curl-library
Re: securityfocus.com inaccuracies
Date: Mon, 7 Mar 2005 10:08:08 -0800
On Mon, Mar 07, 2005 at 04:37:23PM +0100, Daniel Stenberg wrote:
> While we're on the subject of bad security advisories, a little amusement
> is this:
>
> http://www.securityfocus.com/bid/12616
>
> I would like to point out the list of "vulnerable" versions. The list
> includes numerous versions that were released before curl even had the
> features that the advisory is for. ;-)
>
> The list of affected versions also lacks numerous versions. They could've
> just said vulnerable: curl 7.3 up to and including curl 7.13.0.
>
> I've mailed them about it. I don't think it'll change anything. I've tried to
> have them correct the previous advisories they have on curl too in the
> past. They don't seem to care.
The NTLM entry was just as bad before I e-mailed them about it. To their
credit, they updated it pretty quickly, but I wonder where the initial list
came from. I made sure to reference specific pages on the curl web site
(e.g. CVS logs) to prove when the vulnerability was introduced, but this
whole experience makes me wonder about how accurate the vulnerability
reporting system really is.
Dan
Received on 2005-03-07