Request for a new CVE.
project: Eclipse Xtext & Xtend
version: all versions prior to 2.18.0
cwe: CWE-829: Inclusion of Functionality from Untrusted Control Sphere
cwe: CWE-494: Download of Code Without Integrity Check
All Xtext & Xtend versions prior to 2.18.0 were built using HTTP instead of HTTPS file transfer, and thus the built artifacts may have been compromised.
The original report was https://bugs.eclipse.org/bugs/show_bug.cgi?id=544852 and, respectively, https://github.com/eclipse/xtext-xtend/issues/759
Is this a duplicate of Bug 544852, or do we need both? By way of process, I have not responded to the CVE assignment request on Bug 544852 because a project committer has not confirmed the request. If you put Comment 0 on Bug 544852, I will take it from there. As a matter of practice, we assign the CVE only at the request of a committer.

> When all of the information is assembled and the vulnerability
> is ready for disclosure, a project team member must send a
> message to the Security Team with a request to assign a CVE
> Number and send the report to the central authority.

The bug also needs to be marked FIXED and the committers-only flag removed. There's more here: https://www.eclipse.org/projects/handbook/#vulnerability-cve
I don't know if this is the same CVE or not. I created this one because you obviously didn't want everything to be handled in https://bugs.eclipse.org/bugs/show_bug.cgi?id=544852, which is why you told Jonas to create public GitHub issues in the first place instead of dealing with the problem in https://bugs.eclipse.org/bugs/show_bug.cgi?id=544852

> The bug also needs to be marked FIXED and the committers-only flag removed.

Which bug do you refer to?
BTW, https://github.com/eclipse/xtext-xtend/issues/759 is a public issue, so the committers-only flag is irrelevant. And it's closed as fixed.
Okay. I see where this went off the rails. This is certainly related to Bug 544852, but it is not the same. That bug concerns the general issue, this one is specific to Xtext. My apologies for being thick-headed. I think that I'm fully caught up. Per the process, this bug needs to be marked fixed and the committer-only flag removed before I can create the CVE. Given that this issue has been publicly disclosed via the GitHub Issue, I'll mark it fixed and remove the committer-only flag for disclosure to the central authority.
+1
Pull request (to promote to central authority): https://github.com/CVEProject/cvelist/pull/2010