Re: git: a580d36be4c7 - main - security/vuxml: add FreeBSD SA released on 2023-12-05

From: Philip Paeps <philip_at_freebsd.org>
Date: Thu, 07 Dec 2023 15:44:27 UTC
On 2023-12-07 23:28:05 (+0800), Felix Palmen wrote:
> * Philip Paeps <philip@freebsd.org> [20231207 12:55]:
>> On 2023-12-07 09:10:31 (+0800), Dan Langille wrote:
>>> On Wed, Dec 6, 2023, at 7:52 PM, Philip Paeps wrote:
>>>> On 2023-12-07 08:43:21 (+0800), Dan Langille wrote:
>>>>> Why don't we check them and record them separately?
>>>>
>>>> I already record them separately in vuxml.  If a vulnerability only
>>>> affects userland, I record
>>>> <package><name>FreeBSD</name>[...]</package>.
>>>> If the kernel is affected I record
>>>> <package><name>FreeBSD-kernel</name>[...]</package>.
>>>>
>>>> Hmm ... is that the problem?  Should I set the versions to the
>>>> *kernel*
>>>> patch level for FreeBSD-kernel vulnerabilities?
>>>
>>> First, let's test if that fixes it.
>>>
>>> This fixes it for me:
>>>
>>>         <range><ge>13.2</ge><lt>13.2_4</lt></range>
>>>
>>> [...]
>>>
>>>> Is something going to get upset if I change the most recent entry to
>>>> <lt>12.2_4</lt>?
>>>
>>> That I don't know.
>>>
>>> VUXML entries have AMENDED values don't they?
>>
>> Thanks for testing this out.  I've pushed a <modified/> vuxml entry in
>> 4826396e5d15.
>
> This can't be correct, -p4 appeared in October, it can't possibly fix a
> vuln discovered in December :o
>
> I'm still on -p6 here, upgrading from source and just always building
> the kernel as well (so my kernel version also shows -p6). With this
> change, it won't show me the vuln that's certainly present.
>
> I strongly assume the full freebsd-upgrade procedure will also upgrade
> the kernel to -p7. If it doesn't, there's a more troubling issue
> somewhere...

This assumption is wrong.  freebsd-update builds only build what has 
changed.  If a security patch does not affect the kernel, the kernel is 
not rebuilt.

We've had this conversation before.  I believe the conclusion at the 
time was that there are no good answers and we can't have nice things.

Tracking userland versions in vuxml breaks things for people running 
freebsd-update.  Tracking kernel versions hides vulnerabilities for 
people upgrading from source.

We (security team) won't push kernel updates (and require users to 
reboot) for vulnerabilities that only affect userland, only to show a 
higher number.  That would be silly.

I think the updated vuxml entry, suggested by dvl, is the most correct.  
But I have no good answer for your use case.

Philip

-- 
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
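The disagreement above comes down to which patch level a FreeBSD-kernel vuxml range is compared against: the kernel package version on a freebsd-update host stays at the last patch level that actually rebuilt the kernel, while a source-built host reports the same patch level for kernel and userland. The following is an added example, not code from the thread, from vuxml or from pkg(8): a small, simplified version comparator (pkg's real comparison rules are richer; only the "13.2_4" major.minor_patch shape is handled here) that audits two constructed hosts against two constructed FreeBSD-kernel entries, one with the range Dan tested (<lt>13.2_4</lt>) and one with the userland patch level (<lt>13.2_7</lt>). The vuln ids, host inventories and the exact ranges are assumptions for illustration.

```python
from dataclasses import dataclass


def parse_version(v: str):
    """Parse a FreeBSD-style package version such as '13.2_4'.

    Simplified: returns ((major, minor, ...), patch); '13.2' parses as
    patch 0.  This is an illustration of the comparison problem, not a
    reimplementation of pkg(8)'s version rules.
    """
    base, _, patch = v.partition("_")
    nums = tuple(int(part) for part in base.split("."))
    return (nums, int(patch) if patch else 0)


def version_ge(a: str, b: str) -> bool:
    return parse_version(a) >= parse_version(b)


def version_lt(a: str, b: str) -> bool:
    return parse_version(a) < parse_version(b)


@dataclass(frozen=True)
class Range:
    # Mirrors <range><ge>..</ge><lt>..</lt></range> in a vuxml entry.
    ge: str
    lt: str


@dataclass(frozen=True)
class Entry:
    vid: str       # hypothetical vuln id, not a real vuxml vid
    package: str   # "FreeBSD" (userland) or "FreeBSD-kernel"
    rng: Range


def in_range(version: str, rng: Range) -> bool:
    return version_ge(version, rng.ge) and version_lt(version, rng.lt)


def audit(host: dict, entries: list) -> list:
    """Return the vids whose package/range matches this host's versions."""
    return [
        e.vid for e in entries
        if e.package in host and in_range(host[e.package], e.rng)
    ]


# Constructed host inventories.  The freebsd-update host has userland at
# -p7 but a kernel still at -p4 (last patch that rebuilt the kernel); the
# source-built host rebuilt both and reports -p6 for each.
HOSTS = {
    "freebsd-update": {"FreeBSD": "13.2_7", "FreeBSD-kernel": "13.2_4"},
    "source-built": {"FreeBSD": "13.2_6", "FreeBSD-kernel": "13.2_6"},
}

# Two constructed variants of the same hypothetical FreeBSD-kernel entry:
# one keyed to the kernel patch level, one to the userland patch level.
KERNEL_LEVEL_ENTRY = Entry("EXAMPLE-kernel-level", "FreeBSD-kernel",
                           Range("13.2", "13.2_4"))
USERLAND_LEVEL_ENTRY = Entry("EXAMPLE-userland-level", "FreeBSD-kernel",
                             Range("13.2", "13.2_7"))


def compare_policies():
    """Audit both hosts under both entry variants; returns a dict keyed by
    (host name, entry vid) with the list of matched vids."""
    results = {}
    for host_name, versions in HOSTS.items():
        for entry in (KERNEL_LEVEL_ENTRY, USERLAND_LEVEL_ENTRY):
            results[(host_name, entry.vid)] = audit(versions, [entry])
    return results


if __name__ == "__main__":
    for (host_name, vid), matched in compare_policies().items():
        status = "VULNERABLE" if matched else "clean"
        print(f"{host_name:15} {vid:24} {status}")
```

Under the userland-level range the freebsd-update host is reported vulnerable indefinitely because its kernel version never reaches 13.2_7 without a kernel rebuild (a false positive); under the kernel-level range the source-built host at 13.2_6 is reported clean (a false negative). That is exactly the trade-off the reply describes, and the example is there to make the two failure modes visible side by side rather than to pick one.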