oss-sec mailing list archives
Re: Numerous unconfirmed FOSS CVEs disclosed on FD mailing list
From: Amos Jeffries <squid3 () treenet co nz>
Date: Thu, 1 Feb 2024 21:54:05 +1300
On 27/01/24 12:03, Matthew Fernandez wrote:
> On 1/27/24 08:53, Alan Coopersmith wrote:
>> While I can't speak for all the projects involved, I can speak for the X.Org maintainers & security team, and I can say that we were not consulted or informed about this CVE filing - if I wasn't on the FD mailing list, I wouldn't even know it had happened. The CNA responsible has not yet published the CVE to the CVE database yet, so we can't yet file a dispute, but once they do, I plan to request that they withdraw CVE-2023-45916 for xedit, as there is no security boundary crossed here and the bug doesn't allow someone to do anything they otherwise couldn't.
>
> We (the Graphviz maintainers) were also not consulted/informed, though we do not plan to contest the CVE.
Please *DO* contest CVEs issued for non-security bugs. It helps discourage this kind of bad behaviour if their CVEs get removed. It may also help CNAs to identify repeat offenders for closer inspection of their reports.

HTH
AYJ