Re: [tinydtls-dev] Vulnerability report against Eclipse TinyDTLS

AFAICT, there's been no engagement from the project team on Issue 574327. Since we've exceeded the three month deadline, I've removed the confidentiality flag.

Can somebody from the project team have a look, please?

Wayne

On Mon, Aug 16, 2021 at 4:33 PM Wayne Beaton <wayne.beaton@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Thanks for your response.

When you do get a chance to respond to this, please make a point of referencing the GitHub issue from the Bugzilla record (so that I can make the linkage between the two in the CVE).

There's a second issue that needs attention as well. https://bugs.eclipse.org/bugs/show_bug.cgi?id=574327

Enjoy your vacation.

Wayne

On Mon, Aug 16, 2021 at 3:11 PM Olaf Bergmann <bergmann@xxxxxxx> wrote:
Hi Wayne,

On 2021-08-16, Wayne Beaton <wayne.beaton@xxxxxxxxxxxxxxxxxxxxxx> wrote:

> There is an open vulnerability report registered against the project
> code. Note that the issue is currently marked confidential and so is
> only accessible by committers.

Thanks for pointing this out. At a quick glance, this is one of the
issues raised in the GitHub issue tracker as well (and addressed through
a PR). So much for confidentiality.

> I need project committers to have a look at the report and determine
> if it correctly identifies a vulnerability. If yes, then you need to
> determine when the correct time is to assign a CVE and disclose the
> vulnerability. The Eclipse Foundation's practices regarding mitigation
> of vulnerabilities are captured in the handbook.

Yes, will do. Currently I am on vacation and will handle it after my
return.

Regards
Olaf


--

Wayne Beaton

Director of Open Source Projects | Eclipse Foundation



--

Wayne Beaton

Director of Open Source Projects | Eclipse Foundation