Skip to content

Security: WinterKi1ler/californium

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

Californium supports the use of GitHub security advisories as pilot for eclipse projects.

To report a vulnerability, go directly to the form. Alternatively, switch to the Security tab, then click "Report a vulnerability" and another "Report a vulnerability" button again.

You may also report a vulnerability opening a bugzilla ticket.

For more details, please look at https://www.eclipse.org/security.

Supported Versions

Version Supported
3.12.0-SNAPSHOT (main) ✔️
3.11.0 ✔️
3.10.0, 3.9.1, 3.9.0,
3.8.0, 3.7.0, 3.6.0,
3.5.0, 3.4.0, 3.3.1,
3.2.0, 3.1.0, 3.0.0
2.8.0
2.7.4, 2.6.6, 2.5.0,
2.4.1, 2.3.1, 2.2.3,
2.1.0, 2.0.0
before 2.0.0

✔️ development version / current release - all bugfixes will be applied

❓ the previous (bugfix-)releases - update to the current release is recommended. On exceptions, specific bugfixes may be applied on request. (Create a vulnerability report with the requested vulnerability fix and the (bugfix-)version.)

❌ old releases, milestone releases - usually no bugfixes are applied there.

Known Vulnerabilities

Californium Version Vulnerability
< 3.7
< 2.7.4
Failing DTLS handshake CVE-2022-39368
< 3.6
< 2.7.3
DTLS resumption handshake CVE-2022-2576
< 3.0-M3
< 2.6.5
DTLS certificates verification bypass CVE-2021-34433
< 2.6.0 DTLS certificates verification fails sticky CVE-2020-27222

See also NIST database of known Californium vulnerabilities

Known Vulnerabilities Of Dependencies

Californium Version Dependency Affected Version Usage Vulnerability
< 3.6
< 2.7.3
com.google.code.gson < 2.8.9 demo-apps CVE 2022-25647
< 3.3
< 2.7.2
com.upokecenter.cbor 4.0 - 4.5.0 cf-oscore
demo-apps
GHSA-fj2w-wfgv-mwq6
< 3.2
< 2.7.1
ch.qos.logback.logback-classic < 1.2.9 demo-apps CVE-2021-42550

Known Vulnerabilities Of Runtime Dependencies

Californium Version Dependency Affected Version Usage Vulnerability
< 3.5 JDK / JCE <= 15.0.2?
<= 16.0.2?
< 17.0.3
< 18.0.1
execution environment ECDSA CVE-2022-21449
< 3.10 logback < 1.2.13 logging implementation Remote appender CVE-2023-6378
CVE-2023-6481

There aren’t any published security advisories