|
|
Message-ID: <20260707182636.GA20763@openwall.com> Date: Tue, 7 Jul 2026 20:26:36 +0200 From: Solar Designer <solar@...nwall.com> To: Feroz Salam <feroz.salam@...valent.com> Cc: oss-security@...ts.openwall.com, security@...ium.io Subject: Re: [CVE request] Cilium ClusterNetworkPolicy matchExpressions Values silently dropped — 0-day in v1.20.0-pre releases, no maintainer response in 9 days via GHSA Triage Hello Feroz, xylove21's AI sent us 4 other claimed vulnerability reports to oss-security, but not actually this one you're replying to (and I just checked the logs, found no trace of it - not even spam-filtered). Given the confusion about embargoes vs. publication and a lot of other aspects like this, I doubt the vulnerabilities are for real. It feels like a less capable model from last year or older, not state of the art. On Tue, Jul 07, 2026 at 09:07:11PM +0530, Feroz Salam wrote: > As noted in your report, the issue you have reported only affects > development snapshots of Cilium, and no released stable versions. We do not > expect these development snapshots to be used in production environments, > and do not see the benefit of CVE issuance in this case. Have you looked into the reported issue and determined whether it's real or not? I ask so that we have extra input on how to treat other reports by xylove21. > > From: xylove21 <xuy0515@...il.com> Unlike the xylove21@...ton.me address these reports were sent from, the above Gmail address actually exists, and we got a response from it (probably also written by AI) on another issue. > > - 2026-06-29 19:56 +08:00 — Filing publicly via oss-security > > (escalation after 9 days of GHSA Triage silence). > > - 90-day public disclosure timeline: public release 2026-09-22 (or > > upon upstream fix in v1.20.0 stable, whichever comes first). If an AI is so poor it "thinks" there's distinction between "Filing publicly" and "public disclosure", it feels unlikely its "reasoning" about the claimed vulnerabilities is sound. Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.