oss-sec mailing list archives

Re: CVE request experience


From: Fabian Keil <freebsd-listen () fabiankeil de>
Date: Sun, 31 May 2026 21:13:11 +0200

Fabian Keil <freebsd-listen () fabiankeil de> wrote on 2026-05-18 at 10:02:48:

Fabian Keil <freebsd-listen () fabiankeil de> wrote on 2021-01-31 at 13:13:29:

Nick Tait <ntait () redhat com> wrote on 2020-12-23:

That is a rather poor experience Fabian, sorry! Took a look at that
incident number and no encrypted message appears on our end. I believe
you did actually send a message but not sure what went wrong. While I
can't directly help, did request the appropriate people follow up with
you.

Thanks a lot for your help, Nick.

I was contacted by someone from Red Hat Product Security
on 2020-12-24 and received a CVE.

I replied and requested CVEs for the other issues fixed in
Privoxy 3.0.29 but did not receive a reply yet. I just
forwarded the request to <secalert () redhat com>.

Privoxy 4.2.0, which is supposed to be released around 2026-05-30,
will contain fixes for two security issues that are currently
tracked as OVE-20260515-0001 and OVE-20260515-0002.

The patches have been pushed to git today ([1], [2]).

The official Privoxy 4.2.0 release will probably happen tomorrow.

Quoting relevant parts of the preliminary announcement at [3] which
I'll have to modify before the release as the reporter responded today:

| Privoxy 4.2.0 fixes a couple of bugs including two reported security
| issues and brings a couple of general improvements including support
| for elliptic-curve keys.
|
| Unfortunately the reporter of the alleged security issues did not
| answer questions about the report that was based on an unofficial git
| mirror which was apparently two years behind. CVEs have been requested
| but haven't been assigned in time for the release.
|
| - Security fixes:
|   - Parse the chunk-size with a dedicated function and reject "unreasonably"
|     large values to prevent silent truncation by sscanf(), integer overflows
|     and misinterpretation of the content later on. Heap buffer overflows on
|     platforms with 32-bit pointers were alleged as well.
|     Commit 5b3bb22b77. OVE-20260515-0002. Reported by @TristanInSec.
|   - ssl_send_certificate_error(): Store the generated message on the heap
|     instead of the stack to prevent an alleged segmentation fault if there
|     are enough certificates in the chain to exceed the stack size.
|     While at it, replace another variable-length array that was probably
|     unproblematic with a heap-based buffer as well.
|     Commit 4963aa4f08. OVE-20260515-0001. Reported by @TristanInSec.

While it wouldn't have helped here, I've also added two paragraphs
to the "Reporting security problems" section [4] in the Privoxy
documentation that request that use of "AI" is disclosed by reporters
and that reporters should be prepared to respond to questions about
their reports ...

I tried to get two CVEs from Redhat yesterday by sending an encrypted
mail to the address above, which is still listed at [0], but so far only
received what looks like an automated response which claims that I
need an "Atlassian" account to "finish" the request.

For various reasons I don't want an "Atlassian" or any other account ...

I've sent a follow-up message to request a non-automated response
on 2026-05-26 and received another obviously-automated response a
bit later from "Atlassian <noreply+[...]@id.atlassian.com>".

This seems to contradict [0] which claims:
| Only members of Red Hat Product Security, a restricted and carefully
| chosen group of Red Hat employees, will have access to material sent
| to the secalert () redhat com address. No outside users can subscribe to
| this list.

Fabian

[0]: <https://access.redhat.com/security/team/contact/>
[1]: <https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=4963aa4f08a378d0ea8a89433a95c3948a14bb9e>
[2]: <https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=5b3bb22b771c93adddf1726ec904c9378d584a66>
[3]: 
<https://www.privoxy.org/gitweb/?p=privoxy.git;a=blob_plain;f=doc/webserver/announce.txt;hb=c93c69df8ff0b22e6d0a1bc02d7ce170e850cf02>
[4]: <https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=84a1158f288df545ee45ed9326ccf984a360d4c7>


Current thread: