CVE-2025-14769 fix not available on 15.0-RELEASE-p1?


Code:
root@n54lvillaverde:~ # freebsd-version
15.0-RELEASE-p1
root@n54lvillaverde:~ # freebsd-update fetch
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 15.0-RELEASE from update2.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 15.0-RELEASE-p1
Am I doing something wrong?
 
Kernel wasn't updated, only the module. Unfortunately all the pkgbase packages get rebuilt as a whole with each update. So the pkgbase kernel package does show 15.0-RELEASE-p1, while a freebsd-update(8) system would not.

It's a bit of an issue with pkg-audit(8) and pkgbase, I'm hoping this gets fixed some time soon because it's utterly confusing, even for seasoned FreeBSD users.

Am I doing something wrong?
You did nothing wrong.
 
Oh, to further fuel the confusion, the bug only seems to be fixed in 13.5 and 14.3, there's no mention of 15.0 in the advisory. Could be it didn't apply, but VuXML seems to imply it does.


Kristof Provost might know. Maybe the fix wasn't needed on 15.0.
Comparing:
14.3-RELEASE - ipfw: pmod: avoid further rule processing after tcp-mod failures - committed on 2025-12-16
15.0-RELEASE - ipfw: pmod: avoid further rule processing after tcp-mod failures - committed on 2025-11-05

The latter one had already been committed before the official release date of 15.0-RELEASE.
In my view:
https://www.freebsd.org/security/advisories/FreeBSD-SA-25:11.ipfw.asc seems correct.
https://vuxml.freebsd.org/freebsd/0b22e22a-dae9-11f0-80b8-bc241121aa0a.html seems incorrect,
where it states: "15.0 <= FreeBSD-kernel < 15.0_1" in its "Affected packages" table entry.

My hunch is that, because base packages were all being rebuilt for the 15.0-RELEASE-p1 patch, the VuXML generating process might have erroneously considered 15.0-RELEASE to have been affected as well. It seems that this is the first instance that officially supported base packages are being processed by the "vulnerability mechanism" that detects and reports package vulnerabilities. That used to be completely and uniquely geared towards the ports tree. Now it is taking into account base packages.

The fact that the concerned 15.0-RELEASE package, base/FreeBSD-ipfw didn't get its port revision number bumped (no 15.0_1) supports the fact that 15.0-RELEASE was indeed not affected by https://www.freebsd.org/security/advisories/FreeBSD-SA-25:11.ipfw.asc: the bug had already been resolved when 15.0-RELEASE was released.
On my packaged base 15.0-RELEASE:
Code:
[0-0] # freebsd-version -kru
15.0-RELEASE-p1
15.0-RELEASE-p1
15.0-RELEASE-p1
[1-0] # pkg query -e '%n~FreeBSD-ipfw' '%R %o %n %v'
FreeBSD-base base/FreeBSD-ipfw FreeBSD-ipfw 15.0
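To make the "15.0 <= FreeBSD-kernel < 15.0_1" range from the VuXML entry concrete, here is an added example (not from this thread and not FreeBSD's own pkg code) that parses a VuXML-style "Affected packages" row and evaluates it against an installed package name and version, using a simplified approximation of pkg's version ordering (version, then `_revision`, with `,epoch` taking precedence). Real pkg-version(8) has further rules (letter suffixes, `pl`, `+`) that are not modelled here; the function names are my own. It shows why a package still at version 15.0 with no revision bump falls inside that range, while 15.0_1 does not, and that the row only applies to the package it names.

```python
import re
from dataclasses import dataclass

# Simplified model of a FreeBSD pkg version: version[_revision][,epoch].
# order=True compares (epoch, version, revision) lexicographically,
# which is the precedence pkg uses. (Assumption: letter/"pl" rules omitted.)
@dataclass(frozen=True, order=True)
class PkgVersion:
    epoch: int
    version: tuple
    revision: int


def parse_pkg_version(s: str) -> PkgVersion:
    """Parse e.g. '15.0', '15.0_1' or '1.0,1' into a comparable PkgVersion."""
    epoch = 0
    if "," in s:
        s, e = s.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in s:
        s, r = s.split("_", 1)
        revision = int(r)
    parts = []
    for comp in s.split("."):
        # Split each dotted component into digit and letter runs so that
        # numbers compare numerically (10 > 9) and never against strings.
        for tok in re.findall(r"\d+|[A-Za-z]+", comp):
            parts.append((0, int(tok)) if tok.isdigit() else (1, tok))
    return PkgVersion(epoch, tuple(parts), revision)


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def vuxml_range_matches(range_expr: str, name: str, installed: str) -> bool:
    """Evaluate a VuXML 'Affected packages' row of the form
    '[lo OP] NAME [OP hi]' against an installed package name/version.
    Returns True when the installed package is within the affected range."""
    toks = range_expr.split()
    if name not in toks:
        return False  # row is about a different package
    i = toks.index(name)
    v = parse_pkg_version(installed)
    ok = True
    if i >= 2:  # lower bound: lo OP NAME
        ok = ok and _OPS[toks[i - 1]](parse_pkg_version(toks[i - 2]), v)
    if i + 2 < len(toks):  # upper bound: NAME OP hi
        ok = ok and _OPS[toks[i + 1]](v, parse_pkg_version(toks[i + 2]))
    return ok


# Row quoted from the VuXML entry discussed above; the candidate
# installed versions below are constructed for illustration.
VUXML_ROW = "15.0 <= FreeBSD-kernel < 15.0_1"

if __name__ == "__main__":
    for pkg, ver in [("FreeBSD-kernel", "15.0"),
                     ("FreeBSD-kernel", "15.0_1"),
                     ("FreeBSD-ipfw", "15.0")]:
        flagged = vuxml_range_matches(VUXML_ROW, pkg, ver)
        print(f"{pkg} {ver}: {'affected' if flagged else 'not affected'}")
```

The unbumped 15.0 matches because the range is half-open and 15.0_1 is strictly greater than 15.0 only by its revision; a package at 15.0_1 is already at the upper bound and is excluded. A row naming FreeBSD-kernel says nothing about base/FreeBSD-ipfw, whatever its version.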
 
The latter one had already been committed before the official release date of 15.0-RELEASE.
Ah, that explains it. It would have been nice if it was mentioned in the SA though, patch was done on stable/15, that would have been one of the ALPHA releases.

It seems that this is the first instance that officially supported base packages are being processed by the "vulnerability mechanism" that detects and reports package vulnerabilities.
No, it happened before. Can't remember the exact one. I'll see if I can find it again.
 
Thanks. So it seems it is a report issue, not a security issue then, right?
Can someone report it as a bug perhaps? I don't have bugzilla access (I requested it).
 