You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Fixed zip-slip vulnerability in `ZipMisc`. This could have allowed a malicious zip file to extract itself into an arbitrary directory. The only file that Goomph extracts is the p2 bootstrapper and eclipse metadata files hosted at `eclipse.org`, which are not malicious, so the only way this vulnerability could have affected you is if you had set a custom bootstrap zip, and that zip was malicious. Unlikely! Defense in depth is important, so good to have this fixed, and thanks to @JLLeitschuh for reporting, and with a fix no less! ([#198](https://github.com/diffplug/goomph/pull/198))
- Fixed zip-slip vulnerability in `ZipMisc` ([CVE-2022-26049](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26049)). This could have allowed a malicious zip file to extract itself into an arbitrary directory. The only file that Goomph extracts is the p2 bootstrapper and eclipse metadata files hosted at `eclipse.org`, which are not malicious, so the only way this vulnerability could have affected you is if you had set a custom bootstrap zip, and that zip was malicious. Unlikely! Defense in depth is important, so good to have this fixed, and thanks to @JLLeitschuh for reporting, and with a fix no less! ([#198](https://github.com/diffplug/goomph/pull/198))
- Bumped all deps to latest. ([#199](https://github.com/diffplug/goomph/pull/199))
