Hello.
You don't publish the list of historical vulnerabilities you had, and they're only vaguely mentioned in your changelog. That makes it hard to identify whether a server can be compromised through an old version of Cockpit.
Let's say someone has a server somewhere acting weirdly, which raised his or her EDR alerts, and he or she is checking the Cockpit source code and the list of historical RCEs. Well, I can tell you that this very someone would be pretty annoyed that the only place with any mention of Cockpit vulns is the third-party CVE website: https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe%3A2.3%3Aa%3Aagentejo%3Acockpit%3A-%3A*%3A*%3A*%3A*%3A*%3A*%3A*
Please start documenting your previous vulnerabilities, so that incident responders can quickly tell whether or not a specific version has an obvious RCE.
Like, even https://github.com/search?q=repo%3ACockpit-HQ%2FCockpit%20CVE&type=code shows no output
Many thanks :)