"CVE-2020-19909 is everything that is wrong with CVEs"

A claimed "9.8 CRITICAL" flaw in #curl that does not exist.

https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/

This is a story consisting of several little building blocks and they occurred spread out in time and in different places. It is a story that shows with clarity how our current system with CVE IDs and lots of power given to NVD is a completely broken system. CVE-2020-19909. On August 25 2023, we got …
@bagder there was something similar with the H2 DB system within the last few weeks, CVE-2022-45868.
Similar thing with it not actually being an issue, the project not being informed until someone asked them about it.
@4censord @bagder PostgreSQL's CVE-2019-9193 is another fun one. The security team explained to the reporter that it was by design, but they still went ahead and filed for a CVE!
CVE-2019-9193: Not a Security Vulnerability

There is widespread mention in the media of a security vulnerability in PostgreSQL, registered as [CVE-2019-9193](https://nvd.nist.gov/vuln/detail/CVE-2019-9193). The PostgreSQL Security Team …


@ilmari @4censord @bagder
and there was also the classic CVE-2023-24068/9 in @signalapp's Desktop client that required the exploiter to already have full access to the machine, at which point they can just straight up open the client...

https://mastodon.world/@Mer__edith/109751701529562752

Meredith Whittaker (@Mer__edith@mastodon.world)

The report by johnjhacking is confused. What they propose requires a level of access that's only available if the device is already completely compromised: “First and foremost, you need access to the device.” TLDR someone compromising your device is not a problem with Signal. Yes, someone with that level of access to your device can do just about anything you can, like open Signal Desktop, look at your photos, review your browser history, etc.
