Hi! [ I'm not a maintainer, so I'll leave parts of the questions for them. ]
On Thu, 2026-03-12 at 08:51:31 +0000, Adiel Sol wrote: > A couple of questions about disclosure: > > 1. Are you planning to request a CVE for this issue (e.g. through > the GNU project or another CNA), or would you prefer that we > request it from our side? Getting one assigned (from whoever) would be great for tracking purposes (talking from Debian's PoV). I'm not sure what's the usual process here though. > 3. What is your preferred process from here until public > disclosure (e.g. embargo period, coordinated advisory, or > anything we should avoid doing until a certain date)? I'm afraid this is already public by way of the initial mail hitting the publicly archived mailing list and the PR: https://lists.gnu.org/r/bug-inetutils/2026-03/msg00031.html https://codeberg.org/inetutils/inetutils/pulls/17 I'm wondering whether the contact address might mislead reporters into thinking this is a private contact instead of a public mailing list (because it does not have "lists" anywhere in its name)? And perhaps that might need to be clarified in the documentation? Thanks, Guillem
