Update notes for CVE-2021-45959/fmtlib

Pending REJECT from MITRE to clean up the CVE entry.

1 files changed, 4 insertions, 2 deletions

diff --git a/data/CVE/2021.list b/data/CVE/2021.list
index 70313beb77..6aa41c2a2a 100644
--- a/data/CVE/2021.list
+++ b/data/CVE/2021.list
@@ -54,10 +54,12 @@ CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or mor
 	NOTE: https://github.com/libexpat/libexpat/issues/531
 	NOTE: https://github.com/libexpat/libexpat/pull/534
 CVE-2021-45959 ({fmt} 7.1.0 through 8.0.1 has a stack-based buffer overflow in fmt::v8 ...)
-	- fmtlib <unfixed>
+	- fmtlib <unfixed> (unimportant)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36110
+	NOTE: https://github.com/fmtlib/fmt/issues/2685
 	NOTE: Fixed by: https://github.com/fmtlib/fmt/commit/2038bf61831eb8faede0883965364a974d1350fe
-	TODO: check correctness, introducing commit in oss-fuzz report is related when fuzzing started
+	NOTE: The CVE is basically invalid, as the report was one of a series of false positives
+	NOTE: and the "upstream fix" is effectively a noop.
 CVE-2021-45958 (UltraJSON (aka ujson) 4.0.2 through 5.0.0 has a stack-based buffer ove ...)
 	- ujson <unfixed>
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009