
Curl-library: An alert on the upcoming 7.51.0 release - sounds
http://curl.haxx.se/mail/lib-2016-10/0076.html
======
djsumdog
Wow. I'm really curious to take a look at these once they're disclosed.
Considering how extensively curl libraries are used everywhere, this could
have pretty big impacts.

------
bowmessage
Thank you Daniel Stenberg for your work!

------
akerl_
Is anybody aware of a relative security ranking for the vulns / an indication
of the maximum level of impact, similar to how OpenSSL grades their alerts
before the release?

It's hard to tell for sure if curl is just bundling together several smaller
vulns to save people doing 11 individual patch/update cycles, or if the
implication is that one or more of the vulns are "critical".

~~~
QUFB
There's CVSS:

[https://en.wikipedia.org/wiki/CVSS](https://en.wikipedia.org/wiki/CVSS)

The utility of such metrics is a topic of debate in the security community.

~~~
akerl_
My apologies: I'm familiar with CVSS and other scales that exist; I was more
asking if a score is known for these particular disclosures so I can
guesstimate how much of my other work I'll be sidelining to rush out the new
fixed version.

------
gpvos
Why wouldn't they do the merge _now_ instead of 48h before release, so they
have more time to see if there are any problems with it?

~~~
0xmohit
> Why wouldn't they do the merge now instead of 48h before release

The idea is not to publicly disclose the vulnerabilities with too much time
remaining for a release. I guess that two weeks are mostly required so as to
minimize the time taken by different distros to release updates.

~~~
gpvos
I was thinking about a non-public merge, but with running the tests the
article mentions. I don't know anything about their build setup though.

------
user5994461
This mail is shady and not providing any critical information.

Shipping 11 secret patches, developed in 11 secret branches, to fix 11
undisclosed security issues?

Not a single word about the vulnerabilities, the bugs being fixed, the impact,
or the security risks.

~~~
fbender
This is done to reduce the impact of vulnerabilities before a patch is out.
Pretty common and sensible procedure.

------
choward
> This release will bundle no less than _eleven_ security advisories and their
> associated fixes (unless we get more reported in the time we have left).

So if a security advisory gets reported there will be less than 11 fixes?

