FYI: Red Hat blog post on the CUPS vulnerability at https://www.redhat.com/en/blog/red-hat-response-openprinting-cups-vulnerabilities Security Bulletin at https://access.redhat.com/security/vulnerabilities/RHSB-2024-002?extIdCarryOver=true&sc_cid=701f2...
-
Jan Wildeboer 😷 replied to Jan Schaumann:
@jschauma Yep, full ACK. But weird stuff tends to happen at the worst time, so better safe than sorry
-
Peter replied to Jan Wildeboer 😷:
@jwildeboer @GossiTheDog @dangoodin just to confirm, the original reporter also didn't say it was a 9.9. He just repeated what he was told. https://x.com/evilsocket/status/1839446031165190523
-
Jan Wildeboer 😷 replied to Peter:
@plambrechtsen @GossiTheDog @dangoodin in his original Twitter thread he posted a screenshot of internal communication with someone at Red Hat in which the 9.9 was mentioned as *preliminary*, and he presented it as fact, IMHO. He deleted that tweet, it seems. Telling.
-
👾 Rene Rehme replied to Jan Wildeboer 😷:
@jwildeboer @GossiTheDog @dangoodin quote: "I wouldn’t classify it as a 9.9"
-
Jan Wildeboer 😷 replied to 👾 Rene Rehme:
@renereh1 Yep. That kind of behaviour is called backtracking @GossiTheDog @dangoodin
-
👾 Rene Rehme replied to Jan Wildeboer 😷:
@jwildeboer @GossiTheDog @dangoodin Maybe I just didn't understand it. In other words, he is referring to an initial CVSS base score that does not apply to his finding, but he claims it is confirmed?
-
Jan Wildeboer 😷 replied to 👾 Rene Rehme:
@renereh1 He first claimed that Red Hat and Canonical had "confirmed" a 9.9 CVSS, which turned out to be (as he should have known) the preliminary assessment by an engineer, not the final rating. After this was pointed out (and the final scores were made publicly available), he changed his tune, claiming in his blog post that he never thought it would be a 9.9 and that he really doesn't know how the rating process works anyway. @GossiTheDog @dangoodin
-
👾 Rene Rehme replied to Jan Wildeboer 😷:
@jwildeboer @GossiTheDog @dangoodin Ah ok, I see. Yes well, when he posted that, he just took the communicated value. I can understand that somewhere, regardless of how inflated the announcement was.
-
Jan Wildeboer 😷 replied to 👾 Rene Rehme:
@renereh1 And we now know what the scale of this vulnerability is (not really earth-shattering), fixes are being made available upstream and by Linux distributions, a mitigation is available (don't run cups-browsed) so at least I am moving on to new dramas @GossiTheDog @dangoodin
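The mitigation mentioned in the post above (don't run cups-browsed), as an added shell example that is not code from this thread, from Red Hat, or from the OpenPrinting project: it scans `ss -ulpn` style output for a UDP/631 listener (the port cups-browsed binds in a default configuration), checks the systemd unit on the live host, and prints the stop/disable commands. The two sample `ss` lines are constructed for the self-check; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: audit a Linux host for a running cups-browsed / UDP 631 listener.
# Assumes iproute2 `ss` and systemd; both calls are guarded so the script is
# harmless on hosts without them.
set -u

# udp631_listener_in OUTPUT
# Returns 0 if OUTPUT (in the format of `ss -ulpn`) contains a UDP socket whose
# local address ends in :631, 1 otherwise. Column 4 of each data line is
# "local-address:port" for IPv4 (0.0.0.0:631), IPv6 ([::]:631) and wildcard (*:631).
udp631_listener_in() {
    printf '%s\n' "$1" | awk '
        BEGIN { found = 0 }
        $1 == "UNCONN" && $4 ~ /:631$/ { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample output (not captured from a real host) to show the format.
SAMPLE_SS_OUTPUT='UNCONN 0 0 0.0.0.0:631 0.0.0.0:* users:(("cups-browsed",pid=1234,fd=7))
UNCONN 0 0 127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=800,fd=5))'

# check_host
# Runs the checks against the live system and prints the mitigation commands
# when cups-browsed is active. Returns 0 when nothing is found, 2 when the
# service is active or a UDP/631 listener exists.
check_host() {
    status=0
    if command -v ss >/dev/null 2>&1; then
        if udp631_listener_in "$(ss -ulpn 2>/dev/null)"; then
            echo "UDP/631 listener present (typically cups-browsed)"
            status=2
        else
            echo "no UDP/631 listener"
        fi
    fi
    if command -v systemctl >/dev/null 2>&1 \
       && systemctl is-active --quiet cups-browsed 2>/dev/null; then
        echo "cups-browsed.service is active; mitigation:"
        echo "  sudo systemctl stop cups-browsed"
        echo "  sudo systemctl disable cups-browsed"
        status=2
    fi
    return "$status"
}

# Self-check on the constructed sample, then the live host.
if udp631_listener_in "$SAMPLE_SS_OUTPUT"; then
    echo "sample output: UDP/631 listener detected"
fi
check_host || true
```

Run it as an unprivileged user; the stop/disable commands are printed rather than executed so the operator decides whether to apply them (on hosts that need printer discovery, upstream's fix is the alternative).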