Bug 275743 - Spurious "TCP spoofing vulnerability in pf" warning from 405.pkg-base-audit after updating to 12.4-RELEASE-p9
Summary: Spurious "TCP spoofing vulnerability in pf" warning from 405.pkg-base-audit a...
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: misc (show other bugs)
Version: 12.4-RELEASE
Hardware: i386 Any
: --- Affects Only Me
Assignee: Philip Paeps
URL:
Keywords: regression
Depends on:
Blocks:
 
Reported: 2023-12-13 12:24 UTC by martin
Modified: 2023-12-14 02:14 UTC (History)
1 user (show)

See Also:


Attachments
Output from "freebsd-update fetch install" updating to 12.4-RELEASE-p9 (2.99 KB, text/plain)
2023-12-13 12:24 UTC, martin
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description martin 2023-12-13 12:24:48 UTC
Created attachment 247028 [details]
Output from "freebsd-update fetch install" updating to 12.4-RELEASE-p9

Even after using "freebsd-update fetch install" to update to 12.4-RELEASE-p9 (see attached output), the script /usr/local/etc/periodic/security/405.pkg-base-audit still reports:

Checking for security vulnerabilities in base (userland & kernel):
Fetching vuln.xml.xz: .......... done
FreeBSD-kernel-12.4_6 is vulnerable:
  FreeBSD -- TCP spoofing vulnerability in pf(4)
  CVE: CVE-2023-6534
  WWW: https://vuxml.FreeBSD.org/freebsd/9cbbc506-93c1-11ee-8e38-002590c1f29c.html

I don't see this on amd64 systems.  The difference between them seems to be that the kernel was not updated on this i386 system, so it is still on p6 even though /boot/kernel/pf.ko was updated.
Comment 1 Philip Paeps freebsd_committer freebsd_triage 2023-12-14 00:37:43 UTC
I'll change the vuxml entry so the warning goes away.

Since this issue only affects pf.ko, there's no 100% good way to document this in vuxml.

See also the discussion in this thread:

https://lists.freebsd.org/archives/dev-commits-ports-all/2023-December/091108.html
Comment 2 commit-hook freebsd_committer freebsd_triage 2023-12-14 02:12:29 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6c7887d34c00a0930b380f4ed487c592f2fb4569

commit 6c7887d34c00a0930b380f4ed487c592f2fb4569
Author:     Philip Paeps <philip@FreeBSD.org>
AuthorDate: 2023-12-14 02:10:36 +0000
Commit:     Philip Paeps <philip@FreeBSD.org>
CommitDate: 2023-12-14 02:10:59 +0000

    security/vuxml: adjust 12.4 range of FreeBSD SA-23:17.pf

    Similar to what I did in 4826396e5d1555b9eebf58cac290490b24bf1243,
    adjust the 12.4 releases affected by FreeBSD SA-23:17.pf.

    There is no 100% correct way to encode this issue in vuxml.  Since the
    issue only affects pf.ko, freebsd-update does not rebuild the kernel.

    PR:             275743
    Reported by:    martin@lispworks.com

 security/vuxml/vuln/2023.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)