The CVE-2024-11053 Sunday shenanigans
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 16 Dec 2024 08:44:19 +0100 (CET)
Hi friends,
I just wanted to make you all aware of what happened over the weekend.
On Sunday afternoon, Harry Sintonen made us aware that several
security-related websites posted articles about the "CRITICAL curl security flaw".
We announced that as severity LOW earlier this week. How and why did this
massive severity level bump happen?
The job that was done by NVD in the past, setting CVSS scores on published
CVEs, is nowadays done by CISA (Cybersecurity and Infrastructure Security
Agency) as they are now an "ADP" (Authorized Data Publisher) within the CVE
program.
They are the new know-it-all organization and will quickly fill in some values
in a CVSS calculator and set that for CVEs. I presume for CVEs that are
lacking the score.
CISA has a github repository [2] with all their data and in there we can see
how they committed info for CVE-2024-11053 [1] on December 11.
15:01 yesterday I posted on Mastodon [3] that this CVE is certainly not a
critical security problem, and shortly thereafter at 15:42 I submitted a PR
[4] to CISA to update the metadata to something more reasonable. I figured 5.3
could possibly work.
At 18:13, CISA instead pushed an update [5] that was not my PR. It lowered the
score even further; all the way down to 3.4. I then closed my PR once I
realized this happened.
Unfortunately, few of those alarmist websites probably will update after this
update so I suspect we will see this CRITICAL label floating around for a
while. Now you know how it happened.
Now, enjoy your Monday!
[1] = https://github.com/cisagov/vulnrichment/blob/develop/2024/11xxx/CVE-2024-11053.json
[2] = https://github.com/cisagov/vulnrichment
[3] = https://mastodon.social/_at_bagder/113657205050547339
[4] = https://github.com/cisagov/vulnrichment/pull/151
[5] = https://github.com/cisagov/vulnrichment/commit/91fadb2bf6b461638c8155978b9f20cf17e51fe3
-- / daniel.haxx.se || https://rock-solid.curl.dev
Received on 2024-12-16
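The mechanism behind the story above is that one CVE JSON 5.1 record carries separate containers: the CNA's own data and, since CISA became an ADP, an "adp" container where CISA can add its own CVSS metrics even when the CNA asserted none. The following is an added Python example, not part of Daniel's post and not code from the curl or vulnrichment projects. It parses a constructed record laid out like the vulnrichment files, reports which provider asserted which score, and flags scores that only an ADP supplied. The container and field names (containers.cna, containers.adp, providerMetadata.shortName, metrics[].cvssV3_1.baseScore) follow the CVE JSON 5.1 schema as I know it; the sample's title text, the empty CNA metrics and the 3.4 ADP score are a constructed illustration, not a copy of the real CVE-2024-11053.json.

```python
import json

# Constructed sample of a CVE JSON 5.1 record laid out like the files in CISA's
# vulnrichment repository. It is NOT a copy of the real CVE-2024-11053.json:
# the CNA container deliberately carries no CVSS metric (the "lacking the
# score" case from the post) and the ADP container carries the 3.4 score the
# post mentions. The title text is made up for the sample.
SAMPLE_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-2024-11053", "state": "PUBLISHED"},
    "containers": {
        "cna": {
            "providerMetadata": {"shortName": "curl"},
            "title": "constructed sample title",
        },
        "adp": [
            {
                "providerMetadata": {"shortName": "CISA-ADP"},
                "metrics": [
                    {"cvssV3_1": {"version": "3.1", "baseScore": 3.4,
                                  "baseSeverity": "LOW"}}
                ],
            }
        ],
    },
})


def _cvss_metrics(container):
    """Yield (metric key, score, severity) for each CVSS entry in a container.

    CVE JSON 5.x keeps metrics as a list of objects keyed by CVSS version
    (cvssV3_0, cvssV3_1, cvssV4_0, ...); entries without a baseScore are
    skipped.
    """
    for entry in container.get("metrics", []):
        for key, value in entry.items():
            if key.startswith("cvssV") and isinstance(value, dict) \
                    and "baseScore" in value:
                yield key, float(value["baseScore"]), value.get("baseSeverity")


def cvss_by_provider(record_json):
    """Return (cve id, {provider: [scores]}), CNA first, then each ADP.

    The dict keeps insertion order, so the first key is always the CNA.
    """
    record = json.loads(record_json)
    containers = record["containers"]
    providers = {}
    cna = containers.get("cna", {})
    cna_name = cna.get("providerMetadata", {}).get("shortName", "cna")
    providers[cna_name] = list(_cvss_metrics(cna))
    for adp in containers.get("adp", []):
        adp_name = adp.get("providerMetadata", {}).get("shortName", "adp")
        providers[adp_name] = list(_cvss_metrics(adp))
    return record["cveMetadata"]["cveId"], providers


def adp_divergences(record_json):
    """List (provider, score, severity) for ADP scores the CNA did not assert.

    A score counts as divergent when the CNA gave no CVSS at all (every ADP
    score is then an outside opinion) or when an ADP base score differs from
    every CNA base score. This is the check a consumer of CVE feeds would
    run before treating a third-party severity as authoritative.
    """
    _, providers = cvss_by_provider(record_json)
    names = list(providers)
    cna_scores = {score for _, score, _ in providers[names[0]]}
    divergent = []
    for name in names[1:]:
        for _, score, severity in providers[name]:
            if not cna_scores or score not in cna_scores:
                divergent.append((name, score, severity))
    return divergent


if __name__ == "__main__":
    cve_id, providers = cvss_by_provider(SAMPLE_RECORD)
    print(cve_id)
    for name, scores in providers.items():
        print(f"  {name}: {scores or 'no CVSS asserted'}")
    print("ADP-only or conflicting scores:", adp_divergences(SAMPLE_RECORD))
```

Pointed at a directory of real vulnrichment files, the same two functions let a feed consumer see at a glance which severities came from the project that wrote the fix and which were filled in afterwards by an ADP, which is exactly the distinction the alarmist articles missed.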