Philippe Höij
2020-Sep-02 03:43 UTC
Security issue: How to report it privately to the maintainers?
Hi,

There is a security issue in rsync that needs to be disclosed to the team. Similar issues in other tools have CVEs of high severity assigned to them, and rsync has such an issue as well. I would like to enable the rsync maintainers to be aware of, and hopefully to fix, the issue.

I have known of it for about 15 years and assume it has been there more or less from the beginning, but I failed to realize back then that it should have been reported and later disclosed as a CVE, so better late than never. It resurfaced in a discussion with a friend.

I have looked at the homepage, GitHub repo and issues, and bugzilla, and could not find the issue in there. Also, I didn't find how to securely and privately disclose security issues to the team. I would be happy to submit it through the security advisories function on GitHub for discussion if you could enable the function, or provide a different option to share the finding? I am in the process of doing a write-up of the issue to submit to you.

Best regards
Philippe
Wayne Davison
2020-Sep-02 21:54 UTC
Security issue: How to report it privately to the maintainers?
On Tue, Sep 1, 2020 at 8:43 PM Philippe Höij wrote:
> There is a security issue in rsync that needs to be disclosed to the team.

I added a security policy to the repo which indicates that security issues can be emailed to me.

..wayne..