PHP 7.2.0 RC6 Released

  101113
November 9, 2017 14:36 pollita@php.net (Sara Golemon)
The sixth (and likely final) release candidate for 7.2.0 was just
released and can be
downloaded from:
https://downloads.php.net/~pollita/
Or using the git tag: php-7.2.0RC6

The Windows binaries are available at: http://windows.php.net/qa/

Please test it carefully, and report any bugs in the bug system.
This is our last chance to catch bugs before the final release in three weeks.
Barring unforeseen calamity, everyone should expect 7.2.0-final on
Thursday, November 30th.

As a reminder to internals@, any bug fixes should be committed to the
PHP-7.2 branch as usual, but since we're in the final stretch for
release, you MUST notify Remi and I of fixes you wish us to
cherry-pick onto the 7.2.0 release.

Hash Values and GPG signatures can be found below and at:
https://gist.github.com/sgolemon/f6d308713c286a82f520091fc9dcf445

Thank you, happy testing, and yay 7.2!
-Sara

php-7.2.0RC6.tar.gz
SHA256 hash: ad528a8db319e444ce4ca259dec5afeb9d39287e9a6b214e11397cd985207b1d
PGP signature:
-----BEGIN PGP SIGNATURE-----
iQItBAABCAAXBQJaAaCcEBxwb2xsaXRhQHBocC5uZXQACgkQ29s5dHDRIXIqGhAA
3X55n7ODqp/uPFMpjKgyMtWB7kLVbxthZeai/Dvrsd35j2ZOPd9KNYjWFWV8fNWp
8jYj1LioW+FPpltlREaMxDXE7/cIZITRUX/k6jAfuafacLR5jy4OE5ghwDbyVnJ0
Sf6CA92chvnEEp3XTeS6XkPxJAi1H3zp/9KIGTlpFN5IIeaxqCl62hcc0+ikcYP0
dXm8j8hjqpXuOz2MEVKASmqKPayw27RaUfAE6lI/nuMdva++b7bKQL9tr7Tz+R/J
8Wl995Og5GKRhzTj65Uv/uv3cP5hGBqRYjybWIzA7y+offL+TFe12c2HHjBvAIFv
PtHuky4ZSNbLdarRfmdYs6bUoPx7GMIZDZ6mhGMXqJudh4I5rHt6g/zucZEAJRjk
V+h8J6pd80wNvoO7KtdnowGJtYjWQAwdr5KB0CmYpGrhogEjr62MvCjm2KvsiO+T
HTt4tKIkvjNSYwMApIxkNhxpRazEe6+goELoKACAZMwvLw2LLpV4Sg/BebdzAUFe
7odLVIDLgoG3OYxEMAzKDKTygRlfhGclxtQlRlmoP4u7Z+AruuGUA/L7n18iD093
lu0pksrkPIhQrQLydbNrgJfM54XxWBUCq5v3Ka2vJOzwrM+9ekZopPSkfiBfcAoM
6ptC0H1nNrlu6eF9xu+oDHsTMZL7HJMOABNdKy9TO5o=
=Aq+R
-----END PGP SIGNATURE-----

php-7.2.0RC6.tar.bz2
SHA256 hash: 906a13bafbec40a185208846195f11c8c5f6e8bc5672fd37862e95754b978de3
PGP signature:
-----BEGIN PGP SIGNATURE-----
iQItBAABCAAXBQJaAaCgEBxwb2xsaXRhQHBocC5uZXQACgkQ29s5dHDRIXISIA//
UOzi+RIfEBFNDsVBRhJQhBoM8eQTe8aHL+RstHmDL2tqakBi4HyvjRdRGMIExSyb
JCtx1y9KCPfJtPW4Xl/QTFJIslNhWEHsSFSxRVeozrA7tbpKVicW6xs7jr//EBqB
8SyoWjO+Rzr8Buvu8XvsxVxOmtNDgbssklcYMILIZHkaN1JGYy+u592W83anEGiv
H7Ysj/TY6i5YWsSwQVUV0DnkUJ2VeBBjeBQGSJ+SuQGV2dmrvx+k40O/DEysIF8U
SferVWGkB9NY/nkbxcC0oQRu6Eoh4SGtlUIl9qzPr8/qA6hEfAG3ftfJaQS2qKYv
gTbKniCr31oQeGeULa0zNZsMkvA15wjjoa6P/LFljr7X3OuJ+naCRB/pwlgnAjwL
LtNsxzXEnrTiVoSBU/jdG7acoEPmyixu6budROCs30QUnRYq4cCDUDZwqINkSDyI
rY5NC/O8BVuAiEtFv3alOcUgxmCYsbKDV6fqThSXpdP6aEF35/OgQH7WYp+9eYoE
mHpvWyIeeAGeAGASGoiuf0zftBEXfCrdgE034xr+/a744rYFakY54Wh3D/d26jc8
kaQoDNPws4GZwjkvp6EiFTg/1nhQ36SdhmKxnp3ZlZ96cNUUV0PNUnxsHqZms129
/K9iNMZGBH3pRPiwXoyZbkzLlVQncXp8iKTwaLOI/sk=
=gOX+
-----END PGP SIGNATURE-----

php-7.2.0RC6.tar.xz
SHA256 hash: be4df00ff5b66e9f13c83e1d08d1d5384ae7ccc820e26f7e5f9e660011496a9e
PGP signature:
-----BEGIN PGP SIGNATURE-----
iQItBAABCAAXBQJaAaCgEBxwb2xsaXRhQHBocC5uZXQACgkQ29s5dHDRIXJowxAA
2JpSoiECsGdsKGu1mBGRnKcFj+SsukSQ+VOeO5vysbrpKhBhc6ooJCRAydu+ez6/
rvxqzVQFX/aBOTJq878V+ysMs15kaqJsnUPHmqZ8NAubh3vSnXKsqzGEjherG7ju
t11tZ0lDTMRrM95y0Nrmkgv07UG+JDTBPJF1lVI7b16KezV7bsNKlASwWmIHpsCO
RyJJjCvaDEgm/rWGQBCdRJra1GjA9eoWVxujnpBztTtlwi+vP0e8KRMziXiv4RG7
Maj+0Vyni77x2bvAugpDbTmxQAVPwBYOjhBued19savcO51SnFVNJJPr/2KpQq/4
oOKK2ZHwRn4NBOQb9RK+gcY/KaDg2o1bvYbmUumagAaXjtBN1oRSvLhynVkj850R
Cobvo8+nAgEDJ9cd6TR6Zc9TOoAjA2fxcl4fknGDGnpZfajK5ISqZ0gqvkimeDIl
vsKlXdn0M3WhpdikozUjbHx23F15ug4IMGDvpoWh8aMLzxOsCjSszgNWj3QBObZr
7ujFtQ/8ryD4el34FlSumA0KBpWG6JBdTUp05VO3cmZELKTld9u7MPvdV/QSAVmo
HkdJjYQlY8rqk+DI52JJ84Dlj2cvY2PE46m/pUsKnVhesJ01FH5aG7gbBHSbM7I5
WKj2jbK1Geasw6X0q/ZxTwiNgUlPrlhbJugu7yiZpd0=
=EDtn
-----END PGP SIGNATURE-----
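Checking a downloaded tarball against the SHA256 hashes and detached PGP signatures published above, as an added example that is not part of the announcement or of the PHP project's own tooling. It assumes the tarballs sit in the current directory, that the armoured signature block from the mail has been saved beside each one as `<name>.asc`, and that the release manager's public key has already been imported into the local GnuPG keyring; the hashes are copied from the announcement, and `sha256_of`, `check_sha256`, `check_pgp` and `verify_release` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the announcement): verify release tarballs
# against the SHA256 hashes and detached PGP signatures in the mail.
# Assumes <name>.asc holds the signature block copied from the mail
# and that the signer's public key is already in the local keyring.

# Print the SHA256 digest of a file, using whichever tool is installed
# (coreutils sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 when the file's digest equals the expected hash, 1 otherwise.
# The expected value is lowercased so a copy-pasted uppercase hash matches.
check_sha256() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   sha256 $file"
        return 0
    fi
    echo "FAIL sha256 $file: got $actual, expected $expected" >&2
    return 1
}

# Verify the detached signature <file>.asc over <file>. gpg exits non-zero
# for a bad signature or when the signing key is not in the keyring; a
# zero exit says the signature is valid, not that the key is trusted.
check_pgp() {
    file="$1"
    gpg --verify "$file.asc" "$file" >/dev/null 2>&1
}

# Hashes copied from the announcement; files not present are skipped.
verify_release() {
    status=0
    for entry in \
        "php-7.2.0RC6.tar.gz:ad528a8db319e444ce4ca259dec5afeb9d39287e9a6b214e11397cd985207b1d" \
        "php-7.2.0RC6.tar.bz2:906a13bafbec40a185208846195f11c8c5f6e8bc5672fd37862e95754b978de3" \
        "php-7.2.0RC6.tar.xz:be4df00ff5b66e9f13c83e1d08d1d5384ae7ccc820e26f7e5f9e660011496a9e"
    do
        file=${entry%%:*}
        hash=${entry#*:}
        if [ ! -f "$file" ]; then
            echo "SKIP $file (not downloaded)" >&2
            continue
        fi
        check_sha256 "$file" "$hash" || status=1
        if check_pgp "$file"; then
            echo "OK   pgp    $file"
        else
            echo "FAIL pgp    $file (bad signature or signer key not imported)" >&2
            status=1
        fi
    done
    return $status
}

# Run the checks only when invoked as: sh verify.sh --run
case "${1:-}" in
    --run) verify_release ;;
esac
```

A zero exit from `gpg --verify` means the signature is mathematically valid under some key in your keyring; it says nothing about whether that key belongs to the release manager, so compare the signing key's fingerprint with the one published on php.net before relying on the result. The hash check on its own only proves the download matches what was announced, not who announced it, which is why both checks are run.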
  101114
November 9, 2017 17:46 thruska@cubiclesoft.com (Thomas Hruska)
On 11/9/2017 7:36 AM, Sara Golemon wrote:
> The sixth (and likely final) release candidate for 7.2.0 was just
> released and can be
> downloaded from:
> https://downloads.php.net/~pollita/
> Or using the git tag: php-7.2.0RC6
>
> Barring unforeseen calamity, everyone should expect 7.2.0-final on
> Thursday, November 30th.
Issue #73535? I consider letting a known security vulnerability that goes largely unaddressed but persists into the next major version of a software product to be quantifiable as a calamity of sorts. It's fast approaching a full year without any resolution in sight. Many people would have zero day-ed the issue by this point at whatever conferences have come and gone (Black Hat, DEF CON, etc.) to grab some quick notoriety. I don't believe that zero day-ing a vulnerability on a stage is the right solution for a garden variety of reasons.

Regardless, we can all agree that the ball was seriously dropped here and that there's certainly room for improvement in the release process. Ideally, someone should be specifically assigned to interact with the global team pre-RC1 of any major release where their sole responsibility is to walk through the bugs queue in order to identify and properly triage vulnerabilities in the software that might require a BC-break so that by the time -final happens, the relevant patches are fully tested and ready to go out with the release. I'd wager that #73535 isn't the only reported unpatched vulnerability in the issue tracker.

I still think that there's time to apply a reasonable-ish patch to make it into 7.2 and maybe prepare a similar patch for 7.1 and 5.6. What those patches should be, I don't know. My original suggestion was shot down since I missed/overlooked something. The only options I can think of are a slightly hacky solution or a cleaner solution that requires a BC-break.

--
Thomas Hruska
CubicleSoft President

I've got great, time saving software that you will find useful.
http://cubiclesoft.com/

And once you find my software useful:
http://cubiclesoft.com/donate/
  101115
November 9, 2017 18:07 giovanni@giacobbi.net (Giovanni Giacobbi)
On 9 November 2017 at 18:46, Thomas Hruska <thruska@cubiclesoft.com> wrote:

> On 11/9/2017 7:36 AM, Sara Golemon wrote:
>
>> The sixth (and likely final) release candidate for 7.2.0 was just
>> released and can be
>> downloaded from:
>> https://downloads.php.net/~pollita/
>> Or using the git tag: php-7.2.0RC6
>>
>> Barring unforeseen calamity, everyone should expect 7.2.0-final on
>> Thursday, November 30th.
>>
>
> Issue #73535? I consider letting a known security vulnerability that goes
> largely unaddressed but persists into the next major version of a software
> product to be quantifiable as a calamity of sorts. It's fast approaching a
> full year without any resolution in sight. Many people would have zero
> day-ed the issue by this point at whatever conferences have come and gone
> (Black Hat, DEF CON, etc.) to grab some quick notoriety. I don't believe
> that zero day-ing a vulnerability on a stage is the right solution for a
> garden variety of reasons.

This is utterly disappointing considering that bug #73535 is marked as
private and I couldn't easily gather more information about this bug on
google. Since I have the feeling this is an open secret can you disclose
more information and proposed patches so that sysadmins can assess by
themselves the risks, mitigation techniques, and whether to patch their own
installations?

I guess the dev team wouldn't leave us with our pants down, so I expect
this to be of difficult exploitability. Anyway, after a year it's time for
full disclosure, don't you think?

Kind regards
GG
  101116
November 9, 2017 19:25 nikita.ppv@gmail.com (Nikita Popov)
On Thu, Nov 9, 2017 at 7:07 PM, Giovanni Giacobbi <giovanni@giacobbi.net>
wrote:

> On 9 November 2017 at 18:46, Thomas Hruska <thruska@cubiclesoft.com>
> wrote:
>
> > On 11/9/2017 7:36 AM, Sara Golemon wrote:
> >
> >> The sixth (and likely final) release candidate for 7.2.0 was just
> >> released and can be
> >> downloaded from:
> >> https://downloads.php.net/~pollita/
> >> Or using the git tag: php-7.2.0RC6
> >>
> >> Barring unforeseen calamity, everyone should expect 7.2.0-final on
> >> Thursday, November 30th.
> >>
> >
> > Issue #73535? I consider letting a known security vulnerability that goes
> > largely unaddressed but persists into the next major version of a software
> > product to be quantifiable as a calamity of sorts. It's fast approaching a
> > full year without any resolution in sight. Many people would have zero
> > day-ed the issue by this point at whatever conferences have come and gone
> > (Black Hat, DEF CON, etc.) to grab some quick notoriety. I don't believe
> > that zero day-ing a vulnerability on a stage is the right solution for a
> > garden variety of reasons.
> >
>
> This is utterly disappointing considering that bug #73535 is marked as
> private and I couldn't easily gather more information about this bug on
> google. Since I have the feeling this is an open secret can you disclose
> more information and proposed patches so that sysadmins can assess by
> themselves the risks, mitigation techniques, and whether to patch their own
> installations?
>
> I guess the dev team wouldn't leave us with our pants down, so I expect
> this to be of difficult exploitability. Anyway, after a year it's time for
> full disclosure, don't you think?

So as to avoid unnecessary fearmongering, this refers to a denial-of-service
vulnerability requiring specific application code. If your code implements a
certain operation in a specific way, it may be possible to make it go into
an infinite loop based on remote interaction. Apart from the increased
server load, this is not dangerous. (Of course, if someone is actively using
this against you, you'd notice...)

Nikita
  101117
November 9, 2017 21:50 pollita@php.net (Sara Golemon)
On Thu, Nov 9, 2017 at 2:25 PM, Nikita Popov <nikita.ppv@gmail.com> wrote:
>> This is utterly disappointing considering that bug #73535 is marked as
>> private and I couldn't easily gather more information about this bug on
>> google. Since I have the feeling this is an open secret can you disclose
>> more information and proposed patches so that sysadmins can assess by
>> themselves the risks, mitigation techniques, and whether to patch their
>> own
>> installations?
>>
>> I guess the dev team wouldn't leave us with our pants down, so I expect
>> this to be of difficult exploitability. Anyway, after a year it's time for
>> full disclosure, don't you think?
>
>
> So as to avoid unnecessary fearmongering, this refers to a denial-of-service
> vulnerability requiring specific application code. If your code implements a
> certain operation in a specific way, it may be possible to make it go into
> an infinite loop based on remote interaction. Apart from the increased
> server load, this is not dangerous. (Of course, if someone is actively using
> this against you, you'd notice...)
>

Agree with Niki that this isn't going to be commonly exploitable, and
has likely existed for a significant range of versions. Given that, I'm
going to say it probably won't (by itself) merit pushing back GA at this
stage.

That said, it should be addressed sooner rather than later as it looks
like we're not surfacing good information to userspace under these
circumstances.

-Sara
  101120
November 10, 2017 20:50 dzuelke@salesforce.com (David Zuelke)
Is it really going to be Nov 30, or Nov 23?

On Thu, Nov 9, 2017 at 2:36 PM, Sara Golemon <pollita@php.net> wrote:
> The sixth (and likely final) release candidate for 7.2.0 was just
> released and can be
> downloaded from:
> https://downloads.php.net/~pollita/
> Or using the git tag: php-7.2.0RC6
>
> The Windows binaries are available at: http://windows.php.net/qa/
>
> Please test it carefully, and report any bugs in the bug system.
> This is our last chance to catch bugs before the final release in three weeks.
> Barring unforeseen calamity, everyone should expect 7.2.0-final on
> Thursday, November 30th.
>
> As a reminder to internals@, any bug fixes should be committed to the
> PHP-7.2 branch as usual, but since we're in the final stretch for
> release, you MUST notify Remi and I of fixes you wish us to
> cherry-pick onto the 7.2.0 release.
>
> Hash Values and GPG signatures can be found below and at:
> https://gist.github.com/sgolemon/f6d308713c286a82f520091fc9dcf445
>
> Thank you, happy testing, and yay 7.2!
> -Sara
>
> php-7.2.0RC6.tar.gz
> SHA256 hash: ad528a8db319e444ce4ca259dec5afeb9d39287e9a6b214e11397cd985207b1d
> PGP signature:
> -----BEGIN PGP SIGNATURE-----
> iQItBAABCAAXBQJaAaCcEBxwb2xsaXRhQHBocC5uZXQACgkQ29s5dHDRIXIqGhAA
> 3X55n7ODqp/uPFMpjKgyMtWB7kLVbxthZeai/Dvrsd35j2ZOPd9KNYjWFWV8fNWp
> 8jYj1LioW+FPpltlREaMxDXE7/cIZITRUX/k6jAfuafacLR5jy4OE5ghwDbyVnJ0
> Sf6CA92chvnEEp3XTeS6XkPxJAi1H3zp/9KIGTlpFN5IIeaxqCl62hcc0+ikcYP0
> dXm8j8hjqpXuOz2MEVKASmqKPayw27RaUfAE6lI/nuMdva++b7bKQL9tr7Tz+R/J
> 8Wl995Og5GKRhzTj65Uv/uv3cP5hGBqRYjybWIzA7y+offL+TFe12c2HHjBvAIFv
> PtHuky4ZSNbLdarRfmdYs6bUoPx7GMIZDZ6mhGMXqJudh4I5rHt6g/zucZEAJRjk
> V+h8J6pd80wNvoO7KtdnowGJtYjWQAwdr5KB0CmYpGrhogEjr62MvCjm2KvsiO+T
> HTt4tKIkvjNSYwMApIxkNhxpRazEe6+goELoKACAZMwvLw2LLpV4Sg/BebdzAUFe
> 7odLVIDLgoG3OYxEMAzKDKTygRlfhGclxtQlRlmoP4u7Z+AruuGUA/L7n18iD093
> lu0pksrkPIhQrQLydbNrgJfM54XxWBUCq5v3Ka2vJOzwrM+9ekZopPSkfiBfcAoM
> 6ptC0H1nNrlu6eF9xu+oDHsTMZL7HJMOABNdKy9TO5o=
> =Aq+R
> -----END PGP SIGNATURE-----
>
> php-7.2.0RC6.tar.bz2
> SHA256 hash: 906a13bafbec40a185208846195f11c8c5f6e8bc5672fd37862e95754b978de3
> PGP signature:
> -----BEGIN PGP SIGNATURE-----
> iQItBAABCAAXBQJaAaCgEBxwb2xsaXRhQHBocC5uZXQACgkQ29s5dHDRIXISIA//
> UOzi+RIfEBFNDsVBRhJQhBoM8eQTe8aHL+RstHmDL2tqakBi4HyvjRdRGMIExSyb
> JCtx1y9KCPfJtPW4Xl/QTFJIslNhWEHsSFSxRVeozrA7tbpKVicW6xs7jr//EBqB
> 8SyoWjO+Rzr8Buvu8XvsxVxOmtNDgbssklcYMILIZHkaN1JGYy+u592W83anEGiv
> H7Ysj/TY6i5YWsSwQVUV0DnkUJ2VeBBjeBQGSJ+SuQGV2dmrvx+k40O/DEysIF8U
> SferVWGkB9NY/nkbxcC0oQRu6Eoh4SGtlUIl9qzPr8/qA6hEfAG3ftfJaQS2qKYv
> gTbKniCr31oQeGeULa0zNZsMkvA15wjjoa6P/LFljr7X3OuJ+naCRB/pwlgnAjwL
> LtNsxzXEnrTiVoSBU/jdG7acoEPmyixu6budROCs30QUnRYq4cCDUDZwqINkSDyI
> rY5NC/O8BVuAiEtFv3alOcUgxmCYsbKDV6fqThSXpdP6aEF35/OgQH7WYp+9eYoE
> mHpvWyIeeAGeAGASGoiuf0zftBEXfCrdgE034xr+/a744rYFakY54Wh3D/d26jc8
> kaQoDNPws4GZwjkvp6EiFTg/1nhQ36SdhmKxnp3ZlZ96cNUUV0PNUnxsHqZms129
> /K9iNMZGBH3pRPiwXoyZbkzLlVQncXp8iKTwaLOI/sk=
> =gOX+
> -----END PGP SIGNATURE-----
>
> php-7.2.0RC6.tar.xz
> SHA256 hash: be4df00ff5b66e9f13c83e1d08d1d5384ae7ccc820e26f7e5f9e660011496a9e
> PGP signature:
> -----BEGIN PGP SIGNATURE-----
> iQItBAABCAAXBQJaAaCgEBxwb2xsaXRhQHBocC5uZXQACgkQ29s5dHDRIXJowxAA
> 2JpSoiECsGdsKGu1mBGRnKcFj+SsukSQ+VOeO5vysbrpKhBhc6ooJCRAydu+ez6/
> rvxqzVQFX/aBOTJq878V+ysMs15kaqJsnUPHmqZ8NAubh3vSnXKsqzGEjherG7ju
> t11tZ0lDTMRrM95y0Nrmkgv07UG+JDTBPJF1lVI7b16KezV7bsNKlASwWmIHpsCO
> RyJJjCvaDEgm/rWGQBCdRJra1GjA9eoWVxujnpBztTtlwi+vP0e8KRMziXiv4RG7
> Maj+0Vyni77x2bvAugpDbTmxQAVPwBYOjhBued19savcO51SnFVNJJPr/2KpQq/4
> oOKK2ZHwRn4NBOQb9RK+gcY/KaDg2o1bvYbmUumagAaXjtBN1oRSvLhynVkj850R
> Cobvo8+nAgEDJ9cd6TR6Zc9TOoAjA2fxcl4fknGDGnpZfajK5ISqZ0gqvkimeDIl
> vsKlXdn0M3WhpdikozUjbHx23F15ug4IMGDvpoWh8aMLzxOsCjSszgNWj3QBObZr
> 7ujFtQ/8ryD4el34FlSumA0KBpWG6JBdTUp05VO3cmZELKTld9u7MPvdV/QSAVmo
> HkdJjYQlY8rqk+DI52JJ84Dlj2cvY2PE46m/pUsKnVhesJ01FH5aG7gbBHSbM7I5
> WKj2jbK1Geasw6X0q/ZxTwiNgUlPrlhbJugu7yiZpd0=
> =EDtn
> -----END PGP SIGNATURE-----
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>