Hi all
I've found a vulnerable default configuration in a package with which privilege escalation is possible. Since I don't want to open a public Gitlab issue, I sent an email to security@archlinux.org a few days ago. However, I have not yet received an answer.
How should I proceed?
Last edited by dcy3rka (2024-02-29 08:34:25)
In the light of responsible disclosure, you took the right approach. I'd give the team at least one week to respond.
After that you can open an issue on the GitLab bug tracker.
Chances are that if the team does not deem it necessary to react after one week's time, either
a) the issue isn't really that bad, or
b) nobody's home and other bug-wrangling personnel should be informed that way.
I'd still refrain from publishing too many details if it's really that bad. I.e. I would not publish a POC right away.
Last edited by schard (2024-02-29 08:27:39)
Ok, thanks. I will wait another few days. I thought maybe it was the wrong way, or at least that a better way exists.
I close this issue for the moment.
You can create a confidential issue on the Arch GitLab instance, which will only be visible to team members with at least Reporter access. You can view such access on the project's Members tab (random package selected as an example).
Mod note: moving to Arch Discussion.