Date: Wed, 06 Dec 2023 19:43:21 -0500
From: "Dan Langille" <dan@langille.org>
To: "Philip Paeps" <philip@freebsd.org>
Cc: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: Re: git: a580d36be4c7 - main - security/vuxml: add FreeBSD SA released on 2023-12-05
Message-ID: <d532ec63-66fc-410d-b397-7170a34a5f30@app.fastmail.com>
In-Reply-To: <38DAC2D1-58B0-43C5-9F1E-97281068AFD5@freebsd.org>
References: <202312052304.3B5N4IOf078862@gitrepo.freebsd.org> <4c967ca4-bfa1-4e30-b330-feb94d6c765b@app.fastmail.com> <38DAC2D1-58B0-43C5-9F1E-97281068AFD5@freebsd.org>
On Wed, Dec 6, 2023, at 7:34 PM, Philip Paeps wrote:
> On 2023-12-07 01:37:01 (+0800), Dan Langille wrote:
>> On Tue, Dec 5, 2023, at 6:04 PM, Philip Paeps wrote:
>>> The branch main has been updated by philip:
>>>
>>> URL: https://cgit.FreeBSD.org/ports/commit/?id=a580d36be4c7a18862a6a110e8bc2ba14e695125
>>>
>>> commit a580d36be4c7a18862a6a110e8bc2ba14e695125
>>> Author:     Philip Paeps <philip@FreeBSD.org>
>>> AuthorDate: 2023-12-05 23:01:20 +0000
>>> Commit:     Philip Paeps <philip@FreeBSD.org>
>>> CommitDate: 2023-12-05 23:01:20 +0000
>>>
>>>     security/vuxml: add FreeBSD SA released on 2023-12-05
>>>
>>>     FreeBSD-SA-23:17.pf affects all supported releases (12.4, 13.2, 14.0).
>>> ---
>>>  security/vuxml/vuln/2023.xml | 41 +++++++++++++++++++++++++++++++++++++++++
>>>  1 file changed, 41 insertions(+)
>>>
>>> diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
>>> index c484528898f7..6516a6a58f8a 100644
>>> --- a/security/vuxml/vuln/2023.xml
>>> +++ b/security/vuxml/vuln/2023.xml
>>> @@ -1,3 +1,44 @@
>>> + <vuln vid="9cbbc506-93c1-11ee-8e38-002590c1f29c">
>>> + <topic>FreeBSD -- TCP spoofing vulnerability in pf(4)</topic>
>>> + <affects>
>>> + <package>
>>> + <name>FreeBSD-kernel</name>
>>> + <range><ge>14.0</ge><lt>14.0_2</lt></range>
>>> + <range><ge>13.2</ge><lt>13.2_7</lt></range>
>>
>> Houston, we have a problem.
>>
>> [17:31 r730-03 dvl ~] % freebsd-version -ukr
>> 13.2-RELEASE-p4
>> 13.2-RELEASE-p4
>> 13.2-RELEASE-p7
>>
>> [17:35 r730-03 dvl ~] % /usr/local/etc/periodic/security/405.pkg-base-audit
>>
>> Checking for security vulnerabilities in base (userland & kernel):
>> Host system:
>> Database fetched: 2023-12-06T07:45+00:00
>> FreeBSD-kernel-13.2_4 is vulnerable:
>>   FreeBSD -- TCP spoofing vulnerability in pf(4)
>>   CVE: CVE-2023-6534
>>   WWW: https://vuxml.FreeBSD.org/freebsd/9cbbc506-93c1-11ee-8e38-002590c1f29c.html
>>
>> 1 problem(s) in 1 installed package(s) found.
>> 0 problem(s) in 0 installed package(s) found.
>>
>> ...
>>
>> I hope to avoid a situation where false positives continue until the
>> userland and kernel are on the patch levels.
>
> This is the same problem we've had before, isn't it?

Yes.

> Did we find an actual solution to that, or do we have to wait until the
> next SA brings the freebsd-version numbers back in line?

The world waited. ;)

> In other words: is there anything I can do, right now, to make this
> better for you? :-)

It seems there are kernel vulns and userland vulns. Why don't we check them
and record them separately?

-- 
Dan Langille
dan@langille.org
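Review bot: the FreeBSD-kernel ranges in the hunk (`<lt>14.0_2</lt>`, `<lt>13.2_7</lt>`) encode a kernel patch level, but nothing in the entry says which of the values `freebsd-version -ukr` prints is the one it should be compared against; on the host in the reply those values are p4, p4 and p7 and the audit picked 13.2_4, so whether the entry matches depends entirely on that choice. Consider stating in the commit message, or in the entry's description, which component's patch level the FreeBSD-kernel range refers to, so that consumers such as 405.pkg-base-audit can audit the kernel and the userland separately instead of against a single level.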
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?d532ec63-66fc-410d-b397-7170a34a5f30>
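An added example of the separate kernel/userland check proposed in the reply above. It is not code from FreeBSD, the ports tree or the pkg-base-audit script: it parses a VuXML fragment and compares each base component only against the ranges for its own package name. The fragment is constructed from the visible lines of the quoted hunk and closed out so it parses (no VuXML namespace, no other fields). The version strings are the ones in the reply; labelling the p4 value as the kernel follows from the audit output naming FreeBSD-kernel-13.2_4, and labelling the p7 value as the userland is an assumption. The package names FreeBSD and FreeBSD-kernel and the 13.2_7 version form follow the quoted entry and the audit output.

```python
"""Added example (not code from FreeBSD, the ports tree or pkg-base-audit):
audit the kernel and the userland of a FreeBSD host separately, each against
the VuXML ranges for its own package name."""
import re
import xml.etree.ElementTree as ET

# Constructed VuXML fragment: the visible lines of the quoted hunk for
# FreeBSD-SA-23:17.pf, closed out so it parses. The real file carries a
# namespace and more fields; both are left out here.
VUXML = """\
<vuxml>
  <vuln vid="9cbbc506-93c1-11ee-8e38-002590c1f29c">
    <topic>FreeBSD -- TCP spoofing vulnerability in pf(4)</topic>
    <affects>
      <package>
        <name>FreeBSD-kernel</name>
        <range><ge>14.0</ge><lt>14.0_2</lt></range>
        <range><ge>13.2</ge><lt>13.2_7</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""

# Version strings from the reply's `freebsd-version -ukr` output, labelled by
# VuXML package name. Assumption: the p4 value is the kernel (the audit output
# names FreeBSD-kernel-13.2_4) and the p7 value is the userland.
HOST = {"FreeBSD-kernel": "13.2-RELEASE-p4", "FreeBSD": "13.2-RELEASE-p7"}

_VER_RE = re.compile(r"^(\d+)\.(\d+)-RELEASE(?:-p(\d+))?$")


def pkg_version(fbsd_version):
    """freebsd-version(1) form -> VuXML form: '13.2-RELEASE-p7' -> '13.2_7',
    '13.2-RELEASE' -> '13.2'."""
    m = _VER_RE.match(fbsd_version.strip())
    if not m:
        raise ValueError("unsupported version string: %r" % fbsd_version)
    major, minor, patch = m.groups()
    return "%s.%s" % (major, minor) + ("_%s" % patch if patch else "")


def version_key(pkg_ver):
    """Sortable key for the VuXML form: '13.2_7' -> (13, 2, 7), '13.2' -> (13, 2, 0)."""
    base, _, patch = pkg_ver.partition("_")
    major, minor = base.split(".")
    return (int(major), int(minor), int(patch or 0))


def in_range(pkg_ver, ge, lt):
    """VuXML <range> semantics: ge <= pkg_ver < lt; a missing bound is open."""
    key = version_key(pkg_ver)
    return (ge is None or version_key(ge) <= key) and (lt is None or key < version_key(lt))


def affected_ranges(vuxml_text):
    """Map package name -> [(ge, lt, vid, topic), ...] over every <vuln>."""
    out = {}
    for vuln in ET.fromstring(vuxml_text).iter("vuln"):
        vid, topic = vuln.get("vid"), vuln.findtext("topic", "")
        for pkg in vuln.iter("package"):
            name = pkg.findtext("name")
            for rng in pkg.findall("range"):
                # Only <ge>/<lt> bounds are handled in this example.
                if any(rng.find(t) is not None for t in ("gt", "le", "eq")):
                    continue
                out.setdefault(name, []).append(
                    (rng.findtext("ge"), rng.findtext("lt"), vid, topic))
    return out


def audit(host, vuxml_text=VUXML):
    """Check each component only against the ranges for its own package name.
    Returns {"<name>-<version>": [(vid, topic), ...]}, one entry per component."""
    ranges = affected_ranges(vuxml_text)
    report = {}
    for name, fbsd_version in host.items():
        ver = pkg_version(fbsd_version)
        report["%s-%s" % (name, ver)] = [
            (vid, topic) for ge, lt, vid, topic in ranges.get(name, [])
            if in_range(ver, ge, lt)]
    return report


if __name__ == "__main__":
    for package, findings in audit(HOST).items():
        print(package, "is vulnerable:" if findings else "is ok")
        for vid, topic in findings:
            print("  %s (vid %s)" % (topic, vid))
```

With the reply's values, the kernel entry FreeBSD-kernel-13.2_4 is the only finding; the userland string is never compared against the kernel-only entry, and a kernel reported as 13.2-RELEASE-p7 comes back clean. Which of the three freebsd-version outputs to feed in as the kernel is the decision the reply is asking to be made explicit.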