Date: Fri, 25 Dec 2020 16:06:52 +0000
From: "Daniel Shahaf"
To: reportyigit46@protonmail.com, gi1242+zsh@gmail.com
Cc: zsh-workers@zsh.org
Subject: Re: Security
X-Seq: 47759

Sorry for the delay. It sounds like you emailed _only_ Oliver, so he
might simply be on holiday. In any case, to avoid a single point of
failure, please email the details to zsh-infra@zsh.org. Thanks!

Note to -workers@: Folks who have dealt with previous security issues
(or are otherwise trusted) and aren't already on -infra@ are welcome to
join. Just send a subscription request the usual way.

(And yes, a separate -security@ list might be a good idea, or at least
an alias.)

Cheers,

Daniel

reportyigit46 wrote on Wed, 23 Dec 2020 18:50 +00:00:
> Hello,
> Thank you for contacting me. I was sent issue details. But I can't get answer
>
> Thank you,
>
>
> Sent with ProtonMail Secure Email.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Wednesday, 23 December 2020 20:18, wrote:
>
> > On Wed, Dec 23, 2020 at 05:53:26AM +0000, reportyigit46 wrote:
> >
> > > I can’t get answer from Oliver. Which one can give me answer?
> >
> > Just FYI -- if you email the devs and tell them the security issue, I'm
> > sure they will handle it and respond. (They are responsive to
> > inconsequential things like color changes; they will certainly respond
> > to security issues.)
> >
> > However, if you email them only saying "I have a security issue", they
> > will likely ignore your message thinking it's spam. I do get one such
> > email every day telling me my account has been suspended and I need to
> > respond "urgently". I usually delete such emails, unless it is coming
> > from an official 100% real Nigerian prince...
> >
> > GI
> >
> > ------------------------------------------------------------------------
> >
> > Wife: "Go to the store and buy a loaf of bread. If they have eggs, buy a
> > dozen."
> > The programmer husband returns with 12 loaves of bread.
>
>
>
>