Hi Simon,

On 2/15/22 10:56, Simon Kelley wrote:
I analysed a couple and came to the same conclusion. Have you looked in detail at all of them?

No, I did not look in detail into them, I just had a quick look at them. Thanks for looking deeper.

The reports are all machine generated by the Google fuzzer. The problem is that the fuzzing framework it's using is wrong.

The framework was done by a third party over a year ago, I was aware of it and I confess I didn't pay much attention, so some of the responsibility is mine.

What needs to happen is that the Google 'bot needs to be stopped, while the fuzzing framework is fixed, the existing CVEs need to have humans look at them, and be cancelled if necessary. Google needs to be hit with a clue-stick and told that auto-generating low-quality CVEs is a bad idea.

I was surprised to see there was no comment from a human.

Unfortunately I'm busy moving house at the moment, and failing to find time to do any of these things. If someone wants to take over I'd be very happy. I've had pretty much this conversation with someone from Red Hat security in the last week, and I can facilitate contact with them to avoid duplication of effort, if required.

I think Petr from Red Hat had a closer look into the reported problems.

Hauke



Simon.

On 14/02/2022 22:32, Hauke Mehrtens wrote:
Hi,

Our CVE checking scripts in OpenWrt found the following recently opened CVEs against dnsmasq:
https://nvd.nist.gov/vuln/detail/CVE-2021-45951
https://nvd.nist.gov/vuln/detail/CVE-2021-45952
https://nvd.nist.gov/vuln/detail/CVE-2021-45953
https://nvd.nist.gov/vuln/detail/CVE-2021-45954
https://nvd.nist.gov/vuln/detail/CVE-2021-45955
https://nvd.nist.gov/vuln/detail/CVE-2021-45956
https://nvd.nist.gov/vuln/detail/CVE-2021-45957

We think these CVE reports are wrong and should get rejected.

Hauke

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss

