oss-sec mailing list archives
Re: Questionable CVE's reported against dnsmasq
From: Petr Menšík <pemensik () redhat com>
Date: Fri, 31 Oct 2025 11:06:59 +0100
If it is a security issue, it needs to be rated correctly. It is okay to assign a CVE ID to an issue, even if it is low or medium severity. Yes, we do not always backport medium or low CVEs, especially if fixing them in older versions is complicated and requires non-trivial rewriting.
We would backport even _important_ issues without CVE IDs into releases with _full_ support. But it has to have a known reproducer and have no simple workaround in configuration. I do not think this is such a case.
If this is a problem in the configuration generator, then fix the generator or validate inputs from the user.
Petr

On 27/10/2025 21:40, Sebastian Pipping wrote:
> Hello Stuart,
>
> On 10/27/25 20:45, Stuart Henderson wrote:
>> On 2025/10/27 19:51, Sebastian Pipping wrote:
>>> Also, fixes without a CVE will not be backported downstream.
>> That depends on the downstream.
>
> I'm happy to learn which downstreams backport security issues without a CVE, in practice. Do you have an example or two?
>
> Thanks and best
>
> Sebastian

--
Petr Menšík
Senior Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
