278 points jwilk | 1 comments
arp242 No.44382233
A lot of these "security bugs" are not really "security bugs" in the first place. Denial of service is not resulting in people's bank accounts being emptied or nude selfies being spread all over the internet.

Things like "panics on certain content" like [1] or [2] are "security bugs" now. By that standard anything that fixes a potential panic is a "security bug". I've probably fixed hundreds if not thousands of "security bugs" in my career by that standard.

Barely qualifies as a "security bug", yet it's rated as "6.2 Moderate" and "7.5 HIGH". To say nothing of the gazillion "high severity" "regular expression DoS" nonsense and whatnot.

And the worst part is all of this makes it so much harder to find actual high-severity issues. It's not harmless spam.

[1]: https://github.com/gomarkdown/markdown/security/advisories/G...

[2]: https://rustsec.org/advisories/RUSTSEC-2024-0373.html

replies(13): >>44382268 #>>44382299 #>>44382855 #>>44384066 #>>44384368 #>>44384421 #>>44384513 #>>44384791 #>>44385347 #>>44385556 #>>44389612 #>>44390124 #>>44390292 #
nicce No.44382268
> A lot of these "security bugs" are not really "security bugs" in the first place. Denial of service is not resulting in people's bank accounts being emptied or nude selfies being spread all over the internet.

That is not true at all. Availability is also critical. If nobody can use bank accounts, the bank has no purpose.

replies(5): >>44382300 #>>44382443 #>>44382474 #>>44382869 #>>44383755 #
bogeholm No.44382300
Security and utility are separate qualities.

You're correct that inaccessible money is useless; however, one could make the case that it's secure.

replies(4): >>44382341 #>>44382350 #>>44382887 #>>44383068 #
nicce No.44382341
I think you are only considering the users. For the business provider, availability has a larger meaning, because the lack of it can bankrupt your business. It is about securing operations.
replies(3): >>44382398 #>>44382482 #>>44382532 #
em-bee No.44382482
Not paying rent can get you evicted, and not paying your medical bill can get you denied care. (In China most medical care is not very expensive, but every procedure has to be paid in advance. You probably won't be denied emergency care, so your life would not be in immediate danger, but sometimes an optional scan discovers something life-threatening that you weren't aware of, so not being able to pay for it can put you at risk.)