On Thu, Nov 9, 2017 at 2:25 PM, Nikita Popov <[email protected]> wrote:
>> This is utterly disappointing considering that bug #73535 is marked as
>> private and I couldn't easily gather more information about this bug on
>> google. Since I have the feeling this is an open secret can you disclose
>> more information and proposed patches so that sysadmins can assess by
>> themselves the risks, mitigation techniques, and whether to patch their
>> own installations?
>>
>> I guess the dev team wouldn't leave us with our pants down, so I expect
>> this to be of difficult exploitability. Anyway, after a year it's time for
>> full disclosure, don't you think?
>
>
> So as to avoid unnecessary fearmongering, this refers to a denial-of-service
> vulnerability requiring specific application code. If your code implements a
> certain operation in a specific way, it may be possible to make it go into
> an infinite loop based on remote interaction. Apart from the increased
> server load, this is not dangerous. (Of course, if someone is actively using
> this against you, you'd notice...)
>
Agree with Niki that this isn't going to be commonly exploitable, and
has likely existed for a significant range of versions.  Given that,
I'm going to say it probably won't (by itself) merit pushing back GA
at this stage.  That said, it should be addressed sooner rather than
later as it looks like we're not surfacing good information to
userspace under these circumstances.

-Sara

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php