Run fsck with -z for ufs on upgrade to address FreeBSD-SA-19:10.ufs
Full details at https://www.freebsd.org/security/advisories/FreeBSD-SA-19:10.ufs.asc but long story short, on UFS filesystems uninitialized directory padding may contain a few bytes of content from kernel memory readable by anyone who can access a directory.
To clean it up, at boot time before mounting root, this must be run:
fsck -t ufs -f -p -T ufs:-z
We already have code to run fsck then, but we need to trigger this special run just once for everyone unconditionally on upgrade to a release containing the fix.