The biggest Linux CVE of the century was published nearly 2 weeks early and would you look at that, it's not the biggest Linux CVE of the century
@jenbanim It's a really bad CVE for CUPS, but this dude was hyping it up like it was the 2nd coming of xz utils. This is a problem for desktop Linux systems that use CUPS.

@BrodieOnLinux Yeah, it's a serious CVE, but the way he was talking I was expecting another Heartbleed. My anxiety was through the roof right before the disclosure.

@BrodieOnLinux @jenbanim To be clear, the security researcher did not have anything to do with the score of 9.9. He hyped it up to be a bad vulnerability, sure (which it was), but it's the 9.9 score that really got people concerned. He's getting unfairly dogpiled IMO, and it's unfortunate to see you joining in on that.

@jenbanim @BrodieOnLinux That's it? There were supposed to be 3-6 CVEs rated 9.9; in the end it's just one, and just CUPS?

@BrodieOnLinux So no global infrastructure collapse? I thought that this was a "Linux figureheads will pay the price for their arrogance" type of thing?

@BrodieOnLinux Even though the ends do not justify the means (calling the severity a 9.9), we are all a little safer because someone found this exploit and reported it. Margaritelli owned up to the misclassification as well, according to El Reg:

@BrodieOnLinux I believe the erudite, sophisticated expression for this is a “damp squib”.

@BrodieOnLinux What is nice from the reporter of the vulnerability is that they investigated deeply and reported in detail, but they overhyped it, with the 9.9 grade and making pressure against us from #OpenPrinting. In addition, there was the leak which forced us to disclose quickly, before we had a complete set of fixes (but already enough to prevent the described exploit), perhaps caused by the post on X by the reporter, which stayed visible only for a short time ...

@BrodieOnLinux Why would anyone not run a firewall on any desktop -> block all incoming, allow all outgoing (except 443 UDP, which is just evil)
@BrodieOnLinux mrw 9.9 CVE but it relies on running CUPS with an exposed UDP port 631
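Added example, not posted by anyone in this thread: a POSIX sh check for the exposure the last two comments describe, a UDP socket on port 631 bound to every interface. It parses `ss -ulnH` output; the sample lines are constructed here, and `check_host` runs the same classification against the live machine when `ss` is installed.

```shell
#!/bin/sh
# Classify UDP port 631 (the CUPS browsing port) from `ss -ulnH` output.
# Output: "exposed" if bound to a wildcard address, "local" if only to
# loopback, "none" if nothing is listening on 631/udp.

# Constructed sample lines in the shape `ss -ulnH` prints (not captured
# from any real host).
SAMPLE_EXPOSED='UNCONN 0 0 0.0.0.0:631 0.0.0.0:* users:(("cups-browsed",pid=1234,fd=7))
UNCONN 0 0 127.0.0.1:323 0.0.0.0:*'
SAMPLE_LOCAL='UNCONN 0 0 127.0.0.1:631 0.0.0.0:*'

# Print the local address:port (4th column) of every UDP socket on port 631.
# Splitting on ":" and taking the last field also handles "[::]:631".
udp631_binds() {
  awk '$1 == "UNCONN" { n = split($4, a, ":"); if (a[n] == "631") print $4 }'
}

# Read ss-style lines on stdin and print one of: none, exposed, local.
classify_631() {
  binds=$(udp631_binds)
  if [ -z "$binds" ]; then
    echo none
  elif printf '%s\n' "$binds" | grep -Eq '^(0\.0\.0\.0|\*|\[::\]):631$'; then
    echo exposed
  else
    echo local
  fi
}

# Live check of this host; returns 2 if ss is not available.
check_host() {
  command -v ss >/dev/null 2>&1 || { echo "ss not found"; return 2; }
  ss -ulnH | classify_631
}
```

A host that reports `exposed` is in the configuration the thread's last comment describes; stopping the browsing service or filtering 631/udp at the host firewall, as the firewall comment suggests, removes that exposure.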