Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [cross-project-issues-dev] [orbit-dev] log4j vulnerability in Eclipse?

Am 13.12.2021 um 18:03 schrieb Christoph Läubrich:

yep that's what I have had in mind, I think it would be cool to have
one global feature "CVE Mitigation" or something and this
requires/includes individual CVE features that ship with appropriate
p2.inf items.
Thus way, once added to an IDE this will enable us to make CVE fixes
available tor a broad audience and make people more aware of them
through the update capabilities of eclipse itself.

Sounds great. However, I would vote for one feature per CVE, given 2

Some companies are rather reluctant to change previously certified tool
chains, and might want to include fix A, but not fix B (because they can
explain why it does not affect them).

I would expect that there is a chance of such a feature not being
installable on some installations due to conflicting requirements. The
more CVEs (and requirements) included, the higher that chance. It would
be good if such conflict would not prohibit installing the other fixes.
I might be wrong about this item.

Back to the top