oss-sec mailing list archives

Re: Questionable CVE's reported against dnsmasq

From: "Olle E. Johansson" <oej () edvina net>
Date: Wed, 5 Nov 2025 11:16:14 +0100

On 4 Nov 2025, at 18:59, Art Manion <zmanion () protonmail com> wrote:

On 2025-11-04 04:03, Olle E. Johansson wrote:

On 3 Nov 2025, at 19:07, Art Manion <zmanion () protonmail com> wrote:

CVEs against dnsmasq (CVE-2025-12198, CVE-2025-12199, CVE-2025-12200)
and Kamailio (CVE-2025-12204, CVE-2025-12205, CVE-2025-12206, and
CVE-2025-12207) mentioned in this thread are not yet disputed and have
no comments of this sort in their descriptions.


I asked VulDB to mark the dnsmasq CVE IDs as disputed.


The VulDB CNA decided to reject the dnsmasq CVE IDs.

As part of the Kamailio project I can say that we did just become aware
of these CVEs in your email. They do not make sense. Trying to get to
the report, the config files used to provoke the issue can’t be downloaded.

We’ve gone back and this was our core developer’s reaction to the mail we got earlier to our security address:

"This is clearly spam, imo: vague/generic reporting, no explicit naming
of Kamailio ... the email was not sent from the vuldb.com server
but from mc20a2201.dnh.net ([185.46.57.114]) -- I would suggest to not
clink on the links, they might lead to malware, etc...


I understand both sides of this problem.  Would it have helped if the VulDB
notification included details such as these (from CVE-2025-12207)?

 https://shimo.im/docs/vVqRMVMlrycMO63y/read

For us that site is not trustworthy. It could be language/cultural issues. One example is that the actual configuration 
files for some reason can’t be downloaded and the error message is
in a language I have no understanding of.

Trust is hard. We have to think about this. We get all kinds of strange emails to our
security reporting email address so we’re very cautious unfortunately. 

How can we create some kind of trust system so that any open source developer - from one person projects to large 
projects with massive funding - know that a report is worth reacting to?

/O

- Art

Current thread:

Re: Questionable CVE's reported against dnsmasq, (continued)
- - - Re: Questionable CVE's reported against dnsmasq Peter Gutmann (Nov 12)
    - Re: Questionable CVE's reported against dnsmasq Alexander Patrakov (Nov 13)
    - Re: Questionable CVE's reported against dnsmasq Jacob Bachmeyer (Nov 13)
    - Re: Questionable CVE's reported against dnsmasq Peter Gutmann (Nov 13)
    - Re: Questionable CVE's reported against dnsmasq Jeffrey Walton (Nov 14)
    - Re: Questionable CVE's reported against dnsmasq Peter Gutmann (Nov 14)
    - Re: Questionable CVE's reported against dnsmasq Olle E. Johansson (Nov 02)
    - Re: Questionable CVE's reported against dnsmasq Art Manion (Nov 03)
    - Re: Questionable CVE's reported against dnsmasq Olle E. Johansson (Nov 04)
    - Re: Questionable CVE's reported against dnsmasq Art Manion (Nov 04)
    - Re: Questionable CVE's reported against dnsmasq Olle E. Johansson (Nov 05)
    - Re: Questionable CVE's reported against dnsmasq Pedro Sampaio (Nov 05)
    - Re: Questionable CVE's reported against dnsmasq Olle E. Johansson (Nov 06)
    - Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour (Oct 28)
    - Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour (Oct 27)
    - Re: Questionable CVE's reported against dnsmasq nightmare . yeah27 (Oct 27)
    - Re: Questionable CVE's reported against dnsmasq Simon McVittie (Oct 28)
- Re: Questionable CVE's reported against dnsmasq Alan Coopersmith (Oct 29)
- Re: Questionable CVE's reported against dnsmasq Christian Fischer (Dec 03)