Moritz Mühlenhoff <[email protected]> writes: > On Mon, Oct 27, 2025 at 09:34:03AM -0700, Alan Coopersmith wrote: >> Among the new CVE's published this weekend were these from the VulDB CNA: >> >> For all three bugs, the documented "exploit" requires "Replace the default >> configuration file (/etc/dnsmasq.conf) with the provided malicious file." >> and if you can replace the server's configuration file you don't need to >> play games with putting invalid contents in to break the parser, but can >> simply change the configuration directly. > > The same nonsense also happened for the Kamailio SIP server (CVE-2025-12204, > CVE-2025-12205, CVE-2025-12206 and CVE-2025-12207).
GNU Bison got 2 CVEs assigned that are bogus, CVE-2025-8734 and CVE-2025-8733. The report for CVE-2025-8733 has a stack trace that references files that do not exist in Bison. I'm pretty sure it is some AI hallucination mixing up Gnulib and glibc, since the stack trace looks like an ancient glibc version which had assertions there. Collin
