Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CADa=Ryy1zvjfJSO-Nu7uK8yJMt9jXevJOQsPdC_9MxpHO0Qqrw@mail.gmail.com>
Date: Tue, 7 Jul 2026 13:15:04 -0700
From: Joe Stringer <joe@...valent.com>
To: Solar Designer <solar@...nwall.com>
Cc: Feroz Salam <feroz.salam@...valent.com>, oss-security@...ts.openwall.com, 
	security@...ium.io
Subject: Re: [CVE request] Cilium ClusterNetworkPolicy matchExpressions Values silently dropped — 0-day in v1.20.0-pre releases, no maintainer response in 9 days via GHSA Triage

Hi Alexander,

> xylove21's AI sent us 4 other claimed vulnerability reports to
> oss-security, but not actually this one you're replying to (and I just
> checked the logs, found no trace of it - not even spam-filtered).

I suspect we may have been the initial target for this activity; we
received a test email to security@...ium.io prior to this email.
Additionally, this report has unusual formatting. The email body
suggests an intention to send the disclosure to openwall with CC to
our list, but the email itself was sent directly to our security list.

> Have you looked into the reported issue and determined whether it's real
> or not?  I ask so that we have extra input on how to treat other reports
> by xylove21.

The feature discussed in the disclosure is an alpha feature that we've
been developing this cycle. We identified and fixed the reported issue
as part of development activities, so it will not be part of a stable
release. The report from xylove21 accurately identified the commit and
PR that introduced the bug, as well as the commit that fixed the bug
and corresponding PR.

If you asked a model to read git logs to identify changes with
security impact, it would probably point to the fix commit referenced
in the original message. The combination of "fix" and "network policy"
in a commit title is likely sufficient signal. Evidently the claw was
also directed to identify which commit may have introduced the issue.
I would guess the motivation was to identify known issues which may
not have had a public disclosure, and attempt to file a CVE for the
issue to claim some credit. Given these versions are not recommended
for production and the feature is alpha, we do not see a motivation to
file a CVE.

Cheers,
Joe

On Tue, Jul 7, 2026 at 11:26 AM Solar Designer <solar@...nwall.com> wrote:
>
> Hello Feroz,
>
> xylove21's AI sent us 4 other claimed vulnerability reports to
> oss-security, but not actually this one you're replying to (and I just
> checked the logs, found no trace of it - not even spam-filtered).
>
> Given the confusion about embargoes vs. publication and a lot of other
> aspects like this, I doubt the vulnerabilities are for real.  It feels
> like a less capable model from last year or older, not state of the art.
>
> On Tue, Jul 07, 2026 at 09:07:11PM +0530, Feroz Salam wrote:
> > As noted in your report, the issue you have reported only affects
> > development snapshots of Cilium, and no released stable versions. We do not
> > expect these development snapshots to be used in production environments,
> > and do not see the benefit of CVE issuance in this case.
>
> Have you looked into the reported issue and determined whether it's real
> or not?  I ask so that we have extra input on how to treat other reports
> by xylove21.
>
> > > From: xylove21 <xuy0515@...il.com>
>
> Unlike the xylove21@...ton.me address these reports were sent from, the
> above Gmail address actually exists, and we got a response from it
> (probably also written by AI) on another issue.
>
> > > - 2026-06-29 19:56 +08:00 — Filing publicly via oss-security
> > >   (escalation after 9 days of GHSA Triage silence).
> > > - 90-day public disclosure timeline: public release 2026-09-22 (or
> > >   upon upstream fix in v1.20.0 stable, whichever comes first).
>
> If an AI is so poor it "thinks" there's distinction between "Filing
> publicly" and "public disclosure", it feels unlikely its "reasoning"
> about the claimed vulnerabilities is sound.
>
> Alexander
>
> --
> You received this message because you are subscribed to the Google Groups "Cilium Security Response Team" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to cilium-security+unsubscribe@...valent.com.
> To view this discussion visit https://groups.google.com/a/isovalent.com/d/msgid/cilium-security/20260707182636.GA20763%40openwall.com.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.