Reply-to: Cy Schubert
From: Cy Schubert
To: Garrett Wollman
cc: freebsd-security@freebsd.org
Subject: Re: vuxml entry error for krb5
In-reply-to: <25462.32695.665376.679464@hergotha.csail.mit.edu>
References: <25462.32695.665376.679464@hergotha.csail.mit.edu>
Comments: In-reply-to Garrett Wollman message dated "Thu, 17 Nov 2022 13:38:47 -0500."
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security
Date: Thu, 17 Nov 2022 11:10:55 -0800
Message-Id: <20221117191055.6AB41243@slippy.cwsent.com>

In message <25462.32695.665376.679464@hergotha.csail.mit.edu>, Garrett
Wollman writes:
> Not sure who to address this to, so hopefully someone more
> knowledgeable about vuxml can explain what needs to be fixed here.
>
> https://vuxml.freebsd.org/freebsd/094e4a5b-6511-11ed-8c5e-206a8a720317.html
> gives incorrect "affected packages" for the main `krb5` package: it
> claims that all versions < 1.20_1 are affected, but in fact the
> vulnerable versions are 1.20 < x < 1.20_1 OR 1.19 < x < 1.19.3_1 OR
> x < 1.19.

All versions < 1.20.1 and 1.19.4 are vulnerable. If you've put 119 in
your make.conf and rebuilt krb5-1.19.3_1 or 1.19.4 you will be fine. I
had to do a bit of digging around but looking at an example from two
years ago the vuxml syntax seems to support multiple ranges for a single
port.

> This means that if you have KRB5_VERSION=119 set in make.conf, you
> will get packages that are *not* vulnerable, but `pkg audit` will
> claim that they are.

This is correct. MIT released patches for 1.20 and 1.19 and within half
an hour they released 1.20.1 and 1.19.4. The krb5-120 and krb5-119
branches are fully supported by MIT.

vuxml has been fixed.

To answer another question not asked here but I'm sure someone will: I
typically keep krb5 N-2 -- in this case krb5-118 -- in the tree for a
year after N is released for those needing extra time to bring their
krb5 up to level. But since 1.18 is no longer supported by MIT and is
also vulnerable its expiry date has been accelerated to the end of this
month. MIT supports only N and N-1. I'm currently considering reducing
this from a year to six months when 1.21 is released.

> -GAWollman

-- 
Cheers,
Cy Schubert
FreeBSD UNIX:    Web:  https://FreeBSD.org
NTP:             Web:  https://nwtime.org

	e^(i*pi)+1=0
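The thread turns on one point: a vuxml `<package>` can carry several `<range>` elements, and a single `<lt>1.20_1</lt>` bound flags the patched 1.19.3_1 and 1.19.4 packages as vulnerable even though they are not. The following Python is an added example, not part of this thread or of the ports tree's real entry. The vuxml fragment is constructed: it reuses the vid named in the thread, but its `<topic>` text is a placeholder and the two ranges (`x < 1.19.3_1` and `1.20 <= x < 1.20_1`) are an assumption drawn from the messages above, not the committed fix. The version comparison is a simplified model of pkg-version(8) (epoch, then dotted version, then `_N` port revision) and does not handle letter suffixes.

```python
"""Check FreeBSD package versions against vuxml-style <range> bounds.

Added example, not part of the thread or of the ports tree: it models how
several <range> elements on one <package> express
"x < 1.19.3_1 OR 1.20 <= x < 1.20_1", and why a single "< 1.20_1" bound
mis-flags the patched 1.19.x packages.
"""
import xml.etree.ElementTree as ET

# Constructed vuxml fragment. The vid is the one named in the thread; the
# <topic> text is a placeholder and the two ranges are an assumption drawn
# from the thread, not the entry as committed.
VUXML_FRAGMENT = """\
<vuln vid="094e4a5b-6511-11ed-8c5e-206a8a720317">
  <topic>krb5 -- placeholder topic</topic>
  <affects>
    <package>
      <name>krb5</name>
      <range><lt>1.19.3_1</lt></range>
      <range><ge>1.20</ge><lt>1.20_1</lt></range>
    </package>
  </affects>
</vuln>
"""

# The single bound the thread says the original entry carried.
SINGLE_RANGE = [[("lt", "1.20_1")]]

# vuxml bound tags mapped to comparisons on parsed versions.
OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def parse_version(v: str):
    """Turn 'version[_revision][,epoch]' into a tuple that sorts like pkg.

    Simplified model of pkg-version(8): epoch wins, then the dotted version
    (numeric components compared as integers, a shorter prefix sorts lower),
    then the port revision (_N). Letter suffixes such as '1.20a' are not
    modelled.
    """
    epoch = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.split("_", 1)
        revision = int(r)
    parts = [(0, int(p)) if p.isdigit() else (1, p) for p in v.split(".")]
    return (epoch, parts, revision)


def load_ranges(fragment: str):
    """Return {package name: [[(bound tag, version), ...], ...]}."""
    root = ET.fromstring(fragment)
    affected = {}
    for pkg in root.iter("package"):
        name = pkg.findtext("name").strip()
        for rng in pkg.findall("range"):
            bounds = [(b.tag, b.text.strip()) for b in rng]
            affected.setdefault(name, []).append(bounds)
    return affected


def is_affected(version: str, ranges) -> bool:
    """Affected when every bound of at least one <range> holds (OR of ANDs)."""
    v = parse_version(version)
    return any(
        all(OPS[tag](v, parse_version(bound)) for tag, bound in rng)
        for rng in ranges
    )


def audit(fragment: str, installed: dict) -> dict:
    """Map installed {name: version} to a True/False verdict per package."""
    ranges = load_ranges(fragment)
    return {n: is_affected(ver, ranges.get(n, [])) for n, ver in installed.items()}


if __name__ == "__main__":
    multi = load_ranges(VUXML_FRAGMENT)["krb5"]
    for ver in ["1.18.2", "1.19.3", "1.19.3_1", "1.19.4", "1.20", "1.20_1", "1.20.1"]:
        print(f"krb5-{ver}: single-range={is_affected(ver, SINGLE_RANGE)} "
              f"multi-range={is_affected(ver, multi)}")
```

Running the block side by side shows the difference the thread describes: under the single bound, krb5-1.19.3_1 and krb5-1.19.4 both come back affected; under the two-range form they do not, while 1.19.3, 1.18.x and unpatched 1.20 still do.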