Skip to content

Latest commit

 

History

History
52 lines (35 loc) · 3.09 KB

SECURITY.md

File metadata and controls

52 lines (35 loc) · 3.09 KB

Security Policy

Reporting a Vulnerability

Californium supports the use of GitHub security advisories as pilot for eclipse projects. Please consider to use it for reporting vulnerabilities.

Alternatively may also report a vulnerability opening a bugzilla ticket.

For more details, please look at https://www.eclipse.org/security.

Supported Versions

Version Supported
3.8.0-SNAPSHOT (main) ✔️
3.7.0 ✔️
3.6.0, 3.5.0, 3.4.0, 3.3.1, 3.2.0, 3.1.0, 3.0.0
2.7.4
2.7.3, 2.6.6, 2.5.0, 2.4.1,
2.3.1, 2.2.3, 2.1.0,
2.0.0
before 2.0.0

✔️ development version / current release - all bugfixes will be applied

❓ the previous (bugfix-)releases - update to the current release is recommended. On exceptions, specific bugfixes may be applied on request. (Create a vulnerability report with the requested vulnerability fix and the (bugfix-)version.)

❌ old releases, milestone releases - usually no bugfixes are applied there.

Known Vulnerabilities

Californium Version Vulnerability
< 3.7
< 2.7.4
Failing DTLS handshake CVE-2022-39368
< 3.6
< 2.7.3
DTLS resumption handshake CVE-2022-2576
< 3.0-M3
< 2.6.5
DTLS certificates verification bypass CVE-2021-34433
< 2.6.0 DTLS certificates verification fails sticky CVE-2020-27222

See also NIST database of known Californium vulnerabilities

Known Vulnerabilities Of Dependencies

Californium Version Dependency Affected Version Usage Vulnerability
< 3.6
< 2.7.3
com.google.code.gson < 2.8.9 demo-apps CVE 2022-25647
< 3.3
< 2.7.2
com.upokecenter.cbor 4.0 - 4.5.0 cf-oscore
demo-apps
GHSA-fj2w-wfgv-mwq6
< 3.2
< 2.7.1
ch.qos.logback.logback-classic < 1.2.9 demo-apps CVE-2021-42550

Known Vulnerabilities Of Runtime Dependencies

Californium Version Dependency Affected Version Usage Vulnerability
< 3.5 JDK / JCE <= 15.0.2?
<= 16.0.2?
< 17.0.3
< 18.0.1
execution environment ECDSA CVE-2022-21449