oss-sec mailing list archives
Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules
From: Moritz Bechler <mbechler () eenterphace org>
Date: Wed, 3 May 2023 22:40:30 +0200
Hi,
A default is not a vulnerability. There are reasons why defaults cannot be changed in libraries once they are stable. This is also why documentation exists.Revoke these CVEs, it's a stain on the process.
while one may criticize that CVEs have been assigned both for the insecure default and (some of the) insecure usages, at least one of these is a legitimate case, in terms of CVEs likely the latter. And when it comes to defaming projects, at least in my book, choosing, keeping and defending bad defaults speaks to much more than a CVE being assigned.
Moritz
Current thread:
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules, (continued)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules David A. Wheeler (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Jeffrey Walton (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Matthew Fernandez (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Reid Sutherland (May 03)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules David A. Wheeler (May 03)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Reid Sutherland (May 03)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Moritz Bechler (May 03)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Michael Orlitzky (May 03)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Reid Sutherland (May 04)