On Thu, Sep 17, 2020, at 6:28 PM, Dan Langille wrote:
> Hello,
> 
> After running 'freebsd-update fetch install' on an i386 server, I have 
> this situation:
> 
> [dan@gelt:~] $ freebsd-version -u
> 12.1-RELEASE-p10
> [dan@gelt:~] $ freebsd-version -k
> 12.1-RELEASE-p9
> [dan@gelt:~] $ 
> 
> Why did this not get a new kernel?
> 
> I ask because:
> 
> [dan@gelt:~] $ sudo /usr/local/etc/periodic/security/405.pkg-base-audit
> 
> Checking for security vulnerabilities in base (userland & kernel):
> Host system:
> Database fetched: Wed Sep 16 07:06:52 UTC 2020
> FreeBSD-kernel-12.1_9 is vulnerable:
> FreeBSD -- bhyve SVM guest escape
> CVE: CVE-2020-7467
> WWW: 
> https://vuxml.FreeBSD.org/freebsd/e73c688b-f7e6-11ea-88f8-901b0ef719ab.html
> 
> FreeBSD-kernel-12.1_9 is vulnerable:
> FreeBSD -- bhyve privilege escalation via VMCS access
> CVE: CVE-2020-24718
> WWW: 
> https://vuxml.FreeBSD.org/freebsd/2c5b9cd7-f7e6-11ea-88f8-901b0ef719ab.html
> 
> FreeBSD-kernel-12.1_9 is vulnerable:
> FreeBSD -- ure device driver susceptible to packet-in-packet attack
> CVE: CVE-2020-7464
> WWW: 
> https://vuxml.FreeBSD.org/freebsd/bb53af7b-f7e4-11ea-88f8-901b0ef719ab.html
> 
> 3 problem(s) in 1 installed package(s) found.
> 0 problem(s) in 0 installed package(s) found.
> 
> Oh, let's try again:
> 
> [dan@slocum:~] $ sudo freebsd-update fetch install
> Looking up update.FreeBSD.org mirrors... 3 mirrors found.
> Fetching metadata signature for 12.1-RELEASE from update4.freebsd.org... done.
> Fetching metadata index... done.
> Inspecting system... done.
> Preparing to download files... done.
> 
> No updates needed to update system to 12.1-RELEASE-p10.
> No updates are available to install.
> [dan@slocum:~] $ 
> 
> I've done everything I can.
> 
> How do I properly patch this i386 server?
> 
> For those wondering what I just ran:
> 
> [dan@gelt:~] $ pkg which 
> /usr/local/etc/periodic/security/405.pkg-base-audit
> /usr/local/etc/periodic/security/405.pkg-base-audit was installed by 
> package base-audit-0.4
> [dan@gelt:~] $ 
> 
> on an amd64 host I have:
> 
> [dan@slocum:~] $ freebsd-version -u
> 12.1-RELEASE-p10
> [dan@slocum:~] $ freebsd-version -k
> 12.1-RELEASE-p10

I understand why this occurs. I have reported it before:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245878

Status: Closed Works As Intended

What steps can we take to improve this?

vuxml will continue to report all i386 hosts as vuln until the 
next kernel version bump.  Users have no choice but to ignore the
reports.  Invalid false positives lead to alert fatigue.

Is there a way to avoid this situation where properly patched hosts
are not incorrectly labelled as vulnerable?

-- 
  Dan Langille
  d...@langille.org
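An added example, not part of the thread, to help triage the situation described in the message: it derives the base package name that a base-audit style check feeds to `pkg audit` from a `freebsd-version` string and reports the userland/kernel patch-level gap. The name format (`12.1-RELEASE-p9` to `FreeBSD-kernel-12.1_9`) is inferred from the output quoted above; the userland component name passed as the first argument is an assumption, not taken from the tool.

```shell
#!/bin/sh
# Added example: map freebsd-version output to the base package names an
# audit check would query, and flag a userland/kernel patch-level gap.
# The FreeBSD-kernel-12.1_9 <-> 12.1-RELEASE-p9 mapping is inferred from
# the output in the message above (assumption, not the tool's own code).

# base_pkg_name <component> <freebsd-version string>
# e.g. base_pkg_name kernel 12.1-RELEASE-p9  ->  FreeBSD-kernel-12.1_9
base_pkg_name() {
    component=$1
    ver=$2
    rel=${ver%%-*}                       # 12.1
    case $ver in
        *-p[0-9]*) level=${ver##*-p} ;;  # 9
        *)         level=0 ;;            # unpatched release
    esac
    printf 'FreeBSD-%s-%s_%s\n' "$component" "$rel" "$level"
}

# patch_level <freebsd-version string> -> numeric patch level (0 if none)
patch_level() {
    case $1 in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# audit_gap <userland version> <kernel version>
# Prints "in-sync" when both report the same patch level, "kernel-lags N"
# when the kernel reports an older level (the state shown on the i386
# host above), or "kernel-ahead N" otherwise.
audit_gap() {
    u=$(patch_level "$1")
    k=$(patch_level "$2")
    if [ "$u" -eq "$k" ]; then
        echo in-sync
    elif [ "$k" -lt "$u" ]; then
        echo "kernel-lags $((u - k))"
    else
        echo "kernel-ahead $((k - u))"
    fi
}

# Run on a live host:
#   audit_gap "$(freebsd-version -u)" "$(freebsd-version -k)"
```

A "kernel-lags" result by itself does not establish that the kernel is vulnerable or that it is patched; it only marks the finding as one to verify against the advisory before acting on the audit report.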
_______________________________________________
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable