Reporting security vulnerability

Shuhao shuhao at
Mon Jun 3 00:12:34 CEST 2013

That sounds good.


On 13-06-02 01:51 PM, Steve Dodier-Lazaro wrote:
> Hi Shuhao,
> In these cases it's always better to not give any details about the bug on
> a mailing list. If people were actively looking for ways to attack an XFCE
> computer, they must have just been given a hint about something. I would
> recommend you privately email the main developers of the concerned package.
> Regards,
> 2013/6/2 Shuhao <shuhao at>
>> Hi,
>> I've discovered a medium level security vulnerability in XFCE and I'm not
>> sure where I can safely report it. I don't see the option to mark the bug
>> as confidential or as a security issue in Bugzilla.
>> The bug is very easy to exploit (however only if you have access to the
>> machine, which makes it non-critical) and is able to bypass the lock
>> screen. There is a workaround available but it is uncommonly done (imo).
>> The bug should also be relatively easy to fix though I do not know enough
>> of the XFCE codebase to tell.
>> Any pointers would be helpful.
>> Cheers,
>> Shuhao
