On Sat, 26 Aug 2023, Daniel Stenberg via curl-library wrote:
Step one. A blog post with some details:
Other things I've done:
- I've pushed my blog post on social media to distribute awareness.
- I pull strings to get the CVE rejected. It is such a weird system so we
can't easily see which CNA that assigned the Id. Some language on the NVD
site made me think it was done by MITRE itself but I cannot find any public
way to contact MITRE to get a CVE rejected. For any reason.
- I wrote up an information page about this bogus CVE on the curl site:
https://curl.se/docs/CVE-2020-19909.html
Several people have told me that the only effective means that exist against
abusive CVE filings like this, is to become your own CNA as then you can
apparently "lock" your product to only be possible to get CVEs assigned from
your own CNA. I will look into this option.
--
/ daniel.haxx.se
| Commercial curl support up to 24x7 is available!
| Private help, bug fixes, support, ports, new features
| https://curl.se/support.html
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
