> On Wed, Jan 29, 2025 at 03:22:02PM +0100, Rafał Lichwała wrote:
>> On 29.01.2025 2:43 PM, Dan Ritter wrote:
>>> CVSS are often bogus.
>>
>> Hmmm... I'm not sure what you mean. All security announcements in DSAs are referring to CVSS, so... what's the source of such an opinion?
>>
>>> Most recently: [1] https://daniel.haxx.se/blog/2025/01/23/cvss-is-dead-to-us/
>
> Did you actually read and understand the entire article?

Read - yes. Understand - I think so :-)

> A blog by the author of cURL. I would submit that his opinion is extremely relevant, if for no other reason than that there is hardly a more important/commonly used piece of network software out there.

Yes, I'm also a curl user on a daily basis. It was not my intention to disregard the author, the blog or its content.

>> Do we (debians) have some better alternatives?
>
> Yes, you read the CVE, you look at how the CVSS score was derived, you adjust as needed for your specific use case, and then you make a decision based on that.

>> Are there plans to switch to another solution? Or maybe just a discussion about such a switch?
>
> Many alternatives are under discussion, but the industry is largely driven by people who have a vested interest in making every vulnerability seem as critical as possible. Then they can sell security scanning and remediation solutions for a lot of money. If every vulnerability was basically "this might be a problem for 0.1% of users and a minor problem at that" then they would have a hard time selling their products and services.

Thank you for sharing this knowledge.

Maybe that's the explanation I was asking for - thank you.

> What is happening here is that Debian tracks this CVE as affecting its zlib package because in theory someone could take the source of zlib and modify it to produce the vulnerable binary. This is something that people should know about, since taking and modifying/rebuilding Debian source packages is rather common. However, Debian itself does *not* build the affected component. So, it makes no sense for Debian as a project to put limited effort into fixing such a vulnerability.

But I still don't understand "Debian itself does *not* build the affected component", as I can find a "minizip" (and maybe other) package based on that vulnerable library - see my previous post above as a Re: to Hanno.

Anyway, thank you for trying to explain to me things that are not obvious to me.