Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20231005182818.64a446f0@fabiankeil.de>
Date: Thu, 5 Oct 2023 18:28:18 +0200
From: Fabian Keil <freebsd-listen@...iankeil.de>
To: oss-security@...ts.openwall.com
Subject: Re: There is a curl "severity HIGH security problem"
 pre-announcement on GitHub

Shawn Webb <shawn.webb@...denedbsd.org> wrote on 2023-10-05 at 09:54:11:

> On Thu, Oct 05, 2023 at 10:14:49AM +0200, Erik Auerswald wrote:

> > there is a pre-announcement of a curl security problem with high severity
> > that can be found on GitHub:
> > 
> >  - https://github.com/curl/curl/discussions
> >  - https://github.com/curl/curl/discussions/12026
> 
> I wonder if this could also be coordinated through CERT VINCE since
> there will be a wider impact than those on the distros mailing list.

I wondered what "CERT VINCE" is supposed to mean so I tried to
search the English Wikipedia but was unsuccessful. Probably
even the English Wikipedia can't keep up with all the "CERTS"
that are available now.

Anyway, after a proper web search I ended at [0] which says:

| Welcome to the Vulnerability Information and Coordination
| Environment (VINCE). If you are a vendor and would like to
| communicate with us about a vulnerability or update your
| contact information, please create an account or sign in. You
| can also report a vulnerability to us, with or without a VINCE
| account. For more information see the VINCE Documentation site

There doesn't seem to be a period after the last sentence,
but maybe that's art or the page is still under construction.

Apparently they are "Sponsored by CISA." and apparently
CISA is "America's Cyber Defence Agency" [1] which seems
to be relying a bit too much on computers without lower
caps, otherwise their website would probably look a bit
more professional.

Luckily I use ElectroBSD [2] so I was able to spell their
name using lower caps anyway.

I also briefly looked at the "VINCE"
"Vulnerability Disclosure Guidance" [3] and read:

| A vulnerability is difficult to define. It can be thought of as
| a flaw in software or hardware components that allows an
| attacker to perform actions that wouldn't normally be
| allowed. The impact of such vulnerabilities varies
| greatly. They may allow the attacker to learn someone's private
| email address, take control of a computer, or even cause
| physical damage and bodily injury.

My first impression is that they may be targeting children
below ten and I wish them the best of luck in their endeavors.
I'm already a bit older than ten and I already have enough
accounts for somewhat dubious sites that could leak my data
at any minute.

Anyway, I suppose nobody on this list will stop you, Shawn,
from personally giving "CERT VINCE" a heads-up that a somewhat
important curl [4] patch will probably be published around
2023-10-11.

If they ask you what curl is you should probably use simple
words when you explain it.

Happy hacking
Fabian

[0] <https://kb.cert.org/vince/>
[1] <https://www.cisa.gov/>
[2] <https://www.fabiankeil.de/gehacktes/electrobsd/>
[3] <https://kb.cert.org/vuls/guidance/>
[4] <https://curl.se/>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.