Three years ago I blogged about #nuget serving outdated #curl packages.
-
Three years ago I blogged about #nuget serving outdated #curl packages.
They then removed the packages I found.
I checked nuget again *today* and immediately found a nine year old curl package that is downloaded at the rate of 1,000 times/week from there... with **64** known vulnerabilities.
The blog post from back then: https://daniel.haxx.se/blog/2023/03/02/the-curl-nuget-story/
@bagder @shanselman responded to the bluesky mirror of this post.
-
@bagder @shanselman responded to the bluesky mirror of this post.
@ssg @shanselman thanks, I tend to miss the replies to the mirror-me over there...
-
Three years ago I blogged about #nuget serving outdated #curl packages.
They then removed the packages I found.
I checked nuget again *today* and immediately found a nine year old curl package that is downloaded at the rate of 1,000 times/week from there... with **64** known vulnerabilities.
The blog post from back then: https://daniel.haxx.se/blog/2023/03/02/the-curl-nuget-story/
@bagder
Have you considered reserving "Curl" prefix on NuGet?
https://learn.microsoft.com/en-us/nuget/nuget-org/id-prefix-reservation
It is not much but it would prevent random people from uploading "officially looking" packages. -
but I took it to the big generic security portal and submitted a report there. Let's see what happens.
My not at all surprised face: "After careful investigation, this case has been assessed as not a vulnerability and does not meet Microsoft's bar for immediate servicing."
-
My not at all surprised face: "After careful investigation, this case has been assessed as not a vulnerability and does not meet Microsoft's bar for immediate servicing."
@bagder our own IT team are running Office 2016 in a sensitive environment.
Why would MS be any better.
-
My not at all surprised face: "After careful investigation, this case has been assessed as not a vulnerability and does not meet Microsoft's bar for immediate servicing."
@bagder Subscription first, Quality second. Works as expected I suppose.
-
My not at all surprised face: "After careful investigation, this case has been assessed as not a vulnerability and does not meet Microsoft's bar for immediate servicing."
@bagder Microslop
-
Three years ago I blogged about #nuget serving outdated #curl packages.
They then removed the packages I found.
I checked nuget again *today* and immediately found a nine year old curl package that is downloaded at the rate of 1,000 times/week from there... with **64** known vulnerabilities.
The blog post from back then: https://daniel.haxx.se/blog/2023/03/02/the-curl-nuget-story/
@bagder nuget? more like oldget amirite
-
My not at all surprised face: "After careful investigation, this case has been assessed as not a vulnerability and does not meet Microsoft's bar for immediate servicing."
@bagder amazed you even got a reply that fast; it took me 6 months for them to acknowledge and patch a local root privilege escalation in Defender for Linux (https://astr.al/notes/2024-11-28_mdatp-privesc/)
-
@bagder Subscription first, Quality second. Works as expected I suppose.
@totenlegionChris @bagder ... second? That's bold of you to assume.
-
My not at all surprised face: "After careful investigation, this case has been assessed as not a vulnerability and does not meet Microsoft's bar for immediate servicing."
@bagder if you had stayed in the MVP program on the other handโฆ
-
"Microsoft is no longer accepting new submissions through secure@microsoft.com. Please use the Microsoft Researcher Portal "...
Didn't they fire everyone in the team that was handling the submissions through that email address a few years ago?
-
My not at all surprised face: "After careful investigation, this case has been assessed as not a vulnerability and does not meet Microsoft's bar for immediate servicing."
@bagder Without going into detail, I once worked for a company that sells a windowing operating system. My team managed e-mail, filtering and archiving, and we escalated a 0-day DNS vulnerability to the relevant dev team for immediate response. It wasn't even in-house DNS software. It was a "here's the BIND patch, go deploy it" situation.
The dev lead told us that if it was important, we should have brought it up in that morning's shiproom meeting.
The vulnerability wasn't announced until after the meeting had ended.
I and a senior ops engineer spent most of that day trying to convey to the senior dev lead that a major security vulnerability was more important than his next two-week ship date.
-
@bagder our own IT team are running Office 2016 in a sensitive environment.
Why would MS be any better. -
My not at all surprised face: "After careful investigation, this case has been assessed as not a vulnerability and does not meet Microsoft's bar for immediate servicing."
@bagder For NuGet packages, there's beyond "contact owners" also the Report package option, which goes to NuGet support. But found mileage to vary there, too. If you got a package id, I could try to back-channel it. NuGet gallery have option to bot unlist, mark as deprecated, and security advisory.
-
@totenlegionChris @bagder ... second? That's bold of you to assume.
