After updating via freebsd-update on my 13.5 systems, I have:
# freebsd-version -kru
13.5-RELEASE-p6
13.5-RELEASE-p6
13.5-RELEASE-p8
However, pkg-base-audit doesn't "see" that the update was applied:
Checking for security vulnerabilities in base (userland & kernel):
vulnxml file up-to-date
FreeBSD-kernel-13.5_6 is vulnerable:
FreeBSD -- ipfw denial of service
CVE: CVE-2025-14769
WWW: https://vuxml.FreeBSD.org/freebsd/0b22e22a-dae9-11f0-80b8-bc241121aa0a.html
1 problem(s) in 1 package(s) found.
vulnxml file up-to-date
0 problem(s) in 0 package(s) found.
That makes sense--on non-pkgbase systems it synthesizes a hypothetical
kernel pkg from `freebsd-version -k`, so it can't see the update unless
the kernel version increases.
I can see that /boot/kernel/ipfw_pmod.ko changed between the running BE
and the -p7 snapshot, so I'm confident I did get the update.
Does pkg-audit-base have a bug such that it also must consider the
userland version when checking for kernel vulns; or did the kernel
version bump get missed?
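
The check below is an added example, not part of the original message and not code from base-audit: it reproduces the version-to-package mapping visible in the quoted output and flags the case where the kernel patch level lags userland, which is when a kernel audit result is worth verifying by hand. The function names and the naming of a release with no patch level are assumptions.

```sh
#!/bin/sh
# Added example. The "FreeBSD-kernel-<release>_<patch>" form is inferred
# from the audit output quoted above; it is not taken from base-audit.

# patch_level VERSION: "13.5-RELEASE-p6" -> 6, "13.5-RELEASE" -> 0
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# synth_kernel_pkg VERSION: "13.5-RELEASE-p6" -> "FreeBSD-kernel-13.5_6"
# Assumption: a release with no patch level carries no "_N" suffix.
synth_kernel_pkg() {
    rel="${1%%-*}"
    pl=$(patch_level "$1")
    if [ "$pl" -gt 0 ]; then
        echo "FreeBSD-kernel-${rel}_${pl}"
    else
        echo "FreeBSD-kernel-${rel}"
    fi
}

# version_gap INSTALLED_KERNEL RUNNING_KERNEL USERLAND
# Arguments are in the order freebsd-version prints them for -kru.
version_gap() {
    k=$(patch_level "$1"); r=$(patch_level "$2"); u=$(patch_level "$3")
    if [ "${1%%-*}" != "${3%%-*}" ]; then
        echo "release-mismatch"       # kernel and userland on different releases
    elif [ "$k" != "$r" ]; then
        echo "reboot-pending"         # installed kernel differs from running one
    elif [ "$k" -lt "$u" ]; then
        echo "kernel-lags-userland"   # kernel audit is keyed to the lower level
    else
        echo "consistent"
    fi
}

# On a FreeBSD host, report the name the kernel is audited under and the gap.
if command -v freebsd-version >/dev/null 2>&1; then
    set -- $(freebsd-version -kru)
    echo "kernel audited as: $(synth_kernel_pkg "$1")"
    echo "status: $(version_gap "$1" "$2" "$3")"
fi
```

With the versions quoted in the message the status is `kernel-lags-userland`; confirming the patched files themselves, as done above with /boot/kernel/ipfw_pmod.ko, is then the deciding check.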