Re: CVE-2020-19909 possibly released without curl's authors ack (yet another NVD Critical)
From: James Fuller via curl-library <curl-library_at_lists.haxx.se>
Date: Sat, 26 Aug 2023 19:58:23 +0200
'become your own CNA' - we can help with that ....
Jim
On Sat, 26 Aug 2023 at 19:50, Daniel Stenberg via curl-library
<curl-library_at_lists.haxx.se> wrote:
>
> On Sat, 26 Aug 2023, Daniel Stenberg via curl-library wrote:
>
> > Step one. A blog post with some details:
>
> Other things I've done:
>
> - I've pushed my blog post on social media to distribute awareness.
>
> - I pull strings to get the CVE rejected. It is such a weird system so we
> can't easily see which CNA assigned the ID. Some language on the NVD
> site made me think it was done by MITRE itself but I cannot find any public
> way to contact MITRE to get a CVE rejected. For any reason.
>
> - I wrote up an information page about this bogus CVE on the curl site:
> https://curl.se/docs/CVE-2020-19909.html
>
> Several people have told me that the only effective means that exist against
> abusive CVE filings like this, is to become your own CNA as then you can
> apparently "lock" your product to only be possible to get CVEs assigned from
> your own CNA. I will look into this option.
>
> --
>
> / daniel.haxx.se
> | Commercial curl support up to 24x7 is available!
> | Private help, bug fixes, support, ports, new features
> | https://curl.se/support.html
Received on 2023-08-26