科技回声

The post links to more context here: <a href="https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/" rel="nofollow">https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-eve...</a><p>Last year, someone got got CVE's assigned for a curl issue for code that didn't exist AND managed to get a high severity assigned to it. So curl becoming a CNA lets them provide some control to this process.

> In plain English, this means that we will reserve and manage our own CVEs in the future directly against the CVE database with no middle man, and also that we have a scope for CVEs that is our territory: curl and libcurl<p>Combining this and the announcement of the same for PostgreSQL, would be even better if each was the authority for the other. I’d trust either project to classify the severity of an issue in the other.<p>Being able to classify your own CVEs has a bit of a fox watching the hen house vibe to it.

Wow, that's some history to this. I used to believe MITRE deserved some respect, but now, I'm not sure I do anymore.

When traffic is mad, one either drives the bus or goes under it, apparently.

No need to use curl, make HTTP requests great again with <a href="https://github.com/ducaale/xh">https://github.com/ducaale/xh</a>

Wow, that's some history to this. I used to believe MITRE deserved some respect, but now, I'm not sure I do anymore.

When traffic is mad, one either drives the bus or goes under it, apparently.

No need to use curl, make HTTP requests great again with <a href="https://github.com/ducaale/xh">https://github.com/ducaale/xh</a>

Curl is now a CVE Numbering Authority

5 条评论

Curl is now a CVE Numbering Authority

5 条评论