• PlexSheep@feddit.de
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    The sheer volume of cves is not necessarily an indicator for insecurity. The CVE system is pretty bad and rulings are mostly arbitrary. For example, there was a recent curl “CVE”, where an overflow happened in some part of the app which was not relevant to security. I don’t remember the details, but the only solution to this apperent mess was that the main contributor of curl is becoming one of the guys that evaluate CVEs.

    CVE is a measure for the US government, and always assumes the worst in any case.

    That being said, I agree with you.

    • Rustmilian@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 year ago

      I know what curl CVE you’re referring too.
      Yeah, that was pretty stupid, they marked it high severity when 1 It was already patched like a year prior and 2 it was a complete non-issue in the first place.
      Then some fuckin AI put forth another bogus CVE based on the one you’re referring.
      The curl dev was pissed, and rightfully so.

      And You’re right, it’s more so the details of the CVEs that’s important then the actual CVEs themselves.