New addresses for b.root-servers.net

• Previous message (by thread): New addresses for b.root-servers.net
• Next message (by thread): New addresses for b.root-servers.net
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Jun 7, 2023 at 12:13 PM Izaac <izaac at setec.org> wrote:
> > A quick search of https://cve.mitre.org/cve/search_cve_list.html shows
> > between 600 and 3700 CVEs related to default configurations that are
>
> You literally just gave me a link to the CVE search page, waved your
> hand, and said, "See?"  Well, I'll admit to not being as good at
> conducting CVE research as you.

Evidently. Since we're talking about default configurations, the
obvious search is "default configurations." That yields 770 results.
The fourth in my list is CVE-2023-33949, a piece of software whose
default configuration lets folks create accounts without verifying
their email address. That's a reasonable setting when the application
is not exposed to the public Internet and you want to minimize setup
effort. The mitigation is to change the configuration setting.

Expanding the search to "defaults" yields 3769 results. I didn't read
through 3769 results to find one that was perfectly, flawlessly on
point but there were plenty where something about the software's
default configuration is insecure until the operator changes the
configuration.

Regards,
Bill Herrin


-- 
William Herrin
bill at herrin.us
https://bill.herrin.us/

• Previous message (by thread): New addresses for b.root-servers.net
• Next message (by thread): New addresses for b.root-servers.net
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]