Re: git: 0e79ec27f04a - main - security/vuxml: add FreeBSD SAs issued on 2024-10-29

From: Philip Paeps <philip_at_freebsd.org>
Date: Fri, 15 Nov 2024 10:04:38 UTC
On 2024-11-13 21:36:49 (+0100), Dan Langille wrote:
> On Tue, Nov 12, 2024, at 11:21 PM, Philip Paeps wrote:
>> +  <vuln vid="ce0f52e1-a174-11ef-9a62-002590c1f29c">
>> +    <topic>FreeBSD -- Certificate revocation list fetch(1) option 
>> fails</topic>
>> +    <affects>
>> +      <package>
>> +	<name>FreeBSD</name>
>> +	<range><ge>14.1</ge><lt>14.1_6</lt></range>
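Review bot: the range `<ge>14.1</ge><lt>14.1_6</lt>` keys the advisory to a patch level that an installation only reports once a kernel version bump follows, yet this SA fixes fetch(1) in userland; a host that applied the userland patch but still reports the earlier version will fall inside the range and be flagged, which is the false-positive problem raised in this thread. Consider holding the entry, or adding a note in the `<description>` that the check relies on a subsequent version bump, until a structural fix for userland-only fixes is agreed.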
>
> I want to find a way that this does not raise false positives. Philip, 
> we have discussed this before and I'm not saying you are the one to 
> fix this.

I've put this on the agenda for our next secteam call (Monday).  We've 
discussed this before, but we never converged on a solution.  From my 
notes: because we always had a kernel version bump in the pipeline 
shortly after.  Clearly we shouldn't hope for that to happen every time, 
and we need a structural solution for this.

We'll talk about it again on Monday and see if we can come up with 
something better.

Meanwhile: should we revert this vuxml entry until we either find a 
solution, or bump the kernel version (whichever comes first)?  I'd 
estimate that this particular bug is triggering rather more false 
positives than actually vulnerable installations.

Philip