R Core has an official statement out on the inappropriately assigned CVE-2024-27322 #RStats

https://blog.r-project.org/2024/05/10/statement-on-cve-2024-27322/

Statement on CVE-2024-27322 - The R Blog

@hrbrmstr why was it inappropriately assigned? The statement acknowledges a security bug (that they fixed).
@krz Have you read anything about this prior to the R Core statement?
@hrbrmstr no, I haven’t heard of this bug or vulnerability before, and the r blog is not very informative either
CVE-2024-27322 Should Never Have Been Assigned And R Data Files Are Still Super Risky Even In R 4.4.0 - rud.is

I had not planned to blog this (this is an incredibly time-crunched week for me) but CERT/CC and CISA made a big deal out of a non-vulnerability in R, and it’s making the round on socmed, so here we are. A security vendor decided to try to get some hype before 2024 RSAC and made... Continue reading →