Date:      Thu, 17 Sep 2020 18:44:43 -0400
From:      "Dan Langille" <dan@langille.org>
To:        freebsd-stable@freebsd.org
Subject:   Re: after latest patches i386 not fully patched
Message-ID:  <58cdc26b-4f65-42e2-b13c-575add570cec@www.fastmail.com>
In-Reply-To: <C3E0C595-9974-4F62-82F1-D1B878EA1850@langille.org>
References:  <C3E0C595-9974-4F62-82F1-D1B878EA1850@langille.org>

On Thu, Sep 17, 2020, at 6:28 PM, Dan Langille wrote:
> Hello,
> 
> After running 'freebsd-update fetch install' on an i386 server, I have 
> this situation:
> 
> [dan@gelt:~] $ freebsd-version -u
> 12.1-RELEASE-p10
> [dan@gelt:~] $ freebsd-version -k
> 12.1-RELEASE-p9
> [dan@gelt:~] $ 
> 
> Why did this not get a new kernel?
> 
> I ask because:
> 
> [dan@gelt:~] $ sudo /usr/local/etc/periodic/security/405.pkg-base-audit
> 
> Checking for security vulnerabilities in base (userland & kernel):
> Host system:
> Database fetched: Wed Sep 16 07:06:52 UTC 2020
> FreeBSD-kernel-12.1_9 is vulnerable:
> FreeBSD -- bhyve SVM guest escape
> CVE: CVE-2020-7467
> WWW: https://vuxml.FreeBSD.org/freebsd/e73c688b-f7e6-11ea-88f8-901b0ef719ab.html
> 
> FreeBSD-kernel-12.1_9 is vulnerable:
> FreeBSD -- bhyve privilege escalation via VMCS access
> CVE: CVE-2020-24718
> WWW: https://vuxml.FreeBSD.org/freebsd/2c5b9cd7-f7e6-11ea-88f8-901b0ef719ab.html
> 
> FreeBSD-kernel-12.1_9 is vulnerable:
> FreeBSD -- ure device driver susceptible to packet-in-packet attack
> CVE: CVE-2020-7464
> WWW: https://vuxml.FreeBSD.org/freebsd/bb53af7b-f7e4-11ea-88f8-901b0ef719ab.html
> 
> 3 problem(s) in 1 installed package(s) found.
> 0 problem(s) in 0 installed package(s) found.
> 
> Oh, let's try again:
> 
> [dan@slocum:~] $ sudo freebsd-update fetch install
> Looking up update.FreeBSD.org mirrors... 3 mirrors found.
> Fetching metadata signature for 12.1-RELEASE from update4.freebsd.org... done.
> Fetching metadata index... done.
> Inspecting system... done.
> Preparing to download files... done.
> 
> No updates needed to update system to 12.1-RELEASE-p10.
> No updates are available to install.
> [dan@slocum:~] $ 
> 
> I've done everything I can.
> 
> How do I properly patch this i386 server?
> 
> For those wondering what I just ran:
> 
> [dan@gelt:~] $ pkg which /usr/local/etc/periodic/security/405.pkg-base-audit
> /usr/local/etc/periodic/security/405.pkg-base-audit was installed by package base-audit-0.4
> [dan@gelt:~] $ 
> 
> on an amd64 host I have:
> 
> [dan@slocum:~] $ freebsd-version -u
> 12.1-RELEASE-p10
> [dan@slocum:~] $ freebsd-version -k
> 12.1-RELEASE-p10

I understand why this occurs. I have reported it before:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245878

Status:	Closed Works As Intended

What steps can we take to improve this?

vuxml will continue to report all i386 hosts as vuln until the 
next kernel version bump.  Users have no choice but to ignore the
reports.  Invalid false positives lead to alert fatigue.

Is there a way to avoid this situation, where properly patched hosts
are incorrectly labelled as vulnerable?

-- 
  Dan Langille
  dan@langille.org
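A small triage helper for the userland/kernel patch-level mismatch described in this thread, added here as an example and not part of freebsd-update, base-audit or Dan's message. It assumes version strings in the "12.1-RELEASE-pN" form printed by freebsd-version -u / -k / -r, and that the caller has already determined whether freebsd-update has pending updates (e.g. from the "No updates needed" line above); the function and verdict names are this example's own.

```shell
#!/bin/sh
# Triage for the case in the thread: userland p10, installed kernel p9,
# freebsd-update reports nothing pending, yet the audit script flags the
# kernel package. The verdict strings below are invented for this example.

# patchlevel VERSION -> numeric patch level; "12.1-RELEASE" yields 0.
patchlevel() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# triage USERLAND INSTALLED_KERNEL RUNNING_KERNEL PENDING(yes|no)
# Prints one verdict line saying what the combination means.
triage() {
    u=$(patchlevel "$1"); k=$(patchlevel "$2"); r=$(patchlevel "$3"); pending=$4
    if [ "$pending" = yes ]; then
        echo "unpatched: freebsd-update has updates to install"
    elif [ "$u" -eq "$k" ] && [ "$k" -eq "$r" ]; then
        echo "consistent: userland and kernel at p$u"
    elif [ "$u" -eq "$k" ] && [ "$r" -lt "$k" ]; then
        # A newer kernel is installed but the old one is still running.
        echo "reboot-needed: kernel p$k installed, p$r running"
    elif [ "$k" -lt "$u" ]; then
        # Nothing pending, yet the installed kernel lags userland: the patch
        # set shipped no new kernel for this architecture, so the kernel
        # package keeps its old version string and a version-based vuxml
        # match stays until the next kernel bump (the i386 case above).
        # Confirm each hit against the advisory's affected architectures
        # rather than silencing the audit outright.
        echo "kernel-not-bumped: userland p$u, kernel p$k, no updates pending"
    else
        echo "unexpected: userland p$u, kernel p$k, running p$r"
    fi
}

# Constructed sample inputs mirroring the two hosts in the thread.
main() {
    echo "gelt   (i386):  $(triage 12.1-RELEASE-p10 12.1-RELEASE-p9  12.1-RELEASE-p9  no)"
    echo "slocum (amd64): $(triage 12.1-RELEASE-p10 12.1-RELEASE-p10 12.1-RELEASE-p10 no)"
}
main
```

On a live host the same call is triage "$(freebsd-version -u)" "$(freebsd-version -k)" "$(freebsd-version -r)" yes|no, with the last argument derived from the output of freebsd-update fetch.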