Handling a Cygwin-specific security vulnerability

Brian Inglis Brian.Inglis@SystematicSw.ab.ca
Thu Apr 22 15:32:55 GMT 2021

On 2021-04-22 07:14, Adam Dinwoodie wrote:
> I've just been informed off-list that there's a Cygwin-specific
> security vulnerability in one of the packages I maintain. I'm
> reluctant to go into details on a public list, but I'd also appreciate
> some support in the best way to manage this to get patches out without
> exposing package users to unnecessary security risk.
> I'm already working with the upstream to find an appropriate patch,
> and I think I have at least a reasonable handle on best practices for
> releasing this sort of patch, but I'd appreciate being able to talk
> over the specifics with someone (singular or plural) with more
> experience of handling this sort of situation.
> Is there any way I can get that sort of support from the maintainer community?

Might want to repeat this on the cygwin-developers list.

Andrew Schulman recently released a security update to stunnel and has in the 
past, and some of the RedHatters may have experience: CV, YS, EB, JJ.

DM in this case is necessary and likely acceptable.

Avoid any J. Random Hacker who replies as being interested to help.
In general, trust only those whose keys you'd sign with ultimate trust. ;^>

Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]

More information about the Cygwin-apps mailing list