
Bugfix release 2.7.4 - Available ❗❗❗ Fixes CVE-2022-39368 ❗❗❗ #2071

Closed
boaks opened this issue Sep 19, 2022 · 12 comments

Comments

@boaks
Contributor

boaks commented Sep 19, 2022

See 2.7.4 for details.

@boaks boaks pinned this issue Sep 19, 2022
@boaks boaks changed the title Bugfix release 2.7.4 -Scheduled for Wednesday 21.9. Bugfix release 2.7.4 - Available Sep 23, 2022
@boaks
Contributor Author

boaks commented Sep 23, 2022

The 2.7.4 bugfix release is available on Maven Central and the Eclipse Repository. The tools and actinium are not released for 2.7.4, please use the 3.6.0 release of them.

@boaks
Contributor Author

boaks commented Nov 17, 2022

❗❗❗ Important Note: ❗❗❗

This bugfix is required for all users of Californium 2.0.0 - 2.7.3, which are using DTLS! It provides the fix for

CVE-2022-39368
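The note above gives a concrete audit criterion: any build that pulls a Californium artifact in the 2.0.0 to 2.7.3 range and uses DTLS needs the 2.7.4 fix. The following script is an added example, not code from the Californium project or from this thread; it walks the `<dependency>` entries of a Maven `pom.xml` and flags `org.eclipse.californium` artifacts whose version falls inside that range. The embedded `pom.xml` is constructed for the example; `scandium` is Californium's DTLS module (a known artifact, but not named in this issue). Versions supplied through a Maven property such as `${californium.version}` are not resolved here and are reported separately so they are not silently skipped.

```python
"""Audit a Maven pom.xml for Californium dependencies in the version range
this issue names as affected by CVE-2022-39368 (2.0.0 - 2.7.3, fixed in 2.7.4).
Added example; the sample pom below is constructed, not a real project file."""
import re
import xml.etree.ElementTree as ET

AFFECTED_GROUP = "org.eclipse.californium"
AFFECTED_MIN = (2, 0, 0)     # inclusive, per the issue text
AFFECTED_MAX = (2, 7, 3)     # inclusive, per the issue text
FIXED_VERSION = "2.7.4"

# Constructed sample: one affected, one already fixed, one property-managed, one unrelated.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.eclipse.californium</groupId>
      <artifactId>scandium</artifactId>
      <version>2.7.3</version>
    </dependency>
    <dependency>
      <groupId>org.eclipse.californium</groupId>
      <artifactId>californium-core</artifactId>
      <version>2.7.4</version>
    </dependency>
    <dependency>
      <groupId>org.eclipse.californium</groupId>
      <artifactId>element-connector-tcp-netty</artifactId>
      <version>${californium.version}</version>
    </dependency>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-all</artifactId>
      <version>4.1.86.Final</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """Turn '2.7.3' or '3.8.0-SNAPSHOT' into a comparable (major, minor, patch) tuple.
    Qualifiers such as -SNAPSHOT are ignored; unparseable input (e.g. a Maven
    property placeholder) returns None."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version string lies inside the affected range."""
    v = parse_version(version)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def find_dependencies(pom_xml):
    """Yield (groupId, artifactId, version) for every <dependency> element,
    whether or not the pom declares the default Maven namespace."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    for dep in root.iter(f"{ns}dependency"):
        yield (dep.findtext(f"{ns}groupId", "").strip(),
               dep.findtext(f"{ns}artifactId", "").strip(),
               dep.findtext(f"{ns}version", "").strip())


def audit(pom_xml):
    """Return (affected, unresolved): Californium artifacts in the affected
    range, and Californium artifacts whose version could not be parsed and
    therefore must be checked by hand (e.g. property-managed versions)."""
    affected, unresolved = [], []
    for group, artifact, version in find_dependencies(pom_xml):
        if group != AFFECTED_GROUP:
            continue
        if parse_version(version) is None:
            unresolved.append((artifact, version))
        elif is_affected(version):
            affected.append((artifact, version))
    return affected, unresolved


if __name__ == "__main__":
    hits, unknown = audit(SAMPLE_POM)
    for artifact, version in hits:
        print(f"{AFFECTED_GROUP}:{artifact}:{version} is in the affected range; update to {FIXED_VERSION}")
    for artifact, version in unknown:
        print(f"{AFFECTED_GROUP}:{artifact}:{version} could not be resolved; check the effective pom")
```

Running `mvn help:effective-pom` first and feeding its output to `audit()` resolves property-managed versions, which is the usual way to avoid the unresolved case in a real build.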

@boaks boaks changed the title Bugfix release 2.7.4 - Available Bugfix release 2.7.4 - Available / :exclamation::exclamation::exclamation: **Fixes CVE-2022-39368** :exclamation::exclamation::exclamation: Nov 17, 2022
@boaks boaks changed the title Bugfix release 2.7.4 - Available / :exclamation::exclamation::exclamation: **Fixes CVE-2022-39368** :exclamation::exclamation::exclamation: Bugfix release 2.7.4 - Available / :exclamation::exclamation::exclamation: Fixes CVE-2022-39368 :exclamation::exclamation::exclamation: Nov 17, 2022
@boaks boaks changed the title Bugfix release 2.7.4 - Available / :exclamation::exclamation::exclamation: Fixes CVE-2022-39368 :exclamation::exclamation::exclamation: Bugfix release 2.7.4 - Available ❗❗❗ Fixes CVE-2022-39368 ❗❗❗ Nov 17, 2022
@JimmyBaize

https://mvnrepository.com/artifact/org.eclipse.californium/element-connector-tcp-netty
Why does element-connector-tcp-netty 2.7.4 not exist in the central repository?

@boaks
Contributor Author

boaks commented Dec 29, 2022

Thanks for reporting that, the deploy job doesn't contain it.
I added it there, the next 2.7.5 will contain it, but that may take some time.

Californium users were asked long ago to update to 3.x.y; the current version is 3.7.0.

Just to mention:
Also in 2.7, using the Exchange without Executor is for unit-tests only.
If you like to do some TCP experiments with that, please use the 2.7.2.
The later fixed CVEs are related to DTLS, so TCP/TLS should work, at least for such tests.

@JimmyBaize

Okay, thanks.
Due to the SerialExecutor of Exchange, we can't upgrade to 3.X for now.
How long will 2.7.X be maintained?

@boaks
Contributor Author

boaks commented Dec 30, 2022

Due to the SerialExecutor of Exchange, we can't upgrade to 3.X for now.

You can't use the 2.7 either. Using Exchange without SerialExecutor is not supported!
What you can do is provide the results of the requested test in your other issue.
I'm not sure if the "cf-extplugtest-client/cf-extplugtest-server" benchmark still works for 2.7.
It works on 3.7.0 and 3.8.0-SNAPSHOT. Using 3.8.0-SNAPSHOT then requires patching the
Exchange in order to do the test.

How long will 2.7.X be maintained?

2.7.x is not maintained (see security policy).
Mainly, we try to backport some CVE fixes if Leshan 1.x is affected. All other users and projects are recommended to use 3.7.0.

@JimmyBaize

Thanks for reporting that, the deploy job doesn't contain it. I added it there, the next 2.7.5 will contain it, but that may take some time.

Californium users were asked long ago to update to 3.x.y; the current version is 3.7.0.

Just to mention: Also in 2.7, using the Exchange without Executor is for unit-tests only. If you like to do some TCP experiments with that, please use the 2.7.2. The later fixed CVEs are related to DTLS, so TCP/TLS should work, at least for such tests.

Version 2.7.5 has not been released.
Can you help release element-connector-tcp-netty 2.7.4 to the central repository?

@boaks
Contributor Author

boaks commented Jun 26, 2023

I will try to update the netty dependency and, if successful, I can release a 2.7.5 with that tcp-module.

@boaks
Contributor Author

boaks commented Jun 26, 2023

Let me try again: please give us more information about your experience with the approach of replacing the executor.

My argument for not opening the 3.x API is that I'm not going to test that with quite a lot of different scenarios.
But if that already works "for you", and opening the API with some warnings and hints will help, then I can also open the 3.x API to replace the executor.

@boaks boaks unpinned this issue Jun 26, 2023
@JimmyBaize

Yes, it works for me. I've been using Californium for over 6 years in a CoAP over TCP scenario for my project. Without this API, it's hard for me to upgrade to version 3.X.

It would be nice for me if the API were opened up to allow setting null to Exchange.executor. You can add comments or annotations to these APIs to warn users not to use them unless necessary. So I can upgrade to version 3.X.

@boaks
Contributor Author

boaks commented Jun 27, 2023

Thanks for that feedback.
I will do so.

@boaks
Contributor Author

boaks commented Jun 28, 2023

See PR #2153 about null as Executor for Exchanges.

@boaks boaks closed this as completed Jun 30, 2023