hey all,

a quick introduction: i'm one of the folks maintaining the debian
php4/php5 packages.  we're currently on the cusp of cutting a new stable
release "etch" (funny, i'd *swear* we've been saying that since
december...), which will include the second-to-most-recent releases of
4.4.x and 5.2.x with the security fixes from the most recent releases
backported.

my first question:  do you have a designated person/list for
security-related issues?  it looks like i ended up becoming "point guy" for
tackling the various security issues that come up from time to time, and
it'd be nice if we could establish some lines of communication.
specifically it would be nice to have someone to contact when a new
vulnerability is reported who could point me at the relevant
files/changesets for specific fixes so i don't have to spend an evening
digging through CVS logs :)

as i mentioned, the latest version of php5 in etch includes a bunch of
fixes backported from the 5.2.1 release, but i believe that there are a
good number of the mopb issues that either were not fixed in 5.2.1 or
were fixed but not backported by us.  i'll probably start sending emails
here (or to whoever steps up as a contact point) with questions in the
near future for some of them.  however, most pressing is mopb #44:

http://php-security.org/MOPB/MOPB-44-2007.html

the (long) cast mm bug.  i think i've found the relevant fix, but i
could use a verification from someone here as a quick sanity check:

http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_alloc.c?r1=1.144.2.3.2.27&r2=1.144.2.3.2.28&view=patch

is that it?


thanks,

        sean

ps - as per the list guidelines i'm not digitally signing this email
with my pgp/gpg key.  but if you need it, my keyid is 0x6e76d81d.

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
