Message-ID: <2025012512-likely-strainer-4e6d@gregkh>
Date: Sat, 25 Jan 2025 08:00:04 +0100
From: Greg KH <greg@...ah.com>
To: oss-security@...ts.openwall.com
Subject: Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089

On Fri, Jan 24, 2025 at 10:55:39AM -0800, Alan Coopersmith wrote:
> Their reasons for this are detailed on the blog post at:
> https://nodejs.org/en/blog/vulnerability/upcoming-cve-for-eol-versions
> including getting CVE scanners to report EOL versions as vulnerable even
> if no existing CVE specifically says that they are.
> 
> While I can understand their reasoning, I can just imagine the noise if
> every project started issuing CVE's for every version that reaches EOL.

I think that's a great idea for projects to start doing (especially ones
that are a CNA, which I recommend all open source projects become).

And as for "noise", I think that will just be a "drop in the bucket" of
the overall CVE assignment numbers these days as just how many different
software versions are going EOL each month?

thanks,

greg k-h
