Hello,

First, thanks to Alexander for reposting because I was not able to do so!

You're right Clemens, I have myself asked the question on this GitHub (https://github.com/cisagov/vulnrichment/issues/130), but still no information for the moment.

Joel
________________________________________
From: Clemens Lang <cll...@redhat.com>
Sent: Tuesday, 12 November 2024 16:12
To: oss-security@lists.openwall.com <oss-security@lists.openwall.com>
Subject: Re: [oss-security] CVE-2024-36905: Linux kernel: Divide-by-zero on shutdown of TCP_SYN_RECV sockets

Hi,

> On 12. Nov 2024, at 15:58, Solar Designer <so...@openwall.com> wrote:
>
> So a question for this list/thread may be - where/how may we dispute
> CISA-ADP analysis? Maybe someone would reply with specific contact info
> for them, and Joel would proceed with that.

I think the source for the CISA-ADP data is at [1]. For this specific CVE, the relevant file would be [2]. Their readme has a section at the bottom, where they encourage feedback:

> We want to hear from you, the IT cybersecurity professional community, about
> Vulnrichment and ADP! If you see something, please feel free to say something
> in the Issues, or even better, open a Pull Request with your suggested fix.

I'm aware of at least one prior case where a similar case of (IMHO) overblown CVSS scores was discussed in an issue on this particular GitHub project [3]. Somebody seems to already have opened a ticket for this CVE, too: [4]

[1]: https://github.com/cisagov/vulnrichment
[2]: https://github.com/cisagov/vulnrichment/blob/develop/2024/36xxx/CVE-2024-36905.json
[3]: https://github.com/cisagov/vulnrichment/issues/93
[4]: https://github.com/cisagov/vulnrichment/issues/130

HTH,
Clemens

--
Clemens Lang
RHEL Crypto Team
Red Hat