On 29.10.25 at 15:25, Petr Menšík via Dnsmasq-discuss wrote:
Unlike last time we received embargoed AI generated content, this time
there are CVEs assigned for dnsmasq. I have no time to work out how real
they are, but I doubt they describe anything of severity Important.
Yes, there might be bugs in DHCP parsing code, but if they need root
access, then they cannot have a CVSS score of 7.8. If you have not caught
them yet, I am just posting here that they did appear. I think they should be
disputed or their CVSS scores fixed.
If any software passes unfiltered content from unprivileged users to
dnsmasq, then that software should receive Important CVE.
https://www.openwall.com/lists/oss-security/2025/10/27/1
https://www.cve.org/CVERecord?id=CVE-2025-12198
Thanks Petr.
The claim on all three of them is "up to 2.73rc6", which was a release
candidate more than 10.5 years ago [1], and there is a thread of
critical voices on said mailing list about them being AI nonsense, or
questionable validation (before assignment) on VulDB's side, which is
the CNA who assigned those CVEs including 2025-12198 -- one of the
organizations that can assign CVE numbers.
They have been called out on the oss-security@ list by its moderator,
Alexander aka Solar Designer, already.
See <https://www.openwall.com/lists/oss-security/2025/10/28/3>.
[1] The first candidate not encompassed by three CVEs would be this
according to the public Git:
tag v2.73rc7
Tagger: Simon Kelley <[email protected]>
Date: Tue Apr 28 20:46:54 2015 +0100
release tag
Regards,
Matthias
_______________________________________________
Dnsmasq-discuss mailing list
[email protected]
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss