Description
I think it is worth having a discussion on what constitutes a security vulnerability in PHP.
It has been said countless times, when reporting vulnerabilities in php-src which can lead to compromising the entire server, that PHP does not consider specially crafted PHP that requires either an upload or eval() and cannot be generically triggered to be a vulnerability.
Yet this got a CVE, which I assume was requested by the PHP team?
GHSA-h96m-rvf9-jgm2
Yet https://ssd-disclosure.com/ssd-advisory-extract-double-free5-x-use-after-free7-x-8-x/
never had a CVE requested by the PHP team, even though it has public exploits available that can compromise the security of an entire server.
I think some clarification is needed on when/why some bugs are "vulnerabilities" which get a CVE requested while others are not.
Wrong section - I do not care.
PHP Version
Operating System
ALL