From: Dag-Erling Smørgrav
To: Mel P
Cc: cperciva@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Did this need a kernel version bump? [Was: Re: FreeBSD Security Advisory FreeBSD-SA-25:11.ipfw]
Date: Fri, 02 Jan 2026 14:31:35 +0100
Message-ID: <86ldigjg3s.fsf@ltc.des.dev>
In-Reply-To: <9b881b84-e9b8-96b8-eb6a-8cf6a7fff3db@bluerosetech.com> (Mel P.'s message of "Thu, 1 Jan 2026 18:23:55 -0800")
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Mel P writes:
> I can see that /boot/kernel/ipfw_pmod.ko changed between the running
> BE and the -p7 snapshot, so I'm confident I did get the update.
>
> Does pkg-audit-base have a bug such that it also must consider the
> userland version when checking for kernel vulns; or did the kernel
> version bump get missed?

The scripts we use to generate binary patches discard the kernel version
bump if nothing else in the kernel itself has changed, which is the case
here since the advisory only affected a kernel module.

Whether or not this is a bug is debatable. It has certainly caused a lot
of confusion over the years. On the other hand, we don't want to force a
reboot when users could in theory simply reload the module. On the
gripping hand, some modules can't be reloaded (or at least, as is the
case with ipfw, can't safely be reloaded remotely).

Either way, it is unlikely to get fixed, since we don't expect to
continue using freebsd-update much longer.

DES
-- 
Dag-Erling Smørgrav - des@FreeBSD.org
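
Added example, not part of the original message or of any FreeBSD tool: a shell check for the situation described in the thread, where the kernel's reported patch level can lag behind userland after an update that touched only a kernel module. The function names and sample version strings are constructed for illustration; on a live system the inputs come from freebsd-version(1) with -k and -u.

```shell
#!/bin/sh
# Inputs are version strings in the form printed by freebsd-version(1),
# e.g. "14.3-RELEASE-p7" (constructed sample). No "-pN" suffix means level 0.

# patch_level VERSION -> prints N from a trailing "-pN", or 0 if absent.
patch_level() {
    case "$1" in
        *-p[0-9]*) n=${1##*-p} ;;
        *)         n=0 ;;
    esac
    case "$n" in
        ''|*[!0-9]*) n=0 ;;   # anything non-numeric is treated as level 0
    esac
    echo "$n"
}

# base_release VERSION -> prints VERSION with a trailing "-pN" removed.
base_release() {
    case "$1" in
        *-p[0-9]*) echo "${1%-p*}" ;;
        *)         echo "$1" ;;
    esac
}

# compare_levels KERNEL USERLAND -> prints one of:
#   match             same release and same patch level
#   userland-ahead    kernel string reports a lower patch level; per the
#                     thread this also happens when an update changed only
#                     a kernel module, so the version alone does not show
#                     that a module fix is missing
#   kernel-ahead      kernel string reports a higher patch level
#   release-mismatch  different base releases, patch levels not comparable
compare_levels() {
    if [ "$(base_release "$1")" != "$(base_release "$2")" ]; then
        echo release-mismatch
        return 0
    fi
    k=$(patch_level "$1")
    u=$(patch_level "$2")
    if [ "$k" -eq "$u" ]; then echo match
    elif [ "$k" -lt "$u" ]; then echo userland-ahead
    else echo kernel-ahead
    fi
}

# On a FreeBSD host, compare the installed kernel with the installed userland.
if command -v freebsd-version >/dev/null 2>&1; then
    compare_levels "$(freebsd-version -k)" "$(freebsd-version -u)"
fi
```

A "userland-ahead" result is a prompt to check the affected module file itself, as the original poster did with /boot/kernel/ipfw_pmod.ko, rather than to trust the kernel version string.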