Re: Numerous unconfirmed FOSS CVEs disclosed on FD mailing list

[Christian Brabandt <cb () 256bit org>]

On Sa, 27 Jan 2024, Matthew Fernandez wrote:

> On 1/27/24 08:53, Alan Coopersmith wrote:
> > While I can't speak for all the projects involved, I can speak for the
> > X.Org maintainers & security team, and I can say that we were not
> > consulted or informed about this CVE filing - if I wasn't on the FD
> > mailing list, I wouldn't even know it had happened.  The CNA responsible
> > has not yet published the CVE to the CVE database yet, so we can't yet
> > file a dispute, but once they do, I plan to request that they withdraw
> > CVE-2023-45916 for xedit, as there is no security boundary crossed here
> > and the bug doesn't allow someone to do anything they otherwise couldn't.
>
> We (the Graphviz maintainers) were also not consulted/informed. Though we do
> not plan to contest the CVE.

Same here for Vim. I wasn't aware of this and don't think it's a 
security issue per se of Vim.

Thanks,
Christian
-- 
Tatsächlich weicht in Wahrheit die Realität häufig von der Wirklichkeit ab.