Hi,

On Sun, Aug 03, 2025 at 07:59:32PM +0200, Andrea Pappacoda wrote:
> On Sun Aug 3, 2025 at 7:11 PM CEST, Andrea Pappacoda wrote:
> > After taking a closer look at these CVEs, I found out that
> > CVE-2025-53628's description is completely wrong. In fact, it describes
> > CVE-2025-46728 (I believe they got mixed up since they both end with
> > 28). This theory of mine is also reinforced by the fact that the GitHub
> > advisory of CVE-2025-53629 mentions CVE-2025-46728, and not 53628.
> >
> > Opening the GitHub advisory you can find the correct description, which
> > is about HTTP header smuggling (and not memory exhaustion).
> >
> > Apart from being annoying, this also makes it harder for me to figure
> > out which commit actually fixed the vulnerability of GHSA-j6p8-779x-p5pw
> > (i.e., the real CVE-2025-53628), as upstream's commit messages are...
> > let's say... unhelpful.
> >
> > What should I do? How can the CVE text be rectified? (CVE-2025-53629
> > should be modified as well, to mention CVE-2025-46728.)
>
> Did some more digging, and it turns out that even the commit mentioned in
> CVE-2025-53629 is wrong, as it in fact fixes 53628.
>
> - The commit fixing CVE-2025-53628 is 17ba303889b8d4d719be3879a70639ab653efb99
> - The commit fixing CVE-2025-53629 is 082acacd4581d10e05fccbe9cb336aa7822c4ea2
>
> I'm also sending this to [email protected] as this to me seems relevant
> information to fix the CVEs, not the package itself.
You seem to be right: while the GHSA references were correctly mapped, I think we had the wrong commits. I have updated the tracker in
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29c3c8b9f97361016802d46761ead5d3410ce797

Regards,
Salvatore

