fungi | https://nodejs.org/en/blog/vulnerability/upcoming-cve-for-eol-versions seems like an odd decision | 20:05 |
---|---|---|
JayF | honestly it's pretty smart | 20:12 |
fungi | i'm mainly just not sure how i feel about using cve identifiers to declare eol versions of software "vulnerable" to something nonspecific | 20:13 |
fungi | taking that to its extreme, you could issue a cve for every non-latest version in each supported series, since technically you're not supporting earlier versions in those series either | 20:15 |
JayF | so I think what they are saying is, they know a specific vulnerability in those versions is soon to be published | 20:18 |
JayF | and they are giving people a longer-than-usual heads up since they'll have to upgrade entire releases | 20:18 |
JayF | I would assume the CVE impacts *most versions of node* but this pre-announcement is for the people so far behind they won't get the fixes that'll drop with the details | 20:19 |
JayF | at least that's how I read it | 20:19 |
fungi | "This CVE will serve as an official notification to inform users that these versions are no longer maintained and may pose significant security risks." | 20:19 |
fungi | they go on to basically say that they consider running eol versions to be a vulnerability, because they might contain unaddressed vulnerabilities | 20:20 |
fungi | just wondering what happens if every project and manufacturer starts issuing a cve every time they eol a version of something | 20:21 |
fungi | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-23089 is an example | 20:22 |
JayF | oh, interesting | 20:25 |
JayF | I mean, I dig it to an extent? | 20:26 |
JayF | I've worked places where being able to point to a CVE would've helped a project to upgrade be more highly prioritized | 20:26 |
fungi | something tells me that if every project did that, it would cease to provide as strong of a motivator | 20:26 |
fungi | and/or cve scanner tools would evolve some way to filter them out | 20:27 |
JayF | My experience with tools /already/ is that they are pretty low value. | 20:30 |
fungi | agreed | 20:30 |
JayF | So none of what you said sounds that horrible to me :). If it makes someone stop and realize a CVE doesn't mean "ALL MUST FIX IMMEDIATELY" in all cases, good. | 20:30 |
fungi | yeah, that's a good point, it does help underscore that the existence of a cve doesn't necessarily imply the existence of a vulnerability | 20:35 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!