jazzm0
commented
2 years ago Hello,
sure, I would like to make the project as secure as possible, so please let me know if there are any security issues.
Kind Regards
Closed misterAnderson90 closed 2 years ago
jazzm0
commented
2 years ago Hello,
sure, I would like to make the project as secure as possible, so please let me know if there are any security issues.
Kind Regards
theAkito
commented
2 years ago Please, report this spammer. This is just a bot spamming the very same message to tons of open source repositories. The only things that are changed in the message are the repository's name and the amount of warnings.
misterAnderson90
commented
2 years ago Dear @jazzm0,
I'm sorry for not sending this message before. I have my account flagged as spamming and I lost its access. I'm sending the six warnings that the tool reported on ssh-daemon. 3 warnings are related to the third-party class Buffer.java
Gist 01 - KeyFactory Gist 02 - KeyPair Gist 03 - KeyPair Gist 04 - KeyPair Gist 05 - MessageDigest Gist 06 - KeyPair
For any doubts, you can comment directly in the gists and we can clarify the issues.
Best regards,
I'm a PhD student interested in finding security vulnerabilities in open source projects.
We found a total of 6 warnings (indicating potential vulnerabilities) when running the CogniCrypt static analyzer (*) on ssh-daemon (or its library dependencies). We documented each one of these issues in private gists for the sake of confidentiality (non-disclosure).
Can you please let us know whether we can share these gists with you? We are eager to evaluate the perception of developers (e.g. severity of these warnings) and improve ssh-daemon's security, and the quality of the reports of static analysis tools.
(*) https://github.com/CROSSINGTUD/CryptoAnalysis