X-Recipient: archive-cygwin AT delorie DOT com
X-Original-To: cygwin AT cygwin DOT com
Delivered-To: cygwin AT cygwin DOT com
DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 30CC53865C2D
Authentication-Results: sourceware.org;
 dmarc=none (p=none dis=none) header.from=dinwoodie.org
Authentication-Results: sourceware.org;
 spf=pass smtp.mailfrom=adam AT dinwoodie DOT org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=dinwoodie.org; s=google;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :content-transfer-encoding;
 bh=xol6r48YPtRE2hmLFdAunCXbYJyU5DoXFSDu506vnPE=;
 b=P2JKyJUPQ0VAzp8CSR2yKjFpLvHpGWxdAmLTqmVAHCUqyKKmQeqXd7Hgp1mtEK+Uuq
 U1iMLLg8XBs3eAY2ygF+SwwwvkKDBATc5X3OS7I7WFSwFKg+KBwdP55D2laGhqeuqTcJ
 KiQNVeeNMhs0z5uhRdVMFTHRiBY6eI83qHens=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:content-transfer-encoding;
 bh=xol6r48YPtRE2hmLFdAunCXbYJyU5DoXFSDu506vnPE=;
 b=tR+OsuPukmhO7eGeOSvpWn4KCl2CIs1dT7YBrUHBC3echyXa4gKyF94t8Wn6O4TxjZ
 75F/OKoTP2p6HkcDAdYzW+rg1dzoix2Fajpe9A20PzWiQTwTy4tes3xj5r/jzfvbj29S
 Bj4dyQnoTPDmap9ZmLqRfD/wZK9vBmVmNFmPrq3tsvzMRIGSvWRYp0Q2dSTaqLe/nnm/
 LSRZTaDiizmDBSA2ThV/eKQuPlk0D7R7U40mILDha8gpTn9P+Yis0ROV8+fS0j/sc0Bk
 Dmm6RhTtrz/DHy5/Z53RyJGW9Yu3KFqt3IUH10dWGhN5TJD/OASSkJ5vZPLG7H2VI/vJ
 pcqA==
X-Gm-Message-State: AOAM531ikoQezm30NxbjSl6kRbHZsvh1yu67+0D3jxCAQU5rvgcS4IJc
 ToZxKZMFApaXu7qy/PKfRCfaVPTE97JUoKNtnyTVp65lBSw=
X-Google-Smtp-Source: ABdhPJyiVCGHDtth3cfzzMbp8pDB+kFI/jSbKUvhDAKx1jazF0F/3DKVodTjse0isfjgfvDolXRsidO1djFhCq7iEOk=
X-Received: by 2002:a37:6ca:: with SMTP id 193mr1925835qkg.436.1614248332685; 
 Thu, 25 Feb 2021 02:18:52 -0800 (PST)
MIME-Version: 1.0
References: <CAPeYm4iBym4M=ioB+o4DXnu+iF2dvyKZXB3NpipEbMDJ6Ke-VA AT mail DOT gmail DOT com>
In-Reply-To: <CAPeYm4iBym4M=ioB+o4DXnu+iF2dvyKZXB3NpipEbMDJ6Ke-VA@mail.gmail.com>
From: Adam Dinwoodie <adam AT dinwoodie DOT org>
Date: Thu, 25 Feb 2021 10:18:16 +0000
Message-ID: <CA+kUOa==j2r4DA+v+u9Se0N6_3YWgS788Ovs3VbsnUJwLjjCcA@mail.gmail.com>
Subject: Re: Reporting security vulnerability
To: "Cygwin (cygwin AT cygwin DOT com)" <cygwin AT cygwin DOT com>
X-Spam-Status: No, score=-2.4 required=5.0 tests=BAYES_00, DKIM_SIGNED,
 DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,
 SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
 server2.sourceware.org
X-BeenThere: cygwin AT cygwin DOT com
X-Mailman-Version: 2.1.29
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
Content-Type: text/plain; charset="utf-8"
Sender: "Cygwin" <cygwin-bounces AT cygwin DOT com>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by delorie.com id 11PAIvKk032317

On Thu, 25 Feb 2021 at 10:12, Evyatar Gerzi via Cygwin wrote:
> Hello,
>
> I saw that you have a mailing list for bug reporting but the bug that I
> found is a security vulnerability, to whom I need to report it?
> I don't know if it is good that it will be "read by many people", but it's
> your call.

Hi Evyatar,

Can you narrow down where the security vulnerability is? Different
parts of Cygwin have different maintainers – each package has its own
maintainer, as well as separate ownership of the core Cygwin DLL and
things like the Cygwin website – and I expect different maintainers
might prefer different approaches.


Adam
--
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple