=============================================================================
FreeBSD-EN-26:13.freebsd-update                                 Errata Notice
                                                          The FreeBSD Project

Topic:          freebsd-update attempts to merge a generated file

Category:       core
Module:         freebsd-update
Announced:      2026-05-20
Affects:        All supported versions of FreeBSD.
Corrected:      2026-05-19 13:59:37 UTC (stable/15, 15.0-STABLE)
                2026-05-20 19:39:27 UTC (releng/15.0, 15.0-RELEASE-p9)
                2026-05-19 13:59:57 UTC (stable/14, 14.4-STABLE)
                2026-05-20 19:39:53 UTC (releng/14.4, 14.4-RELEASE-p5)
                2026-05-20 19:40:31 UTC (releng/14.3, 14.3-RELEASE-p14)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
.

I.   Background

The freebsd-update utility is used both to apply binary updates for security
advisories and errata notices, and to upgrade from one FreeBSD release to
another.

In the latter scenario, when it detects local changes to a configuration file
which is affected by the upgrade, freebsd-update will perform a three-way
merge and prompt the user to manually resolve any conflicts between local and
incoming changes.

The certctl utility has been used since FreeBSD 12.0 to manage a hashed
directory of root certificates for use when validating TLS server
certificates.  Since FreeBSD 15.0, certctl also maintains a bundle for the
benefit of applications which either do not support the hashed directory
format or need to preload the trust store prior to entering capability mode,
a chroot, or similar.

II.  Problem Description

When upgrading from FreeBSD 15.0 to FreeBSD 15.1, freebsd-update incorrectly
treats the certificate bundle /etc/ssl/cert.pem as a configuration file.  In
most cases, the three-way merge results in conflicts which the user is then
asked to resolve.  The bundle is not human-readable, and merging it serves no
purpose since freebsd-update regenerates the entire certificate store at the
end of the upgrade.

When upgrading from an older FreeBSD release to FreeBSD 15.0 or 15.1, if
/etc/ssl/cert.pem is present (e.g. as provided by the ETCSYMLINK option of
the security/ca_root_nss port, or manually created by an administrator),
freebsd-update will emit a non-fatal error message and pause until the user
acknowledges the message.

III. Impact

Users upgrading from 15.0 to 15.1 may be presented with one or more merge
conflicts in thousands of lines of Base64-encoded ASN.1 data.

Users upgrading from older releases to 15.0 or 15.1 may encounter a non-fatal
error message with no clear resolution, reducing user confidence in the
upgrade process.

IV.  Workaround

If prompted to resolve conflicts, exit the editor and force freebsd-update
to accept the unmerged file by typing "ACCEPT" (all upper-case, without the
quotes).  The bundle will be regenerated at the end of the upgrade process
and the system will be fully functional.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

Perform one of the following:

1) To update your system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base

2) To update your system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-26:13/freebsd-update.patch
# fetch https://security.FreeBSD.org/patches/EN-26:13/freebsd-update.patch.asc
# gpg --verify freebsd-update.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              b97f143b6ca9    stable/15-n283610
releng/15.0/                            2709755d39f5  releng/15.0-n281037
stable/14/                              7d9c1d3895b3    stable/14-n274144
releng/14.4/                            081a9e933033  releng/14.4-n273701
releng/14.3/                            a1b3818746e3  releng/14.3-n271501
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD
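
The comparison described above can be scripted for a fleet or a build host. The following is an added example, not part of the original notice; the function names are assumptions, and the patch levels and commit counts are copied from the "Corrected" field and the table in this notice.

```shell
#!/bin/sh
# Added example: report whether a release or source tree already carries the
# EN-26:13 correction, using only values published in this notice.

# First corrected patch level per release (from the "Corrected:" field).
en2613_min_patch() {
    case "$1" in
        15.0) echo 9 ;;
        14.4) echo 5 ;;
        14.3) echo 14 ;;
        *)    return 1 ;;   # release not listed in the notice
    esac
}

# First corrected commit count per branch (nNNNNNN in "Correction details").
en2613_min_count() {
    case "$1" in
        stable/15)   echo 283610 ;;
        releng/15.0) echo 281037 ;;
        stable/14)   echo 274144 ;;
        releng/14.4) echo 273701 ;;
        releng/14.3) echo 271501 ;;
        *)           return 1 ;;   # branch not listed in the notice
    esac
}

# $1: version string as printed by freebsd-version(1), e.g. 15.0-RELEASE-p8.
# Prints corrected, not-corrected, or unknown.
en2613_release_status() {
    rel=${1%%-*}
    case "$1" in
        *-RELEASE-p*) patch=${1##*-p} ;;
        *-RELEASE)    patch=0 ;;
        *)            echo unknown; return 0 ;;   # e.g. -STABLE: use the commit count
    esac
    case "$patch" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    min=$(en2613_min_patch "$rel") || { echo unknown; return 0; }
    if [ "$patch" -ge "$min" ]; then echo corrected; else echo not-corrected; fi
}

# $1: branch, $2: output of `git rev-list --count --first-parent HEAD`.
en2613_tree_status() {
    case "$2" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    min=$(en2613_min_count "$1") || { echo unknown; return 0; }
    if [ "$2" -ge "$min" ]; then echo corrected; else echo not-corrected; fi
}
```

On a live host the inputs would come from `freebsd-version` and from the `git rev-list` command above, run in the source tree in question.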

VII. References

The latest revision of this advisory is available at