Re: git: 4826396e5d15 - main - security/vuxml: correct last SA's affected range
Date: Tue, 12 Dec 2023 09:14:02 UTC
* Felix Palmen <zirias@freebsd.org> [20231207 18:48]:
> * Philip Paeps <philip@FreeBSD.org> [20231207 04:52]:
> > FreeBSD-SA-23:17.pf only affects the kernel, not userland. The first
> > patch level of the kernel without the vulnerability is 13.2_4, not
> > 13.2_7.
>
> Please revert this commit. The first sentence of the message is correct,
> the second one is wrong. The fixed kernel has version 13.2-RELEASE-p7.

The more time passes the less important this will be, but I'm still
convinced it is wrong and might be dangerous to someone only relying on
periodic security reports.

I double-checked multiple times, and I see no way a kernel could ever be
built with a different version than the one listed in
sys/conf/newvers.sh. If there *is* a way, please explain how this could
ever work (and how to ever avoid massive confusion, even for people just
building their custom kernel).

So given that, the version was bumped to -p4 in
https://cgit.freebsd.org/src/commit/?id=d20ece445acfc5d29ca096b38e30e4c0cb0b0d95
on 2023-10-03. After that, there were no changes to the kernel on
releng/13.2 (so its version stayed at -p4 when using freebsd-update),
*until* commit
https://cgit.freebsd.org/src/commit/?id=45e256e24c976a55dc856907a57564cbc30cfb60
on 2023-12-05, fixing this very issue.

I rest my case: there's no way a kernel with version 13.2-RELEASE-p4
could ever include that fix. Therefore, please correct this, so people
looking at periodic are properly warned.

Thanks,
Felix

-- 
 Felix Palmen <zirias@FreeBSD.org>     {private}   felix@palmen-it.de
 -- ports committer --                     {web}  http://palmen-it.de
 {pgp public key}  http://palmen-it.de/pub.txt
 {pgp fingerprint} 6936 13D5 5BBF 4837 B212 3ACC 54AD E006 9879 F231