daniel:// stenberg://

1 month ago

daniel:// stenberg://
1 month ago

#curl security report number **eight** within the last seven days was just received. And as 8 out of 8 it will be closed as not applicable.

This is roughly 4x our normal average frequency. No clue as to why this peaks now.

We clearly need to raise the bar somehow to stop sand from getting into the machine.

#curl

in reply to daniel:// stenberg://

excds

in reply to daniel:// stenberg:// 1 month ago

For every slop report, send an invoice to openAI?

in reply to daniel:// stenberg://

Billy O'Neal

in reply to daniel:// stenberg:// 1 month ago

New AI acid test just dropped: finding legitimate curl CVE.

At least, that seems to be what grifters are thinking.

in reply to daniel:// stenberg://

the vessel of morganna

in reply to daniel:// stenberg:// 1 month ago

This one is really amusing.. "use after free" when the example code *literally* calls SSL_free then reuses the pointer. my brother in christ your "proof of concept" is literally just faulty code that has nothing to do with openssl

hackerone.com/reports/3242005

curl disclosed on HackerOne: Use-After-Free in OpenSSL Keylog...

Summary: A Use-After-Free (UAF) vulnerability exists in libcurl when the OpenSSL SSL_CTX_set_keylog_callback is set. The callback may be invoked after the associated SSL object has been freed via...

^HackerOne

in reply to the vessel of morganna

daniel:// stenberg://

in reply to the vessel of morganna 1 month ago

@astraleureka there's a whole range of issues with absolutely stunning stupidity shown. It's exhausting. We probably need to alter the setup soon.

@the vessel of morganna

daniel:// stenberg:// reshared this.

in reply to daniel:// stenberg://

the vessel of morganna

in reply to daniel:// stenberg:// 1 month ago

I'm reading through more of the recent history - my god, some of these are just staggeringly incomprehensible. I really hope you can figure out a good filtering mechanism, if curl is being slammed this bad a lot of other F/OSS projects are surely being inundated with this garbage as well

in reply to the vessel of morganna

Gregory

in reply to the vessel of morganna 1 month ago

@astraleureka this sort of problem has always existed in open-source. You would get trivial PRs like someone updating your dependencies for you or, my favorite — reformatting your code to their liking. As if I couldn't have done it myself in one minute if I felt the need to do this in my project. AI just lowers the barrier even more for these "I have to contribute something, anything" types.

@the vessel of morganna

in reply to Gregory

daniel:// stenberg://

in reply to Gregory 1 month ago

@grishka @astraleureka stupidity always existed and always will, sure but I don't think that helps us at all to know that...

@Gregory @the vessel of morganna

in reply to daniel:// stenberg://

mijenix

in reply to daniel:// stenberg:// 1 month ago

could it be that those posts attract trolls to just submit AI slop reports for "trolling"?

in reply to daniel:// stenberg://

Stephen Rosen

in reply to daniel:// stenberg:// 1 month ago

while everyone is sharing their outrage -- and it is outrageous -- your ending note here is spot on. How do we stop this?

This is going to burn maintainers out.

We're going to need to come up with something. Maybe it will look something like CLA-signing bots, but what could submitters sign? A statement that they've read the project policy on slop?
I can't say I'm confident that would help.

⇧

daniel:// stenberg:// 1 month ago • •

daniel:// stenberg://
1 month ago