[Dnsmasq-discuss] Open CVEs against dnsmasq
Hauke Mehrtens
hauke at hauke-m.de
Sun Feb 20 15:32:06 UTC 2022
Hi Simon,
On 2/15/22 10:56, Simon Kelley wrote:
> I analysed a couple and came to the same conclusion. Have you looked in
> detail at all of them?
No, I did not look in detail into them, I just had a quick look at
them. Thanks for looking deeper.
> The reports are all machine generated by the Google fuzzer. The problem
> is that the fuzzing framework it's using is wrong.
>
> The framework was done by a third party over a year ago, I was aware of it
> and I confess I didn't pay much attention, so some of the responsibility
> is mine.
>
> What needs to happen is that the Google 'bot needs to be stopped, while
> the fuzzing framework is fixed, the existing CVEs need to have humans
> look at them, and be cancelled if necessary. Google needs to be hit with
> a clue-stick and told that auto-generating low-quality CVEs is a bad idea.
I was surprised to see there was no comment from a human.
> Unfortunately I'm busy moving house at the moment, and failing to find
> time to do any of these things. If someone wants to take over I'd be
> very happy. I've had pretty much this conversation with someone from
> Red Hat security in the last week, and I can facilitate contact with them
> to avoid duplication of effort, if required.
I think Petr from Red Hat had a closer look into the reported problems.
Hauke
>
>
> Simon.
>
> On 14/02/2022 22:32, Hauke Mehrtens wrote:
>> Hi,
>>
>> Our CVE checking scripts in OpenWrt found the following recently
>> opened CVEs against dnsmasq:
>> https://nvd.nist.gov/vuln/detail/CVE-2021-45951
>> https://nvd.nist.gov/vuln/detail/CVE-2021-45952
>> https://nvd.nist.gov/vuln/detail/CVE-2021-45953
>> https://nvd.nist.gov/vuln/detail/CVE-2021-45954
>> https://nvd.nist.gov/vuln/detail/CVE-2021-45955
>> https://nvd.nist.gov/vuln/detail/CVE-2021-45956
>> https://nvd.nist.gov/vuln/detail/CVE-2021-45957
>>
>> We think these CVE reports are wrong and should get rejected.
>>
>> Hauke
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
>>
>