oss-sec mailing list archives
Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules
From: Sam Bull <9m199i () sambull org>
Date: Thu, 04 May 2023 18:15:19 +0100
On Wed, 2023-05-03 at 15:54 -0400, David A. Wheeler wrote:
On May 3, 2023, at 3:15 PM, Reid Sutherland <reid () thirddimension net> wrote: Who actually decides when something receives a CVE?There's a process for assigning CVEs. Anyone who wants to be able to assign CVEs - that is, to become a CVE Numbering Authority (CNA) - has to follow various processes.This can be used to defame projects and products as in this case.Identifying a vulnerability does not defame a project.
But, reporting a CVE where there is no vulnerability wastes a lot of time for the project maintainers, as we had last year with this CVE: https://github.com/aio-libs/aiohttp/issues/6801 As far as we could tell, it seems a random user reported a DoS vulnerability to Github (maybe?) and got a CVE assigned, with no reproducer or any evidence of a vulnerability, and just a link to an issue which was never considered a security issue by anybody. None of us involved with the project were notified of the report either, we learnt about the CVE from other users asking us about it. It took months to get that satisfactorily revoked and stop getting users asking us about it (apparently there's no standardised way to tell if CVEs are revoked, so seems DB maintainers have to remove them on a case-by-case basis, making the process much longer). So, something somewhere is not fully working in the process.
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules, (continued)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Matthew Fernandez (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Christian Heinrich (Apr 21)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Stig Palmquist (Apr 29)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Reid Sutherland (May 03)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules David A. Wheeler (May 03)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Reid Sutherland (May 03)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Moritz Bechler (May 03)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Michael Orlitzky (May 03)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Reid Sutherland (May 04)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Reid Sutherland (May 03)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Sam Bull (May 04)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Alan Coopersmith (May 04)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Rainer Canavan (May 04)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules David A. Wheeler (May 04)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (May 04)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Jeffrey Walton (May 03)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules John Helmert III (May 07)