PGP key for vulnerability reports

Tomasz Wasilczyk twasilczyk at
Mon Nov 25 11:08:04 EST 2013

On 25.11.2013 14:48, Ethan Blanton wrote:
> Tomasz Wasilczyk spake unto us the following wisdom:
>>> The four bugs are:
>>> 1. A bug in libgadu that has probably been fixed by Tomasz by this
>>>     point, although he'll have to verify that, and it might not yet be
>>>     included upstream (I have no idea).
>> I confirm the bug still exists, both in 2.x.y and 3.0.0 branches. A
>> simple patch is attached to this mail.
> OK, that's unfortunate, but it's great that it's patched now!

I've just committed it to private/main repository.

>> This bug is exploitable only by an attacker with the ability to spoof GG
>> service provider domains. Should I keep the non-disclosure procedure
>> for it (committing a patch only to /private/main/), or commit both
>> to public 2.x.y and upstream libgadu repository?
> Even though it requires spoofing the server, I would embargo it.  It's
> still a remote vulnerability.

Fine, I'll commit it upstream just after 2.10.8 release.

