|
|
Boost : |
From: Jeremy Murphy (jeremy.william.murphy_at_[hidden])
Date: 2024-04-13 09:41:04
Not sure if you didn't read my email carefully or I didn't explain it well,
but I don't have time to fix them, I'm asking for advice on how to balance
requesting help from the community to fix them with not divulging the
issues to the public.
The least cautious course of action might be: open bug reports for all the
security issues and explicitly mention them on this list.
The more cautious course of action would be to have a private discussion
with members of the community to resolve the issues without any public
discussion.
On that note, I guess I'll just start off cautious: if you have time to fix
some bugs and have at least some standing in the community so that I know
that you're not a bad actor, please contact me.
Thanks, cheers.
Jeremy
On Sat, 13 Apr 2024, 5:47 pm Artyom Beilis via Boost, <boost_at_[hidden]>
wrote:
> Fix them now. Security issues are ones you fix immediately.
> I assume the situation comes from some improper external files handling
> that can lead to potential exploits.
> If you can't try to work with projects that reported them on fixing.
>
> I had several urgent fixes, one in Boost.Locale due to improper UTF-8
> handling. It was actually
> taken very seriously and patched back to many distros.
>
> Artyom
>
>
> On Sat, Apr 13, 2024 at 9:59 AM Jeremy Murphy via Boost <
> boost_at_[hidden]> wrote:
>
> > What
> > should I do?
> >
> >
>
> _______________________________________________
> Unsubscribe & other changes:
> http://lists.boost.org/mailman/listinfo.cgi/boost
>
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk