Bug 275743

Summary: Spurious "TCP spoofing vulnerability in pf" warning from 405.pkg-base-audit after updating to 12.4-RELEASE-p9
Product: Base System Reporter: martin
Component: miscAssignee: Philip Paeps <philip>
Status: Closed FIXED    
Severity: Affects Only Me CC: philip
Priority: --- Keywords: regression
Version: 12.4-RELEASE   
Hardware: i386   
OS: Any   
Attachments:
Description Flags
Output from "freebsd-update fetch install" updating to 12.4-RELEASE-p9 none

Description martin 2023-12-13 12:24:48 UTC 
Created attachment 247028 [details]
Output from "freebsd-update fetch install" updating to 12.4-RELEASE-p9

Even after using "freebsd-update fetch install" to update to 12.4-RELEASE-p9 (see attached output), the script /usr/local/etc/periodic/security/405.pkg-base-audit still reports:

Checking for security vulnerabilities in base (userland & kernel):
Fetching vuln.xml.xz: .......... done
FreeBSD-kernel-12.4_6 is vulnerable:
  FreeBSD -- TCP spoofing vulnerability in pf(4)
  CVE: CVE-2023-6534
  WWW: https://vuxml.FreeBSD.org/freebsd/9cbbc506-93c1-11ee-8e38-002590c1f29c.html

I don't see this on amd64 systems.  The difference between them seems to be that the kernel was not updated on this i386 system, so it is still on p6 even though /boot/kernel/pf.ko was updated.
Comment 1 Philip Paeps freebsd_committer freebsd_triage 2023-12-14 00:37:43 UTC 
I'll change the vuxml entry so the warning goes away.

Since this issue only affects pf.ko, there's no 100% good way to document this in vuxml.

See also the discussion in this thread:

https://lists.freebsd.org/archives/dev-commits-ports-all/2023-December/091108.html
Comment 2 commit-hook freebsd_committer freebsd_triage 2023-12-14 02:12:29 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6c7887d34c00a0930b380f4ed487c592f2fb4569

commit 6c7887d34c00a0930b380f4ed487c592f2fb4569
Author:     Philip Paeps <philip@FreeBSD.org>
AuthorDate: 2023-12-14 02:10:36 +0000
Commit:     Philip Paeps <philip@FreeBSD.org>
CommitDate: 2023-12-14 02:10:59 +0000

    security/vuxml: adjust 12.4 range of FreeBSD SA-23:17.pf

    Similar to what I did in 4826396e5d1555b9eebf58cac290490b24bf1243,
    adjust the 12.4 releases affected by FreeBSD SA-23:17.pf.

    There is no 100% correct way to encode this issue in vuxml.  Since the
    issue only affects pf.ko, freebsd-update does not rebuild the kernel.

    PR:             275743
    Reported by:    martin@lispworks.com

 security/vuxml/vuln/2023.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)