oss-sec mailing list archives

Re: There is a curl "severity HIGH security problem" pre-announcement on GitHub


From: Fabian Keil <freebsd-listen () fabiankeil de>
Date: Thu, 5 Oct 2023 18:28:18 +0200

Shawn Webb <shawn.webb () hardenedbsd org> wrote on 2023-10-05 at 09:54:11:

On Thu, Oct 05, 2023 at 10:14:49AM +0200, Erik Auerswald wrote:

there is a pre-announcement of a curl security problem with high severity
that can be found on GitHub:

 - https://github.com/curl/curl/discussions
 - https://github.com/curl/curl/discussions/12026

I wonder if this could also be coordinated through CERT VINCE since
there will be a wider impact than those on the distros mailing list.

I wondered what "CERT VINCE" is supposed to mean so I tried to
search the English Wikipedia but was unsuccessful. Probably
even the English Wikipedia can't keep up with all the "CERTS"
that are available now.

Anyway, after a proper web search I ended at [0] which says:

| Welcome to the Vulnerability Information and Coordination
| Environment (VINCE). If you are a vendor and would like to
| communicate with us about a vulnerability or update your
| contact information, please create an account or sign in. You
| can also report a vulnerability to us, with or without a VINCE
| account. For more information see the VINCE Documentation site

There doesn't seem to be a period after the last sentence,
but maybe that's art or the page is still under construction.

Apparently they are "Sponsored by CISA." and apparently
CISA is "America's Cyber Defence Agency" [1] which seems
to be relying a bit too much on computers without lower
caps, otherwise their website would probably look a bit
more professional.

Luckily I use ElectroBSD [2] so I was able to spell their
name using lower caps anyway.

I also briefly looked at the "VINCE"
"Vulnerability Disclosure Guidance" [3] and read:

| A vulnerability is difficult to define. It can be thought of as
| a flaw in software or hardware components that allows an
| attacker to perform actions that wouldn't normally be
| allowed. The impact of such vulnerabilities varies
| greatly. They may allow the attacker to learn someone's private
| email address, take control of a computer, or even cause
| physical damage and bodily injury.

My first impression is that they may be targeting children
below ten and I wish them the best of luck in their endeavors.
I'm already a bit older than ten and I already have enough
accounts for somewhat dubious sites that could leak my data
at any minute.

Anyway, I suppose nobody on this list will stop you, Shawn,
from personally giving "CERT VINCE" a heads-up that a somewhat
important curl [4] patch will probably be published around
2023-10-11.

If they ask you what curl is you should probably use simple
words when you explain it.

Happy hacking
Fabian

[0] <https://kb.cert.org/vince/>
[1] <https://www.cisa.gov/>
[2] <https://www.fabiankeil.de/gehacktes/electrobsd/>
[3] <https://kb.cert.org/vuls/guidance/>
[4] <https://curl.se/>
