CVE-2024-39281 allegedly not fixed in 14.1
Date: Sat, 16 Nov 2024 13:20:43 UTC
For a few days now, I have been seeing this warning:

    Checking for security vulnerabilities in base (userland & kernel):
    Database fetched: 2024-11-15T19:30+00:00
    FreeBSD-kernel-14.1_5 is vulnerable:
      FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer
      CVE: CVE-2024-39281
      WWW: https://vuxml.FreeBSD.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html

The corresponding SA (FreeBSD-SA-24:18.ctl) is from 2024-10-29. Since I install updates regularly, it should be applied already. Indeed:

    # freebsd-update fetch
    ...
    No updates needed to update system to 14.1-RELEASE-p6.
    # uname -a
    FreeBSD ... 14.1-RELEASE-p5 FreeBSD 14.1-RELEASE-p5 GENERIC amd64

What should I do in response to the warning?