First of all, most of FOSS security reports nowadays (that I see in #curl and #apache httpd) are non-threatening.

Reply to First of all, most of FOSS security reports nowadays (that I see in #curl and #apache httpd) are non-threatening. on Fri, 15 May 2026 11:39:37 GMT

[[global:guest]] — Fri, 15 May 2026 11:39:37 GMT

@icing I like to think we're closing the back doors and zero days nation state actors had found and not reported.

Reply to First of all, most of FOSS security reports nowadays (that I see in #curl and #apache httpd) are non-threatening. on Fri, 15 May 2026 10:25:31 GMT

[[global:guest]] — Fri, 15 May 2026 10:25:31 GMT

@icing And then people observe the changes required to fix the problem and can use them to create their exploit right away, even before the fix is released.

Reply to First of all, most of FOSS security reports nowadays (that I see in #curl and #apache httpd) are non-threatening. on Fri, 15 May 2026 09:46:49 GMT

[[global:guest]] — Fri, 15 May 2026 09:46:49 GMT

@stevel @icing There's more than RCE, e.g. heartbleed had a 8.6 cvss w/o RCE, but had aggravating factors that aren't evaluated by the CVSS scale, like how widespread the vulnerable configuration is.

https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

In comparison, we have a 4-bytes uninitialized stack value leak in application logs bug to be reported soon. CVSS 3.1 Low
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Reply to First of all, most of FOSS security reports nowadays (that I see in #curl and #apache httpd) are non-threatening. on Fri, 15 May 2026 09:37:37 GMT

[[global:guest]] — Fri, 15 May 2026 09:37:37 GMT

@aris @icing if its not RCE in a normal deployment - it's just a normal bug. Makes sense,

Reply to First of all, most of FOSS security reports nowadays (that I see in #curl and #apache httpd) are non-threatening. on Fri, 15 May 2026 08:52:09 GMT

[[global:guest]] — Fri, 15 May 2026 08:52:09 GMT

@icing at libssh we're considering the policy of filing all bugs under a certain CVSS threshold (5 or 6) as regular bug reports in bug tracking and fix them without any embargo to avoid clogging up the security pipeline

Reply to First of all, most of FOSS security reports nowadays (that I see in #curl and #apache httpd) are non-threatening. on Fri, 15 May 2026 08:49:34 GMT

[[global:guest]] — Fri, 15 May 2026 08:49:34 GMT

@holsta Ah yes. Sorry. I saw two separate posts drifting onto my timeline (which isn't normally about curl or security stuff). They seemed related in an interesting way which I thought I would comment on it. But maybe I should've noticed they're both from people who are well aware of eachother.

Reply to First of all, most of FOSS security reports nowadays (that I see in #curl and #apache httpd) are non-threatening. on Fri, 15 May 2026 08:43:07 GMT

[[global:guest]] — Fri, 15 May 2026 08:43:07 GMT

@icing I suspect the Linux kernel is an exception.

Reply to First of all, most of FOSS security reports nowadays (that I see in #curl and #apache httpd) are non-threatening. on Fri, 15 May 2026 08:41:18 GMT

[[global:guest]] — Fri, 15 May 2026 08:41:18 GMT

@harry_wood What? Stefan is literally on the curl team.

Why are you like this?

Reply to First of all, most of FOSS security reports nowadays (that I see in #curl and #apache httpd) are non-threatening. on Fri, 15 May 2026 08:11:33 GMT

[[global:guest]] — Fri, 15 May 2026 08:11:33 GMT

@swelljoe @icing eh… either way, it used to be every time a new developer looked at a corner of a code base that hasn't been touched in 10, 20, 30 years we get, at the very least a bug fix a refactoring

and at least one new person who's now familiar with that code… ️ and the loss of this is perhaps the most frustrating part

Reply to First of all, most of FOSS security reports nowadays (that I see in #curl and #apache httpd) are non-threatening. on Fri, 15 May 2026 06:38:01 GMT

[[global:guest]] — Fri, 15 May 2026 06:38:01 GMT

@icing after twenty or thirty years, the really scary stuff has probably already been found in anything popular. (Probably.)

First of all, *most* of FOSS security reports nowadays (that I see in #curl and #apache httpd) are non-threatening.

Reply to First of all, *most* of FOSS security reports nowadays (that I see in #curl and #apache httpd) are non-threatening. on Fri, 15 May 2026 11:39:37 GMT

Reply to First of all, *most* of FOSS security reports nowadays (that I see in #curl and #apache httpd) are non-threatening. on Fri, 15 May 2026 10:25:31 GMT

Reply to First of all, *most* of FOSS security reports nowadays (that I see in #curl and #apache httpd) are non-threatening. on Fri, 15 May 2026 09:46:49 GMT

Reply to First of all, *most* of FOSS security reports nowadays (that I see in #curl and #apache httpd) are non-threatening. on Fri, 15 May 2026 09:37:37 GMT

Reply to First of all, *most* of FOSS security reports nowadays (that I see in #curl and #apache httpd) are non-threatening. on Fri, 15 May 2026 08:52:09 GMT

Reply to First of all, *most* of FOSS security reports nowadays (that I see in #curl and #apache httpd) are non-threatening. on Fri, 15 May 2026 08:49:34 GMT

Reply to First of all, *most* of FOSS security reports nowadays (that I see in #curl and #apache httpd) are non-threatening. on Fri, 15 May 2026 08:43:07 GMT

Reply to First of all, *most* of FOSS security reports nowadays (that I see in #curl and #apache httpd) are non-threatening. on Fri, 15 May 2026 08:41:18 GMT

Reply to First of all, *most* of FOSS security reports nowadays (that I see in #curl and #apache httpd) are non-threatening. on Fri, 15 May 2026 08:11:33 GMT

Reply to First of all, *most* of FOSS security reports nowadays (that I see in #curl and #apache httpd) are non-threatening. on Fri, 15 May 2026 06:38:01 GMT