[nycphp-talk] Upcoming Month of PHP Bugs
michael
lists at genoverly.net
Tue Feb 20 19:05:28 EST 2007
On Tue, 20 Feb 2007 18:59:24 -0500
csnyder <chsnyder at gmail.com> wrote:
> So apparently we're in for a treat in March (as if daylight savings
> time wasn't enough) as Stefan Esser will be publicizing a laundry list
> of active vulnerabilities in PHP, one or more for each day of the
> month.
> http://www.securityfocus.com/columnists/432/
>
> Here's somebody who had been working with the core developers to try
> to get these things fixed, but has been frustrated to the point of
> resorting to a "Month of Bugs" style publicity stunt. If what he says
> is true, about overflows and other bugs being ignored, that's a pretty
> major breakdown in quality control.
>
> I don't know C, and I would have no idea what to look for in doing an
> audit of PHP (the language) itself. But it seems (from Ilia's comments
> anyway) that such an audit is long overdue.
>
> So now I have to wonder, do IBM and Yahoo deploy stock PHP binaries?
> Or do they carry out their own internal audits to discover and patch
> the sloppier parts of the codebase?
>
> --
> Chris Snyder
> http://chxo.com/
Thanks for the heads up, Chris.
It may be a good idea to have a look at his Suhosin patch before the
March Madness.
http://www.hardened-php.net/
--
michael
(this address does not accept public email)