-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-26:12.freebsd-update Errata Notice
The FreeBSD Project
Topic: Source inconsistency between freebsd-update, EN/SAs, and git
Category: core
Module: freebsd-update
Announced: 2026-05-01
Affects: All supported versions of FreeBSD.
Corrected: 2026-05-01 15:08:47 UTC (releng/15.0, 15.0-RELEASE-p8)
2026-05-01 15:08:38 UTC (releng/14.4, 14.4-RELEASE-p4)
2026-05-01 15:08:31 UTC (releng/14.3, 14.3-RELEASE-p13)
2026-05-01 15:08:20 UTC (releng/13.5, 13.5-RELEASE-p14)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
.
Note: While FreeBSD 13.5 is end of life (EOL) as of May 1st, 2026, the
Security Team has decided to patch this issue as it was identified and a fix
was in-flight before the EOL date.
I. Background
The FreeBSD Security Team distributes patches for supported releases via the
git version control system, as patches link through errata and advisories,
and through the freebsd-update binary update system.
Both freebsd-update and the errata/advisories do not directly use the
authoritative git repo but instead rely on individual patch files.
II. Problem Description
Due to the manual nature of patch file development and management, there are
instances where either a freebsd-update maintained machine or a patched
source tree from errata/advisories have become out of sync with the
authoritative git repository.
Specifically, an earlier version of the patch associated with SA-26:11.amd64
was distributed via freebsd-update. The source patch linked in the advisory
and the source in git were both correct.
Additionally, patches distributed via freebsd-update and errata/advisories
are occasionally missing test or non-material ancillary files to minimize
patch size and improve compatibility across releases, causing an additional
source of drift from the authoritative git repository.
Pkgbase is unaffected as it directly builds from the authoritative git
repository.
III. Impact
As a result of this drift, the FreeBSD Security Team has changed the
freebsd-update build mechanism to retrieve source directly from the
authoritative git repository. This has caused a binary update to rectify the
SA-26:11.amd64 issue as well as alter a few additional files, such as test
infrastructure and ancillary tooling files, that have been updated in git but
were not distributed via freebsd-update.
IV. Workaround
No workaround is available. Systems using pkgbase or building directly from
source obtained from the authoritative git repository are unaffected.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date and reboot the system.
Perform one of the following:
1) If your system is installed from base system packages:
No update is needed as pkgbase is not affected by this issue.
2) To update your system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, which were not installed using base
system packages, can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a system update"
3) To update your system via a source code patch:
The following patches are only intended to be used for source trees that have
been maintained with patches linked by previous EN/SAs.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 15.0]
# fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-150.patch
# fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-150.patch.asc
# gpg --verify ensa-150.patch.asc
[FreeBSD 14.4]
# fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-144.patch
# fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-144.patch.asc
# gpg --verify ensa-144.patch.asc
[FreeBSD 14.3]
# fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-143.patch
# fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-143.patch.asc
# gpg --verify ensa-143.patch.asc
[FreeBSD 13.5]
# fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-135.patch
# fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-135.patch.asc
# gpg --verify ensa-135.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in .
Reboot the system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
releng/15.0/ 53054229dcb3 releng/15.0-n281036
releng/14.4/ 49be56ed6fea releng/14.4-n273700
releng/14.3/ 4f4b48e8a547 releng/14.3-n271500
releng/13.5/ 2e6399fe39b3 releng/13.5-n259222
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat
Or visit the following URL, replacing NNNNNN with the hash:
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmn0yLQbFIAAAAAABAAO
bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvPNYQAIXixMavK1HRNgv1kzms
qcAlmg/dd46KZKD7SkgAmlqKfO1wIdpDo5GZhcpKqS0TRorgqi7u9UU8xNsYxyG0
mD00dY1m65Vy5wE56QOYDFGnVgC4ZkP3it0HUGZf2t7H9kWO7LB8w8v41z+V7HKK
XRaECq4OyCjeFL9e9C1BdztkFSeVyubN+L2ca8q4S6EWq+4tu9ubTaY+P+Xojy0X
1jX42p31ZYoowHNoNPoC6jfNXrHYg2n7TZ3/kcEwCHlENpoFNT7a87RbijoAlvNP
4Y/IsvlvFdpSjxuyT9chKCPiCaMKkb26Zzng8WPcveeQP1T0f6vV7OFCIl+5RlSM
dFAYp3+IgyBfNa2iQ+ANYrVZB6718gBiE3mAweO/3VJDRK0+okxtQoOlonOSOUJd
BEQrurf2nVJC0Ihi82C/Yn8lHT6IGgEWQzpLLJH2Y9A5z9IEDNpT7s6l6SwOgVuT
1C16q9IincGwKi8YuL1v3Xr9D71PaFWj9DNVuIVe6j9nAFgqZuIFOTPObDcnfN6t
n7hiL2UdOIr9bUxl/H8FQoh5nHeDfbzSn0pF1mvkUMANC1/WSQY3ZVmQHOF5D0yV
9snZZTdsk4eZjhXJUGnLIgBVpYNqwTF7Hm3A0/LF4nbTQm2w78XMj/dIJq7lLliH
BHnoS2GbAjlAHemJRTt14Zcm
=Baez
-----END PGP SIGNATURE-----