Hi,

On Sun, Apr 05, 2026 at 06:13:03PM +0000, Moritz Mühlenhoff wrote:
> On Sun, Apr 05, 2026 at 04:25:41PM +0000, Mathias Gibbens wrote:
> > control: forwarded -1 https://github.com/osrg/gobgp/issues/3362
> >
> > More AI slop courtesy of the VulDB CNA. I created the linked issue to
> > make the gobgp upstream aware of the issue.
>
> Indeed, they appear to be randomly assigning CVEs which sound like
> security issues w/o ever properly involving the maintainers of
> upstream projects.
>
> Have CVE-2026-5122 CVE-2026-5123 CVE-2026-5124 all been confirmed
> to have no actual security impact? Then we can simply declare them
> as non-issues in the Debian Security Tracker.
>
> > Is there anything the Debian Security Team could do to de-
> > prioritize/ignore CVEs originating from VulDB?
>
> We could filter out CVEs from that CNA in the feed processing, but
> that might bury some legit issues. Maybe there's some mechanism to
> flag the CNA to the MITRE root to force them to stop, dunno.
If upstream can make a statement on whether the three recent CVEs are in fact non-issues from a security perspective and should not have gotten legitimate CVEs assigned, then this would help us report the problem.

Unfortunately, the scope of VulDB at this point is: "Vulnerabilities in VulDB products and vulnerabilities discovered by, or reported to, the VulDB vulnerability database that are not in another CNA’s scope."

One option is for the osrg / nttlabs organization to become its own CNA and so have the authority over which issues with security impact get CVEs assigned.

But in short, if the issues are confirmed by upstream to have no security impact, this will help to report the problem.

Regards,
Salvatore