git: eb228f6747 - main - Add EN-21:26 through EN-21:29.
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 03 Nov 2021 22:44:29 UTC
The branch main has been updated by gordon (src committer):
URL: https://cgit.FreeBSD.org/doc/commit/?id=eb228f6747b7a6b02148cee8cde337a033be56e4
commit eb228f6747b7a6b02148cee8cde337a033be56e4
Author: Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2021-11-03 22:43:58 +0000
Commit: Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2021-11-03 22:43:58 +0000
Add EN-21:26 through EN-21:29.
Approved by: so
---
website/data/security/errata.toml | 16 +
.../advisories/FreeBSD-EN-21:26.libevent.asc | 132 +
.../advisories/FreeBSD-EN-21:27.caroot.asc | 154 +
.../security/advisories/FreeBSD-EN-21:28.vmci.asc | 145 +
.../advisories/FreeBSD-EN-21:29.tzdata.asc | 168 +
.../security/patches/EN-21:26/libevent.patch | 10 +
.../security/patches/EN-21:26/libevent.patch.asc | 16 +
.../security/patches/EN-21:27/caroot.12.patch | 6734 ++++++++++++++++++++
.../security/patches/EN-21:27/caroot.12.patch.asc | 16 +
.../security/patches/EN-21:27/caroot.13.patch | 6374 ++++++++++++++++++
.../security/patches/EN-21:27/caroot.13.patch.asc | 16 +
.../static/security/patches/EN-21:28/vmci.patch | 138 +
.../security/patches/EN-21:28/vmci.patch.asc | 16 +
.../security/patches/EN-21:29/tzdata-2021a3.patch | 205 +
.../patches/EN-21:29/tzdata-2021a3.patch.asc | 16 +
15 files changed, 14156 insertions(+)
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index 4cc5b7ccfa..c74f581696 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,22 @@
# Sort errata notices by year, month and day
# $FreeBSD$
+[[notices]]
+name = "FreeBSD-EN-21:29.tzdata"
+date = "2021-11-03"
+
+[[notices]]
+name = "FreeBSD-EN-21:28.vmci"
+date = "2021-11-03"
+
+[[notices]]
+name = "FreeBSD-EN-21:27.caroot"
+date = "2021-11-03"
+
+[[notices]]
+name = "FreeBSD-EN-21:26.libevent"
+date = "2021-11-03"
+
[[notices]]
name = "FreeBSD-EN-21:25.bhyve"
date = "2021-08-24"
diff --git a/website/static/security/advisories/FreeBSD-EN-21:26.libevent.asc b/website/static/security/advisories/FreeBSD-EN-21:26.libevent.asc
new file mode 100644
index 0000000000..a169171d52
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-21:26.libevent.asc
@@ -0,0 +1,132 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:26.libevent Errata Notice
+ The FreeBSD Project
+
+Topic: libevent1 ABI breakage
+
+Category: core
+Module: libevent1
+Announced: 2021-11-03
+Affects: FreeBSD 13.0
+Corrected: 2021-04-01 17:29:20 UTC (stable/13, 13.0-STABLE)
+ 2021-11-03 20:37:22 UTC (releng/13.0, 13.0-RELEASE-p5)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+libevent1 is a version of libevent in the base system used in ftp-proxy(8) and
+ypldap(8).
+
+II. Problem Description
+
+libevent1 maintains a local copy of some structure definitions from system
+headers to simplify consumers of the library. One of these structures no
+longer matched the corresponding system definition, causing inconsistent views
+of the `struct event` and `struct bufferevent` layouts.
+
+III. Impact
+
+ftp-proxy(8) will no longer handle incoming connections, ypldap(8) is likely
+affected as well.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date. No reboot will be required,
+but ftp-proxy and ypldap will need to be restarted.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:26/libevent.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:26/libevent.patch.asc
+# gpg --verify libevent.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ e0ad785a5d29 stable/13-n245086
+releng/13.0/ 5cd45ad4784b releng/13.0-n244761
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253509>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:26.libevent.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmGDD8QACgkQ05eS9J6n
+5cJe9g/6A2NIX4/0rlO0gGzTvYcRGb/0aAiR58mcinn5SNPVN40kzG93iq8AxKhq
+h9U2BtM/KZEIgbmwaltoQWQUrzHwF/K1pKFo6+u1nNSSbUy3dLV+rIDKXSinNND6
+vPkZIZbVBIsEWvMRbLexuuBI9QT+jEQFrMnRKocEXp3Yr0eooEzpseKUEfAS5yvt
++WlbN4m7lwCnod8gCT7phKATPfQZ1aKj46z5f99qc1+VyJ3323uI//1LsN9A7ra5
+sWW40FeNfbxKweaqgYZRqdwPvxtwh7luQGWBTk/2uQZ7yxEKLgGp5mRkIYG8GQsM
+d3gvGgw0ZUuRAjlA9io10T1Drb31pOR8/7aeD3EtsnBNEc3+M7OSOju5C1bU3put
+zAvForqifSq45wMTnW3CbsMdurq2JKhhAwpYXFib19Lv2yKVWNTOrtR6MGtbBv9b
+KSsJw2w8xLVN1/xGCtbrd4qZQhakQijyoqgG4reP1J+mw073WJVJMRG29YDvDcwD
+Zu+rAVlO7dz/uQZKowQJrWh4+kKxZCRbBPIQiQUxQ1T5XsCrQ6DNzvNZHuRWWoDs
+KV43T2RNgq70ur1sX4L+VSU0RVx4q9akGSD0lEl8pb/OvbEwCTWzs+UmjdpiTnUS
+b8ySlj56z6/yTpAVjQsHQijTCOy8L/uaVd2sXlr4sfDnbL+2mgg=
+=oYzJ
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-21:27.caroot.asc b/website/static/security/advisories/FreeBSD-EN-21:27.caroot.asc
new file mode 100644
index 0000000000..2c7c5f51be
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-21:27.caroot.asc
@@ -0,0 +1,154 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:27.caroot Errata Notice
+ The FreeBSD Project
+
+Topic: Root certificate bundle update
+
+Category: core
+Module: caroot
+Announced: 2021-11-03
+Affects: FreeBSD 12.2 and later.
+Corrected: 2021-09-04 07:39:07 UTC (stable/13, 13.0-STABLE)
+ 2021-11-03 20:37:26 UTC (releng/13.0, 13.0-RELEASE-p5)
+ 2021-09-04 07:39:03 UTC (stable/12, 12.2-STABLE)
+ 2021-11-03 20:55:26 UTC (releng/12.2, 12.2-RELEASE-p11)
+
+Note: Systems running FreeBSD 12.3-BETA are unaffected.
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The root certificate bundle is the trust store that is used by OpenSSL
+programs and libraries to aide in determining whether it should trust
+a given TLS certificate.
+
+II. Problem Description
+
+Several certificates were removed from the bundle after the latest release
+of FreeBSD 12.2 and FreeBSD 13.0. Additionally, an oversight in the root
+bundle processor included some roots that were not intended to be trusted for
+these purposes (SERVER_AUTH).
+
+III. Impact
+
+Certificates are often removed from the root bundle due to a failure to
+meet the standards established by Mozilla for being considered a trusted
+Certificate Authority. Continuing to trust roots despite their removal from
+the bundle should be considered risky.
+
+IV. Workaround
+
+No workaround is available. Software that uses an internal trust store
+is not affected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.0]
+# fetch https://security.FreeBSD.org/patches/EN-21:27/caroot.13.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:27/caroot.13.patch.asc
+# gpg --verify caroot.13.patch.asc
+
+[FreeBSD 12.2]
+# fetch https://security.FreeBSD.org/patches/EN-21:27/caroot.12.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:27/caroot.12.patch.asc
+# gpg --verify caroot.12.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all applications that may be using OpenSSL, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ 62aaa70143a6 stable/13-n247098
+releng/13.0/ b76aaa35423e releng/13.0-n244762
+stable/12/ r370507
+releng/12.2/ r370978
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:27.caroot.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmGDD88ACgkQ05eS9J6n
+5cKyaA//RQJ2wYygqL8o9iQK9FAl+gZO8x9C7Vlbgj1PBe0VHxlKoEmE48Iu4+vi
+56DR0rgPflx4EdqStFYzkjWnwIEhWGCJLIxFnDpL15/b3cxYoD+R9ipF3qt8ljz+
+Yyuw0NCCgyq36IfJMThQ3pKBOBbY8Bw4GLHAJE790AqXY+wIdUKdo+DxzYj/NcyS
+kbis9f+PCGPoDXSf4wMIj2IbE5LiMZbM6NF9QkmPE1ZzOh9eegsO2opm1FWE8UyD
+43i3HkpnBbKooq9yE/MpldrUH3+4VWiXpD0FtBMUY65ZMBSw2ddzzvupQ8jROkQq
+F6ZB4nwAVLwCiq7Yvwg5gTFyy6KUywdYs211R3SycjHwMoyCZOPLLFPqM1vio8u+
+Z1TItxKfW0/MT0yTQFNQK6CAPd92Co3mmEGKzPmvbxwK7idfB2lgFjExCeF3FwVU
+guUeIDTXDKQ+V0nynWERmDdI1S3x9bllZzIMU23BuuwKZDdR+lPJiKX1vUXmpe8p
+lmISyCVIg+0bIRL4WNAqceAIuUA/7zLCtCWF4OEl6utmb7hWVxmPH8GyjyzktLWh
+BwwHCspeT2h5y1leCVXigFv9nGgTj+kDXtgE4itIJXRPiliQ2j9VueGOe/I0gS/4
+9R2ro6t4UIi/E4T7Mp+oaiOGKARnE3Uf2aAelQbt9Do68taqTSU=
+=9hM5
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-21:28.vmci.asc b/website/static/security/advisories/FreeBSD-EN-21:28.vmci.asc
new file mode 100644
index 0000000000..d4ec4fd0ff
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-21:28.vmci.asc
@@ -0,0 +1,145 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:28.vmci Errata Notice
+ The FreeBSD Project
+
+Topic: Fix kernel panic in vmci driver initialization
+
+Category: core
+Module: vmci
+Announced: 2021-11-03
+Affects: FreeBSD 12.x, FreeBSD 13.0
+Corrected: 2021-10-16 18:22:43 UTC (stable/13, 13.0-STABLE)
+ 2021-11-03 20:40:19 UTC (releng/13.0, 13.0-RELEASE-p5)
+ 2021-10-17 18:51:19 UTC (stable/12, 12.2-STABLE)
+ 2021-11-03 20:55:32 UTC (releng/12.2, 12.2-RELEASE-p11)
+
+Note: Systems running FreeBSD 12.3-BETA are unaffected.
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The vmci(4) driver implements VMware Virtual Machine Communication Interface
+for FreeBSD. It allows virtual machines to communicate with host kernel modules
+and VMware hypervisors.
+
+II. Problem Description
+
+An error during driver initialization results in a kernel panic due to unallocated
+resources being freed up.
+
+III. Impact
+
+The vmci(4) driver is loaded automatically by devd when the system is being
+run on the VMWare hypervisor. The kernel panic happens at the system boot stage.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r now
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:28/vmci.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:28/vmci.patch.asc
+# gpg --verify vmci.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ 4e5c1be4202a stable/13-n247688
+releng/13.0/ 847819dca14d releng/13.0-n244763
+stable/12/ r370935
+releng/12.2/ r370979
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=252445>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:28.vmci.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmGDD9AACgkQ05eS9J6n
+5cLAKxAApP3naU6wV6gwTGIVfugBt74TG6Q3thkg8mWqFUIRnpBgHH5yBrP7SESu
+N07Y21Z84tNzOoQtZs1MrF2gfW8KUdBC80wIT+1I8fEmteX/+8/6CKsu0JRh//n4
+8YXf5/BjqgC2aQXfm0Zp4ddKLymmq1rLrxJcjOGqlrVsxXgSyh/ExUbpM/vIUBDi
+DKSpK0zjv+54R0B3ihWM2+qRmMEMKEAwxNTm3IKVUyZymYm7SpLpKZetE9GFOmKU
+1AFlTomJmxbPcSGR2APu0R8xHf+wZIMiw1SqJR8bBrXxHjoVTrjl+PosIlX9jakE
+S9V0xbnVBSxsmIOfEXw3U8Q+AYCQ3bQXXJ1E6YmKCpOcqKYF8wC+iD7Q/OHzUCFE
+Hrnf8mNJHdZ8QK3WjdzfLwR2JAQ6yVJ2F2Bojqp+wwBIX+/Sq/mGPsZMVPVImdXj
+9OOo+O+nZmBVqRHcLeis/GOy7CdPlnVQOxdhMcR4DMv739dJwKDYb0iYHw86KM++
+3RNbJk89TSHGYGR4bKNZsDtq+9UUclBqwZesZSVDsgyB4gJvmqeBbV1g21yVdjw8
+ZvUI7MgI/4IB3Ac8qH5XSYdfUDZtDqzcjo6FnK/cEOYKFAgTPsCbBbbi3lZHoV9y
+Hz1Hwg0mqS1VEIUh8ipMTIod3yBiGoYEMiF4TGhpJhn100LaVFQ=
+=+4Iy
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-21:29.tzdata.asc b/website/static/security/advisories/FreeBSD-EN-21:29.tzdata.asc
new file mode 100644
index 0000000000..5da76853cf
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-21:29.tzdata.asc
@@ -0,0 +1,168 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:29.tzdata Errata Notice
+ The FreeBSD Project
+
+Topic: Timezone database information update
+
+Category: contrib
+Module: zoneinfo
+Announced: 2021-11-03
+Affects: All supported versions of FreeBSD.
+Corrected: 2021-10-25 01:09:01 UTC (stable/13, 13.0-STABLE)
+ 2021-11-03 20:44:52 UTC (releng/13.0, 13.0-RELEASE-p5)
+ 2021-10-25 01:09:08 UTC (stable/12, 12.3-STABLE)
+ 2021-10-25 01:12:50 UTC (releng/12.3, 12.3-BETA1)
+ 2021-11-03 20:55:36 UTC (releng/12.2, 12.2-RELEASE-p11)
+
+Note: Systems running FreeBSD 12.3-BETA1 are affected, however 12.3-BETA2
+ and later are already remediated.
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The tzsetup(8) program allows the user to specify the default local timezone.
+Based on the selected timezone, tzsetup(8) copies one of the files from
+/usr/share/zoneinfo to /etc/localtime. This file actually controls the
+conversion.
+
+II. Problem Description
+
+Several changes in Daylight Saving Time transition dates happened after
+previous FreeBSD releases were released affecting many users in different
+parts of the world. Because of these changes, the data in the zoneinfo files
+need to be updated, and if the local timezone on the running system is
+affected, tzsetup(8) needs to be run so the /etc/localtime is updated.
+
+III. Impact
+
+An incorrect time will be displayed on a system configured to use one of the
+affected timezones if the /usr/share/zoneinfo and /etc/localtime files are
+not updated, and all applications on the system that rely on the system time,
+such as cron(8) and syslog(8), will be affected.
+
+IV. Workaround
+
+The system administrator can install an updated timezone database from the
+misc/zoneinfo port and run tzsetup(8) to get the timezone database corrected.
+
+Applications that store and display times in Coordinated Universal Time (UTC)
+are not affected.
+
+V. Solution
+
+Please note that some third party software, for instance PHP, Ruby, Java, Perl
+and Python, may be using different zoneinfo data source, in such cases this
+software must be updated separately. Software packages that are installed via
+binary packages can be upgraded by executing `pkg upgrade'.
+
+Following the instructions in this Errata Notice will update all of the
+zoneinfo files to be the same as what was released with FreeBSD release.
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date. Restart all the affected
+applications and daemons, or reboot the system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart all the affected applications and daemons, or reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:29/tzdata-2021a3.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:29/tzdata-2021a3.patch.asc
+# gpg --verify tzdata-2021a3.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all the affected applications and daemons, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ ed325e2ec2dc stable/13-n247816
+releng/13.0/ 11754a61115f releng/13.0-n244764
+stable/12/ r370968
+releng/12.3/ r370969
+releng/12.2/ r370980
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://github.com/eggert/tz/blob/2021e/NEWS>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:29.tzdata.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmGDD9AACgkQ05eS9J6n
+5cLIrg/+L/OYcepPmR4va4+0Q+vv90D0lsZGH/So6FJ2aa8zXdAmpQJaA5g+cptW
+pwwOPa58UzOVCuIZSlAsBubqj9XPT/LUFN0FxcsduyHf0izf2+tfjS/RsmOtzCD0
+muE5UwIDQwXdmDNnyWnrdBbBW94nqD3BU526LbG/RkmKumDgd4wPIuGsbFAcSiAW
+BVyrZQXdttyw6ZK7I7YxITsXtqrCMmYwDm4ZpnI+iLzh5droQxf7S2ejMTyKLPxQ
+mRNHQxa+TAVWZUyLDPT6mZc9yWzuM0huuIl70iTaz59SFcs2/s4Qw+J2WTVammsl
+4FzVoFjLD9/Bkx2JyghC5MD45XE5oHrxQ2duL6TLgqu1ZnN1EUvw8AS9TRD51pEP
+6ryG9OZ5ICpaiEniEbgfuvzbM3sJm0DwA84LVahpVD7fCflzimn4NESz6UyVDp86
+B9l1O2yRLpaMz5CIUBI9yRI7QefK2em3PE19n0/JGYZbSMOd5J9no3692vIMZhS9
+xEgUCRTpr68s2df+liXK1oKJe6v8uZWIeptINGLA9aHfYPw4pI4jYN67S93mhqXc
+ORO9VPTeJPrmmn82/fpPKFRZsi8nE+pHatCYeKwLA1ZiClDJo+nTcdIP8jMJAixW
+S1yDx0acbOWth7NzgRf3bdA3NZ9Vp8jX0oxmYYbJxQjh4K+mwRY=
+=uW9d
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-21:26/libevent.patch b/website/static/security/patches/EN-21:26/libevent.patch
new file mode 100644
index 0000000000..5cdc37d825
--- /dev/null
+++ b/website/static/security/patches/EN-21:26/libevent.patch
@@ -0,0 +1,10 @@
+--- contrib/pf/libevent/event.h.orig
++++ contrib/pf/libevent/event.h
+@@ -73,7 +73,6 @@
+ struct type *rbe_left; /* left element */ \
+ struct type *rbe_right; /* right element */ \
+ struct type *rbe_parent; /* parent element */ \
+- int rbe_color; /* node color */ \
+ }
+ #endif /* !RB_ENTRY */
+
diff --git a/website/static/security/patches/EN-21:26/libevent.patch.asc b/website/static/security/patches/EN-21:26/libevent.patch.asc
new file mode 100644
index 0000000000..aefeb09f3d
--- /dev/null
+++ b/website/static/security/patches/EN-21:26/libevent.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmGDD88ACgkQ05eS9J6n
+5cLSDxAAmQxhTq0KDh6Sde2t92VLvkAj4WZbRnSCMP7fkqqd7YoC05/ptINbM2+I
+vB8SakIx8Ic5AUqniF43wRnTz1V4XIeM9f0iZyZyy+ksMB0hYPVVdx1AjWrCWDfA
+wEF38MoWXk4EPDinBL9QCfa85Vq0beivdcIFMbiDal1X6zK3iDATq8qNSX+ChshP
+Xno2QCCPwoZjPpZhRpb+j4MGP8Ro+jCJuawzwhsm999MbAF4GzKZqAzdF8i8oTda
+RHF9blnqo4Q3ENMfBs6pdKcxaymu+E82GioHqpEUkZdmQzcW2z15TBcX405Zbl8/
+vGeY7GMhTr7JDvw324bYdpRoDaO2HbBrDGaowCo1PgsAUKsat0qqGIzZ5aS22tPt
+DIixovSuGe8u1n21l3SX1LKmrVGfhLjl3IH8DHWrYxOMhI1iAQ42qDtD+kTUc5zS
+vNdGno1CBlCGKqUOwUlwJSE+hSxYV3+NOuqzunv5eHmnfwlEa4AtNZqx6NCBEcnt
+T9PCpEa3fIB5HiHGD1mFm8Zyjnk6kwdnUpnQeQKcYz+ShkjytXQ7tR79W+XdTSgf
+H6HDWEYGF1oRN+et/I/TgspdFcvq036xAFX7XzOFrp/93cZkPS2Dddwow7rzKGPK
+I/NpXu0tHiUwrkZu5BXmbuqLyLRRVQjsTehJGfKve9gdlWYZiEA=
+=tm73
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-21:27/caroot.12.patch b/website/static/security/patches/EN-21:27/caroot.12.patch
new file mode 100644
index 0000000000..b41f372bab
--- /dev/null
+++ b/website/static/security/patches/EN-21:27/caroot.12.patch
@@ -0,0 +1,6734 @@
+--- secure/caroot/MAca-bundle.pl.orig
++++ secure/caroot/MAca-bundle.pl
+@@ -76,6 +76,8 @@
+ ## Authority (CA). It was automatically extracted from Mozilla's
+ ## root CA list (the file `certdata.txt' in security/nss).
+ ##
++## It contains a certificate trusted for server authentication.
++##
+ ## Extracted from nss
+ ## with $VERSION
+ ##
+@@ -91,6 +93,8 @@
+ ## Authorities (CA). These were automatically extracted from Mozilla's
+ ## root CA list (the file `certdata.txt').
+ ##
++## It contains certificates trusted for server authentication.
++##
+ ## Extracted from nss
+ ## with $VERSION
+ ##
+@@ -100,6 +104,13 @@
+ }
+ }
+
++# returns a string like YYMMDDhhmmssZ of current time in GMT zone
++sub timenow()
++{
++ my ($sec,$min,$hour,$mday,$mon,$year,undef,undef,undef) = gmtime(time);
++ return sprintf "%02d%02d%02d%02d%02d%02dZ", $year-100, $mon+1, $mday, $hour, $min, $sec;
++}
++
+ sub printcert($$$)
+ {
+ my ($fh, $label, $certdata) = @_;
+@@ -110,6 +121,8 @@
+ close(OUT) or die "openssl x509 failed with exit code $?";
+ }
+
++# converts a datastream that is to be \177-style octal constants
++# from <> to a (binary) string and returns it
+ sub graboct($)
+ {
+ my $ifh = shift;
+@@ -125,13 +138,13 @@
+ return $data;
+ }
+
+-
+ sub grabcert($)
+ {
+ my $ifh = shift;
+ my $certdata;
+- my $cka_label;
+- my $serial;
++ my $cka_label = '';
++ my $serial = 0;
++ my $distrust = 0;
+
+ while (<$ifh>) {
+ chomp;
+@@ -148,6 +161,19 @@
+ if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) {
+ $serial = graboct($ifh);
+ }
++
++ if (/^CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL/)
++ {
++ my $distrust_after = graboct($ifh);
++ my $time_now = timenow();
++ if ($time_now >= $distrust_after) { $distrust = 1; }
++ if ($debug) {
++ printf STDERR "line $.: $cka_label ser #%d: distrust after %s, now: %s -> distrust $distrust\n", $serial, $distrust_after, timenow();
++ }
++ if ($distrust) {
++ return undef;
++ }
++ }
+ }
+ return ($serial, $cka_label, $certdata);
+ }
+@@ -171,13 +197,13 @@
+ $serial = graboct($ifh);
+ }
+
+- if (/^CKA_TRUST_(SERVER_AUTH|EMAIL_PROTECTION|CODE_SIGNING) CK_TRUST (\S+)$/)
++ if (/^CKA_TRUST_SERVER_AUTH CK_TRUST (\S+)$/)
+ {
+- if ($2 eq 'CKT_NSS_NOT_TRUSTED') {
++ if ($1 eq 'CKT_NSS_NOT_TRUSTED') {
+ $distrust = 1;
+- } elsif ($2 eq 'CKT_NSS_TRUSTED_DELEGATOR') {
++ } elsif ($1 eq 'CKT_NSS_TRUSTED_DELEGATOR') {
+ $maytrust = 1;
+- } elsif ($2 ne 'CKT_NSS_MUST_VERIFY_TRUST') {
++ } elsif ($1 ne 'CKT_NSS_MUST_VERIFY_TRUST') {
+ confess "Unknown trust setting on line $.:\n"
+ . "$_\n"
+ . "Script must be updated:";
+@@ -197,16 +223,22 @@
+ print_header(*STDOUT, "");
+ }
+
++my $untrusted = 0;
++
+ while (<$inputfh>) {
+ if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) {
+ my ($serial, $label, $certdata) = grabcert($inputfh);
+ if (defined $certs{$label."\0".$serial}) {
+ warn "Certificate $label duplicated!\n";
+ }
+- $certs{$label."\0".$serial} = $certdata;
+- # We store the label in a separate hash because truncating the key
+- # with \0 was causing garbage data after the end of the text.
+- $labels{$label."\0".$serial} = $label;
++ if (defined $certdata) {
++ $certs{$label."\0".$serial} = $certdata;
++ # We store the label in a separate hash because truncating the key
++ # with \0 was causing garbage data after the end of the text.
++ $labels{$label."\0".$serial} = $label;
++ } else { # $certdata undefined? distrust_after in effect
++ $untrusted ++;
++ }
+ } elsif (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/) {
+ my ($serial, $label, $trust) = grabtrust($inputfh);
+ if (defined $trusts{$label."\0".$serial}) {
+@@ -226,7 +258,6 @@
+ }
+
+ # weed out untrusted certificates
+-my $untrusted = 0;
+ foreach my $it (keys %trusts) {
+ if (!$trusts{$it}) {
+ if (!exists($certs{$it})) {
+--- /dev/null
++++ secure/caroot/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem
+@@ -0,0 +1,112 @@
++##
++## Camerfirma Chambers of Commerce Root
++##
++## This is a single X.509 certificate for a public Certificate
++## Authority (CA). It was automatically extracted from Mozilla's
++## root CA list (the file `certdata.txt' in security/nss).
++##
++## Extracted from nss
++## with $FreeBSD$
++##
++## @generated
++##
++Certificate:
++ Data:
++ Version: 3 (0x2)
++ Serial Number: 0 (0x0)
++ Signature Algorithm: sha1WithRSAEncryption
++ Issuer: C = EU, O = AC Camerfirma SA CIF A82743287, OU = http://www.chambersign.org, CN = Chambers of Commerce Root
++ Validity
++ Not Before: Sep 30 16:13:43 2003 GMT
++ Not After : Sep 30 16:13:44 2037 GMT
++ Subject: C = EU, O = AC Camerfirma SA CIF A82743287, OU = http://www.chambersign.org, CN = Chambers of Commerce Root
++ Subject Public Key Info:
++ Public Key Algorithm: rsaEncryption
++ RSA Public-Key: (2048 bit)
++ Modulus:
++ 00:b7:36:55:e5:a5:5d:18:30:e0:da:89:54:91:fc:
++ c8:c7:52:f8:2f:50:d9:ef:b1:75:73:65:47:7d:1b:
++ 5b:ba:75:c5:fc:a1:88:24:fa:2f:ed:ca:08:4a:39:
++ 54:c4:51:7a:b5:da:60:ea:38:3c:81:b2:cb:f1:bb:
++ d9:91:23:3f:48:01:70:75:a9:05:2a:ad:1f:71:f3:
++ c9:54:3d:1d:06:6a:40:3e:b3:0c:85:ee:5c:1b:79:
++ c2:62:c4:b8:36:8e:35:5d:01:0c:23:04:47:35:aa:
++ 9b:60:4e:a0:66:3d:cb:26:0a:9c:40:a1:f4:5d:98:
++ bf:71:ab:a5:00:68:2a:ed:83:7a:0f:a2:14:b5:d4:
++ 22:b3:80:b0:3c:0c:5a:51:69:2d:58:18:8f:ed:99:
++ 9e:f1:ae:e2:95:e6:f6:47:a8:d6:0c:0f:b0:58:58:
++ db:c3:66:37:9e:9b:91:54:33:37:d2:94:1c:6a:48:
++ c9:c9:f2:a5:da:a5:0c:23:f7:23:0e:9c:32:55:5e:
++ 71:9c:84:05:51:9a:2d:fd:e6:4e:2a:34:5a:de:ca:
++ 40:37:67:0c:54:21:55:77:da:0a:0c:cc:97:ae:80:
++ dc:94:36:4a:f4:3e:ce:36:13:1e:53:e4:ac:4e:3a:
++ 05:ec:db:ae:72:9c:38:8b:d0:39:3b:89:0a:3e:77:
++ fe:75
++ Exponent: 3 (0x3)
++ X509v3 extensions:
++ X509v3 Basic Constraints: critical
++ CA:TRUE, pathlen:12
++ X509v3 CRL Distribution Points:
++
++ Full Name:
++ URI:http://crl.chambersign.org/chambersroot.crl
++
++ X509v3 Subject Key Identifier:
++ E3:94:F5:B1:4D:E9:DB:A1:29:5B:57:8B:4D:76:06:76:E1:D1:A2:8A
++ X509v3 Key Usage: critical
++ Certificate Sign, CRL Sign
++ Netscape Cert Type:
++ SSL CA, S/MIME CA, Object Signing CA
++ X509v3 Subject Alternative Name:
++ email:chambersroot@chambersign.org
++ X509v3 Issuer Alternative Name:
++ email:chambersroot@chambersign.org
++ X509v3 Certificate Policies:
++ Policy: 1.3.6.1.4.1.17326.10.3.1
++ CPS: http://cps.chambersign.org/cps/chambersroot.html
++
++ Signature Algorithm: sha1WithRSAEncryption
++ 0c:41:97:c2:1a:86:c0:22:7c:9f:fb:90:f3:1a:d1:03:b1:ef:
++ 13:f9:21:5f:04:9c:da:c9:a5:8d:27:6c:96:87:91:be:41:90:
++ 01:72:93:e7:1e:7d:5f:f6:89:c6:5d:a7:40:09:3d:ac:49:45:
++ 45:dc:2e:8d:30:68:b2:09:ba:fb:c3:2f:cc:ba:0b:df:3f:77:
++ 7b:46:7d:3a:12:24:8e:96:8f:3c:05:0a:6f:d2:94:28:1d:6d:
++ 0c:c0:2e:88:22:d5:d8:cf:1d:13:c7:f0:48:d7:d7:05:a7:cf:
++ c7:47:9e:3b:3c:34:c8:80:4f:d4:14:bb:fc:0d:50:f7:fa:b3:
++ ec:42:5f:a9:dd:6d:c8:f4:75:cf:7b:c1:72:26:b1:01:1c:5c:
++ 2c:fd:7a:4e:b4:01:c5:05:57:b9:e7:3c:aa:05:d9:88:e9:07:
++ 46:41:ce:ef:41:81:ae:58:df:83:a2:ae:ca:d7:77:1f:e7:00:
++ 3c:9d:6f:8e:e4:32:09:1d:4d:78:34:78:34:3c:94:9b:26:ed:
++ 4f:71:c6:19:7a:bd:20:22:48:5a:fe:4b:7d:03:b7:e7:58:be:
++ c6:32:4e:74:1e:68:dd:a8:68:5b:b3:3e:ee:62:7d:d9:80:e8:
++ 0a:75:7a:b7:ee:b4:65:9a:21:90:e0:aa:d0:98:bc:38:b5:73:
++ 3c:8b:f8:dc
++SHA1 Fingerprint=6E:3A:55:A4:19:0C:19:5C:93:84:3C:C0:DB:72:2E:31:30:61:F0:B1
++-----BEGIN CERTIFICATE-----
++MIIEvTCCA6WgAwIBAgIBADANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJFVTEn
++MCUGA1UEChMeQUMgQ2FtZXJmaXJtYSBTQSBDSUYgQTgyNzQzMjg3MSMwIQYDVQQL
++ExpodHRwOi8vd3d3LmNoYW1iZXJzaWduLm9yZzEiMCAGA1UEAxMZQ2hhbWJlcnMg
++b2YgQ29tbWVyY2UgUm9vdDAeFw0wMzA5MzAxNjEzNDNaFw0zNzA5MzAxNjEzNDRa
++MH8xCzAJBgNVBAYTAkVVMScwJQYDVQQKEx5BQyBDYW1lcmZpcm1hIFNBIENJRiBB
++ODI3NDMyODcxIzAhBgNVBAsTGmh0dHA6Ly93d3cuY2hhbWJlcnNpZ24ub3JnMSIw
++IAYDVQQDExlDaGFtYmVycyBvZiBDb21tZXJjZSBSb290MIIBIDANBgkqhkiG9w0B
++AQEFAAOCAQ0AMIIBCAKCAQEAtzZV5aVdGDDg2olUkfzIx1L4L1DZ77F1c2VHfRtb
++unXF/KGIJPov7coISjlUxFF6tdpg6jg8gbLL8bvZkSM/SAFwdakFKq0fcfPJVD0d
++BmpAPrMMhe5cG3nCYsS4No41XQEMIwRHNaqbYE6gZj3LJgqcQKH0XZi/caulAGgq
++7YN6D6IUtdQis4CwPAxaUWktWBiP7Zme8a7ileb2R6jWDA+wWFjbw2Y3npuRVDM3
++0pQcakjJyfKl2qUMI/cjDpwyVV5xnIQFUZot/eZOKjRa3spAN2cMVCFVd9oKDMyX
++roDclDZK9D7ONhMeU+SsTjoF7Nuucpw4i9A5O4kKPnf+dQIBA6OCAUQwggFAMBIG
++A1UdEwEB/wQIMAYBAf8CAQwwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5j
++aGFtYmVyc2lnbi5vcmcvY2hhbWJlcnNyb290LmNybDAdBgNVHQ4EFgQU45T1sU3p
++26EpW1eLTXYGduHRooowDgYDVR0PAQH/BAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIA
++BzAnBgNVHREEIDAegRxjaGFtYmVyc3Jvb3RAY2hhbWJlcnNpZ24ub3JnMCcGA1Ud
++EgQgMB6BHGNoYW1iZXJzcm9vdEBjaGFtYmVyc2lnbi5vcmcwWAYDVR0gBFEwTzBN
++BgsrBgEEAYGHLgoDATA+MDwGCCsGAQUFBwIBFjBodHRwOi8vY3BzLmNoYW1iZXJz
++aWduLm9yZy9jcHMvY2hhbWJlcnNyb290Lmh0bWwwDQYJKoZIhvcNAQEFBQADggEB
++AAxBl8IahsAifJ/7kPMa0QOx7xP5IV8EnNrJpY0nbJaHkb5BkAFyk+cefV/2icZd
++p0AJPaxJRUXcLo0waLIJuvvDL8y6C98/d3tGfToSJI6WjzwFCm/SlCgdbQzALogi
++1djPHRPH8EjX1wWnz8dHnjs8NMiAT9QUu/wNUPf6s+xCX6ndbcj0dc97wXImsQEc
++XCz9ek60AcUFV7nnPKoF2YjpB0ZBzu9Bga5Y34OirsrXdx/nADydb47kMgkdTXg0
++eDQ8lJsm7U9xxhl6vSAiSFr+S30Dt+dYvsYyTnQeaN2oaFuzPu5ifdmA6Ap1erfu
++tGWaIZDgqtCYvDi1czyL+Nw=
++-----END CERTIFICATE-----
+--- /dev/null
++++ secure/caroot/blacklisted/Camerfirma_Global_Chambersign_Root.pem
+@@ -0,0 +1,112 @@
++##
++## Camerfirma Global Chambersign Root
++##
++## This is a single X.509 certificate for a public Certificate
++## Authority (CA). It was automatically extracted from Mozilla's
++## root CA list (the file `certdata.txt' in security/nss).
++##
++## Extracted from nss
++## with $FreeBSD$
++##
++## @generated
*** 13295 LINES SKIPPED ***