reporting a vulnerability :: Support Forum

Piru
Joined:: 2018-08-30
Posts:: 1

reporting a vulnerability

2018-08-30 23:15

How should a vulnerability in WinSCP be reported?

I would want to keep embargo on the issue while the authors triage the issue, so posting it to this forum likely isn't a good idea.

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 40,564
Location:: Prague, Czechia

Re: reporting a vulnerability

2018-08-31

Thanks for your post.
I'm sending you an email to the address you have used to register on this forum.

Reply with quote

martin◆ Site Admin

2018-09-03

This issue has been added to the tracker:
https://winscp.net/tracker/1675

Reply with quote

MrPippin Guest

Fix for 5.13

2019-01-21 22:47

Any chance this is being backported to 5.13?

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 40,564
Location:: Prague, Czechia

Re: Fix for 5.13

2019-01-22

@MrPippin: I'll consider it.
But to be honest, this is such a negligible problem.
Are you not trusting your server?
And are you actually using SCP protocol at all?

Reply with quote

slfields
Joined:: 2019-01-21
Posts:: 2
Location:: USA

Re: Fix for 5.13

2019-01-22 14:07

The primary reason I ask is that version 14 is still considered a release candidate, and this is a product deployed widely in our organization. We can’t speak to what sites are users are connecting, or trusted.

Reply with quote

slfields

Re: Fix for 5.13

2019-02-04 16:20

Any update if this could possibly be released in 5.13?

Reply with quote

martin◆ Site Admin

Re: Fix for 5.13

2019-02-20

@slfields: I have fixed the problem in the 5.13 branch. WinSCP 5.13.8 will probably be released the next week.
https://winscp.net/eng/docs/history?a=5.13.8

Reply with quote