"CVE-2020-19909 is everything that is wrong with CVEs"

A claimed "9.8 CRITICAL" flaw in #curl that does not exist.

https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/

This is a story consisting of several little building blocks and they occurred spread out in time and in different places. It is a story that shows with clarity how our current system with CVE Ids and lots of power given to NVD is a completely broken system. CVE-2020-19909 On August 25 2023, we got …

@bagder can you see any path forward where maintainers who want to could have a bigger role in maintaining their CVE list? Has NIST or would NIST consider such a thing, or would we need a whole new platform? Is there already a better alternative we could start preferring?
@dbanty I'm not that familiar with all the processes and details to tell. People tend to tell me "you should become your own CNA" as if that makes things better, but I have no idea. And also seems like a complicated way as surely not everyone can be CNAs. This system clearly needs fixing though.
@bagder @dbanty Hey Daniel, I've run a CNA before (for Puppet) and I would be happy to have a chat about the pros and cons and how it may help you with some of these