CVE Request for Webform Multiple File

Created on 23 May 2025, 8 days ago

CVE Request

I'm attaching my assessment (as a Vulnogram JSON file) for:

[D7ES] XSS vulnerability on the file name renderer
https://security.drupal.org/node/162249

I used CVSS 4.0 because Vulnogram labels 3.1 as obsolete (though I'm not sure Drupal is ready for CVSS, per another issue I read).

In the assessment I presumed that a web form could be opened up to an unauthenticated user who could upload a malicious file, thus leading to a rating of High/7.

Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/S:N/R:U/V:D/RE:L/U:Amber

Happy to make revisions.

💬 Support request
Status

Active

Version

1.0

Component

Code

Created by

🇺🇸United States aangel


Comments & Activities

  • Issue created by @aangel
  • 🇺🇸United States aangel
  • 🇺🇸United States greggles Denver, Colorado, USA

    Thanks aangel. Moving status. And let's give this a few days for review.

  • 🇮🇹Italy bigbabert Milano, Italy

    Hi, why is there a link to the private security issue? Shouldn't it remain private? https://security.drupal.org/node/162249

  • 🇺🇸United States cmlara

    Question:
    It appears from the description that the vulnerability was in a 3rd-party product that was copied into the module.

    Would the module hosted on D.O. actually be the supplier of the vulnerable product in this case?

    Would section 4.3 of the CNA v4.1.0 rules come into play here?

    4.3.2 If a CNA is considering an assignment, and the CNA is not the Supplier of the vulnerable Product, then the CNA SHOULD make a reasonable and good faith effort to notify the Supplier. For example, if an operating system Supplier discovers a Vulnerability in a library from an upstream Supplier, in addition to assigning the CVE ID to the upstream Vulnerability, the operating system Supplier SHOULD attempt to notify the upstream library Supplier. This reduces duplicate CVE ID assignments and helps alert others that may be affected by the Vulnerability.

    This is an interesting grey area. I'm not 100% sure on this one way or the other; I'm bringing it up for discussion since Drupal actively publishing CVEs is a relatively new development and the procedures appear to still be under development.
