Date: Tue, 12 Dec 2023 10:45:14 +0100
From: Felix Palmen <felix@palmen-it.de>
To: Philip Paeps
Cc: ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org
Subject: Re: git: 4826396e5d15 - main - security/vuxml: correct last SA's affected range
List-Id: Commits to the main branch of the FreeBSD ports repository

* Philip Paeps [20231212 17:34]:
> The issue described by FreeBSD-SA-23:17.pf only affects the pf kernel
> module, not the rest of the kernel. Consequently, freebsd-update only
> rebuilt pf.ko. kernel was not rebuilt.

Thanks! That was the missing piece of information (for me) all the time!

> - FreeBSD with the version reported by freebsd-version:
> this incorrectly presents the vulnerability as affecting userland.

Wouldn't this be the "least wrong" approach for now then? Because:

> - FreeBSD-kernel with the version reported by freebsd-version:
> this is how I originally documented the vulnerability.
> Since the kernel was not rebuilt (only pf.ko), systems comparing the output
> of uname -k to the versions in the vuxml document cannot see that the system
> was upgraded.

Yes, this is clearly wrong then. Sorry, I wasn't aware the kernel wasn't
rebuilt when modules are affected by a fix ...

> - FreeBSD-kernel with the version reported by uname -k:
> this is how it is currently documented. Users who have not upgraded
> anything will not realise they are affected, because uname -k has been at
> -p4 since October. (As you correctly point out.)

And yes, this is pointless, and I still think somehow dangerous when people
expect to be warned by periodic.

> The security-officer team is trying to come up with a way to forcibly
> rebuild the kernel for this category of vulnerabilities. This is not a
> great solution either though. It requires users to reboot the system
> whereas (in theory, in many/most cases), unloading and reloading the kernel
> module would address the vulnerability.

This sounds like a "better than before" kind of approach as well, thanks.

> The good news is that pkgbase will solve this problem to some extent.
> Kernel modules are distributed in the FreeBSD-kernel package. While "pkg
> audit" won't be able to determine if the correct module is loaded, at least
> it will be able to see that the correct package has been installed.

Sounds nice as well. Then I'll shut up for now. Still "wrong" unfortunately,
but good to know there's at least progress :)

Cheers, Felix

-- 
 Felix Palmen {private} felix@palmen-it.de
 -- ports committer -- {web} http://palmen-it.de
 {pgp public key} http://palmen-it.de/pub.txt
 {pgp fingerprint} 6936 13D5 5BBF 4837 B212 3ACC 54AD E006 9879 F231
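The three documentation options weighed in the thread, modelled as an added example (not code from the thread, from vuxml or from pkg(8)); it assumes, as the thread states, that a FreeBSD-kernel entry is compared against uname -k and a FreeBSD entry against the userland version, and the patch levels used are constructed stand-ins, not the real ones of FreeBSD-SA-23:17.pf.

```python
"""Model of how a vuxml range is matched against what a FreeBSD system reports.

Added example, not the thread's or pkg(8)'s code. The versions below are
constructed stand-ins, not the real patch levels of FreeBSD-SA-23:17.pf.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple[int, int, int]:
    """'13.2_7' (vuxml style) or '13.2-RELEASE-p7' (uname style) -> (13, 2, 7)."""
    if "-" in v:  # uname -k / freebsd-version form
        rel, _, patch = v.partition("-RELEASE")
        plevel = int(patch.lstrip("-p") or 0)
    else:  # vuxml form, e.g. 13.2_7; a bare 13.2 is patch level 0
        rel, _, patch = v.partition("_")
        plevel = int(patch or 0)
    major, minor = (int(x) for x in rel.split("."))
    return (major, minor, plevel)


@dataclass(frozen=True)
class System:
    kernel: str    # what uname -k reports (the running kernel's patch level)
    userland: str  # what freebsd-version -u reports


@dataclass(frozen=True)
class Entry:
    package: str   # "FreeBSD" or "FreeBSD-kernel"
    fixed_in: str  # the vuxml <lt> bound, e.g. "13.2_7"


def audit(entry: Entry, system: System) -> bool:
    """True if the audit would flag the system as affected (assumed mapping above)."""
    reported = system.kernel if entry.package == "FreeBSD-kernel" else system.userland
    return parse_version(reported) < parse_version(entry.fixed_in)


# Constructed scenarios: the kernel stays at -p4 because only pf.ko was rebuilt.
UNPATCHED = System(kernel="13.2-RELEASE-p4", userland="13.2-RELEASE-p6")
PATCHED = System(kernel="13.2-RELEASE-p4", userland="13.2-RELEASE-p7")

OPTIONS = {
    "FreeBSD / freebsd-version": Entry("FreeBSD", "13.2_7"),
    "FreeBSD-kernel / freebsd-version": Entry("FreeBSD-kernel", "13.2_7"),
    "FreeBSD-kernel / uname -k": Entry("FreeBSD-kernel", "13.2_4"),
}


def evaluate(entry: Entry) -> dict[str, bool]:
    """Flagging outcome per scenario; the ideal is unpatched=True, patched=False."""
    return {"unpatched": audit(entry, UNPATCHED), "patched": audit(entry, PATCHED)}


if __name__ == "__main__":
    for name, entry in OPTIONS.items():
        print(f"{name:35s} {evaluate(entry)}")
```

Only the first option yields the ideal outcome under these assumptions; the second flags already-patched systems, and the third flags nobody, which is the "pointless" case the thread describes.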