Re: git: 0e79ec27f04a - main - security/vuxml: add FreeBSD SAs issued on 2024-10-29

From: Dan Langille <dan_at_langille.org>
Date: Wed, 13 Nov 2024 20:36:49 UTC
On Tue, Nov 12, 2024, at 11:21 PM, Philip Paeps wrote:
> The branch main has been updated by philip:
>
> URL: 
> https://cgit.FreeBSD.org/ports/commit/?id=0e79ec27f04afe521d06b51257d5b548d98ccfa2
>
> commit 0e79ec27f04afe521d06b51257d5b548d98ccfa2
> Author:     Philip Paeps <philip@FreeBSD.org>
> AuthorDate: 2024-11-13 04:21:13 +0000
> Commit:     Philip Paeps <philip@FreeBSD.org>
> CommitDate: 2024-11-13 04:21:13 +0000
>
>     security/vuxml: add FreeBSD SAs issued on 2024-10-29
>    
>     FreeBSD-SA-24:17.bhyve affects all supported versions of FreeBSD
>     FreeBSD-SA-24:18.ctl affects all supported versions of FreeBSD
>     FreeBSD-SA-24:19.fetch affects all supported versions of FreeBSD
> ---
>  security/vuxml/vuln/2024.xml | 108 +++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 108 insertions(+)
>
> diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml
> index a7d36c690346..657ab1b9436e 100644
> --- a/security/vuxml/vuln/2024.xml
> +++ b/security/vuxml/vuln/2024.xml
> @@ -1,3 +1,111 @@
> +  <vuln vid="ce0f52e1-a174-11ef-9a62-002590c1f29c">
> +    <topic>FreeBSD -- Certificate revocation list fetch(1) option fails</topic>
> +    <affects>
> +      <package>
> +	<name>FreeBSD</name>
> +	<range><ge>14.1</ge><lt>14.1_6</lt></range>

I want to find a way that this does not raise false positives. Philip, we have discussed this before and I'm not saying you are the one to fix this.

[20:31 r730-01 dvl ~] % sudo /usr/local/etc/periodic/security/405.pkg-base-audit

Checking for security vulnerabilities in base (userland & kernel):
Host system:
Database fetched: 2024-11-13T19:00+00:00
FreeBSD-kernel-14.1_5 is vulnerable:
  FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer
  CVE: CVE-2024-39281
  WWW: https://vuxml.FreeBSD.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html

1 problem(s) in 1 installed package(s) found.
0 problem(s) in 0 installed package(s) found.

....

[20:32 r730-01 dvl ~] % freebsd-version -ukr             
14.1-RELEASE-p5
14.1-RELEASE-p5
14.1-RELEASE-p6

The host is fully patched, as are all the hosts upon which this alert is now a false positive.

At present, I have to ignore this false positive, which leads to alert fatigue, until the kernel version bumps.

-- 
  Dan Langille
  dan@langille.org
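The version check behind the alert Dan describes, as an added example in Python that is not part of this thread or of the 405.pkg-base-audit script: it mirrors how the audit turns freebsd-version(1) output into synthetic package names such as `FreeBSD-kernel-14.1_5` and `FreeBSD-14.1_6` and tests them against vuxml ranges like `<ge>14.1</ge><lt>14.1_6</lt>`. The fetch entry is copied from the quoted hunk; the ctl entry's package name and range are an assumption reconstructed from the alert text, and the `-pN` to `_N` conversion is inferred from the name printed in the audit output.

```python
import re
import xml.etree.ElementTree as ET

# Constructed vuxml fragment in the layout of security/vuxml/vuln/2024.xml.
# First entry: copied from the quoted hunk. Second entry: ASSUMED shape of the
# ctl entry behind the "FreeBSD-kernel-14.1_5 is vulnerable" alert in the reply.
VUXML = """<vuxml>
  <vuln vid="ce0f52e1-a174-11ef-9a62-002590c1f29c">
    <topic>FreeBSD -- Certificate revocation list fetch(1) option fails</topic>
    <affects><package><name>FreeBSD</name>
      <range><ge>14.1</ge><lt>14.1_6</lt></range></package></affects>
  </vuln>
  <vuln vid="8caa5d60-a174-11ef-9a62-002590c1f29c">
    <topic>FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer</topic>
    <affects><package><name>FreeBSD-kernel</name>
      <range><ge>14.1</ge><lt>14.1_6</lt></range></package></affects>
  </vuln>
</vuxml>"""

def pkg_version(freebsd_version):
    """Map freebsd-version(1) output to the pkg-style version used for the
    synthetic base packages, e.g. 14.1-RELEASE-p5 -> 14.1_5 (inferred mapping)."""
    m = re.fullmatch(r"(\d+\.\d+)-RELEASE(?:-p(\d+))?", freebsd_version)
    if not m:
        raise ValueError(f"unsupported version string: {freebsd_version}")
    return m.group(1) if m.group(2) is None else f"{m.group(1)}_{m.group(2)}"

def version_key(v):
    """Order MAJOR.MINOR[_PATCH] versions; a missing _PATCH counts as 0."""
    base, _, patch = v.partition("_")
    return tuple(int(x) for x in base.split(".")) + (int(patch or 0),)

OPS = {"ge": lambda a, b: a >= b, "gt": lambda a, b: a > b, "eq": lambda a, b: a == b,
       "le": lambda a, b: a <= b, "lt": lambda a, b: a < b}

def in_range(rng, version):
    """True when every bound in a <range> element holds for the version string."""
    k = version_key(version)
    return all(OPS[bound.tag](k, version_key(bound.text)) for bound in rng)

def audit(vuxml_text, packages):
    """Return {synthetic package name: [matching topics]}, as pkg audit would report."""
    hits = {p: [] for p in packages}
    for vuln in ET.fromstring(vuxml_text).iter("vuln"):
        for pkg in vuln.iter("package"):
            for p in packages:
                pname, _, pver = p.rpartition("-")   # FreeBSD-kernel-14.1_5 -> name, version
                if pname == pkg.findtext("name") and any(in_range(r, pver) for r in pkg.iter("range")):
                    hits[p].append(vuln.findtext("topic"))
    return hits

if __name__ == "__main__":
    # Values from the reply: running kernel 14.1-RELEASE-p5, userland 14.1-RELEASE-p6.
    names = ["FreeBSD-kernel-" + pkg_version("14.1-RELEASE-p5"), "FreeBSD-" + pkg_version("14.1-RELEASE-p6")]
    for name, topics in audit(VUXML, names).items():
        print(name, "is vulnerable:" if topics else "is clean", *topics)
```

Because the check is purely on the version string, the kernel entry keeps matching as long as the running kernel reports p5, whatever binaries were actually updated.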