Discussion:
some help on a security related thing?
Daniel Stenberg
2017-02-11 23:20:01 UTC
Hi,

We recently received an email about a libssh2 security problem, but it turns
out basically none of us old "maintainers" of this project (me and Alexander
Lamaison at least) feel that we have enough time and energy to handle it.

This is ultimately a cry for help that this project needs more hands on deck
to function, but to at least handle this immediate short-term crisis I would
like to call for volunteers to help us work on this specific problem now. To
investigate it and work on a fix, or fixes together with the person who has
found the issue.

Failing to deal with it will eventually end up with the issue getting
published without any action from our end prior to that, and that would be
very unfortunate.

Any takers?
--
/ daniel.haxx.se
Peter Stuge
2017-02-12 00:23:46 UTC
Post by Daniel Stenberg
Any takers?
I can take a look at it.


//Peter
bch
2017-02-11 23:50:47 UTC
I may be able to contribute if you're taking the lead Peter. If you want
other build environment, independent verification, etc, don't hesitate to
ping me.
Post by Peter Stuge
Post by Daniel Stenberg
Any takers?
I can take a look at it.
//Peter
w***@panic.com
2017-02-12 00:04:09 UTC
I can also help out as needed.

Will

Sara Golemon
2017-02-12 01:45:57 UTC
Post by Daniel Stenberg
We recently received an email about a libssh2 security problem, but it
turns out basically none of us old "maintainers" of this project (me and
Alexander Lamaison at least) feel that we have enough time and energy to
handle it.
This is ultimately a cry for help that this project needs more hands on
deck to function, but to at least handle this immediate short-term crisis I
would like to call for volunteers to help us work on this specific problem
now. To investigate it and work on a fix, or fixes together with the person
who has found the issue.
Failing to deal with it will eventually end up with the issue getting
published without any action from our end prior to that, and that would be
very unfortunate.
Any takers?
I'm not really up on most of the changes since handing over the project a
decade ago, but I'm more than happy to have something to get my hands dirty
taking a look at.

-Sara
Amirul Islam
2017-02-12 02:12:15 UTC
I can try my level best. But my limitation is in experience.

Regards,

Mark
Wesley Witt
2017-02-13 00:51:08 UTC
Thanks everyone for the responses. The help is awesome.

I finally got back to this today and got this working. I built my own libssh2 DLL and it works. Lesson here is that DLLs built by others may not be very trustworthy.

-Wes

Marc Hoersken via libssh2-devel
2017-02-13 06:09:34 UTC
Post by Wesley Witt
I finally got back to this today and got this working. I built my own libssh2 DLL and it works. Lesson here is that DLLs built by others may not be very trustworthy.
Since you are probably referring to the DLLs I built and since I helped
you via personal e-mail, I am really interested what you mean with
"trustworthy".

Did you use OpenSSL to build a new DLL or still WinCNG?

Daniel Stenberg
2017-02-12 09:45:15 UTC
Post by Daniel Stenberg
We recently received an email about a libssh2 security problem, but it turns
out basically none of us old "maintainers" of this project (me and Alexander
Lamaison at least) feel that we have enough time and energy to handle it.
Thank you for all the (offers to) stepping up. It warms my heart to see that
there are many friends around prepared to help out!

Since both Peter Stuge and Sara Golemon spoke up, I decided to hand over
details to them to let them pursue this. Sara of course started this project
and Peter has been participating since many years. They should have the
perfect background and set of skills to handle this. And my trust.

Let's see how things develop and what Peter and Sara think of it.

Again, thanks for responses.
--
/ daniel.haxx.se