oss-sec mailing list archives
Re: Questionable CVE's reported against dnsmasq
From: "Olle E. Johansson" <oej () edvina net>
Date: Tue, 4 Nov 2025 12:03:55 +0100
On 3 Nov 2025, at 19:07, Art Manion <zmanion () protonmail com> wrote: On 2025-11-02 03:30, Olle E. Johansson wrote:On 1 Nov 2025, at 04:00, Solar Designer <solar () openwall com> wrote: CVEs against dnsmasq (CVE-2025-12198, CVE-2025-12199, CVE-2025-12200) and Kamailio (CVE-2025-12204, CVE-2025-12205, CVE-2025-12206, and CVE-2025-12207) mentioned in this thread are not yet disputed and have no comments of this sort in their descriptions.I asked VulDB to mark the dnsmasq CVE IDs as disputed.
Ok
As part of the Kamailio project I can say that we did just become aware of these CVEs in your email. They do not make sense. Trying to get to the report, the config files used to provoke the issue can’t be downloaded. If you have access to edit the config files, there are much more simple ways to cause damage than to provoke a problem in the config file parser. We will have an internal discussion but that will likely lead to the project disputing these CVEs.Hello Olle! I was going to do o the same for the Kamailio CVE IDs but defer to the project's decision. If you do decide to dispute, the first request should go to VulDB: https://www.cve.org/PartnerInformation/ListofPartners/partner/VulDB
Ok. We’ve gone back and this was our core developer’s reaction to the mail we got earlier to our security address: "This is clearly spam, imo: vague/generic reporting, no explicit naming of Kamailio ... the email was not sent from the vuldb.com server but from mc20a2201.dnh.net ([185.46.57.114]) -- I would suggest to not clink on the links, they might lead to malware, etc... Remember that this mailing list is open for anyone to send to it, in order to allow anyone to report security issues, but that means spammers can send messages to it are well. There is a spammassassin instance on kamailio.org, but some messages can go though, therefore always be careful with the messages on this list, especially if the author is not known. “ So we ignored it. We may want to look into how someone like vulndb reaches out to projects. And vulndb should propably raise the bar a bit for what they accept as CVEs. /O
(I accidentally asked the MITRE CNA-LR first.) Regards, - Art
Current thread:
- Re: Questionable CVE's reported against dnsmasq, (continued)
- Re: Questionable CVE's reported against dnsmasq Russ Allbery (Nov 03)
- Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour (Nov 03)
- Re: Questionable CVE's reported against dnsmasq Peter Gutmann (Nov 12)
- Re: Questionable CVE's reported against dnsmasq Alexander Patrakov (Nov 13)
- Re: Questionable CVE's reported against dnsmasq Jacob Bachmeyer (Nov 13)
- Re: Questionable CVE's reported against dnsmasq Peter Gutmann (Nov 13)
- Re: Questionable CVE's reported against dnsmasq Jeffrey Walton (Nov 14)
- Re: Questionable CVE's reported against dnsmasq Peter Gutmann (Nov 14)
- Re: Questionable CVE's reported against dnsmasq Olle E. Johansson (Nov 02)
- Re: Questionable CVE's reported against dnsmasq Art Manion (Nov 03)
- Re: Questionable CVE's reported against dnsmasq Olle E. Johansson (Nov 04)
- Re: Questionable CVE's reported against dnsmasq Art Manion (Nov 04)
- Re: Questionable CVE's reported against dnsmasq Olle E. Johansson (Nov 05)
- Re: Questionable CVE's reported against dnsmasq Pedro Sampaio (Nov 05)
- Re: Questionable CVE's reported against dnsmasq Olle E. Johansson (Nov 06)
- Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour (Oct 28)
- Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour (Oct 27)
- Re: Questionable CVE's reported against dnsmasq nightmare . yeah27 (Oct 27)
- Re: Questionable CVE's reported against dnsmasq Simon McVittie (Oct 28)