oss-sec mailing list archives
Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089
From: Greg KH <greg () kroah com>
Date: Sat, 25 Jan 2025 08:00:04 +0100
On Fri, Jan 24, 2025 at 10:55:39AM -0800, Alan Coopersmith wrote:
> Their reasons for this are detailed on the blog post at: https://nodejs.org/en/blog/vulnerability/upcoming-cve-for-eol-versions including getting CVE scanners to report EOL versions as vulnerable even if no existing CVE specifically says that they are. While I can understand their reasoning, I can just imagine the noise if every project started issuing CVEs for every version that reaches EOL.
I think that's a great idea for projects to start doing (especially ones that are a CNA, which I recommend all open source projects become.) And as for "noise", I think that will just be a "drop in the bucket" of the overall CVE assignment numbers these days, as just how many different software versions are going EOL each month?

thanks,

greg k-h
Current thread:
- Node.js security updates: CVE-2025-23083, CVE-2025-23084, CVE-2025-23085 Jan Schaumann (Jan 21)
- Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Alan Coopersmith (Jan 24)
- Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Greg KH (Jan 24)
- Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Pete Allor (Jan 25)
- Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Florian Weimer (Jan 26)
- Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Pete Allor (Jan 27)
- Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Florian Weimer (Jan 28)
- Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 Pete Allor (Jan 28)
