1.14.1 security features CFG & DEP


Alexander Zimmermann

Nov 26, 2021, 11:37:06 AM
to TortoiseSVN
Hello all,

I'm in the process of an internal company application certification, one part of it is the TortoiseSVN client.
The test team got the latest official stable 1.14.1.29085-x64, they found 2 low and 1 medium "vulnerability".
I would like to kindly ask if you can have a look at them one by one (will do 3 separate posts, as suggested in the report FAQ), and if there is a possibility to adjust for this.

---
Severity: Low
Vulnerability: Security Feature not Enabled
Description: The test team observed that the "CFG" and/or "DEP" security features are disabled for some of the DLLs.
Screenshot attached with a couple of examples of the bin installation directory.
---

The test team mentioned to me that low vulnerabilities can be justified if it cannot be managed to change or has been applied for specific reasons.
Any help is much appreciated.

Thank you
Alexander

TortoiseSVN-securityfeatures.png
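The finding above is what a binary scanner reports from two bits in the PE optional header: IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100, "NX compatible" in dumpbin, i.e. DEP) and IMAGE_DLLCHARACTERISTICS_GUARD_CF (0x4000, "Control Flow Guard"). The following Python script is an added example for reproducing that check offline; it is not part of the thread and not TortoiseSVN's own tooling. It walks the DOS header, PE signature, COFF header and optional header by hand (no pefile dependency), reports which mitigation bits are set, and, when run without arguments, demonstrates on two constructed header-only images rather than a real DLL. The function and constant names are the example's own.

```python
"""Report DEP (NX_COMPAT) and CFG (GUARD_CF) bits from a PE image's
DllCharacteristics field. Added example, not TortoiseSVN code."""
import struct
import sys
from pathlib import Path

# IMAGE_DLLCHARACTERISTICS_* bits as defined in winnt.h
DLLCHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE (ASLR)",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT (DEP)",
    0x0400: "NO_SEH",
    0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF (CFG)",
}
NX_COMPAT = 0x0100
GUARD_CF = 0x4000


def read_dll_characteristics(data: bytes) -> int:
    """DOS header -> PE signature -> COFF header -> optional header; return the
    16-bit DllCharacteristics value. Raises ValueError for non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                           # optional header starts here
    if size_of_optional < 72 or len(data) < opt + size_of_optional:
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ layouts
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return dll_chars


def mitigations(data: bytes) -> dict:
    """Summarise the header bits a scanner would flag. Note: GUARD_CF only
    records that the linker emitted CFG metadata (/guard:cf); a full audit
    would also inspect IMAGE_LOAD_CONFIG_DIRECTORY.GuardFlags."""
    dc = read_dll_characteristics(data)
    return {
        "dep": bool(dc & NX_COMPAT),
        "cfg": bool(dc & GUARD_CF),
        "flags": [name for bit, name in sorted(DLLCHARACTERISTICS.items()) if dc & bit],
    }


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed stand-in for a DLL: only the header fields this parser reads
    are populated, everything else is zero. Not a loadable image."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_opt = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (DLL | EXECUTABLE_IMAGE)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, size_opt, 0x2002)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def scan(paths) -> dict:
    """Scan files on disk; parse errors are reported per file, not raised."""
    results = {}
    for p in paths:
        try:
            results[p] = mitigations(Path(p).read_bytes())
        except (OSError, ValueError) as exc:
            results[p] = {"error": str(exc)}
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, r in scan(sys.argv[1:]).items():
            print(path, r)
    else:
        # No files given: demonstrate on constructed images
        hardened = build_minimal_pe(0x0020 | 0x0040 | 0x0100 | 0x4000)
        legacy = build_minimal_pe(0x0040 | 0x0100)   # ASLR + DEP, no CFG
        for name, img in (("hardened", hardened), ("legacy", legacy)):
            print(name, mitigations(img))
```

Run it as `python pe_mitigations.py "C:\Program Files\TortoiseSVN\bin\*.dll"` (expand the glob in your shell) to get the same DEP/CFG verdict per file that the test team's screenshot shows. Two caveats when reading the output: the DEP bit is per image but the process-wide policy also matters for 32-bit processes, and the CFG bit only says the linker emitted CFG metadata; whether anything enforces it depends on the OS version the image is loaded on.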

Stefan

Nov 26, 2021, 1:05:49 PM
to TortoiseSVN
On Friday, November 26, 2021 at 5:37:06 PM UTC+1 Alexander Zimmermann wrote:

---
Severity: Low
Vulnerability: Security Feature not Enabled
Description: The test team observed that the "CFG" and/or "DEP" security features are disabled for some of the DLLs.
Screenshot attached with a couple of examples of the bin installation directory.
---

I'm not sure what you call a vulnerability here. Not having every security feature enabled is not a vulnerability.
Also, "control flow guard" is only available from Win 8.1 on, and TSVN is still compatible with Win7, so it simply cannot be enabled in the binaries.

Alexander Zimmermann

Nov 29, 2021, 10:32:26 AM
to TortoiseSVN
Your reply is much appreciated, I will justify with the Win7 compatibility. Thanks!