* Where to report security vulnerabilities in git?
@ 2015-08-21 22:55 Guido Vranken
  2015-08-22  0:02 ` Stefan Beller
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Guido Vranken @ 2015-08-21 22:55 UTC (permalink / raw)
  To: git

List,

I would like to report security vulnerabilities in git. Due to the
sensitive nature of security-impacting bugs I would like to know if
there's a dedicated e-mail address for this, so that the issues at
play can be patched prior to a coordinated public disclosure of the
germane exploitation details. I did find an older thread in the
archive addressing this question (
http://thread.gmane.org/gmane.comp.version-control.git/260328/ ), but
because I'm unsure if those e-mail addresses are still relevant, I'm
asking again.

Thanks.

Guido


* Re: Where to report security vulnerabilities in git?
  2015-08-21 22:55 Where to report security vulnerabilities in git? Guido Vranken
@ 2015-08-22  0:02 ` Stefan Beller
  2015-08-22  0:16 ` Junio C Hamano
  2015-08-24  4:13 ` Sitaram Chamarty
  2 siblings, 0 replies; 4+ messages in thread
From: Stefan Beller @ 2015-08-22  0:02 UTC (permalink / raw)
  To: Guido Vranken; +Cc: git

The addresses are still valid. (I think there was a plan to introduce
a git-security@... but I am not sure if that happened.)

> Current practice is to contact Junio C Hamano <gitster <at> pobox.com>.
> Cc-ing Jeff King <peff <at> peff.net> isn't a bad idea while at it.

Just go for that.


On Fri, Aug 21, 2015 at 3:55 PM, Guido Vranken <guidovranken@gmail.com> wrote:
> List,
>
> I would like to report security vulnerabilities in git. Due to the
> sensitive nature of security-impacting bugs I would like to know if
> there's a dedicated e-mail address for this, so that the issues at
> play can be patched prior to a coordinated public disclosure of the
> germane exploitation details. I did find an older thread in the
> archive addressing this question (
> http://thread.gmane.org/gmane.comp.version-control.git/260328/ ), but
> because I'm unsure if those e-mail addresses are still relevant, I'm
> asking again.
>
> Thanks.
>
> Guido


* Re: Where to report security vulnerabilities in git?
  2015-08-21 22:55 Where to report security vulnerabilities in git? Guido Vranken
  2015-08-22  0:02 ` Stefan Beller
@ 2015-08-22  0:16 ` Junio C Hamano
  2015-08-24  4:13 ` Sitaram Chamarty
  2 siblings, 0 replies; 4+ messages in thread
From: Junio C Hamano @ 2015-08-22  0:16 UTC (permalink / raw)
  To: Guido Vranken; +Cc: Git Mailing List

On Fri, Aug 21, 2015 at 3:55 PM, Guido Vranken <guidovranken@gmail.com> wrote:
> germane exploitation details. I did find an older thread in the
> archive addressing this question (
> http://thread.gmane.org/gmane.comp.version-control.git/260328/ ), but
> because I'm unsure if those e-mail addresses are still relevant, I'm
> asking again.

Indeed that was old advice. Recent releases of "A note from the
maintainer" have this paragraph:

If you think you found a security-sensitive issue and want to disclose
it to us without announcing it to wider public, please contact us at
our security mailing list <git-security@googlegroups.com>.


* Re: Where to report security vulnerabilities in git?
  2015-08-21 22:55 Where to report security vulnerabilities in git? Guido Vranken
  2015-08-22  0:02 ` Stefan Beller
  2015-08-22  0:16 ` Junio C Hamano
@ 2015-08-24  4:13 ` Sitaram Chamarty
  2 siblings, 0 replies; 4+ messages in thread
From: Sitaram Chamarty @ 2015-08-24  4:13 UTC (permalink / raw)
  To: Guido Vranken, git


On 08/22/2015 04:25 AM, Guido Vranken wrote:
> List,
> 
> I would like to report security vulnerabilities in git. Due to the
> sensitive nature of security-impacting bugs I would like to know if
> there's a dedicated e-mail address for this, so that the issues at
> play can be patched prior to a coordinated public disclosure of the
> germane exploitation details. I did find an older thread in the
> archive addressing this question (
> http://thread.gmane.org/gmane.comp.version-control.git/260328/ ), but
> because I'm unsure if those e-mail addresses are still relevant, I'm
> asking again.

If it has anything to do with remote access (via ssh or http) please
copy me also.  I wrote/write/maintain gitolite, which is a reasonably
successful access control system for git servers.

regards
sitaram


