<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
<div class="moz-cite-prefix">On 29.10.25 at 15:25, Petr
      Menšík via Dnsmasq-discuss wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:4222fb77-aeac-4997-9562-1136884dd8c2@redhat.com">Unlike
      last time, when we received embargoed AI-generated content, this time
      there is a CVE assigned for dnsmasq. I have no time to solve how
      real they are, but I doubt it describes anything of severity
      Important.
      <br>
      <br>
      Yes, there might be bugs in DHCP parsing code, but if they need
      root access, then they cannot be CVSS score 7.8. If you have not
      caught them yet, I am just posting here that they did appear. I think they
      should be disputed, or their CVSS score fixed.
      <br>
      <br>
      If any software passes unfiltered content from unprivileged users
      to dnsmasq, then that software should receive Important CVE.
      <br>
      <br>
      <a class="moz-txt-link-freetext" href="https://www.openwall.com/lists/oss-security/2025/10/27/1">https://www.openwall.com/lists/oss-security/2025/10/27/1</a>
      <br>
      <br>
      <a class="moz-txt-link-freetext" href="https://www.cve.org/CVERecord?id=CVE-2025-12198">https://www.cve.org/CVERecord?id=CVE-2025-12198</a>
      <br>
      <br>
    </blockquote>
    <p>Thanks Petr.</p>
    <p>The claim on all three of them is "up to 2.73rc6", which was a
      release candidate more than 10.5 years ago [1], and there is a
      thread of critical voices on said mailing list about it being AI
      nonsense, or questionable validation (before assignment) on
      VulDB's side; VulDB is the CNA that assigned those CVEs, including
      2025-12198, i.e. one of the organizations that can assign CVE
      numbers.</p>
    <p>They have been called out on the oss-security@ list by its
      moderator, Alexander aka Solar Designer, already. <br>
      See
      <a class="moz-txt-link-rfc2396E" href="https://www.openwall.com/lists/oss-security/2025/10/28/3"><https://www.openwall.com/lists/oss-security/2025/10/28/3></a>.</p>
    <p><br>
    </p>
    <p>[1] The first candidate not encompassed by the three CVEs would be
      this one, according to the public Git:<br>
      <blockquote type="cite"><span style="font-family:monospace"><span
            style="color:#b26818;background-color:#ffffff;">tag v2.73rc7</span><span
            style="color:#000000;background-color:#ffffff;">
          </span><br>
          <span style="color:#000000;background-color:#ffffff;">Tagger:
            Simon Kelley <a class="moz-txt-link-rfc2396E" href="mailto:simon@thekelleys.org.uk"><simon@thekelleys.org.uk></a></span><span
            style="color:#000000;background-color:#ffffff;">
          </span><br>
          <span style="color:#000000;background-color:#ffffff;">Date:
              Tue Apr 28 20:46:54 2015 +0100</span><span
            style="color:#000000;background-color:#ffffff;">
          </span><br>
          <br>
          <span style="color:#000000;background-color:#ffffff;">release
            tag</span></span></blockquote>
    </p>
    <p><br>
    </p>
    <p>Regards,<br>
      Matthias</p>
  </body>
</html>