Date: Thu, 17 Nov 2022 11:10:55 -0800
From: Cy Schubert <Cy.Schubert@cschubert.com>
To: Garrett Wollman <wollman@freebsd.org>
Cc: freebsd-security@freebsd.org
Subject: Re: vuxml entry error for krb5
Message-ID: <20221117191055.6AB41243@slippy.cwsent.com>
In-Reply-To: <25462.32695.665376.679464@hergotha.csail.mit.edu>
References: <25462.32695.665376.679464@hergotha.csail.mit.edu>
In message <25462.32695.665376.679464@hergotha.csail.mit.edu>, Garrett Wollman writes:

> Not sure who to address this to, so hopefully someone more
> knowledgeable about vuxml can explain what needs to be fixed here.
>
> https://vuxml.freebsd.org/freebsd/094e4a5b-6511-11ed-8c5e-206a8a720317.html
> gives incorrect "affected packages" for the main `krb5` package: it
> claims that all versions < 1.20_1 are affected, but in fact the
> vulnerable versions are 1.20 < x < 1.20_1 OR 1.19 < x < 1.19.3_1 OR
> x < 1.19.

All versions < 1.20.1 and 1.19.4 are vulnerable. If you've put 119 in your
make.conf and rebuilt krb5-1.19.3_1 or 1.19.4 you will be fine. I had to do
a bit of digging around but looking at an example from two years ago the
vuxml syntax seems to support multiple ranges for a single port.

> This means that if you have KRB5_VERSION=119 set in make.conf, you
> will get packages that are *not* vulnerable, but `pkg audit` will
> claim that they are.

This is correct. MIT released patches for 1.20 and 1.19 and within half an
hour they released 1.20.1 and 1.19.4. The krb5-120 and krb5-119 branches are
fully supported by MIT.

vuxml has been fixed.

To answer another question not asked here but I'm sure someone will: I
typically keep krb5 N-2 -- in this case krb5-118 -- in the tree for a year
after N is released for those needing extra time to bring their krb5 up to
level. But since 1.18 is no longer supported by MIT and is also vulnerable
its expiry date has been accelerated to the end of this month. MIT supports
only N and N-1. I'm currently considering reducing this from a year to six
months when 1.21 is released.

> -GAWollman

-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org

e^(i*pi)+1=0
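As an added illustration, not from the thread or the real vuxml entry, of why a single `<lt>1.20_1</lt>` range produces the `pkg audit` false positive described above while the multi-range form does not: a small Python checker that evaluates constructed vuxml `<affects>` fragments against installed package versions. The XML fragments are constructed for this example and omit the vuxml namespace, and the version comparator is a simplified stand-in for pkg's own (version, `_portrevision`, `,portepoch`), adequate for the version strings discussed here.

```python
"""Evaluate vuxml <affects> ranges against installed FreeBSD package versions."""
import xml.etree.ElementTree as ET

# Constructed vuxml fragments (not the real entry): the over-broad form that
# flags every krb5 below 1.20_1, and the multi-range form that matches only
# the unpatched builds of each release line.
BROAD = """<affects><package><name>krb5</name>
<range><lt>1.20_1</lt></range></package></affects>"""
MULTI = """<affects><package><name>krb5</name>
<range><ge>1.20</ge><lt>1.20_1</lt></range>
<range><ge>1.19</ge><lt>1.19.3_1</lt></range>
<range><lt>1.19</lt></range></package></affects>"""

OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
       "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
       "eq": lambda a, b: a == b}


def parse_version(v):
    """Simplified port version key: version[_portrevision][,portepoch].

    Assumption: dotted numeric components only; epoch dominates, then the
    dotted version, then the port revision (so 1.20 < 1.20_1 < 1.20.1).
    """
    v, _, epoch = v.partition(",")
    v, _, rev = v.partition("_")
    return (int(epoch or 0), tuple(int(p) for p in v.split(".")), int(rev or 0))


def affected(vuxml_affects, name, version):
    """True if name/version falls inside any <range> of the fragment."""
    key = parse_version(version)
    for pkg in ET.fromstring(vuxml_affects).iter("package"):
        if pkg.findtext("name") != name:
            continue
        for rng in pkg.iter("range"):
            # All bounds inside one <range> must hold; separate ranges are OR-ed.
            if all(OPS[b.tag](key, parse_version(b.text)) for b in rng):
                return True
    return False


def audit(vuxml_affects, installed):
    """Return the subset of installed 'name-version' strings that get flagged."""
    return [p for p in installed
            if affected(vuxml_affects, *p.rpartition("-")[::2])]


if __name__ == "__main__":
    sample = ["krb5-1.19.4", "krb5-1.20", "krb5-1.20_1", "krb5-1.18.2"]
    print("broad range flags:", audit(BROAD, sample))   # includes krb5-1.19.4
    print("multi range flags:", audit(MULTI, sample))   # krb5-1.19.4 absent
```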