|
|
Message-ID: <20260707222856.GA22800@openwall.com> Date: Wed, 8 Jul 2026 00:28:56 +0200 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Cc: Feroz Salam <feroz.salam@...valent.com>, security@...ium.io Subject: Re: [CVE request] Cilium ClusterNetworkPolicy matchExpressions Values silently dropped — 0-day in v1.20.0-pre releases, no maintainer response in 9 days via GHSA Triage On Tue, Jul 07, 2026 at 01:15:04PM -0700, Joe Stringer wrote: > I suspect we may have been the initial target for this activity; we > received a test email to security@...ium.io prior to this email. We also got one just prior to the 4 reports on July 4. I didn't let it through (as a moderator), but it was: > Subject: [Test] 2026-07-04 > From: xylove21 <xylove21@...ton.me> > To: oss-security@...ts.openwall.com > Date: Sat, 04 Jul 2026 10:12:46 +0800 > > Test 2026-07-04. Target: oss-security@...ts.openwall.com. No disclosure. Looks like just the way the tool works. I don't know what the purpose of this test was, given it was sent from a non-existent address and further messages were sent regardless of it not being accepted. Maybe the tool was misconfigured. On Tue, Jul 07, 2026 at 01:15:04PM -0700, Joe Stringer wrote: > The feature discussed in the disclosure is an alpha feature that we've > been developing this cycle. We identified and fixed the reported issue > as part of development activities, so it will not be part of a stable > release. The report from xylove21 accurately identified the commit and > PR that introduced the bug, as well as the commit that fixed the bug > and corresponding PR. > > If you asked a model to read git logs to identify changes with > security impact, it would probably point to the fix commit referenced > in the original message. The combination of "fix" and "network policy" > in a commit title is likely sufficient signal. Evidently the claw was > also directed to identify which commit may have introduced the issue. > I would guess the motivation was to identify known issues which may > not have had a public disclosure, and attempt to file a CVE for the > issue to claim some credit. Given these versions are not recommended > for production and the feature is alpha, we do not see a motivation to > file a CVE. Oh, so in your case it was search for recently fixed issues. I wonder if that's also the case for the 4 other reports against other projects. I could not quickly confirm this now. Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.