Maybe the question I should be asking is, is there a private Boost mailing
list exactly for dealing with security issues before they're made public?
If so, I need to get on it!
On Sat, 13 Apr 2024, 7:41 pm Jeremy Murphy,
Not sure if you didn't read my email carefully or I didn't explain it well, but I don't have time to fix them; I'm asking for advice on how to balance requesting help from the community to fix them with not divulging the issues to the public.

The least cautious course of action might be: open bug reports for all the security issues and explicitly mention them on this list. The more cautious course of action would be to have a private discussion with members of the community to resolve the issues without any public discussion.

On that note, I guess I'll just start off cautious: if you have time to fix some bugs and have at least some standing in the community so that I know that you're not a bad actor, please contact me.

Thanks, cheers.
Jeremy
On Sat, 13 Apr 2024, 5:47 pm Artyom Beilis via Boost, <boost@lists.boost.org> wrote:
Fix them now. Security issues are ones you fix immediately. I assume the situation comes from some improper external files handling that can lead to potential exploits. If you can't, try to work with projects that reported them on fixing.
I had several urgent fixes, one in Boost.Locale due to improper UTF-8 handling. It was actually taken very seriously and patched back to many distros.
Artyom
On Sat, Apr 13, 2024 at 9:59 AM Jeremy Murphy via Boost <boost@lists.boost.org> wrote:
What should I do?