Josh Bressers

9 months ago

Josh Bressers
9 months ago

The Node.js project just issued CVE IDs for 3 EOL versions

Is this a good idea or a bad idea? It depends who you ask

It's a weird discussion to follow, so I broke it down in a way that should offend all the involved parties

opensourcesecurity.io/2025/01-…

CVEs for End of Life?

Very recently the Node.js project filed a few CVE IDs for end of life products. For vulnerability nerds this is exciting because historically EOL things didn’t get CVE IDs just for being EOL.

^{Josh Bressers (Open Source Security)}

in reply to Josh Bressers

daniel:// stenberg://

in reply to Josh Bressers 9 months ago

we're getting into similar territory with a CVE we publish for #curl next week. We've debated it to death internally... 😀

Stay tuned!

#curl

in reply to daniel:// stenberg://

Josh Bressers

in reply to daniel:// stenberg:// 9 months ago

@bagder I shall wait with anticipation :)

@daniel:// stenberg://

in reply to Josh Bressers

since open source is often not really "EOLed", I have tried to draw a line by defining that from now on we don't consider problems that require "legacy dependencies" and I try to define what that means: curl.se/dev/vuln-disclosure.ht…

curl - Vulnerability Disclosure Policy

^curl.se

in reply to daniel:// stenberg://

Josh Bressers

in reply to daniel:// stenberg:// 9 months ago

@bagder I like this definition, I will probably steal it :)

@daniel:// stenberg://

in reply to Josh Bressers

daniel:// stenberg://

in reply to Josh Bressers 9 months ago

excellent, and feel free to!

⇧

Josh Bressers 9 months ago • •

Josh Bressers
9 months ago