git: e546c17a0b - main - Add EN-25:12 through EN-25:14 and SA-25:07.
Date: Fri, 08 Aug 2025 00:53:58 UTC
The branch main has been updated by gordon:
URL: https://cgit.FreeBSD.org/doc/commit/?id=e546c17a0be3dc9343b06a7ef5910817666743c4
commit e546c17a0be3dc9343b06a7ef5910817666743c4
Author: Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2025-08-08 00:53:37 +0000
Commit: Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2025-08-08 00:53:37 +0000
Add EN-25:12 through EN-25:14 and SA-25:07.
Approved by: so
---
website/data/security/advisories.toml | 4 +
website/data/security/errata.toml | 12 +
.../security/advisories/FreeBSD-EN-25:12.efi.asc | 130 +
.../advisories/FreeBSD-EN-25:13.wlan_tkip.asc | 131 +
.../security/advisories/FreeBSD-EN-25:14.route.asc | 133 +
.../advisories/FreeBSD-SA-25:07.libarchive.asc | 136 +
website/static/security/patches/EN-25:12/efi.patch | 59 +
.../static/security/patches/EN-25:12/efi.patch.asc | 16 +
.../security/patches/EN-25:13/wlan_tkip.patch | 13 +
.../security/patches/EN-25:13/wlan_tkip.patch.asc | 16 +
.../static/security/patches/EN-25:14/route.patch | 10 +
.../security/patches/EN-25:14/route.patch.asc | 16 +
.../security/patches/SA-25:07/libarchive.patch | 38022 +++++++++++++++++++
.../security/patches/SA-25:07/libarchive.patch.asc | 16 +
14 files changed, 38714 insertions(+)
diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index 103be4c068..298db59a39 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -1,6 +1,10 @@
# Sort advisories by year, month and day
# $FreeBSD$
+[[advisories]]
+name = "FreeBSD-SA-25:07.libarchive"
+date = "2025-08-08"
+
[[advisories]]
name = "FreeBSD-SA-25:06.xz"
date = "2025-07-02"
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index c58cf02825..6f9ce70d62 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,18 @@
# Sort errata notices by year, month and day
# $FreeBSD$
+[[notices]]
+name = "FreeBSD-EN-25:14.route"
+date = "2025-08-08"
+
+[[notices]]
+name = "FreeBSD-EN-25:13.wlan_tkip"
+date = "2025-08-08"
+
+[[notices]]
+name = "FreeBSD-EN-25:12.efi"
+date = "2025-08-08"
+
[[notices]]
name = "FreeBSD-EN-25:11.ena"
date = "2025-07-02"
diff --git a/website/static/security/advisories/FreeBSD-EN-25:12.efi.asc b/website/static/security/advisories/FreeBSD-EN-25:12.efi.asc
new file mode 100644
index 0000000000..d33b44ce3a
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-25:12.efi.asc
@@ -0,0 +1,130 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-25:12.efi Errata Notice
+ The FreeBSD Project
+
+Topic: bsdinstall(8) not copying the correct loader on systems with
+ IA32 UEFI firmware.
+
+Category: core
+Module: efi
+Announced: 2025-08-08
+Affects: FreeBSD 14.3
+Corrected: 2025-06-16 23:07:25 UTC (stable/14, 14.3-STABLE)
+ 2025-08-08 00:39:02 UTC (releng/14.3, 14.3-RELEASE-p2)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+bsdinstall(8) checks the machdep.efi_arch sysctl and depending on its value,
+it either copies loader.efi or loader_ia32.efi.
+
+II. Problem Description
+
+The commit that added the machdep.efi_arch sysctl was not MFCed in time for
+releng/14.3, however, the commit that added support for loader_ia32.efi in
+bsdinstall(8) was. The result is that bsdinstall(8) always copies loader.efi.
+
+III. Impact
+
+bsdinstall(8) copying loader.efi regardless of the firmware's architecture
+results in an unbootable system after install for systems which expect a
+32-bit UEFI loader.
+
+IV. Workaround
+
+loader_ia32.efi can be manually copied to /boot/efi/efi/boot/bootia32.efi
+where the EFI boot partition is mounted at /boot/efi.
+
+Systems which have 64-bit UEFI firmware are unaffected. Non x86 systems are
+likewise unaffected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot the system.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# reboot
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-25:12/efi.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:12/efi.patch.asc
+# gpg --verify efi.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 0e8890a425bc stable/14-n271710
+releng/14.3/ ce4fe4c4bfcd releng/14.3-n271435
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:12.efi.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=7zQB
+-----END PGP SIGNATURE-----
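Review bot: step 2c of the Solution section tells source-patch users to recompile the kernel only, but efi.patch in this same commit also modifies stand/efi/loader/bootinfo.c, which a kernel build does not rebuild. Without the updated loader passing MODINFOMD_EFI_ARCH, the new machdep.efi_arch handler has nothing to return, so the instructions should also cover rebuilding and installing the loader (buildworld/installworld, as the EN-25:14 and SA-25:07 texts do). The binary-patch paragraph also mentions "the i386 platform on FreeBSD 13" although the Affects line lists only FreeBSD 14.3.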
diff --git a/website/static/security/advisories/FreeBSD-EN-25:13.wlan_tkip.asc b/website/static/security/advisories/FreeBSD-EN-25:13.wlan_tkip.asc
new file mode 100644
index 0000000000..4dfd91e244
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-25:13.wlan_tkip.asc
@@ -0,0 +1,131 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-25:13.wlan_tkip Errata Notice
+ The FreeBSD Project
+
+Topic: net80211 TKIP crypto support fails for some drivers
+
+Category: core
+Module: wlan_tkip
+Announced: 2025-08-08
+Credits: Adrian Chadd
+Affects: FreeBSD 14.3
+Corrected: 2025-06-10 23:45:16 UTC (stable/14, 14.3-STABLE)
+ 2025-08-08 00:39:03 UTC (releng/14.3, 14.3-RELEASE-p2)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+In order to support Temporal Key Integrity Protocol (TKIP) on modern wireless
+chipsets, the net80211 wireless stack was adjusted to skip certain crypto
+operations if a driver indicated that they were already done by hardware.
+
+II. Problem Description
+
+One adjustment erroneously changed a default for an operation from opt-in
+to opt-out.
+
+III. Impact
+
+Older drivers may not pass flags to either opt-in or opt-out and thus
+one TKIP operations is no longer executed for them given the changed
+default. This leads to non-working wireless connections.
+
+IV. Workaround
+
+Users still using TKIP are highly advised to change their Cipher Suite
+to CCMP as TKIP is no longer considered secure and has been deprecated
+since 2012.
+
+No other workaround is available. Systems using CCMP are unaffected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for erratum update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-25:13/wlan_tkip.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:13/wlan_tkip.patch.asc
+# gpg --verify wlan_tkip.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 950343a170f0 stable/14-n271651
+releng/14.3/ a3bd81ddfe29 releng/14.3-n271436
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=288009>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:13.wlan_tkip.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=uFgf
+-----END PGP SIGNATURE-----
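Review bot: typo in section III, "one TKIP operations is no longer executed" should read "one TKIP operation is no longer executed", and in section V the comma after "amd64 or arm64 platforms," is stray now that the i386 clause has been dropped. Because the text is clearsigned, both need fixing before signing rather than in a follow-up edit of the .asc file.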
diff --git a/website/static/security/advisories/FreeBSD-EN-25:14.route.asc b/website/static/security/advisories/FreeBSD-EN-25:14.route.asc
new file mode 100644
index 0000000000..8f3a13f3bc
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-25:14.route.asc
@@ -0,0 +1,133 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-25:14.route Errata Notice
+ The FreeBSD Project
+
+Topic: route(8) monitor buffers too much when redirected to a file
+
+Category: core
+Module: route
+Announced: 2025-08-08
+Affects: FreeBSD 14.x
+Corrected: 2025-07-21 02:13:16 UTC (stable/14, 14.3-STABLE)
+ 2025-08-08 00:39:04 UTC (releng/14.3, 14.3-RELEASE-p2)
+ 2025-08-08 00:39:17 UTC (releng/14.2, 14.2-RELEASE-p5)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+route(8)'s `monitor` command continuously reports routing changes on the system,
+which may be used interactively or by other tooling. When a command's output
+is redirected to a file, its standard output becomes fully buffered.
+
+II. Problem Description
+
+In FreeBSD 14.x, route(8) does not flush its standard output at distinct message
+boundaries as it previously did in FreeBSD 13.x and before. As such, it could
+appear that no changes are happening on the system when its output has been
+redirected to a file.
+
+III. Impact
+
+Other programs that rely on `route monitor` are likely to miss changes that
+they are expecting to see, unless routing tables/information are changing at
+a high frequency.
+
+IV. Workaround
+
+Use `stdbuf -oL route monitor` to force the output of `route monitor` to be
+line-buffered. See stdbuf(1). Programs watching `route monitor` output are
+not incredibly common.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date, and restart any affected
+services.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-25:14/route.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:14/route.patch.asc
+# gpg --verify route.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ dd695839efd8 stable/14-n271995
+releng/14.3/ 97f34921d77b releng/14.3-n271437
+releng/14.2/ 168703212b61 releng/14.2-n269531
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278265>
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275026>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:14.route.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=YgHt
+-----END PGP SIGNATURE-----
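Review bot: in section IV the sentence "Programs watching `route monitor` output are not incredibly common" is an impact statement, not a workaround, and reads better at the end of section III. In section V the binary-patch paragraph still carries "or the i386 platform on FreeBSD 13" although the Affects line is FreeBSD 14.x only; drop the clause, as the EN-25:13 text does.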
diff --git a/website/static/security/advisories/FreeBSD-SA-25:07.libarchive.asc b/website/static/security/advisories/FreeBSD-SA-25:07.libarchive.asc
new file mode 100644
index 0000000000..f1242dd39a
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-25:07.libarchive.asc
@@ -0,0 +1,136 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-25:07.libarchive Security Advisory
+ The FreeBSD Project
+
+Topic: Integer overflow in libarchive leading to double free
+
+Category: contrib
+Module: libarchive
+Announced: 2025-08-08
+Affects: All supported versions of FreeBSD.
+Corrected: 2025-06-19 22:47:34 UTC (stable/14, 14.3-STABLE)
+ 2025-08-08 00:39:05 UTC (releng/14.3, 14.3-RELEASE-p2)
+ 2025-08-08 00:39:19 UTC (releng/14.2, 14.2-RELEASE-p5)
+ 2025-06-20 20:43:32 UTC (stable/13, 13.5-STABLE)
+ 2025-08-08 00:39:29 UTC (releng/13.5, 13.5-RELEASE-p3)
+CVE Name: CVE-2025-5914
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The libarchive(3) library provides a flexible interface for reading and
+writing streaming archive files such as tar(1) and cpio(1), and has been the
+basis for the FreeBSD implementation of the tar(1) and cpio(1) utilities
+since FreeBSD 5.3.
+
+II. Problem Description
+
+An integer overflow in the archive_read_format_rar_seek_data() function may
+lead to a double free problem.
+
+III. Impact
+
+Exploiting a double free vulnerability can cause memory corruption. This in
+turn could enable a threat actor to execute arbitrary code. It might also
+result in denial of service.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-25:07/libarchive.patch
+# fetch https://security.FreeBSD.org/patches/SA-25:07/libarchive.patch.asc
+# gpg --verify libarchive.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the library, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 6dad4525a291 stable/14-n271728
+releng/14.3/ fb780a82dfbd releng/14.3-n271438
+releng/14.2/ c0979bd2734f releng/14.2-n269532
+stable/13/ f47afeb2ce1e stable/13-n259312
+releng/13.5/ 798b7b161a71 releng/13.5-n259173
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://github.com/libarchive/libarchive/pull/2598>
+<URL:https://github.com/advisories/GHSA-7376-x4rm-3v8x>
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5914>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-25:07.libarchive.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=fwMp
+-----END PGP SIGNATURE-----
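Review bot: section II describes a single integer overflow in archive_read_format_rar_seek_data(), but the libarchive.patch this advisory points to is 38022 lines and, judging by its NEWS hunk, carries the tree up to libarchive 3.8.1. The advisory should say that the correction is delivered as a libarchive update, so that users applying the source patch know its scope and can expect behaviour changes beyond the one fix.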
diff --git a/website/static/security/patches/EN-25:12/efi.patch b/website/static/security/patches/EN-25:12/efi.patch
new file mode 100644
index 0000000000..cd15bf1b89
--- /dev/null
+++ b/website/static/security/patches/EN-25:12/efi.patch
@@ -0,0 +1,59 @@
+--- stand/efi/loader/bootinfo.c.orig
++++ stand/efi/loader/bootinfo.c
+@@ -447,9 +447,15 @@
+ module = *modulep;
+ file_addmetadata(kfp, MODINFOMD_MODULEP, sizeof(module), &module);
+ #endif
+-#if defined(EFI) && !defined(__i386__)
++#ifdef EFI
++#ifndef __i386__
+ file_addmetadata(kfp, MODINFOMD_FW_HANDLE, sizeof(ST), &ST);
+ #endif
++#if defined(__amd64__) || defined(__i386__)
++ file_addmetadata(kfp, MODINFOMD_EFI_ARCH, sizeof(MACHINE_ARCH),
++ MACHINE_ARCH);
++#endif
++#endif
+ #ifdef LOADER_GELI_SUPPORT
+ geli_export_key_metadata(kfp);
+ #endif
+--- sys/amd64/amd64/machdep.c.orig
++++ sys/amd64/amd64/machdep.c
+@@ -1691,6 +1691,27 @@
+ efi_map_sysctl_handler, "S,efi_map_header",
+ "Raw EFI Memory Map");
+
++static int
++efi_arch_sysctl_handler(SYSCTL_HANDLER_ARGS)
++{
++ char *arch;
++ caddr_t kmdp;
++
++ kmdp = preload_search_by_type("elf kernel");
++ if (kmdp == NULL)
++ kmdp = preload_search_by_type("elf64 kernel");
++
++ arch = (char *)preload_search_info(kmdp,
++ MODINFO_METADATA | MODINFOMD_EFI_ARCH);
++ if (arch == NULL)
++ return (0);
++
++ return (SYSCTL_OUT_STR(req, arch));
++}
++SYSCTL_PROC(_machdep, OID_AUTO, efi_arch,
++ CTLTYPE_STRING | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
++ efi_arch_sysctl_handler, "A", "EFI Firmware Architecture");
++
+ void
+ spinlock_enter(void)
+ {
+--- sys/x86/include/metadata.h.orig
++++ sys/x86/include/metadata.h
+@@ -34,6 +34,7 @@
+ #define MODINFOMD_EFI_FB 0x1005
+ #define MODINFOMD_MODULEP 0x1006
+ #define MODINFOMD_VBE_FB 0x1007
++#define MODINFOMD_EFI_ARCH 0x1008
+
+ struct efi_map_header {
+ uint64_t memory_size;
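Review bot: in efi_arch_sysctl_handler() (sys/amd64/amd64/machdep.c) kmdp can still be NULL after both preload_search_by_type() lookups and is then passed straight to preload_search_info(); add an explicit "if (kmdp == NULL) return (0);" or a comment stating that preload_search_info() accepts NULL. The arch == NULL path also returns 0 without emitting anything, so a consumer such as bsdinstall(8) reads an empty machdep.efi_arch when booted by an older loader; that case deserves a comment in the handler.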
diff --git a/website/static/security/patches/EN-25:12/efi.patch.asc b/website/static/security/patches/EN-25:12/efi.patch.asc
new file mode 100644
index 0000000000..ac25268b3a
--- /dev/null
+++ b/website/static/security/patches/EN-25:12/efi.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=rniG
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-25:13/wlan_tkip.patch b/website/static/security/patches/EN-25:13/wlan_tkip.patch
new file mode 100644
index 0000000000..b26adf8fb6
--- /dev/null
+++ b/website/static/security/patches/EN-25:13/wlan_tkip.patch
@@ -0,0 +1,13 @@
+ sys/net80211/ieee80211_crypto_tkip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+--- sys/net80211/ieee80211_crypto_tkip.c.orig
++++ sys/net80211/ieee80211_crypto_tkip.c
+@@ -370,7 +370,7 @@
+ /*
+ * Strip the ICV if hardware has not done so already.
+ */
+- if (rxs != NULL && (rxs->c_pktflags & IEEE80211_RX_F_ICV_STRIP) == 0)
++ if ((rxs == NULL) || (rxs->c_pktflags & IEEE80211_RX_F_ICV_STRIP) == 0)
+ m_adj(m, -tkip.ic_trailer);
+
+ return 1;
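Review bot: the comment above the changed condition in ieee80211_crypto_tkip.c still says only "Strip the ICV if hardware has not done so already" and does not record that a NULL rxs means the driver supplied no RX status, so the strip must be done in software. Spell that default out in the comment so the opt-in/opt-out sense is not inverted again; the extra parentheses around rxs == NULL can go.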
diff --git a/website/static/security/patches/EN-25:13/wlan_tkip.patch.asc b/website/static/security/patches/EN-25:13/wlan_tkip.patch.asc
new file mode 100644
index 0000000000..a757c7505d
--- /dev/null
+++ b/website/static/security/patches/EN-25:13/wlan_tkip.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=np7v
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-25:14/route.patch b/website/static/security/patches/EN-25:14/route.patch
new file mode 100644
index 0000000000..fcdde605ba
--- /dev/null
+++ b/website/static/security/patches/EN-25:14/route.patch
@@ -0,0 +1,10 @@
+--- sbin/route/route_netlink.c.orig
++++ sbin/route/route_netlink.c
+@@ -733,6 +733,7 @@
+ print_nlmsg_generic(h, hdr, cinfo);
+ }
+
++ fflush(stdout);
+ snl_clear_lb(&h->ss_cmd);
+ }
+
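Review bot: the fflush(stdout) added before snl_clear_lb() in route_netlink.c ignores its return value, so a monitor whose output is redirected to a file or pipe keeps looping silently after a write error. Consider checking for EOF and exiting with err(3), and add a one-line comment that the flush marks a message boundary for consumers reading redirected output.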
diff --git a/website/static/security/patches/EN-25:14/route.patch.asc b/website/static/security/patches/EN-25:14/route.patch.asc
new file mode 100644
index 0000000000..2921d98028
--- /dev/null
+++ b/website/static/security/patches/EN-25:14/route.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=f+CH
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-25:07/libarchive.patch b/website/static/security/patches/SA-25:07/libarchive.patch
new file mode 100644
index 0000000000..30d2e8d1df
--- /dev/null
+++ b/website/static/security/patches/SA-25:07/libarchive.patch
@@ -0,0 +1,38022 @@
+--- contrib/libarchive/COPYING.orig
++++ contrib/libarchive/COPYING
+@@ -20,7 +20,7 @@
+ libarchive/mtree.5
+
+ * The following source files are in the public domain:
+- libarchive/archive_getdate.c
++ libarchive/archive_parse_date.c
+
+ * The following source files are triple-licensed with the ability to choose
+ from CC0 1.0 Universal, OpenSSL or Apache 2.0 licenses:
+--- contrib/libarchive/NEWS.orig
++++ contrib/libarchive/NEWS
+@@ -1,3 +1,11 @@
++Jun 01, 2026: libarchive 3.8.1 released
++
++May 20, 2025: libarchive 3.8.0 released
++
++Mar 30, 2025: libarchive 3.7.9 released
++
++Mar 20, 2025: libarchive 3.7.8 released
++
+ Oct 13, 2024: libarchive 3.7.7 released
+
+ Sep 23, 2024: libarchive 3.7.6 released
+--- contrib/libarchive/README.md.orig
++++ contrib/libarchive/README.md
+@@ -85,13 +85,14 @@
+ * PWB binary cpio
+ * ISO9660 CD-ROM images (with optional Rockridge or Joliet extensions)
+ * ZIP archives (with uncompressed or "deflate" compressed entries, including support for encrypted Zip archives)
+- * ZIPX archives (with support for bzip2, ppmd8, lzma and xz compressed entries)
++ * ZIPX archives (with support for bzip2, zstd, ppmd8, lzma and xz compressed entries)
+ * GNU and BSD 'ar' archives
+ * 'mtree' format
+ * 7-Zip archives (including archives that use zstandard compression)
+ * Microsoft CAB format
+ * LHA and LZH archives
+ * RAR and RAR 5.0 archives (with some limitations due to RAR's proprietary status)
++ * WARC archives
+ * XAR archives
+
+ The library also detects and handles any of the following before evaluating the archive:
+@@ -120,15 +121,18 @@
+ * PWB binary cpio
+ * shar archives
+ * ZIP archives (with uncompressed or "deflate" compressed entries)
++ * ZIPX archives (with bzip2, zstd, lzma or xz compressed entries)
+ * GNU and BSD 'ar' archives
+ * 'mtree' format
+ * ISO9660 format
+- * 7-Zip archives
++ * 7-Zip archives (including archives that use zstandard compression)
++ * WARC archives
+ * XAR archives
+
+ When creating archives, the result can be filtered with any of the following:
+
+ * uuencode
++ * base64
+ * gzip compression
+ * bzip2 compression
+ * compress/LZW compression
+@@ -241,4 +245,3 @@
+ appropriate. It has many advantages over other tar formats
+ (including the legacy GNU tar format) and is widely supported by
+ current tar implementations.
+-
+--- /dev/null
++++ contrib/libarchive/build/ci/github_actions/install-macos-dependencies.sh
+@@ -0,0 +1,19 @@
++#!/bin/sh
++set -eux
++
++# Uncommenting these adds a full minute to the CI time
++#brew update > /dev/null
++#brew upgrade > /dev/null
++
++# This does an upgrade if the package is already installed
++brew install \
++ autoconf \
++ automake \
++ libtool \
++ pkg-config \
++ cmake \
++ xz \
++ lz4 \
++ zstd \
++ libxml2 \
++ openssl
+--- contrib/libarchive/cpio/cpio.c.orig
++++ contrib/libarchive/cpio/cpio.c
+@@ -1206,7 +1206,7 @@
+ else
+ strcpy(date, "invalid mtime");
+
+- fprintf(out, "%s%3d %-8s %-8s %8s %12s %s",
++ fprintf(out, "%s%3u %-8s %-8s %8s %12s %s",
+ archive_entry_strmode(entry),
+ archive_entry_nlink(entry),
+ uname, gname, size, date,
+--- contrib/libarchive/cpio/test/test_format_newc.c.orig
++++ contrib/libarchive/cpio/test/test_format_newc.c
+@@ -189,10 +189,10 @@
+ gid = from_hex(e + 30, 8); /* gid */
+ assertEqualMem(e + 38, "00000003", 8); /* nlink */
+ t = from_hex(e + 46, 8); /* mtime */
+- failure("t=%#08jx now=%#08jx=%jd", (intmax_t)t, (intmax_t)now,
++ failure("t=%#08jx now=%#08jx=%jd", (uintmax_t)t, (uintmax_t)now,
+ (intmax_t)now);
+ assert(t <= now); /* File wasn't created in future. */
+- failure("t=%#08jx now - 2=%#08jx=%jd", (intmax_t)t, (intmax_t)now - 2,
++ failure("t=%#08jx now - 2=%#08jx=%jd", (uintmax_t)t, (uintmax_t)now - 2,
+ (intmax_t)now - 2);
+ assert(t >= now - 2); /* File was created w/in last 2 secs. */
+ failure("newc format stores body only with last appearance of a link\n"
+@@ -219,7 +219,7 @@
+ assert(is_hex(e, 110));
+ assertEqualMem(e + 0, "070701", 6); /* Magic */
+ assert(is_hex(e + 6, 8)); /* ino */
+-#if defined(_WIN32) && !defined(CYGWIN)
++#if defined(_WIN32) && !defined(__CYGWIN__)
+ /* Mode: Group members bits and others bits do not work. */
+ assertEqualInt(0xa180, from_hex(e + 14, 8) & 0xffc0);
+ #else
+@@ -230,7 +230,7 @@
+ assertEqualMem(e + 38, "00000001", 8); /* nlink */
+ t2 = from_hex(e + 46, 8); /* mtime */
+ failure("First entry created at t=%#08jx this entry created"
+- " at t2=%#08jx", (intmax_t)t, (intmax_t)t2);
++ " at t2=%#08jx", (uintmax_t)t, (uintmax_t)t2);
+ assert(t2 == t || t2 == t + 1); /* Almost same as first entry. */
+ assertEqualMem(e + 54, "00000005", 8); /* File size */
+ fs = (uint64_t)from_hex(e + 54, 8);
+@@ -266,7 +266,7 @@
+ #endif
+ t2 = from_hex(e + 46, 8); /* mtime */
+ failure("First entry created at t=%#08jx this entry created at"
+- "t2=%#08jx", (intmax_t)t, (intmax_t)t2);
++ "t2=%#08jx", (uintmax_t)t, (uintmax_t)t2);
+ assert(t2 == t || t2 == t + 1); /* Almost same as first entry. */
+ assertEqualMem(e + 54, "00000000", 8); /* File size */
+ fs = (uint64_t)from_hex(e + 54, 8);
+@@ -300,7 +300,7 @@
+ assertEqualMem(e + 38, "00000003", 8); /* nlink */
+ t2 = from_hex(e + 46, 8); /* mtime */
+ failure("First entry created at t=%#08jx this entry created at"
+- "t2=%#08jx", (intmax_t)t, (intmax_t)t2);
++ "t2=%#08jx", (uintmax_t)t, (uintmax_t)t2);
+ assert(t2 == t || t2 == t + 1); /* Almost same as first entry. */
+ assertEqualInt(10, from_hex(e + 54, 8)); /* File size */
+ fs = (uint64_t)from_hex(e + 54, 8);
+--- contrib/libarchive/cpio/test/test_option_a.c.orig
++++ contrib/libarchive/cpio/test/test_option_a.c
+@@ -52,7 +52,7 @@
+ * #ifdef this section out. Most of the test below is
+ * still valid. */
+ memset(×, 0, sizeof(times));
+-#if defined(_WIN32) && !defined(CYGWIN)
++#if defined(_WIN32) && !defined(__CYGWIN__)
+ times.actime = 86400;
+ times.modtime = 86400;
+ #else
+--- contrib/libarchive/cpio/test/test_option_c.c.orig
++++ contrib/libarchive/cpio/test/test_option_c.c
+@@ -18,7 +18,7 @@
+ return (1);
+ }
+
+-static long long int
++static unsigned long long int
+ from_octal(const char *p, size_t l)
+ {
+ long long int r = 0;
+@@ -117,7 +117,7 @@
+ gid = (int)from_octal(e + 30, 6);
+ assertEqualMem(e + 36, "000001", 6); /* nlink */
+ failure("file entries should not have rdev set (dev field was 0%o)",
+- dev);
++ (unsigned int)dev);
+ assertEqualMem(e + 42, "000000", 6); /* rdev */
+ t = from_octal(e + 48, 11); /* mtime */
+ assert(t <= now); /* File wasn't created in future. */
+@@ -133,7 +133,7 @@
+ assert(is_octal(e, 76)); /* Entire header is octal digits. */
+ assertEqualMem(e + 0, "070707", 6); /* Magic */
+ assertEqualInt(dev, from_octal(e + 6, 6)); /* dev */
+- assert(ino != from_octal(e + 12, 6)); /* ino */
++ assert(ino != (int)from_octal(e + 12, 6)); /* ino */
+ #if !defined(_WIN32) || defined(__CYGWIN__)
+ /* On Windows, symbolic link and group members bits and
+ * others bits do not work. */
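Review bot: in cpio/test/test_option_c.c the return type of from_octal() becomes unsigned long long int while the accumulator visible in the context is still "long long int r = 0;", so the function now mixes signedness internally; declare r unsigned to match. In the NEWS hunk, the entry "Jun 01, 2026: libarchive 3.8.1 released" is dated after the entries around it and after this commit, which looks like a typo for 2025 and is worth reporting upstream since this is contrib code.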
*** 37852 LINES SKIPPED ***