Tarfile

Josh and Kurt talk about a newly rediscovered old python vulnerability. It raises a lot of questions about what was OK in 2007 vs what’s OK in 2022. The issue is very complicated and has a wild story surrounding it. There is no reason to not fix this in 2022. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_344_Python_tarfile_2022_is_nothing_like_2007.mp3 Show Notes CVE-2007-4559 Red Hat Bug Register story Response from upstream Upstream patch ZippSlip Current upstream bug CSURF

Josh and Kurt talk about a blog post that explains there isn’t really an open source software supply chain. The whole idea of open source being one thing is incorrect, open source is really a lot of little things put together. A lot of companies and organizations get this wrong. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_343_Stop_trying_to_fix_the_open_source_software_supply_chain.mp3 Show Notes Iliana’s Twitter There is no “software supply chain” Google supply chain blog GitHub ansi_term advisory PyPI 2FA Dashboard tarfile issue rediscovered in 2022