Date: Tue, 12 Dec 2023 10:14:02 +0100
From: Felix Palmen <zirias@freebsd.org>
To: Philip Paeps <philip@freebsd.org>, ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org
Subject: Re: git: 4826396e5d15 - main - security/vuxml: correct last SA's affected range
Message-ID: <5ykuv4fnes6axn2l7mkuxksknt2b5oqkkuixuunndvgr5zg6yr@h7bxl6ntwkg2>
In-Reply-To: <4aoxukh3ddhkq3qmo4qi7vpeqo3wpxc6nivrlve67hr7oszr2m@3wydgx5pc7be>
References: <202312070452.3B74qCJr077470@gitrepo.freebsd.org> <4aoxukh3ddhkq3qmo4qi7vpeqo3wpxc6nivrlve67hr7oszr2m@3wydgx5pc7be>

* Felix Palmen <zirias@freebsd.org> [20231207 18:48]:
> * Philip Paeps <philip@FreeBSD.org> [20231207 04:52]:
> > FreeBSD-SA-23:17.pf only affects the kernel, not userland.  The first
> > patch level of the kernel without the vulnerability is 13.2_4, not
> > 13.2_7.
>
> Please revert this commit. The first sentence of the message is correct,
> the second one is wrong. The fixed kernel has version 13.2-RELEASE-p7.

The more time passes the less important this will be, but I'm still
convinced it is wrong and might be dangerous to someone only relying on
periodic security reports.

I double-checked multiple times, and I see no way how a kernel could
ever be built with a different version than the one listed in
sys/conf/newvers.sh. If there *is* a way, please explain how this could
ever work (and how to ever avoid massive confusion, even for people just
building their custom kernel).

So given that, the version was bumped to -p4 in
https://cgit.freebsd.org/src/commit/?id=d20ece445acfc5d29ca096b38e30e4c0cb0b0d95
on 2023-10-03.

After that, there were no changes to the kernel on releng/13.2 (so its
version stayed at -p4 when using freebsd-update), *until* commit
https://cgit.freebsd.org/src/commit/?id=45e256e24c976a55dc856907a57564cbc30cfb60
on 2023-12-05, fixing this very issue.

I rest my case, there's no way a kernel with version 13.2-RELEASE-p4
could ever include that fix. Therefore, please correct this, so people
looking at periodic are properly warned.

Thanks, Felix

--
 Felix Palmen <zirias@FreeBSD.org>     {private}   felix@palmen-it.de
 -- ports committer --                 {web}  http://palmen-it.de
 {pgp public key}  http://palmen-it.de/pub.txt
 {pgp fingerprint} 6936 13D5 5BBF 4837 B212  3ACC 54AD E006 9879 F231