From nobody Thu Aug 10 15:33:04 2023
From: Dag-Erling Smørgrav
To: freebsd-security@freebsd.org
Subject: Re: Downfall microcode update
In-Reply-To: (void@f-m.fm's message of "Thu, 10 Aug 2023 01:13:00 +0100")
Date: Thu, 10 Aug 2023 17:33:04 +0200
Message-ID: <86v8dmsyj3.fsf@ltc.des.no>
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

void writes:
> What's the proper way then, for intel?
>
> 1. install sysutils/cpupdate and enable it in rc.conf ?
> 2. microcode_update_enable="yes" in rc.conf ?

Sorry, I thought we were talking about devcpu-data, which uses the
service name "microcode_update".

DES
-- 
Dag-Erling Smørgrav - des@FreeBSD.org

From nobody Sun Aug 13 17:43:37 2023
Date: Sun, 13 Aug 2023 19:43:37 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd-security@freebsd.org
Cc: freebsd-security
Subject: Re: vulnerablities in base unreported in VuXML
In-Reply-To: <08443176-fdef-ee00-ed7e-6d90d2b241f7@quip.cz>

Again and again and again...

New security vulnerabilities were published almost 2 weeks ago, but they
were again not added to the VuXML database, so
/usr/local/etc/periodic/security/410.pkg-audit from pkg cannot report
these vulnerabilities in the kernel and userland on any vulnerable system.

Please can the Security Team add all past vulnerabilities into VuXML and
fix the process of publishing future SAs so that they will never be missed
again?

Kind regards
Miroslav Lachman

On 04/05/2023 19:56, Miroslav Lachman wrote:
> As was noted on the FreeBSD forum [1], there is a problem with missing SA
> entries in VuXML (again).
> The last entry is from 2022-08-31 for the zlib heap buffer overflow [2].
> 5 SA entries are missing. Can somebody from the Security Officers take a
> look at it and publish the missing entries?
> And fix the SA release process for all future SAs so we do not miss any
> again? Periodic 405.pkg-base-audit from pkg is useless without an
> up-to-date VuXML.
>
> [1]
> https://forums.freebsd.org/threads/pkg-audit-vuln-xml-no-more-updates-for-base-system-and-kernel.71239/#post-609407
> [2] https://www.vuxml.org/freebsd/pkg-FreeBSD.html
>
> Kind regards
> Miroslav Lachman
>