BSDSec

deadsimple BSD Security Advisories and Announcements

FreeBSD Errata Notice FreeBSD-EN-23:19.pkgbase

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-23:19.pkgbase                                        Errata Notice
                                                          The FreeBSD Project

Topic:          Incorrect pkgbase version number for FreeBSD 14.0

Category:       core
Module:         bin
Announced:      2023-12-05
Affects:        FreeBSD 14.0
Corrected:      2023-11-16 08:19:08 UTC (stable/14, 14.0-STABLE)
                2023-12-05 18:27:36 UTC (releng/14.0, 14.0-RELEASE-p2)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I.   Background

In addition to the traditional release artifacts (such as base.txz), the base
system is also packaged into a few hundred packages installable with pkg(8)
as part of the experimental pkgbase project.

II.  Problem Description

The pkgbase package versions for 14.0-RELEASE packages are set to "14"
instead of "14.0".  This differs from earlier releases, for instance the
latest pkgbase version number for releng/13.2 is "13.2p5".

III. Impact

Using package versions without the minor version will cause package version
conflicts in the future for FreeBSD 14.1 and later.

IV.  Workaround

No workaround is available.  This problem only affects systems using the
experimental pkgbase package sets.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.  No reboot is required.
If pkgbase is not in use on your system, no action is required.

Perform one of the following:

1) To update your system via a binary patch:

Systems using pkgbase can be updated via the pkg(8) utility.

# pkg update -r FreeBSD-base
# pkg upgrade -r FreeBSD-base

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.  Note that since this issue mainly affects people that
build pkgbase packages locally, consumers of pkbbase (i.e users that have
installed experimental pkgbase packages should update using pkg(8) as
described above.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-23:19/pkgbase.patch
# fetch https://security.FreeBSD.org/patches/EN-23:19/pkgbase.patch.asc
# gpg --verify pkgbase.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and buildkernel and create
a package set with correct version numbers using 'make packages'

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash          Revision
- -------------------------------------------------------------------------
stable/14/                              da7e9601a99a    stable/14-n265735
releng/14.0/                            ad3edd66d15e  releng/14.0-n265390
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id'5051>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-23:19.pkgbase.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmVvmWMACgkQbljekB8A
Gu+GgRAAo/xP3ZVWXUhcg9JXK2RnqTH2K4V/8f67e//HEs4wjYjkfvZe2m7yiYzu
pvwKo+ifCmWiMEHzHiMuVIknmfD2eDfVWH687KCHBhG7CJztxickSWIIFJyuTzKb
leg1ZBQo546SQVtamkGo8TEb+TMJhaRBz3McQ0ZxsyQJU59f02SH8Ua2swpTbZ58
irL7PiDJi85dlmLiVry33osotdfoSkmPeNHDZFtXMhWWIy/5MVy0FBvkmA9NzR6S
R1QozM9kXmcpEEOmt9EmW/asDFtF9p/2Ozi6wEnB67oNh2+ASynGlOD4mjYcRgYh
/RBLT0+j4FlB2FVU7n94oysPN72dYDCAMqk7tqzGFeOjNBJ2cdlN/7iGNvi7kp65
kgmHUd0Rr4txMb2XcxKfMOyOoknPluktNcQ2QoU9oBFR7ejNgGmSMaXIWI3O5NaQ
pdZJEj/4eOn0A5xuWCKCW16ymgXlGYdC3DzQ71nlKREV5uZJqYBmQBI+PbVJij+C
Z7Cxw1Ia3TKZn1B7NocRQNjPQIKLo12SLwJ+TcbxjRHE3QC8sLyYl8moXRaG4UWy
8C4yBatzAOmn4d50JzElNHDnE+XXaKExDBBcSVab3T+Y+4z7HNINH+d6+RdNSI3L
2MgKURXoaegGB7ExqA/kgKQliuFUg320LOrIq7gnQ47SaCBZ6xI=cn6s
-----END PGP SIGNATURE-----