Security issue: How to report it privately to the maintainers?

Philippe Höij philippe at hoij.net
Wed Sep 2 03:43:12 UTC 2020


Hi,

There is a security issue in rsync that needs to be disclosed to the team. Similar issues in other tools have CVEs of high severity assigned to them, and rsync has such an issue as well.

I would like to enable the rsync maintainers to be aware of, and hopefully to fix, the issue. I have known of it for about 15 years and assume it has been there more or less from the beginning, but I failed back then to realize that it should have been reported and later disclosed as a CVE, so better late than never. It resurfaced in a discussion with a friend.

I have looked at the homepage, the GitHub repo and its issues, and Bugzilla, and could not find the issue in there. I also did not find how to securely and privately disclose security issues to the team. I would be happy to submit it through the security advisories function on GitHub for discussion if you could enable that function, or could you provide a different option to share the finding?

I am in the process of doing a write-up of the issue to submit to you.

Best regards
Philippe
