User: Password:
|
|
Subscribe / Log in / New account

[PHP-DEV] 5.3.9, Hash DoS, release

From:  Pierre Joye <pierre.php-AT-gmail.com>
To:  PHP internals <internals-AT-lists.php.net>, Johannes Schl├╝ter <johannes-AT-schlueters.de>, Laruence <laruence-AT-php.net>
Subject:  [PHP-DEV] 5.3.9, Hash DoS, release
Date:  Mon, 9 Jan 2012 16:41:51 +0100
Message-ID:  <CAEZPtU44aag3z-oGAx+mF1dvr9qF0ZLpdW3pHFWEe0uwbchMBQ@mail.gmail.com>
Archive-link:  Article

hi,

Moving this discussion here as it makes little to non sense to discuss
that any longer on security@

We are now very late behind an acceptable delay to provide a fix for
the hash DoS, to say it nicely.

I'd strongly suggest to release 5.3.9 (RC5 has been tested now) final
this week using the max_input_vars fix, with the modification from
Laruence (but with a larger limit). Laruence addition also fixes
serialize or json, which are parts that need this fix as well as it is
impossible to valid a string manually (length check only is not enough
or cannot work in all cases).

But 1st of all, the fix addition has to be applied and fully tested.
But if the addition is not desired yet, then we must at least release
5.3.9 with Dmitry's fix only and we can fix json&serialize later,
ideally within 2 weeks max.

Cheers,
-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php




(Log in to post comments)


Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds