From: gnunet
Subject: [GNUnet-SVN] [gnurl] 173/208: BUGS: clarify how to report security related bugs
Date: Wed, 09 Aug 2017 17:36:10 +0200
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to annotated tag gnurl-7.55.0
in repository gnurl.
commit 821a0854f67cf8b4544613c1b8c1bb2d4c9e2194
Author: Daniel Stenberg <address@hidden>
AuthorDate: Tue Aug 1 14:39:13 2017 +0200
BUGS: clarify how to report security related bugs
---
docs/BUGS | 47 ++++++++++++++++++++++++++++++++---------------
1 file changed, 32 insertions(+), 15 deletions(-)
diff --git a/docs/BUGS b/docs/BUGS
index 12714cc17..f3c9f9833 100644
--- a/docs/BUGS
+++ b/docs/BUGS
@@ -9,12 +9,13 @@ BUGS
1. Bugs
1.1 There are still bugs
1.2 Where to report
- 1.3 What to report
- 1.4 libcurl problems
- 1.5 Who will fix the problems
- 1.6 How to get a stack trace
- 1.7 Bugs in libcurl bindings
- 1.8 Bugs in old versions
+ 1.3 Security bugs
+ 1.4 What to report
+ 1.5 libcurl problems
+ 1.6 Who will fix the problems
+ 1.7 How to get a stack trace
+ 1.8 Bugs in libcurl bindings
+ 1.9 Bugs in old versions
2. Bug fixing procedure
2.1 What happens on first filing
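Review bot: the renumbering in this hunk shifts every subsection after 1.2 by one (1.3 "What to report" becomes 1.4, and so on through 1.9 "Bugs in old versions"), so any other document or template that points readers at a BUGS subsection by number will now point at the wrong heading; it is worth grepping the tree for "1.6 How to get a stack trace" and similar references before merging. The new entries do match the headings changed in the later hunks, so the table of contents itself is consistent.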
@@ -30,9 +31,8 @@ BUGS
1.1 There are still bugs
- Curl and libcurl have grown substantially since the beginning. At the time
- of writing (January 2013), there are about 83,000 lines of source code, and
- by the time you read this it has probably grown even more.
+ Curl and libcurl keep being developed. Adding features and changing code
+ means that bugs will sneak in, no matter how hard we try not to.
Of course there are lots of bugs left. And lots of misfeatures.
@@ -53,7 +53,24 @@ BUGS
If you feel you need to ask around first, find a suitable mailing list and
post there. The lists are available on https://curl.haxx.se/mail/
-1.3 What to report
+1.3 Security bugs
+
+ If you find a bug or problem in curl or libcurl that you think has a
+ security impact. A bug that can put users in danger or make them vulnerable
+ if the bug becomes public knowledge, then please report that bug using our
+ security development process.
+
+ Security related bugs or bugs that are suspected to have a security impact,
+ should be reported by email to address@hidden so that they first can
+ be dealt with away from the public to minimize the harm and impact it will
+ have on existing users out there who might be using the vulernable versions.
+
+ The curl project's process for handling security related issues is
+ documented here:
+
+ https://curl.haxx.se/dev/security.html
+
+1.4 What to report
When reporting a bug, you should include all information that will help us
understand what's wrong, what you expected to happen and how to repeat the
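Review bot: two wording problems in the new 1.3 section. First, the opening sentence is a fragment: "If you find a bug or problem in curl or libcurl that you think has a security impact." has no main clause before the full stop, so it should be joined to what follows, for example "If you find a bug or problem in curl or libcurl that you think has a security impact, a bug that can put users in danger or make them vulnerable if it becomes public knowledge, then please report it using our security development process." Second, "vulernable" in the second paragraph should be "vulnerable". On substance, the section says where to send security reports but never says where not to send them; since 1.2 just above tells readers to post to the public mailing lists, an explicit line such as "Do not report security problems on the public mailing lists or in the public issue tracker" would close the obvious gap and match the "away from the public" intent stated in the second paragraph.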
@@ -85,7 +102,7 @@ BUGS
The address and how to subscribe to the mailing lists are detailed in the
MANUAL file.
-1.4 libcurl problems
+1.5 libcurl problems
When you've written your own application with libcurl to perform transfers,
it is even more important to be specific and detailed when reporting bugs.
@@ -105,7 +122,7 @@ BUGS
valgrind or similar before you post memory-related or "crashing" problems to
us.
-1.5 Who will fix the problems
+1.6 Who will fix the problems
If the problems or bugs you describe are considered to be bugs, we want to
have the problems fixed.
@@ -124,7 +141,7 @@ BUGS
We get reports from many people every month and each report can take a
considerable amount of time to really go to the bottom with.
-1.6 How to get a stack trace
+1.7 How to get a stack trace
First, you must make sure that you compile all sources with -g and that you
don't 'strip' the final executable. Try to avoid optimizing the code as
@@ -144,7 +161,7 @@ BUGS
crashed. Include the stack trace with your detailed bug report. It'll help a
lot.
-1.7 Bugs in libcurl bindings
+1.8 Bugs in libcurl bindings
There will of course pop up bugs in libcurl bindings. You should then
primarily approach the team that works on that particular binding and see
@@ -154,7 +171,7 @@ BUGS
please convert your program over to plain C and follow the steps outlined
above.
-1.8 Bugs in old versions
+1.9 Bugs in old versions
The curl project typically releases new versions every other month, and we
fix several hundred bugs per year. For a huge table of releases, number of