Conversation

Leah Neukirchen (leah@blahaj.social)'s status on Wednesday, 22-Nov-2023 18:48:46 JST
@_xhr_ Given that this code seems to be vendored all over the place, providing a fixed upstream version is not super unreasonable...
Haelwenn /элвэн/ :triskell: likes this.
Matthias Schmidt (_xhr_@cybervillains.com)'s status on Wednesday, 22-Nov-2023 18:48:47 JST
This pull request clearly shows what's currently wrong in the #infosec community.
Another misaligned CVE with a CVSS score of 9.8 for code in a contrib/ dir that is not even built by default shows up in commercial vulnerability scanners and suddenly random people press the maintainer to release an updated version.
GreenSkyOverMe (Monika) repeated this.
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Wednesday, 22-Nov-2023 18:57:52 JST
@_xhr_ Maybe not built by default but zlib is the upstream of minizip, regardless of its contrib folder status, and there's software depending on that minizip*. (There's minizip-ng but not everyone has migrated to it)
* Dolphin, Mupen64plus and snes9x emulators, Wireshark, …
Alex Holst (holsta@helvede.net)'s status on Wednesday, 22-Nov-2023 21:58:27 JST
@_xhr_ GitHub should have a built-in way for maintainers to respond to issues with an invoice.