Bogus security reports plague open-source projects

Share post:

There has been a number of bogus security reports filed against popular open-source software projects. These reports have claimed to find critical vulnerabilities in software like cURL and PostgreSQL, but upon closer inspection, they have all turned out to be false.

The reports appear to have been filed by automated tools that scan commit messages for keywords like “buffer overflow” and “denial of service.” These tools then automatically generate CVEs (Common Vulnerabilities and Exposures) without actually verifying whether the vulnerabilities exist.

It was alleged that PostgreSQL 12.2 was susceptible to a denial of service attack through repeated SIGHUP signals. It was tagged
CVE-2020-21469, with a CVSS score of 9.8. However, a closer examination revealed that ordinary users lack the ability to send SIGHUP signals or terminate PostgreSQL processes. This “flaw” could be leveraged by a superuser or a user with specific privileges, making it a non-issue for the vast majority.

The result is a flood of junk CVEs that are wasting the time of security teams and open-source maintainers. In some cases, these reports have even caused unnecessary panic and confusion.

The sources for this piece include an article in OpenSourceWatch.

SUBSCRIBE NOW

Related articles

A new open source AI rivals Llama 2

LLM360, in collaboration with MBZUAI and Petuum, has unveiled K2-65B, a cutting-edge large language model (LLM) boasting 65...

Polar: A new way of funding open source projects

A company called Polar is introducing a new idea in open-source funding, aiming to allow open source developers...

Hashtag Trending Jan.19-Impact of AI on employment headlines at Davos; New study shows how much data is shared with Facebook; Starlink announces pricey Gigabit...

Where does Open Source fit into the global AI picture? Davos is abuzz with concerns about AI. A new study shows just how much data is shared with Facebook, Starlink announces Gigabit internet but it comes with a steep price, and your smart headphones might be raising eyebrows – literally.   All this and more

Open-source code fuels rise in supply chain cyberattacks

Recent research highlights a concerning trend in cybersecurity: the increasing use of open-source code and legitimate hacking tools...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways