Hi, Thank you for handling my report and fixing the vulnerability. As this finding was done as part of my job at SafeBreach, it is very important for us that SafeBreach will be mentioned in the patch. Could you please change the THANKS and NEWS.md file to say Ron Ben Yizhak@SafeBreach instead of Ron Ben Yizhak?
Also, when will a CVE be assigned for this vulnerability? Thank you, Ron Ben Yizhak On Sun, Feb 15, 2026 at 7:21 PM Erik Auerswald <[email protected]> wrote: > Hi Simon, > > On Sun, Feb 15, 2026 at 04:36:56PM +0100, Simon Josefsson wrote: > > Erik Auerswald <[email protected]> writes: > > > > > I plan to commit and push the attached patch in a few days to address > > > this vulnerability, unless there are reasonable objections. > > > > Thanks -- I wish we could implement the --accept-env approach and make > > the default not set any environment variables at all, but I don't have > > cycles to work on that. Anyone else? > > Me neither. > > > Your patch seems to close this vulnerability report in a most minimal > > way, so IMHO we should apply it. > > I have just applied it. > > Cheers, > Erik >
