From nobody Fri Jan 2 02:23:55 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dj6vT0dHVz6M6CX for ; Fri, 02 Jan 2026 02:24:05 +0000 (UTC) (envelope-from list_freebsd@bluerosetech.com) Received: from echo.brtsvcs.net (echo.brtsvcs.net [IPv6:2607:f740:c::4ae]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4dj6vS0TYfz3f30; Fri, 02 Jan 2026 02:24:03 +0000 (UTC) (envelope-from list_freebsd@bluerosetech.com) Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of list_freebsd@bluerosetech.com designates 2607:f740:c::4ae as permitted sender) smtp.mailfrom=list_freebsd@bluerosetech.com Received: from chombo.houseloki.net (chombo [65.100.43.2]) by echo.brtsvcs.net (Postfix) with ESMTPS id 0D31DECB94; Fri, 02 Jan 2026 02:23:56 +0000 (UTC) Received: from [10.26.25.100] (ivy.pas.ds.pilgrimaccounting.com [10.26.25.100]) by chombo.houseloki.net (Postfix) with ESMTPSA id 8AA8F3D1AF; Thu, 01 Jan 2026 18:23:55 -0800 (PST) Message-ID: <9b881b84-e9b8-96b8-eb6a-8cf6a7fff3db@bluerosetech.com> Date: Thu, 1 Jan 2026 18:23:55 -0800 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.15.1 Subject: Did this need a kernel version bump? [Was: Re: FreeBSD Security Advisory FreeBSD-SA-25:11.ipfw] Content-Language: en-US To: freebsd-security@freebsd.org, FreeBSD Security Advisories References: <20251217010207.1E91EE32B@freefall.freebsd.org> From: Mel P In-Reply-To: <20251217010207.1E91EE32B@freefall.freebsd.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spamd-Bar: / X-Spamd-Result: default: False [-0.01 / 15.00]; NEURAL_HAM_SHORT(-0.99)[-0.987]; NEURAL_SPAM_LONG(0.74)[0.737]; NEURAL_SPAM_MEDIUM(0.54)[0.538]; R_SPF_ALLOW(-0.20)[+mx]; MIME_GOOD(-0.10)[text/plain]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; RCVD_TLS_ALL(0.00)[]; ASN(0.00)[asn:36236, ipnet:2607:f740:c::/48, country:US]; RCPT_COUNT_TWO(0.00)[2]; MIME_TRACE(0.00)[0:+]; MID_RHS_MATCH_FROM(0.00)[]; R_DKIM_NA(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; DMARC_NA(0.00)[bluerosetech.com]; TO_MATCH_ENVRCPT_ALL(0.00)[]; SUBJECT_HAS_QUESTION(0.00)[] X-Rspamd-Queue-Id: 4dj6vS0TYfz3f30 After updating via freebsd-update on my 13.5 systems, I have: # freebsd-version -kru 13.5-RELEASE-p6 13.5-RELEASE-p6 13.5-RELEASE-p8 However, pkg-base-audit doesn't "see" that the update was applied: Checking for security vulnerabilities in base (userland & kernel): vulnxml file up-to-date FreeBSD-kernel-13.5_6 is vulnerable: FreeBSD -- ipfw denial of service CVE: CVE-2025-14769 WWW: https://vuxml.FreeBSD.org/freebsd/0b22e22a-dae9-11f0-80b8-bc241121aa0a.html 1 problem(s) in 1 package(s) found. vulnxml file up-to-date 0 problem(s) in 0 package(s) found. That makes sense--on non-pkgbase systems it synthesizes a hypothetical kernel pkg from `freebsd-version -k`, so it can't see the update unless the kernel version increases. I can see that /boot/kernel/ipfw_pmod.ko changed between the running BE and the -p7 snapshot, so I'm confident I did get the update. Does pkg-audit-base have a bug such that it also must consider the userland version when checking for kernel vulns; or did the kernel version bump get missed? From nobody Fri Jan 2 13:31:35 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4djPjk0RLhz6MvGD for ; Fri, 02 Jan 2026 13:31:38 +0000 (UTC) (envelope-from des@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R12" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4djPjj50zWz3bKB; Fri, 02 Jan 2026 13:31:37 +0000 (UTC) (envelope-from des@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1767360697; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UOeox/5JCwbaoruxN2S96sBNrcJ/aN3A8RlsmNJl12s=; b=TBpt08JVGjrlmSWDB9/WCGFDieIcCdSQHd9HhM+S91qqZCPDvHaWCNLRGS5L6O8KWEAIQY O3IP3WIBUynsFFoVLtVme3jWmP90O44mFucJgfbaQAweo8+wU1gSjHhL+wPRyY7ERzCJfO XbnZ+MdQP0wbOvIlIdQwGEhsujMDfMQpPmVJ9a5NbGfx2cuWSEnVV4mJSwMX3+CqVwv1Ee Xhs7VXdnaxCumQMIziADMObwbMN1AzP0SbIVHnqq1sEPqBHoQGV/kNkgUBKddx6HUZ1+Ph xIdPsGVB4PU+Ek1TuOqi+YSlb9B/g9nkO8NGco4SdmtvyF3zguEPeTii+EOvqw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1767360697; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UOeox/5JCwbaoruxN2S96sBNrcJ/aN3A8RlsmNJl12s=; b=tL7/BcErzpAJA4z2EYBFP11PrrFm3Fpx0//I6UON/0m0FtZFRV8bmPXmA3GEPlIQdihR5p 7pALZ2bZf/0OuZCPod4joQdZ2XhVRTG4Qz9hlILKP6agRcpRG96fgz1F4OUcDO+GpkL93N wzEvSwvjC/mP7GIZtcIiW7IBensB3amHccQCWLPG8gD2CC9fO3o6aMNr5H+N+dEtImLn8J XiTq/REUnyrj3eunFPYgiOWjaohwgDj0BrGs26XSnyzczbA2Akv1gKpKrQTlvnKjFXcpwL MnjsbAPcDzd7S0XVw+mekGksXgsBKlwg3OhlpPgnT/QW3xFkBIKG/sGJgNANdA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1767360697; a=rsa-sha256; cv=none; b=YPBizAF0kFs2AmQ/f/ikY8mvz4aUUNqhJIUZMMdtDgrgPq83QBoRi9dHTkuRdJ4rmJV+oS yzCVoTtvEZI07ZYcfYJQ1L0YzjtZW6vqnuCbktKA6mTJsTNjM8Zkus8tHK0enay3EMJv4W q1lTIOFiOE94chnh5EdgCqTj4xnvm0YeRRHaBwW49+zMF+WW6Y9KEK75t+qCP9XgHk99B4 g2Suckb5DfKteOuQ954UzwW7dJ7U7eGFxP1ZOoQD5Adz6qmE2mWP34rsYEvqon2XWuQPta JzsEY0JCvGodv9KnzC2NbFOD3OZbgnMlENuxNdfTY/hAFOXHPDkqu8eCHfUz6g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from ltc.des.dev (lfbn-nan-1-698-103.w86-236.abo.wanadoo.fr [86.236.35.103]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: des) by smtp.freebsd.org (Postfix) with ESMTPSA id 4djPjj3m8nzm0Y; Fri, 02 Jan 2026 13:31:37 +0000 (UTC) (envelope-from des@freebsd.org) Received: by ltc.des.dev (Postfix, from userid 1001) id 46461F3F88; Fri, 02 Jan 2026 14:31:35 +0100 (CET) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Mel P Cc: cperciva@freebsd.org, freebsd-security@freebsd.org Subject: Re: Did this need a kernel version bump? [Was: Re: FreeBSD Security Advisory FreeBSD-SA-25:11.ipfw] In-Reply-To: <9b881b84-e9b8-96b8-eb6a-8cf6a7fff3db@bluerosetech.com> (Mel P.'s message of "Thu, 1 Jan 2026 18:23:55 -0800") References: <20251217010207.1E91EE32B@freefall.freebsd.org> <9b881b84-e9b8-96b8-eb6a-8cf6a7fff3db@bluerosetech.com> User-Agent: Gnus/5.13 (Gnus v5.13) Date: Fri, 02 Jan 2026 14:31:35 +0100 Message-ID: <86ldigjg3s.fsf@ltc.des.dev> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Mel P writes: > I can see that /boot/kernel/ipfw_pmod.ko changed between the running > BE and the -p7 snapshot, so I'm confident I did get the update. > > Does pkg-audit-base have a bug such that it also must consider the > userland version when checking for kernel vulns; or did the kernel > version bump get missed? The scripts we use to generate binary patches discard the kernel version bump if nothing else in the kernel itself has changed, which is the case here since the advisory only affected a kernel module. Whether or not this is a bug is debatable. It has certainly caused a lot of confusion over the years. On the other hand, we don't want to force a reboot when users could in theory simply reload the module. On the gripping hand, some modules can't be reloaded (or at least, as is the case with ipfw, can't safely be reloaded remotely). Either way, it is unlikely to get fixed, since we don't expect to continue using freebsd-update much longer. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@FreeBSD.org