git: 1e9a766add - main - Add EN-25:04 through EN-25:08.
Date: Thu, 10 Apr 2025 16:27:50 UTC
The branch main has been updated by gordon:
URL: https://cgit.FreeBSD.org/doc/commit/?id=1e9a766addb348bcc62307b9cdcded48f705296a
commit 1e9a766addb348bcc62307b9cdcded48f705296a
Author: Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2025-04-10 16:27:06 +0000
Commit: Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2025-04-10 16:27:06 +0000
Add EN-25:04 through EN-25:08.
Approved by: so
---
website/data/security/errata.toml | 20 +
.../advisories/FreeBSD-EN-25:04.tzdata.asc | 161 +
.../security/advisories/FreeBSD-EN-25:05.expat.asc | 159 +
.../advisories/FreeBSD-EN-25:06.daemon.asc | 135 +
.../advisories/FreeBSD-EN-25:07.openssl.asc | 178 +
.../advisories/FreeBSD-EN-25:08.caroot.asc | 148 +
.../security/patches/EN-25:04/tzdata-2025b.patch | 274 +
.../patches/EN-25:04/tzdata-2025b.patch.asc | 16 +
.../patches/EN-25:05/expat-13.4-14.2.patch | 5223 ++++++++++++++++
.../patches/EN-25:05/expat-13.4-14.2.patch.asc | 16 +
.../security/patches/EN-25:05/expat-13.5.patch | 3179 ++++++++++
.../security/patches/EN-25:05/expat-13.5.patch.asc | 16 +
.../static/security/patches/EN-25:06/daemon.patch | 199 +
.../security/patches/EN-25:06/daemon.patch.asc | 16 +
.../static/security/patches/EN-25:07/openssl.patch | 6544 ++++++++++++++++++++
.../security/patches/EN-25:07/openssl.patch.asc | 16 +
.../security/patches/EN-25:08/caroot-13.4.patch | 3374 ++++++++++
.../patches/EN-25:08/caroot-13.4.patch.asc | 16 +
.../security/patches/EN-25:08/caroot-13.5.patch | 3374 ++++++++++
.../patches/EN-25:08/caroot-13.5.patch.asc | 16 +
.../security/patches/EN-25:08/caroot-14.2.patch | 3374 ++++++++++
.../patches/EN-25:08/caroot-14.2.patch.asc | 16 +
22 files changed, 26470 insertions(+)
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index d26f0bf3f2..bd86e232cc 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,26 @@
# Sort errata notices by year, month and day
# $FreeBSD$
+[[notices]]
+name = "FreeBSD-EN-25:08.caroot"
+date = "2025-04-10"
+
+[[notices]]
+name = "FreeBSD-EN-25:07.openssl"
+date = "2025-04-10"
+
+[[notices]]
+name = "FreeBSD-EN-25:06.daemon"
+date = "2025-04-10"
+
+[[notices]]
+name = "FreeBSD-EN-25:05.expat"
+date = "2025-04-10"
+
+[[notices]]
+name = "FreeBSD-EN-25:04.tzdata"
+date = "2025-04-10"
+
[[notices]]
name = "FreeBSD-EN-25:03.tzdata"
date = "2025-01-29"
diff --git a/website/static/security/advisories/FreeBSD-EN-25:04.tzdata.asc b/website/static/security/advisories/FreeBSD-EN-25:04.tzdata.asc
new file mode 100644
index 0000000000..acf18a34a7
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-25:04.tzdata.asc
@@ -0,0 +1,161 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-25:04.tzdata Errata Notice
+ The FreeBSD Project
+
+Topic: Timezone database information update
+
+Category: contrib
+Module: zoneinfo
+Announced: 2025-04-10
+Affects: All supported versions of FreeBSD.
+Corrected: 2025-03-26 01:04:32 UTC (stable/14, 14.2-STABLE)
+ 2025-04-10 14:57:39 UTC (releng/14.2, 14.2-RELEASE-p3)
+ 2025-03-26 01:04:59 UTC (stable/13, 13.5-STABLE)
+ 2025-04-10 14:59:01 UTC (releng/13.5, 13.5-RELEASE-p1)
+ 2025-04-10 14:59:35 UTC (releng/13.4, 13.4-RELEASE-p5)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The IANA Time Zone Database (often called tz or zoneinfo) contains code and
+data that represent the history of local time for many representative
+locations around the globe. It is updated periodically to reflect changes
+made by political bodies to time zone boundaries, UTC offsets, and
+daylight-saving rules.
+
+FreeBSD releases install the IANA Time Zone Database in /usr/share/zoneinfo.
+The tzsetup(8) utility allows the user to specify the default local time
+zone. Based on the selected time zone, tzsetup(8) copies one of the files
+from /usr/share/zoneinfo to /etc/localtime. A time zone may also be selected
+for an individual process by setting its TZ environment variable to a desired
+time zone name.
+
+II. Problem Description
+
+Several changes to future and past timestamps have been recorded in the IANA
+Time Zone Database after previous FreeBSD releases were released. This
+affects many users in different parts of the world. Because of these
+changes, the data in the zoneinfo files need to be updated. If the local
+timezone on the running system is affected, tzsetup(8) needs to be run to
+update /etc/localtime.
+
+III. Impact
+
+An incorrect time will be displayed on a system configured to use one of the
+affected time zones if the /usr/share/zoneinfo and /etc/localtime files are
+not updated, and all applications on the system that rely on the system time,
+such as cron(8) and syslog(8), will be affected.
+
+IV. Workaround
+
+The system administrator can install an updated version of the IANA Time Zone
+Database from the misc/zoneinfo port and run tzsetup(8).
+
+Applications that store and display times in Coordinated Universal Time (UTC)
+are not affected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Please note that some third party software, for instance PHP, Ruby, Java,
+Perl and Python, may be using different zoneinfo data sources, in such cases
+this software must be updated separately. Software packages that are
+installed via binary packages can be upgraded by executing 'pkg upgrade'.
+
+Following the instructions in this Errata Notice will only update the IANA
+Time Zone Database installed in /usr/share/zoneinfo.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart all the affected applications and daemons, or reboot the system.
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-25:04/tzdata-2025b.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:04/tzdata-2025b.patch.asc
+# gpg --verify tzdata-2025b.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all the affected applications and daemons, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 475082194ac8 stable/14-n270829
+releng/14.2/ 2c5831b3047d releng/14.2-n269519
+stable/13/ 7b17666c32f7 stable/13-n259218
+releng/13.5/ 74aa5e2a7b10 releng/13.5-n259163
+releng/13.4/ f8c2bedb03a2 releng/13.4-n258280
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://github.com/eggert/tz/blob/2025b/NEWS>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:04.tzdata.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=aI5z
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-25:05.expat.asc b/website/static/security/advisories/FreeBSD-EN-25:05.expat.asc
new file mode 100644
index 0000000000..552401a580
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-25:05.expat.asc
@@ -0,0 +1,159 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-25:05.expat Errata Notice
+ The FreeBSD Project
+
+Topic: Update expat to 2.7.1
+
+Category: contrib
+Module: libbsdxml
+Announced: 2025-04-10
+Affects: All supported versions of FreeBSD.
+Corrected: 2025-04-07 03:39:34 UTC (stable/14, 14.2-STABLE)
+ 2025-04-10 14:57:40 UTC (releng/14.2, 14.2-RELEASE-p3)
+ 2025-04-07 03:41:14 UTC (stable/13, 13.5-STABLE)
+ 2025-04-10 14:59:02 UTC (releng/13.5, 13.5-RELEASE-p1)
+ 2025-04-10 14:59:36 UTC (releng/13.4, 13.4-RELEASE-p5)
+CVE Name: CVE-2024-8176
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+Expat is an XML parser library written in C. It is a stream-oriented
+parser in which an application registers handlers for things the parser
+might find in the XML document (like start tags).
+
+The FreeBSD base system ships libexpat as libbsdxml for components that
+need to parse XML data. Some of these applications use the XML parser
+on trusted data from the kernel, for instance the geom(8) configuration
+utilities, while other applications, like tar(1), cpio(1) and
+unbound-anchor(8), may use the XML parser on input from network or the
+user.
+
+II. Problem Description
+
+A stack overflow bug exists in the libexpat library due to the way it
+handles recursive entity expansion in XML documents. When parsing an
+XML document with deeply nested entity references, libexpat can be
+forced to recurse indefinitely, exhausting the stack space and causing a
+crash.
+
+III. Impact
+
+This stack overflow could cause e.g. tar(1) to crash. Owing to the
+limited number of ways libbsdxml is used in FreeBSD, the base system is
+not likely to be vulnerable to denial of service (DoS) or exploitable memory
+corruption.
+
+IV. Workaround
+
+No workaround is available, but the problem only manifests when the
+affected system needs to process data from an untrusted source.
+
+Because the library is used by many third party applications, we advise
+system administrators to check and make sure that they have the latest
+expat version as well, and restart all third party services, or reboot
+the system.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.4, 14.2]
+# fetch https://security.FreeBSD.org/patches/EN-25:05/expat-13.4-14.2.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:05/expat-13.4-14.2.patch.asc
+# gpg --verify expat-13.4-14.2.patch.asc
+
+[FreeBSD 13.5]
+# fetch https://security.FreeBSD.org/patches/EN-25:05/expat-13.5.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:05/expat-13.5.patch.asc
+# gpg --verify expat-13.5.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch -E < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+The FreeBSD base system does not install daemons that use the library.
+A reboot is not required after updating the base system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ fd4592006b13 stable/14-n271000
+releng/14.2/ 700e7384dfbf releng/14.2-n269520
+stable/13/ 5630672e6f6d stable/13-n259244
+releng/13.5/ dec0bf8096b3 releng/13.5-n259164
+releng/13.4/ e3fd2734314d releng/13.4-n258281
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://github.com/libexpat/libexpat/issues/893>
+<URL:https://github.com/libexpat/libexpat/issues/973>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:05.expat.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=9pZP
+-----END PGP SIGNATURE-----
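Review bot: In Section III (Impact) the first sentence says the stack overflow could cause tar(1) to crash, and the next says the base system is not likely to be vulnerable to denial of service; a crash on untrusted input is itself a denial of service, so the two sentences read as contradictory. Suggest rewording the second sentence to say what is actually unlikely, in line with the Section V statement that "The FreeBSD base system does not install daemons that use the library", so readers can tell that the exposure is limited to one-shot utilities processing untrusted input.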
diff --git a/website/static/security/advisories/FreeBSD-EN-25:06.daemon.asc b/website/static/security/advisories/FreeBSD-EN-25:06.daemon.asc
new file mode 100644
index 0000000000..f137953431
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-25:06.daemon.asc
@@ -0,0 +1,135 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-25:06.daemon Errata Notice
+ The FreeBSD Project
+
+Topic: daemon(8) missing signals
+
+Category: core
+Module: daemon
+Announced: 2025-04-10
+Affects: FreeBSD 14.2 and FreeBSD 13.4
+Corrected: 2024-12-10 23:05:46 UTC (stable/14, 14.2-STABLE)
+ 2025-04-10 14:57:41 UTC (releng/14.2, 14.2-RELEASE-p3)
+ 2024-12-10 23:06:11 UTC (stable/13, 13.4-STABLE)
+ 2025-04-10 14:59:37 UTC (releng/13.4, 13.4-RELEASE-p5)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+daemon(8) can be sent some signals to control its behavior: SIGHUP to re-open
+its output file, or SIGTERM to cleanly terminate the child and shutdown.
+
+II. Problem Description
+
+Following a change to use kqueue(2) to manage signals, daemon(8) would lose
+signal events that occur while it waits to restart the supervised process.
+
+III. Impact
+
+The most notable impact is that daemon(8) may hang if a SIGTERM is sent to it
+after the child has gone away, and before it is restarted.
+
+Note that FreeBSD 13.5 is not affected. FreeBSD 13.5-PRERELEASE and later
+builds of stable/13 include the fix.
+
+IV. Workaround
+
+No workaround is available. daemon(8) invocations that do not use -r are not
+affected, with a larger -R argument being specified making it more likely to
+hit the problematic window.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date, and restart any daemon(8)
+processes that may be affected or reboot the system.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-25:06/daemonpatch
+# fetch https://security.FreeBSD.org/patches/EN-25:06/daemonpatch.asc
+# gpg --verify daemon.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 7ea2874eadf9 stable/14-n269895
+releng/14.2/ 4651d400f100 releng/14.2-n269521
+stable/13/ 4bb1a558a281 stable/13-n258848
+releng/13.4/ a1f4a530dea3 releng/13.4-n258282
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277959>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:06.daemon.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=64Co
+-----END PGP SIGNATURE-----
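Review bot: In Section V step 2a, both fetch URLs end in "daemonpatch" and "daemonpatch.asc", but the files this commit adds are EN-25:06/daemon.patch and daemon.patch.asc, and the next line runs "gpg --verify daemon.patch.asc". As written, the fetch commands will not retrieve the patch or its signature, so the verify step has nothing to check. The URLs need the missing dot, and because the text sits inside the PGP-signed message the advisory has to be re-signed after the correction.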
diff --git a/website/static/security/advisories/FreeBSD-EN-25:07.openssl.asc b/website/static/security/advisories/FreeBSD-EN-25:07.openssl.asc
new file mode 100644
index 0000000000..d32ced3c9d
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-25:07.openssl.asc
@@ -0,0 +1,178 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-25:07.openssl Errata Notice
+ The FreeBSD Project
+
+Topic: Update OpenSSL to 3.0.16
+
+Category: contrib
+Module: openssl
+Announced: 2025-04-10
+Affects: FreeBSD 14.2
+Corrected: 2025-03-25 21:07:59 UTC (stable/14, 14.2-STABLE)
+ 2025-04-10 14:57:42 UTC (releng/14.2, 14.2-RELEASE-p3)
+CVE Name: CVE-2024-13176, CVE-2024-9143
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a
+collaborative effort to develop a robust, commercial-grade, full-featured Open
+Source toolkit for the Transport Layer Security (TLS) protocol. It is also a
+general-purpose cryptography library.
+
+II. Problem Description
+
+Automated security vulnerability scanners report that OpenSSL 3.0.15, included
+with FreeBSD 14.2, is affected by CVE-2024-13176 and CVE-2024-9143.
+
+1) CVE-2024-13176
+
+A timing side-channel which could potentially allow recovering the private key
+exists in the ECDSA signature computation.
+
+2) CVE-2024-9143
+
+Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit
+values for the field polynomial can lead to out-of-bounds memory reads or
+writes.
+
+III. Impact
+
+1) CVE-2024-13176
+
+There is a timing signal of around 300 nanoseconds when the top word of the
+inverted ECDSA nonce value is zero. This can happen with significant
+probability only for some of the supported elliptic curves. In particular the
+NIST P-521 curve is affected.
+
+To be able to measure this leak, the attacker process must either be located
+in the same physical computer or must have a very fast network connection with
+low latency.
+
+2) CVE-2024-9143
+
+Applications working with "exotic" explicit binary (GF(2^m)) curve parameters,
+that make it possible to represent invalid field polynomials with a zero
+constant term, via the EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),
+and various supporting BN_GF2m_*() or similar APIs, may terminate abruptly as
+a result of reading or writing outside of array bounds. Remote code execution
+cannot easily be ruled out.
+
+In all the protocols involving Elliptic Curve Cryptography known to the
+OpenSSL developers either only "named curves" are supported, or, if explicit
+curve parameters are supported, they specify an X9.62 encoding of binary
+(GF(2^m)) curves that can't represent problematic input values. Thus the
+likelihood of existence of a vulnerable application is low.
+
+In particular, the X9.62 encoding is used for ECC keys in X.509 certificates,
+so problematic inputs cannot occur in the context of processing X.509
+certificates. Any problematic use-cases would have to be using an "exotic"
+curve encoding.
+
+IV. Workaround
+
+No workaround is available.
+
+Systems not using base versions of OpenSSL are not affected.
+
+Systems not exposed to low-latency adversaries and systems not using "exotic"
+elliptic curve parameters are not affected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date. A reboot is required following
+the upgrade to ensure that all applications and kernel code has been rebuilt with
+OpenSSL 3.0.16-provided code.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+The system should be rebooted after installing the update to ensure that all
+applications are using OpenSSL 3.0.16.
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-25:07/openssl.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:07/openssl.patch.asc
+# gpg --verify openssl.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the library, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ cb29db243bd0 stable/14-n270826
+releng/14.2/ 862cd6b8fa9d releng/14.2-n269522
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176>
+<URL:https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:07.openssl.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=HLnD
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-25:08.caroot.asc b/website/static/security/advisories/FreeBSD-EN-25:08.caroot.asc
new file mode 100644
index 0000000000..cfbbd2968c
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-25:08.caroot.asc
@@ -0,0 +1,148 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-25:08.caroot Errata Notice
+ The FreeBSD Project
+
+Topic: Root certificate bundle update
+
+Category: core
+Module: caroot
+Announced: 2025-04-10
+Credits: michaelo@FreeBSD.org
+Affects: All supported versions of FreeBSD.
+Corrected: 2025-03-20 10:18:27 UTC (stable/14, 14.2-STABLE)
+ 2025-04-10 14:57:44 UTC (releng/14.2, 14.2-RELEASE-p3)
+ 2025-03-20 11:32:44 UTC (stable/13, 13.5-STABLE)
+ 2025-04-10 14:59:03 UTC (releng/13.5, 13.5-RELEASE-p1)
+ 2025-04-10 14:59:38 UTC (releng/13.4, 13.4-RELEASE-p5)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The root certificate bundle is the trust store that is used by OpenSSL
+programs and libraries to aid in determining whether it should trust a given
+TLS certificate.
+
+II. Problem Description
+
+Several certificates were added to the bundle after the latest release of
+FreeBSD 13.4, 13.5, and 14.2.
+
+III. Impact
+
+TLS connections using the missing root certificates as a trust anchor would
+not be trusted causing an error.
+
+IV. Workaround
+
+No workaround is available. Software that uses an internal trust store is not
+affected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Users of FreeBSD Update should ensure that freebsd-update(8) is allowed to
+create and delete files. This is allowed by default.
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 14.2]
+# fetch https://security.FreeBSD.org/patches/EN-25:08/caroot-14.2.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:08/caroot-14.2.patch.asc
+# gpg --verify caroot-14.2.patch.asc
+
+[FreeBSD 13.5]
+# fetch https://security.FreeBSD.org/patches/EN-25:08/caroot-13.5.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:08/caroot-13.5.patch.asc
+# gpg --verify caroot-13.5.patch.asc
+
+[FreeBSD 13.4]
+# fetch https://security.FreeBSD.org/patches/EN-25:08/caroot-13.4.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:08/caroot-13.4.patch.asc
+# gpg --verify caroot-13.4.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch -E < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use OpenSSL, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 7577dae4d672 stable/14-n270816
+releng/14.2/ 23d06bb83d0a releng/14.2-n269523
+stable/13/ f89c056e1184 stable/13-n259216
+releng/13.5/ 74176002ff9f releng/13.5-n259165
+releng/13.4/ e8e9cb97d094 releng/13.4-n258283
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=285546>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:08.caroot.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=JUPU
+-----END PGP SIGNATURE-----
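Review bot: Section II (Problem Description) mentions only certificates that were added, and Section III covers only the failure caused by a missing trust anchor. If the updated bundle also removes or distrusts any roots, say so in Section II, since that changes which TLS connections operators should expect to fail after applying the update. If it is additions only, stating that explicitly would settle the question for anyone reviewing the change to the trust store.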
diff --git a/website/static/security/patches/EN-25:04/tzdata-2025b.patch b/website/static/security/patches/EN-25:04/tzdata-2025b.patch
new file mode 100644
index 0000000000..fc854ac613
--- /dev/null
+++ b/website/static/security/patches/EN-25:04/tzdata-2025b.patch
@@ -0,0 +1,274 @@
+--- contrib/tzdata/NEWS.orig
++++ contrib/tzdata/NEWS
+@@ -1,15 +1,40 @@
+ News for the tz database
+
++Release 2025b - 2025-03-22 13:40:46 -0700
++
++ Briefly:
++ New zone for Aysén Region in Chile which moves from -04/-03 to -03.
++
++ Changes to future timestamps
++
++ Chile's Aysén Region moves from -04/-03 to -03 year-round, joining
++ Magallanes Region. The region will not change its clocks on
++ 2025-04-05 at 24:00, diverging from America/Santiago and creating a
++ new zone America/Coyhaique. (Thanks to Yonathan Dossow.) Model
++ this as a change to standard offset effective 2025-03-20.
++
++ Changes to past timestamps
++
++ Iran switched from +04 to +0330 on 1978-11-10 at 24:00, not at
++ year end. (Thanks to Roozbeh Pournader.)
++
++ Changes to code
++
++ 'zic -l TIMEZONE -d . -l /some/other/file/system' no longer
++ attempts to create an incorrect symlink, and no longer has a
++ read buffer underflow. (Problem reported by Evgeniy Gorbanev.)
++
++
+ Release 2025a - 2025-01-15 10:47:24 -0800
+
+ Briefly:
+- Paraguay adopts permanent -03 starting spring 2024.
++ Paraguay adopted permanent -03 starting spring 2024.
+ Improve pre-1991 data for the Philippines.
+ Etc/Unknown is now reserved.
+
+ Changes to future timestamps
+
+- Paraguay will stop changing its clocks after the spring-forward
++ Paraguay stopped changing its clocks after the spring-forward
+ transition on 2024-10-06, so it is now permanently at -03.
+ (Thanks to Heitor David Pinto and Even Scharning.)
+ This affects timestamps starting 2025-03-22, as well as the
+--- contrib/tzdata/asia.orig
++++ contrib/tzdata/asia
+@@ -1500,6 +1500,16 @@
+ # (UIT No. 143 17.XI.1977) and not 23 September (UIT No. 141 13.IX.1977).
+ # UIT is the Operational Bulletin of International Telecommunication Union.
+
++# From Roozbeh Pournader (2025-03-18):
++# ... the exact time of Iran's transition from +0400 to +0330 ... was Friday
++# 1357/8/19 AP=1978-11-10. Here's a newspaper clip from the Ettela'at
++# newspaper, dated 1357/8/14 AP=1978-11-05, translated from Persian
++# (at https://w.wiki/DUEY):
++# Following the government's decision about returning the official time
++# to the previous status, the spokesperson for the Ministry of Energy
++# announced today: At the hour 24 of Friday 19th of Aban (=1978-11-10),
++# the country's time will be pulled back half an hour.
++#
+ # From Roozbeh Pournader (2003-03-15):
+ # This is an English translation of what I just found (originally in Persian).
+ # The Gregorian dates in brackets are mine:
+@@ -1627,7 +1637,7 @@
+ Zone Asia/Tehran 3:25:44 - LMT 1916
+ 3:25:44 - TMT 1935 Jun 13 # Tehran Mean Time
+ 3:30 Iran %z 1977 Oct 20 24:00
+- 4:00 Iran %z 1979
++ 4:00 Iran %z 1978 Nov 10 24:00
+ 3:30 Iran %z
+
+
+--- contrib/tzdata/northamerica.orig
++++ contrib/tzdata/northamerica
+@@ -1611,6 +1611,15 @@
+ # For more on Orillia, see: Daubs K. Bold attempt at daylight saving
+ # time became a comic failure in Orillia. Toronto Star 2017-07-08.
+ # https://www.thestar.com/news/insight/2017/07/08/bold-attempt-at-daylight-saving-time-became-a-comic-failure-in-orillia.html
++# From Paul Eggert (2025-03-20):
++# Also see the 1912-06-17 front page of The Evening Sunbeam,
++# reproduced in: Richardson M. "Daylight saving was a confusing
++# time in Orillia" in the 2025-03-15 Orillia Matters. Richardson writes,
++# "The first Sunday after the switch was made, [DST proponent and
++# Orillia mayor William Sword] Frost walked into church an hour late.
++# This became a symbol of the downfall of daylight saving in Orillia."
++# The mayor became known as "Daylight Bill".
++# https://www.orilliamatters.com/local-news/column-daylight-saving-was-a-confusing-time-in-orillia-10377529
+
+ # From Mark Brader (2010-03-06):
+ #
+--- contrib/tzdata/southamerica.orig
++++ contrib/tzdata/southamerica
+@@ -1246,35 +1246,45 @@
+ # dates to 2014.
+ # DST End: last Saturday of April 2014 (Sun 27 Apr 2014 03:00 UTC)
+ # DST Start: first Saturday of September 2014 (Sun 07 Sep 2014 04:00 UTC)
+-# http://www.diariooficial.interior.gob.cl//media/2014/02/19/do-20140219.pdf
++# From Tim Parenti (2025-03-22):
++# Decreto 307 of 2014 of the Ministry of the Interior and Public Security,
++# promulgated 2014-01-30 and published 2014-02-19:
*** 25658 LINES SKIPPED ***