--- Begin Message ---
On Mon, Nov 30, 2020 at 12:59 PM Michael Richardson <m...@sandelman.ca>
wrote:

> Hi, CVE-2020-8037 causes a big amount of memory to be allocated (then
> freed), it does not cause an attack.


That's helpful information.  (On a low-memory device that actually requires
memory at malloc time, it might cause tcpdump to crash due to failure to
allocate memory, but on a system using, e.g., glibc, it won't).  I think
changing the availability impact from A:H to A:N results in reducing the
CVSS score from 7.5 to 0, which is probably worth pursuing if you want
people to not be freaking out about the severity here.

> I think that you are on the security@ list, and I think that this did go
> through that list at the time.

I'm not receiving any messages from security@, but let's take this off-list.

  Bill

--- End Message ---
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
