On 26 September 2014 13:37, Ferenc Kovacs <tyr...@gmail.com> wrote:

> On Fri, Sep 26, 2014 at 12:59 PM, Peter Lind <peter.e.l...@gmail.com> wrote:
>
>> On 26 September 2014 12:48, Andrea Faulds <a...@ajf.me> wrote:
>>
>>> On 26 Sep 2014, at 11:46, marius adrian popa <map...@gmail.com> wrote:
>>>
>>>> Maybe we need an official stance about shellshock
>>>
>>> Do we? As I understand it, this isn't a PHP-level vulnerability, and I'm
>>> not sure there's much we can reasonably do about it. Similarly to the
>>> Heartbleed bug, control is not in our hands here.
>>
>> Informing people about the cases where they *might* be at risk when running
>> PHP doesn't seem a bad idea. Even though PHP itself is not at fault.
>
> I think we should only communicate when we have something definite to say,
> and currently our official stance is that we aren't aware of any problems
> related to shellshock, but that doesn't mean that there are none, so I'm not
> sure that we have something definite to say.
> If we do end up finding something affecting a significant number of users
> (even if that requires some misconfiguration or lousy fastcgi wrapper) we
> could make an announcement.
I think it's worth communicating what Redhat is:
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

As a PHP dev I'd love to be able to find information like that on php.net,
not having to figure out from other sources if it pertains to me or not.

-- 
<hype>
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
</hype>
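The check a PHP deployment would actually want, as an added example that is not part of the thread and not code from php.net or from the Red Hat post: it reproduces the environment-variable probe from the Red Hat post against the shell that PHP's exec()/system()/shell_exec() run commands through (/bin/sh -c ...), shows the path by which a request header reaches that shell's environment, and shows the mitigation that works whether or not bash has been patched. It assumes /bin/sh exists and that the front end is a CGI/FastCGI wrapper which exports request headers as HTTP_* environment variables (php-cgi does; mod_php does not put them in the process environment), which is exactly the "misconfiguration or lousy fastcgi wrapper" case raised above. Function and variable names are this example's own.

```shell
#!/bin/sh
# Added example for this thread, not code from php.net or the Red Hat post.
# Assumptions: /bin/sh exists; env(1) and printf(1) are POSIX; the front end
# exports request headers as HTTP_* environment variables (CGI/FastCGI).

# Probe a shell with a function definition smuggled in an environment
# variable. Prints one of: vulnerable, not-exposed, missing.
# "not-exposed" covers both a patched bash and a shell (dash, busybox sh)
# that never imports functions from the environment at all.
shellshock_status() {
    shell="${1:-/bin/sh}"
    if [ ! -x "$shell" ]; then
        echo missing
        return 0
    fi
    # Payload from the Red Hat post: a function body followed by a trailing
    # command. A vulnerable bash executes the trailing command while importing
    # the variable, before it ever runs -c 'echo probe'.
    out=$(env 'x=() { :;}; echo vulnerable' "$shell" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo not-exposed ;;
    esac
    return 0
}

# What a CGI/FastCGI front end does with a request header: the User-Agent
# becomes HTTP_USER_AGENT in the PHP process environment, and a child started
# through the shell inherits it untouched. The argument stands in for the
# attacker-supplied header (constructed input, not a captured request).
header_reaches_child() {
    HTTP_USER_AGENT="$1" /bin/sh -c 'printf %s "$HTTP_USER_AGENT"'
}

# Mitigation that does not depend on the bash fix being installed: start
# children from an empty environment (env -i) and pass only what they need,
# so request-derived variables never reach the shell. In PHP the equivalent
# is the $env argument of proc_open(); here it is shown in plain sh.
run_with_clean_env() {
    env -i PATH=/usr/bin:/bin /bin/sh -c 'printf %s "${HTTP_USER_AGENT-unset}"'
}

# Report for the shells PHP is likely to use on this host.
printf '/bin/sh: %s\n' "$(shellshock_status /bin/sh)"
if bash_path=$(command -v bash 2>/dev/null); then
    printf '%s: %s\n' "$bash_path" "$(shellshock_status "$bash_path")"
fi
printf 'header seen by child: %s\n' \
    "$(header_reaches_child '() { :;}; echo vulnerable')"
printf 'header after env -i: %s\n' \
    "$(HTTP_USER_AGENT='() { :;}; echo vulnerable' run_with_clean_env)"
```

Run it as the same user PHP runs as, on the same host. A "vulnerable" line for /bin/sh means every system()/exec() call in every script is reachable from any request whose headers the SAPI exports, regardless of how the command string itself is quoted, since the injected code runs before the command is parsed. A "not-exposed" /bin/sh with a "vulnerable" bash still matters wherever a script invokes bash explicitly or a FastCGI wrapper script is itself written in bash.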