This is the mail archive of the cygwin mailing list for the Cygwin project.

Re: [PWNED/DOSSED] Cygwin's setup-x86.exe loads and executes rogue DLL from its application directory

[I got this mail via cc; I don't see the original in the mail archives,
which means it probably got eaten by the spam trap for too many raw
email addresses or other heuristics.  I don't maintain, so
I'm only commenting as a side observer here...]

On 01/07/2016 02:59 PM, Stefan Kanthak wrote:

>> If this was your original off-list post, you just violated your own
>> policy since you included cygwin AT which is a public list
>> on the ping, and thereby made the issue public, without waiting 45 days.
> Simply wrong!
> Cygwin doesn't name a security mailbox on
> <>, <>
> states
> | cygwin: In general, you should send questions and bug reports here.
> (which I did), and all of <>, <>
> and <> bounce: see
> <> regarding this well-known role
> account (unfortunately closed).

Okay, maybe we should consider creating a closed-subscription
non-public-archives mailing list (however, and are not the right domains).  Or at least
update the web page to mention as a reasonable
alternative closed list to contact with potential Cygwin security flaws.
 I'll leave that up to others with actual admin rights on the
box, though.


Shouting at people is not the friendliest way to resolve security or
other issues.

Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library

