Search

Items tagged with: CVE

I chatted with Philippe Ombredanne about Package URLs, or PURLs. He created them, so he knows a thing or two.

We do complain about CPE quite a bit :)

But it's a really hard problem. It feels like a package identifier should be easy, but it's way harder than you think it is. There's nobody better than Philippe to drop some knowledge.

opensourcesecurity.io/2025/202โ€ฆ

#PURL
#CVE
#SBOM


Package URLs with Philippe Ombredanne

Iโ€™m joined by Philippe Ombredanne, creator of the Package URL (PURL), to discuss the surprisingly complex and messy problem of simply identifying open source software packages.
Josh Bressers (Open Source Security)
#SBOM #cve #purl

Top #CWE reasons used in #curl #CVE reports. In the 161 CVEs we have published over 25+ years so far, we have used 59 different CWEs.

The graph shows all CWEs that have been used more than once.

#curl #cve #cwe

The number of CNAs over time (#CVE Numbering Authorities). At 385 right now. Over 20,000 CVEs published in the first half of 2024.

From the "CVE Program and CNA Quarterly Report"

#cve

โœ… Achievement unlocked - Got a minor credit in a CVE.

mcphail wrote:

"I recently found a bug in Snap, a package manager for Ubuntu and other Linux distributions, which allows the snap to escape the sandbox and run arbitrary code (as the user) if the home permission is set. This exploit could be run on a vanilla install of Ubuntu and was patched in commit aa191f9 on 13th March 2024."

gld.mcphail.uk/posts/explaininโ€ฆ

cve.mitre.org/cgi-bin/cvename.โ€ฆ

#cve #snapcraft #linux

CVE - CVE-2024-1724

The mission of the CVEยฎ Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.
cve.mitre.org
#linux #cve #snapcraft

#linux #opensource #OpenBSD #freebsd #netbsd #posix #IP #developers #curl #cve #programmers #daniel #stenberg #fedor #indutny #phenomena #panic #bogus

#curl #cve

#curl #cve

#cybersecurity #vulnerability #cve #CNA #vulnerabilitymanagement

100% agreed that the CVSS scoring system and "assume the worst" guidance makes for scores that do not accurately reflect importance. Especially for very broad-use things.

My take on this is that. like it or not, more open source projects of note need to become "CNA" (certificate numbering authorities) of their own which I understand can given them some control over the content of CVEs filed against their project. cve.org/ProgramOrganization/CNโ€ฆ

#cve #cvss #cna #oss

cve-website

www.cve.org
#oss #cve #cvss #CNA

โ‡ง