12 comments

[ 4.1 ms ] story [ 40.2 ms ] thread
Thank you Daniel Stenberg for your work!
> This release will bundle no less than _eleven_ security advisories and their associated fixes (unless we get more reported in the time we have left).

So if a security advisory gets reported there will be less than 11 fixes?

Is anybody aware of a relative security ranking for the vulns / an indication of the maximum level of impact, similar to how OpenSSL grades their alerts before the release?

It's hard to tell for sure if curl is just bundling together several smaller vulns to save people doing 11 individual patch/update cycles, or if the implication is that one or more of the vulns are "critical".

There's CVSS:

https://en.wikipedia.org/wiki/CVSS

The utility of such metrics is a topic of debate in the security community.

My apologies: I'm familiar with CVSS and other scales that exist, was more asking if a score is known for these particular disclosures so I can guesstimate how much of my other work I'll be sidelining to rush out the new fixed version.
Wow. I'm really curious to take a look at these once they're disclosed. Considering how extensively curl libraries are used everywhere, this could have pretty big impacts.
This mail is shady and not providing any critical information.

Shipping 11 secret patchs? developed in 11 secret branches? to fix 11 undisclosed security issues?

Not a single word about the vulnerabilities, the bugs being fixed, the impact, or the security risks.

This is done to reduce the impact of vulnerabilities before a patch is out. Pretty common and sensible procedure.
Any hints at all would just give hackers a place to look for the bugs, before they are fixed. Just the existence of this email gives quite a bit of information (that there are a bunch of serious holes to be found).
Why wouldn't they do the merge now instead of 48h before release, so they have more time to see if there's any problems with it?
> Why wouldn't they do the merge now instead of 48h before release

The idea is not to publicly disclose the vulnerabilities with too much time remaining for a release. I guess that two weeks are mostly required so as to minimize the time taken by different distros to release updates.

I was thinking about a non-public merge, but with running the tests the article mentions. I don't know anything about their build setup though.