* Reporting security vulnerability
@ 2021-02-25 10:08 Evyatar Gerzi
2021-02-25 10:18 ` Adam Dinwoodie
2021-02-25 11:10 ` Evyatar Gerzi
0 siblings, 2 replies; 5+ messages in thread
From: Evyatar Gerzi @ 2021-02-25 10:08 UTC
To: cygwin
Hello,
I saw that you have a mailing list for bug reporting but the bug that I
found is a security vulnerability, to whom do I need to report it?
I don't know if it is good that it will be "read by many people", but it's
your call.
Thanks,
Eviatar Gerzi
* Re: Reporting security vulnerability
From: Adam Dinwoodie @ 2021-02-25 10:18 UTC
To: Cygwin (cygwin@cygwin.com)
On Thu, 25 Feb 2021 at 10:12, Evyatar Gerzi via Cygwin wrote:
> Hello,
>
> I saw that you have a mailing list for bug reporting but the bug that I
> found is a security vulnerability, to whom do I need to report it?
> I don't know if it is good that it will be "read by many people", but it's
> your call.
Hi Evyatar,
Can you narrow down where the security vulnerability is? Different
parts of Cygwin have different maintainers – each package has its own
maintainer, as well as separate ownership of the core Cygwin DLL and
things like the Cygwin website – and I expect different maintainers
might prefer different approaches.
Adam
* Re: Reporting security vulnerability
From: Evyatar Gerzi @ 2021-02-25 11:10 UTC
To: cygwin
Sorry, I just noticed that Thomas is one of the authors and he is already
familiar with this issue and fixed it.
I will send him a separate mail and ask him if there is also a fix for Cygwin.
Thanks,
Eviatar
* Re: Reporting security vulnerability
From: Evyatar Gerzi @ 2021-02-25 12:57 UTC
To: cygwin
My apologies again, I am not sure to whom I should address the
vulnerability.
Because Thomas fixed it in MinTTY but I don't know who is responsible to
implement it inside Cygwin.
I appreciate your help, thanks,
Eviatar Gerzi
* Re: Reporting security vulnerability
From: Thomas Wolff @ 2021-02-25 13:15 UTC
To: cygwin
On 25.02.2021 at 13:57, Evyatar Gerzi via Cygwin wrote:
> My apologies again, I am not sure to whom I should address the
> vulnerability.
> Because Thomas fixed it in MinTTY but I don't know who is responsible to
> implement it inside Cygwin.
The fix is included in 3.4.6, released as a Cygwin package.
Just not to worry too much, it was a denial-of-service style thing, not
an intrusion vulnerability.
Thomas