CISA just took CVE-2024-11053 from 9.1 all the way down to 3.4!
https://github.com/cisagov/vulnrichment/blob/develop/2024/11xxx/CVE-2024-11053.json
Took just 100 minutes from my PR until they instead merged their version of an update.
@bagder Now let's see if the media outlets who reported about the critical curl vulnerability will make a correction. I'm not holding my breath.
@harrysintonen @bagder so annoying ...
@bagder good on them for owning and promptly fixing their error
@darakian I don't think it was good to do that thing in the first place. I think the ripple effects of that damage are still to come as news sites and databases will be slow to update.
Also, it was not a "mistake" they "discovered". It was done on purpose and we/I had to waste time and energy correcting it, for the sanity and safety of millions of curl users.
Rude and stupid it was.
@bagder Agreed. They should have done better on their initial pass, but it is worth praising their prompt response given where the whole CVE space has been.