Date: Thu, 7 Dec 2023 18:48:12 +0100
From: Felix Palmen <zirias@freebsd.org>
To: Philip Paeps <philip@freebsd.org>
Cc: ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org
Subject: Re: git: 4826396e5d15 - main - security/vuxml: correct last SA's affected range
Message-ID: <4aoxukh3ddhkq3qmo4qi7vpeqo3wpxc6nivrlve67hr7oszr2m@3wydgx5pc7be>
In-Reply-To: <202312070452.3B74qCJr077470@gitrepo.freebsd.org>
References: <202312070452.3B74qCJr077470@gitrepo.freebsd.org>

* Philip Paeps <philip@FreeBSD.org> [20231207 04:52]:
> The branch main has been updated by philip:
>
> URL: https://cgit.FreeBSD.org/ports/commit/?id=4826396e5d1555b9eebf58cac290490b24bf1243
>
> commit 4826396e5d1555b9eebf58cac290490b24bf1243
> Author:     Philip Paeps <philip@FreeBSD.org>
> AuthorDate: 2023-12-07 04:49:28 +0000
> Commit:     Philip Paeps <philip@FreeBSD.org>
> CommitDate: 2023-12-07 04:49:28 +0000
>
>     security/vuxml: correct last SA's affected range
>
>     FreeBSD-SA-23:17.pf only affects the kernel, not userland.  The first
>     patch level of the kernel without the vulnerability is 13.2_4, not
>     13.2_7.

Please revert this commit. The first sentence of the message is correct,
the second one is wrong. The fixed kernel has version 13.2-RELEASE-p7.

If this isn't reverted, only people who didn't upgrade since October '23
will ever get the warning. This most likely isn't the audience looking at
these warnings in the first place.

I'm well aware updates for freebsd-update skip building the kernel when
there are no changes, so the kernel version can have a lower patch level
than the userland version. But still, there's a single source of truth
for the version information, sys/conf/newvers.sh. When a new kernel is
built, it takes the version information from there. So a (fixed) kernel
built after src commit e8439726cfa5bd0059a65117447d8c4160bfed43 will have
a version of 13.2-RELEASE-p7.

Therefore, please revert. Or beat me to whatever I missed analyzing that.

Thanks, Felix

>
>     Reported by:    dvl
> --- > security/vuxml/vuln/2023.xml | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) >=20 > diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml > index 6516a6a58f8a..952882829c6c 100644 > --- a/security/vuxml/vuln/2023.xml > +++ b/security/vuxml/vuln/2023.xml
> @@ -4,7 +4,7 @@ > <package> > <name>FreeBSD-kernel</name> > <range><ge>14.0</ge><lt>14.0_2</lt></range> > - <range><ge>13.2</ge><lt>13.2_7</lt></range> > + <range><ge>13.2</ge><lt>13.2_4</lt></range> > <range><ge>12.4</ge><lt>12.4_9</lt></range> > </package> > </affects> > @@ -36,6 +36,7 @@ > <dates> > <discovery>2023-12-05</discovery> > <entry>2023-12-05</entry> > + <modified>2023-12-07</modified> > </dates> > </vuln> > =20

--
Felix Palmen <zirias@FreeBSD.org>   {private} felix@palmen-it.de
-- ports committer --               {web} http://palmen-it.de
{pgp public key} http://palmen-it.de/pub.txt
{pgp fingerprint} 6936 13D5 5BBF 4837 B212 3ACC 54AD E006 9879 F231
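
Review bot: in the first hunk, the new bound `<lt>13.2_4</lt>` for FreeBSD-kernel is not backed by anything the commit cites; the message states that 13.2_4 is the first fixed kernel patch level but names no advisory text or src commit for it, while the 14.0 and 12.4 ranges stay as they were. Lowering the bound means kernels reporting 13.2_4 through 13.2_6 stop matching this entry, so the commit message should name where the kernel patch level comes from before the range is narrowed; the reply above points to src commit e8439726cfa5bd0059a65117447d8c4160bfed43 and sys/conf/newvers.sh as the reference for 13.2-RELEASE-p7.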
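
To make concrete which 13.2 kernel patch levels the entry warns about under each of the two bounds discussed in this thread, here is an added example (not part of the original message and not FreeBSD's own tooling). It assumes a kernel version string of the form 13.2-RELEASE-pN maps to 13.2_N, and it compares only MAJOR.MINOR[_PATCH] versions rather than implementing pkg's full version rules; all function names are hypothetical.

```python
import operator
import re
import xml.etree.ElementTree as ET

# The <package> element from the quoted hunk; {bound} is the 13.2 upper bound.
PACKAGE_XML = """
<package>
  <name>FreeBSD-kernel</name>
  <range><ge>14.0</ge><lt>14.0_2</lt></range>
  <range><ge>13.2</ge><lt>{bound}</lt></range>
  <range><ge>12.4</ge><lt>12.4_9</lt></range>
</package>
"""

# VuXML range operators mapped to Python comparisons.
OPS = {tag: getattr(operator, tag) for tag in ("ge", "gt", "le", "lt", "eq")}

def to_pkg_version(kernel_version):
    """'13.2-RELEASE-p7' -> '13.2_7', '13.2-RELEASE' -> '13.2' (assumed mapping)."""
    m = re.fullmatch(r"(\d+\.\d+)-RELEASE(?:-p(\d+))?", kernel_version)
    if not m:
        raise ValueError(f"unsupported version string: {kernel_version!r}")
    return m.group(1) + (f"_{m.group(2)}" if m.group(2) else "")

def key(version):
    """Sort key for 'MAJOR.MINOR[_PATCH]' only; a simplification of pkg's rules."""
    base, _, patch = version.partition("_")
    major, minor = base.split(".")
    return (int(major), int(minor), int(patch or 0))

def is_flagged(kernel_version, bound):
    """True if any <range> of the entry matches the given kernel version."""
    v = key(to_pkg_version(kernel_version))
    pkg = ET.fromstring(PACKAGE_XML.format(bound=bound))
    return any(
        all(OPS[cond.tag](v, key(cond.text)) for cond in rng)
        for rng in pkg.iter("range")
    )

def flagged_patch_levels(bound, upto=8):
    """13.2 kernel versions (patch level 0..upto) that the entry warns about."""
    versions = ["13.2-RELEASE"] + [f"13.2-RELEASE-p{n}" for n in range(1, upto + 1)]
    return [v for v in versions if is_flagged(v, bound)]

if __name__ == "__main__":
    for bound in ("13.2_7", "13.2_4"):
        print(bound, flagged_patch_levels(bound))
```

With the 13.2_4 bound, kernels at patch levels 4 through 6 no longer match the entry; with 13.2_7 they do.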