Where to report security vulnerabilities in git?

Guido Vranken
List,

I would like to report security vulnerabilities in git. Due to the
sensitive nature of security-impacting bugs I would like to know if
there's a dedicated e-mail address for this, so that the issues at
play can be patched prior to a coordinated public disclosure of the
germane exploitation details. I did find an older thread in the
archive addressing this question (
http://thread.gmane.org/gmane.comp.version-control.git/260328/ ), but
because I'm unsure if those e-mail addresses are still relevant, I'm
asking again.

Thanks.

Guido
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to [hidden email]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Re: Where to report security vulnerabilities in git?

Stefan Beller
The addresses are still valid. (I think there was a plan to introduce
a git-security@...
but I am not sure if that happened.)

> Current practice is to contact Junio C Hamano <gitster <at> pobox.com>.
> Cc-ing Jeff King <peff <at> peff.net> isn't a bad idea while at it.

Just go for that.


On Fri, Aug 21, 2015 at 3:55 PM, Guido Vranken <[hidden email]> wrote:

> List,
>
> I would like to report security vulnerabilities in git. Due to the
> sensitive nature of security-impacting bugs I would like to know if
> there's a dedicated e-mail address for this, so that the issues at
> play can be patched prior to a coordinated public disclosure of the
> germane exploitation details. I did find an older thread in the
> archive addressing this question (
> http://thread.gmane.org/gmane.comp.version-control.git/260328/ ), but
> because I'm unsure if those e-mail addresses are still relevant, I'm
> asking again.
>
> Thanks.
>
> Guido
Re: Where to report security vulnerabilities in git?

Junio C Hamano
In reply to this post by Guido Vranken
On Fri, Aug 21, 2015 at 3:55 PM, Guido Vranken <[hidden email]> wrote:
> germane exploitation details. I did find an older thread in the
> archive addressing this question (
> http://thread.gmane.org/gmane.comp.version-control.git/260328/ ), but
> because I'm unsure if those e-mail addresses are still relevant, I'm
> asking again.

Indeed, that was old advice. Recent releases of "A note from the
maintainer" have this paragraph:

If you think you found a security-sensitive issue and want to disclose
it to us without announcing it to wider public, please contact us at
our security mailing list <[hidden email]>.
Re: Where to report security vulnerabilities in git?

Sitaram Chamarty
In reply to this post by Guido Vranken
On 08/22/2015 04:25 AM, Guido Vranken wrote:

> List,
>
> I would like to report security vulnerabilities in git. Due to the
> sensitive nature of security-impacting bugs I would like to know if
> there's a dedicated e-mail address for this, so that the issues at
> play can be patched prior to a coordinated public disclosure of the
> germane exploitation details. I did find an older thread in the
> archive addressing this question (
> http://thread.gmane.org/gmane.comp.version-control.git/260328/ ), but
> because I'm unsure if those e-mail addresses are still relevant, I'm
> asking again.

If it has anything to do with remote access (via ssh or http) please
copy me also.  I wrote/write/maintain gitolite, which is a reasonably
successful access control system for git servers.

regards
sitaram