Dr. Neal Krawetz
Any update on when this will be patched? Even if it doesn't really impact caddy, many companies focus on scanner outputs. If the scanner says "there's a critical CVE in...
> > If the scanner says "there's a critical CVE in that code", then it doesn't get deployed -- period.
> >
> > You know, in a sense, the CVE ecosystem...
> We're waiting for 2.9.1 fixes

2.9.1 just came out. The critical and high vulnerabilities have not been addressed.

```
$ ./caddy -v
v2.9.1 h1:OEYiZ7DbCzAWVb6TNEkjRcSCRGHVoZsJinoDR/n9oaY=
$ grype ./caddy
✔ Vulnerability...
```
> [@hackerfactor](https://github.com/hackerfactor) Did you make your own Caddy v2.9.1 build with an outdated (Go 1.22.3) toolchain?

> I went to https://caddyserver.com/download and clicked the download button.
Just rechecked. Fixed. Thank you.
I agree with @thaoula. This should be part of the regular build-check process. For my own tools, I use 'grype' to scan for known open CVE issues.
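The comment above suggests making a scanner run part of the regular build check. As an added example (not code from the commenter or from the grype project), the script below is a gate one could run in CI on the JSON that `grype -o json` emits: it fails the build when any match meets a severity threshold. The `matches[].vulnerability.severity` / `matches[].artifact` field layout and the sample report embedded below are assumptions, constructed to show the logic; the vulnerability ids in the sample are placeholders, not real CVEs.

```python
import json
import sys

# Severity names as grype prints them, ranked so a threshold can be compared numerically.
SEVERITY_RANK = {
    "unknown": 0,
    "negligible": 1,
    "low": 2,
    "medium": 3,
    "high": 4,
    "critical": 5,
}


def gate_grype_report(report, fail_on="high"):
    """Return (passed, offenders) for a parsed grype JSON report.

    passed is False if any match has severity >= fail_on.
    offenders lists the matches that tripped the gate, in report order.
    Field names follow the assumed shape of `grype -o json` output.
    """
    threshold = SEVERITY_RANK[fail_on.lower()]
    offenders = []
    for match in report.get("matches", []):
        vuln = match.get("vulnerability", {})
        artifact = match.get("artifact", {})
        severity = str(vuln.get("severity", "Unknown")).lower()
        # Unrecognised severity strings rank as 0, so they never block the build silently;
        # surface them as a separate sanity check if you want stricter behaviour.
        if SEVERITY_RANK.get(severity, 0) >= threshold:
            offenders.append({
                "id": vuln.get("id"),
                "severity": vuln.get("severity"),
                "package": artifact.get("name"),
                "version": artifact.get("version"),
            })
    return (len(offenders) == 0, offenders)


# Constructed sample report (assumption about grype's JSON layout; ids are placeholders).
# It mimics a Go binary built with an outdated toolchain: one High finding against the
# embedded stdlib version, plus one Low finding that should not block a build gated at "high".
SAMPLE_REPORT = {
    "matches": [
        {
            "vulnerability": {"id": "CVE-0000-00001", "severity": "High"},
            "artifact": {"name": "stdlib", "version": "go1.22.3", "type": "go-module"},
        },
        {
            "vulnerability": {"id": "CVE-0000-00002", "severity": "Low"},
            "artifact": {"name": "example.invalid/some/module", "version": "v1.0.0", "type": "go-module"},
        },
    ]
}


def main(argv):
    # Usage: grype ./caddy -o json | python gate.py [fail-on-severity]
    # With no piped input, the constructed sample above is used so the script runs stand-alone.
    fail_on = argv[1] if len(argv) > 1 else "high"
    if sys.stdin.isatty():
        report = SAMPLE_REPORT
    else:
        report = json.load(sys.stdin)
    passed, offenders = gate_grype_report(report, fail_on)
    for o in offenders:
        print(f"BLOCKING {o['severity']:<9} {o['id']}  {o['package']} {o['version']}")
    print("PASS" if passed else f"FAIL: {len(offenders)} finding(s) at or above {fail_on}")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Piping real scanner output through the gate (`grype ./caddy -o json | python gate.py high`) makes the exit status the build signal, which is what most CI systems key on; the threshold is a parameter so a team can start at "critical" and tighten it later.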
I just tried it with c2patool 0.9.5 on Linux and can confirm the error.

```
c2patool -d 8a602824d5f0191fde64734b32fa27da71386516.2335945.jpeg trust --trust_anchors trust_anchors_Truepic_only.pem.txt
...
"validation_status": [
  {
    "code": "signingCredential.untrusted",
    "url": "Cose_Sign1",
    "explanation": ...
```
@pkslinkedin Just for clarity: I'm not one of the C2PA/CAI developers. The response needs to come from Adobe: @andyparsons or @mauricefisher64
Just making my opinion public here: Disabling, ignoring, or working around expiration dates on X.509 certificates is a REALLY BAD idea. If you must do that, then switch to something...
May be due to a bad build. My build process:

```
rm -f Cargo.lock
git pull
cargo update
cargo build --bin c2patool --target x86_64-unknown-linux-musl --release
# Output:
# ./target/x86_64-unknown-linux-musl/release/c2patool
./target/x86_64-unknown-linux-musl/release/c2patool...
```