Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [tinydtls-dev] Vulnerability report against Eclipse TinyDTLS

Hi Wayne,

If nobody from this project can have a look, could I get one CVE ID for this vulnerability?


On Tue, 21 Sept 2021 at 04:04, Wayne Beaton <wayne.beaton@xxxxxxxxxxxxxxxxxxxxxx> wrote:
AFAICT, there's been no engagement from the project team on Issue 574327. Since we've exceeded the three month deadline, I've removed the confidentiality flag.

Can somebody from the project team have a look, please?


On Mon, Aug 16, 2021 at 4:33 PM Wayne Beaton <wayne.beaton@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Thanks for your response.

When you do get a chance to respond to this, please make a point of referencing the GitHub issue from the Bugzilla record (so that I can make the linkage between the two in the CVE).

There's a second issue that needs attention as well.

Enjoy your vacation.


On Mon, Aug 16, 2021 at 3:11 PM Olaf Bergmann <bergmann@xxxxxxx> wrote:
Hi Wayne,

On 2021-08-16, Wayne Beaton <wayne.beaton@xxxxxxxxxxxxxxxxxxxxxx> wrote:

> There is an open vulnerability report registered against the project
> code. Note that the issue is currently marked confidential and so is
> only accessible by committers.

Thanks for pointing this out. At a quick glance, this is one of the
issues raised in the Github issue tracker as well (and addressed through
PR). So much for confidentiality.

> I need project committers to have a look at the report and determine
> if it correctly identifies a vulnerability. If yes, then you need to
> determine when the correct time is to assign a CVE and disclose the
> vulnerability. The Eclipse Foundation's practices regarding mitigation
> of vulnerabilities is captured in the handbook.

Yes, will do. Currently I am on vacation and will handle it after my



Wayne Beaton

Director of Open Source Projects | Eclipse Foundation


Wayne Beaton

Director of Open Source Projects | Eclipse Foundation

tinydtls-dev mailing list
To unsubscribe from this list, visit

Back to the top