Re: git: a580d36be4c7 - main - security/vuxml: add FreeBSD SA released on 2023-12-05
Date: Thu, 07 Dec 2023 15:28:05 UTC
* Philip Paeps <philip@freebsd.org> [20231207 12:55]:
> On 2023-12-07 09:10:31 (+0800), Dan Langille wrote:
> > On Wed, Dec 6, 2023, at 7:52 PM, Philip Paeps wrote:
> > > On 2023-12-07 08:43:21 (+0800), Dan Langille wrote:
> > > > Why don't we check them and record them separately?
> > >
> > > I already record them separately in vuxml. If a vulnerability only
> > > affects userland, I record
> > > <package><name>FreeBSD</name>[...]</package>.
> > > If the kernel is affected I record
> > > <package><name>FreeBSD-kernel</name>[...]</package>.
> > >
> > > Hmm ... is that the problem? Should I set the versions to the
> > > *kernel*
> > > patch level for FreeBSD-kernel vulnerabilities?
> >
> > First, let's test if that fixes it.
> >
> > This fixes it for me:
> >
> > <range><ge>13.2</ge><lt>13.2_4</lt></range>
> >
> > [...]
> >
> > > Is something going to get upset if I change the most recent entry to
> > > <lt>12.2_4</lt>?
> >
> > That I don't know.
> >
> > VUXML entries have AMENDED values don't they?
>
> Thanks for testing this out. I've pushed a <modified/> vuxml entry in
> 4826396e5d15.

This can't be correct, -p4 appeared in October, it can't possibly fix a
vuln discovered in December :o

I'm still on -p6 here, upgrading from source and just always building
the kernel as well (so my kernel version also shows -p6). With this
change, it won't show me the vuln that's certainly present.

I strongly assume the full freebsd-upgrade procedure will also upgrade
the kernel to -p7. If it doesn't, there's a more troubling issue
somewhere...

Cheers, Felix

--
 Felix Palmen <zirias@FreeBSD.org>     {private}   felix@palmen-it.de
 -- ports committer --                     {web}  http://palmen-it.de
 {pgp public key}  http://palmen-it.de/pub.txt
 {pgp fingerprint} 6936 13D5 5BBF 4837 B212 3ACC 54AD E006 9879 F231