Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 31 Jan 2011 12:00:54 +0100
From: Tomas Hoger <thoger@...hat.com>
To: strenholme.usenet@...il.com
Cc: oss-security@...ts.openwall.com, list@...adns.org, geissert@...ian.org,
        atomo64@...il.com, coley@...re.org
Subject: Re: MaraDNS 1.4.06 and 1.3.07.11 released

Hi Sam!

On Sat, 29 Jan 2011 22:21:08 -0700 Sam Trenholme wrote:

> I would like to thank Mr. Witold Baryluk for pointing out this issue,
> taking the time to backtrace the bug, and for bringing it to my
> attention by posting to the MaraDNS mailing list.  However, I need to
> let him know that making this public by filing a public Debian bug
> without first trying to contact me is not the appropriate way to
> handle a security problem with MaraDNS.  The appropriate way to do so
> is via private email.  My email address is here:
> 
> http://samiam.org/mailme.php

I think it may be a good idea to have this preferred way of receiving
security reports for MaraDNS documented on the project web site in a
way that does not make it hard to find.

I took a quick look at the maradns.org web to see what contact info I
can find as someone who may want to report a security flaw, but does
not have any closer relationship with project's upstream or community.

The main page suggests using mailing list for bug reports.  There is
the contact.html page that does document what to do when reporting
security issue, but the page does not seem to be linked from other pages
(I noticed it thanks to the web site copy bundled in the maradns source
tarball).  There's a link from sponsors.html, but that page is no longer
linked from the site menu.

So while the info is there, I don't see an easy way to find it by
following links from the main page.  Maybe that's something you may
want to change.

Just my 2c, HTH.

-- 
Tomas Hoger / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.