From nobody Tue Dec 12 09:57:54 2023 X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4SqDZH0XQXz53kF7; Tue, 12 Dec 2023 09:57:59 +0000 (UTC) (envelope-from philip@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4SqDZH01qqz3HtN; Tue, 12 Dec 2023 09:57:59 +0000 (UTC) (envelope-from philip@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1702375079; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=OgPPTu7Fi4V9ukvG3qSBicjaPK4uCb/EsS1APOxqSbs=; b=fug0hZQ6huoOqmHHU5bk4UabvPc3KGPWNOqYgDZSRrRTqb8e7y8ED0ok3Kwr6mplZ52dbt CfBb5DdPfgPzRBgrx145TK1qNDLCR4Sz/k/ErceVDaf+LZq8px30iOlx9IMFl1gItZqSYm S0MPIFjiYp87NZxkTNByQ4GeHz7IblQETTWjkdbeCnJC1ADov+bYzSPG5tOOtkOtygNWSg yR4ikWi9MrPFCuMt8b1+P+5p6FPz4qqct5W5BfZUvKbXNF14eAwWLnGR8RUEbbXWaEg9ud xP9CAfKLfjhr2Ye80tWoxWWYfK6M01mJxI6pl1b48109ZOYZSa8CYRA6WtTpOA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1702375079; a=rsa-sha256; cv=none; b=gywq5iS4uFlvF1JdLxchZalYz0/TBIevZ6tH0ASsKZxoVMNArENh4GIBQp2VlyJj8EVAgm CcahKYas0eauEsRhTemS/mZ5HLzsii5xcUALB0R/NST/Qmc4HyNuQm8iq2m0cIuWtgZHIz B4xSRJRTAsMf2c+vYf3ug3OcpNZp5ZdbaLqeOH1Gj+DP9SbSxQJ8qc0FG57e5wiQdtJjmM Bw/olszmJXkWIZ/Q+ydmvF368SQnIGyjxQtQHL77yEcGWpoM6KPlH9GraSOXrCjk7uhpnW MxSmrfhnp3UMTo1gEEch94u3BGgDwnrxLgC0tmq9gk2iC7dB1ToSqnzA+fYugw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1702375079; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=OgPPTu7Fi4V9ukvG3qSBicjaPK4uCb/EsS1APOxqSbs=; b=iPWqgXArYPf4mFYKyd2Y/I7y9sq0fpcb4HRFiQ10HCXXDkvCl1QV2zLWodwNEFAuJvSG80 01achitZkyCBEHjS+EdWim+DfV/DPsqoUqR6a0ePZMGX4b0FtIVaZHDsV5DDb7illvcTYE KLURGSldQq9+SEjGDODeOu1ojKGsyckcFSZmSgOyYBhdBH7wjoTFL3iCacKwyg7i7WOO9f XkhldUEgVqungTPbtByl83KW8qMktMrYHHrHQCoQh51Uko7Ik4MrCL5gGyItIF8IDgU8uI W6o6+AlOiF5NCYtKCPbKmQo47a+cJdJ928eXm/c1S/AMXgm905a1lScyBXM9LQ== Received: from auth2-smtp.messagingengine.com (auth2-smtp.messagingengine.com [66.111.4.228]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: philip/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id 4SqDZG5wXgzD6B; Tue, 12 Dec 2023 09:57:58 +0000 (UTC) (envelope-from philip@freebsd.org) Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailauth.nyi.internal (Postfix) with ESMTP id AACCB27C0060; Tue, 12 Dec 2023 04:57:58 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute4.internal (MEProxy); Tue, 12 Dec 2023 04:57:58 -0500 X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvkedrudelgedgtdekucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefhvfevufffoffkjghfgggtsehttd hmtdertddtnecuhfhrohhmpefrhhhilhhiphcurfgrvghpshcuoehphhhilhhiphesfhhr vggvsghsugdrohhrgheqnecuggftrfgrthhtvghrnhepgffgfeeigeettdeltdfgvedtff dtgedvheeuieetheetfeeifeevveetvddvkeegnecuvehluhhsthgvrhfuihiivgeptden ucfrrghrrghmpehmrghilhhfrhhomhepphhhihhlihhpodhmvghsmhhtphgruhhthhhpvg hrshhonhgrlhhithihqdduudeiiedviedvgeekqddvfeehudektddtkedqphhhihhlihhp peepfhhrvggvsghsugdrohhrghesthhrohhusghlvgdrihhs X-ME-Proxy: Feedback-ID: ia691475d:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 12 Dec 2023 04:57:57 -0500 (EST) From: Philip Paeps To: Felix Palmen Cc: ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org Subject: Re: git: 4826396e5d15 - main - security/vuxml: correct last SA's affected range Date: Tue, 12 Dec 2023 17:57:54 +0800 X-Mailer: MailMate (1.14r6010) Message-ID: <4DF4EE0F-AAD7-41A7-B940-F8192C62758D@freebsd.org> In-Reply-To: References: <202312070452.3B74qCJr077470@gitrepo.freebsd.org> <4aoxukh3ddhkq3qmo4qi7vpeqo3wpxc6nivrlve67hr7oszr2m@3wydgx5pc7be> <5ykuv4fnes6axn2l7mkuxksknt2b5oqkkuixuunndvgr5zg6yr@h7bxl6ntwkg2> <17D0B34D-59E6-4B4F-9642-FE7FA6111A19@freebsd.org> List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-all@freebsd.org X-BeenThere: dev-commits-ports-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; format=flowed On 2023-12-12 17:45:14 (+0800), Felix Palmen wrote: > * Philip Paeps [20231212 17:34]: >> The issue described by FreeBSD-SA-23:17.pf only affects the pf kernel >> module, not the rest of the kernel. Consequently, freebsd-update >> only >> rebuilt pf.ko. kernel was not rebuilt. > > Thanks! That was the missing piece of information (for me) all the > time! It's a very subtle distinction. And we could try to be a bit clearer about what exactly freebsd-update updates under different circumstances. In practice, this category of vulnerabilities doesn't come up very often. And when it does, it usually affects device drivers and not kernel modules that a substantial fraction of our users can reasonably be expected to be using. >> - FreeBSD with the version reported by >> freebsd-version: >> this incorrectly presents the vulnerability as affecting userland. > > Wouldn't this be the "least wrong" approach for now then? Because: My reasoning for FreeBSD-kernel is that this gives users the hint that they probably need to reboot. And considering that kernel modules are part of the kernel, this feels the least incorrect to me. On the other hand, putting this category of vulnerabilities under FreeBSD may actually be the "least bad" (which is not the same as "least wrong"). At least "pkg audit" will cry if freebsd-version is behind. >> - FreeBSD-kernel with the version reported by >> uname -k: >> this is how it is currently documented. Users who have not upgraded >> anything will not realise they are affected, because uname -k has >> been at >> -p4 since October. (As you correctly point out.) > > And yes, this is pointless, and I still think somehow dangerous when > people expect to be warned by periodic. Yeah ... I follow your reasoning. I will sleep on this. >> The security-officer team is trying to come up with a way to forcibly >> rebuild the kernel for this category of vulnerabilities. This is not >> a >> great solution either though. It requires users to reboot the system >> whereas (in theory, in many/most cases), unloading and reloading the >> kernel >> module would address the vulnerability. > > This sounds like a "better than before" kind of approach as well, > thanks. > >> The good news is that pkgbase will solve this problem to some extent. >> Kernel modules are distributed in the FreeBSD-kernel package. While >> "pkg >> audit" won't be able to determine if the correct module is loaded, at >> least >> it will be able to see that the correct package has been installed. > > Sounds nice as well. Then I'll shut up for now. Still "wrong" > unfortunately, but good to know there's at least progress :) Sorry for not replying earlier. I wasn't trying to quietly wait for the problem to be overcome by events. I started typing my reply earlier and ... then ... got ... distracted. :-) Philip -- Philip Paeps Senior Reality Engineer Alternative Enterprises