Date: Fri, 15 Nov 2024 11:04:38 +0100
From: Philip Paeps <philip@freebsd.org>
To: Dan Langille <dan@langille.org>
Cc: ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org, FreeBSD Security Team <secteam@freebsd.org>
Subject: Re: git: 0e79ec27f04a - main - security/vuxml: add FreeBSD SAs issued on 2024-10-29
Message-ID: <2161D3CF-3A52-46CC-ACD3-D94ADEC11AAC@freebsd.org>
In-Reply-To: <fc55ea06-bb1a-4bee-a6eb-62da3ad653ff@app.fastmail.com>
References: <202411130421.4AD4LUrj054403@gitrepo.freebsd.org> <fc55ea06-bb1a-4bee-a6eb-62da3ad653ff@app.fastmail.com>
On 2024-11-13 21:36:49 (+0100), Dan Langille wrote:
> On Tue, Nov 12, 2024, at 11:21 PM, Philip Paeps wrote:
>> + <vuln vid="ce0f52e1-a174-11ef-9a62-002590c1f29c">
>> + <topic>FreeBSD -- Certificate revocation list fetch(1) option
>> fails</topic>
>> + <affects>
>> + <package>
>> + <name>FreeBSD</name>
>> + <range><ge>14.1</ge><lt>14.1_6</lt></range>
>
> I want to find a way that this does not raise false positives. Philip,
> we have discussed this before and I'm not saying you are the one to
> fix this.

I've put this on the agenda for our next secteam call (Monday).

We've discussed this before, but we never converged on a solution. From my notes: because we always had a kernel version bump in the pipeline shortly after.

Clearly we shouldn't hope for that to happen every time, and we need a structural solution for this. We'll talk about it again on Monday and see if we can come up with something better.

Meanwhile: should we revert this vuxml entry until we either find a solution, or bump the kernel version (whichever comes first)? I'd estimate that this particular bug is triggering rather more false positives than actually vulnerable installations.

Philip
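An added illustration of the false-positive case the thread discusses; this is not code from the thread or from pkg's own audit implementation. It parses the quoted vuxml range with a deliberately simplified MAJOR.MINOR_PATCH comparator (not pkg's full version ordering, and only <ge>/<lt> bounds) and assumes, as the thread implies, that the audit verdict is taken from the kernel-reported version even though the fetch(1) fix only changed userland; the version strings fed in are constructed sample values.

```python
import re
import xml.etree.ElementTree as ET

# The vuxml fragment quoted in the thread, completed into a minimal
# well-formed element (constructed sample; only the fields the check needs).
VUXML_ENTRY = """<vuln vid="ce0f52e1-a174-11ef-9a62-002590c1f29c">
  <topic>FreeBSD -- Certificate revocation list fetch(1) option fails</topic>
  <affects>
    <package>
      <name>FreeBSD</name>
      <range><ge>14.1</ge><lt>14.1_6</lt></range>
    </package>
  </affects>
</vuln>"""


def parse_version(v):
    """Simplified (hypothetical) parser: 'MAJOR.MINOR[_PATCH]' -> tuple.
    A missing patch level is treated as patch 0, as an assumption."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:_(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def parse_ranges(entry_xml):
    """Collect (ge, lt) bound pairs from every <range> in the entry."""
    root = ET.fromstring(entry_xml)
    pairs = []
    for rng in root.iter("range"):
        ge, lt = rng.find("ge"), rng.find("lt")
        pairs.append((ge.text if ge is not None else None,
                      lt.text if lt is not None else None))
    return pairs


def is_affected(entry_xml, installed):
    """True if `installed` lies inside any range: ge <= installed < lt."""
    iv = parse_version(installed)
    for ge, lt in parse_ranges(entry_xml):
        if ge is not None and iv < parse_version(ge):
            continue
        if lt is not None and iv >= parse_version(lt):
            continue
        return True
    return False


def audit_host(entry_xml, kernel_version, userland_version):
    """Verdict from the kernel-reported version next to the verdict from the
    userland patch level; they diverge when only userland was patched."""
    return {"kernel": is_affected(entry_xml, kernel_version),
            "userland": is_affected(entry_xml, userland_version)}
```

A host whose userland is at 14.1_6 but whose kernel still reports 14.1_5 gets `kernel=True, userland=False`: the kernel-based check flags it although the patched fetch(1) is installed.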