Hi Nathan,discovered at some point after we release, it’s best not to publish which specific Zoom client version contains the vulnerability, as that essentially gives a roadmap to exploitation for hackers. That said, we can provide more specific lists by request,
I am coming back to you regarding your request about the open source software source code page, that were containing invalid links.
All links in the page should now be working correctly (https://explore.zoom.us/en/opensource/source/).
Regarding your comment, please find the following explanations that I have received from our Dev team:
"We provide our OSS attribution in this manner intentionally, which is to say, it’s legally permissible (as per OSS licensing requirements) and more secure to be vague about the OSS contents of a given Zoom client/version… if a critical CVE is
Also, I’m happy to talk to any customers with specific needs… a quick review of our policies/processes might alleviate the need to provide one-off lists. And the reality is that most of our clients are comprised of a number of shared projects, somost share a common core of OSS libraries, which is to say, most of our client OSS reports will look pretty similar except for a few environment-specific entries."
I hope the above answers your query. Please let me know if you have any questions.
Best regards,
Arnaud
if a critical CVE is discovered at some point after we release, it’s
best not to publish which specific Zoom client version contains the vulnerability, as that essentially gives a roadmap to exploitation
for hackers.
https://explore.zoom.us/en/opensource/source/
"We provide our OSS attribution in this manner intentionally, which
is to say, it’s legally permissible (as per OSS licensing
requirements)
- Is the stated legal assertion accurate?
- Does an open-ended request suffice
- Must references be made (more) concretely, and if so ... how?
On Fri, 2022-01-28 at 20:23 +0000, Zoom Video Communications wrote:
if a critical CVE is discovered at some point after we release, it’s
best not to publish which specific Zoom client version contains the vulnerability, as that essentially gives a roadmap to exploitation
for hackers.
This is misguided at best, hackers are able to compare binaries and
find out what changed. Some adversaries have this automated and there
is even work on automatically deriving exploits from those diffs.
https://explore.zoom.us/en/opensource/source/
"We provide our OSS attribution in this manner intentionally, which
is to say, it’s legally permissible (as per OSS licensing
requirements)
On Fri, 2022-01-28 at 20:23 +0000, nmschulte@desmas.net wrote:
- Is the stated legal assertion accurate?
It completely depends on what components they are using and what
licenses they are using those components under. If you suspect a
violation of one of those licenses, please verify the details and
contact the copyright holder for the components in question.
- Does an open-ended request suffice
Given their response, I expect that they will reject such a request.
- Must references be made (more) concretely, and if so ... how?
Looking at the referenced web page, I see components licensed under the
LGPL, which means that each time Zoom releases software containing
those components, they must also release the exact corresponding source
for the version used by their software, as well as complying with the relinking and other requirements of the LGPL.
--
bye,
pabs
https://wiki.debian.org/PaulWise
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 297 |
Nodes: | 16 (2 / 14) |
Uptime: | 11:41:44 |
Calls: | 6,666 |
Files: | 12,213 |
Messages: | 5,336,377 |