Currently, GitHub security advisories are not activated for Eclipse projects.
To report a vulnerability, you need to open a Bugzilla ticket.
For more details, please see https://www.eclipse.org/security/.
Only the Leshan library is covered; the demos are not.
Version | Supported
---|---
2.0.0 (master) | ✔️
1.x | ✔️
Note: ℹ️ The 1.x versions depend on Californium 2.x, whose support status is not clear.
See: https://github.com/eclipse/californium/security/policy
Version | Safe | CVE | Cause | Impact
---|---|---|---|---
2.0.0-M5 + | ✔️ | | |
2.0.0-M1 -> 2.0.0-M4 | ❌ | CVE-2021-34433 | dependency (californium/scandium) | affecting DTLS with x509 and/or RPK
1.3.2 + | ✔️ | | |
1.1.0 -> 1.3.1 | ❌ | CVE-2020-27222, CVE-2021-34433 | dependency (californium/scandium) | affecting DTLS with x509 and/or RPK
1.0.0 -> 1.0.2 | ❌ | CVE-2021-34433 | dependency (californium/scandium) | affecting DTLS with x509 and/or RPK
Note: We strongly encourage you to switch to the latest safe version. However, for a vulnerability caused by a dependency:
- if you want to be very conservative,
- and the affected library uses semantic versioning,
then you could try to just update the dependency to a safe, compatible version without upgrading Leshan.
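As an added illustration of that dependency-only update (example configuration, not part of Leshan's own policy or build files), the Maven `dependencyManagement` block below pins the transitive Californium/Scandium artifacts to a fixed version while leaving the Leshan version untouched; the artifact coordinates are assumed, and the version is a placeholder to be replaced with a safe release taken from the Californium security policy linked above.

```xml
<!-- Added example: override the transitive Californium/Scandium version
     without changing the Leshan version. Artifact coordinates are assumed;
     replace SAFE_CALIFORNIUM_VERSION with a release listed as safe in the
     Californium security policy. Keep all Californium artifacts on the same
     version so the DTLS stack stays consistent. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.eclipse.californium</groupId>
      <artifactId>scandium</artifactId>
      <version>SAFE_CALIFORNIUM_VERSION</version>
    </dependency>
    <dependency>
      <groupId>org.eclipse.californium</groupId>
      <artifactId>californium-core</artifactId>
      <version>SAFE_CALIFORNIUM_VERSION</version>
    </dependency>
    <dependency>
      <groupId>org.eclipse.californium</groupId>
      <artifactId>element-connector</artifactId>
      <version>SAFE_CALIFORNIUM_VERSION</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Before shipping, confirm which version actually resolves with `mvn dependency:tree -Dincludes=org.eclipse.californium`, and run the DTLS integration tests for the x509 and RPK modes named in the table, since those are the code paths the listed CVEs affect.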