Re: Unable to update to 14.1-p6

From: Kevin Oberman <rkoberman_at_gmail.com>
Date: Mon, 18 Nov 2024 15:40:44 UTC
On Mon, Nov 18, 2024 at 3:48 AM Dag-Erling Smørgrav <des@freebsd.org> wrote:

> Kevin Oberman <rkoberman@gmail.com> writes:
> > I am running 14.1-p5 and get a daily message that I have a kernel
> > security vulnerability:
> > Checking for security vulnerabilities in base (userland & kernel):
> > Fetching vuln.xml.xz: .......... done
> > FreeBSD-kernel-14.1_5 is vulnerable:
> >   FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer
> >   CVE: CVE-2024-39281
> >   WWW: https://vuxml.FreeBSD.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html
>
> It's a false positive.  The advisory only affected the ctl driver, which
> is not included in the GENERIC kernel, therefore the kernel itself was
> not updated and does not reflect the patch level.
>
> DES
> --
> Dag-Erling Smørgrav - des@FreeBSD.org
>

Thanks! This has happened before but I don't recall the warning in the
periodic report. It is, indeed, a tricky problem. At least a note in
UPDATING when there is a security update to a non-GENERIC module would be a
good idea as well as a note in the Security Advisory.
-- 
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683