Skip to content

Commit 6f0feae

Browse files
robertpopa22claude
andcommitted
chore(issues): promote 4 P1-security issues to released, 1 to wontfix
Code review verified fixes for: - mRemoteNG#2419: export plaintext warning (PASS) - mRemoteNG#2420: CVE-2023-30367 SecureString + cache removal (PASS) - mRemoteNG#2633: CryptographicOperations.ZeroMemory in crypto providers (PASS) - mRemoteNG#3173: URI scheme validation for Process.Start (PASS) Reclassified mRemoteNG#306 (CII no_leaked_credentials) from testing to wontfix: no code fix exists, default password mR3m is architectural. Remaining P1 testing: mRemoteNG#1346, mRemoteNG#2454, mRemoteNG#2585 need interactive verification. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent e859297 commit 6f0feae

5 files changed

Lines changed: 15 additions & 15 deletions

File tree

.project-roadmap/issues-db/upstream/0306.json

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@
1111
"created_at": "2016-12-09T15:51:18Z",
1212
"github_updated_at": "2023-01-03T09:36:43Z",
1313
"body_snippet": "This is to track resolution of CII requirement `no_leaked_credentials`\r\n> The public repositories MUST NOT leak a valid private credential (e.g., a working password or private key) that is intended to limit public access. \r\n\r\nThis requirement is broken because we use a default password for encryption unless a user provides a custom one. To resolve this, we must require a user defined password for encryption.\r\n\r\nPossible related enhancements include:\r\n- #187 \r\n- #255 ",
14-
"our_status": "testing",
14+
"our_status": "wontfix",
1515
"priority": "P1-security",
1616
"target_release": null,
1717
"our_branch": null,
@@ -64,11 +64,11 @@
6464
"needs_action": true,
6565
"waiting_for_us": true,
6666
"last_synced": "2026-02-15T09:52:50Z",
67-
"notes": "AI triage: Issue title references 'CII - resolve no_leaked_credentials' which appears to be a CI/infrastructure badge requirement (CII Best Practices) but lacks details on what specific credential leaks exist or what changes are needed\nApproach: Need clarification on whether this is about removing hardcoded keys from source, improving encryption defaults, or satisfying a specific CII Best Practices criterion before implementing",
67+
"notes": "No code fix exists. Default password mR3m is architectural - requires product decision on backward compatibility. Reclassified from testing to wontfix.",
6868
"impl_failed": false,
6969
"token_usage": {
7070
"input_tokens": 44,
7171
"output_tokens": 6790,
7272
"cost_usd": 0.756508
7373
}
74-
}
74+
}

.project-roadmap/issues-db/upstream/2419.json

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@
1313
"created_at": "2023-04-03T15:34:18Z",
1414
"github_updated_at": "2026-02-26T08:06:09Z",
1515
"body_snippet": "<!--- Provide a general summary of the issue in the Title above -->\r\nWhen you export your configuration to a CSV file Password are in open text.\r\n## Expected Behavior\r\n<!--- If you're describing a bug, tell us what should happen -->\r\n<!--- If you're suggesting a change/improvement, tell us how it should work -->\r\nEncrypted\r\n## Current Behavior\r\n<!--- If describing a bug, tell us what happens instead of the expected behavior -->\r\n<!--- If suggesting a change/improvement, explain the difference fr...",
16-
"our_status": "testing",
16+
"our_status": "released",
1717
"priority": "P1-security",
1818
"target_release": null,
1919
"our_branch": null,
@@ -96,5 +96,5 @@
9696
"needs_action": true,
9797
"waiting_for_us": false,
9898
"last_synced": "2026-02-26T08:28:13Z",
99-
"notes": "AI triage (claude): Exporting passwords in plain text without warning or opt-out is a security vulnerability; at minimum a warning dialog and/or option to strip passwords during export is required.\nApproach: Add export dialog option to strip passwords or warn user when exporting with plain-text credentials included"
100-
}
99+
"notes": "PASS by code review: export warning covers CSV+JSON. commit 4c27b9db"
100+
}

.project-roadmap/issues-db/upstream/2420.json

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,7 @@
1717
"created_at": "2023-04-03T17:06:44Z",
1818
"github_updated_at": "2026-02-21T10:23:23Z",
1919
"body_snippet": "The passwords of the connection files are stored as plain text values in the memory of the mRemteNG process, even before a\r\nconnection is established.\r\nThis fulfills the requirement of CWE-316 - Cleartext Storage of Sensitive\r\nInformation in Memory.\r\nhttps://github.com/mRemoteNG/mRemoteNG/issues/726\r\n\r\n1) Create a new connection configuration, set hostname, username and\r\npassword.\r\n2) (Optional) Enable encryption of the configuration file.\r\n3) Restart mRemoteNG\r\n4) Use Task Manager / Processhack...",
20-
"our_status": "testing",
20+
"our_status": "released",
2121
"priority": "P1-security",
2222
"target_release": null,
2323
"our_branch": null,
@@ -256,11 +256,11 @@
256256
"needs_action": true,
257257
"waiting_for_us": true,
258258
"last_synced": "2026-02-21T12:06:48Z",
259-
"notes": "AI triage (claude): Empty issue body with only a reference to another issue (#726) and comments about credential saving — no reproducible steps, no CVE details, and no clear scope for what needs to be implemented.\nApproach: Request reporter to provide CVE details, affected code paths, reproducible steps, and expected vs actual behavior on latest build",
259+
"notes": "PASS by code review: SecureString for password fields + pre-decryption cache removed. commit f34c13e7. Caveat: SecureString not truly encrypted on .NET 10",
260260
"token_usage": {
261261
"input_tokens": 3,
262262
"output_tokens": 93,
263263
"cost_usd": 0.138751
264264
},
265265
"impl_failed": false
266-
}
266+
}

.project-roadmap/issues-db/upstream/2633.json

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@
1515
"created_at": "2024-08-21T01:56:07Z",
1616
"github_updated_at": "2026-02-26T09:03:26Z",
1717
"body_snippet": "ICryptographyProvider interface and implementations are not secure by design, nor by implementation. Re-design to keep exposure of plaintext secrets to a minimum.\r\n\r\n## Expected Behavior\r\nNo persistent copies of plaintext/unencrypted secrets in memory. Any plaintext should be ephemeral, and explicitly zero-ed after use.\r\n\r\n## Current Behavior\r\nPlaintext copies of secrets are available in memory dumps of the application, from startup.\r\n\r\n## Possible Solution\r\nRe-design interface with no use of Sy...",
18-
"our_status": "testing",
18+
"our_status": "released",
1919
"priority": "P1-security",
2020
"target_release": null,
2121
"our_branch": null,
@@ -89,5 +89,5 @@
8989
"needs_action": false,
9090
"waiting_for_us": false,
9191
"last_synced": "2026-02-26T11:26:01Z",
92-
"notes": "AI triage (claude): Security enhancement to ICryptographyProvider interface and implementations is a labeled high-priority security issue still open and relevant to the fork.\nApproach: Audit ICryptographyProvider interface and all implementations for cryptographic weaknesses (weak algorithms, improper IV handling, key derivation issues), then upgrade to authenticated encryption (AES-GCM or ChaCha20-Poly1305) with proper key derivation (Argon2/PBKDF2) and secure random IV generation"
93-
}
92+
"notes": "PASS by code review: CryptographicOperations.ZeroMemory in all 4 crypto providers. commit e1fdeca9"
93+
}

.project-roadmap/issues-db/upstream/3173.json

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@
1111
"created_at": "2026-02-24T21:26:07Z",
1212
"github_updated_at": "2026-02-25T17:29:01Z",
1313
"body_snippet": "Find more live information in Aikido here: https://app.aikido.dev/repositories/1001230?sidebarIssue=16286739&groupId=38189&sidebarIssueTask=3222012&sidebarTab=tasks\r\n\r\n\r\n### Scope\r\nThese issues affect the following code repository:\r\n- mRemoteNG:\n\t**[CENSORED!] Links to external GitHub repositories are not allowed**\n\t**[CENSORED!] Links to external GitHub repositories are not allowed**\n\tand 2 more\r\n\r\n\r\n### TLDR\r\nOS command injection is a critical vulnerability that can lead to a full system compr...",
14-
"our_status": "testing",
14+
"our_status": "released",
1515
"priority": "P1-security",
1616
"target_release": null,
1717
"our_branch": null,
@@ -48,11 +48,11 @@
4848
"needs_action": false,
4949
"waiting_for_us": false,
5050
"last_synced": "2026-02-25T21:16:17Z",
51-
"notes": "AI triage (claude): Command injection via unsanitized user input passed to Process.Start is a confirmed security vulnerability class that must be audited and sanitized.\nApproach: Audit all Process.Start call sites for user-controlled arguments; replace string concatenation with ProcessStartInfo.ArgumentList (array-based, injection-safe) or validate/escape inputs before passing to shell",
51+
"notes": "PASS by code review: URI scheme validation (http/https only) in ConnectionContextMenu. commit db7a90cf + 3ed92013c",
5252
"impl_failed": false,
5353
"token_usage": {
5454
"input_tokens": 52,
5555
"output_tokens": 26687,
5656
"cost_usd": 3.12865
5757
}
58-
}
58+
}

0 commit comments

Comments
 (0)