Bug 572767 - verify that bittorrent is not vulnerable to CVEs
Summary: verify that bittorrent is not vulnerable to CVEs
Status: NEW
Alias: None
Product: ECF
Classification: RT
Component: ecf.protocols
Version: 3.14.0
Hardware: PC Mac OS X
Importance: P3 normal
Target Milestone: ---
Assignee: ecf.core-inbox CLA
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-11 16:35 EDT by Tony Homer CLA
Modified: 2021-04-11 16:35 EDT
CC: 2 users

See Also:

Description Tony Homer CLA 2021-04-11 16:35:20 EDT
My compositional analysis tool reports that ECF 3.14.21.v20210410-0052 is vulnerable to several CVEs via plugins/org.eclipse.ecf.protocol.bittorrent_0.3.201.v20210320-0245.jar.

Here are the CVEs identified:
https://nvd.nist.gov/vuln/detail/CVE-2008-4434
https://nvd.nist.gov/vuln/detail/CVE-2008-7166
https://nvd.nist.gov/vuln/detail/CVE-2008-0364
https://nvd.nist.gov/vuln/detail/CVE-2008-0071

I believe these apply to BitTorrent binaries, which are not included with ECF, so this finding is a false positive. However, due to my lack of familiarity with ECF, I am not confident in my assessment, so it would be great for someone on the team to review and verify.
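One way to check the reporter's hypothesis is to compare the bundle's own identity (from its OSGi manifest) with the vendor/product the CVEs are filed against, rather than matching on the word "bittorrent" alone. The script below is an added example and is not code from ECF, the reporter, or any scanner. The MANIFEST.MF text is constructed (only the symbolic name and version are taken from the jar file name in the report), and the CPE strings attached to the four CVE IDs are an assumed stand-in for NVD's applicability data, not copied from NVD; the vendor/product there is an assumption for illustration.

```python
# Constructed stand-in for META-INF/MANIFEST.MF of the bundle named in the report.
# Symbolic name and version are taken from the jar file name; other headers are assumed.
MANIFEST = """\
Manifest-Version: 1.0
Bundle-ManifestVersion: 2
Bundle-Name: ECF BitTorrent Protocol Provider
Bundle-SymbolicName: org.eclipse.ecf.protocol.bittorrent
Bundle-Version: 0.3.201.v20210320-0245
Bundle-Vendor: Eclipse.org - ECF
"""

# Hypothetical applicability data for the four CVEs in the report. NVD expresses this as
# CPE 2.3 match strings; the vendor/product used here is an assumption for illustration
# and is not copied from NVD.
FINDINGS = [
    {"cve": cve, "cpe": "cpe:2.3:a:bittorrent:bittorrent:*:*:*:*:*:*:*:*"}
    for cve in ("CVE-2008-4434", "CVE-2008-7166", "CVE-2008-0364", "CVE-2008-0071")
]


def parse_manifest(text):
    """Parse JAR manifest headers, joining continuation lines (leading space)."""
    headers, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key is not None:
            headers[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()
            headers[key] = value.strip()
    return headers


def bundle_identity(headers):
    """Reduce an OSGi bundle to a (vendor, product, version) triple comparable with a CPE."""
    vendor_hdr = headers.get("Bundle-Vendor", "").lower()
    vendor = "eclipse" if "eclipse" in vendor_hdr else vendor_hdr  # normalisation assumed
    product = headers["Bundle-SymbolicName"].lower()
    # OSGi versions are major.minor.micro.qualifier; the qualifier is a build stamp, drop it.
    version = ".".join(headers["Bundle-Version"].split(".")[:3])
    return vendor, product, version


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its named components."""
    fields = cpe.split(":")
    if fields[:2] != ["cpe", "2.3"] or len(fields) != 13:
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    names = ("part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other")
    return dict(zip(names, fields[2:]))


def keyword_match(identity, cpe):
    """What a name-driven scanner effectively does: the CPE product occurs in the artifact name."""
    _, product, _ = identity
    return parse_cpe23(cpe)["product"] in product


def identity_match(identity, cpe):
    """Require vendor and product to agree exactly; '*' in the CPE matches anything."""
    vendor, product, _ = identity
    c = parse_cpe23(cpe)
    return c["vendor"] in ("*", vendor) and c["product"] in ("*", product)


def triage(manifest_text, findings):
    """Classify each finding against the bundle: identity match, name-only match, or none."""
    identity = bundle_identity(parse_manifest(manifest_text))
    verdicts = {}
    for f in findings:
        if identity_match(identity, f["cpe"]):
            verdicts[f["cve"]] = "vendor and product match: investigate"
        elif keyword_match(identity, f["cpe"]):
            verdicts[f["cve"]] = "name-only match (likely false positive)"
        else:
            verdicts[f["cve"]] = "no match"
    return verdicts


if __name__ == "__main__":
    for cve, verdict in triage(MANIFEST, FINDINGS).items():
        print(cve, verdict)
```

Run against the constructed manifest, every one of the four findings comes back as a name-only match: the bundle's vendor is Eclipse and its product is the ECF provider bundle, neither of which is the BitTorrent client the CPE names. Version ranges are deliberately ignored here, because comparing an ECF bundle version against a BitTorrent client version bound is meaningless once vendor and product differ; that comparison is exactly what makes a keyword-driven scanner flag a 0.3.x artifact as "older than the fixed version".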