cockpit icon indicating copy to clipboard operation
cockpit copied to clipboard

Published 20 hours ago verified publisher icon agentejo

No release notes / mentions of vulnerabilities

Open eternalflamez opened this issue 3 years ago • 3 comments

Our cockpit instances were breached due to not running 0.11.2 yet.

There is no mention of any vulnerability or fix thereof except for in the commit messages (that only mention it being a "possible" vulnerability, implying it could also be safe). Is it possible to do some automatic release notes based on the git commit names that are part of the releases? Or at least put mentions of these breaches in the main readme.

For those interested, breach information: https://portswigger.net/daily-swig/cockpit-cms-flaws-exposed-web-servers-to-nosql-injection-exploits

eternalflamez avatar May 19 '21 15:05 eternalflamez

Thank you for bringing this issue up. I used cockpit on a couple of projects and was missing some kind of changelog or release notes as well. Maybe someone, who is more into the project, could give us his opinion on this.

I personally think of something like https://keepachangelog.com/en/1.0.0/

What do you think?

remluben avatar Nov 28 '21 14:11 remluben

@remluben there’s an open PR with the start of the changelog #1398

MarcoDaniels avatar Nov 28 '21 18:11 MarcoDaniels

@MarcoDaniels Thank you very much, I must have missed this one.

remluben avatar Nov 29 '21 19:11 remluben