git: 34e274ecb6 - main - Add EN-23:09 through EN-23:11, SA-23:10 and SA-23:11.

From: Gordon Tetlow <gordon_at_FreeBSD.org>
Date: Wed, 06 Sep 2023 18:09:32 UTC
The branch main has been updated by gordon:

URL: https://cgit.FreeBSD.org/doc/commit/?id=34e274ecb61085e2a699f1ddbe0c6a37b6d7489a

commit 34e274ecb61085e2a699f1ddbe0c6a37b6d7489a
Author:     Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2023-09-06 18:08:43 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2023-09-06 18:08:43 +0000

    Add EN-23:09 through EN-23:11, SA-23:10 and SA-23:11.
    
    Approved by:    so
---
 website/data/security/advisories.toml              |    8 +
 website/data/security/errata.toml                  |   12 +
 .../advisories/FreeBSD-EN-23:09.freebsd-update.asc |  127 ++
 .../security/advisories/FreeBSD-EN-23:10.pci.asc   |  129 ++
 .../advisories/FreeBSD-EN-23:11.caroot.asc         |  125 ++
 .../security/advisories/FreeBSD-SA-23:10.pf.asc    |  164 ++
 .../security/advisories/FreeBSD-SA-23:11.wifi.asc  |  153 ++
 .../security/patches/EN-23:09/freebsd-update.patch |   54 +
 .../patches/EN-23:09/freebsd-update.patch.asc      |   16 +
 website/static/security/patches/EN-23:10/pci.patch |   56 +
 .../static/security/patches/EN-23:10/pci.patch.asc |   16 +
 .../static/security/patches/EN-23:11/caroot.patch  | 2119 ++++++++++++++++++++
 .../security/patches/EN-23:11/caroot.patch.asc     |   16 +
 .../static/security/patches/SA-23:10/pf.12.patch   |   29 +
 .../security/patches/SA-23:10/pf.12.patch.asc      |   16 +
 .../static/security/patches/SA-23:10/pf.13.patch   |   29 +
 .../security/patches/SA-23:10/pf.13.patch.asc      |   16 +
 .../static/security/patches/SA-23:11/wifi.patch    |   34 +
 .../security/patches/SA-23:11/wifi.patch.asc       |   16 +
 19 files changed, 3135 insertions(+)

diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index 2d5b3077f7..9fb568085e 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -1,6 +1,14 @@
 # Sort advisories by year, month and day
 # $FreeBSD$
 
+[[advisories]]
+name = "FreeBSD-SA-23:11.wifi"
+date = "2023-09-06"
+
+[[advisories]]
+name = "FreeBSD-SA-23:10.pf"
+date = "2023-09-06"
+
 [[advisories]]
 name = "FreeBSD-SA-23:09.pam_krb5"
 date = "2023-08-01"
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index 0fccd5baf3..b9b5b054e0 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,18 @@
 # Sort errata notices by year, month and day
 # $FreeBSD$
 
+[[notices]]
+name = "FreeBSD-EN-23:11.caroot"
+date = "2023-09-06"
+
+[[notices]]
+name = "FreeBSD-EN-23:10.pci"
+date = "2023-09-06"
+
+[[notices]]
+name = "FreeBSD-EN-23:09.freebsd-update"
+date = "2023-09-06"
+
 [[notices]]
 name = "FreeBSD-EN-23:08.vnet"
 date = "2023-08-01"
diff --git a/website/static/security/advisories/FreeBSD-EN-23:09.freebsd-update.asc b/website/static/security/advisories/FreeBSD-EN-23:09.freebsd-update.asc
new file mode 100644
index 0000000000..9f2d14fb2b
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-23:09.freebsd-update.asc
@@ -0,0 +1,127 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-23:09.freebsd-update                                 Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          freebsd-update incorrectly merges files on upgrade
+
+Category:       core
+Module:         freebsd-update
+Announced:      2023-09-06
+Affects:        FreeBSD 13.2
+Corrected:      2023-05-16 21:34:10 UTC (stable/13, 13.2-STABLE)
+                2023-09-06 16:56:24 UTC (releng/13.2, 13.2-RELEASE-p3)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+freebsd-update provides binary updates for supported releases of FreeBSD on
+amd64, arm64, and i386.
+
+II.  Problem Description
+
+freebsd-update incorrectly deleted files in /etc/ in the event the file to be
+updated matched the new release and was different than the old release.  This
+has not been an issue previously because the $FreeBSD$ tag expansion from
+subversion virtually guaranteed the existing file was going to be different
+from the new release. With the conversion to git in the 13.x releases,
+$FreeBSD$ is no longer expanded, making it much more likely that a file would
+find this issue.
+
+III. Impact
+
+Unmodified files in /etc/ may be deleted on running freebsd-update upgrade.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-23:09/freebsd-update.patch
+# fetch https://security.FreeBSD.org/patches/EN-23:09/freebsd-update.patch.asc
+# gpg --verify freebsd-update.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              866e5c6b3ce7    stable/13-n255386
+releng/13.2/                            0b39d9de2e71  releng/13.2-n254628
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://reviews.freebsd.org/D39973>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-23:09.freebsd-update.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=GZ0v
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-23:10.pci.asc b/website/static/security/advisories/FreeBSD-EN-23:10.pci.asc
new file mode 100644
index 0000000000..3755634e2d
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-23:10.pci.asc
@@ -0,0 +1,129 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-23:10.pci                                            Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          PCI-e hot-plug is broken with certain devices
+
+Category:       core
+Module:         pci
+Announced:      2023-09-06
+Affects:        FreeBSD 13.2
+Corrected:      2023-06-28 01:32:47 UTC (stable/13, 13.2-STABLE)
+                2023-09-06 16:57:02 UTC (releng/13.2, 13.2-RELEASE-p3)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+FreeBSD's pcib(4) PCI-e bridge driver implements support for hot-plugging PCIe
+devices.  When attaching to a hot-plug-capable slot, the pcib(4) driver
+allocates a MSI or MSI-X vector used to trigger handling of hot-plug
+events.
+
+II.  Problem Description
+
+The code which allocated the hot-plug interrupt did not allocate MSI-X
+vectors properly.  When attaching to devices which support only MSI-X
+messages, the interrupt would not be allocated.
+
+III. Impact
+
+PCIe hot-plug would fail to work for certain devices.  In particular,
+this affects certain Amazon EC2 instance types which require functional
+hot-plug support in order to attach network devices.
+
+IV.  Workaround
+
+No workaround is available for affected devices.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for an erratum update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-23:10/pci.patch
+# fetch https://security.FreeBSD.org/patches/EN-23:10/pci.patch.asc
+# gpg --verify pci.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              12ce57e6d3e7    stable/13-n255700
+releng/13.2/                            e80d2d894ff1  releng/13.2-n254629
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://reviews.freebsd.org/D40581>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-23:10.pci.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=N9UQ
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-23:11.caroot.asc b/website/static/security/advisories/FreeBSD-EN-23:11.caroot.asc
new file mode 100644
index 0000000000..1deee71eb8
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-23:11.caroot.asc
@@ -0,0 +1,125 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-23:11.caroot                                         Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Root certificate bundle update
+
+Category:       core
+Module:         caroot
+Announced:      2023-09-06
+Affects:        FreeBSD 13.2
+Corrected:      2023-07-11 15:05:57 UTC (stable/13, 13.2-STABLE)
+                2023-09-06 16:57:41 UTC (releng/13.2, 13.2-RELEASE-p3)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The root certificate bundle is the trust store that is used by OpenSSL
+programs and libraries to aid in determining whether it should trust a given
+TLS certificate.
+
+II.  Problem Description
+
+Several certificates were added to the bundle after the latest release of
+FreeBSD 13.2.
+
+III. Impact
+
+TLS connections using the missing root certificates as a trust anchor would
+not be trusted causing an error.
+
+IV.  Workaround
+
+No workaround is available. Software that uses an internal trust store is not
+affected.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-23:11/caroot.patch
+# fetch https://security.FreeBSD.org/patches/EN-23:11/caroot.patch.asc
+# gpg --verify caroot.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use OpenSSL, or reboot the system.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              565712db0dfa    stable/13-n255804
+releng/13.2/                            902c13c4cf68  releng/13.2-n254630
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-23:11.caroot.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=QFAS
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-23:10.pf.asc b/website/static/security/advisories/FreeBSD-SA-23:10.pf.asc
new file mode 100644
index 0000000000..cefc0c5999
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-23:10.pf.asc
@@ -0,0 +1,164 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-23:10.pf                                         Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          pf incorrectly handles multiple IPv6 fragment headers
+
+Category:       core
+Module:         pf
+Announced:      2023-09-06
+Credits:        Enrico Bassetti bassetti@di.uniroma1.it
+                (NetSecurityLab @ Sapienza University of Rome)
+Affects:        All supported versions of FreeBSD.
+Corrected:      2023-08-04 14:08:05 UTC (stable/13, 13.2-STABLE)
+                2023-09-06 16:58:39 UTC (releng/13.2, 13.2-RELEASE-p3)
+                2023-08-04 14:14:08 UTC (stable/12, 12.4-STABLE)
+                2023-09-06 17:38:31 UTC (releng/12.4, 12.4-RELEASE-p5)
+CVE Name:       CVE-2023-4809
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+pf is an Internet Protocol packet filter originally written for OpenBSD.
+pf can reassemble fragmented IPv6 packets in order to apply rules on the
+reassembled packet. This allows pf to filter based on the upper layer
+protocol (e.g. TCP, UDP) information.
+
+IPv6 packets may be fragmented by the originating node, and will then contain
+a fragment extension header.  An IPv6 packet will normally contain only one
+fragment extension header.
+
+
+II.  Problem Description
+
+With a 'scrub fragment reassemble' rule, a packet containing multiple IPv6
+fragment headers would be reassembled, and then immediately processed.  That
+is, a packet with multiple fragment extension headers would not be recognized
+as the correct ultimate payload. Instead a packet with multiple IPv6 fragment
+headers would unexpectedly be interpreted as a fragmented packet, rather than
+as whatever the real payload is.
+
+III. Impact
+
+IPv6 fragments may bypass firewall rules written on the assumption all
+fragments have been reassembled and, as a result, be forwarded or processed
+by the host.
+
+IV.  Workaround
+
+No workaround is available but systems not using the pf firewall are not
+affected.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.2]
+# fetch https://security.FreeBSD.org/patches/SA-23:10/pf.13.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:10/pf.13.patch.asc
+# gpg --verify pf.13.patch.asc
+
+[FreeBSD 12.4]
+# fetch https://security.FreeBSD.org/patches/SA-23:10/pf.12.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:10/pf.12.patch.asc
+# gpg --verify pf.12.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              3a0461f23a4f    stable/13-n255953
+releng/13.2/                            41b7760991ef  releng/13.2-n254631
+stable/12/                                                        r373157
+releng/12.4/                                                      r373186
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4809>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:10.pf.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmT4vykACgkQbljekB8A
+Gu9Mow//ZodkaAf0AGC2T+CSDco592Mq7+T8V5YyqIZxGXRn55sFuVKS8cQ8a0cT
+DJ98QV0ht0WITYrBPGbllzVvT4w3bos1U0SB2z3tPjrbfNL8vaXgVl/Du3KZaPAs
+0h4fNR/R3b6XzHgFhqYKG8Q7/u21fLmwu9HpYHQ7nplWg2mS2uQeuTMtr+uoOBS2
+XPc/FpYtL2VXO2aEY3K1A/QCY6lBRxqKTTEi01j9gnyuK4L3QoLWqDdrAKM3RoDc
+wmstnn/KQAJkeMnmIOmDh0GdnAVdVyPBdI0KM86pz5L0AT0uQib0sal0yj72kCsg
+oi6flocqESDNzYPgh/nZEjCHzcRhGWxcsjhTzjBQSTW/HSarQ+wbZuIpUlUQG3A6
+oEhRBj201t4+FUSwCQfr5QdivxwtMHHJYSXqo4nyD3AsRQ2HTnFNcqq26h+bgjhR
+HmdBvffQ5lQUrtDKDb4XXr8RLFbk2RmjeD/zZfb1zhezSmJi4cD6LrClxer5aRFo
+djoqVwjzKsg/9gLaDqr/UDObF6Ke6hs03yTs1Hjrp/DV29wWjJ8NKShezIEJOPTm
+lgK+jhcEbs5vR4woG3vll7Jfaz7W8vniM9cOz/7bvWOp924cHMmwWFod4DMVf9ry
+USB3v/ClFl5caJnoYYwKiIfc/EyYrprTvMLcO6yzDkhWUlaws88=
+=bpCy
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-23:11.wifi.asc b/website/static/security/advisories/FreeBSD-SA-23:11.wifi.asc
new file mode 100644
index 0000000000..8cb94c6316
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-23:11.wifi.asc
@@ -0,0 +1,153 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-23:11.wifi                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Wi-Fi encryption bypass
+
+Category:       core
+Module:         net80211
+Announced:      2023-09-06
+Credits:        See the paper linked in the References section.
+Affects:        All supported versions of FreeBSD.
+Corrected:      2023-06-26 12:02:00 UTC (stable/13, 13.2-STABLE)
+                2023-09-06 17:13:25 UTC (releng/13.2, 13.2-RELEASE-p3)
+                2023-06-26 12:30:23 UTC (stable/12, 12.4-STABLE)
+                2023-09-06 17:38:34 UTC (releng/12.4, 12.4-RELEASE-p5)
+CVE Name:       CVE-2022-47522
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+FreeBSD's net80211 kernel subsystem provides infrastructure and drivers
+for IEEE 802.11 wireless (Wi-Fi) communications.  Wi-Fi communications rely
+on both unicast and multicast keys to secure transmissions.
+
+II.  Problem Description
+
+The net80211 subsystem would fallback to the multicast key for unicast
+traffic in the event the unicast key was removed.  This would result in
+buffered unicast traffic being exposed to any stations with access to the
+multicast key.
+
+III. Impact
+
+As described in the "Framing Frames: Bypassing Wi-Fi Encryption by
+Manipulating Transmit Queues" paper, an attacker can induce an access point
+to buffer frames for a client, deauthenticate the client (causing the unicast
+key to be removed from the access point), and subsequent flushing of the
+buffered frames now encrypted with the multicast key.  This would give the
+attacker access to the data.
+
+IV.  Workaround
+
+No workaround is available.  Systems not using Wi-Fi are not affected.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date
+and reboot
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-23:11/wifi.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:11/wifi.patch.asc
+# gpg --verify wifi.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              6c9bcecfb296    stable/13-n255680
+releng/13.2/                            7f34ee7cc56b  releng/13.2-n254632
+stable/12/                                                        r373115
+releng/12.4/                                                      r373187
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://papers.mathyvanhoef.com/usenix2023-wifi.pdf>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47522>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:11.wifi.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=lSpK
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-23:09/freebsd-update.patch b/website/static/security/patches/EN-23:09/freebsd-update.patch
new file mode 100644
index 0000000000..93d95df184
--- /dev/null
+++ b/website/static/security/patches/EN-23:09/freebsd-update.patch
@@ -0,0 +1,54 @@
+--- usr.sbin/freebsd-update/freebsd-update.sh.orig
++++ usr.sbin/freebsd-update/freebsd-update.sh
+@@ -1677,11 +1677,12 @@
+ 	echo "done."
+ }
+ 
+-# For any paths matching ${MERGECHANGES}, compare $1 and $2 and find any
+-# files which differ; generate $3 containing these paths and the old hashes.
++# For any paths matching ${MERGECHANGES}, compare $2 against $1 and $3 and
++# find any files with values unique to $2; generate $4 containing these paths
++# and their corresponding hashes from $1.
+ fetch_filter_mergechanges () {
+ 	# Pull out the paths and hashes of the files matching ${MERGECHANGES}.
+-	for F in $1 $2; do
++	for F in $1 $2 $3; do
+ 		for X in ${MERGECHANGES}; do
+ 			grep -E "^${X}" ${F}
+ 		done |
+@@ -1689,9 +1690,10 @@
+ 		    sort > ${F}-values
+ 	done
+ 
+-	# Any line in $2-values which doesn't appear in $1-values and is a
+-	# file means that we should list the path in $3.
+-	comm -13 $1-values $2-values |
++	# Any line in $2-values which doesn't appear in $1-values or $3-values
++	# and is a file means that we should list the path in $3.
++	sort $1-values $3-values |
++	    comm -13 - $2-values |
+ 	    fgrep '|f|' |
+ 	    cut -f 1 -d '|' > $2-paths
+ 
+@@ -1703,10 +1705,10 @@
+ 	while read X; do
+ 		look "${X}|" $1-values |
+ 		    head -1
+-	done < $2-paths > $3
++	done < $2-paths > $4
+ 
+ 	# Clean up
+-	rm $1-values $2-values $2-paths
++	rm $1-values $2-values $3-values $2-paths
+ }
+ 
+ # For any paths matching ${UPDATEIFUNMODIFIED}, remove lines from $[123]
+@@ -2711,7 +2713,7 @@
+ 
+ 	# Based on ${MERGECHANGES}, generate a file tomerge-old with the
+ 	# paths and hashes of old versions of files to merge.
+-	fetch_filter_mergechanges INDEX-OLD INDEX-PRESENT tomerge-old
++	fetch_filter_mergechanges INDEX-OLD INDEX-PRESENT INDEX-NEW tomerge-old
+ 
+ 	# Based on ${UPDATEIFUNMODIFIED}, remove lines from INDEX-* which
+ 	# correspond to lines in INDEX-PRESENT with hashes not appearing
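Review bot: The rewritten comment above the `sort ... | comm -13 - $2-values` pipeline still says the path should be listed in `$3`, but after this change `$3` is the third input index (its `$3-values` file is read by `sort`) and the result is written to `$4` by the `done < $2-paths > $4` redirect. The second comment line should read `# and is a file means that we should list the path in $4.` so that it agrees with the updated header comment of fetch_filter_mergechanges. The function and its caller are shown only in part, because the inner patch carries just a few lines of context around each change.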
diff --git a/website/static/security/patches/EN-23:09/freebsd-update.patch.asc b/website/static/security/patches/EN-23:09/freebsd-update.patch.asc
new file mode 100644
index 0000000000..07b47b9f48
--- /dev/null
+++ b/website/static/security/patches/EN-23:09/freebsd-update.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmT4vyQACgkQbljekB8A
+Gu/mfw/+P21XhWB3J4i1xlC/yhpChzjAm6ok7e3nfE/HqdkaxD0GcI/F2sqB1tkS
+8YA/wTqTmP9YZGIiFhPcgLJj9+s4YLVq+iITgTDpdlDUcN6WA2KdKOYJRWhWKCfY
+6R6LkBb6qk/iDzWiplomoTjfe5u+lmgFuIfswflxEwVk11a+KgEnQw5A1tR3AqQM
+3jTOEtbZUpUegFK5RXKMaK925fCfOOvHOaQLr/RIeyRxe6LQ/ie1soJtHu3mdVTU
+UZinDH9epGthFWs8SWG3GC91sgjLNNrpNMsuYDZjJZpCKJN/m9tQgy06zdCC2UdQ
+jmfvXQok9OYIjNd3X3ZoIHfiKw5zMi5Q+SdyvYHeGKCzGgFt/2CbAm2BW3Baq70B
+qpD2mCwatFAmn7rUhhvFK4R3GrraKiUMHBCTeliVf0ta4ol4isbVwNpZTC+Q8rWb
+YbKQeg2/DyYaHfQrrLn8GFRt7HdqHX5ibdYXE7mbXAJejbGwC8LxdmQ1ulycF8HX
+p7cHzu1aVEE3ApF/uvcT45od4uHGnypEPYQFAM35S0KEdrC2ELh7x7a7LipHnqda
+3C9HdmobZQx0rcoVQRIxitPal2x/oNTCU0w1sF0Dl5ipj0zjtoKPPe0EMftfypZq
+b0mmVXgTtoXahN3wQNPJtRrYWEEOp+7xiRfyMBpXxn331bOgSco=
+=eI/L
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-23:10/pci.patch b/website/static/security/patches/EN-23:10/pci.patch
new file mode 100644
index 0000000000..9134ccf09e
--- /dev/null
+++ b/website/static/security/patches/EN-23:10/pci.patch
@@ -0,0 +1,56 @@
+--- sys/dev/pci/pci_pci.c.orig
++++ sys/dev/pci/pci_pci.c
+@@ -1324,7 +1324,7 @@
+ pcib_alloc_pcie_irq(struct pcib_softc *sc)
+ {
+ 	device_t dev;
+-	int count, error, rid;
++	int count, error, mem_rid, rid;
+ 
+ 	rid = -1;
+ 	dev = sc->dev;
+@@ -1336,9 +1336,17 @@
+ 	 */
+ 	count = pci_msix_count(dev);
+ 	if (count == 1) {
+-		error = pci_alloc_msix(dev, &count);
+-		if (error == 0)
+-			rid = 1;
++		mem_rid = pci_msix_table_bar(dev);
++		sc->pcie_mem = bus_alloc_resource_any(dev, SYS_RES_MEMORY,
++		    &mem_rid, RF_ACTIVE);
++		if (sc->pcie_mem == NULL) {
++			device_printf(dev,
++			    "Failed to allocate BAR for MSI-X table\n");
++		} else {
++			error = pci_alloc_msix(dev, &count);
++			if (error == 0)
++				rid = 1;
++		}
+ 	}
+ 
+ 	if (rid < 0 && pci_msi_count(dev) > 0) {
+@@ -1386,7 +1394,12 @@
+ 	error = bus_free_resource(dev, SYS_RES_IRQ, sc->pcie_irq);
+ 	if (error)
+ 		return (error);
+-	return (pci_release_msi(dev));
++	error = pci_release_msi(dev);
++	if (error)
++		return (error);
++	if (sc->pcie_mem != NULL)
++		error = bus_free_resource(dev, SYS_RES_MEMORY, sc->pcie_mem);
++	return (error);
+ }
+ 
+ static void
+--- sys/dev/pci/pcib_private.h.orig
++++ sys/dev/pci/pcib_private.h
+@@ -134,6 +134,7 @@
+     uint16_t	pcie_link_sta;
+     uint16_t	pcie_slot_sta;
+     uint32_t	pcie_slot_cap;
++    struct resource *pcie_mem;
+     struct resource *pcie_irq;
+     void	*pcie_ihand;
+     struct task	pcie_hp_task;
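Review bot: In pcib_alloc_pcie_irq, when `pci_alloc_msix()` fails after the BAR was allocated, `sc->pcie_mem` stays allocated and non-NULL while the code falls through to the MSI path, and the added branch shows no release for that case. Consider `else { bus_free_resource(dev, SYS_RES_MEMORY, sc->pcie_mem); sc->pcie_mem = NULL; }` after the `if (error == 0)` test. In the release path, the early `return (error)` after `pci_release_msi(dev)` skips the BAR release, and the pointer is not reset once freed; adding `sc->pcie_mem = NULL;` after a successful `bus_free_resource()` would keep a later attach from seeing a stale value. Both function bodies continue outside the visible context, so later error paths may already cover part of this.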
diff --git a/website/static/security/patches/EN-23:10/pci.patch.asc b/website/static/security/patches/EN-23:10/pci.patch.asc
new file mode 100644
index 0000000000..95e2a11ba2
--- /dev/null
+++ b/website/static/security/patches/EN-23:10/pci.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=9LPI
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-23:11/caroot.patch b/website/static/security/patches/EN-23:11/caroot.patch
new file mode 100644
index 0000000000..bcac9d1cf1
--- /dev/null
+++ b/website/static/security/patches/EN-23:11/caroot.patch
@@ -0,0 +1,2119 @@
+--- /dev/null
++++ secure/caroot/trusted/BJCA_Global_Root_CA1.pem
+@@ -0,0 +1,135 @@
++##
++##  BJCA Global Root CA1
++##
++##  This is a single X.509 certificate for a public Certificate
++##  Authority (CA). It was automatically extracted from Mozilla's
++##  root CA list (the file `certdata.txt' in security/nss).
*** 2308 LINES SKIPPED ***