[llvm] Add security group 2023 transparency report. (PR #80272)

George Burgess IV via llvm-commits llvm-commits at lists.llvm.org
Thu Feb 1 08:32:10 PST 2024


================
@@ -76,3 +76,42 @@ the time of writing this transparency report.
 
 No dedicated LLVM releases were made for any of the above issues.
 
+2023
+----
+
+In this section we report on the issues the group received in 2023, or on issues
+that were received earlier, but were disclosed in 2023.
+
+9 of these were judged to be security issues:
+
+https://bugs.chromium.org/p/llvm/issues/detail?id=36 reports the presence of
+.git folder in https://llvm.org/.git.
+
+https://bugs.chromium.org/p/llvm/issues/detail?id=66 reports the presence of
+a GitHub Personal Access token in a DockerHub imaage.
+
+https://bugs.chromium.org/p/llvm/issues/detail?id=42 reports a potential gap
+in the Armv8.1-m BTI protection, involving a combination of large switch statements
+and __builtin_unreachable() in the default case.
+
+https://bugs.chromium.org/p/llvm/issues/detail?id=43 reports a dependency
+on an old version of xml2js with a CVE filed against it.
+
+https://bugs.chromium.org/p/llvm/issues/detail?id=45 reports a number of
+dependencies that have had vulnerabilities reported against them.
+
+https://bugs.chromium.org/p/llvm/issues/detail?id=46 is related to issue 43
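Review bot: typo in the issue 66 entry, `DockerHub imaage` should be `DockerHub image`; and the last added line shown here, `is related to issue 43`, has no terminating period, so either end the sentence there or make sure the continuation of that paragraph is in the full patch. Since this section leads with "9 of these were judged to be security issues", it also helps readers to keep one blank-line-separated paragraph per issue as the earlier entries do, so the count can be checked against the list.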
----------------
gburgessiv wrote:

nit: Missing trailing `.`

https://github.com/llvm/llvm-project/pull/80272
