From owner-freebsd-stable@freebsd.org Thu Sep 17 22:45:05 2020
Message-Id: <58cdc26b-4f65-42e2-b13c-575add570cec@www.fastmail.com>
Date: Thu, 17 Sep 2020 18:44:43 -0400
From: "Dan Langille" <dan@langille.org>
To: freebsd-stable@freebsd.org
Subject: Re: after latest patches i386 not fully patched
List-Id: Production branch of FreeBSD source code
On Thu, Sep 17, 2020, at 6:28 PM, Dan Langille wrote:
> Hello,
>
> After running 'freebsd-update fetch install' on an i386 server, I have
> this situation:
>
> [dan@gelt:~] $ freebsd-version -u
> 12.1-RELEASE-p10
> [dan@gelt:~] $ freebsd-version -k
> 12.1-RELEASE-p9
> [dan@gelt:~] $
>
> Why did this not get a new kernel?
>
> I ask because:
>
> [dan@gelt:~] $ sudo /usr/local/etc/periodic/security/405.pkg-base-audit
>
> Checking for security vulnerabilities in base (userland & kernel):
> Host system:
> Database fetched: Wed Sep 16 07:06:52 UTC 2020
> FreeBSD-kernel-12.1_9 is vulnerable:
> FreeBSD -- bhyve SVM guest escape
> CVE: CVE-2020-7467
> WWW: https://vuxml.FreeBSD.org/freebsd/e73c688b-f7e6-11ea-88f8-901b0ef719ab.html
>
> FreeBSD-kernel-12.1_9 is vulnerable:
> FreeBSD -- bhyve privilege escalation via VMCS access
> CVE: CVE-2020-24718
> WWW: https://vuxml.FreeBSD.org/freebsd/2c5b9cd7-f7e6-11ea-88f8-901b0ef719ab.html
>
> FreeBSD-kernel-12.1_9 is vulnerable:
> FreeBSD -- ure device driver susceptible to packet-in-packet attack
> CVE: CVE-2020-7464
> WWW: https://vuxml.FreeBSD.org/freebsd/bb53af7b-f7e4-11ea-88f8-901b0ef719ab.html
>
> 3 problem(s) in 1 installed package(s) found.
> 0 problem(s) in 0 installed package(s) found.
>
> Oh, let's try again:
>
> [dan@slocum:~] $ sudo freebsd-update fetch install
> Looking up update.FreeBSD.org mirrors... 3 mirrors found.
> Fetching metadata signature for 12.1-RELEASE from update4.freebsd.org... done.
> Fetching metadata index... done.
> Inspecting system... done.
> Preparing to download files... done.
>
> No updates needed to update system to 12.1-RELEASE-p10.
> No updates are available to install.
> [dan@slocum:~] $
>
> I've done everything I can.
>
> How do I properly patch this i386 server?
>
> For those wondering what I just ran:
>
> [dan@gelt:~] $ pkg which /usr/local/etc/periodic/security/405.pkg-base-audit
> /usr/local/etc/periodic/security/405.pkg-base-audit was installed by
> package base-audit-0.4
> [dan@gelt:~] $
>
> On an amd64 host I have:
>
> [dan@slocum:~] $ freebsd-version -u
> 12.1-RELEASE-p10
> [dan@slocum:~] $ freebsd-version -k
> 12.1-RELEASE-p10

I understand why this occurs.
I have reported it before: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245878

Status: Closed Works As Intended

What steps can we take to improve this?

vuxml will continue to report all i386 hosts as vuln until the next kernel version bump. Users have no choice but to ignore the reports. Invalid false positives lead to alert fatigue.

Is there a way to avoid this situation where properly patched hosts are not incorrectly labelled as vulnerable?

--
Dan Langille
dan@langille.org
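The thread above compares `freebsd-version -u` against `freebsd-version -k` by eye and then reads the `FreeBSD-kernel-12.1_9` name that 405.pkg-base-audit reports. The following script is an added example, not code from the thread or from the base-audit port: it derives the base-audit package name from a freebsd-version string and flags a kernel whose patch level lags the userland, so an operator can see at a glance which package version the audit is matching on. It assumes the `FreeBSD-kernel-<release>_<patch>` naming shown in the quoted audit output, and works on constructed version strings so it runs offline.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the base-audit port).
# Maps freebsd-version(1) output such as "12.1-RELEASE-p9" to the
# "FreeBSD-kernel-12.1_9" package name that pkg-base-audit reports, and
# flags kernel/userland patch-level skew of the kind shown in the thread.

# patch_level "12.1-RELEASE-p10" -> 10; a string with no -pN suffix -> 0
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# release "12.1-RELEASE-p10" -> 12.1
release() {
    echo "${1%%-*}"
}

# base_audit_name <component> <version>
#   base_audit_name kernel 12.1-RELEASE-p9 -> FreeBSD-kernel-12.1_9
# Assumption: component names follow the "FreeBSD-kernel" form seen in the
# 405.pkg-base-audit output quoted in the thread.
base_audit_name() {
    echo "FreeBSD-$1-$(release "$2")_$(patch_level "$2")"
}

# kernel_lags <userland-version> <kernel-version>
# Succeeds (exit 0) when the kernel patch level is below the userland one.
kernel_lags() {
    [ "$(patch_level "$2")" -lt "$(patch_level "$1")" ]
}

# Constructed sample values: the i386 host from the thread.
userland="12.1-RELEASE-p10"
kernel="12.1-RELEASE-p9"
if kernel_lags "$userland" "$kernel"; then
    echo "kernel $(base_audit_name kernel "$kernel") lags userland patch level" \
         "p$(patch_level "$userland"); base-audit will match on that kernel name"
else
    echo "kernel and userland patch levels agree"
fi
```

A lagging kernel patch level is what the audit keys on; whether it is a real gap or a false positive depends on whether the advisory touched the kernel, which the thread leaves open.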