Re: git: 0e79ec27f04a - main - security/vuxml: add FreeBSD SAs issued on 2024-10-29
- In reply to: Philip Paeps : "Re: git: 0e79ec27f04a - main - security/vuxml: add FreeBSD SAs issued on 2024-10-29"
Date: Fri, 15 Nov 2024 22:59:28 UTC
On Fri, Nov 15, 2024, at 5:04 AM, Philip Paeps wrote:
> On 2024-11-13 21:36:49 (+0100), Dan Langille wrote:
>> On Tue, Nov 12, 2024, at 11:21 PM, Philip Paeps wrote:
>>> + <vuln vid="ce0f52e1-a174-11ef-9a62-002590c1f29c">
>>> + <topic>FreeBSD -- Certificate revocation list fetch(1) option
>>> fails</topic>
>>> + <affects>
>>> + <package>
>>> + <name>FreeBSD</name>
>>> + <range><ge>14.1</ge><lt>14.1_6</lt></range>
>>
>> I want to find a way that this does not raise false positives. Philip,
>> we have discussed this before and I'm not saying you are the one to
>> fix this.
>
> I've put this on the agenda for our next secteam call (Monday). We've
> discussed this before, but we never converged on a solution. From my
> notes: because we always had a kernel version bump in the pipeline
> shortly after. Clearly we shouldn't hope for that to happen every time,
> and we need a structural solution for this.
>
> We'll talk about it again on Monday and see if we can come up with
> something better.

freebsd-version comes to mind, but I'm not sure how useful that would be.

> Meanwhile: should we revert this vuxml entry until we either find a
> solution, or bump the kernel version (whichever comes first)? I'd
> estimate that this particular bug is triggering rather more false
> positives than actually vulnerable installations.

I'm OK with leaving it.

-- 
Dan Langille
dan@langille.org
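The false-positive mechanism the thread is discussing can be shown with a small range evaluator. The following is an added example, not code from the thread, from the vuxml tooling or from pkg(8): it parses the quoted `<range><ge>14.1</ge><lt>14.1_6</lt></range>` entry with a simplified pkg-style version comparator and checks it against a kernel version string (`uname -r` style) and a userland version string (`freebsd-version -u` style). The mapping of `14.1-RELEASE-p5` to `14.1_5`, the comparator, and the host values are assumptions constructed for the illustration; the vid, topic, package name and range are the ones quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed vuxml fragment: vid, topic, package name and range are the ones
# quoted in the thread; the closing wrapper tags are assumed.
VUXML_ENTRY = """<vuln vid="ce0f52e1-a174-11ef-9a62-002590c1f29c">
  <topic>FreeBSD -- Certificate revocation list fetch(1) option fails</topic>
  <affects>
    <package>
      <name>FreeBSD</name>
      <range><ge>14.1</ge><lt>14.1_6</lt></range>
    </package>
  </affects>
</vuln>"""


def parse_pkg_version(version):
    """Split a pkg-style version such as '14.1_6' into ((14, 1), 6).

    Simplified comparator (assumption): dotted numeric release plus an
    optional '_N' revision; '14.1' and '14.1_0' compare equal.
    """
    base, _, rev = version.partition("_")
    release = tuple(int(part) for part in base.split("."))
    return release, (int(rev) if rev else 0)


def uname_to_pkg_version(uname_r):
    """Map a uname -r style string to the pkg-style version of the 'FreeBSD'
    package: '14.1-RELEASE-p5' -> '14.1_5', '14.1-RELEASE' -> '14.1'.

    Assumed mapping: patch level pN becomes pkg revision _N.
    """
    match = re.fullmatch(r"(\d+\.\d+)-[A-Z0-9]+(?:-p(\d+))?", uname_r)
    if not match:
        raise ValueError(f"unrecognised FreeBSD version string: {uname_r!r}")
    release, patch = match.groups()
    return f"{release}_{patch}" if patch else release


# Comparison operators understood for <range> children.
_OPS = {
    "ge": lambda v, b: v >= b,
    "gt": lambda v, b: v > b,
    "le": lambda v, b: v <= b,
    "lt": lambda v, b: v < b,
    "eq": lambda v, b: v == b,
}


def entry_affects(entry_xml, package_name, pkg_version):
    """True if any <range> of the <package> named package_name covers pkg_version."""
    root = ET.fromstring(entry_xml)
    version = parse_pkg_version(pkg_version)
    for package in root.iter("package"):
        if package.findtext("name") != package_name:
            continue
        for rng in package.iter("range"):
            bounds = [(child.tag, parse_pkg_version(child.text)) for child in rng]
            # Every bound inside one <range> must hold for that range to match.
            if bounds and all(_OPS[tag](version, bound) for tag, bound in bounds):
                return True
    return False


def audit_host(entry_xml, kernel_uname_r, userland_version):
    """Evaluate the entry against the kernel version (uname -r) and the
    userland version (freebsd-version -u) and flag a kernel-only hit.

    Assumption: a version-based audit keyed on the kernel string flags the
    host, while the userland string reflects the patch level actually
    installed; a hit on the former but not the latter is a false positive.
    """
    kernel_hit = entry_affects(entry_xml, "FreeBSD", uname_to_pkg_version(kernel_uname_r))
    userland_hit = entry_affects(entry_xml, "FreeBSD", uname_to_pkg_version(userland_version))
    return {
        "kernel_flagged": kernel_hit,
        "userland_flagged": userland_hit,
        "false_positive": kernel_hit and not userland_hit,
    }


if __name__ == "__main__":
    # Constructed host: userland patched to p6, kernel still reporting p5.
    print(audit_host(VUXML_ENTRY, "14.1-RELEASE-p5", "14.1-RELEASE-p6"))
```

With the constructed host above, the kernel string `14.1_5` falls inside `[14.1, 14.1_6)` while the userland string `14.1_6` does not, which is exactly the case the thread describes: a userland-only fix with no kernel version bump leaves the version-based check flagging patched machines.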