Security fixes are provided for the latest code on the main branch.
Please do not open public GitHub issues for security vulnerabilities.
Report privately with:
- A clear description of the issue
- Affected configuration or deployment assumptions
- Reproduction steps and proof-of-concept if available
- Impact assessment (confidentiality, integrity, availability)
If your repository hosting supports private security advisories, use that channel. Otherwise, report privately via:

- Initial acknowledgment: within 72 hours
- Triage decision: within 7 days
- Fix or mitigation plan: as soon as practical based on severity
Please include whether your report involves any of the following areas, since
they are security-sensitive in mod_dynssl:
- TLS handshake callback behavior and fallback semantics
- Certificate/key parsing and in-memory handling
- Shared cache integrity and flush endpoint behavior
- Store authentication (DynSSLStoreToken) and TLS transport controls (DynSSLStoreSSLVerify, DynSSLStoreCAFile)