Date:      Fri, 15 Nov 2024 17:59:28 -0500
From:      "Dan Langille" <dan@langille.org>
To:        "Philip Paeps" <philip@freebsd.org>
Cc:        ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org, "secteam@FreeBSD.org" <secteam@freebsd.org>
Subject:   Re: git: 0e79ec27f04a - main - security/vuxml: add FreeBSD SAs  issued on 2024-10-29
Message-ID:  <6929eebd-7e6a-4718-9829-83bd340fb1e1@app.fastmail.com>
In-Reply-To: <2161D3CF-3A52-46CC-ACD3-D94ADEC11AAC@freebsd.org>
References:  <202411130421.4AD4LUrj054403@gitrepo.freebsd.org> <fc55ea06-bb1a-4bee-a6eb-62da3ad653ff@app.fastmail.com> <2161D3CF-3A52-46CC-ACD3-D94ADEC11AAC@freebsd.org>

On Fri, Nov 15, 2024, at 5:04 AM, Philip Paeps wrote:
> On 2024-11-13 21:36:49 (+0100), Dan Langille wrote:
>> On Tue, Nov 12, 2024, at 11:21 PM, Philip Paeps wrote:
>>> +  <vuln vid="ce0f52e1-a174-11ef-9a62-002590c1f29c">
>>> +    <topic>FreeBSD -- Certificate revocation list fetch(1) option 
>>> fails</topic>
>>> +    <affects>
>>> +      <package>
>>> +	<name>FreeBSD</name>
>>> +	<range><ge>14.1</ge><lt>14.1_6</lt></range>
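Review bot: the range `<ge>14.1</ge><lt>14.1_6</lt>` matches on the base-system version string, so, as the rest of this thread points out, hosts that installed this fix without a kernel version bump keep reporting the same version and still match the entry as vulnerable. Either hold the entry until the version bump the thread mentions lands, or state in the entry's description which version string (kernel vs userland patch level) the range is meant to be compared against so readers can tell a false positive from a real hit.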
>>
>> I want to find a way that this does not raise false positives. Philip, 
>> we have discussed this before and I'm not saying you are the one to 
>> fix this.
>
> I've put this on the agenda for our next secteam call (Monday).  We've 
> discussed this before, but we never converged on a solution.  From my 
> notes: because we always had a kernel version bump in the pipeline 
> shortly after.  Clearly we shouldn't hope for that to happen every time, 
> and we need a structural solution for this.
>
> We'll talk about it again on Monday and see if we can come up with 
> something better.

freebsd-version comes to mind, but I'm not sure how useful that would be.

> Meanwhile: should we revert this vuxml entry until we either find a 
> solution, or bump the kernel version (whichever comes first)?  I'd 
> estimate that this particular bug is triggering rather more false 
> positives than actually vulnerable installations.

I'm OK with leaving it.

-- 
  Dan Langille
  dan@langille.org
