Hi, Just a FYI
1. I ran a sed script on the security advisory web pages on the curl web site and now all published previous security vulnerabilities are published with the CVE number in the URL and there's no longer any private ID used there. For example: https://curl.haxx.se/docs/CVE-2016-8615.html
All the former links (should) still work and permanently redirect to the new URLs. Let me know if you find anything that broke.
We should always acquire official CVE numbers for all published advisories anyway and possibly this should also make our advisories appear as more "official" documentation for curl security flaws and become easier to search for.
2. In this process, I also merged what formerly was two separate security vulnerabilities into a single one: CVE-2005-0490 to better conform with this new approach. The issue was considered as one by MITRE back in the days while we thought they were two different ones. With the new naming, it became complicated to keep them separate.
This is really not very important since that's an issue fixed over 13 years ago but someone might notice that the vulnerability counter thus shrunk and is now claiming a total of 80 published vulnerabilities again - when it previously said 81.
3. There's but one curl vulnerability that still doesn't have a valid CVE. I cheated a bit and called it CVE-2003-XXXX for now: https://curl.haxx.se/docs/CVE-2003-XXXX.html
I have applied for an official ID for this, but I'm not sure how they treat requests for IDs for 15 year old issues. If I get an ID, I'll update accordingly - otherwise I'll leave it like this.
--
 / daniel.haxx.se
