
Security quote of the week

While the impact of this problem is potentially huge, we struggled with setting a severity combined with the knowledge that a user vulnerable to this is using an over twenty years old and vulnerable zlib and has practically "given up" all security. If there actually exist users vulnerable to this flaw in the world, they most likely already have worse problems than this to deal with.

Daniel Stenberg in a CVE report.




Daniel shouldering *everything* for curl - again.

Posted Feb 6, 2025 22:37 UTC (Thu) by amacater (subscriber, #790) [Link] (3 responses)

Curl has been the subject of a huge amount of scrutiny for bugs. Nice to know that Daniel's prepared to fix code for a bug that was actually effectively fixed 20 years ago. There's a lot of effort going in to finding bugs - some of it automated fuzzing - and Daniel ends up playing whack-a-mole. This level of commitment is admirable.

Daniel shouldering *everything* for curl - again.

Posted Feb 7, 2025 5:11 UTC (Fri) by mirabilos (subscriber, #84359) [Link] (2 responses)

Following the link… he hasn’t actually fixed it, he removed support for those old libz versions.

But yes, in general, he’s doing a great job.

Daniel shouldering *everything* for curl - again.

Posted Feb 7, 2025 11:32 UTC (Fri) by cthart (guest, #4457) [Link] (1 response)

What was he supposed to do...? Dropping support for such an old library is the only sane response. It almost certainly has other security flaws.

Daniel shouldering *everything* for curl - again.

Posted Feb 7, 2025 21:54 UTC (Fri) by mirabilos (subscriber, #84359) [Link]

I wasn’t criticising this, I was only clarifying.


Copyright © 2025, Eklektix, Inc.