[Daniel's week] March 3, 2023
daniel at haxx.se
Fri Mar 3 17:00:50 CET 2023
Nailed another week. Here we go...
## Hacker Stations
My photos and associated descriptions of my home office went up
hackerstations.com  and people on hacker news got the opportunity to
discuss how or if my desk is from IKEA or not. (The legs are, the rest is
Someone helped me realize the bad situation for the curl package hosted by
nuget for their package manager and I kicked off my mission to rectify that.
It got a lot of attention and ended fairly well .
## GitHub Security Advisory Database
That nuget story turned my attention over to the GitHub Security Advisory
Database, since the nuget people referred to them for vulnerability lookup for
projects. Turns out there are a few issues with this database from a curl
point of view and I've talked to someone in that team during the week to get
some answers and there is a coming slightly critical blog post slowly being
written in my head.
## security warning on Windows
My third Microsoft encounter this week (in addition to nuget and GitHub)
started with several companies approaching the wolfSSL curl support "hotline"
asking questions and being worried about security warnings on Windows! It
turns out that at least the security scanner Tenable Nessus this week started
to issue warnings when it finds curl 7.83.1 in a Windows machine. The warning
concerns CVE-2022-43552  which is a use-after-free that we rated 'low' in
the curl project because of the mitigating factor that the time window for it
is narrow (microseconds).
The curl installation it warns about is of course the *bundled* curl version
that Microsoft themselves builds and ships and I don't feel comfortable
recommending users to just erase or replace it. Not to mention that a mere
user probably cannot even do it.
According to my contact, Microsoft is aware of this and might address with at
least some sort of public communication about it. I don't know when or even if
it actually will happen. Until then I remain uncertain what to tell the users
that are hurt by this.
We released the pilot episode of our new podcast "Fossified" . I co-host
this show together with my old Swedish Open Source friends Henrik, Johan and
Magnus. We need your feedback. Propose topics on our GitHub and vote on the
existing proposals for coming episodes. If things work out, we should be doing
them on roughly a weekly schedule.
## Hacker news three times
The hacker stations, the nuget situation and then finally uncurled  got
attention and were up on hacker news within some 30 hours this week. Probably
more attention to myself than what is considered healthy.
Some of the comments there are certainly downright health hazards.
## Intro music
I am going to speak at the myconf conference in Karlskrona  in May, and I
was asked what "intro music" I would like played when I enter the stage. When
tested with a challenging question I did what every sensible person would do:
I deflected it and asked my Mastodon followers for help . It turned out
people had lots of creative suggestions and I ended up with many awesome
proposals. Now I just need to pick one. I'm leaning towards The Imperial March
from Star Wars because it is both pompous and fun.
## curl regressions
Several curl regressions have been reported and fixed recently. They are
fall-outs from the big HTTP/3 and HTTP/2 refactors where testing has been
sparse. What is good is that almost every single one of these regressions are
now fixed in assocation with the addition of a new test case to first
reproduce the problem and then verify the fix. Then they remain there to make
sure we avoid that regression again in the future.
An upside here is also that fixing lots of bugs now will only make the coming
8.0.0 release better.
## Coming up
- fix bugs, merge pull-requests
 = https://hackerstations.com/setups/daniel_stenberg/
 = https://daniel.haxx.se/blog/2023/03/02/the-curl-nuget-story/
 = https://www.tenable.com/plugins/nessus/171859
 = https://curl.se/docs/CVE-2022-43552.html
 = https://fossified.com/
 = https://myconf.io/
 = https://mastodon.social/@bagder/109952980359681383
 = https://un.curl.dev/
More information about the daniel