Three years ago I blogged about #nuget serving outdated #curl packages.
-
Three years ago I blogged about #nuget serving outdated #curl packages.
They then removed the packages I found.
I checked nuget again *today* and immediately found a nine year old curl package that is downloaded at the rate of 1,000 times/week from there... with **64** known vulnerabilities.
The blog post from back then: https://daniel.haxx.se/blog/2023/03/02/the-curl-nuget-story/
@bagder I've been using dotnet for a few years and wanted to try using Curl but didn't find anything that wasn't poorly maintained or totally outdated.
-
@bagder @shanselman responded to the bluesky mirror of this post.
-
@ssg @shanselman thanks, I tend to miss the replies to the mirror-me over there...
-
@bagder
Have you considered reserving "Curl" prefix on NuGet?
https://learn.microsoft.com/en-us/nuget/nuget-org/id-prefix-reservation
It is not much but it would prevent random people from uploading "officially looking" packages.
-
but I took it to the big generic security portal and submitted a report there. Let's see what happens.
My not at all surprised face: "After careful investigation, this case has been assessed as not a vulnerability and does not meet Microsoft's bar for immediate servicing."
-
@bagder our own IT team are running Office 2016 in a sensitive environment.
Why would MS be any better. 🙁
-
@bagder Subscription first, Quality second. Works as expected I suppose.
-
@bagder Microslop
-
@bagder nuget? more like oldget amirite
-
@bagder amazed you even got a reply that fast; it took me 6 months for them to acknowledge and patch a local root privilege escalation in Defender for Linux (https://astr.al/notes/2024-11-28_mdatp-privesc/)
-
@totenlegionChris @bagder ... second? That's bold of you to assume.
-
@bagder if you had stayed in the MVP program on the other hand… ;-)
-
"Microsoft is no longer accepting new submissions through secure@microsoft.com. Please use the Microsoft Researcher Portal "...
😠
Didn't they fire everyone in the team that was handling the submissions through that email address a few years ago?
-
@bagder Without going into detail, I once worked for a company that sells a windowing operating system. My team managed e-mail, filtering and archiving, and we escalated a 0-day DNS vulnerability to the relevant dev team for immediate response. It wasn't even in-house DNS software. It was a "here's the BIND patch, go deploy it" situation.
The dev lead told us that if it was important, we should have brought it up in that morning's shiproom meeting.
The vulnerability wasn't announced until after the meeting had ended.
I and a senior ops engineer spent most of that day trying to convey to the senior dev lead that a major security vulnerability was more important than his next two-week ship date.
-
@bagder For NuGet packages, beyond "contact owners" there's also the Report package option, which goes to NuGet support. But I've found mileage to vary there, too. If you've got a package id, I could try to back-channel it. The NuGet gallery has options to unlist, mark as deprecated, and attach a security advisory.
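The checks the thread is about (how old the newest version of a package is, whether nuget.org already attaches vulnerability advisories to it, whether it is deprecated or unlisted) can be scripted against the nuget.org v3 registration index. The block below is an added example, not code from the thread, from curl or from the NuGet project: the JSON sample is constructed in the documented shape of a registration index, the package id Example.CurlBinaries, its versions and the advisory URLs are hypothetical, and the severity code mapping is taken from the registration API documentation as an assumption.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of a nuget.org v3 registration index
# (fields as documented: catalogEntry.id/version/published/listed/
# vulnerabilities/deprecation). Package id, versions and URLs are hypothetical.
SAMPLE_INDEX = json.dumps({
    "count": 1,
    "items": [{
        "count": 2,
        "items": [
            {"catalogEntry": {
                "id": "Example.CurlBinaries", "version": "7.40.0",
                "published": "2015-06-01T00:00:00+00:00", "listed": True,
                "vulnerabilities": []}},
            {"catalogEntry": {
                "id": "Example.CurlBinaries", "version": "7.50.0",
                "published": "2017-03-01T00:00:00Z", "listed": True,
                "vulnerabilities": [
                    {"advisoryUrl": "https://example.invalid/advisory/1", "severity": "2"},
                    {"advisoryUrl": "https://example.invalid/advisory/2", "severity": "3"}],
                "deprecation": {"reasons": ["Legacy"], "message": "No longer maintained"}}},
        ]}],
})

# Fixed audit date so the sample gives reproducible ages (nine years after 7.50.0).
AUDIT_DATE = datetime(2026, 3, 1, tzinfo=timezone.utc)

# Severity codes as the registration API documents them (assumption: string codes).
SEVERITY = {"0": "low", "1": "moderate", "2": "high", "3": "critical"}


def _version_key(version):
    """Sort key for NuGet-style versions; build metadata and prerelease labels
    are stripped, which is a simplification (prerelease ordering is ignored)."""
    core = version.split("+")[0].split("-")[0]
    return tuple(int(p) for p in core.split("."))


def _published(entry):
    """Parse the ISO-8601 'published' timestamp, accepting a trailing Z."""
    return datetime.fromisoformat(entry["published"].replace("Z", "+00:00"))


def latest_entry(index):
    """Return the newest catalogEntry among inlined pages. Large packages split
    versions into pages that carry only an '@id' URL and no 'items'; those would
    have to be fetched separately, which this offline example deliberately skips."""
    entries = [leaf["catalogEntry"]
               for page in index.get("items", []) for leaf in page.get("items", [])]
    if not entries:
        raise ValueError("registration index has no inlined versions")
    return max(entries, key=lambda e: _version_key(e["version"]))


def audit(index_json, now=None, max_age_days=2 * 365):
    """Judge a package by its newest version: it must be listed, no older than
    max_age_days, carry no vulnerability advisories and not be deprecated."""
    now = now or datetime.now(timezone.utc)
    entry = latest_entry(json.loads(index_json))
    age_days = (now - _published(entry)).days
    vulns = [(SEVERITY.get(v.get("severity"), "unknown"), v.get("advisoryUrl"))
             for v in entry.get("vulnerabilities", [])]
    report = {
        "id": entry["id"],
        "version": entry["version"],
        "listed": entry.get("listed", True),
        "age_days": age_days,
        "stale": age_days > max_age_days,
        "vulnerabilities": vulns,
        "deprecated": "deprecation" in entry,
    }
    report["accept"] = (report["listed"] and not report["stale"]
                        and not vulns and not report["deprecated"])
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INDEX, now=AUDIT_DATE), indent=2))
```

Against live data, fetch https://api.nuget.org/v3/registration5-semver1/<id-lowercase>/index.json and pass the body to audit(). nuget.org reports a placeholder date of 1900-01-01 as published for unlisted versions, so the listed flag has to be checked before trusting age_days. For packages already referenced by a project, `dotnet list package --vulnerable --include-transitive` consults the same advisory data from the build side.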
-