https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291765

--- Comment #11 from Colin Percival <[email protected]> ---

(In reply to fillips.grisly-0a from comment #10)

> It appears that in the vulnerability database, the recent ipfw vulnerability
> was attributed to FreeBSD-kernel-14.3_5. This led me (and perhaps other
> folks) relying on `/usr/local/etc/periodic/security/410.pkg-audit` (provided
> by `pkg`) to believe that the system remained vulnerable. I wonder if the
> ipfw vulnerability should not have been attributed to FreeBSD-kernel-14.3_5.

That's the downside to not shipping new kernels. We don't embed version numbers into kernel modules, so there's no way for scanning tools to figure out that you have a 14.3-p5 kernel but a 14.3-p7 ipfw.ko.

Once we all move to pkgbase, this problem will go away, because pkgbase doesn't try to be smart like FreeBSD Update -- it will ship a new kernel even if the only change is the version number. But for now there really isn't any good solution for vulnerability scanning tools.
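The following is an added example, not code from the bug report, from pkg or from the FreeBSD project: a simplified model of how a VuXML-style audit keyed on the kernel's reported patch level ends up flagging FreeBSD-kernel-14.3_5. The advisory entry (its id and its fixed version 14.3_7), the package list and the version comparison rules are constructed assumptions; the page carries no advisory text, and pkg's real version comparison handles far more forms than the `major.minor_patch` shape used here. What it shows is the mechanism behind the comment: the only input the scanner has is the version the kernel reports, so a host whose ipfw.ko was patched by freebsd-update without a new kernel is indistinguishable from an unpatched one.

```python
"""Simplified model of a version-keyed audit against a constructed advisory.

Added example; not code from pkg or from the bug report.  The advisory below
is constructed and is not the real ipfw advisory.
"""
import re
from typing import List, Tuple

# Constructed advisory entry, shaped like a VuXML "< fixed-version" range.
# The id and fixed version are assumptions for this example.
ADVISORIES = [
    {"id": "example-advisory-ipfw", "package": "FreeBSD-kernel", "fixed": "14.3_7"},
]


def parse_version(ver: str) -> Tuple[int, int, int]:
    """Turn '14.3_5' into (14, 3, 5); a missing '_N' patch level counts as 0.

    Deliberately limited to the major.minor[_patch] form; pkg's own
    comparison accepts many more version shapes.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:_(\d+))?", ver)
    if not m:
        raise ValueError(f"unrecognised version: {ver}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def split_pkg(pkgname: str) -> Tuple[str, str]:
    """'FreeBSD-kernel-14.3_5' -> ('FreeBSD-kernel', '14.3_5')."""
    name, _, ver = pkgname.rpartition("-")
    return name, ver


def audit(installed: List[str]) -> List[Tuple[str, str]]:
    """Return (package, advisory id) pairs for packages below the fixed version.

    The only fact about the kernel the scanner sees is the version string
    in `installed`.  On a freebsd-update host that string comes from the
    kernel's reported patch level; a module such as ipfw.ko patched without
    a kernel rebuild does not change it, so the flag is raised regardless.
    """
    hits = []
    for pkg in installed:
        name, ver = split_pkg(pkg)
        for adv in ADVISORIES:
            if adv["package"] == name and parse_version(ver) < parse_version(adv["fixed"]):
                hits.append((pkg, adv["id"]))
    return hits


if __name__ == "__main__":
    # Constructed inputs: the kernel still reports p5 after only ipfw.ko
    # changed, so the audit flags it; a p7 kernel would not be flagged.
    print(audit(["FreeBSD-kernel-14.3_5"]))
    print(audit(["FreeBSD-kernel-14.3_7"]))
```

The practical reading for a defender is that a match on FreeBSD-kernel from this kind of scanner tells you the reported kernel version is below the fix, not whether the affected module on disk is the patched one; confirming the latter on a freebsd-update host means checking what freebsd-update actually installed rather than trusting the audit output alone.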
