From: Mel P <list_freebsd@bluerosetech.com>
To: freebsd-security@freebsd.org, FreeBSD Security Advisories
Date: Thu, 1 Jan 2026 18:23:55 -0800
Subject: Did this need a kernel version bump? [Was: Re: FreeBSD Security Advisory FreeBSD-SA-25:11.ipfw]
Message-ID: <9b881b84-e9b8-96b8-eb6a-8cf6a7fff3db@bluerosetech.com>
In-Reply-To: <20251217010207.1E91EE32B@freefall.freebsd.org>
List-Id: Security issues <freebsd-security@freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security

After updating via freebsd-update on my 13.5 systems, I have:

    # freebsd-version -kru
    13.5-RELEASE-p6
    13.5-RELEASE-p6
    13.5-RELEASE-p8

However, pkg-base-audit doesn't "see" that the update was applied:

    Checking for security vulnerabilities in base (userland & kernel):
    vulnxml file up-to-date
    FreeBSD-kernel-13.5_6 is vulnerable:
      FreeBSD -- ipfw denial of service
      CVE: CVE-2025-14769
      WWW: https://vuxml.FreeBSD.org/freebsd/0b22e22a-dae9-11f0-80b8-bc241121aa0a.html

    1 problem(s) in 1 package(s) found.
    vulnxml file up-to-date
    0 problem(s) in 0 package(s) found.

That makes sense--on non-pkgbase systems it synthesizes a hypothetical kernel pkg from `freebsd-version -k`, so it can't see the update unless the kernel version increases. I can see that /boot/kernel/ipfw_pmod.ko changed between the running BE and the -p7 snapshot, so I'm confident I did get the update.
Does pkg-audit-base have a bug such that it also must consider the userland version when checking for kernel vulns; or did the kernel version bump get missed?
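The comparison the post describes, as an added example that is not part of the message above and not code from pkg-base-audit or pkg: a small POSIX sh script that takes the three lines of `freebsd-version -kru`, derives the synthetic kernel package name the audit output reports (the `FreeBSD-kernel-13.5_6` form is inferred from the quoted output, which is an assumption, not something read from pkg's source), and says whether the installed kernel's patch level lags the userland's. The sample values are the ones quoted in the post.

```sh
#!/bin/sh
# Added example, not from the post or from pkg-base-audit: compare the kernel
# and userland patch levels the way the audit effectively sees them.
# Inputs are version strings as printed by `freebsd-version -kru`.

# Patch level N from a string like 13.5-RELEASE-p6; 0 when there is no -pN suffix.
patch_level() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         printf '0\n' ;;
    esac
}

# Release part, e.g. 13.5 from 13.5-RELEASE-p6.
release_of() {
    printf '%s\n' "${1%%-*}"
}

# Synthetic package name in the form the audit output reports for a non-pkgbase
# kernel, e.g. 13.5-RELEASE-p6 -> FreeBSD-kernel-13.5_6.
# Assumption: this mapping is inferred from the quoted audit output.
synth_kernel_pkg() {
    printf 'FreeBSD-kernel-%s_%s\n' "$(release_of "$1")" "$(patch_level "$1")"
}

# Arguments: installed kernel, running kernel, userland (the three lines of
# `freebsd-version -kru`). Prints one verdict; returns 0 only when in sync.
check_levels() {
    ki=$(patch_level "$1"); kr=$(patch_level "$2"); u=$(patch_level "$3")
    if [ "$(release_of "$1")" != "$(release_of "$3")" ]; then
        echo release-mismatch; return 2   # kernel and userland from different releases
    fi
    if [ "$ki" -ne "$kr" ]; then
        echo reboot-needed; return 1      # newer kernel installed but not yet running
    fi
    if [ "$ki" -lt "$u" ]; then
        echo kernel-lags; return 1        # audit keeps flagging FreeBSD-kernel-<rel>_<ki>
    fi
    echo in-sync; return 0
}

# Constructed sample: the three values quoted in the post.
# On a real host use instead:  set -- $(freebsd-version -kru); check_levels "$@"
SAMPLE_KINST=13.5-RELEASE-p6
SAMPLE_KRUN=13.5-RELEASE-p6
SAMPLE_USER=13.5-RELEASE-p8
printf 'audit sees kernel package: %s\n' "$(synth_kernel_pkg "$SAMPLE_KINST")"
printf 'verdict: %s\n' "$(check_levels "$SAMPLE_KINST" "$SAMPLE_KRUN" "$SAMPLE_USER" || :)"
```

With the post's values the verdict is `kernel-lags`, which is exactly the state the audit reports on. The script cannot tell whether that lag is a missed kernel version bump or a run of userland-only patches; for that you still have to compare the advisory's list of affected files against what the update actually replaced, as the post does with /boot/kernel/ipfw_pmod.ko.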