Handling a Cygwin-specific security vulnerability

public inbox for cygwin-apps@cygwin.com
 help / color / mirror / Atom feed

* Handling a Cygwin-specific security vulnerability
@ 2021-04-22 13:14 Adam Dinwoodie
  2021-04-22 15:32 ` Brian Inglis
  0 siblings, 1 reply; 2+ messages in thread
From: Adam Dinwoodie @ 2021-04-22 13:14 UTC (permalink / raw)
  To: cygwin-apps

Hello maintainers!

I've just been informed off-list that there's a Cygwin-specific
security vulnerability in one of the packages I maintain. I'm
reluctant to go into details on a public list, but I'd also appreciate
some support in the best way to manage this to get patches out without
exposing package users to unnecessary security risk.

I'm already working with the upstream to find an appropriate patch,
and I think I have at least a reasonable handle on best practices for
releasing this sort of patch, but I'd appreciate being able to talk
over the specifics with someone (singular or plural) with more
experience of handling this sort of situation.

Is there any way I can get that sort of support from the maintainer community?

Adam

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: Handling a Cygwin-specific security vulnerability
  2021-04-22 13:14 Handling a Cygwin-specific security vulnerability Adam Dinwoodie
@ 2021-04-22 15:32 ` Brian Inglis
  0 siblings, 0 replies; 2+ messages in thread
From: Brian Inglis @ 2021-04-22 15:32 UTC (permalink / raw)
  To: cygwin-apps

On 2021-04-22 07:14, Adam Dinwoodie wrote:
> I've just been informed off-list that there's a Cygwin-specific
> security vulnerability in one of the packages I maintain. I'm
> reluctant to go into details on a public list, but I'd also appreciate
> some support in the best way to manage this to get patches out without
> exposing package users to unnecessary security risk.
> 
> I'm already working with the upstream to find an appropriate patch,
> and I think I have at least a reasonable handle on best practices for
> releasing this sort of patch, but I'd appreciate being able to talk
> over the specifics with someone (singular or plural) with more
> experience of handling this sort of situation.
> 
> Is there any way I can get that sort of support from the maintainer community?

Might want to repeat this on the cygwin-developers list.

Andrew Schulman recently released a security update to stunnel and has in the 
past, and some of the RedHatters may have experience: CV, YS, EB, JJ.

DM in this case is necessary and likely acceptable.

Avoid any J. Random Hacker who replies as being interested to help.
In general, trust only those whose keys you'd sign with ultimate trust. ;^>

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2021-04-22 15:32 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-22 13:14 Handling a Cygwin-specific security vulnerability Adam Dinwoodie
2021-04-22 15:32 ` Brian Inglis

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).