Re: squirrelmail CVE-2020-14933

On Fri, October 15, 2021 10:36, James B. Byrne via squirrelmail-users wrote:
> On Thu, October 14, 2021 18:09, Paul Lesniewski wrote:
>> On Thu, October 14, 2021 7:28 pm, James B. Byrne via squirrelmail-users
>> wrote:
>>> See: https://nvd.nist.gov/vuln/detail/CVE-2020-14933#match-5399106
>>>
>>> Has this been patched?
>>
>> There is no vulnerability here.  Per OWASP:
>>
>> https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
>>
. . .
>>
>> SquirrelMail doesn't qualify for that scenario.  Whoever accepted/assigned
>> this CVE seems to have only taken the word of the reporter, who has no
>> proof that I know of that there is any security issue.  If anyone knows
>> differently, please get in touch.
>>
>> I'll put something on our /security page to reflect the situation.
>>
>> Cheers,
>
. . .
>
> I need something done to address this CVE, either by having it removed from
> NIST as invalid or through some sort of patch, meaningless or not, that
> convinces NIST that the issue is resolved.  That probably requires a new CPE,
> and that will no doubt require the FreeBSD port maintainer to issue a version
> upgrade.  Otherwise I am going to be forced into an unwanted, and evidently
> unnecessary, migration.  For which I have neither the time nor resources to
> effect.
>
> Regards,
>
>

From the NIST website (https://nvd.nist.gov/vuln/vendor-comments):

"Software development organizations can submit official comments by contacting
NVD staff ( nvd@xxxxxxxx). The capability exists both for organizations to
manually submit comments and for organizations to log into NVD to issue and
modify comments themselves. We recommend the log in capability for
organizations that are affected by more than a few CVE vulnerabilities."

A developer comment sent to NIST to the effect that SM is not vulnerable would
probably satisfy the auditors (I hope).  If you would be so kind.

Regards,

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3



-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users