
List:       oss-security
Subject:    Re: [oss-security] Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modu
From:       Reid Sutherland <reid () thirddimension ! net>
Date:       2023-05-03 19:57:59
Message-ID: 8038fdf3-2532-9a54-caf9-7c0d40262f52 () thirddimension ! net

On 5/3/23 15:54, David A. Wheeler wrote:
> 
> 
> > On May 3, 2023, at 3:15 PM, Reid Sutherland <reid@thirddimension.net> wrote:
> > 
> > Who actually decides when something receives a CVE?
> 
> There's a process for assigning CVEs. Anyone who wants to be able to assign CVEs -
> that is, to become a CVE Numbering Authority (CNA) - has to follow various
> processes. I'm sure it can be improved, like all things. I'm not directly involved
> in this. You might find more information here:
> https://www.cve.org/ProgramOrganization/CNAs
> > This can be used to defame projects and products as in this case.
> 
> 
> Identifying a vulnerability does not defame a project. If a library has the
> functionality to retrieve https URLs, and fails to verify the server
> certificates by default, then I (and many others) would call that a vulnerability.
> After all, the default is what happens. If you request data from
> <https://google.com>, you wouldn't expect it to use the data from
> <https://godzilla.com>. There's a general expectation that https://FOO provides a
> secure connection to FOO (with confidentiality, integrity, and server
> authentication), unless you specially disable it.
> --- David A. Wheeler
> 


A default is not a vulnerability.  There are reasons why defaults cannot 
be changed in libraries once they are stable.  This is also why 
documentation exists.

Revoke these CVEs; it's a stain on the process.
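The point under dispute above is whether an HTTP::Tiny client verifies the server certificate by default. The following script is an added example (not from either poster, and not part of HTTP::Tiny itself): it reports what the installed version does by default and then builds a client that verifies regardless of that default. The URL is a placeholder and the CA bundle path is an assumption for the commented-out pinning option.

```perl
#!/usr/bin/env perl
# Added example: check HTTP::Tiny's verify_SSL default on this install and
# force certificate verification on for an https fetch. Verification needs
# IO::Socket::SSL plus a CA store (Mozilla::CA or an SSL_ca_file).
use strict;
use warnings;
use HTTP::Tiny;

# Refuse to continue if TLS support is missing; otherwise every https
# request fails later with a less obvious error.
my ( $has_ssl, $why ) = HTTP::Tiny->can_ssl;
die "TLS support unavailable: $why\n" unless $has_ssl;

# What does a client built with no options do? Older releases default
# verify_SSL to 0, i.e. any certificate for the host is accepted.
my $default_client = HTTP::Tiny->new;
printf "HTTP::Tiny %s verifies by default: %s\n",
    $HTTP::Tiny::VERSION, $default_client->verify_SSL ? 'yes' : 'NO';

# Hardened client: verify the chain and the hostname explicitly, so the
# behaviour does not depend on which HTTP::Tiny version is installed.
my $client = HTTP::Tiny->new(
    verify_SSL => 1,
    # Optional: pin to a specific CA bundle (path is an assumption).
    # SSL_options => { SSL_ca_file => '/etc/ssl/certs/ca-certificates.crt' },
);

my $url = shift @ARGV || 'https://example.com/';    # placeholder URL
my $res = $client->get($url);

if ( $res->{success} ) {
    printf "%s %s, %d bytes\n", $res->{status}, $res->{reason},
        length $res->{content};
}
else {
    # A certificate that does not chain to a trusted CA, or whose name
    # does not match the host, surfaces here as an internal 599 status
    # with the SSL error text in the body.
    die "fetch failed: $res->{status} $res->{reason}: $res->{content}\n";
}
```

Running it against a host whose certificate is untrusted or mismatched exercises the failure branch, which is the behaviour the thread says a client should have by default.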

