"CVE-2020-19909 is everything that is wrong with CVEs"

A claimed "9.8 CRITICAL" flaw in #curl that does not exist.

https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/


This is a story consisting of several little building blocks and they occurred spread out in time and in different places. It is a story that shows with clarity how our current system with CVE Ids and lots of power given to NVD is a completely broken system.

CVE-2020-19909

On August 25 2023, we got …

@bagder I can recommend becoming a CNA (https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCNA), not much work and you get all CVEs reported and you need to assign them. There is an escalation process though in case the reporter disagrees with your assessment. We became CNA this year and I enjoy it!

@Shortfinga in a case like this, how would being a CNA have changed things? Does it prohibit other CNAs from submitting CVEs for your products?
@bagder @Shortfinga Yes, it does. Only Mitre could then decide to allocate a CVE after hearing all parties.
@rgacogne @Shortfinga Thanks. It seems going full CNA is the best way for us to control this madness.
@bagder @rgacogne @Shortfinga The PHP project is one too. I've done it for one and although not easy, it isn't terrible either.