Re: git: 4826396e5d15 - main - security/vuxml: correct last SA's affected range
Date: Tue, 12 Dec 2023 09:14:02 UTC
* Felix Palmen <zirias@freebsd.org> [20231207 18:48]:
> * Philip Paeps <philip@FreeBSD.org> [20231207 04:52]:
> > FreeBSD-SA-23:17.pf only affects the kernel, not userland. The first
> > patch level of the kernel without the vulnerability is 13.2_4, not
> > 13.2_7.
>
> Please revert this commit. The first sentence of the message is correct,
> the second one is wrong. The fixed kernel has version 13.2-RELEASE-p7.
The more time passes, the less important this will be, but I'm still
convinced it is wrong and might be dangerous to someone only relying on
periodic security reports.
I double-checked multiple times, and I see no way a kernel could
ever be built with a different version than the one listed in
sys/conf/newvers.sh. If there *is* a way, please explain how this could
ever work (and how to ever avoid massive confusion, even for people just
building their custom kernel).
So given that, the version was bumped to -p4 in
https://cgit.freebsd.org/src/commit/?id=d20ece445acfc5d29ca096b38e30e4c0cb0b0d95
on 2023-10-03.
After that, there were no changes to the kernel on releng/13.2 (so its
version stayed at -p4 when using freebsd-update), *until* commit
https://cgit.freebsd.org/src/commit/?id=45e256e24c976a55dc856907a57564cbc30cfb60
on 2023-12-05, fixing this very issue.
I rest my case: there's no way a kernel with version 13.2-RELEASE-p4
could ever include that fix. Therefore, please correct this, so people
looking at periodic are properly warned.
Thanks, Felix
--
Felix Palmen <zirias@FreeBSD.org> {private} felix@palmen-it.de
-- ports committer -- {web} http://palmen-it.de
{pgp public key} http://palmen-it.de/pub.txt
{pgp fingerprint} 6936 13D5 5BBF 4837 B212 3ACC 54AD E006 9879 F231
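The disagreement above comes down to how a kernel's patch level (the "-pN" suffix set in sys/conf/newvers.sh) maps onto the "13.2_N" form that VuXML uses for the FreeBSD-kernel pseudo-package, and whether a given kernel lands inside the advisory's affected range. The following POSIX sh snippet is an added example, not part of the thread and not FreeBSD's own tooling: it performs that mapping and the range check on constructed inputs taken from the thread (13.2-RELEASE-p4 and 13.2-RELEASE-p7 against a range of 13.2 up to, but excluding, 13.2_7). The range semantics (lower bound inclusive, upper bound exclusive, as in a VuXML `<ge>`/`<lt>` pair) are an assumption of the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from FreeBSD's tooling.
# Maps a kernel version string as produced from sys/conf/newvers.sh
# ("13.2-RELEASE-p7") onto the "13.2_7" form used in VuXML for the
# FreeBSD-kernel pseudo-package, and checks it against an affected range.

# to_vuxml "13.2-RELEASE-p7" -> "13.2_7"; "13.2-RELEASE" -> "13.2"
to_vuxml() {
    base=${1%%-*}                       # "13.2"
    case $1 in
        *-p[0-9]*) printf '%s_%s\n' "$base" "${1##*-p}" ;;
        *)         printf '%s\n' "$base" ;;
    esac
}

# split_ver "13.2_7" -> "13 2 7"; a missing patch level counts as 0
split_ver() {
    main=${1%%_*}
    case $1 in
        *_*) p=${1##*_} ;;
        *)   p=0 ;;
    esac
    printf '%s %s %s\n' "${main%%.*}" "${main#*.}" "$p"
}

# vercmp A B -> prints "older", "same" or "newer" (A relative to B),
# comparing major, minor and patch level numerically in that order
vercmp() {
    a=$(split_ver "$1"); b=$(split_ver "$2")
    set -- $a $b
    a_maj=$1; a_min=$2; a_p=$3; b_maj=$4; b_min=$5; b_p=$6
    for n in "$a_maj $b_maj" "$a_min $b_min" "$a_p $b_p"; do
        set -- $n
        if [ "$1" -lt "$2" ]; then echo older; return 0; fi
        if [ "$1" -gt "$2" ]; then echo newer; return 0; fi
    done
    echo same
}

# is_affected KERNEL_VERSION LOWER UPPER
# Succeeds (exit 0) when LOWER <= vuxml(KERNEL_VERSION) < UPPER, i.e. the
# kernel is inside a range with an inclusive lower and exclusive upper bound
# (assumed to mirror a VuXML <ge>LOWER</ge> / <lt>UPPER</lt> pair).
is_affected() {
    v=$(to_vuxml "$1")
    [ "$(vercmp "$v" "$2")" != older ] && [ "$(vercmp "$v" "$3")" = older ]
}

# Constructed sample: the two kernels discussed in the thread, checked
# against a range that ends at the -p7 kernel carrying the fix.
for k in 13.2-RELEASE-p4 13.2-RELEASE-p7; do
    if is_affected "$k" 13.2 13.2_7; then
        echo "$k (vuxml $(to_vuxml "$k")): affected"
    else
        echo "$k (vuxml $(to_vuxml "$k")): fixed"
    fi
done
```

With the range's upper bound at 13.2_7, the -p4 kernel is reported as affected and the -p7 kernel as fixed; with the upper bound lowered to 13.2_4, the -p4 kernel would silently be reported as fixed even though the patched kernel only exists at -p7, which is the failure mode the thread is concerned about.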