FreeBSD Errata Notice FreeBSD-EN-23:13.freebsd-update
8 November, 2023 by errata-notices@freebsd.org | freebsd
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-23:13.freebsd-update Errata Notice The FreeBSD Project Topic: freebsd-update does not handle deep boot environments Category: core Announced: 2023-11-08 Affects: All supported versions of FreeBSD. Corrected: 2023-10-24 00:04:14 UTC (stable/14, 14.0-STABLE) 2023-10-24 16:12:01 UTC (releng/14.0, 14.0-RC3) 2023-10-24 00:04:18 UTC (stable/13, 13.2-STABLE) 2023-11-08 00:59:45 UTC (releng/13.2, 13.2-RELEASE-p5) 2023-10-24 00:05:10 UTC (stable/12, 12.4-STABLE) 2023-11-08 01:10:13 UTC (releng/12.4, 12.4-RELEASE-p7) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. Background freebsd-update will create a new boot environment as a backup when performing updates. II. Problem Description Some systems use non-default configurations referred to as "deep" boot environments. Deep boot environments place datasets belonging to the boot environment subordinate to the boot environment dataset itself, rather than elsewhere in the pool structure. This kind of boot environment requires the -r flag to bectl(8) for most operations in order to recurse on these subordinate datasets, but freebsd-update(8) was not recursing when creating a backup boot environment. III. Impact Without recursing in bectl(8), backups taken of a deep boot environment are not complete snapshots of the system state before the upgrade takes place. This means that it's potentially painful to try and rollback to the pre-upgrade state after the upgrade has completed. IV. Workaround No workaround is available, but the default configuration is not affected and deep boot environment users may create their own backups prior to an upgrade with a manual `bectl create -r ...` V. Solution Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/EN-23:13/freebsd-update.patch # fetch https://security.FreeBSD.org/patches/EN-23:13/freebsd-update.patch.asc # gpg --verify freebsd-update.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. VI. Correction details This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 5c2a559876d1 stable/14-n265583 releng/14.0/ e34fdb7c119e releng/14.0-n265341 stable/13/ 80f747781f12 stable/13-n256596 releng/13.2/ e79edfaf68c5 releng/13.2-n254641 stable/12/ r373256 releng/12.4/ r373266 - ------------------------------------------------------------------------- For FreeBSD 13 and later: Run the following command to see which files were modified by a particular commit: # git show --stat <commit hash> Or visit the following URL, replacing NNNNNN with the hash: <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD For FreeBSD 12 and earlier: Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. References <URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id&7535> The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-23:13.freebsd-update.asc> -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmVLKZUACgkQbljekB8A Gu+SVw/9FKEzcR7kUudFRwnNsY1LI7YphmuEA7xT6pdiMxizHmh/iWOF8yc5l3Ky lpXcIhbNXwOcI06Jv9OswIZyOXTtLZat+MVLyx4uoMgdHuM4wuPx4N9lo6FwvE1v Ehtf1GkEnOANcxou0PdrS+fHzUKx/hjn/WVKcdp+YmYzf19LnIqj2H58QWTP7INr cP/rj3EiqGi7XkBEh4te6nTyy27Wu+ihZZDdLFv43sf/cOEl2wsd8HJxVxfz9aEP lhJSBVMFq46YfNSLIsYLLN5v6d2C5ag4JJ2tvuX2sazLl3TXafDZ+OtAok0h8iiE qGrad3dt/g/5/WnSVK68GQ4MfyXJtfywxK18CX3fojeCuDJ5D9j7XUUXaqHHty9r CdcI4yZkswijkKIhtBRYdGh7Nvue54br6cnf7L8i/6hbPnLbdue3gs+v5OLNEttm LthNPViDJWid2TD+mRDS/2JubpiHspzb06Z+q2Hpt5wLRdISu1qPnjgGXgzXgPNB 3PYbsPp2i1rHmz52K08hK+582QL5PMS5/hpB6pN2bakugvAGz5ocrBn1C5ejNIeo 4FAFV5w4cvgaJJf7eI8Lo+IzEcg4gA6h8ibDsFXIzMf3Fnn9p7qH7cw85AoemW4a ZZBDYL81fEy9hJBqhQC4cmjEdzuvptPV5arFzX8J9M6Hirrnt9g=l1ce -----END PGP SIGNATURE-----