reporting a vulnerability

Piru
Joined:: 2018-08-30
Posts:: 1

reporting a vulnerability

2018-08-30 23:15

How should a vulnerability in WinSCP be reported?

I would want to keep embargo on the issue while the authors triage the issue, so posting it to this forum likely isn't a good idea.

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 30,054
Location:: Prague, Czechia

Re: reporting a vulnerability

2018-08-31

Thanks for your post.
I'm sending you an email to the address you have used to register on this forum.

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 30,054
Location:: Prague, Czechia

2018-09-03

This issue has been added to the tracker:
https://winscp.net/tracker/1675

Reply with quote

MrPippin Guest

Fix for 5.13

2019-01-21 22:47

Any chance this is being backported to 5.13?

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 30,054
Location:: Prague, Czechia

Re: Fix for 5.13

2019-01-22

MrPippin wrote:

Any chance this is being backported to 5.13?

I'll consider it.
But to be honest, this is such a negligible problem.
Are you not trusting your server?
And are you actually using SCP protocol at all?

Reply with quote

slfields
Joined:: 2019-01-21
Posts:: 1
Location:: USA

Re: Fix for 5.13

2019-01-22 14:07

martin wrote:

MrPippin wrote:

Any chance this is being backported to 5.13?
I'll consider it.
But to be honest, this is such a negligible problem.
Are you not trusting your server?
And are you actually using SCP protocol at all?

The primary reason I ask is that version 14 is still considered a release candidate, and this is a product deployed widely in our organization. We can’t speak to what sites are users are connecting, or trusted.

Reply with quote