From: Dag-Erling Smørgrav
To: Lasse Kliemann
Cc: freebsd-security@freebsd.org
Subject: Re: CVE-2024-39281 allegedly not fixed in 14.1
Date: Mon, 18 Nov 2024 12:48:17 +0100
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Lasse Kliemann writes:
> Since a few days, I see this warning:
>
> Checking for security vulnerabilities in base (userland & kernel):
> Database fetched: 2024-11-15T19:30+00:00
> FreeBSD-kernel-14.1_5 is vulnerable:
> FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer
> CVE: CVE-2024-39281
> WWW: https://vuxml.FreeBSD.org/freebsd/8caa5d60-a174-11ef-9a62-002590c1f29c.html
>
> The corresponding SA (FreeBSD-SA-24:18.ctl) is from 2024-10-29. Since
> I install updates regularly, it should be applied already. Indeed:
>
> # freebsd-update fetch
> ...
> No updates needed to update system to 14.1-RELEASE-p6.
>
> # uname -a
> FreeBSD ... 14.1-RELEASE-p5 FreeBSD 14.1-RELEASE-p5 GENERIC amd64
>
> What should I do in response to the warning?

It's a false positive. The advisory only affected the ctl driver, which
is not included in the GENERIC kernel, therefore the kernel itself was
not updated and does not reflect the patch level.

DES
-- 
Dag-Erling Smørgrav - des@FreeBSD.org