daniel:// stenberg://

2 years ago

daniel:// stenberg://
2 years ago

I have no less than 72 old (2017 and earlier) #curl security advisories that I want to assign a severity: Low/Medium/High/Critical. It's a very manual labor but here is my initial take that could use more eyes: github.com/curl/curl-www/pull/…

docs: add Severity to sec advisories missing them by bagder · Pull Request #256 · curl/curl-www

This is a manual work and I am using my own "best effort" by manually reading the descriptions, checking the conditions for them to trigger and comparing with how other projects grade similar probl...

^GitHub

#curl

in reply to daniel:// stenberg://

Jimmy Sjölund

in reply to daniel:// stenberg:// 2 years ago

Wouldn't the age sort of imply they are Low/Medium at best?

in reply to Jimmy Sjölund

daniel:// stenberg://

in reply to Jimmy Sjölund 2 years ago

@jimmysjolund the severity is usually set at the time for the conditions when reported and using that version. So no, I think many of them are worse than Medium...

@Jimmy Sjölund

in reply to daniel:// stenberg://

MaMü

in reply to daniel:// stenberg:// 2 years ago

Security Archeology? Why?
@jimmysjolund

@Jimmy Sjölund

in reply to MaMü

daniel:// stenberg://

in reply to MaMü 2 years ago

@mamue @jimmysjolund by knowing the history we can learn more from it. Having more a detailed view of the past allows me to draw better graphs of development and changes over time. Also: more data draws a more complete picture and help educating users.

@Jimmy Sjölund @MaMü

⇧

daniel:// stenberg://

daniel:// stenberg:// 2 years ago • •

docs: add Severity to sec advisories missing them by bagder · Pull Request #256 · curl/curl-www

Jimmy Sjölund

daniel:// stenberg://

MaMü

daniel:// stenberg://

daniel:// stenberg://
2 years ago