“Our paying customers need X, when will you fix it?”

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • mitmproxy

    An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.

  • Actually, reading the issue I think the IBM request is a lot more reasonable than this tweet makes it seem.[1] The issue is essentially that a mitmproxy dependency has a CVE, mitmproxy updated the dependency (in March), but hasn't made a stable release yet with this update, and IBM guy is asking "when do you plan to tag a release? Do you have a timeline for this?"

    Notably it's NOT asking for a fix; "when will you fix it?" is not accurate as there is nothing to be fixed. It's just asking "when do you plan to make a new release with this dependency update?"

    [1]: https://github.com/mitmproxy/mitmproxy/issues/6051

  • cryptography

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.

  • Some context:

    - The cryptography dependency used by the current release of mitmproxy has a CVE related to an OpenSSL vulnerability (https://github.com/pyca/cryptography/security/advisories/GHS...)

    - The main branch of mitmproxy has already upgraded to the latest version of the cryptography package

    - The author of the package does not believe the CVE impacts users of mitmproxy so a release including this commit has not been made

  • H2

    H2 is an embeddable RDBMS written in Java.

  • This sounds very much like the idiocy of "infosec" lunkheads who know nothing about what they're "fixing" but if an automated system tells them a CVE exists, they've absolutely got to have it "patched". They don't look into what the claims of the CVE are, or whether their specific use case is vulnerable. They don't know, they don't care, they're not even programmers. All they know is a box needs ticking.

    A similar thing happened with h2database - a "security researcher" found that if you do something you're told not to do, then bad things happen, but they demanded and got a CVE allocated anyway. Anyone who looks at it realises it's bullshit, but the mere existence of a CVE is all that matters to these idiots.

    What the h2database developer said about it: https://github.com/h2database/h2database/issues/3686#issueco...

    > I struggle to understand why I should feel the slightest shred of sympathy for "major corporations" that are using a volunteer-developed open-source project. Feel free to get your corporation to pay someone to deal with this, or pay for a similar commercial library.
