On Sun, Apr 05, 2026 at 04:25:41PM +0000, Mathias Gibbens wrote:
> control: forwarded -1 https://github.com/osrg/gobgp/issues/3362
>
> More AI slop courtesy of the VulDB CNA. I created the linked issue to
> make the gobgp upstream aware of the issue.

Indeed, they appear to be randomly assigning CVEs which sound like
security issues w/o ever properly involving the maintainers of
upstream projects.

Have CVE-2026-5122 CVE-2026-5123 CVE-2026-5124 all been confirmed
to have no actual security impact? Then we can simply declare them
as non-issues in the Debian Security Tracker.

> Is there anything the Debian Security Team could do to
> de-prioritize/ignore CVEs originating from VulDB?

We could filter out CVEs from that CNA in the feed processing, but
that might bury some legit issues. Maybe there's some mechanism to
flag the CNA to the MITRE root to force them to stop, dunno.

Cheers,
Moritz