Date: Mon, 18 Nov 2024 07:40:44 -0800
From: Kevin Oberman <rkoberman@gmail.com>
To: Dag-Erling Smørgrav <des@freebsd.org>
Cc: "freebsd-questions@freebsd.org" <questions@freebsd.org>
Subject: Re: Unable to update to 14.1-p6
Message-ID: <CAN6yY1s9CxbmavJg2zPQ3pxz0cOVMYshwxicArotvpYmq8C8-w@mail.gmail.com>
In-Reply-To: <86serosqxr.fsf@ltc.des.dev>
References: <CAN6yY1stBxS5OVeLpZyzBKn%2B=b_jqFqtRsYM1Zx16OC3DWBu8A@mail.gmail.com> <86serosqxr.fsf@ltc.des.dev>

On Mon, Nov 18, 2024 at 3:48 AM Dag-Erling Smørgrav <des@freebsd.org> wrote:

> Kevin Oberman <rkoberman@gmail.com> writes:
> > I am running 14.1-p5 and get a daily message that I have a kernel
> > security vulnerability:
> > Checking for security vulnerabilities in base (userland & kernel):
> > Fetching vuln.xml.xz: .......... done
> > FreeBSD-kernel-14.1_5 is vulnerable:
> > FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer
> > CVE: CVE-2024-39281
> > WWW: https://vuxml.FreeBSD.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html
>
> It's a false positive. The advisory only affected the ctl driver, which
> is not included in the GENERIC kernel, therefore the kernel itself was
> not updated and does not reflect the patch level.
>
> DES
> --
> Dag-Erling Smørgrav - des@FreeBSD.org

Thanks! This has happened before but I don't recall the warning in the periodic report. It is, indeed, a tricky problem. At least a note in UPDATING when there is a security update to a non-GENERIC module would be a good idea as well as a note in the Security Advisory.
-- 
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
