Date: Thu, 7 Dec 2023 16:28:05 +0100
From: Felix Palmen <zirias@freebsd.org>
To: Philip Paeps <philip@freebsd.org>
Cc: Dan Langille <dan@langille.org>, ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org
Subject: Re: git: a580d36be4c7 - main - security/vuxml: add FreeBSD SA released on 2023-12-05
Message-ID: <a2wecgnuc3hcg6vekqfuskpaa6p4xaicad6563r34og4l24ur2@vd3kjplqluwg>
In-Reply-To: <1A46BB39-EBBA-4E02-97A4-860DD9608000@freebsd.org>
References: <202312052304.3B5N4IOf078862@gitrepo.freebsd.org> <4c967ca4-bfa1-4e30-b330-feb94d6c765b@app.fastmail.com> <38DAC2D1-58B0-43C5-9F1E-97281068AFD5@freebsd.org> <d532ec63-66fc-410d-b397-7170a34a5f30@app.fastmail.com> <BD01492D-CF73-4A7F-8FCF-6236D25BDA1E@freebsd.org> <01372e6b-0e2d-4249-9f36-fdb24b380c71@app.fastmail.com> <1A46BB39-EBBA-4E02-97A4-860DD9608000@freebsd.org>

* Philip Paeps <philip@freebsd.org> [20231207 12:55]:
> On 2023-12-07 09:10:31 (+0800), Dan Langille wrote:
> > On Wed, Dec 6, 2023, at 7:52 PM, Philip Paeps wrote:
> > > On 2023-12-07 08:43:21 (+0800), Dan Langille wrote:
> > > > Why don't we check them and record them separately?
> > >
> > > I already record them separately in vuxml. If a vulnerability only
> > > affects userland, I record
> > > <package><name>FreeBSD</name>[...]</package>.
> > > If the kernel is affected I record
> > > <package><name>FreeBSD-kernel</name>[...]</package>.
> > >
> > > Hmm ... is that the problem? Should I set the versions to the
> > > *kernel* patch level for FreeBSD-kernel vulnerabilities?
> >
> > First, let's test if that fixes it.
> >
> > This fixes it for me:
> >
> > <range><ge>13.2</ge><lt>13.2_4</lt></range>
> >
> > [...]
> >
> > > Is something going to get upset if I change the most recent entry to
> > > <lt>12.2_4</lt>?
> >
> > That I don't know.
> >
> > VUXML entries have AMENDED values don't they?
>
> Thanks for testing this out. I've pushed a <modified/> vuxml entry in
> 4826396e5d15.

This can't be correct, -p4 appeared in October, it can't possibly fix a
vuln discovered in December :o

I'm still on -p6 here, upgrading from source and just always building
the kernel as well (so my kernel version also shows -p6). With this
change, it won't show me the vuln that's certainly present.

I strongly assume the full freebsd-upgrade procedure will also upgrade
the kernel to -p7. If it doesn't, there's a more troubling issue
somewhere...

Cheers, Felix

--
 Felix Palmen <zirias@FreeBSD.org>  {private}  felix@palmen-it.de
 -- ports committer --              {web}  http://palmen-it.de
 {pgp public key}  http://palmen-it.de/pub.txt
 {pgp fingerprint} 6936 13D5 5BBF 4837 B212 3ACC 54AD E006 9879 F231
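
What the `<lt>13.2_4</lt>` bound from the quoted exchange does to a system reporting -p6, as an added example that is not part of the original message and is not pkg's or vuxml's own code. The version comparison is a simplified stand-in for pkg's (it only handles `X.Y_N` strings), and the `13.2_7` bound is a hypothetical comparison value built from the -p7 level mentioned in the reply.

```python
import operator
import re
import xml.etree.ElementTree as ET

# Range quoted in the thread.
RANGE_P4 = "<range><ge>13.2</ge><lt>13.2_4</lt></range>"
# Hypothetical range for comparison; -p7 is the level named in the reply.
RANGE_P7 = "<range><ge>13.2</ge><lt>13.2_7</lt></range>"

OPS = {"lt": operator.lt, "le": operator.le, "gt": operator.gt,
       "ge": operator.ge, "eq": operator.eq}


def parse_version(text):
    """Split 'X.Y_N' into ((X, Y), N); a missing '_N' is patch level 0.

    Simplified: pkg's real comparison also handles epochs, letters, etc.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:_(\d+))?", (text or "").strip())
    if m is None:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    return release, int(m.group(2) or 0)


def in_range(installed, range_xml):
    """True when the installed version satisfies every bound in <range>."""
    have = parse_version(installed)
    bounds = list(ET.fromstring(range_xml))
    if not bounds:
        raise ValueError("empty <range> would match every version")
    for bound in bounds:
        if bound.tag not in OPS:
            raise ValueError(f"unknown bound <{bound.tag}>")
        if not OPS[bound.tag](have, parse_version(bound.text)):
            return False
    return True


def report(installed_versions, range_xml):
    """Map each installed version to whether the range flags it."""
    return {v: in_range(v, range_xml) for v in installed_versions}


if __name__ == "__main__":
    hosts = ["13.2_3", "13.2_4", "13.2_6", "13.2_7"]  # constructed sample
    for label, rng in (("lt 13.2_4", RANGE_P4), ("lt 13.2_7", RANGE_P7)):
        print(label, report(hosts, rng))
```

With the `<lt>13.2_4</lt>` bound, a host reporting 13.2_6 falls outside the range and is not flagged, which is the false negative the reply describes.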