Re: [ide-dev] [eclipse.org-architecture-council] Security flaw in ADT is somehow presented as a flaw in Eclipse IDE
- From: Aleksandar Kurtakov <akurtako@xxxxxxxxxx>
- Date: Wed, 6 Dec 2017 11:01:08 +0200
- Delivered-to: email@example.com
On Wed, Dec 6, 2017 at 10:10 AM, Max Rydahl Andersen
>> See https://www.theregister.co.uk/2017/12/06/android_ides_vulnerable/
>> This piece of news is spreading very fast on social media. As far as I
>> understand (and I may be wrong), the security flaw mentioned here isn't in
>> Eclipse IDE itself but in ADT or some other piece of Android SDK.
>> So basically, Eclipse IDE has once again its image hurt by an issue in
> All IDEs were hurt. Let's not make it more bleak than it is - also be aware
> the issue of XML external entity leaks is not new; it's been known for years to
> be an issue if your XML parsing doesn't guard itself against relative paths.
> Now it seems the Android toolkit is affected by it too.
>> If this happens to be the case, it would be interesting to have the
>> Foundation sending a PR to explain that Eclipse IDE itself is fine, and is
>> open for extensions, and that security flaws in extensions are only the
>> responsibility of extension providers; and warn against this kind of
>> message which tends to blame the wrong layer.
> I'm sorry but the news seems to be all balanced on this - they state it
> affects all major IDEs (which is true) and it needs fixing. The article states
> it has been fixed, but do we know if Eclipse ADT has been fixed?
> On the marketplace it's listed as having no updates since 20160-11-07
> Question is now if, like happened with Eclipse Class Decompiler, Eclipse
> removes ADT from the marketplace? See
If there is no one to update ADT - it must be removed, I don't see any other path.
Red Hat Eclipse Team