reporting a vulnerability :: Support Forum

Piru
Joined:: 2018-08-30
Posts:: 1

reporting a vulnerability

2018-08-30 23:15

How should a vulnerability in WinSCP be reported?

I would want to keep embargo on the issue while the authors triage the issue, so posting it to this forum likely isn't a good idea.

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 33,467
Location:: Prague, Czechia

Re: reporting a vulnerability

2018-08-31

Thanks for your post.
I'm sending you an email to the address you have used to register on this forum.

Reply with quote

martin◆ Site Admin

2018-09-03

This issue has been added to the tracker:
https://winscp.net/tracker/1675

Reply with quote

MrPippin Guest

Fix for 5.13

2019-01-21 22:47

Any chance this is being backported to 5.13?

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 33,467
Location:: Prague, Czechia

Re: Fix for 5.13

2019-01-22

MrPippin wrote:

Any chance this is being backported to 5.13?

I'll consider it.
But to be honest, this is such a negligible problem.
Are you not trusting your server?
And are you actually using SCP protocol at all?

Reply with quote

slfields
Joined:: 2019-01-21
Posts:: 2
Location:: USA

Re: Fix for 5.13

2019-01-22 14:07

martin wrote:

MrPippin wrote:

Any chance this is being backported to 5.13?
I'll consider it.
But to be honest, this is such a negligible problem.
Are you not trusting your server?
And are you actually using SCP protocol at all?

The primary reason I ask is that version 14 is still considered a release candidate, and this is a product deployed widely in our organization. We can’t speak to what sites are users are connecting, or trusted.

Reply with quote

slfields
Joined:: 2019-01-21
Posts:: 2
Location:: USA

Re: Fix for 5.13

2019-02-04 16:20

slfields wrote:

martin wrote:

MrPippin wrote:

Any chance this is being backported to 5.13?
I'll consider it.
But to be honest, this is such a negligible problem.
Are you not trusting your server?
And are you actually using SCP protocol at all?

The primary reason I ask is that version 14 is still considered a release candidate, and this is a product deployed widely in our organization. We can’t speak to what sites are users are connecting, or trusted.

Any update if this could possibly be released in 5.13?

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 33,467
Location:: Prague, Czechia

Re: Fix for 5.13

2019-02-20

slfields wrote:

Any update if this could possibly be released in 5.13?

I have fixed the problem in the 5.13 branch. WinSCP 5.13.8 will probably be released the next week.
https://winscp.net/eng/docs/history?a=5.13.8

Reply with quote

Guest

Re: Fix for 5.13

2019-02-20 12:16

martin wrote:

slfields wrote:

Any update if this could possibly be released in 5.13?
I have fixed the problem in the 5.13 branch. WinSCP 5.13.8 will probably be released the next week.
https://winscp.net/eng/docs/history?a=5.13.8

Thank you.

Reply with quote