From: Philip Paeps
To: Felix Palmen
Cc: Dan Langille, ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org
Subject: Re: git: a580d36be4c7 - main - security/vuxml: add FreeBSD SA released on 2023-12-05
Date: Thu, 07 Dec 2023 23:44:27 +0800
References: <202312052304.3B5N4IOf078862@gitrepo.freebsd.org> <4c967ca4-bfa1-4e30-b330-feb94d6c765b@app.fastmail.com> <38DAC2D1-58B0-43C5-9F1E-97281068AFD5@freebsd.org> <01372e6b-0e2d-4249-9f36-fdb24b380c71@app.fastmail.com> <1A46BB39-EBBA-4E02-97A4-860DD9608000@freebsd.org>
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all

On 2023-12-07 23:28:05 (+0800), Felix Palmen wrote:
> * Philip Paeps [20231207 12:55]:
>> On 2023-12-07 09:10:31 (+0800), Dan Langille wrote:
>>> On Wed, Dec 6, 2023, at 7:52 PM, Philip Paeps wrote:
>>>> On 2023-12-07 08:43:21 (+0800), Dan Langille wrote:
>>>>> Why don't we check them and record them separately?
>>>>
>>>> I already record them separately in vuxml. If a vulnerability only
>>>> affects userland, I record
>>>> FreeBSD[...].
>>>> If the kernel is affected I record
>>>> FreeBSD-kernel[...].
>>>>
>>>> Hmm ... is that the problem? Should I set the versions to the *kernel*
>>>> patch level for FreeBSD-kernel vulnerabilities?
>>>
>>> First, let's test if that fixes it.
>>>
>>> This fixes it for me:
>>>
>>> 13.213.2_4
>>>
>>> [...]
>>>
>>>> Is something going to get upset if I change the most recent entry to
>>>> 12.2_4?
>>>
>>> That I don't know.
>>>
>>> VUXML entries have AMENDED values, don't they?
>>
>> Thanks for testing this out. I've pushed a vuxml entry in 4826396e5d15.
>
> This can't be correct, -p4 appeared in October, it can't possibly fix a
> vuln discovered in December :o
>
> I'm still on -p6 here, upgrading from source and just always building
> the kernel as well (so my kernel version also shows -p6). With this
> change, it won't show me the vuln that's certainly present.
>
> I strongly assume the full freebsd-upgrade procedure will also upgrade
> the kernel to -p7. If it doesn't, there's a more troubling issue
> somewhere...

This assumption is wrong. freebsd-update builds only build what has changed. If a security patch does not affect the kernel, the kernel is not rebuilt.

We've had this conversation before. I believe the conclusion at the time was that there are no good answers and we can't have nice things.

Tracking userland versions in vuxml breaks things for people running freebsd-update. Tracking kernel versions hides vulnerabilities for people upgrading from source.

We (security team) won't push kernel updates (and require users to reboot) for vulnerabilities that only affect userland, only to show a higher number. That would be silly.

I think the updated vuxml entry, suggested by dvl, is the most correct. But I have no good answer for your use case.

Philip

--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
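The trade-off Philip describes (a FreeBSD-kernel entry keyed on the userland patch level flags fully updated freebsd-update hosts, one keyed on the kernel patch level misses source-built hosts) can be seen in a small model. The following is an added example written for this page, not code from the thread, vuxml or pkg; it is a deliberately simplified version of the range check, and the host patch levels, the host labels and the two candidate entries are constructed from the numbers mentioned in the thread (-p4, -p6, -p7). It assumes the two installed versions come from freebsd-version -u (userland) and freebsd-version -k (installed kernel).

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Simplified, constructed model of how a vuxml range for the base system is
# matched against a host. It is not the real pkg-audit(8) or vuxml code.
# Version strings are assumed to come from freebsd-version(1): -u for the
# userland, -k for the installed kernel. vuxml itself spells 13.2-RELEASE-p4
# in the pkg style, "13.2_4"; both spellings are accepted here.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:-RELEASE)?(?:-p(\d+)|_(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '13.2-RELEASE-p7' or '13.2_7' into (13, 2, 7); '13.2' has patch level 0."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised release version: {text!r}")
    major, minor, dash_patch, underscore_patch = m.groups()
    return int(major), int(minor), int(dash_patch or underscore_patch or 0)


@dataclass(frozen=True)
class VuxmlRange:
    name: str                  # "FreeBSD" (userland) or "FreeBSD-kernel"
    lt: str                    # first patch level that carries the fix
    ge: Optional[str] = None   # lower bound, if the entry has one


@dataclass(frozen=True)
class Host:
    userland: str              # freebsd-version -u
    kernel: str                # freebsd-version -k


def affected(entry: VuxmlRange, host: Host) -> bool:
    """The entry's name decides which of the two installed versions is compared."""
    installed = parse_version(host.kernel if entry.name == "FreeBSD-kernel" else host.userland)
    if entry.ge is not None and installed < parse_version(entry.ge):
        return False
    return installed < parse_version(entry.lt)


def audit(entry: VuxmlRange, hosts: Dict[str, Host]) -> Dict[str, bool]:
    """Evaluate one entry against several hosts; True means 'reported as vulnerable'."""
    return {label: affected(entry, host) for label, host in hosts.items()}


# Constructed scenario built from the patch levels in the thread: the advisory
# ships in -p7, a freebsd-update host has a kernel last rebuilt at -p4 (the
# kernel is only rebuilt when a patch touches it), and a source-built host
# rebuilt both userland and kernel at -p6.
HOSTS = {
    "freebsd-update": Host(userland="13.2-RELEASE-p7", kernel="13.2-RELEASE-p4"),
    "source-built": Host(userland="13.2-RELEASE-p6", kernel="13.2-RELEASE-p6"),
}
# Kernel entry keyed on the userland patch level of the advisory.
ENTRY_USERLAND_LEVEL = VuxmlRange(name="FreeBSD-kernel", lt="13.2_7", ge="13.2")
# Kernel entry keyed on the kernel's own patch level, as the amended entry does.
ENTRY_KERNEL_LEVEL = VuxmlRange(name="FreeBSD-kernel", lt="13.2_4", ge="13.2")

if __name__ == "__main__":
    for label, entry in (("lt 13.2_7", ENTRY_USERLAND_LEVEL), ("lt 13.2_4", ENTRY_KERNEL_LEVEL)):
        print(label, audit(entry, HOSTS))
```

Run as a script it prints one line per entry. The lt 13.2_7 entry reports both hosts, including the freebsd-update host whose -p4 kernel already carries everything a kernel patch would have brought (the "breaks things for people running freebsd-update" case); the lt 13.2_4 entry reports neither, so the source-built -p6 host is not told about a fix it lacks (the "hides vulnerabilities for people upgrading from source" case). No single range satisfies both hosts, which is the conclusion the message reaches.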