Question about recent CVEs

What is the likelihood of these happening? 2025-50976, 2025-50975, 2025-50974

Are they going to be addressed?

https://www.cve.org/CVERecord?id=CVE-2025-50976

https://www.cve.org/CVERecord?id=CVE-2025-50975

1 Like

Fixes are already in our next repo.

Of course to execute the vulnerabilities your attacker has to have authenticated local access to the system.

The risk is that some other unknown vulnerability gives an attacker an entry to a system and then it is good to not have any of the known vulnerabilities available for them to leverage.

2 Likes

Looking at these closer, these CVEs have been raised by someone who has not communicated with IPFire at all and just published the CVEs.

We have created fixes because another researcher communicated to us and provided a report with details of the vulnerabilities found and more technical details.
Based on this we created the fixes.
This researcher has reserved CVE numbers earlier than the ones you have highlighted.

So the person related to your CVEs has found some vulnerabilities and made no attempt to report them, either by email to the security@ipfire.org address or in the IPFire bugzilla as security bugs.

I find this type of approach really very unsocial.

Luckily this other researcher did take the time to report the vulnerabilities to us and we have already worked on them, and the fixes were merged on 25th September, two days after we were informed about them.

6 Likes

Thanks to the maintainers!

1 Like

Hello,

@dan786 thank you for letting us know.

I didn’t know this needed saying, but of course we strongly encourage everyone to report any kind of bug - whether it is security critical or not - to us. Over the past years we had so many contribute to IPFire and IPFire wouldn’t be what it is today without the help of each of these individuals.

Filing for a CVE (which is something that I would consider is a first step on the route to responsible disclosure) and then not reporting it to the actual project is indeed not a very good thing to do.

The next step would have been to consult our security policy and simply send us an email:

I believe that this individual has used some AI to find “security issues” and keeps publishing them as their own. Some other maintainers have complained about a huge amount of AI-generated reports which basically lead to nowhere. Daniel Stenberg calls it “AI slop”:

In the past, having a CVE filed against something used to be a big deal. These days, it could mean nothing.

The reports here don’t seem to have a very high severity for us, but we have already developed fixes which will be released with the next update.

2 Likes

This is why I asked a question regarding these things, since I wanted to know your POV regarding them. I agree with you on AI. I notice a spike in what look like scanners, possibly AI or a bot of some sort.