oss-sec mailing list archives
Re: Numerous unconfirmed FOSS CVEs disclosed on FD mailing list
From: Christian Brabandt <cb () 256bit org>
Date: Sun, 28 Jan 2024 22:24:18 +0100
On Sat, 27 Jan 2024, Matthew Fernandez wrote:
> On 1/27/24 08:53, Alan Coopersmith wrote:
> > While I can't speak for all the projects involved, I can speak for the X.Org maintainers & security team, and I can say that we were not consulted or informed about this CVE filing - if I wasn't on the FD mailing list, I wouldn't even know it had happened. The CNA responsible has not yet published the CVE to the CVE database yet, so we can't yet file a dispute, but once they do, I plan to request that they withdraw CVE-2023-45916 for xedit, as there is no security boundary crossed here and the bug doesn't allow someone to do anything they otherwise couldn't.
>
> We (the Graphviz maintainers) were also not consulted/informed. Though we do not plan to contest the CVE.

Same here for Vim. I wasn't aware of this and don't think it's a security issue per se of Vim.

Thanks,
Christian
--
Actually, in truth, reality often deviates from actuality.