On 2/20/26 8:17 AM, Joe Malcolm wrote:
> Many will have seen the recent post from Anthropic (1) and
> associated reporting that says they found 500+ vulnerabilities and
> lists 3 of them. These three issues don't appear to have CVEs and
> two don't appear in releases. I don't know if that indicates the
> maintainers don't agree with the significance of these findings, but
> I wonder if the other 498+ vulnerabilities also lack CVEs.
>
> 1. For OpenSC, the commit appears to be:
>
> https://github.com/OpenSC/OpenSC/commit/9ab1daf21029dd18f8828d684ee6151d9238edab
>
> There are no disclosed security issues more recent than 2024 at
> https://github.com/OpenSC/OpenSC/security and the last release was
> OpenSC 0.26.1.
>

https://github.com/OpenSC/OpenSC/pull/3554

> The strcat is a magnet to any static analysis tools and CVEs. Let's
> get rid of that and replace it with the "safe" strlcat

I think this indicates they made the change solely because they were fed up with "security report harassment" and hoped that by making a change they saw as pointless, they could "defang" LLM tooling that reports "use of xxx function *could* be buggy, you use the function, we shall report it by assuming it is indeed buggy".

-- 
Eli Schwartz
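As an added example (not code from the thread, the PR, or OpenSC) of why a mechanical strcat-to-strlcat swap quiets the analyzer without closing anything: strlcat only stops the overflow, and the defect moves into an unchecked return value, which is the part a real fix has to handle. It assumes a local copy of BSD strlcat named bsd_strlcat and constructed path values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Portable reimplementation of BSD strlcat(3) semantics (glibc only gained
 * strlcat in 2.38, so this example carries its own copy). Appends src to dst,
 * never writes past size bytes, always NUL-terminates when size > 0, and
 * returns the length of the string it tried to build. A return value that is
 * >= size means the result was truncated. */
static size_t bsd_strlcat(char *dst, const char *src, size_t size)
{
    size_t dlen = 0;
    while (dlen < size && dst[dlen] != '\0')
        dlen++;
    size_t slen = strlen(src);
    if (dlen == size)                 /* dst not terminated within size */
        return size + slen;
    size_t room = size - dlen - 1;
    size_t n = slen < room ? slen : room;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + slen;
}

/* Build "<prefix>/<name>" in a fixed buffer the way a mechanical
 * strcat -> strlcat swap does: no overflow any more, but the caller is
 * never told that the path was silently cut short. */
bool join_path_unchecked(char *buf, size_t size, const char *prefix, const char *name)
{
    buf[0] = '\0';
    bsd_strlcat(buf, prefix, size);
    bsd_strlcat(buf, "/", size);
    bsd_strlcat(buf, name, size);
    return true;                      /* claims success even when truncated */
}

/* The change that actually closes the bug: treat truncation as an error by
 * checking every return value against the buffer size. */
bool join_path_checked(char *buf, size_t size, const char *prefix, const char *name)
{
    buf[0] = '\0';
    if (bsd_strlcat(buf, prefix, size) >= size) return false;
    if (bsd_strlcat(buf, "/", size) >= size) return false;
    if (bsd_strlcat(buf, name, size) >= size) return false;
    return true;
}
```

With a 16-byte buffer and a 15-byte prefix, the unchecked version reports success while the file name is missing from the path; the checked version reports the failure instead.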
