Summary: | A null pointer reference exists in the wakaama project. | | |
---|---|---|---|
Product: | [IoT] Wakaama | Reporter: | L kerenl <736560763> |
Component: | Core | Assignee: | Simon Bernard <code> |
Status: | RESOLVED FIXED | QA Contact: | |
Severity: | normal | | |
Priority: | P3 | CC: | leif.sandstrom, sbertin, wayne.beaton |
Version: | unspecified | Keywords: | security |
Target Milestone: | --- | | |
Hardware: | PC | | |
OS: | Windows 10 | | |
Whiteboard: | | | |

Description
L kerenl
2021-01-05 21:38:22 EST
Eclipse Wakaama project committers: You can use the GitHub infrastructure to resolve this issue, but you'll need a CVE issued by the Eclipse Foundation (should you decide that you need one). You may also need me to push an advisory (should you decide to create one). There is information regarding how to deal with vulnerability reports in the handbook. Please let me know if you require a CVE.

Is it possible to continue the technical discussion on GitHub? The Wakaama project is in a reviving state and the team still doesn't have committer rights, and so I guess I am the only one able to see that. Is it possible to add people to this issue even if they are not committers on the project? (maybe by adding them to the CC list)

I guess we are far from being able to release a v2.0 and I feel that 1.0 will not be maintained.[1][2] Just to say that I don't know when a release would be available with a fix for this.

[1]: https://github.com/eclipse/wakaama/issues/487
[2]: https://github.com/eclipse/wakaama/issues/487#issuecomment-722259355

(In reply to Simon Bernard from comment #2)
> Is it possible to continue the technical discussion on GitHub?

Yes. I did try to state as much in Comment #1.

> The Wakaama project is in a reviving state and the team still doesn't have
> committer rights, and so I guess I am the only one able to see that. Is it
> possible to add people to this issue even if they are not committers on the
> project? (maybe by adding them to the CC list)

If you're waiting on the EMO for something regarding the committers, please send a note to emo@eclipse.org. You can add anybody that you need in CC and they will be able to access this bug.

I've been directed to ask about the CVE status of this bug. I initially asked for one and wasn't aware if one had been allocated or not.

This problem can only be triggered locally, but I think it can cause some problems, right?

My current understanding is that the issue concerns only the command line parsing of the server example. Considering this, for now I don't think a CVE or advisory is needed. Leif, Scott, any thoughts about this?

The issue is fixed on master: https://github.com/eclipse/wakaama/issues/514 And FMPOV a CVE is not needed as this just affects example command line input. So I guess we could close this. Scott, Leif, any thoughts about that?

I don't think a CVE is needed.

I've removed the confidentiality flag and have marked this as FIXED based on the discussion in Comment #6.