
This is your regular reminder that CVSSv3 base scores are information-poor, and taken alone are not fit for the purpose of evaluating appropriate actions to take for a given security vulnerability.

I am hoping that CVSSv4 helps improve industry practices. It's badly needed.


csrc.nist.gov/csrc/media/Prese

If you use or and are worried about the pending "High" CVE that's coming out, @bagder said...

"Every security flaw requires a set of conditions to apply for the problem to trigger. The pending security vulnerabilities are no different. I cannot comment on what that set is ahead of time.

The severity level is a blunt tool. This is a HIGH severity problem but there is still going to be a large chunk of users who will not be affected by these problems."

github.com/curl/curl/discussio

GitHub: Severity HIGH security problem to be announced with curl 8.4.0 on Oct 11 · curl/curl · Discussion #12026. We are cutting the release cycle short and will release curl 8.4.0 on October 11, including fixes for a severity HIGH CVE and one severity LOW. The one rated HIGH is probably the worst curl securit...

The "High" rating for this bulletin, like "CVSSv3 base score >= 7.0", is information-poor.

For open source libraries in particular, there are many potential mitigating circumstances.

I really want for the community and industry practice to improve so that we don't blindly look at base scores or vendor ratings for libraries in particular, and then panic.

@msw kind of hard to see how publicizing this helps, though?

@slink Sure, it's just that @JohnHammond posted some good content over there.

I'd love for it to be over here!

@msw @slink @JohnHammond I really hate Elon for destroying Twitter. Now I have to scour multiple platforms for info like this because I refuse to use X and support him.

Thanks for sharing this here.