
Is there a list of known Leshan vulnerabilities? #1481

Closed
Warmek opened this issue Jul 24, 2023 · 9 comments
Closed

Labels
question Any question about leshan

Comments

@Warmek
Contributor

Warmek commented Jul 24, 2023

Question

Is there a list of known Leshan vulnerabilities or a plan to create such? If so, how to access it?

Also, we would be interested in setting up a process to inform Orange when a new security issue is discovered.

@Warmek Warmek added the question Any question about leshan label Jul 24, 2023
@sbernard31
Contributor

sbernard31 commented Jul 24, 2023

> Is there a list of known Leshan vulnerabilities or a plan to create such?

You asked several times about security (#1449, #1439) and, as you could guess from my previous answers, everything about security concerning Leshan is at the Security Policy.

Currently there are no known vulnerabilities in Leshan code directly (at least since v1.0.0; before that, it's hard for me to remember).
I list all security issues caused by dependencies that I am aware of in the Security Policy. (I cannot guarantee this is exhaustive.)

> If so, how to access it?

When some are found/reported, of course they will be added to the Security Policy.

> Also, we would be interested in setting up a process to inform Orange when a new security issue is discovered

Information will be public as soon as a release with a fix is available (OR a workaround is possible). I think this is the classic security process.
For Leshan, a CVE will be created, so you can use tooling to be aware of security issues in your dependencies (and so in Leshan, as you depend on it).

I'm not sure if you are asking to be aware of a vulnerability before it is public.
If this is what you want, I'm not sure this is a good practice. I could ask the Eclipse Security Team for help about that. 🤔

@sbernard31
Contributor

About disclosure, as indicated by the Security Policy, you could have a look at:

@mrybczyn

@Warmek are you asking for a list of fixed issues? I think the list you're searching for is in: https://github.com/eclipse-leshan/leshan/blob/master/SECURITY.md

@Warmek
Contributor Author

Warmek commented Aug 4, 2023

> I'm not sure if you are asking to be aware of a vulnerability before it is public.
> If this is what you want, I'm not sure this is a good practice. I could ask the Eclipse Security Team for help about that. 🤔

We would be thankful if you did.

@mrybczyn

mrybczyn commented Aug 4, 2023

> > I'm not sure if you are asking to be aware of a vulnerability before it is public.
> > If this is what you want, I'm not sure this is a good practice. I could ask the Eclipse Security Team for help about that. 🤔
>
> We would be thankful if you did.

The Security Team is there. We are unsure what exactly you're asking about, @Warmek. Known fixed vulnerabilities?

@Warmek
Contributor Author

Warmek commented Aug 8, 2023

To the Security Team, I have one question, on behalf of Orange:
Would it be possible for us to have access to a list of all known vulnerabilities, fixed as well as active?

@mrybczyn

mrybczyn commented Aug 9, 2023

Hello @Warmek, from my records:

  • I see no direct fixed vulnerabilities in Leshan
  • Indirect (in dependencies) are listed in https://github.com/eclipse-leshan/leshan/blob/master/SECURITY.md
  • For active ones, we have none public. For information on non-public ones (so ones in the disclosure process), we won't post such information in a public place. The organization would need to have an extremely good reason to have such information. Also, so that you remember, we aim to make all security issues public. For more details on the Eclipse Foundation policy, you can check out https://www.eclipse.org/security/policy/

Hope that contains the information you need.

@sbernard31
Contributor

@Warmek can we close this issue?

@Warmek
Contributor Author

Warmek commented Sep 4, 2023

> For active ones, we have none public. For information on non-public ones (so ones in the disclosure process), we won't post such information in a public place. The organization would need to have an extremely good reason to have such information. Also, so that you remember, we aim to make all security issues public. For more details on the Eclipse Foundation policy, you can check out https://www.eclipse.org/security/policy/

The only reason would be to let us set up a workaround in production directly on LiveObjects UNTIL a new Leshan Milestone is available.
But, as we experienced last week with the “XXE Injection” issue, we saw that Leshan was very reactive and Milestone M13 is already available to fix the issue. So we don't need to be alerted in advance.

@Warmek Warmek closed this as completed Sep 4, 2023