RE: Credentials held unencrypted in memory during runtime

From: Feldhacker, Chris <Feldhacker.Chris_at_principal.com>
Date: Wed, 13 Apr 2011 07:55:21 -0500

http://www.wandisco.com/subversion/tortoisesvn-support
"Stefan Küng, the TortoiseSVN project's lead developer since 2003, heads WANdisco's team of professionals dedicated to the support, development and enhancement of this widely used Subversion client. This enables us to deliver critical fixes without any delay."

I'd be curious if Stefan's views of secure coding best practices is also the official position of WANdisco...
Anybody out there with an official support contract with WANdisco want to report this issue through official channels and see where it leads? It's always interesting to gauge just how much vendors selling support for open source products really can/cannot have an influence... Would WANdisco's response also be "go away"?

-----Original Message-----
From: Andrew [mailto:agaspar_at_odecee.com.au]
Sent: Wednesday, April 13, 2011 12:42 AM
To: users_at_tortoisesvn.tigris.org; Annamalai
Subject: RE: Credentials held unencrypted in memory during runtime

The organisation that I am currently working for has also found this security issue, and being a financial organisation we are considering not allowing our developers to use tortoise SVN.

This should be fixed, as it is a security flaw.

-----Message Disclaimer-----

This e-mail message is intended only for the use of the individual or
entity to which it is addressed, and may contain information that is
privileged, confidential and exempt from disclosure under applicable law.
If you are not the intended recipient, any dissemination, distribution or
copying of this communication is strictly prohibited. If you have
received this communication in error, please notify us immediately by
reply email to Connect_at_principal.com and delete or destroy all copies of
the original message and attachments thereto. Email sent to or from the
Principal Financial Group or any of its member companies may be retained
as required by law or regulation.

Nothing in this message is intended to constitute an Electronic signature
for purposes of the Uniform Electronic Transactions Act (UETA) or the
Electronic Signatures in Global and National Commerce Act ("E-Sign")
unless a specific statement to the contrary is included in this message.

While this communication may be used to promote or market a transaction
or an idea that is discussed in the publication, it is intended to provide
general information about the subject matter covered and is provided with
the understanding that The Principal is not rendering legal, accounting,
or tax advice. It is not a marketed opinion and may not be used to avoid
penalties under the Internal Revenue Code. You should consult with
appropriate counsel or other advisors on all matters pertaining to legal,
tax, or accounting obligations and requirements.

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2719429

To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_tortoisesvn.tigris.org].
Received on 2011-04-13 14:55:26 CEST

This message: [ Message body ]
Next message: Pablo M. Dotro: "Re: Credentials held unencrypted in memory during runtime"
Previous message: Alexander: "Re: SubWCRev and ternary keywords and $WCRANGE$ colon"
In reply to: Andrew: "RE: Credentials held unencrypted in memory during runtime"
Next in thread: Pablo M. Dotro: "Re: Credentials held unencrypted in memory during runtime"
Reply: Pablo M. Dotro: "Re: Credentials held unencrypted in memory during runtime"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]