On 2/2/26 07:25, Gyorgy Sarvari via lists.openembedded.org wrote:
> ====================
>
> Removed this week (12):
> - live555: CVE-2025-65405: https://nvd.nist.gov/vuln/detail/CVE-2025-65405
> - live555: CVE-2025-65407: https://nvd.nist.gov/vuln/detail/CVE-2025-65407
> - live555: CVE-2025-65408: https://nvd.nist.gov/vuln/detail/CVE-2025-65408
>

I'd like to add a couple of thoughts about live555 CVEs.

Why they got on these lists:
- the first time they were LLM-derived (though later they received CPEs)
- they were filed against an old version, but couldn't find relevant code changes - that's why I kept them on the list even after they got a CPE
- couldn't verify the exploits, because the PoC files required registration with a Chinese phone number

Why they got off the lists:
- the writeups were made inaccessible by the reporter
- couldn't find a contact for the reporter
- some other distros consider them fixed (though couldn't find the version where it was fixed)

Due to the writeups being scrubbed from the internet, and with having virtually 0 info about the issues, I decided that I won't forcefully keep them on the list. They are not on the ignore list, but the cve-checker skips them, and I left it that way.
