gpsd-dev

Re: CVE-2023-43628?


From: Jon Schlueter
Subject: Re: CVE-2023-43628?
Date: Tue, 12 Dec 2023 07:54:46 -0500

What would probably be best is to get any issue resolved with a commit referencing that CVE, but also noting that the feature/bug came in with development code since the latest release; then a message can be sent to get the CVE closed with a note: only impacted the development branch, and this project uses release tags.

Maybe they will close it, maybe not, but if there is a commit with details and a description there is less drama around it.

Jon Schlueter


On Mon, Dec 11, 2023 at 2:49 PM Gary E. Miller <gem@rellim.com> wrote:
Yo Miroslav!

On Mon, 11 Dec 2023 12:46:25 +0100
Miroslav Lichvar <mlichvar@redhat.com> wrote:

> There is a report of a security vulnerability in gpsd:
>
> https://talosintelligence.com/vulnerability_reports/TALOS-2023-1860

Sadly, yes.

> The report says 3.25.1~dev.

It originally said 3.25.1, at least I got that fixed.

> I don't see a 3.25.1 release and the 3.25
> code seems very different.

Yes.  This CVE is to recently added code for a new feature (HTTP
chunking of NTRIP v2).  To "exploit" this you need to configure
gpsd to contact a hostile NTRIP server.  And then you get a
crash.  It needed to be fixed before release, and it was nice
of them to report it clearly, but dinging gpsd with a CVE is just
causing FUD.

I expect our usual prerelease process (Codacy, Coverity, etc.) would
have caught this if it had persisted that long.

> Does anyone know why a CVE was assigned for
> this?

I'm sure someone does, but none of us.  I objected, but that
never does any good.

> If this doesn't impact an actual release, could you please
> dispute it with MITRE?

Talos is Cisco, not Mitre.  Cisco has always done what Cisco wants to

This sort of thing is why I am confused by the !CVE project.  They
complain that maintainers are refusing CVEs on real bugs.  I've never seen
anyone be able to stop a CVE.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
        gem@rellim.com  Tel:+1 541 382 8588

            Veritas liberabit vos. -- Quid est veritas?
    "If you can't measure it, you can't improve it." - Lord Kelvin
