NYCPHP Meetup

NYPHP.org

[nycphp-talk] Upcoming Month of PHP Bugs

csnyder chsnyder at gmail.com
Tue Feb 20 18:59:24 EST 2007


So apparently we're in for a treat in March (as if daylight savings
time wasn't enough) as Stefan Esser will be publicizing a laundry list
of active vulnerabilities in PHP, one or more for each day of the
month.
http://www.securityfocus.com/columnists/432/

Here's somebody who had been working with the core developers to try
to get these things fixed, but has been frustrated to the point of
resorting to a "Month of Bugs" style publicity stunt. If what he says
is true, about overflows and other bugs being ignored, that's a pretty
major breakdown in quality control.

I don't know C, and I would have no idea what to look for in doing an
audit of PHP (the language) itself. But it seems (from Ilia's comments
anyway) that such an audit is long overdue.

So now I have to wonder, do IBM and Yahoo deploy stock PHP binaries?
Or do they carry out their own internal audits to discover and patch
the sloppier parts of the codebase?

-- 
Chris Snyder
http://chxo.com/



More information about the talk mailing list