I analysed a couple and came to the same conclusion. Have you looked in
detail at all of them?
The reports are all machine generated by the Google fuzzer. The problem
is that the fuzzing framework it's using is wrong.
The framework was done by a third party over year ago, I was aware of it
and I confess I didn't pay much attention, so some of the responsibility
is mine.
What needs to happen is that the Google 'bot need to be stopped, while
the fuzzing framework is fixed, the existing CVEs need to have humans
look at them, and be cancelled if necessary. Google needs to be hit with
a clue-stick and told that auto-generating low-quality CVEs is a bad idea.
Unfortunately I'm busy moving house at the moment, and failing to find
time to do any of these things. If someone wants to take over I'd be
very happy. I've had pretty much this conversation with someone from
Redhat security in the last week, and I can facilitate contact with them
to avoid duplication of effort, if required.
Simon.
On 14/02/2022 22:32, Hauke Mehrtens wrote:
Hi,
Our CVE checking scripts in OpenWrt found the following recently opened
CVEs against dnsmasq:
https://nvd.nist.gov/vuln/detail/CVE-2021-45951
https://nvd.nist.gov/vuln/detail/CVE-2021-45952
https://nvd.nist.gov/vuln/detail/CVE-2021-45953
https://nvd.nist.gov/vuln/detail/CVE-2021-45954
https://nvd.nist.gov/vuln/detail/CVE-2021-45955
https://nvd.nist.gov/vuln/detail/CVE-2021-45956
https://nvd.nist.gov/vuln/detail/CVE-2021-45957
We think these CVE reports are wrong and should get rejected.
Hauke
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
