jvinet / knock

A port-knocking daemon
http://www.zeroflux.org/projects/knock
GNU General Public License v2.0

knockd Security Disclosure #91

Open secdefect opened 4 months ago

secdefect commented 4 months ago

Hi all,

I've found a significant vulnerability in knockd; how should I report this? I emailed Judd last week but haven't had a response, which is understandable, as he's probably a busy guy.

Can anyone advise on a different email address or a different contributor that I can disclose the issue to?

Cheers now

TDFKAOlli commented 4 months ago

Hi,

Judd indicated he doesn't have much time for the project any longer here. Either you wait a bit until he answers, or you disclose here so people can patch their own builds. Not sure what's the best way to go. I do have a fork, but I'm also not using knockd actively anymore, nor am I developing or adding features to my fork. Anyhow, I would apply a patch just in case someone uses the fork. Still, I'm not sure if it is good to disclose if this root repo is not patched.

Cheers

secdefect commented 4 months ago

Cheers for the reply

We will fork and propose a fix. If anyone can review and merge then that will be great. Having it marked as a published bug may help people decide if they build with the fix or use something else.

evoke0 commented 4 months ago

Hello @secdefect, have you received an answer from Judd? If not, have you disclosed the vulnerability?