Re: git: a580d36be4c7 - main - security/vuxml: add FreeBSD SA released on 2023-12-05

Reply: Philip Paeps : "Re: git: a580d36be4c7 - main - security/vuxml: add FreeBSD SA released on 2023-12-05"
In reply to: Philip Paeps : "Re: git: a580d36be4c7 - main - security/vuxml: add FreeBSD SA released on 2023-12-05"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Dan Langille <dan_at_langille.org>
Date: Thu, 07 Dec 2023 00:43:21 UTC

On Wed, Dec 6, 2023, at 7:34 PM, Philip Paeps wrote:
> On 2023-12-07 01:37:01 (+0800), Dan Langille wrote:
>> On Tue, Dec 5, 2023, at 6:04 PM, Philip Paeps wrote:
>>> The branch main has been updated by philip:
>>>
>>> URL:
>>> https://cgit.FreeBSD.org/ports/commit/?id=a580d36be4c7a18862a6a110e8bc2ba14e695125
>>>
>>> commit a580d36be4c7a18862a6a110e8bc2ba14e695125
>>> Author:     Philip Paeps <philip@FreeBSD.org>
>>> AuthorDate: 2023-12-05 23:01:20 +0000
>>> Commit:     Philip Paeps <philip@FreeBSD.org>
>>> CommitDate: 2023-12-05 23:01:20 +0000
>>>
>>>     security/vuxml: add FreeBSD SA released on 2023-12-05
>>>
>>>     FreeBSD-SA-23:17.pf affects all supported releases (12.4, 13.2, 
>>> 14.0).
>>> ---
>>>  security/vuxml/vuln/2023.xml | 41 
>>> +++++++++++++++++++++++++++++++++++++++++
>>>  1 file changed, 41 insertions(+)
>>>
>>> diff --git a/security/vuxml/vuln/2023.xml 
>>> b/security/vuxml/vuln/2023.xml
>>> index c484528898f7..6516a6a58f8a 100644
>>> --- a/security/vuxml/vuln/2023.xml
>>> +++ b/security/vuxml/vuln/2023.xml
>>> @@ -1,3 +1,44 @@
>>> +  <vuln vid="9cbbc506-93c1-11ee-8e38-002590c1f29c">
>>> +    <topic>FreeBSD -- TCP spoofing vulnerability in pf(4)</topic>
>>> +    <affects>
>>> +      <package>
>>> +	<name>FreeBSD-kernel</name>
>>> +	<range><ge>14.0</ge><lt>14.0_2</lt></range>
>>> +	<range><ge>13.2</ge><lt>13.2_7</lt></range>
>>
>> Houston, we have a problem.
>>
>> [17:31 r730-03 dvl ~] % freebsd-version -ukr
>> 13.2-RELEASE-p4
>> 13.2-RELEASE-p4
>> 13.2-RELEASE-p7
>>
>> [17:35 r730-03 dvl ~] % 
>> /usr/local/etc/periodic/security/405.pkg-base-audit
>>
>> Checking for security vulnerabilities in base (userland & kernel):
>> Host system:
>> Database fetched: 2023-12-06T07:45+00:00
>> FreeBSD-kernel-13.2_4 is vulnerable:
>>   FreeBSD -- TCP spoofing vulnerability in pf(4)
>>   CVE: CVE-2023-6534
>>   WWW: 
>> https://vuxml.FreeBSD.org/freebsd/9cbbc506-93c1-11ee-8e38-002590c1f29c.html
>>
>> 1 problem(s) in 1 installed package(s) found.
>> 0 problem(s) in 0 installed package(s) found.
>>
>> ...
>>
>> I hope to avoid a situation where false positives continue until the 
>> user land and kernel are on the patch levels.
>
> This is the same problem we've had before, isn't it?

Yes.

> Did we find an 
> actual solution to that, or do we have to wait until the next SA brings 
> the freebsd-version numbers back in line?

The world waited. ;)

> In other words: is there anything I can do, right now, to make this 
> better for you? :-)

It seems there kernel vulns and userland vulns.

Why don't we check them and record them separately?

-- 
  Dan Langille
  dan@langille.org