Comments (7)
bukka
commented on May 28, 2024
4
Stas is already looking into it.
from php-src.
dkarlovi
commented on May 28, 2024
3
It seems the correct procedure is what's outlined in this document, PHP foundation or PHP CNA would start a dispute with the CVE owner CNA.
https://www.cve.org/Resources/General/Policies/CVE-Record-Dispute-Policy.pdf
from php-src.
nielsdos
commented on May 28, 2024
None of those CVEs were assigned by the PHP CNA, and so we don't have control over them. One is not even a security issue and is disputed, and the last one also isn't considered a security issue as it would require a user to knowingly trigger an overflow on their own local machine.
from php-src.
dkarlovi
commented on May 28, 2024
@nielsdos the idea is to reach out to somebody who can close them then. This way, PHP is perpetually "on the list" and shows up whenever anyone does a CVE based scan, fixing this is PHP's best interest.
from php-src.
bukka
commented on May 28, 2024
There isn't anything that can be done here about it I'm afraid.
from php-src.
javiereguiluz
commented on May 28, 2024
I agree with @dkarlovi. This (unfairly) hurts PHP project reputation. Maybe Roman (@pronskiy) from the PHP Foundation can look into this and start a dispute over these CVEs (or assign this task to somewhere else in the Foundation?) Thanks!
from php-src.
pronskiy
commented on May 28, 2024
Thank you for bringing this up. Let me check what we can do and get back to you.
from php-src.
Related Issues (20)
- Implement ED25519 auth for mysqlnd HOT 3
- PHP 8.2.19: segfault at 7f377e872428 (sp 00007ffcd580fec0 error 4) HOT 32
- opcache.jit=off does not behave as documented
- Has PHP added support for generics, similar to Java's generics HOT 5
- Can't cross-compile with external libcrypt HOT 1
- ffi enum type (when enum has no name) make memory leak HOT 2
- Can the final PHP code be compiled into binary and run on the server, which is more secure on the server side and less likely to cause code intrusion? Currently, the traditional deployment method is through source code, which is easily exposed and tampered with. We deploy more security. Java like jar packages are not even more secure. HOT 1
- Member access within null pointer in extension spl
- PHP 8 Compile with GD Help needed HOT 1
- Indexing an array with a persistent string triggers an assertion failure during destruction HOT 4
- Seeing seg fault while using zend_disable_functions during shutdown HOT 10
- Preg unicode different results depending on if in character class or separate HOT 1
- Test curl_basic_024 fails with curl 8.8.0 HOT 3
- PHP 8.1.28 curl_exec crash with no error on first request after second request is made (fast F5) HOT 3
- Magic URL param to disable output buffering HOT 7
- Deprecation messages are often not helpful
- `number_format` no longer round properly big float HOT 6
- segmentation fault in spl_perform_autoload HOT 4
- Memory leak in xml and dom HOT 1
- Zero decimals must not affect casting to int precision
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from php-src.