Date: Thu, 1 Jan 2026 18:23:55 -0800
From: Mel P <list_freebsd@bluerosetech.com>
To: freebsd-security@freebsd.org, FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: Did this need a kernel version bump? [Was: Re: FreeBSD Security Advisory FreeBSD-SA-25:11.ipfw]
Message-ID: <9b881b84-e9b8-96b8-eb6a-8cf6a7fff3db@bluerosetech.com>
In-Reply-To: <20251217010207.1E91EE32B@freefall.freebsd.org>

After updating via freebsd-update on my 13.5 systems, I have:

# freebsd-version -kru
13.5-RELEASE-p6
13.5-RELEASE-p6
13.5-RELEASE-p8

However, pkg-base-audit doesn't "see" that the update was applied:

Checking for security vulnerabilities in base (userland & kernel):
vulnxml file up-to-date
FreeBSD-kernel-13.5_6 is vulnerable:
  FreeBSD -- ipfw denial of service
  CVE: CVE-2025-14769
  WWW: https://vuxml.FreeBSD.org/freebsd/0b22e22a-dae9-11f0-80b8-bc241121aa0a.html

1 problem(s) in 1 package(s) found.
vulnxml file up-to-date
0 problem(s) in 0 package(s) found.

That makes sense--on non-pkgbase systems it synthesizes a hypothetical kernel pkg from `freebsd-version -k`, so it can't see the update unless the kernel version increases.

I can see that /boot/kernel/ipfw_pmod.ko changed between the running BE and the -p7 snapshot, so I'm confident I did get the update.

Does pkg-audit-base have a bug such that it also must consider the userland version when checking for kernel vulns; or did the kernel version bump get missed?

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9b881b84-e9b8-96b8-eb6a-8cf6a7fff3db>
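
The comparison the message describes, as an added example that is not part of the original e-mail or of any FreeBSD tool: it takes the three strings from `freebsd-version -kru`, rebuilds the kernel package name in the form shown in the audit output, and reports when the installed kernel patch level is below userland's. The function names are hypothetical, and the package name format is inferred only from the single line quoted above.

```shell
#!/bin/sh
# Added example, not part of the original message.
# Arguments are the three lines of `freebsd-version -kru`, in that order:
# installed kernel, running kernel, userland.

# "13.5-RELEASE-p6" -> 6; a string with no -pN suffix -> 0.
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# Kernel package name in the form the audit output above prints:
# "13.5-RELEASE-p6" -> "FreeBSD-kernel-13.5_6".
# Assumption: only the -pN form seen on this page is handled.
synth_kernel_pkg() {
    echo "FreeBSD-kernel-${1%%-*}_$(patch_level "$1")"
}

# Prints one state (patch levels are compared within one release only):
#   reboot-pending        installed and running kernel strings differ
#   kernel-lags-userland  installed kernel patch level is below userland's
#   consistent            none of the above
version_state() {
    if [ "$1" != "$2" ]; then
        echo reboot-pending
    elif [ "$(patch_level "$1")" -lt "$(patch_level "$3")" ]; then
        echo kernel-lags-userland
    else
        echo consistent
    fi
}

# Two-line summary: the name an audit keyed on -k would look up, and the state.
report() {
    printf 'audit key: %s\nstate:     %s\n' \
        "$(synth_kernel_pkg "$1")" "$(version_state "$1" "$2" "$3")"
}

# Values copied from the message above.
report 13.5-RELEASE-p6 13.5-RELEASE-p6 13.5-RELEASE-p8
```

On a live host the same summary comes from `report $(freebsd-version -kru)`.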
