Date: Thu, 07 Dec 2023 08:34:32 +0800
From: Philip Paeps <philip@freebsd.org>
To: Dan Langille <dan@langille.org>
Cc: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: Re: git: a580d36be4c7 - main - security/vuxml: add FreeBSD SA released on 2023-12-05
Message-ID: <38DAC2D1-58B0-43C5-9F1E-97281068AFD5@freebsd.org>
In-Reply-To: <4c967ca4-bfa1-4e30-b330-feb94d6c765b@app.fastmail.com>
References: <202312052304.3B5N4IOf078862@gitrepo.freebsd.org> <4c967ca4-bfa1-4e30-b330-feb94d6c765b@app.fastmail.com>

On 2023-12-07 01:37:01 (+0800), Dan Langille wrote:
> On Tue, Dec 5, 2023, at 6:04 PM, Philip Paeps wrote:
>> The branch main has been updated by philip:
>>
>> URL:
>> https://cgit.FreeBSD.org/ports/commit/?id=a580d36be4c7a18862a6a110e8bc2ba14e695125
>>
>> commit a580d36be4c7a18862a6a110e8bc2ba14e695125
>> Author: Philip Paeps <philip@FreeBSD.org>
>> AuthorDate: 2023-12-05 23:01:20 +0000
>> Commit: Philip Paeps <philip@FreeBSD.org>
>> CommitDate: 2023-12-05 23:01:20 +0000
>>
>> security/vuxml: add FreeBSD SA released on 2023-12-05
>>
>> FreeBSD-SA-23:17.pf affects all supported releases (12.4, 13.2, 14.0).
>> ---
>> security/vuxml/vuln/2023.xml | 41 +++++++++++++++++++++++++++++++++++++++++
>> 1 file changed, 41 insertions(+)
>>
>> diff --git a/security/vuxml/vuln/2023.xml = >> b/security/vuxml/vuln/2023.xml >> index c484528898f7..6516a6a58f8a 100644 >> --- a/security/vuxml/vuln/2023.xml >> +++ b/security/vuxml/vuln/2023.xml 
>> @@ -1,3 +1,44 @@ >> + <vuln vid=3D"9cbbc506-93c1-11ee-8e38-002590c1f29c"> >> + <topic>FreeBSD -- TCP spoofing vulnerability in pf(4)</topic> >> + <affects> >> + <package> >> + <name>FreeBSD-kernel</name> >> + <range><ge>14.0</ge><lt>14.0_2</lt></range> >> + <range><ge>13.2</ge><lt>13.2_7</lt></range>
>
> Houston, we have a problem.
>
> [17:31 r730-03 dvl ~] % freebsd-version -ukr
> 13.2-RELEASE-p4
> 13.2-RELEASE-p4
> 13.2-RELEASE-p7
>
> [17:35 r730-03 dvl ~] % /usr/local/etc/periodic/security/405.pkg-base-audit
>
> Checking for security vulnerabilities in base (userland & kernel):
> Host system:
> Database fetched: 2023-12-06T07:45+00:00
> FreeBSD-kernel-13.2_4 is vulnerable:
> FreeBSD -- TCP spoofing vulnerability in pf(4)
> CVE: CVE-2023-6534
> WWW: https://vuxml.FreeBSD.org/freebsd/9cbbc506-93c1-11ee-8e38-002590c1f29c.html
>
> 1 problem(s) in 1 installed package(s) found.
> 0 problem(s) in 0 installed package(s) found.
>
> ...
>
> I hope to avoid a situation where false positives continue until the
> user land and kernel are on the patch levels.

This is the same problem we've had before, isn't it? Did we find an actual solution to that, or do we have to wait until the next SA brings the freebsd-version numbers back in line?

In other words: is there anything I can do, right now, to make this better for you? :-)

Philip

--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
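
Review bot: in the `<range><ge>13.2</ge><lt>13.2_7</lt></range>` line under `<name>FreeBSD-kernel</name>`, the upper bound is compared against the kernel patch level alone, and the audit output quoted in this thread shows a host whose userland reports 13.2-RELEASE-p7 still being flagged as FreeBSD-kernel-13.2_4. Consider noting in the entry's description that the kernel and userland patch levels reported by freebsd-version can differ, so that someone reading the audit result knows to check both before treating the host as unpatched. Separately, the commit message lists 12.4 as affected, while the quoted part of the hunk shows ranges for 14.0 and 13.2 only; please confirm that a 12.4 range is present in the lines not quoted here.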