Buy commercial curl support. We
help you work out your issues, debug your libcurl applications, use the API,
port to new platforms, add new features and more. With a team lead by the
curl founder Daniel himself.
Some question about vulnerability
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: 陈星杵 via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 7 Mar 2025 10:17:38 +0800 (GMT+08:00)
Good morning!
Sorry to bother you. I am conducting a study on determining the impact range of vulnerabilities. My research primarily uses the SZZ method to identify the affected versions of a vulnerability through patch analysis[1].
Previously, I had also emailed you to ask some questions. For example, regarding CVE-2022-43551[2], you mentioned that earlier versions might not be vulnerable due to HSTS feature was not enabled by default and was labled as experimental. So I'm wondering what the significance of doing this work is. For the reason,I would like to ask, how do you determine the impact range of a vulnerability? Do you rely on dynamic analysis by running a Proof-of-Concept (PoC) or static code review?
This would be an important contribution to open-source software, as it could significantly reduce the time required for manually determining affected versions!
Thanks!
[1] https://dl.acm.org/doi/10.1145/3510003.3510113
[2] https://curl.se/docs/CVE-2022-43551.html
Date: Fri, 7 Mar 2025 10:17:38 +0800 (GMT+08:00)
Good morning!
Sorry to bother you. I am conducting a study on determining the impact range of vulnerabilities. My research primarily uses the SZZ method to identify the affected versions of a vulnerability through patch analysis[1].
Previously, I had also emailed you to ask some questions. For example, regarding CVE-2022-43551[2], you mentioned that earlier versions might not be vulnerable due to HSTS feature was not enabled by default and was labled as experimental. So I'm wondering what the significance of doing this work is. For the reason,I would like to ask, how do you determine the impact range of a vulnerability? Do you rely on dynamic analysis by running a Proof-of-Concept (PoC) or static code review?
This would be an important contribution to open-source software, as it could significantly reduce the time required for manually determining affected versions!
Thanks!
[1] https://dl.acm.org/doi/10.1145/3510003.3510113
[2] https://curl.se/docs/CVE-2022-43551.html
-- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2025-03-07