Hi Simon,
On 2/15/22 10:56, Simon Kelley wrote:
I analysed a couple and came to the same conclusion. Have you looked in
detail at all of them?
No, I did not look in detail into them, I just had a quick look at
them. Thanks for looking deeper.
The reports are all machine generated by the Google fuzzer. The problem
is that the fuzzing framework it's using is wrong.
The framework was done by a third party over year ago, I was aware of it
and I confess I didn't pay much attention, so some of the responsibility
is mine.
What needs to happen is that the Google 'bot need to be stopped, while
the fuzzing framework is fixed, the existing CVEs need to have humans
look at them, and be cancelled if necessary. Google needs to be hit with
a clue-stick and told that auto-generating low-quality CVEs is a bad idea.
I was surprised seeing there no comment from a human.
Unfortunately I'm busy moving house at the moment, and failing to find
time to do any of these things. If someone wants to take over I'd be
very happy. I've had pretty much this conversation with someone from
Redhat security in the last week, and I can facilitate contact with them
to avoid duplication of effort, if required.
I think Petr from RedHat had a closer look into the reported problems.
Hauke
Simon.
On 14/02/2022 22:32, Hauke Mehrtens wrote:
Hi,
Our CVE checking scripts in OpenWrt found the following recently
opened CVEs against dnsmasq:
https://nvd.nist.gov/vuln/detail/CVE-2021-45951
https://nvd.nist.gov/vuln/detail/CVE-2021-45952
https://nvd.nist.gov/vuln/detail/CVE-2021-45953
https://nvd.nist.gov/vuln/detail/CVE-2021-45954
https://nvd.nist.gov/vuln/detail/CVE-2021-45955
https://nvd.nist.gov/vuln/detail/CVE-2021-45956
https://nvd.nist.gov/vuln/detail/CVE-2021-45957
We think these CVE reports are wrong and should get rejected.
Hauke
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss