Oqtane 6.0 Security Warnings #4941
Comments
@iJungleboy 6.0.1 was released on Friday, Dec 20 (coincidentally on the same date that these CVEs appear to have been created)
Apparently the Security workflow on GitHub does not function as expected. GitHub repos have a Private Vulnerability Reporting feature which "Allows users to privately report potential security vulnerabilities" and it includes the following information:
The idea behind this is that people can report potential issues to the maintainer so they can be investigated. Investigation is required because many issues which are reported are not actually security issues - they are a misunderstanding of the functionality of the application. The maintainer is supposed to have the ability to manage these issues so that they do not raise false alarms. Unfortunately it appears that the process is not being followed. Either GitHub is broadcasting issues BEFORE they are confirmed or published (not likely), or security researchers are trying to claim credit for the (non-validated) vulnerabilities they reported and publishing their claims in the public domain... which are then indexed and shared by CVE aggregators (more likely). If it is the latter, then it is just another example of stakeholders trying to take advantage of open source projects for their own personal gain. The CVEs which are currently being surfaced through GitHub Dependabot are not accurate. However it is not clear how anyone is supposed to resolve these inaccuracies once they are published through the CVE aggregator networks. I have now disabled the Private Vulnerability Reporting feature for the Oqtane repo as it appears to cause more harm than good. Very disappointing.
Added a comment to PR #4878 for clarification about the CVE.
All my current projects somehow tied in with Oqtane are getting High Severity security warnings issued by GitHub. I would claim we're not affected, since the presumed vector requires some user login, which all our sites don't have.
But I think it will give many a scare, especially right before the holidays where they are off.
Pls release 6.1. asap ❤️🩹