[Bug 275743] Spurious "TCP spoofing vulnerability in pf" warning from 405.pkg-base-audit after updating to 12.4-RELEASE-p9

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 13 Dec 2023 12:24:48 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275743

            Bug ID: 275743
           Summary: Spurious "TCP spoofing vulnerability in pf" warning
                    from 405.pkg-base-audit after updating to
                    12.4-RELEASE-p9
           Product: Base System
           Version: 12.4-RELEASE
          Hardware: i386
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: misc
          Assignee: bugs@FreeBSD.org
          Reporter: martin@lispworks.com

Created attachment 247028
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=247028&action=edit
Output from "freebsd-update fetch install" updating to 12.4-RELEASE-p9

Even after using "freebsd-update fetch install" to update to 12.4-RELEASE-p9
(see attached output), the script
/usr/local/etc/periodic/security/405.pkg-base-audit still reports:

Checking for security vulnerabilities in base (userland & kernel):
Fetching vuln.xml.xz: .......... done
FreeBSD-kernel-12.4_6 is vulnerable:
  FreeBSD -- TCP spoofing vulnerability in pf(4)
  CVE: CVE-2023-6534
  WWW: https://vuxml.FreeBSD.org/freebsd/9cbbc506-93c1-11ee-8e38-002590c1f29c.html

I don't see this on amd64 systems.  The difference between them seems to be
that the kernel was not updated on this i386 system, so it is still on p6 even
though /boot/kernel/pf.ko was updated.

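
A triage check for the mismatch described in the report, as an added example that is not part of the original bug report or of FreeBSD's own code: it compares the installed-kernel, running-kernel and userland patch levels from `freebsd-version -k`, `-r` and `-u`, and prints the kernel name in the form seen in the audit output. The function names are hypothetical, the fallback values are constructed from the report, and it is an assumption that the audit name follows the installed kernel's patch level.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not part of FreeBSD.

# Patch level of a freebsd-version string:
#   "12.4-RELEASE-p6" -> 6, "12.4-RELEASE" -> 0
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# Kernel name in the form shown in the audit output on this page
# (assumption: the suffix is the installed kernel's patch level).
kernel_audit_name() {
    rel="${1%%-*}"    # "12.4-RELEASE-p6" -> "12.4"
    echo "FreeBSD-kernel-${rel}_$(patch_level "$1")"
}

# triage <installed-kernel> <running-kernel> <userland>
triage() {
    k=$(patch_level "$1"); r=$(patch_level "$2"); u=$(patch_level "$3")
    if [ "$k" -lt "$u" ]; then
        # Installed kernel reports an older patch level than userland,
        # the state the reporter describes (kernel on p6, userland on p9).
        echo "kernel-behind-userland"
    elif [ "$r" -lt "$k" ]; then
        # A newer kernel is installed but the old one is still running.
        echo "reboot-pending"
    else
        echo "consistent"
    fi
}

# Live values on FreeBSD; otherwise constructed values matching the report.
if command -v freebsd-version >/dev/null 2>&1; then
    K=$(freebsd-version -k); R=$(freebsd-version -r); U=$(freebsd-version -u)
else
    K="12.4-RELEASE-p6"; R="12.4-RELEASE-p6"; U="12.4-RELEASE-p9"
fi
echo "installed kernel: $K  running kernel: $R  userland: $U"
echo "audit name for installed kernel: $(kernel_audit_name "$K")"
echo "state: $(triage "$K" "$R" "$U")"
```

A result of `kernel-behind-userland` means the version string alone cannot show whether a fix shipped in a module such as `/boot/kernel/pf.ko` is present, so the module file itself has to be checked.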