Bogus security reports plague open-source projects

Share post:

There has been a number of bogus security reports filed against popular open-source software projects. These reports have claimed to find critical vulnerabilities in software like cURL and PostgreSQL, but upon closer inspection, they have all turned out to be false.

The reports appear to have been filed by automated tools that scan commit messages for keywords like “buffer overflow” and “denial of service.” These tools then automatically generate CVEs (Common Vulnerabilities and Exposures) without actually verifying whether the vulnerabilities exist.

It was alleged that PostgreSQL 12.2 was susceptible to a denial of service attack through repeated SIGHUP signals. It was tagged
CVE-2020-21469, with a CVSS score of 9.8. However, a closer examination revealed that ordinary users lack the ability to send SIGHUP signals or terminate PostgreSQL processes. This “flaw” could be leveraged by a superuser or a user with specific privileges, making it a non-issue for the vast majority.

The result is a flood of junk CVEs that are wasting the time of security teams and open-source maintainers. In some cases, these reports have even caused unnecessary panic and confusion.

The sources for this piece include an article in OpenSourceWatch.

Featured Tech Jobs


Related articles

Harness launches open-source Git repository

Harness, the software delivery platform founded by AppDynamics founder and CEO Jyoti Bansal, has announced the launch of...

Microsoft to axe third-party printer drivers in Windows

Microsoft has announced that it will phase out third-party printer drivers in Windows by 2027, and will replace...

Government and tech leaders hold open source security summit

Government officials and private sector executives from around the world are gathering in Washington this week to discuss...

Contrast Security open source AI policy to protect privacy and security

Contrast Security, a provider of application security testing, has open sourced an AI policy designed to help organizations...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways