daniel:// stenberg://

9 months ago

daniel:// stenberg://
9 months ago

CVE-2024-5535 is an #OpenSSL problem that cannot be triggered by #curl

OpenSSL calls it it a low severity flaw. openssl.org/news/vulnerabiliti…

GitHub lists it as "critical" at 9.1 out of 10: github.com/advisories/GHSA-4fc…

CVE-2024-5535 - GitHub Advisory Database

Issue summary: Calling the OpenSSL API function...

^GitHub

This entry was edited (9 months ago)

in reply to daniel:// stenberg://

daniel:// stenberg://

in reply to daniel:// stenberg:// 9 months ago

It is time we realize and accept that there can never be a single nor objective criticality score for a CVE.

in reply to daniel:// stenberg://

p

in reply to daniel:// stenberg:// 9 months ago

there is no ultimate authority, it's a recurring problem (see politics)
@bagder

@daniel:// stenberg://

in reply to daniel:// stenberg://

Bernard Quatermass

in reply to daniel:// stenberg:// 9 months ago

Speaking as someone who is dealing with that as a OSS project member live-and-direct-this-instant, I couldn't agree more.

We're not a CNA (nor are we particularly bothered in becoming one), and as you've noted that doesn't do much to stop the garbage.

in reply to daniel:// stenberg://

Jim Fuller

in reply to daniel:// stenberg:// 9 months ago

ya, I have been fighting the battle that a CVE has a community context (general) and a specific context to any bit of software .. its the main issue with CVE that someone else's 9.1 will be one's 0 ... a community score vs a specific software score is needed to provide context

in reply to daniel:// stenberg://

Tim Yates

in reply to daniel:// stenberg:// 9 months ago

love that GitHub includes the "low severity" paragraph 🙄

in reply to daniel:// stenberg://

Clemens

in reply to daniel:// stenberg:// 9 months ago

imported from NVD again, without critical review...

⇧

daniel:// stenberg:// 9 months ago • •

daniel:// stenberg://
9 months ago