From nobody Wed Apr 29 18:40:31 2026 X-Original-To: freebsd-errata-notifications@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g5R282nq9z6ZtmX for ; Wed, 29 Apr 2026 18:40:32 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g5R276dk7z47YP; Wed, 29 Apr 2026 18:40:31 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488031; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=SINPb+T+l5XcBI5VqzfRBag12/a1WrLY+VkmbeauKAs=; b=Hsb9Nuq/+2YdNsV1hhPqD6Fp54izlx2AXFVAASLWDKI5MxEXdf6mg6jwvP5R9ooqhaeKye SLgogkdqDy8hfcuy9maNyBqCru1bcN+IbFzQBf48NI6epf0FhuWN+4ML/U10SedqIjMFkR U4XOeXjPs2EVD0CaI6y4UJCBUY4eIUlf+If9IunkDL+MJ3JRBME/ks6pn3c4b74rKZcxex g/o/WmvRERe331+nolWjyGociFoSL/5g1hOFaK9SU1XQ5VoCx2DJdj7yRbURyboBmMdNmJ H2B+KertFT/Q18wvYQoohuEk35gtWCMKTIKe3NXDS238yAWOfyyF4DnBLjgptA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777488031; a=rsa-sha256; cv=none; b=cL7nicRDQkobIl0sTKVe06bA+7zfBffo56LJxSICcv7XE9/QyxMzZxpoIu7fNVdxhswoUP TFKqiSHwXilE5dzeSr7bSOKb52iebjblGy+DhiiFDz0nkzWcj8ReVFKb9MI1XNWlDe8sZf cU08Dvui4/IRLYLRhV00B0tQifip0j80tUFQ9WpOw5I1OQ6D6w+/gp7TNZKeIqUC4WHZHK 1OeYL/hx9TkzsFLlasY590mX2I4ARUeROLe6VhiCsfEylrLl4lBjYvV0RXYH5i854u/EVy SXYjxm5x0putDriiybkNIR0N/RTYFkq5fJTesDpCWdgRqAqjVluu0bekn+FPfQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488031; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=SINPb+T+l5XcBI5VqzfRBag12/a1WrLY+VkmbeauKAs=; b=IJiZ3au73djJ6mXBqSUW90nq5bF+dcaq8J12qn1f51IXPfh3U/xfbqZ1se6fBAXhLDRd2N jmK+ab9dI00YQoXYYZ2cPGuJY3EJ7hlg/FjnjDCTaFfMAQNe7r3TEUFRdxmG7PjEjDcBTm kDGugZqx7/bXkAFESGJ+kzcgeFajLTgevpIuLJT9MD6BOstYzxJYW3kVXFVDQnpIVCnVBE tmx48skgnhAgF2Z1DxJk08ZRV3aMqCerpw+5uZs0Gqy4mXVYTIx3OdX7Kk3XmxNCpjnO5L OciKgn2ELoxzyzKs5pU9hRDBzz/d7NRQ1sEJdiFqEcKUlR1mbedxaWuir3dvvA== Received: by freefall.freebsd.org (Postfix, from userid 945) id C6AEC96DB; Wed, 29 Apr 2026 18:40:31 +0000 (UTC) From: FreeBSD Errata Notices To: FreeBSD Errata Notices Subject: FreeBSD Errata Notice FreeBSD-EN-26:09.tzdata Reply-To: freebsd-stable@freebsd.org Precedence: bulk Message-Id: <20260429184031.C6AEC96DB@freefall.freebsd.org> Date: Wed, 29 Apr 2026 18:40:31 +0000 (UTC) List-Id: Moderated Errata Notifications [moderated, low volume] List-Archive: https://lists.freebsd.org/archives/freebsd-errata-notifications List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-errata-notifications@freebsd.org X-BeenThere: freebsd-errata-notifications@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-26:09.tzdata Errata Notice The FreeBSD Project Topic: Timezone database information update Category: contrib Module: zoneinfo Announced: 2026-04-29 Affects: All supported versions of FreeBSD. Corrected: 2026-03-05 01:36:15 UTC (stable/15, 15.0-STABLE) 2026-04-29 14:48:25 UTC (releng/15.0, 15.0-RELEASE-p7) 2026-03-05 01:33:16 UTC (stable/14, 14.4-STABLE) 2026-04-29 14:49:38 UTC (releng/14.4, 14.4-RELEASE-p3) 2026-04-29 14:49:18 UTC (releng/14.3, 14.3-RELEASE-p12) 2026-03-05 01:33:52 UTC (stable/13, 13.5-STABLE) 2026-04-29 14:50:16 UTC (releng/13.5, 13.5-RELEASE-p13) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The IANA Time Zone Database (often called tz or zoneinfo) contains code and data that represent the history of local time for many representative locations around the globe. It is updated periodically to reflect changes made by political bodies to time zone boundaries, UTC offsets, and daylight-saving rules. FreeBSD releases install the IANA Time Zone Database in /usr/share/zoneinfo. The tzsetup(8) utility allows the user to specify the default local time zone. Based on the selected time zone, tzsetup(8) copies one of the files from /usr/share/zoneinfo to /etc/localtime. A time zone may also be selected for an individual process by setting its TZ environment variable to a desired time zone name. II. Problem Description Several changes to future and past timestamps have been recorded in the IANA Time Zone Database after previous FreeBSD releases were released. This affects many users in different parts of the world. Because of these changes, the data in the zoneinfo files need to be updated. If the local timezone on the running system is affected, tzsetup(8) needs to be run to update /etc/localtime. III. Impact An incorrect time will be displayed on a system configured to use one of the affected time zones if the /usr/share/zoneinfo and /etc/localtime files are not updated, and all applications on the system that rely on the system time, such as cron(8) and syslog(8), will be affected. IV. Workaround The system administrator can install an updated version of the IANA Time Zone Database from the misc/zoneinfo port and run tzsetup(8). Applications that store and display times in Coordinated Universal Time (UTC) are not affected. V. Solution Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Please note that some third party software, for instance PHP, Ruby, Java, Perl and Python, may be using different zoneinfo data sources, in such cases this software must be updated separately. Software packages that are installed via binary packages can be upgraded by executing 'pkg upgrade'. Following the instructions in this Errata Notice will only update the IANA Time Zone Database installed in /usr/share/zoneinfo. Perform one of the following: 1) To update your system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base 2) To update your system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, which were not installed using base system packages, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 13.5, FreeBSD 14.3, and FreeBSD 15.0] # fetch https://security.FreeBSD.org/patches/EN-26:09/tzdata-2026b.patch # fetch https://security.FreeBSD.org/patches/EN-26:09/tzdata-2026b.patch.asc # gpg --verify tzdata-2026b.patch.asc [FreeBSD 14.4] # fetch https://security.FreeBSD.org/patches/EN-26:09/tzdata-2026b-144.patch # fetch https://security.FreeBSD.org/patches/EN-26:09/tzdata-2026b-144.patch.asc # gpg --verify tzdata-2026b-144.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart all the affected applications and daemons, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 564480f108e7 stable/15-n282573 releng/15.0/ 183f96697f82 releng/15.0-n281026 stable/14/ 4830cb713ed8 stable/14-n273807 releng/14.4/ 677aeab69b13 releng/14.4-n273688 releng/14.3/ 1d3ca32f88f2 releng/14.3-n271488 stable/13/ c0b2aff48ff3 stable/13-n259815 releng/13.5/ f7e6b9f128e3 releng/13.5-n259213 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnySRMbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvVGsP/20IASIuyeEzCQSGN/oA u/t7PXGIHre/ApxXzQ+K2A4Sn92f0VAG+SG4g4zdLAI+kQXfdCGq2b0oJoEzQg64 fLAMF772Pc9GMijEXcTMU76hVqD9RiQncOH8w5ODWe3Lmszr8y0foFC9LU0IyccC 5MbHIv9vRRIe0Wpgp33XMLU2mjND+4LVgKxGHpqz86Rqo9zjLAbW1aiSK9mJBE5n BHWWbRpG8lFzm3jx0m7bIZYaghnnuyrg5TV7bZBbMPg64WTFrBrEyS3QlI9addp/ hwxwUY2F14fyyjgnlVOVNsMX/BaDh/c6W8R/EyFVxADjAQazQqJJxO/DTwlxqnbu gaiwdn64vPfR9xJgglsaDutvytEXUMcNuNpDWu8OZUWx1Vd+OnJKLu0m6JC0LLuA LFbq72HyTNoI0I9kpjkY5XBcuPx4DZHzG3WgvgYJ7tO1myUDaKjawAc2khxHsvpf JIsY85kBBEoqXEJiLb5DHVO+2Airldz/8DlHVUMWmds9QrQVo7bQzwRpFMZDDc3b Psp0U9FRe87eQLhgwMn9dRi7QHRRcjAfcqOb3HRHMVRZ2MNq0O9vIRGMyfLzOqwn iweujCGTmSB9tph/StkKv/n+4zzxLOvyJcmSYcz3zLuFq9t2qOeRtQnhD4tn4wLW Kq2ZK/k/IL4g1lI6rg4C3BmF =Mc5t -----END PGP SIGNATURE----- From nobody Wed Apr 29 18:40:37 2026 X-Original-To: freebsd-errata-notifications@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g5R2F6l6Fz6ZtpP for ; Wed, 29 Apr 2026 18:40:37 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g5R2F4KfMz47Sl; Wed, 29 Apr 2026 18:40:37 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488037; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=b2K7gGitecziLHfqxPvgk65ES4yGAwVqQK8sb34Vsik=; b=ydxsUYWeeRAKE2qskWvtOAjVK7SS+BosN5nldg70iukTSU7fKtybLI7QWilSVEuRNtwTrE C9XDgbivdeoScCnVdtTe7fsZjNGru2LRSXlb6kWk5O92hKRvKxSWSL0wcfh+feQ7aWNsmH RW3uVtzg5XThfYewg2qSty79wJymYM3dWKZmFBlHNlZBjv0F4j9ladqXSkf660S2NSpPzg 8CBKLMb+4pXzVNXblKbvmDVXRvcTScmhFUIuScDc8VLTIjtUiQRx0T+T5QP9M6P1Rbg8Et uAo4Vf5jJ/QJe3gkOtxj3zW5+0wNFSW9CwCIzhC6Jq1cKjPS/2YjAqeuH6XzzA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777488037; a=rsa-sha256; cv=none; b=obg8WvA/GHOi6LOctchWvk1qLg3Prv+sRybbWQxesYyfvXcpMOdn0zYUVJSKaTc9CtYxVy HN6HExUi6F6ryAeSBe9+3F/FHNn8sYwWb7GTjrzYQnbz3mFmc94IiYfd/p3I6WImstEzew awJIECPi+cxVVpIccIKwARem+aLiJ+sNvb4ZwclptBKiU5VstwdLl/UfwE9hqIDxIqTSvM awv0oV7W7J7ixBc8kgxMfET4W0ZNb4kwEDH5SVzL6dOdzuF44nhEYMLVcbC8hGcyAaT/A2 hsWVeZH3VrDA3HbN0q/869VXYDRNYpB/KuYVH+YUuFiCQbYJl2APaA1CEeivaQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488037; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=b2K7gGitecziLHfqxPvgk65ES4yGAwVqQK8sb34Vsik=; b=hxDqv7YcKfw+N4vP/+e5t15WV0rgDJ/Uo6rdNY0MuQNU9PJUxE6EJ8DuPJ2qF9oCoVZOz1 Bjhoxqyj5JcST72vEFKvtgtfuD1D7XqjJ5aRUxjy4yq1pjc/1hwRWDPcffTxcUZxhUV1/1 +MkQPTfrYcJsnu9Ur44xu7lBA75xAMndroWBUBIaYFY5k/hzR9pwZRWUZX4MTBn4CjgODc Z4eZDLMDSWP5gjCm4Wi1VfCymXn9+yI4ohtbQV9jDfgIBKRwaNVwWer85E9xExcCe/LkA5 KS1NgAOUrjmrc9cc5Q15B37EFHRkUCgvRrMKx7+/7KUQw1eOQPD68+0dckad7Q== Received: by freefall.freebsd.org (Postfix, from userid 945) id 7F0A996DF; Wed, 29 Apr 2026 18:40:37 +0000 (UTC) From: FreeBSD Errata Notices To: FreeBSD Errata Notices Subject: FreeBSD Errata Notice FreeBSD-EN-26:10.amd64 Reply-To: freebsd-stable@freebsd.org Precedence: bulk Message-Id: <20260429184037.7F0A996DF@freefall.freebsd.org> Date: Wed, 29 Apr 2026 18:40:37 +0000 (UTC) List-Id: Moderated Errata Notifications [moderated, low volume] List-Archive: https://lists.freebsd.org/archives/freebsd-errata-notifications List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-errata-notifications@freebsd.org X-BeenThere: freebsd-errata-notifications@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-26:10.amd64 Errata Notice The FreeBSD Project Topic: TLB invalidation bug on AMD systems with INVLPGB Category: core Module: vm Announced: 2026-04-29 Affects: FreeBSD 14.3 and later Corrected: 2026-04-23 13:48:45 UTC (stable/15, 15.0-STABLE) 2026-04-29 14:48:26 UTC (releng/15.0, 15.0-RELEASE-p7) 2026-04-23 13:49:23 UTC (stable/14, 14.4-STABLE) 2026-04-29 14:49:39 UTC (releng/14.4, 14.4-RELEASE-p3) 2026-04-29 14:49:19 UTC (releng/14.3, 14.3-RELEASE-p12) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background On multi-core systems, TLB invalidation operations must notify other cores, as each core maintains a local TLB. On amd64 systems this has historically been implemented using interprocessor interrupts. Recent AMD CPUs provide a new instruction, invlpgb, which allows a core to broadcast TLB invalidations to other cores without need to explicitly raise interrupts. The FreeBSD kernel makes use of this instruction when available. II. Problem Description The FreeBSD implementation of ranged TLB invalidation took advantage of a bit in an invlpgb operand to invalidate consecutive 2M entries, instead of invalidating purely in increments of 4K pages. The hardware invlpgb implementation uses the underlying page size to invalidate regardless of the status of this bit, which may leave a series of 4K mappings intact that should have been invalidated. III. Impact Failing to invalidate pages when it required may result in apparent kernel memory corruption, typically resulting in a kernel panic. Workloads involving heavy use of kqueue(2) and/or large file descriptor tables seem to trigger the problem somewhat readily. IV. Workaround Intel and non-x86 systems are not affected. AMD systems that support INVLPGB (reported during the kernel boot process in "AMD Extended Feature Extensions ID EBX") may set vm.pmap.invlpgb_works=0 in /boot/loader.conf to work around this issue by disabling the use of invlpgb. V. Solution Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, which were not installed using base system packages, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/EN-26:10/amd64.patch # fetch https://security.FreeBSD.org/patches/EN-26:10/amd64.patch.asc # gpg --verify amd64.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 280cfe2264d7 stable/15-n283199 releng/15.0/ 182c59658218 releng/15.0-n281027 stable/14/ ff11ae166cd9 stable/14-n274021 releng/14.4/ b00785205990 releng/14.4-n273689 releng/14.3/ 3b1365cb816e releng/14.3-n271489 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnySRcbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv4zAP/3/9no397tY5+uMITwzb d8RklxyJatGAYnqSQrJCjxm4er+CUijdCb6jUrg2L2hKt8c3KOQctSY5ko2agkZ2 41ghOeIOU6N9+aiNN4wlqCbgufUXjtBWBBEgOvJHyU1QnSazKDZmGAwWfiTz8Uh7 QtuRHV/I8LDKpd6UtVC6S6lsKSiDrmMQ6CmDSMiMDEpJO8cM1rKejU/gGSTaiwak 25SvR6z1rgJwh5VFKnT5a7G9Gw3oV04+zWQRoYOotiblg1qUgLAjMxogrIvFQKbR fQElldSwQl7ErlFjYCBrvDbXzGqlsDDab05ay4361VD92QWQ4o64X5KHR+Rb0yYt RWfPxfCNA1fNMDjkY1y9ROjGERuNdhJzGl5o2m6TXJl/rUX+BZrWZLTC/68CMy/B DHrKPMLRD6rOS6AupNK1UfKoRPqha9tdwdofOOD4qr6PQ0UecLyUrUQljlK6QUYm yUQQzC0eun6SdQihPaHGEXK0oe7MqWJvt7s82DE6EKKR8FJ2aqWfMT7qjV3Y3E7e TJzJGDsbLoZYtPl8u6OQM2gaxAf5CqSCxU7PvyOsu5/gf89CsakdC6OUBkXh/pAS wCLDDyqffmgwOi1hE9ACgUOVASRyrITZwP1sqyAVJF8yY3YhxGHImaFrdAJ/yU4Q xp9Ok7v2qSxueDnMc9C16AFt =pWDj -----END PGP SIGNATURE----- From nobody Wed Apr 29 18:40:28 2026 X-Original-To: freebsd-errata-notifications@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g5R250wK0z6ZtxF for ; Wed, 29 Apr 2026 18:40:29 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g5R2447CRz47Hj; Wed, 29 Apr 2026 18:40:28 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488028; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=Bbj+QfHM6e3Jqj9jTV9F4zBjf4tgYfCCEJlcE2shjUY=; b=HaIeHiMW1G8122Onij8lsVEuZB7rtFb2jTQWqQC6XQQsFQquiJO92bRekwm9+4bUa9yyCU mfI+fH+UBPdGpzr8gDOeA5u03HhadrBGziGmC7zNviDDGyq8t0KneUZRbGBBZZ692dQ1mq z8ominSYA8Ji+oKBkScyLTKynjyys8RZptpqwGtJWn5Y+dcdYsYhOrkOd0B67a/lF0FiK8 J9ZpfybVvD+bEnSVViPuab4uT7Q1U74DNe9XYXWqoxy+/xVWcePTyGkDSVZtbmpwe0wlEm 0fqa7WVYz/0jEv6qrBQOaEyPVNJzaQJeorGBXCZxJdOR6Lopy4Oxuh9g2rskhw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777488028; a=rsa-sha256; cv=none; b=IEgZ55l/D4/mRn7nBeIBXzWdpWIdjHo5IKYEcZJkQ7bTI9T1hvRuN06em7HHPbZKzQXL62 ziWdmZGG1zNrMk1asFXXTgXBMpxPk/ffTnjkR4/P2h9zU9r18Rmr0ykCsqLkVmU8YpIbiw x/UBo9MYRaEdEn65d2Xg8QUyrKBg1w0FVUM7/InrhCwjaUNskZl6C67YCpq/kmccKK1WZe SinVAzdzbNFbr74cvITxRbm/ew5p2H32r4hrxEISA9FRuaaJ1Yii3RbsDheckvUkdTcTky J+7rG8vBsvhNYOeBw5/DVXCf9eSivYzdM02s9INue6LNyjy8k8dMI+UFAYP4lA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488028; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=Bbj+QfHM6e3Jqj9jTV9F4zBjf4tgYfCCEJlcE2shjUY=; b=FYzHPg4wnqlEBSJwTdsclbt+JnMeA7Kl1bU2wcfVRPyxRtiQB0d++RysV8JiY+yophdfi6 l5RMpSHwQulUmmm4x+rMxbSu3ExL4vFbww8G8QFdYksuroMryuCxxO3UgdU7Vai2f7Ba8K WCMlCqQ4PZGxh+vI3k3/BdEy0KPmJlDMhIfYuGFr1eEDbHcpZai2Ru0JdH2WtFghW1JhOj iOwKx4Y+PeFcTFZ9FaoLhUXmIQa7hSfrkphsna5ytyQkeQf/wQ4oLue2La+zR+Aeynte3T iSXoqr6esFIpTurOPb1mkSykEEQDhf/JHVwVepGY5vmOstNExrdEfuay2zxP3w== Received: by freefall.freebsd.org (Postfix, from userid 945) id 495CA96D9; Wed, 29 Apr 2026 18:40:28 +0000 (UTC) From: FreeBSD Errata Notices To: FreeBSD Errata Notices Subject: FreeBSD Errata Notice FreeBSD-EN-26:08.pf Reply-To: freebsd-stable@freebsd.org Precedence: bulk Message-Id: <20260429184028.495CA96D9@freefall.freebsd.org> Date: Wed, 29 Apr 2026 18:40:28 +0000 (UTC) List-Id: Moderated Errata Notifications [moderated, low volume] List-Archive: https://lists.freebsd.org/archives/freebsd-errata-notifications List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-errata-notifications@freebsd.org X-BeenThere: freebsd-errata-notifications@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-26:08.pf Errata Notice The FreeBSD Project Topic: Incorrect duplicate rule detection for automatic tables Category: core Module: pf Announced: 2026-04-29 Credits: Michael Sinatra Affects: FreeBSD 15.0 Corrected: 2026-04-26 10:12:28 UTC (stable/15, 15.0-STABLE) 2026-04-29 14:48:24 UTC (releng/15.0, 15.0-RELEASE-p7) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background pf is an Internet Protocol packet filter originally written for OpenBSD. While loading its configuration, pf hashes rules and silently drops duplicates as an optimisation. Only the first rule with the same hash is considered. II. Problem Description While checking for duplicate rules pf did not distinguish automatically created tables from each other. As a result some of those rules may have unexpectedly not been loaded. III. Impact The ruleset loaded in the kernel might not match the configured ruleset. IV. Workaround This problem only affects rules with tables created by the pfctl rules optimiser. Either disable ruleset optimisation ('set ruleset-optimization none'), or avoid constructs which would be optimisised into a table (e.g. by manually creating such tables). V. Solution Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r now 2) To update your system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, which were not installed using base system packages, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r now 3) To update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/EN-26:08/pf.patch # fetch https://security.FreeBSD.org/patches/EN-26:08/pf.patch.asc # gpg --verify pf.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ fdcc60f52841 stable/15-n283345 releng/15.0/ d91d13c12484 releng/15.0-n281025 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnySREbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvIygQAKSJuU4Ka3cRRqje85kA O03aC+IoU1YOaepkziI4TKxwKNSc7wh4S0xlCBiNXDqM9JUs20XbG47JT1GDUKP9 TNDymnUxNGjzmgEwbh/ZQvTKGqib2d0c4fhvLWMSg6FAbET8EnkyniM5A55QfUX0 YwsTFRk27K09AcCW8gpoRgAjJBhdlN18SvvlE8CQ57xpUQnukFJp+zh37OCGkRVO fciwOmEYmsrIur9vde7RX/ohBX2RbB3QrMQh9x4td+RpwUGfEkZ4oei+aJWJazVW VimwkJXXSl2Hdn4V/eNPKj3viSu40tgTPQelSgh1qFPxLMTVvRf1I8VlKYTFHV1O 0EGGsya4nE1pEYWL1CWh/9v2BoTiV7OVDEcu1prc9p/5dHv4cDNaaRf5ZMN8f7Sp S1X1eHY/eJ59ayBCPNShOMTf36hvMuQT9hBXdBArb6MpeGLubWFtGsHkaFZtoBvj QnpH4uTxeDMTZANqoM3t6QqrwDUEKBn9ai25k/k9a7vqYwrcLUo4WsLauiwhAbz0 7bmnXUE+gbn5qlX03UFLqANA7OujEjuBxc5+vmlJXK+1CARMcQToDEdMojhkBwbN xgxGtyol/Pq3MwvGZyKMlQii0xre2sA1Gqv41k4l7oPukU8DRAOFZQ9nDBmIB0NW s9JLPOImH1NE9iA05ezJk46Q =7VtI -----END PGP SIGNATURE----- From nobody Fri May 1 16:10:18 2026 X-Original-To: freebsd-errata-notifications@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g6bbt49gLz6bk8Q for ; Fri, 01 May 2026 16:10:18 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g6bbt3Q0Xz3qZp; Fri, 01 May 2026 16:10:18 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777651818; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=AFlXs9H/10B9qvBxNjjmS/7gEo8qGtsL86DYtyF/pPo=; b=Q8lt8ZF2ENL98z2SYMqMDF27oG7PbZqWW53OzttNAGsuSu/tlmYZJ4NHkiGiWzCabHXrhR 5T3l3iiVT9TxiQJ6e3wo+M2shLBzjHn/uhsX/hC68rY5UlExJOOhvZL2Zdo/RZaTlHirf+ 7RvpMjYiqybMe/HUyfZBB04t2AdaSP1o6JRhdmvSwW3PK9orlVSc7HB/UHzG1h5Tobrawb B79+/aLbejXWSLhWEKYlHRPgnOAK37km4OTcvg1cZf/FwotAF/qUc8B77prybPywnsErbd +KlDQTImH71iS+A0/fth9kaOFgF27awjjeHZ1SF4MYkwwPwwkVMEBJzWfwqnSA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777651818; a=rsa-sha256; cv=none; b=vahLRJZ9OAjkHqILrhMFrbhlMMmQ4XAXlLOj9y3RmFOYwhMNrhUEin9T9PKHWiKs8Ly5cF 5JNVrYoNTnTcbbG4Md9FQ/wOOJ7jXHheopufGsRId0HwqT+PFrEpt73m5nubwe+XeNARwO sxLRLkXmvo+X5/ZnMGl+X2dekfG+xhxn5zTchsPrLmk8kMHVtIDkH73vMxh8dKy2kjdZQK 1tgFDUBDLKd0SZ8kMs5w8z5OIUtISHiCJH66ff4d5X2LWdpl2gOZvTswRwIwNTURCQb6mG 4RdLbBawlhPHlX4VMa9+mpe6PvEkpUxqhz8zFPFs3HkZdWqxoCWie0DPcajSUA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777651818; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=AFlXs9H/10B9qvBxNjjmS/7gEo8qGtsL86DYtyF/pPo=; b=sJIqdX/0ocaoY0kLaeTBTrjEQ1H1gv4pj0R3Rw431FULUiW1mbal6ygJTY+5Jloin+hyXy mQICfjayTpBERXXspwsDm8pCVOl3mQd9Ujc1rMCQTL45JKbWr/ZjdDUCN20UzXl1SUmmvN qUd6P0fUD6tq1OSxh1CkI8nhNK9F7GNEbAD9RqYOhV9VZ7QTNjWCifCjOzSZwWR26Hyeyo Foh/vqwRySvmEWKos3zogvk1q8cBhf36wko0r+y9KHfZh+vOV9xgaMQ+UxqcoL/x1vfNH2 OrrzaGzeIbpJFPbsVm35eFiwsp1cTtID2htDGmxV1XTox0jFhohQi2u3X0GT9w== Received: by freefall.freebsd.org (Postfix, from userid 945) id 30CED12D5F; Fri, 01 May 2026 16:10:18 +0000 (UTC) From: FreeBSD Errata Notices To: FreeBSD Errata Notices Subject: FreeBSD Errata Notice FreeBSD-EN-26:11.dhclient Reply-To: freebsd-stable@freebsd.org Precedence: bulk Message-Id: <20260501161018.30CED12D5F@freefall.freebsd.org> Date: Fri, 01 May 2026 16:10:18 +0000 (UTC) List-Id: Moderated Errata Notifications [moderated, low volume] List-Archive: https://lists.freebsd.org/archives/freebsd-errata-notifications List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-errata-notifications@freebsd.org X-BeenThere: freebsd-errata-notifications@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-26:11.dhclient Errata Notice The FreeBSD Project Topic: dhclient(8) lease validation is too strict Category: core Module: dhclient Announced: 2026-05-01 Affects: All supported versions of FreeBSD. Corrected: 2026-04-30 21:07:00 UTC (stable/15, 15.0-STABLE) 2026-05-01 15:08:46 UTC (releng/15.0, 15.0-RELEASE-p8) 2026-04-30 21:07:11 UTC (stable/14, 14.4-STABLE) 2026-05-01 15:08:37 UTC (releng/14.4, 14.4-RELEASE-p4) 2026-05-01 15:08:30 UTC (releng/14.3, 14.3-RELEASE-p13) 2026-04-30 21:07:24 UTC (stable/13, 13.5-STABLE) 2026-05-01 15:08:19 UTC (releng/13.5, 13.5-RELEASE-p14) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . Note: While FreeBSD 13.5 is end of life (EOL) as of May 1st, 2026, the Security Team has decided to patch this issue as it was identified and a fix was in-flight before the EOL date. I. Background dhclient(8) is the default IPv4 DHCP client used on FreeBSD. It is responsible for contacting DHCP servers on a network segment and for initialising and configuring network interfaces based on received information. When processing a DHCP offer, dhclient passes various parameters provided by the server to dhclient-script(8). DHCP options, as documented in dhcp-options(5), are passed via the environment. II. Problem Description The patch for FreeBSD-SA-26:15.dhclient introduced some validation of the boot file DHCP option to prevent unescaped values from being written to the stored lease file. This validation is overly strict and rejects Windows paths. III. Impact The overly strict validation may cause dhclient(8) to reject valid leases. IV. Workaround No workaround is available. Systems not running dhclient(8) are not affected. V. Solution Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base 2) To update your system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, which were not installed using base system packages, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/EN-26:11/dhclient.patch # fetch https://security.FreeBSD.org/patches/EN-26:11/dhclient.patch.asc # gpg --verify dhclient.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable daemons, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 252f603d1704 stable/15-n283453 releng/15.0/ dc8762cfb6e2 releng/15.0-n281035 stable/14/ 2f9478ad42c4 stable/14-n274094 releng/14.4/ dfcb69cdb07e releng/14.4-n273699 releng/14.3/ 5bad905eb37f releng/14.3-n271499 stable/13/ b1ece85741db stable/13-n259871 releng/13.5/ b362b6b6c8f2 releng/13.5-n259221 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmn0xiAbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvJnEQAJ8ZYWjGt7iYjMkOZiM1 I7NLl7RygvIWU25ThAOXlA7zPA7LbS23+nca4QlNdvTVkpcfsCrmxhJYY4ymkZh7 QuEVDEp20n02S7362S9kCpmp3NDXQvuCPNt8zRel4ek3u/b8/9KCASL1jN+1eSgR G8ZVWVheRzKgsaYJsDIyX0AjNk41gQk8ASYoWjeIk5F14kFk3ozlfJTrBL2XlOuL J28P47d5lEgU2x04xLSZF9xQrF1I13XZa8pMtogF3aveTXXVzHDJFZIcppu0uQYY tp9uvyQ6NnzNPBXWztVCJ+eRdxS4RLp3Dp3U9/3GrqVuCfG8BO7kE5OhcjO0EPVC lmvXBJLqQnsodEQA0BysAsMxlMcw+n6z0np2DFdFCkyLrPCx3Bm+D/WRLngRcp4s +FBIgoF+ywUXVwLRkVJeCsQJTNzVhneq8rtcfE6LdJoIgW/oOUyNEJTBpgvhXmz6 /pmW47cmNY+CFWCXAL/7fLZVX1dYvEpSn+Iqqs8Efr2OFfQqRXZunJXNXnKuMtfT p82Hl////cHObQSqlI95J5yJmdBzOxlpzHTwSLVTD5SfvAcN3PzN3hRhFFqG8lg5 HV64Fu1xPqLX1mthTw1Sbng5mTUL+MJ5BN26M+UevYZBi02m5nMUyjWH+D4Bn3RS gajZ9Z16VPgdlPsNPihqsx7k =Ro3y -----END PGP SIGNATURE----- From nobody Fri May 1 16:10:23 2026 X-Original-To: freebsd-errata-notifications@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g6bc01f92z6bkDL for ; Fri, 01 May 2026 16:10:24 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g6bbz6nV0z3qV8; Fri, 01 May 2026 16:10:23 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777651824; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=BRyJlQLxiIHiAe3vgG/aCYt6rKzeztjgm2sS/OpG4bM=; b=e3i95KL/w0GJ+WwTUjsRUN+YkzM5ItGhFpNVEGwnP7a9n555bl1QDV8yBl/5ocb8+2zNsQ k825C3dLy6cjiudm+US6A3HgNbAjPOSr29WmxvnAuHvqqrilrKuSWkdk6xTosTSu9sHU7/ zochbXBl+LBfIh0QVrsuVzmru+3BeHekZc1+yIrwzXj9TqThfbgiM3wNRzRCB35o8V5hTP /cR+slGq+KaGQk8Dcs3qGxuhvGUl35l21fhfYQOrdb+Ot+2Mef5Y/fozbuBfBT/8qinHRS ErFH6ogPUR0e+YDI35YfwE480zE4Wz/BgO9AmqzRCyB/aF3NncGPpQdXQxkWZw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777651824; a=rsa-sha256; cv=none; b=TNxDiHBZ7A3H2MrnCW35m6cFAPLhYkblS6ekgFWkdZ769u4jkf5g0bvVzBYE35J2UDy66z F+QyrcqmnzyCfJtQaEvwRgJyl5tJUaaGusnBfZvZPTUu6WZtyCEBohpgNCrtvJ0idbunbJ kTBOk3+l2FNytlsHOJYui7QjoUp+zVN/ylOHwAruO7qRDwgt7tTQ6oGVtfL9flVtRzB4Bs NRI8rR997uaYjNfGWofmGYAUI3qMOYEATcU/y2MxNiGIe5ISwjv8gaQK+Ojpa+DG46MNGo axvNmOmYON9HoszjkqTdH431T46OPyogoTKhGDyzhPdHC+TqTiO7hLOXBuckRQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777651824; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=BRyJlQLxiIHiAe3vgG/aCYt6rKzeztjgm2sS/OpG4bM=; b=Q1aLLq/suuwyILpcwJL8y27s6SMTtVgO6YmNUYx2iLv0ogfDxa5RJWXWZWcJqSLNdUzoIU 6PoeoditRF/2E4+LzDg4OksW4j+V1nYr04Edsjsi++IxlCAHlOPD2r5dKIOCkYcaagNj4P QYnf9O1Op/31CjBNIFIeaFJT79eTg8q4VQnacFqinIixwAhge3vf1bVrqZnbcsjY9yHaNj JzXBLV0IiXXs2EzZtzki1Bfh2NTRVvVDcotasG76A2lyUqxiNEnW5LEWPunJZAq5HHjMMD F2PPy0EYfijf4FsYdDOnb3SMoqcsJMjfbcCtaWoV+8b0g9vL1yDE9vwqjET5hA== Received: by freefall.freebsd.org (Postfix, from userid 945) id CF62A12CF9; Fri, 01 May 2026 16:10:23 +0000 (UTC) From: FreeBSD Errata Notices To: FreeBSD Errata Notices Subject: FreeBSD Errata Notice FreeBSD-EN-26:12.freebsd-update Reply-To: freebsd-stable@freebsd.org Precedence: bulk Message-Id: <20260501161023.CF62A12CF9@freefall.freebsd.org> Date: Fri, 01 May 2026 16:10:23 +0000 (UTC) List-Id: Moderated Errata Notifications [moderated, low volume] List-Archive: https://lists.freebsd.org/archives/freebsd-errata-notifications List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-errata-notifications@freebsd.org X-BeenThere: freebsd-errata-notifications@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-26:12.freebsd-update Errata Notice The FreeBSD Project Topic: Source inconsistency between freebsd-update, EN/SAs, and git Category: core Module: freebsd-update Announced: 2026-05-01 Affects: All supported versions of FreeBSD. Corrected: 2026-05-01 15:08:47 UTC (releng/15.0, 15.0-RELEASE-p8) 2026-05-01 15:08:38 UTC (releng/14.4, 14.4-RELEASE-p4) 2026-05-01 15:08:31 UTC (releng/14.3, 14.3-RELEASE-p13) 2026-05-01 15:08:20 UTC (releng/13.5, 13.5-RELEASE-p14) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . Note: While FreeBSD 13.5 is end of life (EOL) as of May 1st, 2026, the Security Team has decided to patch this issue as it was identified and a fix was in-flight before the EOL date. I. Background The FreeBSD Security Team distributes patches for supported releases via the git version control system, as patches link through errata and advisories, and through the freebsd-update binary update system. Both freebsd-update and the errata/advisories do not directly use the authoritative git repo but instead rely on individual patch files. II. Problem Description Due to the manual nature of patch file development and management, there are instances where either a freebsd-update maintained machine or a patched source tree from errata/advisories have become out of sync with the authoritative git repository. Specifically, an earlier version of the patch associated with SA-26:11.amd64 was distributed via freebsd-update. The source patch linked in the advisory and the source in git were both correct. Additionally, patches distributed via freebsd-update and errata/advisories are occasionally missing test or non-material ancillary files to minimize patch size and improve compatibility across releases, causing an additional source of drift from the authoritative git repository. Pkgbase is unaffected as it directly builds from the authoritative git repository. III. Impact As a result of this drift, the FreeBSD Security Team has changed the freebsd-update build mechanism to retrieve source directly from the authoritative git repository. This has caused a binary update to rectify the SA-26:11.amd64 issue as well as alter a few additional files, such as test infrastructure and ancillary tooling files, that have been updated in git but were not distributed via freebsd-update. IV. Workaround No workaround is available. Systems using pkgbase or building directly from source obtained from the authoritative git repository are unaffected. V. Solution Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date and reboot the system. Perform one of the following: 1) If your system is installed from base system packages: No update is needed as pkgbase is not affected by this issue. 2) To update your system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, which were not installed using base system packages, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a system update" 3) To update your system via a source code patch: The following patches are only intended to be used for source trees that have been maintained with patches linked by previous EN/SAs. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.0] # fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-150.patch # fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-150.patch.asc # gpg --verify ensa-150.patch.asc [FreeBSD 14.4] # fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-144.patch # fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-144.patch.asc # gpg --verify ensa-144.patch.asc [FreeBSD 14.3] # fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-143.patch # fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-143.patch.asc # gpg --verify ensa-143.patch.asc [FreeBSD 13.5] # fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-135.patch # fetch https://security.FreeBSD.org/patches/EN-26:12/ensa-135.patch.asc # gpg --verify ensa-135.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- releng/15.0/ 53054229dcb3 releng/15.0-n281036 releng/14.4/ 49be56ed6fea releng/14.4-n273700 releng/14.3/ 4f4b48e8a547 releng/14.3-n271500 releng/13.5/ 2e6399fe39b3 releng/13.5-n259222 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmn0yLQbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvPNYQAIXixMavK1HRNgv1kzms qcAlmg/dd46KZKD7SkgAmlqKfO1wIdpDo5GZhcpKqS0TRorgqi7u9UU8xNsYxyG0 mD00dY1m65Vy5wE56QOYDFGnVgC4ZkP3it0HUGZf2t7H9kWO7LB8w8v41z+V7HKK XRaECq4OyCjeFL9e9C1BdztkFSeVyubN+L2ca8q4S6EWq+4tu9ubTaY+P+Xojy0X 1jX42p31ZYoowHNoNPoC6jfNXrHYg2n7TZ3/kcEwCHlENpoFNT7a87RbijoAlvNP 4Y/IsvlvFdpSjxuyT9chKCPiCaMKkb26Zzng8WPcveeQP1T0f6vV7OFCIl+5RlSM dFAYp3+IgyBfNa2iQ+ANYrVZB6718gBiE3mAweO/3VJDRK0+okxtQoOlonOSOUJd BEQrurf2nVJC0Ihi82C/Yn8lHT6IGgEWQzpLLJH2Y9A5z9IEDNpT7s6l6SwOgVuT 1C16q9IincGwKi8YuL1v3Xr9D71PaFWj9DNVuIVe6j9nAFgqZuIFOTPObDcnfN6t n7hiL2UdOIr9bUxl/H8FQoh5nHeDfbzSn0pF1mvkUMANC1/WSQY3ZVmQHOF5D0yV 9snZZTdsk4eZjhXJUGnLIgBVpYNqwTF7Hm3A0/LF4nbTQm2w78XMj/dIJq7lLliH BHnoS2GbAjlAHemJRTt14Zcm =Baez -----END PGP SIGNATURE-----