[Bug 291765] freebsd-update ignores ERRATA kernel update - only updates userland

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 19 Dec 2025 19:40:36 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291765

--- Comment #11 from Colin Percival <cperciva@FreeBSD.org> ---
(In reply to fillips.grisly-0a from comment #10)
> It appears that in the vulnerability database, the recent ipfw vulnerability was attributed to FreeBSD-kernel-14.3_5. This led me (and perhaps other folks) relying on `/usr/local/etc/periodic/security/410.pkg-audit` (provided by `pkg`) to believe that the system remained vulnerable. I wonder if the ipfw vulnerability should not have been attributed to FreeBSD-kernel-14.3_5.

That's the downside to not shipping new kernels.  We don't embed version
numbers into kernel modules, so there's no way for scanning tools to figure out
that you have a 14.3-p5 kernel but a 14.3-p7 ipfw.ko.

Once we all move to pkgbase, this problem will go away, because pkgbase doesn't
try to be smart like FreeBSD Update -- it will ship a new kernel even if the
only change is the version number.  But for now there really isn't any good
solution for vulnerability scanning tools.

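As an added illustration of the gap Colin describes (this is not code from the bug report or from FreeBSD), the script below lists kernel modules whose on-disk modification time is later than the kernel binary's, which is the one signal left when freebsd-update has replaced only a module such as ipfw.ko while `freebsd-version -k` still reports the older patch level. It assumes the FreeBSD layout of `/boot/kernel/kernel` plus `*.ko` modules and that freebsd-update writes fresh timestamps when it installs a patched module; the directory argument exists so the check can be run against a copy on another system.

```sh
#!/bin/sh
# Added example: find kernel modules rebuilt after the kernel they sit beside.
# After an errata update that touches only ipfw.ko, the kernel's patch level
# (freebsd-version -k) still reads the old value, so a version-based scanner
# cannot see that the module is newer. Module mtime is used here as the signal;
# that freebsd-update installs modules with a fresh mtime is an assumption.

# newer_modules [DIR]: print basenames of DIR/*.ko with an mtime later than
# DIR/kernel, one per line, C-sorted. Prints nothing if no module is newer;
# returns 2 if DIR/kernel is missing. DIR defaults to /boot/kernel.
newer_modules() {
    dir="${1:-/boot/kernel}"
    [ -f "$dir/kernel" ] || { echo "no kernel at $dir/kernel" >&2; return 2; }
    find "$dir" -maxdepth 1 -name '*.ko' -newer "$dir/kernel" \
        -exec basename {} \; | LC_ALL=C sort
}

# report [DIR]: summary for an operator; adds the freebsd-version patch levels
# when that tool is present (it is FreeBSD-only, so this is skipped elsewhere).
report() {
    dir="${1:-/boot/kernel}"
    if command -v freebsd-version >/dev/null 2>&1; then
        echo "installed kernel: $(freebsd-version -k)  userland: $(freebsd-version -u)"
    fi
    mods=$(newer_modules "$dir") || return $?
    if [ -n "$mods" ]; then
        echo "modules newer than the kernel (the kernel patch level understates them):"
        echo "$mods" | sed 's/^/  /'
    else
        echo "no module is newer than the kernel"
    fi
}

# Run as: sh check_modules.sh --run [/boot/kernel]
if [ "${1:-}" = "--run" ]; then
    report "${2:-/boot/kernel}"
fi
```

A module listed here is a hint that `pkg audit` output keyed on the kernel's version string may be stale for that module, not proof that the fix is present; the module's actual build still has to be confirmed against the advisory.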