On Thu, Sep 17, 2020, at 6:28 PM, Dan Langille wrote:
> Hello,
>
> After running 'freebsd-update fetch install' on an i386 server, I have
> this situation:
>
> [dan at gelt:~] $ freebsd-version -u
> 12.1-RELEASE-p10
> [dan at gelt:~] $ freebsd-version -k
> 12.1-RELEASE-p9
> [dan at gelt:~] $
>
> Why did this not get a new kernel?
>
> I ask because:
>
> [dan at gelt:~] $ sudo /usr/local/etc/periodic/security/405.pkg-base-audit
>
> Checking for security vulnerabilities in base (userland & kernel):
> Host system:
> Database fetched: Wed Sep 16 07:06:52 UTC 2020
> FreeBSD-kernel-12.1_9 is vulnerable:
> FreeBSD -- bhyve SVM guest escape
> CVE: CVE-2020-7467
> WWW: https://vuxml.FreeBSD.org/freebsd/e73c688b-f7e6-11ea-88f8-901b0ef719ab.html
>
> FreeBSD-kernel-12.1_9 is vulnerable:
> FreeBSD -- bhyve privilege escalation via VMCS access
> CVE: CVE-2020-24718
> WWW: https://vuxml.FreeBSD.org/freebsd/2c5b9cd7-f7e6-11ea-88f8-901b0ef719ab.html
>
> FreeBSD-kernel-12.1_9 is vulnerable:
> FreeBSD -- ure device driver susceptible to packet-in-packet attack
> CVE: CVE-2020-7464
> WWW: https://vuxml.FreeBSD.org/freebsd/bb53af7b-f7e4-11ea-88f8-901b0ef719ab.html
>
> 3 problem(s) in 1 installed package(s) found.
> 0 problem(s) in 0 installed package(s) found.
>
> Oh, let's try again:
>
> [dan at slocum:~] $ sudo freebsd-update fetch install
> Looking up update.FreeBSD.org mirrors... 3 mirrors found.
> Fetching metadata signature for 12.1-RELEASE from update4.freebsd.org... done.
> Fetching metadata index... done.
> Inspecting system... done.
> Preparing to download files... done.
>
> No updates needed to update system to 12.1-RELEASE-p10.
> No updates are available to install.
> [dan at slocum:~] $
>
> I've done everything I can
>
> How do I properly patch this i386 server?
>
> For those wondering what I just ran:
>
> [dan at gelt:~] $ pkg which
> /usr/local/etc/periodic/security/405.pkg-base-audit
> /usr/local/etc/periodic/security/405.pkg-base-audit was installed by
> package base-audit-0.4
> [dan at gelt:~] $
>
> on an amd64 host I have:
>
> [dan at slocum:~] $ freebsd-version -u
> 12.1-RELEASE-p10
> [dan at slocum:~] $ freebsd-version -k
> 12.1-RELEASE-p10
I understand why this occurs. I have reported it before:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245878

Status: Closed Works As Intended

What steps can we take to improve this?

vuxml will continue to report all i386 hosts as vuln until the
next kernel version bump. Users have no choice but to ignore the
reports. Invalid false positives lead to alert fatigue.

Is there a way to avoid this situation where properly patched hosts
are not incorrectly labelled as vulnerable?

--
Dan Langille
dan at langille.org
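The situation described in the mail (userland at p10, kernel still reporting p9, and base-audit flagging the kernel package) can be triaged mechanically before deciding whether a report is a false positive. The following POSIX shell script is an added example, not code from Dan Langille's mail or from the base-audit port: it compares the patch levels that `freebsd-version -u` and `freebsd-version -k` print, and counts the CVE lines that base-audit output attaches to a given package. The version strings and the audit text embedded below are constructed from the values quoted in the mail; on a real host they would come from the commands themselves.

```shell
#!/bin/sh
# Added example (not from the original mail). Compares kernel and userland
# patch levels as printed by freebsd-version(1) and summarises which CVEs
# base-audit style output attaches to one package. Sample inputs below are
# constructed to mirror the values in the mail.

# Extract the numeric patch level from a string like "12.1-RELEASE-p10" -> 10.
# A bare "12.1-RELEASE" (no -pN suffix) yields 0.
patch_level() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         printf '0\n' ;;
    esac
}

# Compare the kernel patch level ($2) with the userland patch level ($1).
# Prints "behind", "equal" or "ahead"; returns 1 only when the kernel lags,
# which is the condition that makes vuxml flag the FreeBSD-kernel package.
kernel_vs_userland() {
    u=$(patch_level "$1")   # e.g. output of: freebsd-version -u
    k=$(patch_level "$2")   # e.g. output of: freebsd-version -k
    if [ "$k" -lt "$u" ]; then
        printf 'behind\n'
        return 1
    elif [ "$k" -eq "$u" ]; then
        printf 'equal\n'
    else
        printf 'ahead\n'
    fi
    return 0
}

# Read base-audit style text on stdin and print how many "CVE:" lines follow
# "<pkg> is vulnerable:" headers for the package named in $1.
count_cves() {
    awk -v pkg="$1" '
        index($0, pkg " is vulnerable:") == 1 { inpkg = 1; next }
        /is vulnerable:/                      { inpkg = 0 }
        inpkg && /^CVE:/                      { n++ }
        END                                   { print n + 0 }'
}

# Constructed sample: the audit output quoted in the mail, without the
# mail quoting prefix, as the periodic script would print it.
AUDIT_SAMPLE='Checking for security vulnerabilities in base (userland & kernel):
Host system:
FreeBSD-kernel-12.1_9 is vulnerable:
FreeBSD -- bhyve SVM guest escape
CVE: CVE-2020-7467
WWW: https://vuxml.FreeBSD.org/freebsd/e73c688b-f7e6-11ea-88f8-901b0ef719ab.html

FreeBSD-kernel-12.1_9 is vulnerable:
FreeBSD -- bhyve privilege escalation via VMCS access
CVE: CVE-2020-24718
WWW: https://vuxml.FreeBSD.org/freebsd/2c5b9cd7-f7e6-11ea-88f8-901b0ef719ab.html

FreeBSD-kernel-12.1_9 is vulnerable:
FreeBSD -- ure device driver susceptible to packet-in-packet attack
CVE: CVE-2020-7464
WWW: https://vuxml.FreeBSD.org/freebsd/bb53af7b-f7e4-11ea-88f8-901b0ef719ab.html

3 problem(s) in 1 installed package(s) found.'

# On a real host:
#   kernel_vs_userland "$(freebsd-version -u)" "$(freebsd-version -k)"
# Here the constructed values from the mail are used instead.
if kernel_vs_userland "12.1-RELEASE-p10" "12.1-RELEASE-p9" >/dev/null; then
    echo "kernel and userland patch levels agree"
else
    n=$(printf '%s\n' "$AUDIT_SAMPLE" | count_cves FreeBSD-kernel-12.1_9)
    echo "kernel patch level lags userland; audit flags $n CVE(s) against the installed kernel package"
fi
```

The script only reports the mismatch; whether a lagging kernel patch level is a genuine exposure or the i386 artefact the mail describes still has to be checked against the advisory, since freebsd-update only bumps the kernel version when the kernel itself changed.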