Through an interview on SecurityFocus, Stefan Esser has just announced his plans for the "Month of PHP Bugs" (MOPB?) during March 2007.
It will be interesting to see what issues he discovers. Hopefully most of them have already been reported to the PHP Security Team, in which case the upcoming 5.2.1 release will provide a resolution path for affected users. Hopefully, unlike the MOAB and MOKB, the reported issues are not going to be infamous 0-day vulnerabilities. If they are, however, which would be unfortunate, I think we'd be looking at a security-fix-only release in April, while releasing patches to address individual issues on a daily basis.
Either way, I have to look at this as a free security audit of PHP by someone with a clue about security, and ultimately, in the long run, it will only make PHP better, even if March is going to be rather busy.
Month of PHP Bugs
An e-mail from Stefan Esser just arrived on the Köln/Bonn PHP UG mailing list:
I'm in again this time too... provided I'm still alive on day 2
of the Month of PHP Bugs
It starts tomorrow; on each day of March, Stefan Esser wants to
Weblog: rumtun blog Tracked: Feb 28, 15:51
Month of PHP Bugs started
Today the Month of PHP Bugs (MOPB) began.
The members of Hardened-PHP (Stefan Esser among others) want to publish security vulnerabilities in PHP every day for a month.
This is not about bugs in PHP applications, but about security vulnerabilities
Weblog: handcode.de :: blog Tracked: Mar 01, 16:29
I fear that the issues will not be disclosed to the PHP dev team in advance. They will probably be fixed by the Suhosin patch so that you could also call it the "Month of Suhosin Promotion" (MOSP). Just speculating, of course.
Except for the fact that he WAS part of the PHP dev team, and he's reported almost all of the 31 issues, many of which have been known for YEARS. His security concerns have been largely ignored by them, which is why he resigned. What else is there to do but start publicly reporting the bugs? I think it's great; it'll pressure the devs into fixing their code like they should've done the first time the bugs were reported.
Hopefully he'll post patches along with the reports.