Date: Wed, 06 Dec 2023 19:43:21 -0500
From: "Dan Langille"
To: "Philip Paeps"
Cc: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: Re: git: a580d36be4c7 - main - security/vuxml: add FreeBSD SA released on 2023-12-05

On Wed, Dec 6, 2023, at 7:34 PM, Philip Paeps wrote:
> On 2023-12-07 01:37:01 (+0800), Dan Langille wrote:
>> On Tue, Dec 5, 2023, at 6:04 PM, Philip Paeps wrote:
>>> The branch main has been updated by philip:
>>>
>>> URL:
>>> https://cgit.FreeBSD.org/ports/commit/?id=a580d36be4c7a18862a6a110e8bc2ba14e695125
>>>
>>> commit a580d36be4c7a18862a6a110e8bc2ba14e695125
>>> Author: Philip Paeps
>>> AuthorDate: 2023-12-05 23:01:20 +0000
>>> Commit: Philip Paeps
>>> CommitDate: 2023-12-05 23:01:20 +0000
>>>
>>> security/vuxml: add FreeBSD SA released on 2023-12-05
>>>
>>> FreeBSD-SA-23:17.pf affects all supported releases (12.4, 13.2,
>>> 14.0).
>>> ---
>>> security/vuxml/vuln/2023.xml | 41
>>> +++++++++++++++++++++++++++++++++++++++++
>>> 1 file changed, 41 insertions(+)
>>>
>>> diff --git a/security/vuxml/vuln/2023.xml
>>> b/security/vuxml/vuln/2023.xml
>>> index c484528898f7..6516a6a58f8a 100644
>>> --- a/security/vuxml/vuln/2023.xml
>>> +++ b/security/vuxml/vuln/2023.xml
>>> @@ -1,3 +1,44 @@
>>> +
>>> + FreeBSD -- TCP spoofing vulnerability in pf(4)
>>> +
>>> +
>>> + FreeBSD-kernel
>>> + 14.014.0_2
>>> + 13.213.2_7
>>
>> Houston, we have a problem.
>>
>> [17:31 r730-03 dvl ~] % freebsd-version -ukr
>> 13.2-RELEASE-p4
>> 13.2-RELEASE-p4
>> 13.2-RELEASE-p7
>>
>> [17:35 r730-03 dvl ~] %
>> /usr/local/etc/periodic/security/405.pkg-base-audit
>>
>> Checking for security vulnerabilities in base (userland & kernel):
>> Host system:
>> Database fetched: 2023-12-06T07:45+00:00
>> FreeBSD-kernel-13.2_4 is vulnerable:
>> FreeBSD -- TCP spoofing vulnerability in pf(4)
>> CVE: CVE-2023-6534
>> WWW:
>> https://vuxml.FreeBSD.org/freebsd/9cbbc506-93c1-11ee-8e38-002590c1f29c.html
>>
>> 1 problem(s) in 1 installed package(s) found.
>> 0 problem(s) in 0 installed package(s) found.
>>
>> ...
>>
>> I hope to avoid a situation where false positives continue until the
>> user land and kernel are on the patch levels.
>
> This is the same problem we've had before, isn't it?

Yes.

> Did we find an
> actual solution to that, or do we have to wait until the next SA brings
> the freebsd-version numbers back in line?

The world waited. ;)

> In other words: is there anything I can do, right now, to make this
> better for you? :-)

It seems there are kernel vulns and userland vulns. Why don't we check them and record them separately?

-- 
Dan Langille
dan@langille.org
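
Review bot: the upper bounds on the `FreeBSD-kernel` ranges in the quoted `security/vuxml/vuln/2023.xml` hunk (`14.0_2`, `13.2_7`) are matched against the kernel patch level alone, and the `freebsd-version -ukr` output in the reply shows a host whose kernel lines read 13.2-RELEASE-p4 while userland reads 13.2-RELEASE-p7, which is why `405.pkg-base-audit` reports `FreeBSD-kernel-13.2_4 is vulnerable`. Before committing a bound like `13.2_7`, confirm that the patched kernel actually reports that patch level, and say in the entry or the commit message which `freebsd-version` value (kernel or userland) each bound refers to. The quote stops after the 13.2 range, so the 12.4 range implied by the commit message cannot be checked from these lines.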