Date: Thu, 07 Dec 2023 23:44:27 +0800
From: Philip Paeps <philip@freebsd.org>
To: Felix Palmen <zirias@freebsd.org>
Cc: Dan Langille <dan@langille.org>, ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org
Subject: Re: git: a580d36be4c7 - main - security/vuxml: add FreeBSD SA released on 2023-12-05
Message-ID: <D5B534F6-FA63-4941-9BD0-3C0F662D3E3E@freebsd.org>
In-Reply-To: <a2wecgnuc3hcg6vekqfuskpaa6p4xaicad6563r34og4l24ur2@vd3kjplqluwg>
References: <202312052304.3B5N4IOf078862@gitrepo.freebsd.org> <4c967ca4-bfa1-4e30-b330-feb94d6c765b@app.fastmail.com> <38DAC2D1-58B0-43C5-9F1E-97281068AFD5@freebsd.org> <d532ec63-66fc-410d-b397-7170a34a5f30@app.fastmail.com> <BD01492D-CF73-4A7F-8FCF-6236D25BDA1E@freebsd.org> <01372e6b-0e2d-4249-9f36-fdb24b380c71@app.fastmail.com> <1A46BB39-EBBA-4E02-97A4-860DD9608000@freebsd.org> <a2wecgnuc3hcg6vekqfuskpaa6p4xaicad6563r34og4l24ur2@vd3kjplqluwg>
On 2023-12-07 23:28:05 (+0800), Felix Palmen wrote:
> * Philip Paeps <philip@freebsd.org> [20231207 12:55]:
>> On 2023-12-07 09:10:31 (+0800), Dan Langille wrote:
>>> On Wed, Dec 6, 2023, at 7:52 PM, Philip Paeps wrote:
>>>> On 2023-12-07 08:43:21 (+0800), Dan Langille wrote:
>>>>> Why don't we check them and record them separately?
>>>>
>>>> I already record them separately in vuxml. If a vulnerability only
>>>> affects userland, I record
>>>> <package><name>FreeBSD</name>[...]</package>.
>>>> If the kernel is affected I record
>>>> <package><name>FreeBSD-kernel</name>[...]</package>.
>>>>
>>>> Hmm ... is that the problem? Should I set the versions to the *kernel*
>>>> patch level for FreeBSD-kernel vulnerabilities?
>>>
>>> First, let's test if that fixes it.
>>>
>>> This fixes it for me:
>>>
>>> <range><ge>13.2</ge><lt>13.2_4</lt></range>
>>>
>>> [...]
>>>
>>>> Is something going to get upset if I change the most recent entry to
>>>> <lt>12.2_4</lt>?
>>>
>>> That I don't know.
>>>
>>> VUXML entries have AMENDED values don't they?
>>
>> Thanks for testing this out. I've pushed a <modified/> vuxml entry in
>> 4826396e5d15.
>
> This can't be correct, -p4 appeared in October, it can't possibly fix a
> vuln discovered in December :o
>
> I'm still on -p6 here, upgrading from source and just always building
> the kernel as well (so my kernel version also shows -p6). With this
> change, it won't show me the vuln that's certainly present.
>
> I strongly assume the full freebsd-upgrade procedure will also upgrade
> the kernel to -p7. If it doesn't, there's a more troubling issue
> somewhere...

This assumption is wrong. freebsd-update builds only build what has changed. If a security patch does not affect the kernel, the kernel is not rebuilt.

We've had this conversation before. I believe the conclusion at the time was that there are no good answers and we can't have nice things.

Tracking userland versions in vuxml breaks things for people running freebsd-update. Tracking kernel versions hides vulnerabilities for people upgrading from source.

We (security team) won't push kernel updates (and require users to reboot) for vulnerabilities that only affect userland, only to show a higher number. That would be silly.

I think the updated vuxml entry, suggested by dvl, is the most correct. But I have no good answer for your use case.

Philip

-- 
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
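The trade-off Philip describes above, worked through as an added example (not code from the thread and not pkg's own audit implementation): a simplified model of matching a vuxml `<range>` against the userland and kernel versions a host reports, run over two constructed hosts, one kept current with freebsd-update (kernel still at the patch level of the last kernel rebuild) and one built from source (kernel and userland at the same level). The version parser and comparison are assumptions of this example.

```python
"""Model of a vuxml version range checked against a host's userland and
kernel versions.  Added example: the parser and comparison below are a
simplified assumption (release numbers compared numerically, then the _N
patch level), and the host versions are constructed sample values."""
import re
from typing import Tuple

Version = Tuple[Tuple[int, ...], int]

def parse_version(text: str) -> Version:
    """'13.2_4' -> ((13, 2), 4); a bare '13.2' is patch level 0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:_(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised FreeBSD version: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    return (release, int(m.group(2) or 0))

def in_range(version: str, ge: str, lt: str) -> bool:
    """Mirror a vuxml <range><ge>..</ge><lt>..</lt></range> test."""
    return parse_version(ge) <= parse_version(version) < parse_version(lt)

def audit(host: dict, entry: dict) -> bool:
    """True if the entry flags this host.  A FreeBSD-kernel entry is
    compared against the kernel version, a FreeBSD entry against userland."""
    key = "kernel" if entry["package"] == "FreeBSD-kernel" else "userland"
    return in_range(host[key], entry["ge"], entry["lt"])

# Constructed hosts on 13.2.  freebsd-update only rebuilds the kernel when
# a patch touches it, so that host's kernel still reports the level of the
# last kernel rebuild (p4 here, as in the thread); the source-built host
# rebuilds the kernel every time and carries one level in both places.
HOSTS = {
    "freebsd-update": {"userland": "13.2_7", "kernel": "13.2_4"},
    "source-build":   {"userland": "13.2_6", "kernel": "13.2_6"},
}

# The amended entry from the thread (kernel patch level) beside the other
# choice, recording the userland patch level of the same fix (assumed p7).
KERNEL_ENTRY   = {"package": "FreeBSD-kernel", "ge": "13.2", "lt": "13.2_4"}
USERLAND_ENTRY = {"package": "FreeBSD-kernel", "ge": "13.2", "lt": "13.2_7"}

def compare_entries() -> dict:
    """Which hosts each recording choice flags: the kernel-level entry
    flags neither host (hiding the vuln on the source-built one), the
    userland-level entry flags both (a false alarm on the updated one)."""
    return {name: {"kernel_level": audit(h, KERNEL_ENTRY),
                   "userland_level": audit(h, USERLAND_ENTRY)}
            for name, h in HOSTS.items()}

if __name__ == "__main__":
    for host, result in compare_entries().items():
        print(host, result)
```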
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?D5B534F6-FA63-4941-9BD0-3C0F662D3E3E>