=============================================================================
FreeBSD-EN-23:13.freebsd-update                                 Errata Notice
                                                          The FreeBSD Project

Topic:          freebsd-update does not handle deep boot environments

Category:       core
Announced:      2023-11-08
Affects:        All supported versions of FreeBSD.
Corrected:      2023-10-24 00:04:14 UTC (stable/14, 14.0-STABLE)
                2023-10-24 16:12:01 UTC (releng/14.0, 14.0-RC3)
                2023-10-24 00:04:18 UTC (stable/13, 13.2-STABLE)
                2023-11-08 00:59:45 UTC (releng/13.2, 13.2-RELEASE-p5)
                2023-10-24 00:05:10 UTC (stable/12, 12.4-STABLE)
                2023-11-08 01:10:13 UTC (releng/12.4, 12.4-RELEASE-p7)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit .

I.   Background

freebsd-update will create a new boot environment as a backup when
performing updates.

II.  Problem Description

Some systems use non-default configurations referred to as "deep" boot
environments. Deep boot environments place datasets belonging to the boot
environment subordinate to the boot environment dataset itself, rather than
elsewhere in the pool structure. This kind of boot environment requires the
-r flag to bectl(8) for most operations in order to recurse on these
subordinate datasets, but freebsd-update(8) was not recursing when creating
a backup boot environment.

III. Impact

Without recursing in bectl(8), backups taken of a deep boot environment are
not complete snapshots of the system state before the upgrade takes place.
This means that it's potentially painful to try and rollback to the
pre-upgrade state after the upgrade has completed.

IV.  Workaround

No workaround is available, but the default configuration is not affected
and deep boot environment users may create their own backups prior to an
upgrade with a manual `bectl create -r ...`

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-23:13/freebsd-update.patch
# fetch https://security.FreeBSD.org/patches/EN-23:13/freebsd-update.patch.asc
# gpg --verify freebsd-update.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              5c2a559876d1    stable/14-n265583
releng/14.0/                            e34fdb7c119e  releng/14.0-n265341
stable/13/                              80f747781f12    stable/13-n256596
releng/13.2/                            e79edfaf68c5  releng/13.2-n254641
stable/12/                                                        r373256
releng/12.4/                                                      r373266
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
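
The manual backup described in the Workaround section, as an added example that is not part of the advisory or of freebsd-update: it checks whether the booted boot environment is "deep" and, if so, creates a recursive backup. The function names, the `--run` switch, the `pre-update-` name prefix and the sample dataset names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: detect a "deep" boot environment (datasets subordinate to
# the BE dataset) and take the recursive backup before running an upgrade.

# count_children BE_DATASET
# Reads dataset names on stdin, one per line (the format printed by
# `zfs list -H -o name`), and prints how many sit below BE_DATASET.
count_children() {
    be_ds=$1
    n=0
    while IFS= read -r ds; do
        case $ds in
            "$be_ds"/*) n=$((n + 1)) ;;   # child of the BE dataset
        esac
    done
    echo "$n"
}

# backup_deep_be: run as root on a ZFS-root system before freebsd-update.
backup_deep_be() {
    root_ds=$(zfs list -H -o name /) || { echo "root is not on ZFS" >&2; return 1; }
    children=$(zfs list -H -r -o name "$root_ds" | count_children "$root_ds")
    if [ "$children" -gt 0 ]; then
        name="pre-update-$(date +%Y%m%d-%H%M%S)"   # hypothetical naming scheme
        bectl create -r "$name" && echo "deep BE: created recursive backup $name"
    else
        echo "$root_ds has no subordinate datasets; default layout, not affected"
    fi
}

# Constructed sample listings (not taken from a real system).
SAMPLE_DEEP='zroot/ROOT/default
zroot/ROOT/default/usr
zroot/ROOT/default/var
zroot/ROOT/default/var/log'

SAMPLE_FLAT='zroot/ROOT/default
zroot/ROOT/default2
zroot/usr/home
zroot/var/log'

# Only touch the live system when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    backup_deep_be
fi
```

A sibling boot environment such as `zroot/ROOT/default2` is not counted as a child, so a system with several flat boot environments is not misreported as deep.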