Re: CVE-2020-19909 possibly released without curl's authors ack (yet another NVD Critical)
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Sat, 26 Aug 2023 19:50:43 +0200 (CEST)
On Sat, 26 Aug 2023, Daniel Stenberg via curl-library wrote:
> Step one. A blog post with some details:
Other things I've done:
- I've pushed my blog post on social media to distribute awareness.
- I pull strings to get the CVE rejected. It is such a weird system so we
can't easily see which CNA assigned the ID. Some language on the NVD
site made me think it was done by MITRE itself but I cannot find any public
way to contact MITRE to get a CVE rejected. For any reason.
- I wrote up an information page about this bogus CVE on the curl site:
https://curl.se/docs/CVE-2020-19909.html
Several people have told me that the only effective means that exists against
abusive CVE filings like this is to become your own CNA, as then you can
apparently "lock" your product so that CVEs can only be assigned by
your own CNA. I will look into this option.
--
/ daniel.haxx.se
| Commercial curl support up to 24x7 is available!
| Private help, bug fixes, support, ports, new features
| https://curl.se/support.html

Received on 2023-08-26