Three years ago I blogged about #nuget serving outdated #curl packages.

They then removed the packages I found.

I checked nuget again *today* and immediately found a nine-year-old curl package that is downloaded at the rate of 1,000 times/week from there... with **64** known vulnerabilities.

The blog post from back then: https://daniel.haxx.se/blog/2023/03/02/the-curl-nuget-story/


"Microsoft is no longer accepting new submissions through [email protected]. Please use the Microsoft Researcher Portal "...

😠

but I took it to the big generic security portal and submitted a report there. Let's see what happens.
My not at all surprised face: "After careful investigation, this case has been assessed as not a vulnerability and does not meet Microsoft's bar for immediate servicing."
@bagder our own IT team are running Office 2016 in a sensitive environment.
Why would MS be any better? 🙁

@tjbutt58 @bagder

I once had office 2003 and I'm almost certain that they're still running it to this day. On a Win 2000 server...

@bagder Subscription first, Quality second. Works as expected I suppose.
@totenlegionChris @bagder ... second? That's bold of you to assume.
@Enfors @bagder I am a thick-headed optimist, so I will not bow to reality ;-)
@Enfors
MS won't settle for being second to none, they aspire to none instead
@totenlegionChris @bagder
@chocobo13 @Enfors @bagder If they get money for providing a security-like feature *Recall from governments / agencies ... Security will be a business case and not a target or quality for the software.
@bagder amazed you even got a reply that fast; it took me 6 months for them to acknowledge and patch a local root privilege escalation in Defender for Linux (https://astr.al/notes/2024-11-28_mdatp-privesc/)

@bagder if you had stayed in the MVP program on the other hand… ;-)

@bagder Without going into detail, I once worked for a company that sells a windowing operating system. My team managed e-mail, filtering and archiving, and we escalated a 0-day DNS vulnerability to the relevant dev team for immediate response. It wasn't even in-house DNS software. It was a "here's the BIND patch, go deploy it" situation.

The dev lead told us that if it was important, we should have brought it up in that morning's shiproom meeting.

The vulnerability wasn't announced until after the meeting had ended.

I and a senior ops engineer spent most of that day trying to convey to the senior dev lead that a major security vulnerability was more important than his next two-week ship date.

@bagder For NuGet packages, there's beyond "contact owners" also the Report package option, which goes to NuGet support. But I found mileage to vary there, too. If you've got a package id, I could try to back-channel it. The NuGet gallery has options to unlist, mark as deprecated, and add a security advisory.
@bagder that is a very strange definition of "not a vulnerability"
@bagder Maybe they got too many slop reports via email.
@sa7dse @bagder Time to get a lot of slop via the generic security form for a change.
@gmgall @sa7dse @bagder
they should be more proactive and provide an MCP endpoint for slop reports
@bagder AI Slop, this is why we can't have nice things.

@bagder

Didn't they fire everyone in the team that was handling the submissions through that email address a few years ago?

@bagder That's quite the nugget you found there.
Microsoft, and Windows.
Ah well.
@bagder Have you considered if there's a demand for vintage curl releases that you aren't serving? Give the people what they want!
@Tenzer I linked the security people to this relevant page: https://curl.se/docs/vuln-7.51.0.html

@bagder I've been using dotnet for a few years and wanted to try using Curl but didn't find anything that wasn't poorly maintained or totally outdated.
@bagder @shanselman responded to the bluesky mirror of this post.
@ssg @shanselman thanks, I tend to miss the replies to the mirror-me over there...
@bagder
Have you considered reserving "Curl" prefix on NuGet?
https://learn.microsoft.com/en-us/nuget/nuget-org/id-prefix-reservation
It is not much but it would prevent random people from uploading "officially looking" packages.

@bagder nuget? more like oldget amirite
@bagder That’s because they heard that “with JavaScript development, packages are outdated as soon as you install them,” so they wanted to do the same, but they didn’t understand it was a joke.
@poleguy