Samuel Henrique

@FFmpeg @PhantomStnd Pro-tip: if you become a CNA, you get to decide what becomes a CVE. I know it does take some work, but you'll have control.

@PhantomStnd It's Google getting the CVEs assigned, not us

Here's an example of Google's AI reporting security vulnerabilities in this codec: issuetracker.google.com/issues/4401831… We take security very seriously but at the same time is it really fair that trillion dollar corporations run AI to find security issues on people's hobby code? Then expect volunteers to fix.

"curl maintainers BoF - DebConf 25" youtube.com/watch?v=OhTjgU… curl maintainers meet-up to discuss HTTP3, GnuTLS, wcurl and other things.

I've published the recordings of two of our #curl activities from Debian 's #debconf25 "wcurl - one year later - DebConf 25" youtube.com/watch?v=RvnDvi… Short presentation about what happened since wcurl’s creation in May 17 2024 and what will happen next.

I've just published a blog post listing exciting new features in Debian 13, focusing on practical changes that can improve your workflow for better performance and productivity. samueloph.dev/blog/debian-13…

@odyssjii @HSVSphere no, it goes to 0 because curl vulnerabilities are detected/fixed years after they got introduced, on average.

@HSVSphere Notice how it goes down to essentially 0? Yeah, look at the dates — this has a lot more to do with lack of safety mindset because there was no real threat previously.

From the curl creator himself: About half of all curl vulnerabilities were caused by C directly, and wouldn't have been possible in any other language.

@tsoding Lovely, thank you!

@samueloph_ github.com/tsoding/boomer

Time is the Best Unique Identifier

Debian should publish a micronews article about this soon.

Fixes for other lower severity CVEs have also been released in the same update and can all be tracked at security-tracker.debian.org/tracker/source…. The fixed Stable version is 3.2.7-1+deb12u1 and the fixed Testing/Unstable version is 3.3.0+ds1-3

-- CRITICAL CVE UPDATE FOR DEBIAN-- Fixes for a critical rsync vulnerability (CVE-2024-12084) have been released for Stable/Bookworm, Testing and Unstable. Oldstable/Bullseye is not affected.

Just released a new version of wcurl: github.com/curl/wcurl/rel…

The LWN article about one of my DebConf talks was published today: Debian's "secret" sauce lwn.net/Articles/99017…

@the_codedog Put this in your bashrc # Automatically run "ls" after "cd" [[ $- == *i* ]] && function cd { builtin cd "$@" && ls -Ftr1 }

cd ../ ls cd ../ ls cd ../ ls

@lauriewired @bagder nice idea for a curl graph

The half-life of code is an interesting predictor of project quality. Linux, has one of the longest code half-life’s at 6.6 years. WordPress, less than 2. Every software change induces some risk. Repos with numerous "change bursts" have the highest incidence of defects.

@evilsocket @JeffreyShran Sorry, I didn't mean to sound like I doubt you, just pointing it out as this might be useful for you when discussing the vector

@samueloph_ @JeffreyShran that was the initial CVSS that someone at redhat suggested, there's been and there's still conversations going on with a lot of confusion mostly due to miscommunication ... i can assure you it's a RCE.

* Unauthenticated RCE vs all GNU/Linux systems (plus others) disclosed 3 weeks ago. * Full disclosure happening in less than 2 weeks (as agreed with devs). * Still no CVE assigned (there should be at least 3, possibly 4, ideally 6). * Still no working fix. * Canonical, RedHat and others have confirmed the severity, a 9.9, check screenshot. * Devs are still arguing about whether or not some of the issues have a security impact. I've spent the last 3 weeks of my sabbatical working full time on this research, reporting, coordination and so on with the sole purpose of helping and pretty much only got patronized because the devs just can't accept that their code is crap - responsible disclosure: no more.

@evilsocket @JeffreyShran That CVSS vector doesn't look right, I can't say it's wrong because I don't know the details but it looks like the person who scored it doesn't believe it's an RCE.

@JeffreyShran honest answer: i have no idea, i don't do vuln research for work and i have really no idea how the CVSS scores are assigned, i literally had to use that web decoder to understand what the redhat guy was talking about

@evilsocket @Halxor149 That's a lot of work indeed, thanks

@samueloph_ @Halxor149 I’ve reached out to 3 of the developers of the project and two people at canonical. Plus I’ve spent a week debugging the issue for them, showing root causes and suggesting fixes. I feel at this point I’ve done my best, will wait the 30 days embargo and then disclose.

A week after disclosure, no clear timeline for a fix, no clear idea for the fix itself, the developer's been patronizing me from the very beginning, I asked multiple times to request CVEs for (at least) four vulnerabilities and didn't even get an ack ... very close to drop an 0day

@evilsocket @Halxor149 Just wondering, have you tried to reach out to Debian's security team as well? They might be helpful too: security@debian.org

@Halxor149 There're two people from Canonical involved in the conversation and so far they participated constructively to it less than the developer. I would understand if the problem was low impact, but it's not.

@evilsocket The previous version was 2.33.0, was the new one a mistake? Looks like it should be 2.40.0, otherwise there's no version comparison logic that will identify the update.

Introducing Bettercap 2.4.0: CAN-Bus Hacking, WiFi Bruteforcing and Builtin Web UI evilsocket.net/2024/09/13/Int…