Update SECURITY.md to reflect supported versions, add new CVE, and improve vulnerability reporting guidelines
This commit is contained in:
+26
-12
@@ -7,24 +7,38 @@ currently being supported with security updates.
|
|||||||
|
|
||||||
| Version | Supported |
|
| Version | Supported |
|
||||||
| ------- | ------------------ |
|
| ------- | ------------------ |
|
||||||
|
| 1.5.x | :white_check_mark: |
|
||||||
| 1.4.x | :white_check_mark: |
|
| 1.4.x | :white_check_mark: |
|
||||||
| 1.3.x | :white_check_mark: |
|
| 1.3.x | :x: |
|
||||||
| 1.2.x | :white_check_mark: |
|
| 1.2.x | :x: |
|
||||||
| 1.1.x | :white_check_mark: |
|
| 1.1.x | :x: |
|
||||||
| 1.0.x | :white_check_mark: |
|
| 1.0.x | :x: |
|
||||||
| 0.9.x | :x: |
|
| 0.9.x | :x: |
|
||||||
| 0.8.x | :white_check_mark: |
|
| 0.8.x | :x: |
|
||||||
| 0.7.x | :x: |
|
| 0.7.x | :x: |
|
||||||
| < 0.6.x | :x: |
|
| < 0.6.x | :x: |
|
||||||
|
|
||||||
|
|
||||||
## Coordinated Vulnerability Disclosure
|
## Coordinated Vulnerability Disclosure
|
||||||
|
|
||||||
From time to time a vulnerability is disclosed to [CVE](https://www.cve.org/)
|
Vulnerabilites are disclosed to [CVE](https://www.cve.org/)
|
||||||
|
or [GHSA](https://github.com/bacnet-stack/bacnet-stack/security/advisories?state=published)
|
||||||
and a record is created to identify, define, and catalog publicly disclosed
|
and a record is created to identify, define, and catalog publicly disclosed
|
||||||
cybersecurity vulnerabilities.
|
cybersecurity vulnerabilities. Here are the published vulnerability records:
|
||||||
|
|
||||||
Here are the known CVE records:
|
[CVE-2026-26264](https://www.cve.org/CVERecord?id=CVE-2026-26264) -
|
||||||
|
Undefined-behavior signed left shift in `decode_signed32()`
|
||||||
|
[GHSA-326g-j95f-gmxv](https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-326g-j95f-gmxv)
|
||||||
|
|
||||||
|
Out-of-Bounds Read in ReadPropertyMultiple Property Decoder via Deprecated Tag Parser
|
||||||
|
[GHSA-5w2v-mwqj-pr2c](https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-5w2v-mwqj-pr2c)
|
||||||
|
|
||||||
|
Off-by-One Out-of-Bounds Read in ReadPropertyMultiple Object ID Decoder
|
||||||
|
[GHSA-7545-3fpx-4xw3](https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-7545-3fpx-4xw3)
|
||||||
|
|
||||||
|
[CVE-2026-41475](https://www.cve.org/CVERecord?id=CVE-2026-41475) -
|
||||||
|
Out-of-Bounds Read in WritePropertyMultiple Decoder via Deprecated Tag Parser
|
||||||
|
[GHSA-cvv4-v3g6-4jmv](https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-cvv4-v3g6-4jmv)
|
||||||
|
|
||||||
[CVE-2026-26264](https://www.cve.org/CVERecord?id=CVE-2026-26264) -
|
[CVE-2026-26264](https://www.cve.org/CVERecord?id=CVE-2026-26264) -
|
||||||
WriteProperty decoding length underflow leads to OOB read and crash
|
WriteProperty decoding length underflow leads to OOB read and crash
|
||||||
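Review bot: CVE-2026-26264 is listed twice in the new version of this section with two different descriptions, once near the top paired with "Undefined-behavior signed left shift in `decode_signed32()`" and GHSA-326g-j95f-gmxv, and again at the bottom paired with "WriteProperty decoding length underflow leads to OOB read and crash" (the entry that already existed before this change). One CVE record cannot describe two different bugs, and the commit message says a new CVE was added, so the identifier on the `decode_signed32()` entry looks like a copy-paste of the existing one; please check it against the actual record and correct it before merging. Minor: "Vulnerabilites" in the first line of the rewritten disclosure paragraph should be "Vulnerabilities".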
@@ -64,9 +78,9 @@ Segmentation fault leading to denial of service
|
|||||||
|
|
||||||
## Reporting a Vulnerability
|
## Reporting a Vulnerability
|
||||||
|
|
||||||
Please use the "bugs" feature of Sourceforge.net to report a vulnerability,
|
Privately discuss, fix, and publish information about security
|
||||||
where it will be tracked until it is resolved.
|
vulnerabilities in this library using Github Security Advisories:
|
||||||
https://sourceforge.net/p/bacnet/bugs/
|
https://github.com/bacnet-stack/bacnet-stack/security/advisories/new
|
||||||
|
|
||||||
Vulnerabilities can also be reported using "issues" at Github.
|
Alternatively, vulnerabilities can be reported using "issues" at Github.
|
||||||
https://github.com/bacnet-stack/bacnet-stack/issues
|
https://github.com/bacnet-stack/bacnet-stack/issues
|
||||||
|
|||||||
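Review bot: the "Alternatively, vulnerabilities can be reported using "issues" at Github" fallback at the end of this hunk undercuts the private advisory path introduced two lines above it, because GitHub issues are public and a report filed there discloses the bug before any fix exists. Suggest limiting the fallback to cases where the advisory form cannot be used and asking reporters not to post details there, for example: "If you are unable to use the advisory form, open an issue asking for a private contact, without including vulnerability details." Minor: "Github" should be spelled "GitHub" in both new lines.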