On 9 November 2017 at 18:46, Thomas Hruska <thru...@cubiclesoft.com> wrote:
> On 11/9/2017 7:36 AM, Sara Golemon wrote:
>
>> The sixth (and likely final) release candidate for 7.2.0 was just
>> released and can be
>> downloaded from:
>> https://downloads.php.net/~pollita/
>> Or using the git tag: php-7.2.0RC6
>>
>> Barring unforeseen calamity, everyone should expect 7.2.0-final on
>> Thursday, November 30th.
>>
>
> Issue #73535? I consider letting a known security vulnerability that goes
> largely unaddressed but persists into the next major version of a software
> product to be quantifiable as a calamity of sorts. It's fast approaching a
> full year without any resolution in sight. Many people would have zero
> day-ed the issue by this point at whatever conferences have come and gone
> (Black Hat, DEF CON, etc.) to grab some quick notoriety. I don't believe
> that zero day-ing a vulnerability on a stage is the right solution for a
> garden variety of reasons.
>

This is utterly disappointing, considering that bug #73535 is marked as private and I couldn't easily gather more information about this bug on Google. Since I have the feeling this is an open secret, can you disclose more information and proposed patches, so that sysadmins can assess for themselves the risks, mitigation techniques, and whether to patch their own installations? I guess the dev team wouldn't leave us with our pants down, so I expect this to be of difficult exploitability. Anyway, after a year it's time for full disclosure, don't you think?

Kind regards
GG