Episode 203: What’s wrong with CVEs? Daniel Stenberg of cURL wants you to know

2 years ago
Daniel discusses CVE issues, proposes fixes, and addresses concerns like DDoS attacks, while Dan shares insights on NVD and improving CVE quality.
28 minutes
A Podcast by SustainOSS

Description

Guests: Daniel Stenberg | Dan Lorenc
Panelist: Richard Littauer

Show Notes

Today, we are switching things up and doing something new for this episode of Sustain, where we'll be talking about current events, specifically security challenges. Richard welcomes guest Daniel Stenberg, founder and lead developer of the cURL project. Richard and Daniel dive into the complexities of Common Vulnerabilities and Exposures (CVEs), discussing issues with how they are reported and scored, and the potential impact on open source maintainers. They also explore the difficulty of fixing the CVE system, propose short-term solutions, and address concerns about CVE-related DDoS attacks. Dan Lorenc, co-founder and CEO of Chainguard, also joins us and offers insights into the National Vulnerability Database (NVD) and suggests ways to improve CVE quality. NVD's response is examined, and Daniel shares his frustrations and uncertainties regarding the CVE system's future. Hit download now to hear more!

[00:01:00] Richard explains that they will discuss Common Vulnerabilities and Exposures (CVEs) and mentions that CVEs were launched in September 1999, briefly highlighting their purpose. He mentions receiving an email about a CVE related to the cURL project, which wasn't acknowledged by the cURL team.

[00:01:50] Daniel explains that the email about the CVE was sent to the cURL library mailing list by a contributor who noticed the issue. He describes the confusion about the old bug being registered as a new CVE.

[00:03:54] Daniel discusses the process of requesting a CVE, which involves organizations like MITRE, and he mentions the National Vulnerability Database (NVD) and how it consumes CVEs and assigns severity scores to them.

[00:06:21] Richard asks how NVD assigns severity scores to CVEs, specifically in the case of the 2020 CVE, and Daniel describes the actual bug in curl, which was a minor issue involving retry delays and not a severe security threat.

[00:09:57] Richard questions who at NVD determines these scores and whether they are policy makers or coders, to which Daniel admits he has no idea, and he discusses his efforts to address the issue. He expresses frustration with NVD's scoring system and their lack of communication.

[00:11:18] Daniel and Richard discuss their concerns about the accuracy and relevance of CVE ratings, especially in cases where those assigning scores may not fully understand the technical details of the vulnerabilities.

[00:14:37] We now welcome Dan Lorenc to get his point of view on this issue. Dan introduces himself and talks about his experience with the NVD, highlighting some of the issues with CVE scoring and the varying quality of CVE reports.

[00:16:11] Dan mentions the problems with CVSS scoring and the incentives for individuals to report vulnerabilities with higher scores for personal gain, leading to score inflation. Dan suggests that NVD could improve the quality of CVEs by applying more scrutiny to high-severity reports and to widely used libraries like cURL, which could reduce the noise and waste of resources in the industry.

[00:18:23] Richard presents NVD's response to their inquiry. Then Daniel and Richard discuss NVD's response and the discrepancy between its assessment and that of open source maintainers like Daniel, who believe that some CVEs are not valid security issues.

[00:20:44] Richard asks if anyone has offered to fund the work to fix vulnerabilities in important open source projects like cURL when a CVE is reported. Daniel replies that no such offers have been made, as most people involved in the project recognize that some CVEs are not actual security problems, but rather meta problems caused by the CVE rating system.

[00:21:40] Daniel explains his short-term solution of registering his own CNA (CVE Numbering Authority) to manage CVEs for his products and prevent anonymous users from filing CVEs.

[00:23:04] Richard raises concerns about the potential for a CVE DDoS attack on open source projects, overwhelming them with a flood of CVE reports.

[00:24:20] Daniel comments on the growing problem of both legitimate and invalid CVEs being reported, as security scanners increasingly scan for them. Richard reflects on the global nature of the problem, and Daniel emphasizes the importance of having a unique ID for security problems like CVEs.

Links

SustainOSS (https://sustainoss.org/)
SustainOSS Twitter (https://twitter.com/SustainOSS?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
SustainOSS Discourse (https://discourse.sustainoss.org/)
podcast@sustainoss.org (mailto:podcast@sustainoss.org)
SustainOSS Mastodon (https://mastodon.social/tags/sustainoss)
Open Collective-SustainOSS (Contribute) (https://opencollective.com/sustainoss)
Richard Littauer Twitter (https://twitter.com/richlitt?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Richard Littauer Mastodon (https://mastodon.social/@richlitt)
Daniel Stenberg Twitter (https://twitter.com/bagder?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Daniel Stenberg Mastodon (https://mastodon.social/@bagder)
Daniel Stenberg Website (https://daniel.haxx.se/)
Dan Lorenc Twitter (https://twitter.com/lorenc_dan?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
National Vulnerability Database (https://nvd.nist.gov/)
CVE (https://www.cve.org/)
cURL (https://curl.se/)
Chainguard (https://www.chainguard.dev/)
Sustain Podcast-Episode 185: Daniel Stenberg on the cURL project (https://podcast.sustainoss.org/guests/stenberg)
Sustain Podcast-Episode 93: Dan Lorenc and OSS Supply Chain Security at Google (https://podcast.sustainoss.org/93)

Credits

Produced by Justin Dorfman (https://www.justindorfman.com) & Richard Littauer (https://www.burntfen.com/)
Edited by Paul M. Bahr at Peachtree Sound (https://www.peachtreesound.com/)
Show notes by DeAnn Bahr, Peachtree Sound (https://www.peachtreesound.com/)

Special Guests: Dan Lorenc and Daniel Stenberg.