oss-sec mailing list archives
From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 27 Oct 2025 16:12:52 -0400
On Mon, Oct 27, 2025 at 1:30 PM Jeremy Stanley <fungi () yuggoth org> wrote:
> On 2025-10-27 09:34:03 -0700 (-0700), Alan Coopersmith wrote:
> [...]
> > The vendor was contacted early about this disclosure but did not respond in any way.
> [...]
>
> With the flood of dubious reports being submitted by anyone who can thumb some words into an LLM prompt and not bother to check the results for hallucinated nonsense, I've taken to ignoring or summarily closing such submissions to projects I work on as not worth my time to respond.
>
> This is probably yet another sign that the CVE system needs an overhaul or it's going to get ignored when it becomes as overwhelmed with "AI noise" as everything else (not saying these reports were necessarily machine-generated, but it's reaching the point where open source projects with limited resources have no choice but to silently bin such nonsense to /dev/null).

cURL is fed up with the LLM nonsense, too. cURL requires the source of a vulnerability report be stated because the project was being overrun with false positives and low-quality bug reports from AI-generated slop. See "AI guidelines" (May 2025), <https://curl.se/mail/lib-2025-05/0013.html> and <https://github.com/curl/curl/pull/17325>.

And the IETF is also concerned about submissions curated from LLMs. See "BCP 78 policy / copyright / Generative AI / LLM .. is there a FAQ?" (August 2025), <https://mailarchive.ietf.org/arch/msg/ietf/ZAwDLUWAQ-iU2u6vVpw5IeW7g-E/>.

Jeff

Current thread:
- Questionable CVE's reported against dnsmasq Alan Coopersmith (Oct 27)
- Re: Questionable CVE's reported against dnsmasq Jeremy Stanley (Oct 27)
- Re: Questionable CVE's reported against dnsmasq Andrew Latham (Oct 27)
- Re: Questionable CVE's reported against dnsmasq Sebastian Pipping (Oct 27)
- Re: Questionable CVE's reported against dnsmasq Stuart Henderson (Oct 27)
- Re: Questionable CVE's reported against dnsmasq Sebastian Pipping (Oct 27)
- Re: Questionable CVE's reported against dnsmasq Matthew Fernandez (Oct 27)
- Re: Questionable CVE's reported against dnsmasq Eli Schwartz (Oct 27)
- Re: Questionable CVE's reported against dnsmasq Andrew Latham (Oct 27)
- Re: Questionable CVE's reported against dnsmasq Jeremy Stanley (Oct 27)
- Re: Questionable CVE's reported against dnsmasq Collin Funk (Oct 27)
- Re: Questionable CVE's reported against dnsmasq Michael Orlitzky (Oct 27)
- Re: Questionable CVE's reported against dnsmasq Hank Leininger (Oct 27)
- Re: Questionable CVE's reported against dnsmasq Solar Designer (Oct 27)
- Re: Questionable CVE's reported against dnsmasq Demi Marie Obenour (Oct 27)
- Re: Questionable CVE's reported against dnsmasq nightmare . yeah27 (Oct 27)