PGP key for vulnerability reports
twasilczyk at pidgin.im
Mon Nov 25 11:08:04 EST 2013
On 25.11.2013 14:48, Ethan Blanton wrote:
> Tomasz Wasilczyk spake unto us the following wisdom:
>>> The four bugs are:
>>> 1. A bug in libgadu that has probably been fixed by Tomasz by this
>>> point, although he'll have to verify that, and it might not yet be
>>> included upstream (I have no idea).
>> I confirm the bug still exists, both in 2.x.y and 3.0.0 branches. A
>> simple patch is attached to this mail.
> OK, that's unfortunate, but it's great that it's patched now!
I've just committed it to the private/main repository.
>> This bug is exploitable only by an attacker with the ability to spoof GG
>> service provider domains. Should I keep the non-disclosure procedure
>> for it (committing a patch only to /private/main/), or commit both
>> to public 2.x.y and the upstream libgadu repository?
> Even though it requires spoofing the server, I would embargo it. It's
> still a remote vulnerability.
Fine, I'll commit it upstream just after 2.10.8 release.