[Daniel's week] March 10, 2023

Daniel Stenberg daniel at haxx.se
Fri Mar 10 17:09:02 CET 2023


Hello my friends,

This has been yet another intense week. Let me tell you about some of the things I 
worked on:

## Security

The last week somewhat exploded as we have received a range of 7(!) reported
and now confirmed security vulnerabilities in curl. Every such report takes a
lot of time and effort to first understand and confirm, and then to assess
its impact and risk, write the proper fix and then write a clear and accurate
advisory that describes each single problem in detail.

Today we are ten days from the pending release so we still have time, but we
also want to pre-notify the open operating systems ahead of time so I need to
get these done sooner rather than later.

Out of the current seven issues, five are considered severity Low and two are
Medium. None of them is likely to hurt very many users.

## CVSS and scoring

On the related topic of scoring and assessing the severity of security
problems, I posted a blog entry [1] about the NVD habit of making up their own
CVSS scores for vulnerabilities as this seems to not be known everywhere.

As a follow-up from that I got involved in a constructive conversation with an
NVD representative about this subject. I don't quite know where it will end or
if it actually will make any practical end results but it still seems
worthwhile to try.

I have engaged with Hackerone to see why they do not pass on or set the
severity levels for the CVE issues that we register at Hackerone and they pass
on to MITRE (since they are our CNA). They did at least respond and seem to
have understood the issue. The Hackerone support can be amazingly slow at
times so I'm not sure what to expect from this.

Lastly, I have a pending meeting scheduled with a GitHub Security Advisory
Database person to see if we can work out something that improves how curl is
made visible and displayed there.

Of course I will let you know if any of these threads actually "bear fruit".

## EU CRA

Over in the Fossified podcast we recorded our first real episode [2] and made
it available this week. The subject was something so unsexy-sounding as
pending EU legislation, but this new EU CRA proposal is going to affect just
about every one of us that work with software, in one way or another, so it
felt important to dive into and straighten out a little. This will probably
also be important for non-EU people making software to be used in products for
sale in the EU in the future.

The CRA is basically like a "CE" branding for software. Manufacturers that do
something with software inside need to fulfill conditions and live up to some
quality regarding that software. This will certainly affect Open Source as
well, and is going to lead to some fun and some less fun (I'm sure) moments
going forward.

Simon and Olle were great guests and Johan and Henrik make this a breeze for
me since they do so much of the lifting and actual making the thing
materialize. I mostly just blab.

The topic for the next Fossified episode is set and you are welcome to provide
your ideas and questions for it: curl 25 years [3]. Should be another fun
episode.

Oh, head over and add your topic proposals and vote on the existing ones [7]
to help us continue to pick good topics going forward.

## v8 prep

We have been fixing a fascinating number of minor bugs recently, partly thanks
to improved and new additional test suites. Fascinating in the sense that I am
amazed that there can be such a steady stream of reports and yet curl works so
stably most of the time.

Today we are but ten days away from the curl 8.0.0 release and its associated
25 year anniversary celebrations [4]. We are also very close to crossing the
30,000 commits mark any day now.

The vulnerability explosion certainly added to the work I need to handle for
the release but all together I think I am on top of the situation and we
should be able to ride out the storm and deliver a smooth and well engineered
curl release soon.

On March 20 2023, at least the following will happen:

  - curl 8.0.0 release
  - several curl security advisories will be published
  - curl 8.0.0 live-streamed video presentation
  - The "curl 25 years" Fossified episode ships
  - curl 25 years online celebrations [4]

## Talks

I will do a number of talks this spring [5]: public, private and online. Next
up that we arrange ourselves are the curl Roadmap 2023 webinar coming up on
March 23 and a "QUIC and HTTP/3" webinar on April 6 (co-hosted with Stefan
Eissing). Stay tuned for details. They will both happen on Zoom but will also
be recorded and made available on Youtube after the fact.

If you want to invite [6] me to YOUR conference, here is my top advice:

  - ask several months before the event
  - don't assume I will speak for free

## Coming up

  - release prep for the coolest curl release in a long time

## Links

  [1] = https://daniel.haxx.se/blog/2023/03/06/nvd-makes-up-vulnerability-severity-levels/
  [2] = https://pod.fossified.com/2023/03/09/s01e01.html
  [3] = https://github.com/fossified/podcast/issues/12
  [4] = https://daniel.haxx.se/blog/2023/03/10/curl-25-years-online-celebration/
  [5] = https://daniel.haxx.se/talks.html
  [6] = https://daniel.haxx.se/how-to-invite-me.html
  [7] = https://github.com/fossified/podcast/labels/topic


-- 

  / daniel.haxx.se


More information about the daniel mailing list