On 29.01.2025 3:30 PM, Roberto C. Sánchez wrote:
On Wed, Jan 29, 2025 at 03:22:02PM +0100, Rafał Lichwała wrote:
On 29.01.2025 2:43 PM, Dan Ritter wrote:
CVSS are often bogus.
Hmmm... I'm not sure what you mean. All security announcements in DSAs
refer to CVSS, so... what's the source of such an opinion?
Most recently: https://daniel.haxx.se/blog/2025/01/23/cvss-is-dead-to-us/
Did you actually read and understand the entire article?
Read - yes. Understand - I think so :-)
A blog by the author of cURL. I would submit that his opinion is
extremely relevant, if for no other reason than that there is hardly a more
important/commonly used piece of network software out there.
Yes, I'm also a curl user on a daily basis. It was not my intention to
disregard the author, the blog or its content.
Do we (debians) have some better
alternatives?
Yes, you read the CVE, you look at how the CVSS score was derived, you
adjust as needed for your specific use case, and then you make a decision
based on that.
Are there plans to switch to another solution? Or maybe just a discussion
about such a switch?
Many alternatives are under discussion, but the industry is largely
driven by people who have a vested interest in making every
vulnerability seem as critical as possible. Then they can sell security
scanning and remediation solutions for a lot of money. If every
vulnerability was basically "this might be a problem for 0.1% of users
and a minor problem at that" then they would have a hard time selling
their products and services.
Thank you for sharing this knowledge.
What is happening here is that Debian tracks this CVE as affecting its
zlib package because in theory someone could take the source of zlib and
modify it to produce the vulnerable binary. This is something that
people should know about, since taking and modifying/rebuilding Debian
source packages is rather common.
However, Debian itself does *not* build the affected component. So, it
makes no sense for Debian as a project to put limited effort into fixing
such a vulnerability.
Maybe that's the explanation I was asking for - thank you.
But I still don't understand "Debian itself does *not* build the affected
component", as I can find the "minizip" package (and maybe others) based on
that vulnerable library - see my previous post above in reply to Hanno.
Anyway, thank you for trying to explain to me things that are not obvious to me.