This week started the Month of PHP Bugs. The goal of this project is described here. I personally feel the manner in which this is being conducted is irresponsible, just as all the "month of bugs" projects before it have been. I don't understand what is gained by dumping one (or more) vulnerabilities a day onto the public. If the researcher wanted to report a number of security bugs in a full-disclosure manner, it would make more sense to release all of the information at the same time, not as a trickle. By trickling the flaws out over the span of a month, users are kept at the maximum level of risk for the longest possible time, while the project draws as much attention to itself as possible.
Red Hat is following this project as closely as possible with the goal of minimizing the risk to our users. Our PHP maintainer, Joe Orton, is publishing his technical analysis of each flaw in Bugzilla:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=mopb
Security Updates
That's it for this week. We will keep an eye on the Month of PHP Bugs project and deal with the new flaws as appropriate.