Re: [ide-dev] Security flaw in ADT is somehow presented as a flaw in Eclipse IDE

It seems to be https://bugs.eclipse.org/bugs/show_bug.cgi?id=519169
(see the mention of XXE and the name of the reporter matching the cited post)

Since this bug is restricted, let me know if I should add anyone to Cc: to be able to read it,
or should I remove the restriction as the vulnerability is public now?

Dave Carver had analyzed this for Andmore and saw only low risk.

This is independent of the PR aspect.

best,
Stephan

On 2017-12-06 08:37, Mickael Istria wrote:

This piece of news is spreading very fast on social media. As far as I understand (and I may be wrong), the security flaw mentioned here isn't in Eclipse IDE itself but in ADT or some other piece of Android SDK.
So basically, Eclipse IDE once again has its image hurt by an issue in ADT...
If this happens to be the case, it would be interesting to have the Eclipse Foundation sending a PR to explain that Eclipse IDE itself is fine, and is open for extensions, and that security flaws in extensions are only the responsibility of extension providers; and warn against this kind of message which tends to blame the wrong layer.

Cheers,
--
Mickael Istria
Eclipse IDE developer, at Red Hat Developers community
Elected Committer Representative at the Eclipse Foundation board of directors
