BSDSec

deadsimple BSD Security Advisories and Announcements

[HEADS UP] freebsd-update issues in 10.1

18 December, 2014 by security-officer@FreeBSD.org | freebsd 

Dear FreeBSD community,

As many of you have noticed, running freebsd-update on FreeBSD 10.1
amd64 systems produces unexpected results, including reinstalling the
32-bit compatibility libraries (lib32) on systems where they are not
installed and claiming to want to remove the root directory.

When FreeBSD 10.1 was released, the lib32 component was inadvertantly
left out of the baseline used to generate freebsd-update patches.  The
consequences are twofold: first, users upgrading from 10.0 to 10.1 would
lose lib32; and second, users who had either installed 10.1 from scratch
or manually reinstalled lib32 after freebsd-update removed it would not
receive patches for it.

When this issue was discovered, we were faced with two options: either
ignore it or use the next update to re-add lib32.  The latter was
considered the lesser of two evils, as it was the only way to ensure
that lib32 receives security updates.  An unfortunate side effect is
that freebsd-update will now recreate lib32 even on systems where it was
intentionally left out or removed.

Users who do not wish to have lib32 installed should replace "world"
with "world/base" on the "Components" line in /etc/freebsd-update.conf.

The second issue, attempting to remove '/', seems to be the consequence
of a bug in the freebsd-update build process which we do not yet fully
understand, but which results in an incorrect index for the lib32
component.  We hope to be able to correct this (at the latest) when we
next publish an advisory.  In the meantime, the error can safely be
ignored, as freebsd-update will not actually remove anything.  Users who
have disabled lib32 in /etc/freebsd-update.conf as described above are
not affected.

DES