Re: [ecd-pmc] https://bugs.eclipse.org/bugs/show_bug.cgi?id=551596

CVEs are a means of responsibly disclosing a vulnerability to the larger community. The only general guidance I can provide is that, if this is a vulnerability that leaves adopters exposed, then we really should disclose via CVE. It's up to the project team (perhaps with assistance from the PMC) to decide whether or not a CVE is required. Unfortunately, I don't understand your community and adopters well enough to make that call.

I posted the mechanics of creating a CVE in a comment.

HTH,

Wayne

On Tue, Dec 10, 2019 at 7:51 AM Sergii Kabashniuk <skabashn@xxxxxxxxxx> wrote:


On Tue, Dec 10, 2019 at 12:39 PM Delchev, Nedelcho <nedelcho.delchev@xxxxxxx> wrote:
Hi Sergii,

Just a few questions:
1. Is it accepted by the team that this is a security issue and has to be fixed?

"accepted by the team that this is a security issue" - that is a "discussable" statement.
Because it's an intentionally single-user (unsecured) version of Che made public to the internet.
This mode is turned off by default. That mode is left for the adopters who know what they are doing and understand the risks.

2. If so, is the patch applied in the latest release?
Yes. 

3. If so, is the CVE on place?
AFAIK we didn't make any activities around a CVE. Or I don't understand what you mean.

My understanding is that it has to be closed either with a patch + CVE or just with a CVE, if considered a security issue. @Wayne, is that correct?

Regards,
Nedelcho

On 10.12.19, 11:18, "ecd-pmc-bounces@xxxxxxxxxxx on behalf of Martin Lippert" <ecd-pmc-bounces@xxxxxxxxxxx on behalf of mlippert@xxxxxxxxx> wrote:

    @Wayne: Are you the right person to help here? I have no clue, to be honest…



    > Am 09.12.2019 um 19:03 schrieb Sergii Kabashniuk <skabashn@xxxxxxxxxx>:
    >
    > Hello PMC
    > Can you help me to understand how to properly close this bug?
    > https://bugs.eclipse.org/bugs/show_bug.cgi?id=551596
    > If I wrote an explanation to public che-dev@xxxxxxxxxxx would it be enough?
    >
    > --
    > Sergii Kabashniuk
    > Principal Software Engineer, DevTools
    > Red Hat
    > skabashniuk@xxxxxxxxxx   
    > _______________________________________________
    > ecd-pmc mailing list
    > ecd-pmc@xxxxxxxxxxx
    > To change your delivery options, retrieve your password, or unsubscribe from this list, visit
    > https://www.eclipse.org/mailman/listinfo/ecd-pmc





--

Sergii Kabashniuk

Principal Software Engineer, DevTools 

Red Hat

skabashniuk@xxxxxxxxxx    



--
The Eclipse Management Organization
Eclipse Foundation
