> I wonder what you mean by that - that the PHP group should publish a
> press release "PHP is not secure, please do not use it anymore" or
> what? I see the PHP group is working quite well eliminating the security
> issues. As far as I know, last year there were 7 remotely exploitable
> issues in PHP (which is regrettable but that's the way of life to have
> bugs), and all of them are fixed, IIRC, and within an acceptable
> timeframe (the last can be debatable, but PHP being an open source project
> the only way to fix it is to get more participation from people in
> submitting patches). I know of no remotely exploitable security issue
> that is now in the current PHP version.
> So I wonder what would you like the PHP Group to improve? What would you
> mean by facing reality - what, in your opinion, the reality is and what
> would you have the PHP group do to satisfy you on the facing reality account?
First of all, the PHP group is doing nothing. Neither do they improve PHP's
security nor do they stop well-known PHP license abusers (because they
are friends).
Secondly, security patches are done by Ilia and maybe the Zend stuff by
Dmitry. All the others are doing nothing in the sense of security.

And do I need to remind you about a certain bug in the new super duper
Zend Memory manager that results in a far too small buffer being allocated?

Do I need to post an exploit that uses this bug to exploit, for example,
the SOAP HTTP client from ext/soap? This is a kind of remote exploit
against PHP. And god knows how many other places are vulnerable because
of the new "improved" Zend Memory Manager.

And what about the heap underflow bug in ext/filter... Also not a remote
exploit?

The fact that you do not know about any remote exploit against PHP is
quite irrelevant for reality.

Stefan Esser

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php