Post AafIV2fdJypuBTqLUO by msw@mstdn.social
(DIR) Post #AafIUyuNJEFeW2i3ua by msw@mstdn.social
2023-10-10T17:47:01Z
0 likes, 1 repeats
This is your regular reminder that CVSSv3 base scores are information-poor, and taken alone are not fit for the purpose of evaluating appropriate actions to take for a given security vulnerability.

I am hoping that CVSSv4 helps improve industry practices. It's badly needed.

#InfoSec #CVSS #CVE

https://csrc.nist.gov/csrc/media/Presentations/2023/update-on-cvss-4-0/jan-25-2023-ssca-dugal-rich.pdf
(DIR) Post #AafIV0vVnyLim9Fzxg by msw@mstdn.social
2023-10-10T17:53:07Z
0 likes, 0 repeats
If you use #curl or #libcurl and are worried about the pending "High" CVE that's coming out, @bagder said...

"Every security flaw requires a set of conditions to apply for the problem to trigger. The pending security vulnerabilities are no different. I cannot comment on what that set is ahead of time.

The severity level is a blunt tool. This is a HIGH severity problem but there is still going to be a large chunk of users who will not be affected by these problems."

https://github.com/curl/curl/discussions/12026#discussioncomment-7195449
(DIR) Post #AafIV2fdJypuBTqLUO by msw@mstdn.social
2023-10-10T17:56:09Z
0 likes, 0 repeats
The "High" rating for this bulletin, like "CVSSv3 base score >= 7.0", is information-poor.

For open source libraries in particular, there are many potential mitigating circumstances.

I really want the #InfoSec community and industry practice to improve so that we don't blindly look at base scores or vendor ratings for #FOSS libraries in particular, and then panic.
(DIR) Post #AafIV4RWjOjzgJG6mO by msw@mstdn.social
2023-10-11T02:46:01Z
0 likes, 0 repeats
Over on the bad place, it looks like an embargoed patch leaked?

#curl #libcurl #cve202338545 #InfoSec

https://twitter.com/_JohnHammond/status/1711913166165463220