List: oss-security
Subject: Re: [oss-security] Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modu
From: Reid Sutherland <reid () thirddimension ! net>
Date: 2023-05-03 21:43:28
Message-ID: c3576b53-b89b-d706-002d-467acf373a9c () thirddimension ! net
Moritz Bechler wrote:
> Hi,
>
>>
>> A default is not a vulnerability. There are reasons why defaults
>> cannot be changed in libraries once they are stable. This is also why
>> documentation exists.
>>
>> Revoke these CVEs, it's a stain on the process.
>
>
> while one may criticize that CVEs have been assigned both for the
> insecure default and (some of the) insecure usages, at least one of
> these is a legitimate case, in terms of CVEs likely the latter. And when
> it comes to defaming projects, at least in my book, choosing, keeping
> and defending bad defaults speaks to much more than a CVE being assigned.
>
Performing outside queries is not a reasonable default in terms of
security. It's up to the developer if they wish to open up the user to
that risk. Libraries cannot shift defaults on a whim; this is why they
have documentation.