Message-ID: <3e318f64-58f5-4909-8098-d157a3ecc00c@catalyst.net.nz>
Date: Thu, 30 Oct 2025 13:46:06 +1300
From: Douglas Bagnall <douglas.bagnall@...alyst.net.nz>
To: oss-security@...ts.openwall.com, Solar Designer <solar@...nwall.com>
Subject: Re: Questionable CVE's reported against dnsmasq

On 28/10/25 14:49, Solar Designer wrote:

> At this point, I think we want to hear from VulDB on this, and from
> MITRE on their requirements for CNAs in general and VulDB in particular
> to review CVE requests before assignment. Maybe VulDB is in violation.

Samba has had at least one bogus CVE claim from a different CNA (mitre.org), but it is in some sort of "reserved" rather than "issued" state. That means that searching for the CVE number returns a single result -- the claimant's LinkedIn profile. This would be the perfect outcome for all parties if we had not been required to spend hours confirming the report was bogus.

Alan Coopersmith wrote:

> The folks on the dnsmasq mailing list also pointed out the version claimed is
> a release candidate from 10 years ago, not anything current:

We also see this pattern.

Douglas