git: f6535796eb - main - Add EN-22:01 to EN-22:06 and SA-22:01.

From: Gordon Tetlow <gordon_at_FreeBSD.org>
Date: Tue, 11 Jan 2022 19:26:38 UTC
The branch main has been updated by gordon (src committer):

URL: https://cgit.FreeBSD.org/doc/commit/?id=f6535796eb10714be8889f3b2328fd70f24b2138

commit f6535796eb10714be8889f3b2328fd70f24b2138
Author:     Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2022-01-11 19:24:37 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2022-01-11 19:24:37 +0000

    Add EN-22:01 to EN-22:06 and SA-22:01.
    
    Approved by:    so
---
 website/data/security/advisories.toml              |   4 +
 website/data/security/errata.toml                  |  24 +
 .../advisories/FreeBSD-EN-22:01.fsck_ffs.asc       | 126 +++++
 .../security/advisories/FreeBSD-EN-22:02.xsave.asc | 162 +++++++
 .../advisories/FreeBSD-EN-22:03.hyperv.asc         | 154 ++++++
 .../security/advisories/FreeBSD-EN-22:04.pcid.asc  | 129 +++++
 .../security/advisories/FreeBSD-EN-22:05.tail.asc  | 129 +++++
 .../advisories/FreeBSD-EN-22:06.libalias.asc       | 166 +++++++
 .../security/advisories/FreeBSD-SA-22:01.vt.asc    | 145 ++++++
 .../security/patches/EN-22:01/fsck_ffs.patch       |  24 +
 .../security/patches/EN-22:01/fsck_ffs.patch.asc   |  16 +
 .../static/security/patches/EN-22:02/xsave.patch   |  11 +
 .../security/patches/EN-22:02/xsave.patch.asc      |  16 +
 .../static/security/patches/EN-22:03/hyperv.patch  |  59 +++
 .../security/patches/EN-22:03/hyperv.patch.asc     |  16 +
 .../static/security/patches/EN-22:04/pcid.patch    | 537 +++++++++++++++++++++
 .../security/patches/EN-22:04/pcid.patch.asc       |  16 +
 .../static/security/patches/EN-22:05/tail.patch    |  11 +
 .../security/patches/EN-22:05/tail.patch.asc       |  16 +
 .../security/patches/EN-22:06/libalias.12.patch    | 282 +++++++++++
 .../patches/EN-22:06/libalias.12.patch.asc         |  16 +
 .../security/patches/EN-22:06/libalias.13.patch    | 479 ++++++++++++++++++
 .../patches/EN-22:06/libalias.13.patch.asc         |  16 +
 website/static/security/patches/SA-22:01/vt.patch  |  44 ++
 .../static/security/patches/SA-22:01/vt.patch.asc  |  16 +
 25 files changed, 2614 insertions(+)

diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index 1df4d90a44..bfacfbf277 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -1,6 +1,10 @@
 # Sort advisories by year, month and day
 # $FreeBSD$
 
+[[advisories]]
+name = "FreeBSD-SA-22:01.vt"
+date = "2022-01-11"
+
 [[advisories]]
 name = "FreeBSD-SA-21:17.openssl"
 date = "2021-08-24"
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index c74f581696..913e1dc6df 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,30 @@
 # Sort errata notices by year, month and day
 # $FreeBSD$
 
+[[notices]]
+name = "FreeBSD-EN-22:06.libalias"
+date = "2022-01-11"
+
+[[notices]]
+name = "FreeBSD-EN-22:05.tail"
+date = "2022-01-11"
+
+[[notices]]
+name = "FreeBSD-EN-22:04.pcid"
+date = "2022-01-11"
+
+[[notices]]
+name = "FreeBSD-EN-22:03.hyperv"
+date = "2022-01-11"
+
+[[notices]]
+name = "FreeBSD-EN-22:02.xsave"
+date = "2022-01-11"
+
+[[notices]]
+name = "FreeBSD-EN-22:01.fsck_ffs"
+date = "2022-01-11"
+
 [[notices]]
 name = "FreeBSD-EN-21:29.tzdata"
 date = "2021-11-03"
diff --git a/website/static/security/advisories/FreeBSD-EN-22:01.fsck_ffs.asc b/website/static/security/advisories/FreeBSD-EN-22:01.fsck_ffs.asc
new file mode 100644
index 0000000000..7d3979b5a9
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-22:01.fsck_ffs.asc
@@ -0,0 +1,126 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-22:01.fsck_ffs                                       Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          fsck_ffs fails to correct certain errors
+
+Category:       base
+Module:         fsck_ffs
+Announced:      2022-01-11
+Affects:        FreeBSD 13.0
+Corrected:      2021-05-19 21:38:21 UTC (stable/13, 13.0-STABLE)
+                2022-01-11 18:14:57 UTC (releng/13.0, 13.0-RELEASE-p6)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The fsck_ffs(8) program checks and corrects errors in the UFS/FFS
+filesystem.  One error that it detects and corrects is when two
+different files both claim the same block on the disk.  This error
+occurs rarely and is usually caused by hardware failure.
+
+II.  Problem Description
+
+fsck_ffs(8) was not able to correct blocks claimed by multiple files.
+
+III. Impact
+
+When duplicate block allocation has occurred, the filesystem is
+unusable until it is corrected.
+
+IV.  Workaround
+
+No practical workaround is available.
+
+Duplicate blocks can be eliminated using the fsdb(8) program, but
+requires hours of work by a filesystem expert.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+arm64 platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-22:01/fsck_ffs.patch
+# fetch https://security.FreeBSD.org/patches/EN-22:01/fsck_ffs.patch.asc
+# gpg --verify fsck_ffs.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              e198c1dc8f6f    stable/13-n245745
+releng/13.0/                            3286a8dc8382  releng/13.0-n244768
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255979>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:01.fsck_ffs.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmHd1fMACgkQ05eS9J6n
+5cKY0hAAhYQC9fvksfYxoWdsDW8KQX2LdTRVPZ9zfZ/Y1AAPfDU46C41SI1sTIn9
+0AunPHMVqnku5H8dh+TrL2o9PAW1CktxoTnHA+sFZX0/2hbox6UB/Spr/Iq/auzB
+iyAZ/9jskb4YQuh1HPHp7P4uCdAKfY5lHFE9bn4nLNpH+05AwIc6AFCQ8xilTaRK
+K6eu++DuxJ4p3WLJmRERjuBFK0HAIEnV72diPfZvJH6HOpgTqRTsvURai4GkAsH8
+zyexLlHNUGWY+Kbl2t915i7Fu8ApIQV1HJ1sxi5NwyRwm4e/Azif5kjtAlgFOUws
+gwOfsbqEfGqmzopFSaCk1d7DcjhAnH0GkZ/SGO/WFCiQYV58rXoqs8q8GLpTBenF
+fwQ4IZakrjz/2qlUxNTMM2YbSyf35GpxuvV0jnigHlzXhN+I11yHS3r/GycTUJ1s
+z+Hk0JrV6f6fBxCDqC8hrthaxbf9jqcSsrYKRcaIUkcCB/gJ6wz3AApCkW9Z0ii+
+7sRpnNlvPQYJm2PhDTegCfASGRPd0GamXZNVwzohn+c8u+AVUQ5IiPabd7JNfbXD
+BhPnMj14/1uFuj1TtQ6c9/g+dtLvM7r0p9W/pbPFh1+PRkpyTGWyN5WWCjY3e7wa
+VOkMVapFXnfe0VLK5VFOCcb7lLbd2uDeaxkGRyP+4rBNqd4MC6s=
+=J7Og
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-22:02.xsave.asc b/website/static/security/advisories/FreeBSD-EN-22:02.xsave.asc
new file mode 100644
index 0000000000..4547cf8c8b
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-22:02.xsave.asc
@@ -0,0 +1,162 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-22:02.xsave                                          Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Incorrect XSAVE state size
+
+Category:       core
+Module:         kernel
+Announced:      2022-01-11
+Affects:        All supported versions of FreeBSD.
+Corrected:      2021-12-12 02:49:50 UTC (stable/13, 13.0-STABLE)
+                2022-01-11 18:14:58 UTC (releng/13.0, 13.0-RELEASE-p6)
+                2021-12-12 02:49:50 UTC (stable/12, 12.3-STABLE)
+                2022-01-11 18:19:21 UTC (releng/12.3, 12.3-RELEASE-p1)
+                2022-01-11 18:33:11 UTC (releng/12.2, 12.2-RELEASE-p12)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+Contemporary x86 CPUs support the XSAVE instruction, "Save Processor Extended
+tates."  Some but not all CPUs support the so-called init optimization for
+XSAVE.  The optimization means that the CPU may not write all of the state on
+XSAVE, and indicates that it did not in xstate_bv.  Whether or not this
+happens depends on "complex internal microarchitectural conditions."
+
+On signal delivery, the OS provides the saved context interrupted by the
+signal to the signal handler.  The context includes all CPU state available to
+userspace, including FPU registers (XSAVE area).  Also, upon return from the
+signal handler, the saved context is restored, which allows the handler to
+modify the main program flow.  When the init optimization kicks in, the OS
+tries to hide the effects of the init state optimization from the signal
+handler by filling in parts of the XSAVE area.
+
+The CPU reports sizes of some of the XSAVE state regions, but two of them
+are fixed and must be hard-coded by the kernel.
+
+II.  Problem Description
+
+The hard-coded size for state region 1 (SSE/XMM) was incorrect, effectively
+filling the xmm8 through xmm15 registers with arbitrary values on signal
+return when the init optimization occurred.
+
+III. Impact
+
+On amd64 and i386 systems, application memory may become corrupted, leading to
+incorrect behaviour.  Other platforms are not affected.
+
+IV.  Workaround
+
+Use of XSAVEOPT may be disabled by adding the following line to loader.conf:
+
+  hw.cpu_stdext_disable=0x1
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date, and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for an errata update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-22:02/xsave.patch
+# fetch https://security.FreeBSD.org/patches/EN-22:02/xsave.patch.asc
+# gpg --verify xsave.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              1d6ebddb62bc    stable/13-n248578
+releng/13.0/                            f2caded7f590  releng/13.0-n244769
+stable/12/                                                        r371242
+releng/12.3/                                                      r371483
+releng/12.2/                                                      r371488
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://reviews.freebsd.org/D33390>
+<URL:https://github.com/golang/go/issues/46272>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:02.xsave.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmHd2CUACgkQ05eS9J6n
+5cKE+w//bOsl0ry/Vx4OaIFzX52Blp6iu5nYoSwFu9wipTq5d07xL+UhXT3bbnRN
+yzxJz4KLkBlBaorwN0OX9N3/bjErOq10QMzzcX2jQnvixgIhV9oxqZoOoMcehfVp
+9L2yo1JNhXkn0ysKU2ysxpi1F/9t9xATcqxxC1PuSbl1N143qTnmRB5EWDi9Ygan
+sjFgBhcTmfz3gATxwKP0hz25KaXO+/0WwZzYHCnGYncPnfh12OgKCkMDi6H2v54R
+7+Rl0JtbycK257UIACki/s1FgbiIXkQuPLILD3YBn1kuXFPDhlIBKeK4NLu0G5DQ
+6vqYHKrP5RssGsXdROVpjTe4eO1VkKQAkMI9NHCo6SOStbHcOqiB0bdz0TuGYyQN
+uhI5we2tqDb6uhZBi0az4c+yKp58d+2dF8DizRKGelDjDNby/1L09XAiybnR8liN
+YcHPV/v0Sx/QPjX9sfutMkhtpw28OdPeqoAQyzW9+VSeTC4z61CDmFi9qrN7Vpne
+KIvLbgaBYFMSsN4oeG5CfZzlemLNkk8R+5JKmPCxoewX9r7jj2gr9yMqXcmQhjyR
+46z0Xp9JL0ovYzvfA9g0nV9tPxmRsAuOL2k7C4nPI38kXbCUlOuCjcNc7EP/gdfi
+e7sNXtXwzRDWgO4ipHfLeqzmAnxXy42vFpD2Be5RjbsqXdcH+6I=
+=ejFK
+-----END PGP SIGNATURE-----
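Review bot: The Background section of this advisory names the instruction as `"Save Processor Extended` / `tates."`, so the leading `S` of `States` was lost at the line wrap and the quoted name is wrong. It should read `"Save Processor Extended States."`. The file is a clear-signed PGP message, so the correction changes the signed text and the advisory has to be re-signed; editing the committed file in place would make signature verification fail for readers.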
diff --git a/website/static/security/advisories/FreeBSD-EN-22:03.hyperv.asc b/website/static/security/advisories/FreeBSD-EN-22:03.hyperv.asc
new file mode 100644
index 0000000000..75ef7ff404
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-22:03.hyperv.asc
@@ -0,0 +1,154 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-22:03.hyperv                                         Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          vPCI compatibility improvements with certain Hyper-V releases
+
+Category:       core
+Module:         hyperv
+Announced:      2022-01-11
+Credits:        Microsoft OSTC
+Affects:        All supported versions of FreeBSD.
+Corrected:      2021-11-30 07:43:32 UTC (stable/13, 13.0-STABLE)
+                2022-01-11 18:14:59 UTC (releng/13.0, 13.0-RELEASE-p6)
+                2021-12-14 12:20:17 UTC (stable/12, 12.3-STABLE)
+                2022-01-11 18:19:26 UTC (releng/12.3, 12.3-RELEASE-p1)
+                2022-01-11 18:33:14 UTC (releng/12.2, 12.2-RELEASE-p12)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+Hyper-V is a hypervisor provided on Windows server by Microsoft.  It
+supports vPCI, which is a virtualized bus driver used to expose hardware
+devices to virtual machines.  FreeBSD provides drivers
+
+II.  Problem Description
+
+A Hyper-V vPCI emulation change can cause SR-IOV (Single-Root I/O
+Virtualization) and DDA (Discrete Device Assignment) devices to fail to
+operate correctly under Hyper-V. 
+
+In recent Hyper-V releases on Windows Server 2022, the vPCI code does
+not initialize the last 4 bit of device registers.  This behavior change
+could result in failure to initialize guest drivers for SR-IOV or DDA
+devices.
+
+III. Impact
+
+SR-IOV and DDA devices may not work in FreeBSD running under certain
+Hyper-V releases.
+
+IV.  Workaround
+
+No workaround is available, however systems not running within Hyper-V
+or Azure are unaffected.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+A reboot is required.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+A reboot is required.
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-22:03/hyperv.patch
+# fetch https://security.FreeBSD.org/patches/EN-22:03/hyperv.patch.asc
+# gpg --verify hyperv.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              d11e9de955ea    stable/13-n248279
+releng/13.0/                            dfca965af4e1  releng/13.0-n244770
+stable/12/                                                        r371235
+releng/12.3/                                                      r371484
+releng/12.2/                                                      r371489
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:03.hyperv.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmHd1f0ACgkQ05eS9J6n
+5cJOLw//UcDfEZpVJqRvHm3e5B5c/rXCFLUWSS8NOQ7c4ioAOFZdOIs2D4u17Mbf
+EJwiYLTdknv1mT2BkE8hr1fgPb/m1+FLyyEuhfaIRpJuqzn2l4YW4v9lwpBNl0I7
+neuKqK4/j3SIjgdq7HZeiBEAyhIq5BGzzjnkPSbtW+RvGI8TCaAM7MgJYzCk1GKs
+kaIHyc0tyFIkoW0RDTjWt3g6UD+VVn7VU6/8xfiBBF9WUBKOay8MtgjAQMpNXcLK
+SZY2gLM9SMcdHZaKN0M5C0uly1bsXYn8eGOTy+dwGVOiJU2J0rFkcPdFjAIiWARb
+c9fotcunUzv53dy2ZiP0VWv4chdqv8Yel9wm6D0jkqZ1QKTq3jFnHzaPCmcWPII5
+92+YyGF5Yg+pm/s42AqVaMblN0vH/y8GlwOsp9zQBn4jjIhgUENYRdJMfY0KBopH
+7SqWtC9C9yUli0PQHN79z6/u7ZIzEPugsGk19WAZUktcWIj+kTkRq7PGBSm3CL/E
+tSpfRkhx1nMWa6c2ujZkFVCW7+HBaGtv9rlCb450g6Uzv6/7aYPGvxh7RCT8mQYK
+9ao05vSkdCrbdGSTlCDG7iSjGTGPVLj7LH2eGp6mfXiZo9UmfItwu24J88QfRhmO
+nUW3NY9Ff5dYKRLUw7G1nNIynzWsEz8NKyV/HwY2bkd53090CrI=
+=wXdl
+-----END PGP SIGNATURE-----
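Review bot: The Background section ends mid-sentence at `FreeBSD provides drivers`, so the advisory never says which drivers are meant; the rest of that sentence needs to be restored. In the Problem Description, `the last 4 bit of device registers` should read `the last 4 bits of device registers`. The References section is also empty apart from the advisory's own URL, so a reader has no pointer to the change or its review. Since the body is clear-signed, any of these corrections requires a fresh signature over the revised text.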
diff --git a/website/static/security/advisories/FreeBSD-EN-22:04.pcid.asc b/website/static/security/advisories/FreeBSD-EN-22:04.pcid.asc
new file mode 100644
index 0000000000..4d06d51527
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-22:04.pcid.asc
@@ -0,0 +1,129 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-22:04.pcid                                           Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Incorrect PCID mode invalidations
+
+Category:       core
+Module:         kernel
+Announced:      2022-01-11
+Affects:        FreeBSD 12.x
+Corrected:      2021-12-14 14:46:07 UTC (stable/12, 12.3-STABLE)
+                2022-01-11 18:19:29 UTC (releng/12.3, 12.3-RELEASE-p1)
+                2022-01-11 18:33:17 UTC (releng/12.2, 12.2-RELEASE-p12)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+When switching address spaces the kernel must flush stale Translation
+Lookaside Buffer (TLB) entries to ensure that correct data is visible to the
+CPU.  An Inter Processor Interrupt (IPI) is used to signal other CPUs of the
+need to flush TLB entries.
+
+PCID is an optimization that associates each page table with an identifier
+(i.e., Process ID) to allow for efficient context switching.
+
+II.  Problem Description
+
+Operations specific to TLB invalidation in PCID mode were misordered with
+respect to IPI transmission.
+
+III. Impact
+
+This issue may cause stale TLB translation entries (and hence invalid data)
+in multithreaded applications, leading to application misbehaviour.
+
+IV.  Workaround
+
+PCID may be disabled by adding the following line to /boot/loader.conf:
+
+  vm.pmap.pcid_enabled=0
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date, and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for an errata update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-22:04/pcid.patch
+# fetch https://security.FreeBSD.org/patches/EN-22:04/pcid.patch.asc
+# gpg --verify pcid.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r371237
+releng/12.3/                                                      r371485
+releng/12.2/                                                      r371490
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://reviews.freebsd.org/D33413>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:04.pcid.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmHd1f0ACgkQ05eS9J6n
+5cKgjQ//QW16Hxk3gfCvYOKk1PAxDmov2RlSENPrIT/LaHq6UVjGOsB/xaRGFK7U
+peWDMtyIQHboTG2RW819xAuB0ZRk7tLzZU9oOIQlQBWwV9qugre9pBLOHhbr98wX
+D4tZ1nFN3Yz55I2RWPzyT+ncF2NdsXAJLuBtmb4Uj+MPqMl7dhj01X82vPaFvjJH
+tJDMyWTgWHGJlGRk8ZcQ48gF3/G5p3xV6oD0axCQ+RXz9Sx8y4xX+uW2IUskTFkD
+ukbRHiNG+Mh1Jt4R9TC92AIvIvFhODts8+R1/1BtARQ76exfYDw6mIf+JC2oCX5+
+TrUmk7G8/cxCMyafVNU5+qqVx2qQBcJ8MG/4JwjlEl1kYy9w4ehhB1R7jJtJdfkr
+CD92bhJcPnS4zB7M90qTanPA+B7QlBWsbxXEaYmy1jyPZFl7KWLNxME6Ywf9BTpW
+oNE6Jnc77EkWWEMpYAk9i5udRCmxDDnYVFaMWuJR3GaSi4yKNxz4P1jsqOYWLR0v
+M+fjV6/PJnzn1xZBAWyCHrNT2gUbHxSrjEuHA1r6BKXt59lRFw5VEjwE05T9R7nd
+gSi12DEkzvz2ijq5iDFblKmW4B6f8jZsnLpaH/c+U5JfaiEotxb+fg2XCyBzxot5
+teHqbyKYYKGWmwRl09HyVB9rSawKibmQqCvhGSpxqSjJTInHLpM=
+=1FCm
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-22:05.tail.asc b/website/static/security/advisories/FreeBSD-EN-22:05.tail.asc
new file mode 100644
index 0000000000..c680737c00
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-22:05.tail.asc
@@ -0,0 +1,129 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-22:05.tail                                           Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          tail -F fails to follow some types of log rotation
+
+Category:       core
+Module:         tail
+Announced:      2022-01-11
+Affects:        FreeBSD 13.0
+Corrected:      2021-03-18 20:12:24 UTC (stable/13, 13.0-STABLE)
+                2022-01-11 18:15:01 UTC (releng/13.0, 13.0-RELEASE-p6)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+tail(1) displays the last part of a file, and can wait for and print any data
+appended to the file.  As of FreeBSD 13.0, tail(1) runs in capability mode
+via Capsicum.
+
+II.  Problem Description
+
+When comparing the inode number of the current file to the file tail(1) has
+open (in order to detect log rotation), tail(1) compared the inode number of
+the already open file descriptor, rather than the file that currently has the
+filename that was passed to tail(1).
+
+III. Impact
+
+When using tail(1)'s -F flag to follow a log file through log rotation,
+depending on the type of log rotation performed, tail(1) may continue to
+follow the original file after it is renamed, rather than detecting the
+rotation and re-opening the original filename, and then following the new log
+file.
+
+The rotated log is usually never written to after it is rotated, causing
+tail(1)'s -F flag to not perform its intended function.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or arm64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-22:05/tail.patch
+# fetch https://security.FreeBSD.org/patches/EN-22:05/tail.patch.asc
+# gpg --verify tail.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              8c59e863e2c0    stable/13-n244979
+releng/13.0/                            60cacd2e41e1  releng/13.0-n244771
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:05.tail.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmHd1f0ACgkQ05eS9J6n
+5cKySw/8DUfeI4ku+36DJjnqTt+SGSqP7CLon8tNneD3MeuXxHewHfF9quVqlW5C
+9qaCAJZztpinCvg9u2YXXZbbaZ6FPJKwjrOspo85/ZkodbXXtNkzfIHHVauE0+AH
+BbHYAMcAUjDgvUaApKRVkUUYODRtzlra2qqpA3ITzK4+vo3WYMmFA78uR6j6TYvN
+CWkXOEXPGjcMfmaLFtO7udfOs7//0+RaE4X15Ep+tWD+XZlgBF9kNqQ0jLOE6Dio
+mgJmlmHBNXPNAKud8VjLiEaJ0fhgy5q+9E+UEwol+XW/1HTH4ZMgXyPVenl7O1wH
+jyZhygc+sV3RK1P3ZC6Ecrm7Ktugtx9urmCOC8/isg/SVBbi1fj+hSeTY3tIrUHr
+yxtHS7aelPVENxHaRbHW1bJI5O4G0FH0KiLIMHkCg8/9LmDvdozpGqozLijXVaaf
+KGJ5Xt3qT3udbQP0T0yrmd5yusO75FLS/NnOrrCinQj8gB+355gaEeB58lWH2ndT
+EqfhS4ey4MM86nrxJrzxBymVlqfGmdNtfkl/HubsBy0qnJ6OWKwom3OCnf8rc9VW
+534GFt6BIYM8Ixqc5oOy6pGwzA3vuQ6V3kKOiTNNCvTar5YU9biayf2KI5TTtOo3
+vneWtb2fsOSuOdySNBR4k8LxDvefpS36MSgEV4TYiixXx+fRVRg=
+=nu3N
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-22:06.libalias.asc b/website/static/security/advisories/FreeBSD-EN-22:06.libalias.asc
new file mode 100644
index 0000000000..61d2c1055c
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-22:06.libalias.asc
@@ -0,0 +1,166 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-22:06.libalias                                       Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Incorrect fragmented IPv4 packet handling in libalias
+
+Category:       core
+Module:         libalias
+Announced:      2022-01-11
+Affects:        All supported versions of FreeBSD.
+Corrected:      2022-01-09 22:04:56 UTC (stable/13, 13.0-STABLE)
+                2022-01-11 18:15:02 UTC (releng/13.0, 13.0-RELEASE-p6)
+                2022-01-09 23:06:52 UTC (stable/12, 12.3-STABLE)
+                2022-01-11 18:19:32 UTC (releng/12.3, 12.3-RELEASE-p1)
+
+Note: This errata notice does not update FreeBSD 12.2.  FreeBSD 12.2
+users affected by this update should upgrade to FreeBSD 12.3.
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The libalias(3) library is a collection of functions for aliasing and
+dealiasing of IPv4 packets, intended for masquerading and network
+address translation (NAT).  Additionally, libalias(3) includes modules
+to support protocols that require additional logic to support address
+translation.
+
+libalias(3) is used by several FreeBSD networking components: ng_nat(4),
+ipfw(4) and natd(8).
+
+II.  Problem Description
+
+The patch committed for SA-20:12.libalias introduced additional
+validation of TCP, UDP and ICMP protocol headers.  This validation
+failed to take into account the possibility of IP packet fragmentation,
+and could cause libalias(3) to return the PKT_ALIAS_IGNORED status code
+for the first fragment of a packet, rather than applying aliasing rules.
+
+III. Impact
+
+Depending on the configuration of the consumer, this bug may cause
+fragmented packets to be dropped, or may cause further processing of
+fragments without aliasing rules applied.  For example, if the
+NG_NAT_DENY_INCOMING flag is set on an ng_nat(4) node, fragments will be
+unconditionally dropped.  Similarly, if the "deny_in" flag is set for an
+ipfw(4) NAT rule, fragments will be unconditionally dropped.
+
+IV.  Workaround
+
+No workaround is available.  Only systems using NAT via ng_nat(4),
+ipfw(4) NAT rules, or natd(8) are affected.  Systems leveraging pf(4) or
+ipf(4) to perform NAT are not affected.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date, and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for an errata update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.0]
+# fetch https://security.FreeBSD.org/patches/EN-22:06/libalias.13.patch
+# fetch https://security.FreeBSD.org/patches/EN-22:06/libalias.13.patch.asc
+# gpg --verify libalias.13.patch.asc
+
+[FreeBSD 12.3]
+# fetch https://security.FreeBSD.org/patches/EN-22:06/libalias.12.patch
+# fetch https://security.FreeBSD.org/patches/EN-22:06/libalias.12.patch.asc
+# gpg --verify libalias.12.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              ec746e619578    stable/13-n248913
+releng/13.0/                            4378aee9f82f  releng/13.0-n244772
+stable/12/                                                        r371477
+releng/12.3/                                                      r371486
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258970>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:06.libalias.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmHd1f4ACgkQ05eS9J6n
+5cLW2xAAjuMj68hzBt5aSxuRliu4wT+NdXMq/M5VWH9kHSZw2HrMfQuDY25ecwWE
+VAkeQoIAV/+Uz8OrVKBBqlTgxZyFxmM8a2pNBURPSeY508o7X5h8HMHECaUndqMJ
+dXfa2YgpUm36RQZfaKCGbBCIXUj4V+fmSFkoq87U0EXexrCim6m5tzMoBsWV7Eob
+KWbZObwR2PrvYSoHvdbPNWrGF/6CDu/38x9TBxPU+sT3dVa4qJyUD3D/7hhe3Onb
+VscwvebHNKZwaxxEJJma4xbUcOXJpOUVA/JRjphkzeX5B1Fgix1N4ae8C3ATXiZT
+H9OhB+AU/EtTU5rbcWjEiNckIh/icGV9lkEuqX4AXKmQHeYJEVCctY+IgcZfppzq
+MpY1OuDhjObvQtyuBv6up0EN/Lv2AAN8sooXIwwy00DX6ISnjtynP81huCpHLRE9
*** 1828 LINES SKIPPED ***