a CVE dispute. What a great system.
A few years years ago the curl project signed up and became a CNA. This means that we are masters of and can allocate our own CVE identifiers. For any security problems within our territory, it is we who decides if the issue should get a CVE our not. No more bogus CVEs. 57 CVEs … Continue reading a CVE dispute →
I agree that it’s not worthy of a CVE. In addition to your reasoning I see another argument for why a CVE is not warranted. Even if an attacker could make resolution work for this invalid hostname, what attack could they actually perform? If they control the wildcard certificate they can use it for any subdomain, so what sort of attack can be performed using the invalid domain which couldn’t have been achieved using a valid subdomain?
There is one thing about the bug which puzzles me. I would have expected the validation of domain matching certificate to have been performed by the TLS library and not in curl, so what’s the reason this is a bug in curl rather than the library?
daniel:// stenberg://
kasperd