Re: git: 0e79ec27f04a - main - security/vuxml: add FreeBSD SAs issued on 2024-10-29
Date: Fri, 15 Nov 2024 10:04:38 UTC
On 2024-11-13 21:36:49 (+0100), Dan Langille wrote: > On Tue, Nov 12, 2024, at 11:21 PM, Philip Paeps wrote: >> + <vuln vid="ce0f52e1-a174-11ef-9a62-002590c1f29c"> >> + <topic>FreeBSD -- Certificate revocation list fetch(1) option >> fails</topic> >> + <affects> >> + <package> >> + <name>FreeBSD</name> >> + <range><ge>14.1</ge><lt>14.1_6</lt></range> > > I want to find a way that this does not raise false positives. Philip, > we have discussed this before and I'm not saying you are the one to > fix this. I've put this on the agenda for our next secteam call (Monday). We've discussed this before, but we never converged on a solution. From my notes: because we always had a kernel version bump in the pipeline shortly after. Clearly we shouldn't hope for that to happen every time, and we need a structural solution for this. We'll talk about it again on Monday and see if we can come up with something better. Meanwhile: should we revert this vuxml entry until we either find a solution, or bump the kernel version (whichever comes first)? I'd estimate that this particular bug is triggering rather more false positives than actually vulnerable installations. Philip