Hello,

First, thanks to Alexander for reposting because I was not able to do so!

You're right Clemens, I have myself asked the question on this GitHub (https://github.com/cisagov/vulnrichment/issues/130), but still no information for the moment.

Joel
________________________________________
From: Clemens Lang <[email protected]>
Sent: Tuesday, 12 November 2024 16:12
To: [email protected] <[email protected]>
Subject: Re: [oss-security] CVE-2024-36905: Linux kernel: Divide-by-zero on shutdown of TCP_SYN_RECV sockets

Hi,

> On 12. Nov 2024, at 15:58, Solar Designer <[email protected]> wrote:
>
> So a question for this list/thread may be - where/how may we dispute
> CISA-ADP analysis? Maybe someone would reply with specific contact info
> for them, and Joel would proceed with that.

I think the source for the CISA-ADP data is at [1]. For this specific CVE, the relevant file would be [2]. Their readme has a section at the bottom, where they encourage feedback:

> We want to hear from you, the IT cybersecurity professional community, about
> Vulnrichment and ADP! If you see something, please feel free to say something
> in the Issues, or even better, open a Pull Request with your suggested fix.

I'm aware of at least one prior case where a similar case of (IMHO) overblown CVSS scores was discussed in an issue on this particular GitHub project [3]. Somebody seems to already have opened a ticket for this CVE, too: [4]

[1]: https://github.com/cisagov/vulnrichment
[2]: https://github.com/cisagov/vulnrichment/blob/develop/2024/36xxx/CVE-2024-36905.json
[3]: https://github.com/cisagov/vulnrichment/issues/93
[4]: https://github.com/cisagov/vulnrichment/issues/130

HTH,
Clemens

-- 
Clemens Lang
RHEL Crypto Team
Red Hat
