From: Lasse Kliemann <lasse@lassekliemann.de>
To: freebsd-security@freebsd.org
Subject: CVE-2024-39281 allegedly not fixed in 14.1
Date: Sat, 16 Nov 2024 14:20:43 +0100
Message-ID: <871pzbgvro.fsf@lassekliemann.de>
List-Archive: https://lists.freebsd.org/archives/freebsd-security

For a few days now, I have been seeing this warning:

Checking for security vulnerabilities in base (userland & kernel):
Database fetched: 2024-11-15T19:30+00:00
FreeBSD-kernel-14.1_5 is vulnerable:
  FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer
  CVE: CVE-2024-39281
  WWW: https://vuxml.FreeBSD.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html

The corresponding SA (FreeBSD-SA-24:18.ctl) is from 2024-10-29. Since I install updates regularly, it should be applied already. Indeed:

# freebsd-update fetch
...
No updates needed to update system to 14.1-RELEASE-p6.

# uname -a
FreeBSD ... 14.1-RELEASE-p5 FreeBSD 14.1-RELEASE-p5 GENERIC amd64

What should I do in response to the warning?
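As an added example (not from the original post), a POSIX sh check that classifies a report like the one above by comparing the three patch levels freebsd-version(1) prints (-k installed kernel, -r running kernel, -u userland); it assumes the base audit derives the FreeBSD-kernel-14.1_5 package name from that same version string.

```shell
#!/bin/sh
# Added example, not from the original post. Works on the three values that
# freebsd-version(1) reports: -k (kernel installed on disk), -r (kernel now
# running) and -u (userland). Assumption: the base audit names its packages
# from these values, e.g. 14.1-RELEASE-p5 -> FreeBSD-kernel-14.1_5.

# patch_level VERSION : "14.1-RELEASE-p5" -> 5, "14.1-RELEASE" -> 0
patch_level() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         printf '0\n' ;;
    esac
}

# base_pkg_name kernel|runtime VERSION : the package name pkg audit reports
base_pkg_name() {
    v=${2%%-*}
    p=$(patch_level "$2")
    if [ "$p" -gt 0 ]; then v="${v}_$p"; fi
    printf 'FreeBSD-%s-%s\n' "$1" "$v"
}

# classify INSTALLED_KERNEL RUNNING_KERNEL USERLAND : one word per situation
classify() {
    k=$(patch_level "$1"); r=$(patch_level "$2"); u=$(patch_level "$3")
    if [ "$k" -gt "$r" ]; then
        echo reboot-needed        # newer kernel on disk than the one running
    elif [ "$u" -gt "$k" ]; then
        echo kernel-not-updated   # userland patched, on-disk kernel behind
    elif [ "$k" -gt "$u" ]; then
        echo userland-behind      # kernel ahead of userland (unusual)
    else
        echo consistent           # all three agree at the same patch level
    fi
}

# Live report, only where freebsd-version exists (i.e. on a FreeBSD host).
if command -v freebsd-version >/dev/null 2>&1; then
    ik=$(freebsd-version -k); rk=$(freebsd-version -r); ul=$(freebsd-version -u)
    printf 'installed kernel %s (%s)\nrunning kernel   %s\nuserland         %s\n' \
        "$ik" "$(base_pkg_name kernel "$ik")" "$rk" "$ul"
    printf 'status: %s\n' "$(classify "$ik" "$rk" "$ul")"
fi
```

A reboot-needed result means the fix is installed but not yet running; kernel-not-updated means the kernel on disk still lacks the patch level the userland already has.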