1. Forum
  2. FidoNet
  3. comp.unix.bsd.freebsd.ann

  • FreeBSD Errata Notice FreeBSD-EN-26:12.freebsd-update

    From FreeBSD Errata Notices@3:633/10 to All on Friday, May 01, 2026 17:00:09
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    ============================================================================= FreeBSD-EN-26:12.freebsd-update Errata Notice
    The FreeBSD Project

    Topic: Source inconsistency between freebsd-update, EN/SAs, and git

    Category: core
    Module: freebsd-update
    Announced: 2026-05-01
    Affects: All supported versions of FreeBSD.
    Corrected: 2026-05-01 15:08:47 UTC (releng/15.0, 15.0-RELEASE-p8)
    2026-05-01 15:08:38 UTC (releng/14.4, 14.4-RELEASE-p4)
    2026-05-01 15:08:31 UTC (releng/14.3, 14.3-RELEASE-p13)
    2026-05-01 15:08:20 UTC (releng/13.5, 13.5-RELEASE-p14)

    For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security
    branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

    Note: While FreeBSD 13.5 is end of life (EOL) as of May 1st, 2026, the
    Security Team has decided to patch this issue as it was identified and a fix was in-flight before the EOL date.

    I. Background

    The FreeBSD Security Team distributes patches for supported releases via the git version control system, as patches link through errata and advisories,
    and through the freebsd-update binary update system.

    Both freebsd-update and the errata/advisories do not directly use the authoritative git repo but instead rely on individual patch files.

    II. Problem Description

    Due to the manual nature of patch file development and management, there are instances where either a freebsd-update maintained machine or a patched
    source tree from errata/advisories have become out of sync with the authoritative git repository.

    Specifically, an earlier version of the patch associated with SA-26:11.amd64 was distributed via freebsd-update. The source patch linked in the advisory
    and the source in git were both correct.

    Additionally, patches distributed via freebsd-update and errata/advisories
    are occasionally missing test or non-material ancillary files to minimize
    patch size and improve compatibility across releases, causing an additional source of drift from the authoritative git repository.

    Pkgbase is unaffected as it directly builds from the authoritative git repository.

    III. Impact

    As a result of this drift, the FreeBSD Security Team has changed the freebsd-update build mechanism to retrieve source directly from the authoritative git repository. This has caused a binary update to rectify the SA-26:11.amd64 issue as well as alter a few additional files, such as test infrastructure and ancillary tooling files, that have been updated in git but were not distributed via freebsd-update.

    IV. Workaround

    No workaround is available. Systems using pkgbase or building directly from source obtained from the authoritative git repository are unaffected.

    V. Solution

    Upgrade your system to a supported FreeBSD stable or release / security
    branch (releng) dated after the correction date and reboot the system.

    Perform one of the following:

    1) If your system is installed from base system packages:

    No update is needed as pkgbase is not affected by this issue.

    2) To update your system installed from binary distribution sets:

    Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, which were not installed using base
    system packages, can be updated via the freebsd-update(8) utility:

    # freebsd-update fetch
    # freebsd-update install
    # shutdown -r +10min "Rebooting for a system update"

    3) To update your system via a source code patch:

    The following patches are only intended to be used for source trees that have been maintained with patches linked by previous EN/SAs.

    a) Download the relevant patch from the location below, and verify the
    detached PGP signature using your PGP utility.

    [FreeBSD 15.0]
    # fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-150.patch
    # fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-150.patch.asc
    # gpg --verify ensa-150.patch.asc

    [FreeBSD 14.4]
    # fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-144.patch
    # fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-144.patch.asc
    # gpg --verify ensa-144.patch.asc

    [FreeBSD 14.3]
    # fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-143.patch
    # fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-143.patch.asc
    # gpg --verify ensa-143.patch.asc

    [FreeBSD 13.5]
    # fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-135.patch
    # fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-135.patch.asc
    # gpg --verify ensa-135.patch.asc

    b) Apply the patch. Execute the following commands as root:

    # cd /usr/src
    # patch < /path/to/patch

    c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

    Reboot the system.

    VI. Correction details

    This issue is corrected as of the corresponding Git commit hash in the following stable and release branches:

    Branch/path Hash Revision
    - ------------------------------------------------------------------------- releng/15.0/ 53054229dcb3 releng/15.0-n281036 releng/14.4/ 49be56ed6fea releng/14.4-n273700 releng/14.3/ 4f4b48e8a547 releng/14.3-n271500 releng/13.5/ 2e6399fe39b3 releng/13.5-n259222
    - -------------------------------------------------------------------------

    Run the following command to see which files were modified by a
    particular commit:

    # git show --stat <commit hash>

    Or visit the following URL, replacing NNNNNN with the hash:

    <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

    To determine the commit count in a working tree (for comparison against
    nNNNNNN in the table above), run:

    # git rev-list --count --first-parent HEAD

    VII. References

    <URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270166>

    The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-26:12.freebsd-update.asc>
    -----BEGIN PGP SIGNATURE-----

    iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmn0yLQbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvPNYQAIXixMavK1HRNgv1kzms qcAlmg/dd46KZKD7SkgAmlqKfO1wIdpDo5GZhcpKqS0TRorgqi7u9UU8xNsYxyG0 mD00dY1m65Vy5wE56QOYDFGnVgC4ZkP3it0HUGZf2t7H9kWO7LB8w8v41z+V7HKK XRaECq4OyCjeFL9e9C1BdztkFSeVyubN+L2ca8q4S6EWq+4tu9ubTaY+P+Xojy0X 1jX42p31ZYoowHNoNPoC6jfNXrHYg2n7TZ3/kcEwCHlENpoFNT7a87RbijoAlvNP 4Y/IsvlvFdpSjxuyT9chKCPiCaMKkb26Zzng8WPcveeQP1T0f6vV7OFCIl+5RlSM dFAYp3+IgyBfNa2iQ+ANYrVZB6718gBiE3mAweO/3VJDRK0+okxtQoOlonOSOUJd BEQrurf2nVJC0Ihi82C/Yn8lHT6IGgEWQzpLLJH2Y9A5z9IEDNpT7s6l6SwOgVuT 1C16q9IincGwKi8YuL1v3Xr9D71PaFWj9DNVuIVe6j9nAFgqZuIFOTPObDcnfN6t n7hiL2UdOIr9bUxl/H8FQoh5nHeDfbzSn0pF1mvkUMANC1/WSQY3ZVmQHOF5D0yV 9snZZTdsk4eZjhXJUGnLIgBVpYNqwTF7Hm3A0/LF4nbTQm2w78XMj/dIJq7lLliH BHnoS2GbAjlAHemJRTt14Zcm
    =Baez
    -----END PGP SIGNATURE-----


    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)