On Wed, Feb 23, 2011 at 07:47:52PM +0200, Andrew W. Nosenko wrote:
> On Wed, Feb 23, 2011 at 18:36, Rodrigo Rubira Branco (BSDaemon)
> <[email protected]> wrote:
> > Dear All,
> >
> > I would like to know what is the best way to report security issues
> > affecting libxml.
> >
> > I tried the communication thru some Linux Vendors, but it seemed
> > impossible to move forward. The issue affects mainly libxml-ruby.
> >
>
> Daniel Veillard <[email protected]> is maintainer of libxml2.
> Therefore, the most conservative route is to send private e-mail to him.

Actually, the best way is usually to report the problem to the
vendor-sec mailing-list
  http://en.wikipedia.org/wiki/Vendor-sec
and sure put me in copy, but ultimately if this is really about libxml2
I end up getting it (and often providing the fix, at least verifying it).
In the case of libxml-ruby, it's unclear, a problem could be with the
bindings code, or in libxml2 itself, I would also contact the author(s)
of the ruby bindings too.
In any case providing a reproducer (even if not systematic) is really
critical, unless it was spotted by code analysis.

thanks !

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
[email protected]  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/
