Date:      Thu, 17 Sep 2020 18:28:59 -0400
From:      Dan Langille <dan@langille.org>
To:        freebsd-stable@freebsd.org
Subject:   after latest patches i386 not fully patched
Message-ID:  <C3E0C595-9974-4F62-82F1-D1B878EA1850@langille.org>

Hello,

After running 'freebsd-update fetch install' on an i386 server, I have this situation:

[dan@gelt:~] $ freebsd-version -u
12.1-RELEASE-p10
[dan@gelt:~] $ freebsd-version -k
12.1-RELEASE-p9
[dan@gelt:~] $

Why did this not get a new kernel?

I ask because:

[dan@gelt:~] $ sudo /usr/local/etc/periodic/security/405.pkg-base-audit

Checking for security vulnerabilities in base (userland & kernel):
Host system:
Database fetched: Wed Sep 16 07:06:52 UTC 2020
FreeBSD-kernel-12.1_9 is vulnerable:
FreeBSD -- bhyve SVM guest escape
CVE: CVE-2020-7467
WWW: https://vuxml.FreeBSD.org/freebsd/e73c688b-f7e6-11ea-88f8-901b0ef719ab.html

FreeBSD-kernel-12.1_9 is vulnerable:
FreeBSD -- bhyve privilege escalation via VMCS access
CVE: CVE-2020-24718
WWW: https://vuxml.FreeBSD.org/freebsd/2c5b9cd7-f7e6-11ea-88f8-901b0ef719ab.html

FreeBSD-kernel-12.1_9 is vulnerable:
FreeBSD -- ure device driver susceptible to packet-in-packet attack
CVE: CVE-2020-7464
WWW: https://vuxml.FreeBSD.org/freebsd/bb53af7b-f7e4-11ea-88f8-901b0ef719ab.html

3 problem(s) in 1 installed package(s) found.
0 problem(s) in 0 installed package(s) found.

Oh, let's try again:

[dan@slocum:~] $ sudo freebsd-update fetch install
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 12.1-RELEASE from update4.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 12.1-RELEASE-p10.
No updates are available to install.
[dan@slocum:~] $

I've done everything I can.

How do I properly patch this i386 server?

For those wondering what I just ran:

[dan@gelt:~] $ pkg which /usr/local/etc/periodic/security/405.pkg-base-audit
/usr/local/etc/periodic/security/405.pkg-base-audit was installed by package base-audit-0.4
[dan@gelt:~] $

On an amd64 host I have:

[dan@slocum:~] $ freebsd-version -u
12.1-RELEASE-p10
[dan@slocum:~] $ freebsd-version -k
12.1-RELEASE-p10


—
Dan Langille
http://langille.org/


