Re: The life of a curl security bug

From: Rich Gray <>
Date: Sat, 7 Oct 2017 11:16:58 -0400

Daniel Stenberg wrote:
> I wrote a blog post on exactly what we do when we receive and deal with a
> security problem in curl. From report to release.

[I tried to post this as a comment to your article, but it failed with:

"Replace this text with the error page you would like to serve to clients if
your origin is offline."]

Nice. I do wonder if you should spell out what a CVE is. Sometimes you
seem to use CVE as shorthand for CVE id, at other times for the CVE report.

  The CVE

  Once we have an advisory and a patch, none of which needs to be
  their final versions, we can proceed and ask for a CVE ID. The
  Common Vulnerabilities and Exposures[1] (CVE) system provides a
  reference-method for publicly known cyber-security issues.

What sort of embargo does Mitre allow? (Every time I hear that name, I'm
reminded of Clifford Stoll's delightful 1989 book, The Cuckoo's Egg[2], in
which a hippie astrophysicist at Lawrence Berkeley National Laboratory in
California is thrust into the world of cyber spies and national security
agencies as he tracks down a hacker working for the KGB. The hacker was
connecting from Germany through Mitre via dial-up modem and getting onto
MILNET. The book inspired a 1990 PBS NOVA episode.[3] Even though the
technology is dated (1200 baud!), the security lessons are still quite valid.
The book is a great read if you can find it.)


