First of all, *most* of FOSS security reports nowadays (that I see in #curl and #apache httpd) are non-threatening.
They are edge cases under highly constructed preconditions. Yes, not impossible, but unlikely to be ever encountered.
Before LLMs, no researcher would have invested the time to explore those scenarios. My guess.
Yes, we fix them. But, they could also have been a bug report.
-
@icing after twenty or thirty years, the really scary stuff has probably already been found in anything popular. (Probably.)
@swelljoe @icing eh… either way, it used to be that every time a new developer looked at a corner of a code base that hasn't been touched in 10, 20, 30 years we got, at the very least, a bug fix, a refactoring, and at least one new person who's now familiar with that code… and the loss of this is perhaps the most frustrating part
-
@harry_wood What? Stefan is literally on the curl team.
Why are you like this?
-
@holsta Ah yes. Sorry. I saw two separate posts drifting onto my timeline (which isn't normally about curl or security stuff). They seemed related in an interesting way, which I thought I would comment on. But maybe I should've noticed they're both from people who are well aware of each other.
-
@icing at libssh we're considering the policy of filing all bugs under a certain CVSS threshold (5 or 6) as regular bug reports in bug tracking and fixing them without any embargo, to avoid clogging up the security pipeline.
-
@stevel @icing There's more than RCE, e.g. Heartbleed had an 8.6 CVSS w/o RCE, but had aggravating factors that aren't evaluated by the CVSS scale, like how widespread the vulnerable configuration is.
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
In comparison, we have a 4-byte uninitialized stack value leak into application logs bug to be reported soon. CVSS 3.1 Low.
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
-