oss-sec mailing list archives
Re: There is a curl "severity HIGH security problem" pre-announcement on GitHub
From: Fabian Keil <freebsd-listen () fabiankeil de>
Date: Thu, 5 Oct 2023 18:28:18 +0200
Shawn Webb <shawn.webb () hardenedbsd org> wrote on 2023-10-05 at 09:54:11:
On Thu, Oct 05, 2023 at 10:14:49AM +0200, Erik Auerswald wrote:
there is a pre-announcement of a curl security problem with high severity that can be found on GitHub:
- https://github.com/curl/curl/discussions
- https://github.com/curl/curl/discussions/12026

I wonder if this could also be coordinated through CERT VINCE since there will be a wider impact than those on the distros mailing list.
I wondered what "CERT VINCE" is supposed to mean so I tried to search the English Wikipedia but was unsuccessful. Probably even the English Wikipedia can't keep up with all the "CERTS" that are available now.

Anyway, after a proper web search I ended at [0] which says:

| Welcome to the Vulnerability Information and Coordination
| Environment (VINCE). If you are a vendor and would like to
| communicate with us about a vulnerability or update your
| contact information, please create an account or sign in. You
| can also report a vulnerability to us, with or without a VINCE
| account. For more information see the VINCE Documentation site

There doesn't seem to be a period after the last sentence, but maybe that's art or the page is still under construction.

Apparently they are "Sponsored by CISA." and apparently CISA is "America's Cyber Defence Agency" [1] which seems to be relying a bit too much on computers without lower caps, otherwise their website would probably look a bit more professional. Luckily I use ElectroBSD [2] so I was able to spell their name using lower caps anyway.

I also briefly looked at the "VINCE" "Vulnerability Disclosure Guidance" [3] and read:

| A vulnerability is difficult to define. It can be thought of as
| a flaw in software or hardware components that allows an
| attacker to perform actions that wouldn't normally be
| allowed. The impact of such vulnerabilities varies
| greatly. They may allow the attacker to learn someone's private
| email address, take control of a computer, or even cause
| physical damage and bodily injury.

My first impression is that they may be targeting children below ten and I wish them the best of luck in their endeavors. I'm already a bit older than ten and I already have enough accounts for somewhat dubious sites that could leak my data at any minute.
Anyway, I suppose nobody on this list will stop you, Shawn, from personally giving "CERT VINCE" a heads-up that a somewhat important curl [4] patch will probably be published around 2023-10-11. If they ask you what curl is you should probably use simple words when you explain it.

Happy hacking
Fabian

[0] <https://kb.cert.org/vince/>
[1] <https://www.cisa.gov/>
[2] <https://www.fabiankeil.de/gehacktes/electrobsd/>
[3] <https://kb.cert.org/vuls/guidance/>
[4] <https://curl.se/>