Re: [PHP-DEV] 5.3.9, Hash DoS, release

2012-01-09 Thread Stefan Esser
Hello Pierre, > Not really the same, but yes. While the reasons you did it were not the > same. Also the length check is not related or cannot be used for this > fix. But nice self-promotion ;-) Considering the fact that the HashDOS problem was originally discussed in a paper 2003, someone discus

Re: [PHP-DEV] 5.3.9, Hash DoS, release

2012-01-09 Thread Pierre Joye
On Mon, Jan 9, 2012 at 5:34 PM, Stefan Esser wrote: > Of course I am biased, because suhosin is one of the affected extensions. But > that said suhosin has had a limit similar to max_input_vars for 7 years now. Not really the same, but yes. While the reasons you did it were not the same. Also the le

Re: [PHP-DEV] 5.3.9, Hash DoS, release

2012-01-09 Thread Pierre Joye
On Mon, Jan 9, 2012 at 5:18 PM, Stefan Esser wrote: > Dear Pierre and others, > >> I'd strongly suggest to release 5.3.9 (RC5 has been tested now) final >> this week using the max_input_vars fix, with the modification from >> Laruence (but with a larger limit). Laruence's addition also fixes >> seri

Re: [PHP-DEV] 5.3.9, Hash DoS, release

2012-01-09 Thread Stefan Esser
Hey, > I think you accidentally sent this to me, not to the list ;) By the > way, I think you and Pierre are talking about different patches. We do > know that the hash size randomization will not work. Pierre is > referring to another patch that extends max_input_vars to > unserialize() and json

Re: [PHP-DEV] 5.3.9, Hash DoS, release

2012-01-09 Thread Stefan Esser
Dear Pierre and others, > I'd strongly suggest to release 5.3.9 (RC5 has been tested now) final > this week using the max_input_vars fix, with the modification from > Laruence (but with a larger limit). Laruence's addition also fixes > serialize or json, which are parts that need this fix as well as

Re: [PHP-DEV] 5.3.9, Hash DoS, release

2012-01-09 Thread Nikita Popov
On Mon, Jan 9, 2012 at 4:41 PM, Pierre Joye wrote: > hi, > > Moving this discussion here as it makes little to no sense to discuss > that any longer on security@ > > We are now very late behind an acceptable delay to provide a fix for > the hash DoS, to say it nicely. > > I'd strongly suggest to

[PHP-DEV] 5.3.9, Hash DoS, release

2012-01-09 Thread Pierre Joye
hi, Moving this discussion here as it makes little to no sense to discuss that any longer on security@ We are now very late behind an acceptable delay to provide a fix for the hash DoS, to say it nicely. I'd strongly suggest to release 5.3.9 (RC5 has been tested now) final this week using the m