Reporting security vulnerability

Thomas Wolff towo@towo.net
Thu Feb 25 13:15:39 GMT 2021


Am 25.02.2021 um 13:57 schrieb Evyatar Gerzi via Cygwin:
> My apologies again, I am not sure to whom I should address the
> vulnerability.
> Because Thomas fixed it in MinTTY but I don't know who is responsible to
> implement it inside Cygwin.
The fix is included in 3.4.6, released as a Cygwin package.
Just not to worry too much, it was a denial-of-service style thing, not 
an intrusion vulnerability.
Thomas

> I appreciate your help, thanks,
>
> Eviatar Gerzi
>
> On Thu, Feb 25, 2021 at 1:10 PM Evyatar Gerzi <evyatar575@gmail.com> wrote:
>
>> Sorry, I just noticed that Thomas is one of the authors and he is already
>> familiar with this issue and fixed it.
>> I will send him separate mail and ask him if there is also a fix for
>> Cygwin.
>>
>> Thanks,
>>
>> Eviatar
>>
>> On Thu, Feb 25, 2021 at 12:08 PM Evyatar Gerzi <evyatar575@gmail.com>
>> wrote:
>>
>>> Hello,
>>>
>>> I saw that you have a mailing list for bug reporting but the bug that I
>>> found is a security vulnerability, to whom I need to report it?
>>> I don't know if it is good that it will be "read by many people", but
>>> it's your call.
>>>
>>> Thanks,
>>>
>>> Eviatar Gerzi
>>>
>>>
> --
> Problem reports:      https://cygwin.com/problems.html
> FAQ:                  https://cygwin.com/faq/
> Documentation:        https://cygwin.com/docs.html
> Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple



More information about the Cygwin mailing list