
List:       oss-security
Subject:    Re: [oss-security] Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modu
From:       Reid Sutherland <reid () thirddimension ! net>
Date:       2023-05-03 21:43:28
Message-ID: c3576b53-b89b-d706-002d-467acf373a9c () thirddimension ! net

Moritz Bechler wrote:
> Hi,
> 
>>
>> A default is not a vulnerability.  There are reasons why defaults 
>> cannot be changed in libraries once they are stable.  This is also why 
>> documentation exists.
>>
>> Revoke these CVEs, it's a stain on the process.
> 
> 
> while one may criticize that CVEs have been assigned both for the 
> insecure default and (some of the) insecure usages, at least one of 
> these is a legitimate case, in terms of CVEs likely the latter. And when 
> it comes to defaming projects, at least in my book, choosing, keeping 
> and defending bad defaults speaks to much more than a CVE being assigned.
> 


Performing outside queries is not a reasonable default in terms of
security.  It's up to the developer if they wish to open up the user to
that risk.  Libraries cannot shift defaults on a whim; this is why they
have documentation.
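The thread subject refers to HTTP::Tiny's certificate verification setting (the `verify_SSL` constructor option). The script below is an added example, not code from this thread, from the Perl project, or from HTTP::Tiny itself: it puts a client that relies on the library default beside one that turns verification on explicitly, which is what a caller has to do when the default cannot be relied on. It assumes IO::Socket::SSL is installed (HTTP::Tiny needs it for https); the URL and the CA bundle path are placeholders.

```perl
#!/usr/bin/env perl
# Added example (not from the thread or from HTTP::Tiny itself): build an
# HTTP::Tiny client that verifies the server certificate explicitly rather
# than relying on the library's default, and surface verification failures.
use strict;
use warnings;
use HTTP::Tiny;

# Placeholder URL; substitute the endpoint you actually need to reach.
my $url = 'https://example.invalid/';

# Relies on the default. Historically HTTP::Tiny defaulted verify_SSL to 0,
# which is the insecure default this thread is about: the client accepts
# any certificate the server presents.
my $implicit = HTTP::Tiny->new();

# Hardened: opt in to verification regardless of which release is installed.
# SSL_options lets you pin a specific trust store when the system CA bundle
# is not the one you want (the path is a placeholder).
my $verified = HTTP::Tiny->new(
    verify_SSL => 1,
    timeout    => 10,
    # SSL_options => { SSL_ca_file => '/path/to/ca-bundle.crt' },
);

# Perform one GET with the given client and report the outcome.
# Returns 1 on success, 0 on failure.
sub fetch_with_report {
    my ($client, $label) = @_;
    my $res = $client->get($url);
    if ($res->{success}) {
        printf "%-9s %s %s (%d bytes)\n",
            $label, $res->{status}, $res->{reason}, length $res->{content};
        return 1;
    }
    # HTTP::Tiny reports internal errors, including TLS handshake and
    # certificate verification failures, as a synthetic 599 response with
    # the error text in {content}.
    my $why = $res->{status} == 599
        ? $res->{content}
        : "$res->{status} $res->{reason}";
    chomp $why;
    printf "%-9s failed: %s\n", $label, $why;
    return 0;
}

fetch_with_report($implicit, 'default');
fetch_with_report($verified, 'verified');
```

Against a server with a self-signed or mismatched certificate, the `verified` client reports a 599 with the verification error text, while the `default` client on an older HTTP::Tiny release succeeds silently; that difference is the point of setting the option explicitly rather than trusting the default.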
