Did this need a kernel version bump? [Was: Re: FreeBSD Security Advisory FreeBSD-SA-25:11.ipfw]
Date: Fri, 02 Jan 2026 02:23:55 UTC
After updating via freebsd-update on my 13.5 systems, I have:

    # freebsd-version -kru
    13.5-RELEASE-p6
    13.5-RELEASE-p6
    13.5-RELEASE-p8

However, pkg-base-audit doesn't "see" that the update was applied:

    Checking for security vulnerabilities in base (userland & kernel):
    vulnxml file up-to-date
    FreeBSD-kernel-13.5_6 is vulnerable:
      FreeBSD -- ipfw denial of service
      CVE: CVE-2025-14769
      WWW: https://vuxml.FreeBSD.org/freebsd/0b22e22a-dae9-11f0-80b8-bc241121aa0a.html

    1 problem(s) in 1 package(s) found.
    vulnxml file up-to-date
    0 problem(s) in 0 package(s) found.

That makes sense--on non-pkgbase systems it synthesizes a hypothetical kernel pkg from `freebsd-version -k`, so it can't see the update unless the kernel version increases.

I can see that /boot/kernel/ipfw_pmod.ko changed between the running BE and the -p7 snapshot, so I'm confident I did get the update.

Does pkg-audit-base have a bug such that it also must consider the userland version when checking for kernel vulns; or did the kernel version bump get missed?