Created attachment 247028
Output from "freebsd-update fetch install" updating to 12.4-RELEASE-p9

Even after using "freebsd-update fetch install" to update to 12.4-RELEASE-p9 (see attached output), the script /usr/local/etc/periodic/security/405.pkg-base-audit still reports:

Checking for security vulnerabilities in base (userland & kernel):
Fetching vuln.xml.xz: .......... done
FreeBSD-kernel-12.4_6 is vulnerable:
  FreeBSD -- TCP spoofing vulnerability in pf(4)
  CVE: CVE-2023-6534
  WWW: https://vuxml.FreeBSD.org/freebsd/9cbbc506-93c1-11ee-8e38-002590c1f29c.html

I don't see this on amd64 systems. The difference between them seems to be that the kernel was not updated on this i386 system, so it is still on p6 even though /boot/kernel/pf.ko was updated.
I'll change the vuxml entry so the warning goes away. Since this issue only affects pf.ko, there's no 100% good way to document this in vuxml. See also the discussion in this thread: https://lists.freebsd.org/archives/dev-commits-ports-all/2023-December/091108.html
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6c7887d34c00a0930b380f4ed487c592f2fb4569

commit 6c7887d34c00a0930b380f4ed487c592f2fb4569
Author:     Philip Paeps <philip@FreeBSD.org>
AuthorDate: 2023-12-14 02:10:36 +0000
Commit:     Philip Paeps <philip@FreeBSD.org>
CommitDate: 2023-12-14 02:10:59 +0000

    security/vuxml: adjust 12.4 range of FreeBSD SA-23:17.pf

    Similar to what I did in 4826396e5d1555b9eebf58cac290490b24bf1243, adjust
    the 12.4 releases affected by FreeBSD SA-23:17.pf.

    There is no 100% correct way to encode this issue in vuxml. Since the
    issue only affects pf.ko, freebsd-update does not rebuild the kernel.

    PR:             275743
    Reported by:    martin@lispworks.com

 security/vuxml/vuln/2023.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
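The skew this report turns on (userland at p9, kernel still reporting p6 because only pf.ko was replaced) can be spotted by comparing the strings freebsd-version -k and -u print. The script below is an added example, not part of the bug report or of freebsd-update; when freebsd-version is not available it runs on constructed values that mirror this report.

```shell
#!/bin/sh
# Report whether the installed kernel's patch level lags the userland's.

# patch_level VERSION  -> patch number ("12.4-RELEASE-p9" -> 9, "12.4-RELEASE" -> 0)
patch_level() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         printf '0\n' ;;
    esac
}

# base_version VERSION -> release without patch suffix ("12.4-RELEASE-p9" -> "12.4-RELEASE")
base_version() {
    printf '%s\n' "${1%-p[0-9]*}"
}

# kernel_lags_userland KERNEL_VERSION USERLAND_VERSION
# Prints one of:
#   ok              kernel patch level >= userland patch level
#   kernel-behind   userland was patched but the kernel was not (this report)
#   branch-mismatch kernel and userland are from different releases
kernel_lags_userland() {
    k="$1"
    u="$2"
    if [ "$(base_version "$k")" != "$(base_version "$u")" ]; then
        echo "branch-mismatch"
        return 0
    fi
    kp=$(patch_level "$k")
    up=$(patch_level "$u")
    if [ "$kp" -lt "$up" ]; then
        echo "kernel-behind"
    else
        echo "ok"
    fi
}

if command -v freebsd-version >/dev/null 2>&1; then
    # Live check: -k is the installed kernel, -u the installed userland.
    kernel_lags_userland "$(freebsd-version -k)" "$(freebsd-version -u)"
else
    # Constructed sample reproducing the report: kernel on p6, userland on p9.
    kernel_lags_userland "12.4-RELEASE-p6" "12.4-RELEASE-p9"
fi
```

A "kernel-behind" result explains a pkg-base-audit warning against FreeBSD-kernel-12.4_6 after a p9 update, since the audit keys on the kernel's own version string rather than on the modules that were actually replaced.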