> -----Original Message-----
> From: Nikita Popov [mailto:nikita....@gmail.com]
> Sent: Tuesday, November 1, 2016 10:32 AM
> To: Stanislav Malyshev <smalys...@gmail.com>
> Cc: Anatol Belski <anatol....@belski.net>; PHP Internals
> <internals@lists.php.net>; Remi Collet <r...@fedoraproject.org>
> Subject: Re: [PHP-DEV] bug classification discussion
> 
> On Sun, Oct 30, 2016 at 6:21 AM, Stanislav Malyshev <smalys...@gmail.com>
> wrote:
> 
> > Hi!
> >
> > So I wrote a first version of the document Anatol mentioned:
> >
> > https://wiki.php.net/security
> >
> > Please comment. Fixes to the grammar and typos are especially welcome
> > (you can just do them in the wiki without asking :)
> >
> 
> It would be nice to add specific examples (e.g. the string overflow case to 
> low).
> 
> I'm also wondering under which category unserialize() issues would
> (usually) fall. I'd assume "low" (because requires documented insecure code
> + well known class of vulnerabilities).
> 
Yet one thing seems to be missing: a security issue that only concerns an 
unstable branch. Those can probably be handled as low severity, as any pre-GA 
build or master is not for production anyway. Still, they should not be disclosed 
until fixed, but it should be fine to fix them at any point in time.

Regards

Anatol


--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
