This sounds very much like the idiocy of "infosec" lunkheads who know nothing about what they're "fixing" but if an automated system tells them a CVE exists, they've absolutely got to have it "patched". They don't look into what the claims of the CVE are, or whether their specific use case is vulnerable. They don't know, they don't care, they're not even programmers. All they know is a box needs ticking.
> This sounds very much like the idiocy of "infosec" lunkheads who know nothing about what they're "fixing" but if an automated system tells them a CVE exists, they've absolutely got to have it "patched". They don't look into what the claims of the CVE are, or whether their specific use case is vulnerable. They don't know, they don't care, they're not even programmers. All they know is a box needs ticking.
They may know and understand all of this and still not care. Maybe their performance is judged by how quick they can get checkboxes checked, with overzealous approvals harming them more than overzealous rejections. They may be empowered to make exceptions when the specific circumstance warrants it, but that might require them to fill out even more paperwork to justify their decision. That extra paperwork slows them down and harms the metrics by which their performance is judged.
“If you pass a password via the command line, other processes on the system could see it via ps.”
Yeah, no shit. If that qualifies as a “high severity” CVE then, uh, you can call me a security researcher because I can think of at least half a dozen applications that allow the exact same thing with the exact same disclaimer (“don’t do this”).
I work for a SaaS vendor in an industry where that is still a bit 'exotic'. We get sent ridiculous 'security surveys' for which 90% of the answers are N/A. I'm dubious that anyone reviews the other answers.
A similar thing happened with h2database - a "security researcher" found that if you do something you're told not to do, then bad things happen... but they demanded and got a CVE allocated anyway. Anyone who looks at it realises it's bullshit, but the mere existence of a CVE is all that matters to these idiots.
What the h2database developer said about it: https://github.com/h2database/h2database/issues/3686#issueco...
> I struggle to understand why I should feel the slightest shred of sympathy for "major corporations" that are using a volunteer-developed open-source project. Feel free to get your corporation to pay someone to deal with this, or pay for a similar commercial library.