Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I'm assuming that's a typo (s/PGP/PHP/).

There isn't such an analysis yet, but I intend to do one in the near future. We have a similar analysis for out-of-box security features of popular open source CMS: https://paragonie.com/blog/2016/08/on-insecurity-popular-ope...

Our security page has some of the audits we've done (at least, the ones we were permitted to publish) as well as our security advisories. https://paragonie.com/security

I'm pretty active in the PHP community and get looped into a lot of pull request discussions (e.g. https://github.com/facebook/php-graph-sdk/pull/552#issuecomm... for Facebook's SDK), but it's possible I've missed a few.



I'm curious why you submit CVEs for development repositories of code that is not supposed to be run in production?

SMF 2.1 for instance is purely development releases that are _not_ supposed to be used in production.

http://www.simplemachines.org/community/index.php?topic=5354...

> As always, keep in mind that Beta Releases are NOT recommended for production sites.

It is just the first time I've ever seen someone create a CVE for what is essentially a do-not-run-this-in-production code branch for an open source project. I'm used to people waiting until at least a Release Candidate version before doing that.


In the case of SMF, the same vulnerabilities were present in the production versions.

Do you have any other instances you'd like to inquire about?


> In the case of SMF, the same vulnerabilities were present in the production versions.

I'm just curious which production version you are talking about now since 2.1.X has 0 of those?

It doesn't really impact me one way or the other, so feel free to ignore me if you prefer. Its just odd.


The vulnerability is also present in the v2.0.x branch.

The development 2.1.x branch (which is what was on Github) had the vulnerability, and that's where I reported it, but it's not only in the new code.

I think maybe you're confused somewhere?




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: