Open source libs with fixes that don’t have CVEs are a growing problem. This is what caused the latest VLC vulnerability that want.
https://twitter.com/wdormann/status/1154138404910768134
How do you know to "do something" (whether you're a distributor or user) if there's little indication in a release announcement or changelog that a specific release or commit might be security relevant?
You need a service that goes to the source, the project repos/mailing list, to get the best info. We do this at Veracode. There are others building private vulnDBs this way.
We could start by telling people that "we backport all security fixes in our lts distribution" is and has always been a lie. No distro has the resources to do that (also see recent thread on oss-sec about oss-fuzz results)
It gets changed by assigning more CVEs. Devs should finally start caring about security. If a dev fixes a vulnerability, they should get a CVE for it. It's that simple. It's more work, but it should be part of writing software.
That's like saying "hey you there. You maintain that free library. No one is paying you for it. Can you please put some more work into it so our cve thing works?"