Re: git: 4826396e5d15 - main - security/vuxml: correct last SA's affected range

From: Felix Palmen <zirias_at_freebsd.org>
Date: Thu, 07 Dec 2023 17:48:12 UTC
* Philip Paeps <philip@FreeBSD.org> [20231207 04:52]:
> The branch main has been updated by philip:
> 
> URL: https://cgit.FreeBSD.org/ports/commit/?id=4826396e5d1555b9eebf58cac290490b24bf1243
> 
> commit 4826396e5d1555b9eebf58cac290490b24bf1243
> Author:     Philip Paeps <philip@FreeBSD.org>
> AuthorDate: 2023-12-07 04:49:28 +0000
> Commit:     Philip Paeps <philip@FreeBSD.org>
> CommitDate: 2023-12-07 04:49:28 +0000
> 
>     security/vuxml: correct last SA's affected range
>     
>     FreeBSD-SA-23:17.pf only affects the kernel, not userland.  The first
>     patch level of the kernel without the vulnerability is 13.2_4, not
>     13.2_7.

Please revert this commit. The first sentence of the message is correct,
the second one is wrong. The fixed kernel has version 13.2-RELEASE-p7.

If this isn't reverted, only people who didn't upgrade since October '23
will ever get the warning. This most likely isn't the audience looking
at these warnings in the first place.

I'm well aware updates for freebsd-update skip building the kernel when
there are no changes, so the kernel version can have a lower patch level
than the userland version. But still, there's a single source of truth
for the version information, sys/conf/newvers.sh. When a new kernel is
built, it takes the version information from there. So a (fixed) kernel
built after src commit e8439726cfa5bd0059a65117447d8c4160bfed43 will
have a version of 13.2-RELEASE-p7.

Therefore, please revert. Or beat me to whatever I missed analyzing
that.

Thanks, Felix

>     
>     Reported by:    dvl
> ---
>  security/vuxml/vuln/2023.xml | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
> index 6516a6a58f8a..952882829c6c 100644
> --- a/security/vuxml/vuln/2023.xml
> +++ b/security/vuxml/vuln/2023.xml
> @@ -4,7 +4,7 @@
>        <package>
>  	<name>FreeBSD-kernel</name>
>  	<range><ge>14.0</ge><lt>14.0_2</lt></range>
> -	<range><ge>13.2</ge><lt>13.2_7</lt></range>
> +	<range><ge>13.2</ge><lt>13.2_4</lt></range>
>  	<range><ge>12.4</ge><lt>12.4_9</lt></range>
>        </package>
>      </affects>
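Review bot: the lowered upper bound `<lt>13.2_4</lt>` on the FreeBSD-kernel range contradicts the reply above, which states that a fixed kernel built after src commit e8439726cfa5bd0059a65117447d8c4160bfed43 reports 13.2-RELEASE-p7; with the narrowed range, kernels at patch levels p4 through p6 no longer match the entry even though the reply argues they still lack the fix. Before lowering the bound, confirm the patch level that sys/conf/newvers.sh carries at the fixing commit; if it is p7, the original `<lt>13.2_7</lt>` should stay.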
> @@ -36,6 +36,7 @@
>      <dates>
>        <discovery>2023-12-05</discovery>
>        <entry>2023-12-05</entry>
> +      <modified>2023-12-07</modified>
>      </dates>
>    </vuln>
>  
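Review bot: the added `<modified>2023-12-07</modified>` matches the CommitDate and correctly records that the entry changed; if the range change in the first hunk is reverted as the reply requests, keep (or re-date) this element rather than dropping it, since the entry will have been edited either way.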

-- 
 Felix Palmen <zirias@FreeBSD.org>     {private}   felix@palmen-it.de
 -- ports committer --                     {web}  http://palmen-it.de
 {pgp public key}  http://palmen-it.de/pub.txt
 {pgp fingerprint} 6936 13D5 5BBF 4837 B212  3ACC 54AD E006 9879 F231
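As an added example (not part of Felix's mail or of the ports commit), the following POSIX sh helper turns a `freebsd-version -k` style string into the pkg-style version that VuXML ranges compare against and checks it against both versions of the 13.2 range from the diff; the range values come from the hunk, and the kernel version strings fed to it are constructed test input.

```shell
#!/bin/sh
# Added example, not from the mail or the ports tree. Converts the kernel
# version string printed by `freebsd-version -k` (e.g. 13.2-RELEASE-p7) into
# the pkg-style form VuXML ranges use (13.2_7) and checks it against a
# <range><ge>..</ge><lt>..</lt></range> pair taken from the diff above.

# to_pkgver 13.2-RELEASE-p7 -> 13.2_7 ; to_pkgver 14.0-RELEASE -> 14.0
to_pkgver() {
    case $1 in
        *-p[0-9]*) printf '%s_%s\n' "${1%%-*}" "${1##*-p}" ;;
        *)         printf '%s\n' "${1%%-*}" ;;
    esac
}

# split_ver MAJOR.MINOR[_PATCH] -> "MAJOR MINOR PATCH" (PATCH defaults to 0)
split_ver() {
    rel=${1%%_*}
    patch=${1#*_}; [ "$patch" = "$1" ] && patch=0
    printf '%s %s %s\n' "${rel%%.*}" "${rel#*.}" "$patch"
}

# cmp_pkgver A B -> prints -1, 0 or 1 as A is lower than, equal to or above B
cmp_pkgver() {
    set -- $(split_ver "$1") $(split_ver "$2")
    for i in 1 2 3; do
        eval "x=\$$i; y=\$$((i + 3))"
        [ "$x" -lt "$y" ] && { printf '%s\n' -1; return; }
        [ "$x" -gt "$y" ] && { printf '%s\n' 1; return; }
    done
    printf '%s\n' 0
}

# affected GE LT KERNEL_VERSION: succeeds if the kernel version is in [GE, LT)
affected() {
    v=$(to_pkgver "$3")
    [ "$(cmp_pkgver "$v" "$1")" -ge 0 ] && [ "$(cmp_pkgver "$v" "$2")" -lt 0 ]
}

# The 13.2 range before and after the commit, checked against constructed
# kernel versions around the disputed patch levels; on a live system pass
# "$(freebsd-version -k)" instead.
for k in 13.2-RELEASE-p3 13.2-RELEASE-p4 13.2-RELEASE-p6 13.2-RELEASE-p7; do
    printf '%-16s lt 13.2_7: %-8s lt 13.2_4: %s\n' "$k" \
        "$(affected 13.2 13.2_7 "$k" && echo affected || echo ok)" \
        "$(affected 13.2 13.2_4 "$k" && echo affected || echo ok)"
done
```

With the committed bound (13.2_4), a p4, p5 or p6 kernel is reported as not affected; with the original bound (13.2_7) it is flagged until the kernel reaches 13.2-RELEASE-p7.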