Reporting security vulnerability

Steve Dodier-Lazaro sidnioulz at gmail.com
Sun Jun 2 22:51:40 CEST 2013


Hi Shuhao,

In these cases it's always better to not give any details about the bug on
a mailing list. If people were actively looking for ways to attack an XFCE
computer, they must have just been given a hint about something. I would
recommend you privately email the main developers of the concerned package.

Regards,


2013/6/2 Shuhao <shuhao at shuhaowu.com>

> Hi,
>
> I've discovered a medium level security vulnerability in XFCE and I'm not
> sure where I can safely report it. I don't see the option to mark the bug
> as confidential or as a security issue in Bugzilla.
>
> The bug is very easy to exploit (however only if you have access to the
> machine, which makes it non-critical) and is able to bypass the lock
> screen. There is a workaround available but it is uncommonly done (imo).
> The bug should also be relatively easy to fix though I do not know enough
> of the XFCE codebase to tell.
>
> Any pointers would be helpful.
>
> Cheers,
> Shuhao



-- 
Steve Dodier-Lazaro
PhD Student in Information Security
University College London
Free Software Developer
OpenPGP : 1B6B1670