git: d1a54e045f - main - Actually add the SA/EN texts.

From: Gordon Tetlow <gordon_at_FreeBSD.org>
Date: Wed, 14 Feb 2024 06:57:45 UTC
The branch main has been updated by gordon:

URL: https://cgit.FreeBSD.org/doc/commit/?id=d1a54e045f3f9fcab5b4effede7b76ad17800cb3

commit d1a54e045f3f9fcab5b4effede7b76ad17800cb3
Author:     Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2024-02-14 06:56:56 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2024-02-14 06:56:56 +0000

    Actually add the SA/EN texts.
    
    Approved by:    so
---
 .../advisories/FreeBSD-EN-24:01.tzdata.asc         |  191 ++
 .../advisories/FreeBSD-EN-24:02.libutil.asc        |  169 ++
 .../advisories/FreeBSD-EN-24:03.kqueue.asc         |  131 +
 .../security/advisories/FreeBSD-EN-24:04.ip.asc    |  130 +
 .../advisories/FreeBSD-SA-24:01.bhyveload.asc      |  140 +
 .../security/advisories/FreeBSD-SA-24:02.tty.asc   |  137 +
 .../security/patches/EN-24:01/tzdata-2024a.patch   | 2927 ++++++++++++++++++++
 .../patches/EN-24:01/tzdata-2024a.patch.asc        |   16 +
 .../static/security/patches/EN-24:02/libutil.patch |   11 +
 .../security/patches/EN-24:02/libutil.patch.asc    |   16 +
 .../static/security/patches/EN-24:03/kqueue.patch  |   13 +
 .../security/patches/EN-24:03/kqueue.patch.asc     |   16 +
 website/static/security/patches/EN-24:04/ip.patch  |  150 +
 .../static/security/patches/EN-24:04/ip.patch.asc  |   16 +
 .../security/patches/SA-24:01/bhyveload-13.2.patch |  137 +
 .../patches/SA-24:01/bhyveload-13.2.patch.asc      |   16 +
 .../security/patches/SA-24:01/bhyveload-14.0.patch |  129 +
 .../patches/SA-24:01/bhyveload-14.0.patch.asc      |   16 +
 website/static/security/patches/SA-24:02/tty.patch |   55 +
 .../static/security/patches/SA-24:02/tty.patch.asc |   16 +
 20 files changed, 4432 insertions(+)

diff --git a/website/static/security/advisories/FreeBSD-EN-24:01.tzdata.asc b/website/static/security/advisories/FreeBSD-EN-24:01.tzdata.asc
new file mode 100644
index 0000000000..91d9cb0447
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-24:01.tzdata.asc
@@ -0,0 +1,191 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-24:01.tzdata                                         Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Timezone database information update
+
+Category:       contrib
+Module:         zoneinfo
+Announced:      2024-02-14
+Affects:        All supported versions of FreeBSD
+Corrected:      2024-02-05 00:30:01 UTC (stable/14, 14.0-STABLE)
+                2024-02-14 06:21:06 UTC (releng/14.0, 14.0-RELEASE-p5)
+                2024-02-05 00:30:42 UTC (stable/13, 13.2-STABLE)
+                2024-02-14 06:27:47 UTC (releng/13.2, 13.2-RELEASE-p10)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The IANA Time Zone Database (often called tz or zoneinfo) contains code and
+data that represent the history of local time for many representative
+locations around the globe.  It is updated periodically to reflect changes
+made by political bodies to time zone boundaries, UTC offsets, and
+daylight-saving rules.
+
+Leap seconds are occasional adjustments added to -- or potentially subtracted
+from -- Coordinated Universal Time (UTC).  An authoritative list of leap
+second adjustments is maintained by the International Earth Rotation and
+Reference Systems Service (IERS).
+
+FreeBSD releases install the IANA Time Zone Database in /usr/share/zoneinfo.
+The tzsetup(8) utility allows the user to specify the default local time
+zone.  Based on the selected time zone, tzsetup(8) copies one of the files
+from /usr/share/zoneinfo to /etc/localtime.  A time zone may also be selected
+for an individual process by setting its TZ environment variable to a desired
+time zone name.
+
+The latest list of leap seconds at the time of release is installed on FreeBSD
+in /var/db/ntpd.leap-seconds.list.  The startup rc(8) scripts of the ntpd(8)
+Network Time Protocol implementation included in the FreeBSD base system can
+periodically download an updated leap-seconds.list file from configurable
+internet sites.
+
+II.  Problem Description
+
+Several changes to future and past timestamps have been recorded in the IANA
+Time Zone Database after previous FreeBSD releases were released.  This
+affects many users in different parts of the world.  Because of these
+changes, the data in the zoneinfo files need to be updated.  If the local
+timezone on the running system is affected, tzsetup(8) needs to be run to
+update /etc/localtime.
+
+In the default configuration, the ntpd(8) startup script included with FreeBSD
+checks for an updated leap-seconds.list on the IETF's web server.  As of 2023,
+the IETF no longer distributes a copy of this file.
+
+III. Impact
+
+An incorrect time will be displayed on a system configured to use one of the
+affected time zones if the /usr/share/zoneinfo and /etc/localtime files are
+not updated, and all applications on the system that rely on the system time,
+such as cron(8) and syslog(8), will be affected.
+
+With the default configuration, FreeBSD systems cannot file updates to the
+installed leap-seconds.list file.  Since no leap second was introduced at the
+end of 2023, the leap-seconds.list file included with all supported FreeBSD
+releases is still accurate.  Moreover, ntpd(8) is able to receive updated leap
+second information from its peers.  However, a diagnostic warning about an
+expired leap-seconds.list is printed at startup.
+
+IV.  Workaround
+
+The system administrator can install an updated version of the IANA Time Zone
+Database from the misc/zoneinfo port and run tzsetup(8).
+
+Applications that store and display times in Coordinated Universal Time (UTC)
+are not affected.
+
+The ntpd(8) startup script can be configured to download an updated
+leap-seconds.list file from IERS with the following rc.conf(5) setting:
+
+ntp_leapfile_sources="https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list"
+
+Larger sites, or sites without reliable connectivity to the internet, may wish
+to point to their locally maintained copy of this file.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Please note that some third party software, for instance PHP, Ruby, Java,
+Perl and Python, may be using different zoneinfo data sources, in such cases
+this software must be updated separately.  Software packages that are
+installed via binary packages can be upgraded by executing 'pkg upgrade'.
+
+Following the instructions in this Errata Notice will only update the IANA
+Time Zone Database installed in /usr/share/zoneinfo.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart all the affected applications and daemons, or reboot the system.
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-24:01/tzdata-2024a.patch
+# fetch https://security.FreeBSD.org/patches/EN-24:01/tzdata-2024a.patch.asc
+# gpg --verify tzdata-2024a.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all the affected applications and daemons, or reboot the system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              26fe22019cb2    stable/14-n266642
+releng/14.0/                            a3b7bafd2acc  releng/14.0-n265409
+stable/13/                              f4256acec1c9    stable/13-n257384
+releng/13.2/                            66bb668fe5f2  releng/13.2-n254660
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://github.com/eggert/tz/blob/2023d/NEWS>
+<URL:https://github.com/eggert/tz/blob/2024a/NEWS>
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275419>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:01.tzdata.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=7Xjc
+-----END PGP SIGNATURE-----
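Review bot: Section V never tells the reader to run tzsetup(8), although Section II says "tzsetup(8) needs to be run to update /etc/localtime" when the local timezone is affected, and Section V itself states that the steps "will only update the IANA Time Zone Database installed in /usr/share/zoneinfo". Add the tzsetup(8) step after both the binary and the source update paths, or point back to Section II. Separately, in Section III "FreeBSD systems cannot file updates to the installed leap-seconds.list file" reads like a typo for "fetch" or "find"; the text sits inside the signed body, so correcting it means re-signing the notice.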
diff --git a/website/static/security/advisories/FreeBSD-EN-24:02.libutil.asc b/website/static/security/advisories/FreeBSD-EN-24:02.libutil.asc
new file mode 100644
index 0000000000..c5c33a7863
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-24:02.libutil.asc
@@ -0,0 +1,169 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-24:02.libutil                                        Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Login class resource limits and CPU mask bypass
+
+Category:       core
+Module:         libutil
+Announced:      2024-02-14
+Credits:        Olivier Certner
+Affects:        All supported versions of FreeBSD.
+Corrected:      2023-10-24 00:57:11 UTC (stable/14, 14.0-STABLE)
+                2023-02-14 06:05:41 UTC (releng/14.0, 14.0-RELEASE-p5)
+                2023-12-21 13:39:03 UTC (stable/13, 13.2-STABLE)
+                2023-02-14 06:05:57 UTC (releng/13.2, 13.2-RELEASE-p10)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+setusercontext() is a high-level API generally used by login-like programs to
+set the general environment of new processes launched on behalf of other
+users, including the credentials (users, groups, MAC security label), resource
+limits, CPU mask and process priority.
+
+This function only applies the settings of the types requested by the caller
+via flags (e.g., LOGIN_SETALL for all types, LOGIN_SETUSER to set the real,
+effective and saved user IDs, etc.), and for some of them requires privileges
+to do so.  Among these, the resource limits (flag LOGIN_SETRESOURCES) and CPU
+mask (flag LOGIN_SETCPUMASK) types are set not only based on the target user's
+login class, which is controlled by the system administrator, but also on his
+personal configuration file '~/.login_conf' (see login.conf(5)).
+
+In order to prevent unprivileged users from overriding the administrator
+settings, setusercontext() applies a personal configuration file only if the
+real user ID of the process that runs it matches that of the target user, with
+the goal to avoid applying the user-controlled settings with privileges.
+
+II.  Problem Description
+
+When deciding to apply a target user's personal configuration file,
+setusetcontext() checks the real user ID of the process whereas it should
+instead check the effective user ID, which is the one affecting the process'
+privileges and consequently which settings it can change and to which values.
+
+III. Impact
+
+An unprivileged user may bypass the administrator's resource limits and/or CPU
+mask settings stemming from his login class provided he can run a (setuid)
+login-like program that:
+- - Calls setusercontext() with the LOGIN_SETRESOURCES and/or LOGIN_SETCPUMASK
+  flags but without LOGIN_SETUSER (which excludes the use of LOGIN_SETALL),
+  and with a non-NULL 'pwd' argument.
+- - Does so before changing the effective user ID to the target user.
+
+No programs in FreeBSD's base system, including login(1) and su(1), meet these
+requirements, but third-party programs may.  In particular, sudo(8) does when
+using the default sudoers(5) plugin configured with the 'use_loginclass' flag
+enabled.  doas(8) does not.
+
+IV.  Workaround
+
+There are at least two possible workarounds.
+
+The first one is for an administrator is to prepare for all users a
+'~/.login_conf' they can't write or replace, e.g., using filesystem flags
+'schg' or 'sunlnk' (see chflags(1)), defeating user's own customizations.
+
+The second one is to review setuid login programs accessible to users,
+determine if they meet the requirements above, and deactivate those that do or
+reconfigure them when possible, as mentioned above for sudo(8).
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+It should be followed by a restart of all third-party daemons that use the
+'libutil' library, or a reboot of the system.
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-24:02/libutil.patch
+# fetch https://security.FreeBSD.org/patches/EN-24:02/libutil.patch.asc
+# gpg --verify libutil.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart of all third-party daemons that use the 'libutil' library, or reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              ede6fd06726c    stable/14-n265587
+releng/14.0/                            c2a9cfc55046  releng/14.0-n265403
+stable/13/                              9fcf54d3750e    stable/13-n256941
+releng/13.2/                            9deb5ca77beb  releng/13.2-n254655
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271750>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:02.libutil.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=mDl9
+-----END PGP SIGNATURE-----
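Review bot: The two releng entries in the Corrected field carry the year 2023 ("2023-02-14 06:05:41 UTC (releng/14.0, 14.0-RELEASE-p5)" and "2023-02-14 06:05:57 UTC (releng/13.2, 13.2-RELEASE-p10)"), which is earlier than the stable/14 and stable/13 corrections listed beside them and a year before the 2024-02-14 announcement date; they presumably should read 2024-02-14. Anyone comparing a branch date against the correction date will get the wrong answer from these lines. While re-signing, Section II spells the function "setusetcontext()" where the rest of the notice uses setusercontext(), Section IV has "The first one is for an administrator is to prepare", and the closing step of the source path reads "Restart of all third-party daemons".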
diff --git a/website/static/security/advisories/FreeBSD-EN-24:03.kqueue.asc b/website/static/security/advisories/FreeBSD-EN-24:03.kqueue.asc
new file mode 100644
index 0000000000..6ddfa84ef7
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-24:03.kqueue.asc
@@ -0,0 +1,131 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-24:03.kqueue                                         Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          kqueue_close(2) page fault on exit using rfork(2)
+
+Category:       core
+Module:         kqueue
+Announced:      2024-02-14
+Affects:        All supported versions of FreeBSD.
+Corrected:      2023-12-05 00:43:27 UTC (stable/14, 14.0-STABLE)
+                2024-02-14 06:05:42 UTC (releng/14.0, 14.0-RELEASE-p5)
+                2023-12-05 00:44:13 UTC (stable/13, 13.2-STABLE)
+                2024-02-14 06:05:58 UTC (releng/13.2, 13.2-RELEASE-p10)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The kqueue(2) system call provides a generic method of notifying the user
+when an event happens or a condition holds.
+
+II.  Problem Description
+
+Normally, when a process exits, all its kqueue fds will be destroyed at the
+moment p_klist is detached.  However, if the process was created with rfork(2)
+with shared file descriptors, its signal knotes can survive.  This can
+eventually result in a page fault when the process exits.
+
+III. Impact
+
+Using kqueue(2) with a process using rfork(2) can panic the system.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date, and reboot the system.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Reboot the system.
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-24:03/kqueue.patch
+# fetch https://security.FreeBSD.org/patches/EN-24:03/kqueue.patch.asc
+# gpg --verify kqueue.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              24346a2f7775    stable/14-n265907
+releng/14.0/                            bb06104dce0b  releng/14.0-n265404
+stable/13/                              55e91944998c    stable/13-n256837
+releng/13.2/                            154dedade465  releng/13.2-n254656
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275286>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:03.kqueue.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=xsIs
+-----END PGP SIGNATURE-----
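Review bot: Section III ("Using kqueue(2) with a process using rfork(2) can panic the system") drops the condition given in Section II, that the process was created by rfork(2) "with shared file descriptors", and does not say who can trigger the panic. State the precondition in the Impact text and whether an unprivileged local user is enough, since that is what an operator needs to prioritise a reboot. The Topic line also names "kqueue_close(2)" while the body refers only to kqueue(2) and rfork(2); if kqueue_close is a kernel function rather than a section 2 manual page, drop the "(2)".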
diff --git a/website/static/security/advisories/FreeBSD-EN-24:04.ip.asc b/website/static/security/advisories/FreeBSD-EN-24:04.ip.asc
new file mode 100644
index 0000000000..a5fbf4e1a1
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-24:04.ip.asc
@@ -0,0 +1,130 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-24:04.ip                                             Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Kernel panic triggered by bind(2)
+
+Category:       core
+Module:         ip
+Announced:      2024-02-14
+Affects:        FreeBSD 14.0
+Corrected:      2024-01-09 00:30:05 UTC (stable/14, 14.0-STABLE)
+                2024-02-14 06:05:43 UTC (releng/14.0, 14.0-RELEASE-p5)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The inpcb subsystem of the kernel is responsible for implementing
+portions of socket-related system calls (e.g., bind(2)) on behalf of
+IP-based network protocol implementations.  This layer provides lookup
+tables which can be used within the kernel to translate between sockets
+and the internet addresses to which they are bound or connected.
+
+II.  Problem Description
+
+The inpcb layer maintains several hash tables which are synchronized by
+a combination of mutexes and the use of lock-free data structures.  The
+implementation of the latter was flawed such that a locked lookup could
+return a socket that was in the process of being removed from the table.
+
+III. Impact
+
+The race condition can trigger a NULL pointer dereference in the kernel,
+resulting in a kernel panic.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r now
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-24:04/ip.patch
+# fetch https://security.FreeBSD.org/patches/EN-24:04/ip.patch.asc
+# gpg --verify ip.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              2bfe735277b8    stable/14-n266255
+releng/14.0/                            9db5ae3ec45f  releng/14.0-n265405
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273890>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:04.ip.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=2K5v
+-----END PGP SIGNATURE-----
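Review bot: The binary-update paragraph in Section V still says "or the i386 platform on FreeBSD 13", but the Affects field lists only FreeBSD 14.0 and the Corrected field has no stable/13 or releng/13.2 entry; trim the boilerplate so it does not suggest 13.x systems need this update. The Topic says the panic is "triggered by bind(2)", yet Section II describes only a locked lookup returning a socket that is being removed from the table, so a sentence tying that lookup to bind(2) would help. The opening sentence of Section V also omits the reboot that both update paths then require.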
diff --git a/website/static/security/advisories/FreeBSD-SA-24:01.bhyveload.asc b/website/static/security/advisories/FreeBSD-SA-24:01.bhyveload.asc
new file mode 100644
index 0000000000..c61b036f16
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:01.bhyveload.asc
@@ -0,0 +1,140 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:01.bhyveload                                  Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          bhyveload(8) host file access
+
+Category:       core
+Module:         bhyeload
+Announced:      2024-02-14
+Credits:        The water cooler. (Note, this is the requested credit)
+Affects:        All supported versions of FreeBSD.
+Corrected:      2024-01-15 22:27:59 UTC (stable/14, 14.0-STABLE)
+                2024-02-14 06:05:44 UTC (releng/14.0, 14.0-RELEASE-p5)
+                2024-01-15 23:11:38 UTC (stable/13, 13.2-STABLE)
+                2024-02-14 06:06:00 UTC (releng/13.2, 13.2-RELEASE-p10)
+CVE Name:       CVE-2024-25940
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+bhyveload(8) is used to load a FreeBSD guest into a bhyve virtual machine.
+
+II.  Problem Description
+
+`bhyveload -h <host-path>` may be used to grant loader access to the <host-path>
+directory tree on the host.  Affected versions of bhyveload(8) do not make any
+attempt to restrict loader's access to <host-path>, allowing the loader to read
+any file the host user has access to.
+
+III. Impact
+
+In the bhyveload(8) model, the host supplies a userboot.so to boot with, but the
+loader scripts generally come from the guest image.  A maliciously crafted
+script could be used to exfiltrate sensitive data from the host accessible to
+the user running bhyhveload(8), which is often the system root.
+
+IV.  Workaround
+
+No workaround is available, but guests that do not use `bhyveload -h` are not
+impacted.  Common VM solutions that use bhyveload(8) do not usually use the
+- -h option.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 14.0]
+# fetch https://security.FreeBSD.org/patches/SA-24:01/bhyveload-14.0.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:01/bhyveload-14.0.patch.asc
+# gpg --verify bhyveload-14.0.patch.asc
+
+[FreeBSD 13.2]
+# fetch https://security.FreeBSD.org/patches/SA-24:01/bhyveload-13.2.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:01/bhyveload-13.2.patch.asc
+# gpg --verify bhyveload-13.2.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.  Virtual
+machines that have been booted with bhyveload(8) do not need to be rebooted.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              426b28fdf700    stable/14-n266333
+releng/14.0/                            f5bb597829e1  releng/14.0-n265406
+stable/13/                              78345dbd7a00    stable/13-n257186
+releng/13.2/                            48598b1670ce  releng/13.2-n254657
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25940>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:01.bhyveload.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=LOMD
+-----END PGP SIGNATURE-----
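Review bot: The Module field reads "bhyeload" and Section III refers to "bhyhveload(8)"; both should be bhyveload, matching the Topic, the file name and the rest of the text. The Module value is what people search and filter on, so it is worth fixing even though the body is signed and will need a new signature. In Section IV, "No workaround is available" is followed immediately by the statement that guests not using `bhyveload -h` are not impacted; consider saying outright that not passing -h avoids the issue where the guest does not need host file access.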
diff --git a/website/static/security/advisories/FreeBSD-SA-24:02.tty.asc b/website/static/security/advisories/FreeBSD-SA-24:02.tty.asc
new file mode 100644
index 0000000000..6b40af77f9
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:02.tty.asc
@@ -0,0 +1,137 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:02.tty                                        Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          jail(2) information leak
+
+Category:       core
+Module:         jail
+Announced:      2024-02-14
+Credits:        Pawel Jakub Dawidek
+Affects:        All supported versions of FreeBSD.
+Corrected:      2024-02-12 16:25:54 UTC (stable/14, 14.0-STABLE)
+                2024-02-14 06:05:46 UTC (releng/14.0, 14.0-RELEASE-p5)
+                2024-02-12 16:27:37 UTC (stable/13, 13.2-STABLE)
+                2024-02-14 06:06:01 UTC (releng/13.2, 13.2-RELEASE-p10)
+CVE Name:       CVE-2024-25941
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The jail(2) system call allows a system administrator to lock a process
+and all of its descendants inside an environment with a very limited
+ability to affect the system outside that environment, even for
+processes with superuser privileges.  It is an extension of, but
+far more powerful than, the traditional UNIX chroot(2) system call.
+
+tty(4) is a general terminal device.
+
+II.  Problem Description
+
+The jail(2) system call has not limited a visiblity of allocated TTYs
+(the kern.ttys sysctl).  This gives rise to an information leak about
+processes outside the current jail.
+
+III. Impact
+
+Attacker can get information about TTYs allocated on the host or in other
+jails.  Effectively, the information printed by "pstat -t" may be leaked.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-24:02/tty.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:02/tty.patch.asc
+# gpg --verify tty.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              215bb03edc54    stable/14-n266676
+releng/14.0/                            4d354159d150  releng/14.0-n265407
+stable/13/                              9bff7ec98354    stable/13-n257418
+releng/13.2/                            17257e6e9a23  releng/13.2-n254658
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25941>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:02.tty.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=HQVb
+-----END PGP SIGNATURE-----
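Review bot: Section II (Problem Description) misspells "visibility" as "visiblity", and "has not limited a visiblity of allocated TTYs" reads awkwardly; suggest "did not limit the visibility of allocated TTYs (the kern.ttys sysctl)". In section III, "Attacker can get" should read "An attacker can get", and it would help to state that the attacker is a process inside a jail, which section II only implies with "outside the current jail". Because the file is a PGP clearsigned message, these wording fixes need to be made in the advisory source and the text re-signed, not edited in place in this file. Also worth confirming that "Module: jail" is intended, given that the advisory id and the patch are both named tty.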
diff --git a/website/static/security/patches/EN-24:01/tzdata-2024a.patch b/website/static/security/patches/EN-24:01/tzdata-2024a.patch
new file mode 100644
index 0000000000..a6ce7c687d
--- /dev/null
+++ b/website/static/security/patches/EN-24:01/tzdata-2024a.patch
@@ -0,0 +1,2927 @@
+--- contrib/tzdata/Makefile.orig
++++ contrib/tzdata/Makefile
+@@ -1,7 +1,25 @@
+ # Make and install tzdb code and data.
+-
+ # This file is in the public domain, so clarified as of
+ # 2009-05-17 by Arthur David Olson.
++# Request POSIX conformance; this must be the first non-comment line.
++.POSIX:
++# On older platforms you may need to scrounge for a POSIX-conforming 'make'.
++# For example, on Solaris 10 (2005), use /usr/sfw/bin/gmake or
*** 3601 LINES SKIPPED ***