Notices by Will Dormann (wdormann@infosec.exchange), page 2

@GossiTheDog
It was uploaded 6 years ago.
It's flagged as 33/65 malicious.

VirusTotal peeps:

Why does searching for a hex pattern that's definitely in a file that is definitely in VirusTotal return "No matches found"?
https://www.virustotal.com/gui/file/11dadc71018027c7e005a70c306532e5ea7abdc389964cbc85cf3b79f97f6b44

Am I doing something wrong, or are VirusTotal (hex) content searches something other than what they advertise them to be?

@ryanc @jik @ocdtrekkie
Wow...
"We have not stopped issuance and we are not planning to stop issuance or to revoke certificates issued"
(Because it will annoy out customers)
Some time later:
Entrust nuked from existence.

watchTowr: Ivanti Connect Secure CVE-2024-22024 - Are We Now Part Of Ivanti?
https://labs.watchtowr.com/are-we-now-part-of-ivanti/

Things on a currrent Ivanti VPN box:
curl 7.19.7 2009-11-04 (14 years)
openssl 1.0.2n-fips 2017-12-07 (6 years)
perl 5.6.1 2001-04-09 (23 years)
psql 9.6.14 2019-06-20 (5 years)
cabextract 0.5 2001-08-20 (22 years)
ssh 5.3p1 2009-10-01 (14 years)
unzip 6.00 2009-04-29 (15 years)

@GossiTheDog
Counterpoint:
https://infosec.exchange/@seajay/111879635522838535
Vendors allowed to assign new CVEs to old vulnerabilities gives them the ability to hide their negligence in keeping their software up to date. 🤔

@GossiTheDog @chort @reverseics @cR0w
The thing was clearly made about 20 years ago without changing anything fundamental about how it works.
The only reason for its existence is to collect licensing fees.

I wonder why Atlassian doesn't have any security documents anymore.
No? Just me?

CVE wonders:
Apache created CVE-2023-49070 to capture: "Our OFBiz product has Apache XML-RPC, which is vulnerable to CVE-2019-17570".
This seems... wrong?
If every vendor created a new CVE to capture "Hey, we use library <foo> that already has a CVE", how can this possibly scale?

This isn't the first time CVE abuse for libraries has happened.
Take the recent libweb vulnerability. Apple got the report and assigned CVE-2023-41064 to "ImageIO"
Google got the report and assigned CVE-2023-4863 to "Chrome"
Eventually MITRE fixed the latter CVE to be libwebp.

CVE has assignment "rules" to avoid problems like these, but I get the impression that they're not really enforced anywhere by anyone.
What do you call rules that aren't enforced? "Suggestions"?