git: 5c437387fc - main - Add EN-23:01 to EN-23:04 and SA-23:01.

From: Gordon Tetlow <gordon_at_FreeBSD.org>
Date: Wed, 08 Feb 2023 18:58:20 UTC
The branch main has been updated by gordon (src committer):

URL: https://cgit.FreeBSD.org/doc/commit/?id=5c437387fc2911dee561bade23e80c7f372d69f3

commit 5c437387fc2911dee561bade23e80c7f372d69f3
Author:     Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2023-02-08 18:57:57 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2023-02-08 18:57:57 +0000

    Add EN-23:01 to EN-23:04 and SA-23:01.
    
    Approved by:    so
---
 website/data/security/advisories.toml              |   4 +
 website/data/security/errata.toml                  |  16 +
 .../advisories/FreeBSD-EN-23:01.tzdata.asc         | 174 +++++
 .../security/advisories/FreeBSD-EN-23:02.sdhci.asc | 126 ++++
 .../security/advisories/FreeBSD-EN-23:03.ena.asc   | 133 ++++
 .../security/advisories/FreeBSD-EN-23:04.ixgbe.asc | 146 ++++
 .../security/advisories/FreeBSD-SA-23:01.geli.asc  | 159 ++++
 .../security/patches/EN-23:01/tzdata-2022g.patch   | 804 +++++++++++++++++++++
 .../patches/EN-23:01/tzdata-2022g.patch.asc        |  16 +
 .../static/security/patches/EN-23:02/sdhci.patch   |  11 +
 .../security/patches/EN-23:02/sdhci.patch.asc      |  16 +
 website/static/security/patches/EN-23:03/ena.patch | 125 ++++
 .../static/security/patches/EN-23:03/ena.patch.asc |  16 +
 .../static/security/patches/EN-23:04/ixgbe.patch   |  16 +
 .../security/patches/EN-23:04/ixgbe.patch.asc      |  16 +
 .../static/security/patches/SA-23:01/geli.patch    | 181 +++++
 .../security/patches/SA-23:01/geli.patch.asc       |  16 +
 17 files changed, 1975 insertions(+)

diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index 6a3d6ed32c..2c697786f8 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -1,6 +1,10 @@
 # Sort advisories by year, month and day
 # $FreeBSD$
 
+[[advisories]]
+name = "FreeBSD-SA-23:01.geli"
+date = "2023-02-08"
+
 [[advisories]]
 name = "FreeBSD-SA-22:15.ping"
 date = "2022-11-29"
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index b4a4a7c26d..b1b74bf67c 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,22 @@
 # Sort errata notices by year, month and day
 # $FreeBSD$
 
+[[notices]]
+name = "FreeBSD-EN-23:04.ixgbe"
+date = "2023-02-08"
+
+[[notices]]
+name = "FreeBSD-EN-23:03.ena"
+date = "2023-02-08"
+
+[[notices]]
+name = "FreeBSD-EN-23:02.sdhci"
+date = "2023-02-08"
+
+[[notices]]
+name = "FreeBSD-EN-23:01.tzdata"
+date = "2023-02-08"
+
 [[notices]]
 name = "FreeBSD-EN-22:28.heimdal"
 date = "2022-11-29"
diff --git a/website/static/security/advisories/FreeBSD-EN-23:01.tzdata.asc b/website/static/security/advisories/FreeBSD-EN-23:01.tzdata.asc
new file mode 100644
index 0000000000..584cb095f6
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-23:01.tzdata.asc
@@ -0,0 +1,174 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-23:01.tzdata                                         Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Timezone database information update
+
+Category:       contrib
+Module:         zoneinfo
+Announced:      2022-02-08
+Affects:        All supported versions of FreeBSD.
+Corrected:      2022-12-01 01:36:29 UTC (stable/13, 13.1-STABLE)
+                2023-02-08 16:08:28 UTC (releng/13.1, 13.1-RELEASE-p6)
+                2022-12-01 01:40:23 UTC (stable/12, 12.4-STABLE)
+                2023-02-08 18:30:20 UTC (releng/12.4, 12.4-RELEASE-p1)
+                2023-02-08 18:28:25 UTC (releng/12.3, 12.3-RELEASE-p11)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The IANA Time Zone Database (often called tz or zoneinfo) contains code and
+data that represent the history of local time for many representative
+locations around the globe.  It is updated periodically to reflect changes
+made by political bodies to time zone boundaries, UTC offsets, and
+daylight-saving rules.
+
+FreeBSD releases install the IANA Time Zone Database in /usr/share/zoneinfo.
+The tzsetup(8) utility allows the user to specify the default local time
+zone.  Based on the selected time zone, tzsetup(8) copies one of the files
+from /usr/share/zoneinfo to /etc/localtime.  A time zone may also be selected
+for an individual process by setting its TZ environment variable to a desired
+time zone name.
+
+II.  Problem Description
+
+Several changes to future and past timestamps have been recorded in the IANA
+Time Zone Database after previous FreeBSD releases were released.  This
+affects many users in different parts of the world.  Because of these
+changes, the data in the zoneinfo files need to be updated.  If the local
+timezone on the running system is affected, tzsetup(8) needs to be run to
+update /etc/localtime.
+
+III. Impact
+
+An incorrect time will be displayed on a system configured to use one of the
+affected time zones if the /usr/share/zoneinfo and /etc/localtime files are
+not updated, and all applications on the system that rely on the system time,
+such as cron(8) and syslog(8), will be affected.
+
+IV.  Workaround
+
+The system administrator can install an updated version of the IANA Time Zone
+Database from the misc/zoneinfo port and run tzsetup(8).
+
+Applications that store and display times in Coordinated Universal Time (UTC)
+are not affected.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Please note that some third party software, for instance PHP, Ruby, Java,
+Perl and Python, may be using different zoneinfo data sources, in such cases
+this software must be updated separately.  Software packages that are
+installed via binary packages can be upgraded by executing 'pkg upgrade'.
+
+Following the instructions in this Errata Notice will only update the IANA
+Time Zone Database installed in /usr/share/zoneinfo.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart all the affected applications and daemons, or reboot the system.
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-23:01/tzdata-2022g.patch
+# fetch https://security.FreeBSD.org/patches/EN-23:01/tzdata-2022g.patch.asc
+# gpg --verify tzdata-2022g.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch -E < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all the affected applications and daemons, or reboot the system.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              e851e0aabdff    stable/13-n253192
+releng/13.1/                            9e3b86743c4b  releng/13.1-n250175
+stable/12/                                                        r372783
+releng/12.4/                                                      r372915
+releng/12.3/                                                      r372911
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://github.com/eggert/tz/blob/2022g/NEWS>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-23:01.tzdata.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=z60r
+-----END PGP SIGNATURE-----
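Review bot: The `Announced:` field reads `2022-02-08`, but the notice is numbered EN-23:01, its releng corrections are dated 2023-02-08, and the `errata.toml` entry added in this commit gives `date = "2023-02-08"`; the line should read `Announced:      2023-02-08`. Because the text is clearsigned, the correction has to be made in the notice source and the file re-signed, otherwise signature verification fails for readers. Step 2a, here and in the other four notices in this commit, tells readers to run `gpg --verify` on the patch signature without saying which key is expected to have made it. A one-line pointer to where the signing key's fingerprint is published would let readers confirm the signer and not only that some signature is valid.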
diff --git a/website/static/security/advisories/FreeBSD-EN-23:02.sdhci.asc b/website/static/security/advisories/FreeBSD-EN-23:02.sdhci.asc
new file mode 100644
index 0000000000..ecbdd003ef
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-23:02.sdhci.asc
@@ -0,0 +1,126 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-23:02.sdhci                                          Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          sdhci(4) broken write-protect settings
+
+Category:       core
+Module:         sdhci
+Announced:      2023-02-08
+Affects:        FreeBSD 13.1
+Corrected:      2022-03-29 22:24:27 UTC (stable/13, 13.1-STABLE)
+                2023-02-08 16:16:32023-02-08 16:16:31.1-RELEASE-p6)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The sdhci(4) driver supports PCI devices with class 8 and subclass 5
+according to the SD Host Controller Specification.  One of the devices
+supported is the Marvell Xenon SDHCI controller.
+
+II.  Problem Description
+
+The write-protect flag on Marvell Xenon SDHCI controllers was incorrectly
+handled, resulting in devices being erroneously marked as read-only.
+
+III. Impact
+
+On affected systems, SD cards cannot be written to; where an SD card is used
+as the root device, this may result in the system failing to boot.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +5min "Installing errata update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-23:02/sdhci.patch
+# fetch https://security.FreeBSD.org/patches/EN-23:02/sdhci.patch.asc
+# gpg --verify sdhci.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              693af80b7435    stable/13-n250156
+releng/13.1/                            4b31a7861af0  releng/13.1-n250176
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263928>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-23:02.sdhci.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=7hux
+-----END PGP SIGNATURE-----
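Review bot: The second `Corrected:` line is malformed as shown here: `2023-02-08 16:16:32023-02-08 16:16:31.1-RELEASE-p6)` runs two timestamps together and has lost the `UTC (releng/13.1, ` part, so the header no longer states which branch and patch level carry the fix. If the file was committed this way, the line should follow the form of the entry above it, `<timestamp> UTC (releng/13.1, 13.1-RELEASE-p6)`, with the timestamp taken from the releng/13.1 commit listed in section VI. The notice is clearsigned, so the text has to be corrected and signed again, not edited in place.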
diff --git a/website/static/security/advisories/FreeBSD-EN-23:03.ena.asc b/website/static/security/advisories/FreeBSD-EN-23:03.ena.asc
new file mode 100644
index 0000000000..0f7811c42b
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-23:03.ena.asc
@@ -0,0 +1,133 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-23:03.ena                                            Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          ena driver crash after reset in 7th gen AWS instance types
+
+Category:       core
+Module:         ena
+Announced:      2023-02-08
+Affects:        FreeBSD 13.1
+Corrected:      2022-07-26 19:30:17 UTC (stable/13, 13.2-STABLE)
+                2023-02-08 16:18:27 UTC (releng/13.1, 13.1-RELEASE-p6)
+                
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The ena(4) driver is used to access the Elastic Network Adapter network
+interface on recent Amazon Elastic Compute Cloud (EC2) instances.  It is
+designed to make full use of the EC2 cloud architecture for optimal network
+performance.
+
+Since the 4th generation of AWS instances, there are 2 modes of operation for
+the ENA device: Normal and Low Latency Queues (LLQ).  In order to leverage
+EC2's optimal network capabilities on 7th generation instance-types, LLQ is
+the default mode of operation.  Users who disable LLQ will experience
+sub-optimal performance and hence this is not recommended.
+
+II.  Problem Description
+
+The ENA driver does not properly initialize LLQ when recovering from a device
+reset. The improperly initialized LLQ leads to a performance degradation on
+6th gen instance types and to a kernel panic on 7th gen instance types.
+
+III. Impact
+
+Users with FreeBSD 13.1 using 6th generation AWS instances will suffer from
+performance degredation, and with 7th generation AWS instances will
+experience kernel panic after a device reset.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+arm64 (on FreeBSD 13 and later) platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for erratum update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-23:03/ena.patch
+# fetch https://security.FreeBSD.org/patches/EN-23:03/ena.patch.asc
+# gpg --verify ena.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              e8253e47e1dc    stable/13-n251949
+releng/13.1/                            b508850e150e  releng/13.1-n250177 
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-23:03.ena.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmPj8BUACgkQbljekB8A
+Gu+zDxAAsM4Fn6a5F0ocswNvMT8RBVxJ2YrOK9WIZdlBH9rV0ZHTOQDpTlo1Mizk
+7R+vfAps18dnnjSf2F+IGKR6u/+kR3YJAw4fzIJyRgLBC/qkjsLS+3d7yEPxbIrL
+wCB1vfMlJlS333gV0hMTq8CELwYVbqi6Rqb1D2h+L+qDjqhbLStVOHTo1gztAk1U
+bVaApXZglaNL8VdFanHYRZg+SmM+saGwOPOCO1O4oEttfwfFfDBqkkfHVtbcaVDA
+9h9qSBpV2iLueDcRzfg7Q9/9DzPE7n88pz8aCzyoaXxhXGUcgzhAfJeSpeblRL12
+dq848iI/zn8jTxO+2pqGooBw5HQHwRgw0v1rjDkj9YCKSg9D5BH3Cj60RKV8D6BC
+e7eQlOXfO6ubWcKHethxNj/zU3XpQN7CD2rfNtKkMYq6PVBWYIPTLlrIhRVPHmVs
+/EKBD2RsHdQHID7rA67V9G0/NQjfFaq5pDzaNbP7NdkhMpgzvW2boixAnyqRtTVK
+Jkxqq3MVdOIktOvRTnXHCkyxSXy67R8qmHCKwvW5omVDv7ro8oS+Vq0PvS4NN7LR
+Q0r0E/iwM4hCRSWwuKF5brC7wIeeWPExKkWjpQ3i9gOcvyXAUqo9KDpwN622s3gP
+Ar1mm82FHUNNcv2uo4WpsLT9p+30bROSU0XUvYcVQHEqazy2A3o=
+=9D+P
+-----END PGP SIGNATURE-----
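Review bot: The stable/13 entry under `Corrected:` is labelled `13.2-STABLE` for a fix dated 2022-07-26, while the other notices in this commit label stable/13 fixes from late 2022 as `13.1-STABLE`; one of the two labels is presumably wrong and should be checked against the branch at that date. Section III misspells `degradation` as `degredation`, and section VII lists no reference above the "latest revision" line, unlike the sdhci and ixgbe notices. There is also a whitespace-only line after the last `Corrected:` entry and a trailing space after `releng/13.1-n250177`. All of this is inside the clearsigned text, so it needs fixing before signing.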
diff --git a/website/static/security/advisories/FreeBSD-EN-23:04.ixgbe.asc b/website/static/security/advisories/FreeBSD-EN-23:04.ixgbe.asc
new file mode 100644
index 0000000000..0a93a5f603
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-23:04.ixgbe.asc
@@ -0,0 +1,146 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-23:04.ixgbe                                          Errata Notice
+                                                          The FreeBSD Project
+
+Topic:		ixgbe incorrectly reports input errors for 82599ES
+
+Category:       core
+Module:         ixgbe
+Announced:      2023-02-08
+Affects:        All supported versions of FreeBSD.
+Corrected:      2022-11-17 20:13:43 UTC (stable/13, 13.1-STABLE)
+                2023-02-08 16:30:38 UTC (releng/13.1, 13.1-RELEASE-p6)
+                2022-11-17 20:17:22 UTC (stable/12, 12.4-STABLE)
+                2023-02-08 18:30:24 UTC (releng/12.4, 12.4-RELEASE-p1)
+                2023-02-08 18:28:28 UTC (releng/12.3, 12.3-RELEASE-p11)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+ixgbe(4) is driver that supports multiple Intel 10Gb Ethernet cards including
+the Intel 82599.
+
+II.  Problem Description
+
+Intel 82599 hardware has errata related to IPv4 UDP frames with a zero
+checksum.  The L4 integrity error counter is incremented for such frames,
+which results in reported interface errors through utilities such as
+ifconfig(8).  This confuses users, since all frames are in fact handled
+correctly by the system.
+
+III. Impact
+
+Incorrect interface statistics are reported for affected hardware.
+
+IV.  Workaround
+
+Ignore reported interface errors.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for an erratum update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-23:04/ixgbe.patch
+# fetch https://security.FreeBSD.org/patches/EN-23:04/ixgbe.patch.asc
+# gpg --verify ixgbe.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              daf3d88ac184    stable/13-n253100
+releng/13.1/                            f3e20eb8d8f0  releng/13.1-n250178
+stable/12/                                                        r372757
+releng/12.4/                                                      r372916
+releng/12.3/                                                      r372912
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266048>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-23:04.ixgbe.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=sTJD
+-----END PGP SIGNATURE-----
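Review bot: Section I is missing an article: `ixgbe(4) is driver that supports` should read `ixgbe(4) is a driver that supports`. The `Topic:` header is separated from its value with tabs where every other header field in this notice uses spaces, so it will misalign at other tab widths; `Topic:          ixgbe incorrectly reports input errors for 82599ES` matches the rest. Both sit inside the clearsigned text and would need a re-sign.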
diff --git a/website/static/security/advisories/FreeBSD-SA-23:01.geli.asc b/website/static/security/advisories/FreeBSD-SA-23:01.geli.asc
new file mode 100644
index 0000000000..01448c87c6
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-23:01.geli.asc
@@ -0,0 +1,159 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-23:01.geli                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          GELI silently omits the keyfile if read from stdin
+
+Category:       core
+Module:         geli
+Announced:      2023-02-08
+Credits:        Nathan Dorfman <ndorf@rtfm.net>
+Affects:        All supported versions of FreeBSD.
+Corrected:      2023-02-08 18:03:19 UTC (stable/13, 13.1-STABLE)
+                2023-02-08 18:06:31 UTC (releng/13.1, 13.1-RELEASE-p6)
+                2023-02-08 18:05:45 UTC (stable/12, 12.4-STABLE)
+                2023-02-08 18:30:27 UTC (releng/12.4, 12.4-RELEASE-p1)
+                2023-02-08 18:28:31 UTC (releng/12.3, 12.3-RELEASE-p11)
+CVE Name:       CVE-2023-0751
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+GELI is a block device-layer disk encryption utility.  It uses a random
+master key to perform symmetric cryptography on sectors.  The master key is
+encrypted using a user key, which might consist of up to two components: a
+user passphrase and a key file.  The key file might be read from a file or a
+standard input.  GELI also allows to initialization of multiple devices with
+a single command.
+
+II.  Problem Description
+
+When GELI reads a key file from a standard input, it doesn't store it
+anywhere.  If the user tries to initialize multiple providers at once, for
+the second and subsequent devices the standard input stream will be already
+empty.  In this case, GELI silently uses a NULL key as the user key file.  If
+the user used only a key file without a user passphrase, the master key was
+encrypted with an empty key file.  This might not be noticed if the devices
+were also decrypted in a batch operation.
+
+III. Impact
+
+Some GELI providers might be silently encrypted with a NULL key file.
+
+IV.  Workaround
+
+On affected systems, instead of initializing GELI devices in a batch
+operation, the recommended way is to do this operation on a single provider.
+
+V.   Solution
+
+If the system already has the device initialized with a null key, the master
+key has to be encrypted:
+echo -n | geli setkey -k- -p -K /path/to/keyfile -P /dev/provider
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-23:01/geli.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:01/geli.patch.asc
+# gpg --verify geli.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              88bb08452ee3    stable/13-n254412
+releng/13.1/                            98933c7013a5  releng/13.1-n250179
+stable/12/                                                        r372910
+releng/12.4/                                                      r372917
+releng/12.3/                                                      r372913
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0751>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:01.geli.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=6d7v
+-----END PGP SIGNATURE-----
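Review bot: Section V underspecifies the remediation for providers that were already initialized: `the master key has to be encrypted` should say it has to be re-encrypted with the intended key file, and the `geli setkey` line lacks the `# ` prompt used for every other command in the advisory. The text should also state which providers to treat as affected (per section II, the second and later providers of a batch initialization that read the key file from standard input). It should add that metadata backups written when those providers were initialized still hold the master key wrapped with the empty key file, so they need replacing after re-keying. Section I has a grammar slip, `GELI also allows to initialization of multiple devices`. Step 2c tells readers to recompile the kernel although the advisory describes the defect in how the geli utility reads standard input; if the patch, which is not shown in this hunk, touches only userland, the rebuild instructions should say so.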
diff --git a/website/static/security/patches/EN-23:01/tzdata-2022g.patch b/website/static/security/patches/EN-23:01/tzdata-2022g.patch
new file mode 100644
index 0000000000..ed664ab22d
--- /dev/null
+++ b/website/static/security/patches/EN-23:01/tzdata-2022g.patch
@@ -0,0 +1,804 @@
+--- contrib/tzdata/Makefile.orig
++++ contrib/tzdata/Makefile
+@@ -196,6 +196,7 @@
+ UTF8_LOCALE=	en_US.utf8
+ 
+ # Non-default libraries needed to link.
++# On some hosts, this should have -lintl unless CFLAGS has -DHAVE_GETTEXT=0.
+ LDLIBS=
+ 
+ # Add the following to the end of the "CFLAGS=" line as needed to override
+@@ -208,14 +209,18 @@
+ #	For example, N is 252460800 on AmigaOS.
+ #  -DHAVE_DECL_ASCTIME_R=0 if <time.h> does not declare asctime_r
+ #  -DHAVE_DECL_ENVIRON if <unistd.h> declares 'environ'
++#  -DHAVE_DECL_TIMEGM=0 if <time.h> does not declare timegm
+ #  -DHAVE_DIRECT_H if mkdir needs <direct.h> (MS-Windows)
+-#  -DHAVE_GENERIC=0 if _Generic does not work
+-#  -DHAVE_GETRANDOM if getgrandom works (e.g., GNU/Linux)*
+-#  -DHAVE_GETTEXT if 'gettext' works (e.g., GNU/Linux, FreeBSD, Solaris)*
++#  -DHAVE_GENERIC=0 if _Generic does not work*
++#  -DHAVE_GETRANDOM if getrandom works (e.g., GNU/Linux),
++#	-DHAVE_GETRANDOM=0 to avoid using getrandom
++#  -DHAVE_GETTEXT if gettext works (e.g., GNU/Linux, FreeBSD, Solaris),
++#	where LDLIBS also needs to contain -lintl on some hosts;
++#	-DHAVE_GETTEXT=0 to avoid using gettext
+ #  -DHAVE_INCOMPATIBLE_CTIME_R if your system's time.h declares
+ #	ctime_r and asctime_r incompatibly with the POSIX standard
+ #	(Solaris when _POSIX_PTHREAD_SEMANTICS is not defined).
+-#  -DHAVE_INTTYPES_H if you have a non-C99 compiler with <inttypes.h>
++#  -DHAVE_INTTYPES_H=0 if <inttypes.h> does not work*
+ #  -DHAVE_LINK=0 if your system lacks a link function
+ #  -DHAVE_LOCALTIME_R=0 if your system lacks a localtime_r function
+ #  -DHAVE_LOCALTIME_RZ=0 if you do not want zdump to use localtime_rz
+@@ -225,15 +230,17 @@
+ #	functions like 'link' or variables like 'tzname' required by POSIX
+ #  -DHAVE_SETENV=0 if your system lacks the setenv function
+ #  -DHAVE_SNPRINTF=0 if your system lacks the snprintf function
+-#  -DHAVE_STDINT_H if you have a non-C99 compiler with <stdint.h>*
++#  -DHAVE_STDCKDINT_H=0 if neither <stdckdint.h> nor substitutes like
++#	__builtin_add_overflow work*
++#  -DHAVE_STDINT_H=0 if <stdint.h> does not work*
+ #  -DHAVE_STRFTIME_L if <time.h> declares locale_t and strftime_l
+ #  -DHAVE_STRDUP=0 if your system lacks the strdup function
+ #  -DHAVE_STRTOLL=0 if your system lacks the strtoll function
+ #  -DHAVE_SYMLINK=0 if your system lacks the symlink function
+-#  -DHAVE_SYS_STAT_H=0 if your compiler lacks a <sys/stat.h>*
++#  -DHAVE_SYS_STAT_H=0 if <sys/stat.h> does not work*
+ #  -DHAVE_TZSET=0 if your system lacks a tzset function
+-#  -DHAVE_UNISTD_H=0 if your compiler lacks a <unistd.h>*
+-#  -DHAVE_UTMPX_H=0 if your compiler lacks a <utmpx.h>*
++#  -DHAVE_UNISTD_H=0 if <unistd.h> does not work*
++#  -DHAVE_UTMPX_H=0 if <utmpx.h> does not work*
+ #  -Dlocale_t=XXX if your system uses XXX instead of locale_t
+ #  -DRESERVE_STD_EXT_IDS if your platform reserves standard identifiers
+ #	with external linkage, e.g., applications cannot define 'localtime'.
+@@ -280,7 +287,7 @@
+   -Wdeclaration-after-statement -Wdouble-promotion \
+   -Wduplicated-branches -Wduplicated-cond \
+   -Wformat=2 -Wformat-overflow=2 -Wformat-signedness -Wformat-truncation \
+-  -Winit-self -Wlogical-op \
++  -Wimplicit-fallthrough=5 -Winit-self -Wlogical-op \
+   -Wmissing-declarations -Wmissing-prototypes -Wnested-externs \
+   -Wnull-dereference \
+   -Wold-style-definition -Woverlength-strings -Wpointer-arith \
+@@ -293,7 +300,7 @@
+   -Wtrampolines -Wundef -Wuninitialized -Wunused-macros -Wuse-after-free=3 \
+   -Wvariadic-macros -Wvla -Wwrite-strings \
+   -Wno-address -Wno-format-nonliteral -Wno-sign-compare \
+-  -Wno-type-limits -Wno-unused-parameter
++  -Wno-type-limits
+ #
+ # If your system has a "GMT offset" field in its "struct tm"s
+ # (or if you decide to add such a field in your system's "time.h" file),
+@@ -340,14 +347,11 @@
+ # If you want functions that were inspired by early versions of X3J11's work,
+ # add
+ #	-DSTD_INSPIRED
+-# to the end of the "CFLAGS=" line.  This arranges for the functions
+-# "offtime", "timelocal", "timegm", "timeoff",
+-# "posix2time", and "time2posix" to be added to the time conversion library.
++# to the end of the "CFLAGS=" line.  This arranges for the following
++# functions to be added to the time conversion library.
+ # "offtime" is like "gmtime" except that it accepts a second (long) argument
+ # that gives an offset to add to the time_t when converting it.
+ # "timelocal" is equivalent to "mktime".
+-# "timegm" is like "timelocal" except that it turns a struct tm into
+-# a time_t using UT (rather than local time as "timelocal" does).
+ # "timeoff" is like "timegm" except that it accepts a second (long) argument
+ # that gives an offset to use when converting to a time_t.
+ # "posix2time" and "time2posix" are described in an included manual page.
+@@ -495,6 +499,11 @@
+ # Flags to give 'gzip' when making a distribution.
+ GZIPFLAGS=	-9n
+ 
++# When comparing .tzs files, use GNU diff's -F'^TZ=' option if supported.
++# This makes it easier to see which Zone has been affected.
++DIFF_TZS=	 diff -u$$(! diff -u -F'^TZ=' - - <>/dev/null >&0 2>&1 \
++			   || echo ' -F^TZ=')
++
+ ###############################################################################
+ 
+ #MAKE=		make
+@@ -773,7 +782,8 @@
+ 		chmod +x $@.out
+ 		mv $@.out $@
+ 
+-check:		check_character_set check_white_space check_links \
++check: check_back check_mild
++check_mild:	check_character_set check_white_space check_links \
+ 		  check_name_lengths check_slashed_abbrs check_sorted \
+ 		  check_tables check_web check_ziguard check_zishrink check_tzs
+ 
+@@ -824,16 +834,19 @@
+ CHECK_CC_LIST = { n = split($$1,a,/,/); for (i=2; i<=n; i++) print a[1], a[i]; }
+ 
+ check_sorted: backward backzone iso3166.tab zone.tab zone1970.tab
+-		$(AWK) '/^Link/ {printf "%.5d %s\n", g, $$3} /^$$/ {g++}' \
++		$(AWK) '/^Link/ {printf "%.5d %s\n", g, $$3} !/./ {g++}' \
+ 		  backward | LC_ALL=C sort -cu
+ 		$(AWK) '/^Zone/ {print $$2}' backzone | LC_ALL=C sort -cu
+ 		touch $@
+ 
+-check_links:	checklinks.awk $(TDATA_TO_CHECK) tzdata.zi
++check_back:	checklinks.awk $(TDATA_TO_CHECK)
+ 		$(AWK) \
+ 		  -v DATAFORM=$(DATAFORM) \
+ 		  -v backcheck=backward \
+ 		  -f checklinks.awk $(TDATA_TO_CHECK)
++		touch $@
++
++check_links:	checklinks.awk tzdata.zi
+ 		$(AWK) \
+ 		  -v DATAFORM=$(DATAFORM) \
+ 		  -f checklinks.awk tzdata.zi
+@@ -849,7 +862,7 @@
+ 
+ check_tzs:	$(TZS) $(TZS_NEW)
+ 		if test -s $(TZS); then \
*** 1133 LINES SKIPPED ***