From: Brian Inglis
Organization: Systematic Software
To: cygwin-apps@cygwin.com
Subject: Re: Handling a Cygwin-specific security vulnerability
Date: Thu, 22 Apr 2021 09:32:55 -0600
Message-ID: <30809218-d5f1-ac2b-0a27-2b9ff257acd1@SystematicSw.ab.ca>
On 2021-04-22 07:14, Adam Dinwoodie wrote:
> I've just been informed off-list that there's a Cygwin-specific
> security vulnerability in one of the packages I maintain. I'm
> reluctant to go into details on a public list, but I'd also appreciate
> some support in the best way to manage this to get patches out without
> exposing package users to unnecessary security risk.
>
> I'm already working with the upstream to find an appropriate patch,
> and I think I have at least a reasonable handle on best practices for
> releasing this sort of patch, but I'd appreciate being able to talk
> over the specifics with someone (singular or plural) with more
> experience of handling this sort of situation.
>
> Is there any way I can get that sort of support from the maintainer community?

Might want to repeat this on the cygwin-developers list.

Andrew Schulman recently released a security update to stunnel and has in the past, and some of the RedHatters may have experience: CV, YS, EB, JJ.

DM in this case is necessary and likely acceptable.
Avoid any J. Random Hacker who replies as being interested to help.
In general, trust only those whose keys you'd sign with ultimate trust. ;^>

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains too much technical detail.
Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]