BEST OF THE WEB

Bogus security reports plague open-source projects

There has been a number of bogus security reports filed against popular open-source software projects. These reports have claimed to find critical vulnerabilities in software like cURL and PostgreSQL, but upon closer inspection, they have all turned out to be false.

The reports appear to have been filed by automated tools that scan commit messages for keywords like “buffer overflow” and “denial of service.” These tools then automatically generate CVEs (Common Vulnerabilities and Exposures) without actually verifying whether the vulnerabilities exist.

It was alleged that PostgreSQL 12.2 was susceptible to a denial of service attack through repeated SIGHUP signals. It was tagged
CVE-2020-21469, with a CVSS score of 9.8. However, a closer examination revealed that ordinary users lack the ability to send SIGHUP signals or terminate PostgreSQL processes. This “flaw” could be leveraged by a superuser or a user with specific privileges, making it a non-issue for the vast majority.

The result is a flood of junk CVEs that are wasting the time of security teams and open-source maintainers. In some cases, these reports have even caused unnecessary panic and confusion.

The sources for this piece include an article in OpenSourceWatch.

IT World Canada Staff
IT World Canada Staffhttp://www.itworldcanada.com/
The online resource for Canadian Information Technology professionals.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web