KnownVuln lacks information

Hi!
I noticed that some apps are marked with the Known Vuln flag when there are known vulnerabilities, which is great.
Still, I often ended up searching for those vulnerabilities without success. It would be nice to have some links with information about those vulnerabilities (e.g. bug reports…) provided alongside the flag on a per-app basis.

This would help me to weigh up the risk of installing an affected app, as well as getting active (e.g. by contributing patches to the project).

2 Likes

The explanation

Known Vulnerability
This Anti-Feature is applied to apps with a known security vulnerability, found by one of the scanners in fdroidserver.

is not very helpful. Why would F-Droid distribute apps having a known vulnerability? How severe is the vulnerability? How concerned should users be? Where can more info’ be found?

Of the currently 6 apps with this, 4 have “web” links going to 404 errors, maybe the “archived” issue.

Oh, the lack of info’ issue is another old, known issue.

Of those 6, 4 are Archived, one is some other bug elsewhere, and one has never been rebuilt.

So basically we have none in the repo…

/PS: elsewhere: Should old pdf readers/readers using old libraries be tagged with KnownVuln antifeature? (#2672) · Issues · F-Droid / Data · GitLab