Multiple Vulnerability Reports and security email address issue #3215

Closed
byt3bl33d3r opened this issue May 21, 2024 · 8 comments
@byt3bl33d3r

byt3bl33d3r commented May 21, 2024

Heya,

I work for ProtectAI and we run a bug bounty platform, Huntr. We received multiple reports for Gunicorn (the oldest one dating back to December 2023). We've been trying to contact the security@ email address since last year but it seems to be misconfigured and the email bounces with an error. I also sent an email to all of the core maintainers listed in the MAINTAINERS file with no response.

Just FYI that we'll be validating and making these reports public by the end of this week unless someone gets back to us as we've more than exceeded the timeline for responsible disclosure. You can either login to Huntr or check your email(s) (sender is [email protected]) to get access to the reports.

Thanks

@byt3bl33d3r
Author

I've also contacted benoitc on Twitter/X a few months ago about the security@ email address issue but it still isn't fixed.

@pajod
Contributor

pajod commented May 21, 2024

Thank you for your efforts in securing Gunicorn. I understand your comment as the unilateral announcement of a preliminary disclosure date (at an unspecified time of the UTC day) 2024-05-24. As a non-maintainer I look forward to your report.

  • please clarify whether you have:
    • shared advisory drafts using GitHub-provided button in the Security tab of the repository
      • if you did you should see a report identifier in the URL, sharing which (even while not accessible to everyone) may assist in avoiding duplicate or overlapping public advisories
    • utilized the private fork feature accessible through the aforementioned process to suggest specific remediation already
      • if you did and received no satisfactory response, I trust that you know how to resubmit those publicly, or otherwise would request assistance in how to do so here
  • please ensure your public description is clear and references relevant existing issues, PRs and commits
    • everything that could assist non-maintainers in understanding, developing and validating mitigation strategies & patches
      • I have drafted a number of tests not yet submitted for review that I used to identify problems with security-relevant patches I recently helped review & amend, and intend to put those to work as soon as you share your more recent finds
  • if you find agreement on any new short-term disclosure timeline, please prefer the UTC Monday-Thursday range in consideration of typical commercial staff availability.

References:

  • The primary author is sporadically responding to pings on GitHub, but the number of existing issues & PRs currently awaiting further input from very few active maintainers suggests that very limited review capacity for new reports is to be expected.
  • The primary security contact was previously reported as not accepting messages: Security mailbox seems broken #3160
  • GitHub has previously reviewed reports for this package, see: https://github.com/advisories

@benoitc
Owner

benoitc commented May 22, 2024

Email has been fixed. There was a DNS misconfiguration.

Reports should be done there; please send those that have been created on your service using the security features that have been opened in GitHub. This eases the support and ensures all the info is collected on the project and would trigger some review.

@pajod would you be interested to join the project to help me on this?

@benoitc benoitc self-assigned this May 22, 2024
@pajod
Contributor

pajod commented May 22, 2024

@benoitc I will be glad to assist. I suspect it is about fixing / continuing what Ben started (#3059/#3113) earlier anyway, I spent some time getting familiar with that code. Or if there are any other PRs you would like to see rebased, tested and/or reviewed - ping me.

I have recently tried the "private fork" feature myself, it is reasonably functional: you'll find buttons beneath submitted reports to add or revoke access. That way you can grant access to editing specific advisory drafts and private forks without granting project-level permissions or risking ambiguous/overlapping CVE assignment.

@benoitc
Owner

benoitc commented May 22, 2024

It appears that these "vulnerabilities" require me to open an account on the huntr website. I don't find this approach very useful. Reports should be made there or by mail and not force the authors to open an account. Can you properly forward this report to my mail or open a private disclosure there? Otherwise I will just wait for the public release of these reports to read it myself. @sirkonst has opened an account though, can you help him to figure how to use it?

@benoitc
Owner

benoitc commented May 22, 2024

@pajod that is an interesting approach. Let me figure by the end of the day. Some vulnerabilities are indeed related to HTTP parsing. I will review the tickets above.

@byt3bl33d3r
Author

byt3bl33d3r commented May 22, 2024

hey @benoitc, you don't need to open an account on Huntr to view the reports. We usually send automated magic links to maintainers to view reports without having to create an account. You didn't receive it because of the email issues.

I just resent the magic link to the security@ address.

Thanks

@benoitc
Owner

benoitc commented May 22, 2024

@byt3bl33d3r thanks. Looking at them now.

@benoitc benoitc closed this as completed Jun 14, 2024