It seems to be https://bugs.eclipse.org/bugs/show_bug.cgi?id=519169 (see the mention of XXE and the name of the reporter matching the cited post).
Since this bug is restricted, let me know if I should add anyone to Cc: so they can read it, or whether I should remove the restriction, as the vulnerability is public now.
Dave Carver had analyzed this for Andmore and saw only low risk.
This is independent of the PR aspect.
best, Stephan
On 2017-12-06 08:37, Mickael Istria wrote:
This piece of news is spreading very fast on social media. As far as I understand (and I may be wrong), the security flaw mentioned here isn't in Eclipse IDE itself but in ADT or some other piece of Android SDK.
So basically, Eclipse IDE once again has its image hurt by an issue in ADT...
If this happens to be the case, it would be interesting to have the Eclipse Foundation send a PR to explain that Eclipse IDE itself is fine and is open for extensions, that security flaws in extensions are solely the responsibility of the extension providers, and to warn against this kind of message, which tends to blame the wrong layer.
Cheers,