This is the mail archive of the cygwin mailing list for the Cygwin project.


Re: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory


[I got this mail via cc; I don't see the original in the mail archives,
which means it probably got eaten by the spam trap for too many raw
email addresses or other heuristics.  I don't maintain cygwin.com, so
I'm only commenting as a side observer here...]

On 01/07/2016 02:59 PM, Stefan Kanthak wrote:

>> If this was your original off-list post, you just violated your own
>> policy since you included cygwin AT cygwin.com which is a public list
>> on the ping, and thereby made the issue public, without waiting 45 days.
> 
> Simply wrong!
> Cygwin doesn't name a security mailbox on
> <https://cygwin.com/problems.html>, <https://cygwin.com/lists.html>
> states
> 
> | cygwin: In general, you should send questions and bug reports here.
> 
> (which I did), and all of <security@cygwin.com>, <security@cygwin.org>
> and <security@sourceware.org> bounce: see
> <http://www.ietf.org/rfc/rfc2142.txt> regarding this well-known role
> account (unfortunately RfC-ignorant.org closed).

Okay, maybe we should consider creating a closed-subscription
non-public-archives security@cygwin.com mailing list (however,
cygwin.org and sourceware.org are not the right domains).  Or at least
update the web page to mention secalert@redhat.com as a reasonable
alternative closed list to contact with potential Cygwin security flaws.
 I'll leave that up to others with actual admin rights on the cygwin.com
box, though.


> Next time: THINK BEFORE YOU POST!

Shouting at people is not the friendliest way to resolve security or
other issues.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
