Californium supports the use of GitHub security advisories as pilot for eclipse projects.
To report a vulnerability, go directly to the form. Alternatively, switch to the Security tab, then click "Report a vulnerability" and another "Report a vulnerability" button again.
You may also report a vulnerability opening a bugzilla ticket.
For more details, please look at https://www.eclipse.org/security.
| Version | Supported |
|---|---|
| 3.12.0-SNAPSHOT (main) | ✔️ |
| 3.11.0 | ✔️ |
| 3.10.0, 3.9.1, 3.9.0, 3.8.0, 3.7.0, 3.6.0, 3.5.0, 3.4.0, 3.3.1, 3.2.0, 3.1.0, 3.0.0 |
❓ |
| 2.8.0 | ❓ |
| 2.7.4, 2.6.6, 2.5.0, 2.4.1, 2.3.1, 2.2.3, 2.1.0, 2.0.0 |
❓ |
| before 2.0.0 | ❌ |
✔️ development version / current release - all bugfixes will be applied
❓ the previous (bugfix-)releases - update to the current release is recommended. On exceptions, specific bugfixes may be applied on request. (Create a vulnerability report with the requested vulnerability fix and the (bugfix-)version.)
❌ old releases, milestone releases - usually no bugfixes are applied there.
| Californium Version | Vulnerability |
|---|---|
| < 3.7 < 2.7.4 |
Failing DTLS handshake CVE-2022-39368 |
| < 3.6 < 2.7.3 |
DTLS resumption handshake CVE-2022-2576 |
| < 3.0-M3 < 2.6.5 |
DTLS certificates verification bypass CVE-2021-34433 |
| < 2.6.0 | DTLS certificates verification fails sticky CVE-2020-27222 |
See also NIST database of known Californium vulnerabilities
| Californium Version | Dependency | Affected Version | Usage | Vulnerability |
|---|---|---|---|---|
| < 3.6 < 2.7.3 |
com.google.code.gson | < 2.8.9 | demo-apps | CVE 2022-25647 |
| < 3.3 < 2.7.2 |
com.upokecenter.cbor | 4.0 - 4.5.0 | cf-oscore demo-apps |
GHSA-fj2w-wfgv-mwq6 |
| < 3.2 < 2.7.1 |
ch.qos.logback.logback-classic | < 1.2.9 | demo-apps | CVE-2021-42550 |
| Californium Version | Dependency | Affected Version | Usage | Vulnerability |
|---|---|---|---|---|
| < 3.5 | JDK / JCE | <= 15.0.2? <= 16.0.2? < 17.0.3 < 18.0.1 |
execution environment | ECDSA CVE-2022-21449 |
| < 3.10 | logback | < 1.2.13 | logging implementation | Remote appender CVE-2023-6378 CVE-2023-6481 |