Three years ago I blogged about #nuget serving outdated #curl packages.
-
Three years ago I blogged about #nuget serving outdated #curl packages.
They then removed the packages I found.
I checked nuget again *today* and immediately found a nine year old curl package that is downloaded at the rate of 1,000 times/week from there... with **64** known vulnerabilities.
The blog post from back then: https://daniel.haxx.se/blog/2023/03/02/the-curl-nuget-story/
Microsoft, and Windows.
Ah well. -
R relay@relay.infosec.exchange shared this topic
-
Three years ago I blogged about #nuget serving outdated #curl packages.
They then removed the packages I found.
I checked nuget again *today* and immediately found a nine year old curl package that is downloaded at the rate of 1,000 times/week from there... with **64** known vulnerabilities.
The blog post from back then: https://daniel.haxx.se/blog/2023/03/02/the-curl-nuget-story/
"Microsoft is no longer accepting new submissions through secure@microsoft.com. Please use the Microsoft Researcher Portal "...
-
L limebar@mastodon.social shared this topic
-
"Microsoft is no longer accepting new submissions through secure@microsoft.com. Please use the Microsoft Researcher Portal "...
but I took it to the big generic security portal and submitted a report there. Let's see what happens.
-
"Microsoft is no longer accepting new submissions through secure@microsoft.com. Please use the Microsoft Researcher Portal "...
@bagder Maybe they got too many slop reports via email.
-
@bagder Maybe they got too many slop reports via email.
-
Three years ago I blogged about #nuget serving outdated #curl packages.
They then removed the packages I found.
I checked nuget again *today* and immediately found a nine year old curl package that is downloaded at the rate of 1,000 times/week from there... with **64** known vulnerabilities.
The blog post from back then: https://daniel.haxx.se/blog/2023/03/02/the-curl-nuget-story/
@bagder Have you considered if there's a demand for vintage curl releases that you aren't serving? Give the people what they want!
-
@bagder Have you considered if there's a demand for vintage curl releases that you aren't serving? Give the people what they want!
@Tenzer I linked the security people to this relevant page: https://curl.se/docs/vuln-7.51.0.html
-
"Microsoft is no longer accepting new submissions through secure@microsoft.com. Please use the Microsoft Researcher Portal "...
@bagder AI Slop, this is why we can't have nice things.
-
R relay@relay.an.exchange shared this topic
-
-
Three years ago I blogged about #nuget serving outdated #curl packages.
They then removed the packages I found.
I checked nuget again *today* and immediately found a nine year old curl package that is downloaded at the rate of 1,000 times/week from there... with **64** known vulnerabilities.
The blog post from back then: https://daniel.haxx.se/blog/2023/03/02/the-curl-nuget-story/
@bagder I've using dotnet for a few years and wanted to try using Curl but didn't find anything that wasn't poorly maintained or totally outdated.
-
Three years ago I blogged about #nuget serving outdated #curl packages.
They then removed the packages I found.
I checked nuget again *today* and immediately found a nine year old curl package that is downloaded at the rate of 1,000 times/week from there... with **64** known vulnerabilities.
The blog post from back then: https://daniel.haxx.se/blog/2023/03/02/the-curl-nuget-story/
@bagder @shanselman responded to the bluesky mirror of this post.
-
@bagder @shanselman responded to the bluesky mirror of this post.
@ssg @shanselman thanks, I tend to miss the replies to the mirror-me over there...
-
Three years ago I blogged about #nuget serving outdated #curl packages.
They then removed the packages I found.
I checked nuget again *today* and immediately found a nine year old curl package that is downloaded at the rate of 1,000 times/week from there... with **64** known vulnerabilities.
The blog post from back then: https://daniel.haxx.se/blog/2023/03/02/the-curl-nuget-story/
@bagder
Have you considered reserving "Curl" prefix on NuGet?
https://learn.microsoft.com/en-us/nuget/nuget-org/id-prefix-reservation
It is not much but it would prevent random people from uploading "officially looking" packages. -
but I took it to the big generic security portal and submitted a report there. Let's see what happens.
My not at all surprised face: "After careful investigation, this case has been assessed as not a vulnerability and does not meet Microsoft's bar for immediate servicing."
-
My not at all surprised face: "After careful investigation, this case has been assessed as not a vulnerability and does not meet Microsoft's bar for immediate servicing."
@bagder our own IT team are running Office 2016 in a sensitive environment.
Why would MS be any better.
-
My not at all surprised face: "After careful investigation, this case has been assessed as not a vulnerability and does not meet Microsoft's bar for immediate servicing."
@bagder Subscription first, Quality second. Works as expected I suppose.
-
My not at all surprised face: "After careful investigation, this case has been assessed as not a vulnerability and does not meet Microsoft's bar for immediate servicing."
@bagder Microslop
-
Three years ago I blogged about #nuget serving outdated #curl packages.
They then removed the packages I found.
I checked nuget again *today* and immediately found a nine year old curl package that is downloaded at the rate of 1,000 times/week from there... with **64** known vulnerabilities.
The blog post from back then: https://daniel.haxx.se/blog/2023/03/02/the-curl-nuget-story/
@bagder nuget? more like oldget amirite
-
My not at all surprised face: "After careful investigation, this case has been assessed as not a vulnerability and does not meet Microsoft's bar for immediate servicing."
@bagder amazed you even got a reply that fast; it took me 6 months for them to acknowledge and patch a local root privilege escalation in Defender for Linux (https://astr.al/notes/2024-11-28_mdatp-privesc/)
-
@bagder Subscription first, Quality second. Works as expected I suppose.
@totenlegionChris @bagder ... second? That's bold of you to assume.
