[ndriscoll]

> Best to get insecure and vulnerable software out of the hands of those who may not be familiar with this CVE or their change in policy that has not gotten a press release in any way.

Why is that the best? MinIO is not the type of thing that people ought to be directly making available on the Internet anyway, so CVEs are mostly irrelevant unless you are an organization that has to keep on top of them, in which case you certainly have a process in place to do so already.

People straight pulling an image off Dockerhub (so not a particularly sophisticated use-case) to run seem like they'd be the least likely to be impacted by a CVE like this. The impact is apparently "[it] allows the attacker to access buckets and objects beyond their intended restrictions and modify, delete, or create objects outside their authorized scope". Are people pulling from Dockerhub even setting up anything but the absolute most basic (Allow All) ACL?

[b112]

Zero trust is the way to assess threat. Not Internet access or not.

[ndriscoll]

No, it is a defense strategy. For e.g. hobbyists, it's basically irrelevant, and having something on a private LAN is fine. There is almost no chance of an issue. Not everything in the world needs to be maximally secured, and the people who are using those IAM policies are probably not pulling a vanilla image off Dockerhub to run something as fundamental as their storage layer. They probably also have firewalls tightly locking down which machines are able to talk to MinIO on top of token auth.

The cargo-culting around security is so bizarre to me. In a context where e.g. your organization needs to pass audits, it's cheaper/easier to just update stuff and not attempt to analyze everything so you can check the box. For everyone else, most security advisories are just noise that usually aren't relevant to the actual way software is used. Notably, no one in these discussions is even bringing up what the vulnerability is.

[b112]

Notably, no one in these discussions is even bringing up what the vulnerability is

That's because of two things. The first is, assessment takes a deep dive into the issue, not a summary. Conjoined with the second, in that you must be ready to update if required, without issue.

In every case, it's less time cost even for home lab users to update instead of assess.

If it isn't, you're using terrible software, for example software which pushes security updates along with API and code changes. Such software doesn't take user security seriously, and should be avoided at all costs.

There's no way around it. Just do it right, don't half ass with excuses. Don't use terrible software. If it's plugged into a network, zero trust it is.