--- Begin Message ---
On Mon, Nov 30, 2020 at 12:59 PM Michael Richardson <m...@sandelman.ca>

> Hi, CVE-2020-8037 causes a big amount of memory to be allocated (then
> freed),
> it does not cause an attack.

That's helpful information.  (On a low-memory device that actually requires
memory at malloc time, it might cause tcpdump to crash due to failure to
allocate memory, but on a system using, e.g., glibc, it won't).  I think
changing the availability impact from A:H to A:N results in reducing the
CVSS score from 7.5 to 0, which is probably worth pursuing if you want
people to not be freaking out about the severity here.

I think that you are on the security@ list, and I think that this did go
> through that list at the time.

I'm not receiving any messages from security@, but let's take this off-list.


--- End Message ---
tcpdump-workers mailing list

Reply via email to