Subject: Re: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory
To: Stefan Kanthak <stefan.kanthak@nexgo.de>
References: <EF7B6182B7C54BBAA5083C40EF14529D@W340> <568EA2DC.3020900@redhat.com> <34A2D15A19D247B4A46A173C41C73094@W340>
Cc: cygwin@cygwin.com
From: Eric Blake <eblake@redhat.com>
Message-ID: <56903672.7020307@redhat.com>
Date: Fri, 8 Jan 2016 15:21:38 -0700

[I got this mail via cc; I don't see the original in the mail archives,
which means it probably got eaten by the spam trap for too many raw
email addresses or other heuristics.  I don't maintain cygwin.com, so
I'm only commenting as a side observer here...]

On 01/07/2016 02:59 PM, Stefan Kanthak wrote:

>> If this was your original off-list post, you just violated your own
>> policy since you included cygwin AT cygwin.com which is a public list
>> on the ping, and thereby made the issue public, without waiting 45 days.
>
> Simply wrong!
> Cygwin doesn't name a security mailbox on
> <https://cygwin.com/problems.html>, <https://cygwin.com/lists.html>
> states
>
> | cygwin: In general, you should send questions and bug reports here.
>
> (which I did), and all of <security@cygwin.com>, <security@cygwin.org>
> and <security@sourceware.org> bounce: see
> <http://www.ietf.org/rfc/rfc2142.txt> regarding this well-known role
> account (unfortunately RfC-ignorant.org closed).

Okay, maybe we should consider creating a closed-subscription
non-public-archives security@cygwin.com mailing list (however,
cygwin.org and sourceware.org are not the right domains).  Or at least
update the web page to mention secalert@redhat.com as a reasonable
alternative closed list to contact with potential Cygwin security flaws.
I'll leave that up to others with actual admin rights on the cygwin.com
box, though.


> Next time: THINK BEFORE YOU POST!

Shouting at people is not the friendliest way to resolve security or
other issues.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
