good. The better course would be for him to contact the PHP security team, which will fix the bug, roll out a new release that does not have the bug, and announce that there is a security bug and that everyone should upgrade; only something like a month afterwards should the author post an advisory about the bug to the world, after people have had the chance to protect themselves.
Of course, it is possible that the bug he found can't do anything to PHP, and in that case, I assume the security@ people will add it to the bugs.php.net database or something like that...

On Thu, 26 Jun 2003, moshe doron wrote:

>
> > limited, so before a check, every segfault *might* have security issues
> > behind...
>
> In the bottom line, there were, there will be, and probably there are such "security
> issues" where the dealing is publicly/
> In contrary, there was in the past a file uploading issue that caused to role pl. Where
> is the difference? The size of the overriding memory?
>
> --
> moshe.
>

--
Best regards,
Shimi

----
"Outlook is a massive flaming horrid blatant security violation, which also happens to be a mail reader."
"Sure UNIX is user friendly; it's just picky about who its friends are."

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php