Re: CVE-2024-39281 allegedly not fixed in 14.1

From: Dag-Erling_Smørgrav <des_at_FreeBSD.org>
Date: Mon, 18 Nov 2024 11:48:17 UTC
Lasse Kliemann <lasse@lassekliemann.de> writes:
> Since a few days, I see this warning:
>
> Checking for security vulnerabilities in base (userland & kernel):
> Database fetched: 2024-11-15T19:30+00:00
> FreeBSD-kernel-14.1_5 is vulnerable:
>   FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer
>   CVE: CVE-2024-39281
>   WWW: https://vuxml.FreeBSD.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html
>
> The corresponding SA (FreeBSD-SA-24:18.ctl) is from 2024-10-29. Since
> I install updates regularly, it should be applied already. Indeed:
>
> # freebsd-update fetch
> ...
> No updates needed to update system to 14.1-RELEASE-p6.
>
> # uname -a
> FreeBSD ... 14.1-RELEASE-p5 FreeBSD 14.1-RELEASE-p5 GENERIC amd64
>
> What should I do in response to the warning?

It's a false positive.  The advisory only affected the ctl driver, which
is not included in the GENERIC kernel, therefore the kernel itself was
not updated and does not reflect the patch level.

DES
-- 
Dag-Erling Smørgrav - des@FreeBSD.org