Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 4 May 2023 20:23:45 +0200
From: Rainer Canavan <>
Subject: Re: Perl's HTTP::Tiny has insecure TLS cert default,
 affecting and other modules

On Thu, May 4, 2023 at 7:59 PM Sam Bull <> wrote:
> But, reporting a CVE where there is no vulnerability wastes a lot of time for the project
> maintainers, as we had last year with this CVE:
> As far as we could tell, it seems a random user reported a DoS vulnerability to Github
> (maybe?) and got a CVE assigned, with no reproducer or any evidence of a vulnerability,
> and just a link to an issue which was never considered a security issue by anybody. None
> of us involved with the project were notified of the report either, we learnt about the
> CVE from other users asking us about it.
> It took months to get that satisfactorily revoked and stop getting users asking us about
> it (apparently there's no standardised way to tell if CVEs are revoked, so seems DB
> maintainers have to remove them on a case-by-case basis, making the process much longer).
> So, something somewhere is not fully working in the process.

As a project maintainer, you should be able to ask the CNA to REJECT a
CVE, or at least have it marked DISPUTED, and that state should be
reflected in all reasonable CVE databases. You'll still have to figure
out how to document it as a non-issue inside your project for your
users to find, but once you've established a working solution, that
should not take months to resolve. I'd suspect that the issue in
HTTP::Tiny would end up DISPUTED, since not validating TLS names is
not the generally expected behavior, although it is documented (in
bold no less).


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.