git: 08fecaeaba - main - Add EN-24:05 through EN-24:08, SA-24:03.

From: Gordon Tetlow <gordon_at_FreeBSD.org>
Date: Thu, 28 Mar 2024 07:20:26 UTC
The branch main has been updated by gordon:

URL: https://cgit.FreeBSD.org/doc/commit/?id=08fecaeabaa47379154afa3f8fd71c46b2371e80

commit 08fecaeabaa47379154afa3f8fd71c46b2371e80
Author:     Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2024-03-28 07:20:00 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2024-03-28 07:20:00 +0000

    Add EN-24:05 through EN-24:08, SA-24:03.
    
    Approved by:    so
---
 website/data/security/advisories.toml              |     4 +
 website/data/security/errata.toml                  |    16 +
 .../security/advisories/FreeBSD-EN-24:05.tty.asc   |   132 +
 .../advisories/FreeBSD-EN-24:06.wireguard.asc      |   138 +
 .../security/advisories/FreeBSD-EN-24:07.clang.asc |   127 +
 .../advisories/FreeBSD-EN-24:08.kerberos.asc       |   127 +
 .../advisories/FreeBSD-SA-24:03.unbound.asc        |   147 +
 website/static/security/patches/EN-24:05/tty.patch |    23 +
 .../static/security/patches/EN-24:05/tty.patch.asc |    16 +
 .../security/patches/EN-24:06/wireguard.patch      |    40 +
 .../security/patches/EN-24:06/wireguard.patch.asc  |    16 +
 .../static/security/patches/EN-24:07/clang.patch   |    25 +
 .../security/patches/EN-24:07/clang.patch.asc      |    16 +
 .../security/patches/EN-24:08/kerberos.patch       |   203 +
 .../security/patches/EN-24:08/kerberos.patch.asc   |    16 +
 .../security/patches/SA-24:03/unbound-13.patch     | 24911 +++++++++++++++++++
 .../security/patches/SA-24:03/unbound-13.patch.asc |    16 +
 .../security/patches/SA-24:03/unbound-14.patch     | 24911 +++++++++++++++++++
 .../security/patches/SA-24:03/unbound-14.patch.asc |    16 +
 19 files changed, 50900 insertions(+)

diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index 15f9a96938..d2a4603d5f 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -1,6 +1,10 @@
 # Sort advisories by year, month and day
 # $FreeBSD$
 
+[[advisories]]
+name = "FreeBSD-SA-24:03.unbound"
+date = "2024-03-28"
+
 [[advisories]]
 name = "FreeBSD-SA-24:02.tty"
 date = "2024-02-14"
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index c292820014..50d0a89e3a 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,22 @@
 # Sort errata notices by year, month and day
 # $FreeBSD$
 
+[[notices]]
+name = "FreeBSD-EN-24:08.kerberos"
+date = "2024-03-28"
+
+[[notices]]
+name = "FreeBSD-EN-24:07.clang"
+date = "2024-03-28"
+
+[[notices]]
+name = "FreeBSD-EN-24:06.wireguard"
+date = "2024-03-28"
+
+[[notices]]
+name = "FreeBSD-EN-24:05.tty"
+date = "2024-03-28"
+
 [[notices]]
 name = "FreeBSD-EN-24:04.ip"
 date = "2024-02-14"
diff --git a/website/static/security/advisories/FreeBSD-EN-24:05.tty.asc b/website/static/security/advisories/FreeBSD-EN-24:05.tty.asc
new file mode 100644
index 0000000000..979d0c2c5f
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-24:05.tty.asc
@@ -0,0 +1,132 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-24:05.tty                                           Erratum Notice
+                                                          The FreeBSD Project
+
+Topic:          TTY Kernel Panic
+
+Category:       core
+Module:         kernel
+Announced:      2024-03-28
+Affects:        FreeBSD 13.2 and FreeBSD 14.0
+Corrected:      2024-02-29 00:29:13 UTC (stable/14, 14.0-STABLE)
+                2024-03-28 05:06:21 UTC (releng/14.0, 14.0-RELEASE-p6)
+                2024-02-29 00:30:12 UTC (stable/13, 13.2-STABLE)
+                2024-03-28 05:07:53 UTC (releng/13.2, 13.2-RELEASE-p11)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+tty(4) is the general terminal device.  The kern.ttys sysctl provides tty
+information for tools such as `pstat -t`.
+
+FreeBSD-SA-24:02.tty addressed an information leak about outside processes
+from within a jail.
+
+II.  Problem Description
+
+A missing check resulted in a null pointer dereference if a tty had a session
+associated, but no session leader.
+
+III. Impact
+
+Under certain conditions an unprivileged user could provoke a kernel panic.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date, and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for an erratum update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-24:05/tty.patch
+# fetch https://security.FreeBSD.org/patches/EN-24:05/tty.patch.asc
+# gpg --verify tty.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              8d22744f5be1    stable/14-n266915
+releng/14.0/                            a3ec3054762f  releng/14.0-n265411
+stable/13/                              a60220bbb551    stable/13-n257543
+releng/13.2/                            f3195cc08ccc  releng/13.2-n254662
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277240>
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277329>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:05.tty.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=w167
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-24:06.wireguard.asc b/website/static/security/advisories/FreeBSD-EN-24:06.wireguard.asc
new file mode 100644
index 0000000000..a7c7fb1c09
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-24:06.wireguard.asc
@@ -0,0 +1,138 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-24:06.wireguard                                      Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Insufficient barriers in WireGuard if_wg(4)
+
+Category:       core
+Module:         if_wg
+Announced:      2024-03-28
+Affects:        All supported versions of FreeBSD.
+Corrected:      2024-03-22 15:21:39 UTC (stable/14, 14.0-STABLE)
+                2024-03-28 05:06:22 UTC (releng/14.0, 14.0-RELEASE-p6)
+                2024-03-22 15:21:42 UTC (stable/13, 13.3-STABLE)
+                2024-03-28 07:14:19 UTC (releng/13.3, 13.3-RELEASE-p1)
+                2024-03-28 05:07:54 UTC (releng/13.2, 13.2-RELEASE-p11)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+if_wg is the kernel module that implements WireGuard tunnels between two
+endpoints.  When packets arrive from the tunnel or are sent over the tunnel,
+they are decrypted or encrypted in a separate thread from the one that delivers
+the packet to its final destination.
+
+II.  Problem Description
+
+Insufficient barriers between the encrypt/decrypt threads and the delivery
+threads may result in the wrong part of an mbuf chain being read and sent along
+through the network stack on architectures with a weaker memory model, e.g.,
+aarch64, under certain workloads.
+
+III. Impact
+
+The part of the mbuf chain being sent along may contain some invalid state that
+causes a later fault and panic.
+
+IV.  Workaround
+
+No workaround is available, but X86 platforms (that is, i386 and amd64) are
+not affected.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot or reload the
+if_wg kernel module.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD arm64 platform can be updated
+via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+After the updates have installed, you will need to reboot the system or reload
+the if_wg kernel module.
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-24:06/wireguard.patch
+# fetch https://security.FreeBSD.org/patches/EN-24:06/wireguard.patch.asc
+# gpg --verify wireguard.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system or reload the if_wg kernel module.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              590e02d3c088    stable/14-2576116
+releng/14.0/                            56be7cd84447  releng/14.0-n265412
+stable/13/                              806e51f81dba    stable/13-n257611
+releng/13.3/                            f07351f90aa3  releng/13.3-n257429
+releng/13.2/                            8f1f4e60ceb9  releng/13.2-n254663
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264115>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:06.wireguard.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmYFGagACgkQbljekB8A
+Gu/p2g//cupzJnkQB/sXm0EWroHjy/I6X6gbZlDpHZFbetGx8niyCH/xK3FMySuq
+q1XGKpXqQKBR3R+VmTNs+Tfd0DbFK8nwStPHXnewKZJ+Qddah27Y3zEuj9+vmmmq
+rzgJNDNv53eZj0c2ExIWVSfjn1faiE4ctVUOROtvxvxr9RtFpatGTzT5i/wgoNnj
+gyO/VoFIn3C4ya8F/7EMicnEdQuXW55Ds+3ub9MO4DcXDds3QLWnYIVYfnvnBNV4
+YX7N+yynBxGOwD1Isbee6dCFTslsOgqV8WGkN4hMXvikPGvD+lXwCpDftfJCEFbR
+xDUzf+M/6eBDgTztMmg7bTQO53Dp1iv5nd6Sw71rqS6tCwJ4BoxHV8Cx31yBbPRq
+S2JsUjT0UsH5Cdvq8Ky5vMPSuSa/n8Ma/CeNtAQ0wvMw9WXkDGOZQSfBuEvJIItB
+WQyfpBgrWjUZ3fMX7URPc5hca04y/bLyBV+gRfRqVy2nc4T4AwplWYOvBb5f8EXs
+2+Jq1Bh3PQTBM4ZdXJtGmBct7ciZn3tZSrAt8c2sNLV5tUfVhWgNTYmcj5ffpPGh
+r6D9m++Oq4ZORrFpydDfgv/0qXJQrp/9nFVxv8TdhwHBOkdYWP9mJpIUJxVxwfYp
+jlFBr6yZWp4bWsGGgdtQqQ5+gKo8B25aQ52IE22weZsFxxaYn24=
+=oKHT
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-24:07.clang.asc b/website/static/security/advisories/FreeBSD-EN-24:07.clang.asc
new file mode 100644
index 0000000000..eeaceee0b4
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-24:07.clang.asc
@@ -0,0 +1,127 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-24:07.clang                                          Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Clang crash when certain optimization is enabled
+
+Category:       contrib
+Module:         clang
+Announced:      2024-03-28
+Affects:        FreeBSD 14.0 and FreeBSD 13.3
+Corrected:      2024-03-08 08:19:28 UTC (stable/14, 14.0-STABLE)
+                2024-03-28 05:06:23 UTC (releng/14.0, 14.0-RELEASE-p6)
+                2024-03-08 08:19:49 UTC (stable/13, 13.3-STABLE)
+                2024-03-28 07:14:20 UTC (releng/13.3, 13.3-RELEASE-p1)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+FreeBSD includes the Clang C/C++ compiler in the base system.  FreeBSD 14.0
+and FreeBSD 13.3 include Clang version 17.
+
+II.  Problem Description
+
+Clang 17 has a bug that results in a crash under certain circumstances.
+
+III. Impact
+
+The compiler crashes instead of generating an object file.
+
+IV.  Workaround
+
+Avoid use of -fzero-call-used-regs, or install a version of Clang other than
+17 from ports or packages.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-24:07/clang.patch
+# fetch https://security.FreeBSD.org/patches/EN-24:07/clang.patch.asc
+# gpg --verify clang.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              fc31d474c40a    stable/14-n266942
+releng/14.0/                            711422d54795  releng/14.0-n265413
+stable/13/                              961271f952fc    stable/13-n257558
+releng/13.3/                            26059a4f2c14  releng/13.3-n257430
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277474>
+<URL:https://github.com/llvm/llvm-project/issues/75168>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:07.clang.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=lTOH
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-24:08.kerberos.asc b/website/static/security/advisories/FreeBSD-EN-24:08.kerberos.asc
new file mode 100644
index 0000000000..32ac450b39
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-24:08.kerberos.asc
@@ -0,0 +1,127 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-24:08.kerberos                                       Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Kerberos segfaults when using weak crypto
+
+Category:       contrib
+Module:         heimdal
+Announced:      2024-03-28
+Affects:        FreeBSD 14.0
+Corrected:      2024-01-22 15:49:24 UTC (stable/14, 14.0-STABLE)
+                2024-03-28 05:06:25 UTC (releng/14.0, 14.0-RELEASE-p6)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+FreeBSD includes Heimdal, an implementation of ASN.1/DER, PKIX, and Kerberos.
+It uses OpenSSL to provide a number of cryptographic routines.
+
+II.  Problem Description
+
+Weak crypto is provided by the openssl "legacy" provider which is not loaded
+by default.
+
+III. Impact
+
+Attempting to use weak crypto routines when the legacy provider is not loaded
+results in the application crashing.
+
+IV.  Workaround
+
+Edit /etc/ssl/openssl.cnf to load the legacy provider unconditionally.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-24:08/kerberos.patch
+# fetch https://security.FreeBSD.org/patches/EN-24:08/kerberos.patch.asc
+# gpg --verify kerberos.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the library, or reboot the system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              c7db2e15e404    stable/14-n266467
+releng/14.0/                            c48fe39ad139  releng/14.0-n265415
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<other info on the problem>
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272835>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:08.kerberos.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmYFGawACgkQbljekB8A
+Gu9Euw/+LX8qcrGUvA11MNOVemD+SEH/Ol97L4gLHhzGlWSf3VMq5F1KtY0VRwGK
+ykM3VsSAk3PoYHLn+jbHPuAMjJVym+MLg27ZZWlqnx2Z7/wk2KuAb9RVCUl4FnPy
+eTXzBNt3tCSYa2ZCRWEH+uN6dZh4o8VP0DWfrNdaazH7R7ezRmTzirvcQ39MXTcE
+8wI+zQedVZG4OSuqOSFY21d70nlzqgs6ThY3K6KrtcaQGfenYBSQgFmjMJlBqtrb
+Mr1Yvgc+wE66Ara/Hz+/2L11bwjyFwT1dpO57DKrcyTaGTnSYiDQiDscUIAW0gCh
+bUMCgWCHq+kk7pAyUIMlRbdrA/6N/wmvwP/iO6GGxYmN0lNX8udxeZWz3OPPnbif
+anM5OGnvKFkkTzCqnpHumljolvJL0/VeD7XCNBBgWa1I46gFmmNZ7R2esm7UEdU8
+IR4Hk9EqGhfl+EwU7OW04/Hq3br667kXbVsq1TTVM4ht39K+WhVoxzirp7QzOGTJ
+WjRq6DK+44PyhQgnnAJgM/4gOGr5O/Y3ezRx4uj1S9L9faXTC5xlT8Vw78xU2wXq
+BjG7vXi5r9d4POjtRcNiaMVKXQPF/saGjHcPGrGnuBLC8AFG54bFycmvM5QzWqng
+AeRFOg+O8lkxLoQMDqJsNt8OMIk7vZHguwL7pt0tRtouuoaszU0=
+=UnED
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-24:03.unbound.asc b/website/static/security/advisories/FreeBSD-SA-24:03.unbound.asc
new file mode 100644
index 0000000000..6873ea8d0d
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:03.unbound.asc
@@ -0,0 +1,147 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:03.unbound                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Multiple vulnerabilities in unbound
+
+Category:       contrib
+Module:         unbound
+Announced:      2024-03-28
+Affects:        FreeBSD 13.2 and FreeBSD 14.0
+Corrected:      2024-02-17 13:45:44 UTC (stable/14, 14.0-STABLE)
+                2024-03-28 05:06:26 UTC (releng/14.0, 14.0-RELEASE-p6)
+                2024-02-17 13:45:44 UTC (stable/13, 13.2-STABLE)
+                2024-03-28 05:07:55 UTC (releng/13.2, 13.2-RELEASE-p11)
+CVE Name:       CVE-2023-50387, CVE-2023-50868
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+Unbound is a validating, recursive, and caching DNS resolver.
+
+II.  Problem Description
+
+The KeyTrap vulnerability (CVE-2023-50387) works by using a combination of Keys
+(also colliding Keys), Signatures and number of RRSETs on a malicious zone.
+Answers from that zone can force a DNSSEC validator down a very CPU intensive
+and time costly validation path.
+
+The NSEC3 vulnerability (CVE-2023-50868) uses specially crafted responses on a
+malicious zone with multiple NSEC3 RRSETs to force a DNSSEC validator down a
+very CPU intensive and time costly NSEC3 hash calculation path.
+
+
+III. Impact
+
+Both issues can force Unbound to spend an enormous time (comparative to regular
+traffic) validating a single specially crafted DNSSEC response while everything
+else is on hold for that thread.  A trivially orchestrated attack could render
+all threads busy with such responses leading to denial of service.
+
+IV.  Workaround
+
+No workaround is available.  Systems not running Unbound are not affected.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 14.0]
+# fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-14.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-14.patch.asc
+# gpg --verify unbound-14.patch.asc
+
+[FreeBSD 13.2]
+# fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-13.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:03/unbound-13.patch.asc
+# gpg --verify unbound-13.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch -p0 < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              e2b44c401cc2    stable/14-n266696
+releng/14.0/                            c189b94f8a22  releng/14.0-n265416
+stable/13/                              abe4ced2b9de    stable/13-n257436
+releng/13.2/                            d9d90e5e42f6  releng/13.2-n254664
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://www.nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:03.unbound.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmYFGa4ACgkQbljekB8A
+Gu8Oxw/9HrzGZVx0FsUb8dhvf6Hlcfy3B0RNjxcnvvBm+P/V0+WSEaFTod9YaonO
+GN331SXI1blvqfCpOz2TLiOvHjWDPCcb8bb9YqQXRId4axnpxCCzIY0HkxgXFNDu
+XgXwM4JYapmWis/pOxifRXnB087lwbkfVx/0iOTeA0XUFoRRIbooiL/6H76hOmq7
+XR5moI8xYyAX5Xh+5/6yZgd+A+0n/KfQnOEpA7Ex9MWC17co+RGOP1JUZYIFHhAc
+W/vNuL23UWqR1TjMgVWTHEvVBTrUPEiDfp2Z1LiQexH9IaQ4cePu7qrWlzAo7rr6
+6Cf3DybH9IxALQQSSKq1JWNqQFOWvpXCy5JKBua+Z7kcFHR5tmAgolqGLGJ629Ko
+GNwsSUTZ8SzwupJ93boMaD4jF2t+zOXvBvceYywZEEvd2gq2zkfMV6WJwtUUOvdm
+z7Z7AejUFONrQyYps4rcKCthnQOLHtzcPUQom68KpUACsdOr1hkA0VOCf5HRrEe6
+DpwM9PX1T3eiHSq1eZj2MMkz+Cw/DJK+wegkULRxg2ZOmWKA2U8df+Qj1RYpX4QT
+JrPSHh4EqovfrB5H0uUgfLWBgAzGBLEeFKAMA+omlEaELyNzvG/4xv8eJVtjTG+D
+EEQCXVTJmws/ZFDC2vJhVR6vdAwMuPz8YkBtcQkqnNcF+zzbcEk=
+=PELN
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-24:05/tty.patch b/website/static/security/patches/EN-24:05/tty.patch
new file mode 100644
index 0000000000..8499da5c00
--- /dev/null
+++ b/website/static/security/patches/EN-24:05/tty.patch
@@ -0,0 +1,23 @@
+--- sys/kern/tty.c.orig
++++ sys/kern/tty.c
+@@ -1312,7 +1312,8 @@
+ 	struct xtty *xtlist, *xt;
+ 	struct tty *tp;
+ 	struct proc *p;
+-	int cansee, error;
++	int error;
++	bool cansee;
+ 
+ 	sx_slock(&tty_list_sx);
+ 	lsize = tty_list_count * sizeof(struct xtty);
+@@ -1325,8 +1326,8 @@
+ 
+ 	TAILQ_FOREACH(tp, &tty_list, t_list) {
+ 		tty_lock(tp);
+-		if (tp->t_session != NULL) {
+-			p = tp->t_session->s_leader;
++		if (tp->t_session != NULL &&
++		    (p = atomic_load_ptr(&tp->t_session->s_leader)) != NULL) {
+ 			PROC_LOCK(p);
+ 			cansee = (p_cansee(td, p) == 0);
+ 			PROC_UNLOCK(p);
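Review bot: The new test `tp->t_session != NULL && (p = atomic_load_ptr(&tp->t_session->s_leader)) != NULL` carries no comment saying why `s_leader` needs an atomic load or what keeps `p` valid between that load and `PROC_LOCK(p)`. The erratum text gives the reason for the NULL check, so a short comment above the condition would record it, e.g. `/* A tty can still reference a session that no longer has a leader; s_leader is NULL then. */`. The lifetime guarantee is not visible in these lines (presumably the tty lock or the session teardown order provides it), so the comment should also name the lock that does. The rest of the loop body, including how `cansee` is set when the test fails, is outside the patch context.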
diff --git a/website/static/security/patches/EN-24:05/tty.patch.asc b/website/static/security/patches/EN-24:05/tty.patch.asc
new file mode 100644
index 0000000000..02b14fbbcb
--- /dev/null
+++ b/website/static/security/patches/EN-24:05/tty.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=ZBRs
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-24:06/wireguard.patch b/website/static/security/patches/EN-24:06/wireguard.patch
new file mode 100644
index 0000000000..c736ef8ee0
--- /dev/null
+++ b/website/static/security/patches/EN-24:06/wireguard.patch
@@ -0,0 +1,40 @@
+--- sys/dev/wg/if_wg.c.orig
++++ sys/dev/wg/if_wg.c
+@@ -1515,8 +1515,7 @@
+ 	state = WG_PACKET_CRYPTED;
+ out:
+ 	pkt->p_mbuf = m;
+-	wmb();
+-	pkt->p_state = state;
++	atomic_store_rel_int(&pkt->p_state, state);
+ 	GROUPTASK_ENQUEUE(&peer->p_send);
+ 	noise_remote_put(remote);
+ }
+@@ -1588,8 +1587,7 @@
+ 	state = WG_PACKET_CRYPTED;
+ out:
+ 	pkt->p_mbuf = m;
+-	wmb();
+-	pkt->p_state = state;
++	atomic_store_rel_int(&pkt->p_state, state);
+ 	GROUPTASK_ENQUEUE(&peer->p_recv);
+ 	noise_remote_put(remote);
+ }
+@@ -1645,7 +1643,7 @@
+ 	wg_peer_get_endpoint(peer, &endpoint);
+ 
+ 	while ((pkt = wg_queue_dequeue_serial(&peer->p_encrypt_serial)) != NULL) {
+-		if (pkt->p_state != WG_PACKET_CRYPTED)
++		if (atomic_load_acq_int(&pkt->p_state) != WG_PACKET_CRYPTED)
+ 			goto error;
+ 
+ 		m = pkt->p_mbuf;
+@@ -1687,7 +1685,7 @@
+ 	struct epoch_tracker	 et;
+ 
+ 	while ((pkt = wg_queue_dequeue_serial(&peer->p_decrypt_serial)) != NULL) {
+-		if (pkt->p_state != WG_PACKET_CRYPTED)
++		if (atomic_load_acq_int(&pkt->p_state) != WG_PACKET_CRYPTED)
+ 			goto error;
+ 
+ 		m = pkt->p_mbuf;
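Review bot: The release store `atomic_store_rel_int(&pkt->p_state, state)` on the two `out:` paths pairs with the acquire load `atomic_load_acq_int(&pkt->p_state)` in the two dequeue loops, but none of the four sites says so. Each should name its counterpart, for example `/* Release: publishes p_mbuf; pairs with the acquire load of p_state on dequeue. */` on the store and `/* Acquire: p_mbuf may be read only after this; pairs with the release store at out:. */` on the load, because the `m = pkt->p_mbuf` read that follows depends on that ordering. The declaration of `p_state` is not in the patch context; if it is an enum rather than an `int`/`u_int`, confirm that the pointer passed to the `_int` atomics has the matching type. All four functions start and end outside the patch context.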
diff --git a/website/static/security/patches/EN-24:06/wireguard.patch.asc b/website/static/security/patches/EN-24:06/wireguard.patch.asc
new file mode 100644
index 0000000000..8d89aa382d
--- /dev/null
+++ b/website/static/security/patches/EN-24:06/wireguard.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=fsNv
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-24:07/clang.patch b/website/static/security/patches/EN-24:07/clang.patch
new file mode 100644
index 0000000000..5ac7e17e7a
--- /dev/null
+++ b/website/static/security/patches/EN-24:07/clang.patch
@@ -0,0 +1,25 @@
+--- contrib/llvm-project/llvm/lib/CodeGen/PrologEpilogInserter.cpp.orig
++++ contrib/llvm-project/llvm/lib/CodeGen/PrologEpilogInserter.cpp
+@@ -1285,6 +1285,8 @@
+           continue;
+ 
+         MCRegister Reg = MO.getReg();
++        if (!Reg)
++          continue;
+ 
+         // This picks up sibling registers (e.q. %al -> %ah).
+         for (MCRegUnit Unit : TRI.regunits(Reg))
+@@ -1308,8 +1310,11 @@
+         if (!MO.isReg())
+           continue;
+ 
+-        for (const MCPhysReg &Reg :
+-             TRI.sub_and_superregs_inclusive(MO.getReg()))
++        MCRegister Reg = MO.getReg();
++        if (!Reg)
++          continue;
++
++        for (const MCPhysReg Reg : TRI.sub_and_superregs_inclusive(Reg))
+           RegsToZero.reset(Reg);
+       }
+     }
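Review bot: In the second changed loop, `for (const MCPhysReg Reg : TRI.sub_and_superregs_inclusive(Reg))` declares a loop variable with the same name as the `MCRegister Reg` introduced three lines above it. The range expression is evaluated before the loop variable comes into scope, so it still reads the outer `Reg`, but the shadowing makes `RegsToZero.reset(Reg)` easy to misread and is the kind of thing `-Wshadow` reports. Renaming the loop variable keeps the behaviour and removes the ambiguity: `for (const MCPhysReg SReg : TRI.sub_and_superregs_inclusive(Reg))` followed by `RegsToZero.reset(SReg);`. The enclosing function is outside the patch context.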
diff --git a/website/static/security/patches/EN-24:07/clang.patch.asc b/website/static/security/patches/EN-24:07/clang.patch.asc
new file mode 100644
index 0000000000..957b801ada
--- /dev/null
+++ b/website/static/security/patches/EN-24:07/clang.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=GKxn
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-24:08/kerberos.patch b/website/static/security/patches/EN-24:08/kerberos.patch
new file mode 100644
index 0000000000..adf73729d8
--- /dev/null
+++ b/website/static/security/patches/EN-24:08/kerberos.patch
@@ -0,0 +1,203 @@
+--- crypto/heimdal/lib/kadm5/create_s.c.orig
++++ crypto/heimdal/lib/kadm5/create_s.c
+@@ -169,6 +169,10 @@
+     ent.entry.keys.len = 0;
+     ent.entry.keys.val = NULL;
+ 
++    ret = fbsd_ossl_provider_load();
++    if (ret)
++	goto out;
++
+     ret = _kadm5_set_keys(context, &ent.entry, password);
+     if (ret)
+ 	goto out;
+--- crypto/heimdal/lib/kadm5/kadm5_locl.h.orig
++++ crypto/heimdal/lib/kadm5/kadm5_locl.h
+@@ -79,5 +79,6 @@
+ #include <der.h>
+ #include <parse_units.h>
+ #include "private.h"
++#include "fbsd_ossl_provider.h"
+ 
+ #endif /* __KADM5_LOCL_H__ */
+--- crypto/heimdal/lib/krb5/context.c.orig
++++ crypto/heimdal/lib/krb5/context.c
+@@ -392,6 +392,10 @@
+     }
+     HEIMDAL_MUTEX_init(p->mutex);
+ 
++    ret = fbsd_ossl_provider_load();
++    if(ret)
*** 50073 LINES SKIPPED ***