> This release will bundle no less than _eleven_ security advisories and their associated fixes (unless we get more reported in the time we have left).
So if a security advisory gets reported there will be less than 11 fixes?
Is anybody aware of a relative security ranking for the vulns / an indication of the maximum level of impact, similar to how OpenSSL grades their alerts before the release?
It's hard to tell for sure if curl is just bundling together several smaller vulns to save people doing 11 individual patch/update cycles, or if the implication is that one or more of the vulns are "critical".
My apologies: I'm familiar with CVSS and other scales that exist, was more asking if a score is known for these particular disclosures so I can guesstimate how much of my other work I'll be sidelining to rush out the new fixed version.
Wow. I'm really curious to take a look at these once they're disclosed. Considering how extensively curl libraries are used everywhere, this could have pretty big impacts.
Any hints at all would just give hackers a place to look for the bugs, before they are fixed. Just the existence of this email gives quite a bit of information (that there are a bunch of serious holes to be found).
> Why wouldn't they do the merge now instead of 48h before release
The idea is not to publicly disclose the vulnerabilities with too much time remaining for a release. I guess that two weeks are mostly required so as to minimize the time taken by different distros to release updates.
12 comments
[ 4.1 ms ] story [ 40.2 ms ] threadSo if a security advisory gets reported there will be less than 11 fixes?
It's hard to tell for sure if curl is just bundling together several smaller vulns to save people doing 11 individual patch/update cycles, or if the implication is that one or more of the vulns are "critical".
https://en.wikipedia.org/wiki/CVSS
The utility of such metrics is a topic of debate in the security community.
Shipping 11 secret patchs? developed in 11 secret branches? to fix 11 undisclosed security issues?
Not a single word about the vulnerabilities, the bugs being fixed, the impact, or the security risks.
The idea is not to publicly disclose the vulnerabilities with too much time remaining for a release. I guess that two weeks are mostly required so as to minimize the time taken by different distros to release updates.