• Backslash@feddit.de · 45 upvotes · 1 year ago

      Reading the blog post, it’s a lot more nuanced than that: someone reported a CVE, which was related to a possible int overflow in client code handling the timeout between requests. NVD chose to grade this as a 9.8/10 on their severity scale (for context, CVE-2014-0160, also known as Heartbleed, got a 7.5/10), which is ludicrous for a bug which could at most change the retry timeout of your request from your intended years to a few seconds. Daniel says that this is not a security vulnerability at all and has no business being listed on the CVE database, whereas NVD argues that it’s a bug, it’s been reported to them, and because overflows are undefined behavior, anything can happen, so it’s a security vulnerability.

      In the end, they agreed to at least adjust the severity down to a 3.3, but I can understand that Daniel is still somewhat miffed about it. Personally I also agree that it’s not really a security issue and that even a 3.3 is too high in terms of severity.
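An added illustration of the overflow class described in the comment above: a retry delay given in seconds is converted to milliseconds in a 32-bit signed integer, so a delay of over a year can wrap to a few milliseconds. This is example code written for this page, not curl's code and not from the thread; the function names and the 32-bit millisecond conversion are assumptions chosen to model the bug class.

```c
// Models the bug class: seconds -> milliseconds in a 32-bit int without a
// range check. Signed overflow is undefined behavior in C; the unchecked
// function below uses unsigned wraparound only to make the effect observable.
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

// Vulnerable form (assumed model): no check that seconds * 1000 fits.
// 42949673 s (about 1.36 years) * 1000 wraps modulo 2^32 to 40 ms.
int32_t retry_delay_ms_unchecked(int32_t seconds) {
    uint32_t wrapped = (uint32_t)seconds * 1000u;  // wraps modulo 2^32
    return (int32_t)wrapped;                       // may be tiny or negative
}

// Hardened form: refuse any value whose conversion would not fit in int32_t,
// so the caller falls back to an error instead of a silently short delay.
bool retry_delay_ms_checked(int32_t seconds, int32_t *out_ms) {
    if (seconds < 0) return false;
    if (seconds > INT32_MAX / 1000) return false;  // would overflow
    *out_ms = seconds * 1000;
    return true;
}

// Convenience wrapper: the checked delay, or -1 when the input is rejected.
int32_t retry_delay_ms_or_neg1(int32_t seconds) {
    int32_t ms;
    return retry_delay_ms_checked(seconds, &ms) ? ms : -1;
}

int main(void) {
    int32_t years_in_seconds = 42949673;  // constructed input, ~1.36 years
    printf("unchecked: %d s -> %d ms\n", years_in_seconds,
           retry_delay_ms_unchecked(years_in_seconds));
    printf("checked:   %d s -> %d (rejected)\n", years_in_seconds,
           retry_delay_ms_or_neg1(years_in_seconds));
    printf("checked:   600 s -> %d ms\n", retry_delay_ms_or_neg1(600));
    return 0;
}
```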

      • feral_hedgehog · 8 upvotes · 1 year ago

        Are we reading the same article?

        You assume they’ve read the article 😬

    • SteveTech@programming.dev · 1 upvote · 1 year ago

      I’m not sure, but I think they’re able to review their own CVEs now, or at least they were trying to be able to after 2020-19909. Because companies like Microsoft, Intel, and stuff already do. (I believe the term is CNA)