[Dnsmasq-discuss] Open CVEs against dnsmasq

Simon Kelley simon at thekelleys.org.uk
Tue Feb 15 09:56:43 UTC 2022


I analysed a couple and came to the same conclusion. Have you looked in 
detail at all of them?

The reports are all machine generated by the Google fuzzer. The problem 
is that the fuzzing framework it's using is wrong.

The framework was done by a third party over a year ago, I was aware of it 
and I confess I didn't pay much attention, so some of the responsibility 
is mine.

What needs to happen is that the Google 'bot needs to be stopped, while 
the fuzzing framework is fixed, the existing CVEs need to have humans 
look at them, and be cancelled if necessary. Google needs to be hit with 
a clue-stick and told that auto-generating low-quality CVEs is a bad idea.

Unfortunately I'm busy moving house at the moment, and failing to find 
time to do any of these things. If someone wants to take over I'd be 
very happy. I've had pretty much this conversation with someone from 
Red Hat security in the last week, and I can facilitate contact with them 
to avoid duplication of effort, if required.


Simon.

On 14/02/2022 22:32, Hauke Mehrtens wrote:
> Hi,
> 
> Our CVE checking scripts in OpenWrt found the following recently opened 
> CVEs against dnsmasq:
> https://nvd.nist.gov/vuln/detail/CVE-2021-45951
> https://nvd.nist.gov/vuln/detail/CVE-2021-45952
> https://nvd.nist.gov/vuln/detail/CVE-2021-45953
> https://nvd.nist.gov/vuln/detail/CVE-2021-45954
> https://nvd.nist.gov/vuln/detail/CVE-2021-45955
> https://nvd.nist.gov/vuln/detail/CVE-2021-45956
> https://nvd.nist.gov/vuln/detail/CVE-2021-45957
> 
> We think these CVE reports are wrong and should get rejected.
> 
> Hauke
> 