Date:      Thu, 25 Feb 2021 16:27:02 -0600
From:      Tim Daneliuk <tundra@tundraware.com>
To:        FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>
Subject:   Re: How do I know if my 13-stable has security patches?
Message-ID:  <de38f279-c95c-3ef7-ec54-bd36dbad0fee@tundraware.com>
In-Reply-To: <7d4e7a1f-da3e-2860-62b1-7be88123bee9@denninger.net>
References:  <CAN6yY1tTt%2BEn6hzMYrjm2fRkUPBAuN9t8%2BR27Z3To_sJRbfUVA@mail.gmail.com> <1748076.jFELhIj8lM@ravel> <CAN6yY1sehRjej7vf3B_TPsg%2BecpDLG=naQ2oiMZ=DATs3PUGzQ@mail.gmail.com> <3308997.ajJYar8FF2@ravel> <001a5401-c334-5937-4ce3-315ff89e34be@denninger.net> <CANCZdfo2zq1fR5q7X47QFAFt00WrfvSzyqg4vDVbRwdGGXgfMQ@mail.gmail.com> <7d4e7a1f-da3e-2860-62b1-7be88123bee9@denninger.net>

On 2/25/21 3:56 PM, Karl Denninger wrote:
> On 2/25/2021 15:56, Warner Losh wrote:
>>

> 
> Unless I've missed something that's what was lost and IMHO needs to be restored; a way to know that in seconds with nothing other than the operating OS on the box (e.g. via uname) and the advisory with its "greater than X is safe" from the mailing list.  Am I misunderstanding the current state of things in this regard?
> 

One mechanism for doing this with git would be to use tags of some sort to
indicate which commits address which CVEs.  The problem with this is that
you still need a source tree.

I may be dense (I've certainly been told I am from time-to-time) but what's
wrong with this algo:

   - FreeBSD security team sends out notification of CVE and patches
     that address them AND _what date the patches went into the source tree_.

   - I do a 'uname -a' to see if my running system was built before- or after
     that date  (+- timezone variability, perhaps).

This does assume that people are pulling latest source for their branch prior to building.
This only addresses kernel fixes directly, however. A patch to, say, sshd would
not be reflected in the kernel build date.  But even there, it's kind of a hint.
If your instance of sshd is older than the patch date in question, you are for sure
not patched.  The uncertainty remains whether or not a file timestamped after the
patch date was built from the correct/new source.  But I would argue that this particular
problem also existed with kernel rxxxx notation.

git does get many things right, but this is an area that is kind of clunky.  I also
hate that it has no equivalent to $RCSID for me to embed in code and docs.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?de38f279-c95c-3ef7-ec54-bd36dbad0fee>
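The check the message proposes, as an added example that is not part of the original post or of FreeBSD itself: pull the build timestamp out of `uname -v`, convert it to UTC, and compare it with the time the fix landed in the tree. The `uname -v` string, the zone-abbreviation table and the advisory date are all constructed for the example; the zone table is deliberately US-centric and anything it does not recognise falls into the "+- timezone variability" window the message mentions, which is reported as uncertain rather than guessed.

```python
"""Added example: decide from `uname -v` alone whether a FreeBSD build predates
the commit that fixed an advisory, following the procedure proposed above."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample laid out like FreeBSD 13's git-era `uname -v`; not a real build.
SAMPLE_UNAME_V = (
    "FreeBSD 13.0-STABLE #0 stable/13-n244731-3a6fe0ccc6a: "
    "Thu Feb 25 08:41:12 CST 2021     "
    "root@builder.example.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC"
)

# Assumed, US-centric zone table. Abbreviations are ambiguous ("CST" is also
# China Standard Time, UTC+8); that ambiguity is the "+- timezone variability"
# the message mentions, so anything not listed here is treated as unknown.
TZ_OFFSETS_H = {
    "UTC": 0, "GMT": 0,
    "EST": -5, "EDT": -4, "CST": -6, "CDT": -5,
    "MST": -7, "MDT": -6, "PST": -8, "PDT": -7,
    "CET": 1, "CEST": 2,
}

# Real offsets run from UTC-12 to UTC+14, so with an unknown zone the true
# instant lies within +-14 h of the wall-clock time read as UTC.
TZ_SLACK = timedelta(hours=14)

# "<branch ident>: Thu Feb 25 08:41:12 CST 2021" -- the build date in `uname -v`.
BUILD_RE = re.compile(
    r":\s+([A-Za-z]{3} [A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ([A-Za-z]{2,5}) (\d{4})"
)


def parse_build_time(uname_v):
    """Return (build instant as an aware UTC datetime, tz_known).

    If the zone abbreviation is not recognised, the wall-clock time is returned
    labelled UTC and tz_known is False so the caller can apply TZ_SLACK.
    """
    m = BUILD_RE.search(uname_v)
    if not m:
        raise ValueError("no build timestamp found in uname -v output")
    wall = datetime.strptime(f"{m.group(1)} {m.group(3)}", "%a %b %d %H:%M:%S %Y")
    zone = m.group(2)
    if zone in TZ_OFFSETS_H:
        tz = timezone(timedelta(hours=TZ_OFFSETS_H[zone]))
        return wall.replace(tzinfo=tz).astimezone(timezone.utc), True
    return wall.replace(tzinfo=timezone.utc), False


def assess(instant_utc, tz_known, fix_landed_utc):
    """Compare a timestamp with the time a fix landed in the tree.

    'built-before-fix' is definitive: the binary cannot contain the fix.
    'built-after-fix' is only a hint, as the message says: it assumes the
    tree was pulled after the commit and before the build.
    """
    slack = timedelta(0) if tz_known else TZ_SLACK
    if instant_utc < fix_landed_utc - slack:
        return "built-before-fix"
    if instant_utc >= fix_landed_utc + slack:
        return "built-after-fix"
    return "uncertain"


def assess_uname(uname_v, fix_landed_iso):
    """fix_landed_iso: ISO 8601 with offset, e.g. '2021-02-24T20:15:00+00:00'
    (constructed here; a real advisory would state the commit date)."""
    fix = datetime.fromisoformat(fix_landed_iso).astimezone(timezone.utc)
    build, known = parse_build_time(uname_v)
    return assess(build, known, fix)


def assess_mtime(mtime_epoch, fix_landed_iso):
    """Same check for a userland binary such as sshd, using its st_mtime
    (seconds since the epoch, so there is no zone ambiguity)."""
    fix = datetime.fromisoformat(fix_landed_iso).astimezone(timezone.utc)
    return assess(datetime.fromtimestamp(mtime_epoch, timezone.utc), True, fix)


if __name__ == "__main__":
    import os
    import subprocess
    live = subprocess.run(["uname", "-v"], capture_output=True, text=True).stdout
    fix_date = "2021-02-24T20:15:00+00:00"  # constructed example advisory date
    for label, text in (("sample", SAMPLE_UNAME_V), ("this host", live)):
        try:
            print(f"{label}: {assess_uname(text, fix_date)}")
        except ValueError as e:
            print(f"{label}: {e}")
    if os.path.exists("/usr/sbin/sshd"):
        print("sshd:", assess_mtime(os.stat("/usr/sbin/sshd").st_mtime, fix_date))
```

Run on a host whose `uname -v` does not carry a FreeBSD-style build date, the script reports that rather than guessing, and a kernel built in an unrecognised zone within 14 hours of the commit comes back as uncertain; only the "built-before-fix" verdict is conclusive, which matches the message's point that a timestamp older than the fix proves you are not patched while a newer one is just a hint.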