No notice about serious CVE #683

Open
tomchiverton opened this issue Sep 30, 2024 · 3 comments

Comments


tomchiverton commented Sep 30, 2024

https://flatpak.org/blog-posts/ doesn't mention recent 10.0 CVE https://nvd.nist.gov/vuln/detail/CVE-2024-42472 (see GHSA-7hgv-f2j8-xw87)

Neither has a press release been added to https://flatpak.org/press/

Contributor

razzeee commented Dec 12, 2024

I don't think that would fit very well into blog posts or press - it also seems to only have gotten a CVE from GitHub and doesn't seem checked by other databases, which makes me wonder about the level.

Author

tomchiverton commented Dec 15, 2024

So what is the project's policy on publishing vulnerabilities so users / downstream can make informed choices? Where do they get collected and published? Do they get collected and published?

Contributor

razzeee commented Dec 15, 2024
