Re: git: a580d36be4c7 - main - security/vuxml: add FreeBSD SA released on 2023-12-05

From: Philip Paeps <philip_at_freebsd.org>
Date: Thu, 07 Dec 2023 00:34:32 UTC
On 2023-12-07 01:37:01 (+0800), Dan Langille wrote:
> On Tue, Dec 5, 2023, at 6:04 PM, Philip Paeps wrote:
>> The branch main has been updated by philip:
>>
>> URL:
>> https://cgit.FreeBSD.org/ports/commit/?id=a580d36be4c7a18862a6a110e8bc2ba14e695125
>>
>> commit a580d36be4c7a18862a6a110e8bc2ba14e695125
>> Author:     Philip Paeps <philip@FreeBSD.org>
>> AuthorDate: 2023-12-05 23:01:20 +0000
>> Commit:     Philip Paeps <philip@FreeBSD.org>
>> CommitDate: 2023-12-05 23:01:20 +0000
>>
>>     security/vuxml: add FreeBSD SA released on 2023-12-05
>>
>>     FreeBSD-SA-23:17.pf affects all supported releases (12.4, 13.2, 14.0).
>> ---
>>  security/vuxml/vuln/2023.xml | 41 +++++++++++++++++++++++++++++++++++++++++
>>  1 file changed, 41 insertions(+)
>>
>> diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
>> index c484528898f7..6516a6a58f8a 100644
>> --- a/security/vuxml/vuln/2023.xml
>> +++ b/security/vuxml/vuln/2023.xml
>> @@ -1,3 +1,44 @@
>> +  <vuln vid="9cbbc506-93c1-11ee-8e38-002590c1f29c">
>> +    <topic>FreeBSD -- TCP spoofing vulnerability in pf(4)</topic>
>> +    <affects>
>> +      <package>
>> +	<name>FreeBSD-kernel</name>
>> +	<range><ge>14.0</ge><lt>14.0_2</lt></range>
>> +	<range><ge>13.2</ge><lt>13.2_7</lt></range>
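Review bot: the commit message says 12.4 is affected, but the only `<range>` elements visible here are `<ge>14.0</ge><lt>14.0_2</lt>` and `<ge>13.2</ge><lt>13.2_7</lt>`; this quote stops after 7 of the 41 added lines, so confirm that a range for 12.4 (with the patch level the SA names) is present in the rest of the entry. Note also that these `<lt>` bounds are evaluated against the patch-level suffix of the FreeBSD-kernel package version, so a host whose kernel version string lags its userland patch level keeps matching the entry until the kernel string itself reaches `_7` (or `_2` on 14.0); the freebsd-version output later in the thread (kernel p4, userland p7) is that case.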
>
> Houston, we have a problem.
>
> [17:31 r730-03 dvl ~] % freebsd-version -ukr
> 13.2-RELEASE-p4
> 13.2-RELEASE-p4
> 13.2-RELEASE-p7
>
> [17:35 r730-03 dvl ~] % /usr/local/etc/periodic/security/405.pkg-base-audit
>
> Checking for security vulnerabilities in base (userland & kernel):
> Host system:
> Database fetched: 2023-12-06T07:45+00:00
> FreeBSD-kernel-13.2_4 is vulnerable:
>   FreeBSD -- TCP spoofing vulnerability in pf(4)
>   CVE: CVE-2023-6534
>   WWW: https://vuxml.FreeBSD.org/freebsd/9cbbc506-93c1-11ee-8e38-002590c1f29c.html
>
> 1 problem(s) in 1 installed package(s) found.
> 0 problem(s) in 0 installed package(s) found.
>
> ...
>
> I hope to avoid a situation where false positives continue until the 
> userland and kernel are on the same patch levels.

This is the same problem we've had before, isn't it?  Did we find an 
actual solution to that, or do we have to wait until the next SA brings 
the freebsd-version numbers back in line?

In other words: is there anything I can do, right now, to make this 
better for you? :-)

Philip


-- 
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
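The range check behind the audit output quoted in this thread, as an added example that is not part of the thread, of the vuxml entry, or of the base-audit port. It parses the quoted `<affects>` block, maps each line of the quoted `freebsd-version -ukr` output to the `X.Y_N` package version form the audit reported (`FreeBSD-kernel-13.2_4`), and evaluates the entry's ranges against all three strings. Assumptions: the release-string-to-package-version mapping and the simplified version ordering are mine, not pkg(8)'s algorithm; the XML fragment and the version strings are constructed copies of what is quoted above; the claim that `freebsd-version` prints installed kernel, running kernel, then userland regardless of flag order follows its manual page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the vuxml <vuln> entry quoted in the thread; only the
# two <range> elements visible in the quoted hunk are included.
VUXML_ENTRY = """\
<vuln vid="9cbbc506-93c1-11ee-8e38-002590c1f29c">
  <topic>FreeBSD -- TCP spoofing vulnerability in pf(4)</topic>
  <affects>
    <package>
      <name>FreeBSD-kernel</name>
      <range><ge>14.0</ge><lt>14.0_2</lt></range>
      <range><ge>13.2</ge><lt>13.2_7</lt></range>
    </package>
  </affects>
</vuln>
"""

# Constructed copy of the `freebsd-version -ukr` output from the thread.
# freebsd-version(1) prints installed kernel, running kernel, then userland,
# whatever order the flags are given in.
FREEBSD_VERSION_OUTPUT = "13.2-RELEASE-p4\n13.2-RELEASE-p4\n13.2-RELEASE-p7\n"

_RELEASE_RE = re.compile(r"(\d+)\.(\d+)-RELEASE(?:-p(\d+))?")


def release_to_pkg_version(release: str) -> str:
    """Map '13.2-RELEASE-p4' to the package version '13.2_4' seen in the
    audit output ('FreeBSD-kernel-13.2_4'). Assumption: pN becomes the _N
    revision, and no patch level (or p0) becomes a bare 'X.Y'."""
    m = _RELEASE_RE.fullmatch(release.strip())
    if m is None:
        raise ValueError(f"unrecognised release string: {release!r}")
    major, minor, patch = m.groups()
    version = f"{major}.{minor}"
    if patch and int(patch) > 0:
        version += f"_{patch}"
    return version


def version_key(pkg_version: str) -> tuple:
    """Ordering for the 'X.Y[_N]' versions used in these ranges: numeric
    release components, then the _N revision (0 when absent). Simplified;
    this is not pkg(8)'s full version comparison."""
    base, _, revision = pkg_version.partition("_")
    return tuple(int(part) for part in base.split(".")) + (int(revision or 0),)


_OPS = {
    "ge": lambda a, b: a >= b,
    "gt": lambda a, b: a > b,
    "le": lambda a, b: a <= b,
    "lt": lambda a, b: a < b,
    "eq": lambda a, b: a == b,
}


def parse_affected(vuxml_entry: str) -> dict:
    """Return {package name: [{op: bound, ...}, ...]} from one <vuln> entry.
    A <package> may carry several <name> elements; all share its ranges."""
    root = ET.fromstring(vuxml_entry)
    affected = {}
    for package in root.iter("package"):
        ranges = [{bound.tag: bound.text.strip() for bound in rng}
                  for rng in package.findall("range")]
        for name in package.findall("name"):
            affected.setdefault(name.text.strip(), []).extend(ranges)
    return affected


def is_affected(package: str, pkg_version: str, affected: dict) -> bool:
    """True when pkg_version satisfies every bound of at least one range."""
    key = version_key(pkg_version)
    return any(
        all(_OPS[op](key, version_key(bound)) for op, bound in rng.items())
        for rng in affected.get(package, [])
    )


def audit_kernel(freebsd_version_output: str, vuxml_entry: str) -> dict:
    """Check the FreeBSD-kernel package against each of the three strings
    freebsd-version printed. The audit output in the thread corresponds to
    the installed-kernel line; the userland line is checked as well to show
    which patch level the range would actually clear on."""
    kernel, running, userland = freebsd_version_output.split()
    affected = parse_affected(vuxml_entry)
    return {
        label: is_affected("FreeBSD-kernel", release_to_pkg_version(rel), affected)
        for label, rel in (("installed kernel", kernel),
                           ("running kernel", running),
                           ("userland", userland))
    }


if __name__ == "__main__":
    for label, flagged in audit_kernel(FREEBSD_VERSION_OUTPUT, VUXML_ENTRY).items():
        print(f"{label:16s} -> {'vulnerable' if flagged else 'not affected'}")
```

Run stand-alone, the script reports both kernel strings (13.2_4) as vulnerable and the userland string (13.2_7) as not affected: the entry only stops matching once the kernel version string itself reaches `13.2_7`, which is the kernel/userland patch-level gap the thread is about.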