Meekro 8 hours ago

I've done PHP development for over 20 years, including some pretty large projects. I've never had a situation where a security flaw in PHP itself forced me to scramble to patch something before it got hacked.

On the other hand, for my Linux servers, I had to do that twice in the last month with CopyFail and DirtyFrag.

diek 5 hours ago

CVE-2021-21703 [0] is a similar class of bug in the PHP interpreter itself that was pretty recent.

https://www.sentinelone.com/vulnerability-database/cve-2021-...

ipaddr 3 hours ago

This is not a PHP language interpreter bug; this is a PHP FPM bug.

diek 2 hours ago

That's a fair point, using 'interpreter' specifically was imprecise language on my part. My main point was php-fpm is developed by the core PHP team and is often the default in how PHP projects deploy these days, and that CVE was very similar to the recent 'fail' LPE vulnerabilities in the kernel.

ggallas 6 hours ago

[dead]