git: bf75c163e2 - main - Add EN-23:08 and SA-23:06 through SA-23:09.

From: Gordon Tetlow <gordon_at_FreeBSD.org>
Date: Tue, 01 Aug 2023 21:26:02 UTC
The branch main has been updated by gordon:

URL: https://cgit.FreeBSD.org/doc/commit/?id=bf75c163e29a921f5ade9d5046a8f637789de307

commit bf75c163e29a921f5ade9d5046a8f637789de307
Author:     Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2023-08-01 21:25:02 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2023-08-01 21:25:02 +0000

    Add EN-23:08 and SA-23:06 through SA-23:09.
    
    Approved by:    so
---
 website/data/security/advisories.toml              |   16 +
 website/data/security/errata.toml                  |    4 +
 .../security/advisories/FreeBSD-EN-23:08.vnet.asc  |  147 ++
 .../security/advisories/FreeBSD-SA-23:06.ipv6.asc  |  171 ++
 .../security/advisories/FreeBSD-SA-23:07.bhyve.asc |  148 ++
 .../security/advisories/FreeBSD-SA-23:08.ssh.asc   |  167 ++
 .../advisories/FreeBSD-SA-23:09.pam_krb5.asc       |  166 ++
 .../static/security/patches/EN-23:08/vnet.patch    |   16 +
 .../security/patches/EN-23:08/vnet.patch.asc       |   16 +
 .../static/security/patches/SA-23:06/ipv6.patch    |   14 +
 .../security/patches/SA-23:06/ipv6.patch.asc       |   16 +
 .../security/patches/SA-23:07/bhyve.13.1.patch     |   87 +
 .../security/patches/SA-23:07/bhyve.13.1.patch.asc |   16 +
 .../security/patches/SA-23:07/bhyve.13.2.patch     |   84 +
 .../security/patches/SA-23:07/bhyve.13.2.patch.asc |   16 +
 .../security/patches/SA-23:08/ssh.12.4.patch       |  189 ++
 .../security/patches/SA-23:08/ssh.12.4.patch.asc   |   16 +
 .../security/patches/SA-23:08/ssh.13.1.patch       |   48 +
 .../security/patches/SA-23:08/ssh.13.1.patch.asc   |   16 +
 .../security/patches/SA-23:08/ssh.13.2.patch       | 2036 ++++++++++++++++++++
 .../security/patches/SA-23:08/ssh.13.2.patch.asc   |   16 +
 .../security/patches/SA-23:09/pam_krb5.patch       |   21 +
 .../security/patches/SA-23:09/pam_krb5.patch.asc   |   16 +
 23 files changed, 3442 insertions(+)

diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index 72324804c6..2d5b3077f7 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -1,6 +1,22 @@
 # Sort advisories by year, month and day
 # $FreeBSD$
 
+[[advisories]]
+name = "FreeBSD-SA-23:09.pam_krb5"
+date = "2023-08-01"
+
+[[advisories]]
+name = "FreeBSD-SA-23:08.ssh"
+date = "2023-08-01"
+
+[[advisories]]
+name = "FreeBSD-SA-23:07.bhyve"
+date = "2023-08-01"
+
+[[advisories]]
+name = "FreeBSD-SA-23:06.ipv6"
+date = "2023-08-01"
+
 [[advisories]]
 name = "FreeBSD-SA-23:05.openssh"
 date = "2023-06-21"
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index 15ae740438..0fccd5baf3 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,10 @@
 # Sort errata notices by year, month and day
 # $FreeBSD$
 
+[[notices]]
+name = "FreeBSD-EN-23:08.vnet"
+date = "2023-08-01"
+
 [[notices]]
 name = "FreeBSD-EN-23:07.mpr"
 date = "2023-06-21"
diff --git a/website/static/security/advisories/FreeBSD-EN-23:08.vnet.asc b/website/static/security/advisories/FreeBSD-EN-23:08.vnet.asc
new file mode 100644
index 0000000000..fc722d9cff
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-23:08.vnet.asc
@@ -0,0 +1,147 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-23:08.vnet                                           Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          VNET and DPCPU module panic on arm64
+
+Category:       core
+Module:         kernel
+Announced:      2023-08-01
+Affects:        FreeBSD 13.2
+Corrected:      2023-07-26 18:03:46 UTC (stable/13, 13.2-STABLE)
+                2023-08-01 19:50:47 UTC (releng/13.2, 13.2-RELEASE-p2)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+VNET is the name of a technique to virtualize the network stack. It changes
+global resources, most notably variables, into per network stack resources
+and handles them in the context of the correct instance. VNET is enabled by
+default in GENERIC kernels on all architectures except 32-bit ARM.
+
+DPCPU is a dynamic per-CPU memory allocator which can instantiate one
+instance of a global variable with each CPU in the system. Dynamically
+allocated per-CPU variables can be defined with custom names and types.
+DPCPU is always enabled.
+
+II.  Problem Description
+
+After FreeBSD 13.1 was released, the contributed LLVM components (LLVM,
+clang, compiler-rt, libc++, libunwind, lld, lldb and openmp) were
+upgraded to upstream version 14.0.5. The new version of lld, the llvm
+linker, got additional optimizations for arm64 in the form of so-called
+relocation relaxations.
+
+These relaxations are fine for regular userland applications, as the
+dynamic linker can handle the optimized relocations. However, due to the
+way the VNET and DPCPU features are implemented, the optimized
+relocations can cause panics if they are used in kernel modules.
+
+III. Impact
+
+On arm64 systems, loading kernel modules that use VNET or DPCPU features can
+cause panics. A known example is the WireGuard kernel module, if_wg(4).
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+A reboot is required, because the kernel and several kernel modules are
+updated.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+A reboot is required, because the kernel and several kernel modules are updated.
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-23:08/vnet.patch
+# fetch https://security.FreeBSD.org/patches/EN-23:08/vnet.patch.asc
+# gpg --verify vnet.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              98e7f836e65e    stable/13-n255888
+releng/13.2/                            e3e6fc371322  releng/13.2-n254623
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://github.com/ARM-software/abi-aa/blob/844a79fd4c77252a11342709e3b27b2c9f590cf1/aaelf64/aaelf64.rst#relocation-optimization>
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264094>
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264115>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-23:08.vnet.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJd+EACgkQbljekB8A
+Gu+2XRAAnIRnEfyWHe8XQa3ElzCx3gwyldIkZJqjqEX1hWm1uhASJGV3Zk/xj6gv
+6yyr8P5nij6rbblpo/YpUzwFeRVUX3foMU+R4blTB0nriJuW6P1vMiHpD1w52oS5
+OWpsyAouJ4/IsDh73jCqrJk3M7ZKOkfQ5tHn/E+bLl20ASQy/5S/t3G9QU8o8TeH
+Ak+zakq8Gf13BA6vMyq0beA34A0zT0niznKhbTqAc3czdsd18Rkeg/9txXU2iOkV
+8VBqnN2kJQ/gBfM79PtUOfz8uK/7tIWMpNoept4Kp0XlDPpJUhqBwjjmTBsuxB8w
+fpYpfNF5ADX50L1nzm24oxBjFsbA+YUNXzO1VHCQZeWNxI2cubZWFtzu7WoxT7QQ
+trdhUWlSI28jtRJSg5eBwfSI/iT/iESIH9f5wFdVo3iORPXe28CrW6EtEHXhVk37
+JQaQdIPr48n2IfsEzuogQyEMAWuD6hSUDksfZsArkPcS9QJFBzv1xkiTXmInn1CL
+JQK4XaVXSELKh0JWgnGTA3/Xsi/DRXcPbN+1saKi8Dp5LzwaMN26UmvWzMFYpQuY
+hrfFDpk3IP9iacvnnObuMretppd1LdwFx3O2Pq4Fs0nRYIKSU3OVpIVzu75otiwE
+GtArfSeRWgwy9moWd8W4wSWNFosTkFMFbZONS0n9SfEYzabpCzM=
+=0mU9
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-23:06.ipv6.asc b/website/static/security/advisories/FreeBSD-SA-23:06.ipv6.asc
new file mode 100644
index 0000000000..77b3701de3
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-23:06.ipv6.asc
@@ -0,0 +1,171 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-23:06.ipv6                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic: Remote denial of service in IPv6 fragment reassembly
+
+Category:       core
+Module:         ipv6
+Announced:      2023-08-01
+Credits:        Zweig of Kunlun Lab
+Affects:        All supported versions of FreeBSD
+Corrected:      2023-08-01 19:49:07 UTC (stable/13, 13.2-STABLE)
+                2023-08-01 19:51:27 UTC (releng/13.2, 13.2-RELEASE-p2)
+                2023-08-01 19:49:52 UTC (releng/13.1, 13.1-RELEASE-p9)
+                2023-08-01 20:05:08 UTC (stable/12, 12.4-STABLE)
+                2023-08-01 20:05:42 UTC (releng/12.4, 12.4-RELEASE-p4)
+CVE Name:       CVE-2023-3107
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+IPv6 packets may be fragmented in order to accommodate the maximum
+transmission unit (MTU) of the network path between the source and
+destination hosts.  The FreeBSD kernel keeps track of received packet
+fragments and will reassemble the original packet once all fragments
+have been received, at which point the packet is processed normally.
+
+II.  Problem Description
+
+Each fragment of an IPv6 packet contains a fragment header which
+specifies the offset of the fragment relative to the original packet,
+and each fragment specifies its length in the IPv6 header.  When
+reassembling the packet, the kernel calculates the complete IPv6 payload
+length.  The payload length must fit into a 16-bit field in the IPv6
+header.
+
+Due to a bug in the kernel, a set of carefully crafted packets can
+trigger an integer overflow in the calculation of the reassembled
+packet's payload length field.
+
+III. Impact
+
+Once an IPv6 packet has been reassembled, the kernel continues
+processing its contents.  It does so assuming that the fragmentation
+layer has validated all fields of the constructed IPv6 header.  This bug
+violates such assumptions and can be exploited to trigger a remote
+kernel panic, resulting in a denial of service.
+
+IV.  Workaround
+
+Users with IPv6 disabled on untrusted network interfaces are not
+affected.  Such interfaces will have the IFDISABLED nd6 flag set in
+ifconfig(8).
+
+The kernel may be configured to drop all IPv6 fragments by setting the
+net.inet6.ip6.maxfrags sysctl to 0.  Doing so will prevent the bug from
+being triggered, with the caveat that legitimate IPv6 fragments will
+be dropped.
+
+If the pf(4) firewall is enabled, and scrubbing and fragment reassembly
+is enabled on untrusted interfaces, the bug cannot be triggered.  This
+is the default if pf(4) is enabled.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date and
+reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-23:06/ipv6.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:06/ipv6.patch.asc
+# gpg --verify ipv6.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              9515f04fe3b1    stable/13-n255919
+releng/13.2/                            da38eaca4a22  releng/13.2-n254626
+releng/13.1/                            4e548c72914a  releng/13.1-n250191
+stable/12/                                                        r373149
+releng/12.4/                                                      r373152
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3107>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:06.ipv6.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsAACgkQbljekB8A
+Gu8rERAA2iGzA4ydDrYsKnNGXMtQEXRIkGOPOkCSB1fC6CGIWLD//XuPw7sISPNu
+vvt0DVlkOC/ZKjgUQVWDLHd/DWcEv6prhhCUEPEQ57nwvgfa9/oZNqF0ZvVgdyst
+OUc7wO3Pt9lAp6fPkay0LGmsHLlgRJR1VqUQ6fnWvJ7jRllsvIdjxr8krIwYyyVn
+E7U8+lBYoBmQLMql0jgiQ3S4FZ5kYX6MN9r2I1/nSQdE6IUOiqL0oux9H2PDTz3r
+mx9nYSrsd0WPNVO7n7GRnk48STwJryJNdY7tCZOUGsmOOtQAnXvF/ZYDQOMK1L66
+4d5XFVXTwYdHDwDbXMPCCqa+MsZyjrgz8NmNzcto1l0mClz1SGNW9MKmxTKU7op/
+dNTjziffvwxZefpFPv+r9ZEyJpPe1rcNgOskJFW4DVq0uNSaujPkHE77hkE93ozF
+ScDErtexPV+OEQyqGTgO4MxTjlk2l9DZGFVrLl+8Js1sFfLXlReGHLA2xtDtxJL0
+mLo1WtKq8Oq3XPBdU0UoAw3Wlp+BOZ7cY5AVk7IY5zU0T2jQP636QgzX33ZTynkD
+oLtFufJBOWMSPNx9bTFautEoNsivtKcOl3XWEKKgEqt4b+9h6VGU0tFjfRuozjxJ
+QAaYf0qXk9kfHp4EdHj4CeSoeZKgHCExJxpfX54qBGH/TY3Dd4c=
+=V/jE
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-23:07.bhyve.asc b/website/static/security/advisories/FreeBSD-SA-23:07.bhyve.asc
new file mode 100644
index 0000000000..770be95081
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-23:07.bhyve.asc
@@ -0,0 +1,148 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-23:07.bhyve                                      Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          bhyve privileged guest escape via fwctl
+
+Category:       core
+Module:         bhyve
+Announced:      2023-08-01
+Credits:        Omri Ben Bassat and Vladimir Eli Tokarev from Microsoft
+Affects:        FreeBSD 13.1 and 13.2
+Corrected:      2023-08-01 19:48:53 UTC (stable/13, 13.2-STABLE)
+                2023-08-01 19:50:47 UTC (releng/13.2, 13.2-RELEASE-p2)
+                2023-08-01 19:48:26 UTC (releng/13.1, 13.1-RELEASE-p9)
+CVE Name:       CVE-2023-3494
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+bhyve(8)'s fwctl interface provides a mechanism through which guest
+firmware can query the hypervisor for information about the virtual
+machine.  The fwctl interface is available to guests when bhyve is run
+with the "-l bootrom" option, used for example when booting guests in
+UEFI mode.
+
+bhyve is currently only supported on the amd64 platform.
+
+II.  Problem Description
+
+The fwctl driver implements a state machine which is executed when the
+guest accesses certain x86 I/O ports.  The interface lets the guest copy
+a string into a buffer resident in the bhyve process' memory.  A bug in
+the state machine implementation can result in a buffer overflowing when
+copying this string.
+
+III. Impact
+
+A malicious, privileged software running in a guest VM can exploit the
+buffer overflow to achieve code execution on the host in the bhyve
+userspace process, which typically runs as root.  Note that bhyve runs
+in a Capsicum sandbox, so malicious code is constrained by the
+capabilities available to the bhyve process.
+
+IV.  Workaround
+
+No workaround is available.  bhyve guests that are executed without the
+"-l bootrom" option are unaffected.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart all affected virtual machines.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.2]
+# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.2.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.2.patch.asc
+# gpg --verify bhyve.13.2.patch.asc
+
+[FreeBSD 13.1]
+# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.1.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.1.patch.asc
+# gpg --verify bhyve.13.1.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all affected virtual machines.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              9fe302d78109    stable/13-n255918
+releng/13.2/                            2bae613e0da3  releng/13.2-n254625
+releng/13.1/                            87702e38a4b4  releng/13.1-n250190
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3494>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:07.bhyve.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsIACgkQbljekB8A
+Gu8Q1Q/7BFw5Aa0cFxBzbdz+O5NAImj58MvKS6xw61bXcYr12jchyT6ENC7yiR+K
+qCqbe5TssRbtZ1gg/94gSGEXccz5OcJGxW+qozhcdPUh2L2nzBPkMCrclrYJfTtM
+cnmQKjg/wFZLUVr71GEM95ZFaktlZdXyXx9Z8eBzow5rXexpl1TTHQQ2kZZ41K4K
+KFhup91dzGCIj02cqbl+1h5BrXJe3s/oNJt5JKIh/GBh5THQu9n6AywQYl18HtjV
+fMb1qRTAS9WbiEP5QV2eEuOG86ucuhytqnEN5MnXJ2rLSjfb9izs9HzLo3ggy7yb
+hN3tlbfIPjMEwYexieuoyP3rzKkLeYfLXqJU4zKCRnIbBIkMRy4mcFkfcYmI+MhF
+NPh2R9kccemppKXeDhKJurH0vsetr8ti+AwOZ3pgO21+9w+mjE+EfaedIi+JWhip
+hwqeFv03bAQHJdacNYGV47NsJ91CY4ZgWC3ZOzBZ2Y5SDtKFjyc0bf83WTfU9A/0
+drC0z3xaJribah9e6k5d7lmZ7L6aHCbQ70+aayuAEZQLr/N1doB0smNi0IHdrtY0
+JdIqmVX+d1ihVhJ05prC460AS/Kolqiaysun1igxR+ZnctE9Xdo1BlLEbYu2KjT4
+LpWvSuhRMSQaYkJU72SodQc0FM5mqqNN42Vx+X4EutOfvQuRGlI=
+=MlAY
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-23:08.ssh.asc b/website/static/security/advisories/FreeBSD-SA-23:08.ssh.asc
new file mode 100644
index 0000000000..37d9c0df7f
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-23:08.ssh.asc
@@ -0,0 +1,167 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-23:08.ssh                                        Security Advisory
+                                                          The FreeBSD Project
+
+Topic:		Potential remote code execution via ssh-agent forwarding
+
+Category:       contrib
+Module:         OpenSSH
+Announced:      2023-08-01
+Credits:        Qualys
+Affects:        All supported versions of FreeBSD.
+Corrected:      2023-07-21 14:41:41 UTC (stable/13, 13.2-STABLE)
+                2023-08-01 19:50:47 UTC (releng/13.2, 13.2-RELEASE-p2)
+                2023-08-01 19:48:26 UTC (releng/13.1, 13.1-RELEASE-p9)
+                2023-07-21 16:25:51 UTC (stable/12, 12.4-STABLE)
+                2023-08-01 19:47:00 UTC (releng/12.4, 12.4-RELEASE-p4)
+CVE Name:       CVE-2023-38408
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+ssh-agent is a program to hold private keys used for OpenSSH public key
+authentication.  Connections to ssh-agent may be forwarded from further
+remote hosts using the -A option to ssh.  The server to which the ssh-agent
+connection is forwarded may cause the ssh-agent process to load (and unload)
+operating system-provided shared libraries to support the addition and
+deletion of PKCS#11 keys.
+
+II.  Problem Description
+
+The server may cause ssh-agent to load shared libraries other than those
+required for PKCS#11 support.  These shared libraries may have side effects
+that occur on load and unload (dlopen and dlclose). 
+
+III. Impact
+
+An attacker with access to a server that accepts a forwarded ssh-agent
+connection may be able to execute code on the machine running ssh-agent.
+Note that the attack relies on properties of operating system-provided
+libraries.  This has been demonstrated on other operating systems; it is
+unknown whether this attack is possible using the libraries provided by
+a FreeBSD installation.
+
+IV.  Workaround
+
+Avoid using ssh-agent forwarding, or start ssh-agent with an empty
+PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that
+contains only specific provider libraries.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date and
+restart any ssh sessions using ssh-agent forwarding.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.2]
+# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.2.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.2.patch.asc
+# gpg --verify ssh.13.2.patch.asc
+
+[FreeBSD 13.1]
+# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.1.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.1.patch.asc
+# gpg --verify ssh.13.1.patch.asc
+
+[FreeBSD 12.4]
+# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.12.4.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.12.4.patch.asc
+# gpg --verify ssh.12.4.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+Restart all ssh sessions that use ssh-agent forwarding, or reboot.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              d578a19e2cd3    stable/13-n255848
+releng/13.2/                            20bcfc33d3f2  releng/13.2-n254624
+releng/13.1/                            3d3a1cbfd7a2  releng/13.1-n250189
+stable/12/                                                        r373142
+releng/12.4/                                                      r373151
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38408>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:08.ssh.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsUACgkQbljekB8A
+Gu9M3A//ftE38dmRBx//0dm0sY6Pb++OprS7SKkm/dPlv2ywFMrUOZJl47pcfEuJ
+h+jeHOMWzQJYwSQBxPii/PbJRbxd4w4c0pjLDKXO3fc74anmuLQh7b8DLip6jQ/S
+C4LM11e0lGfxwJmrQl49r8eKkm4ta+TOn+IoSzGzsYUYkpqX3jpBuP/yhFvueXO7
+9ZaXCIsg99/tZvXU34b4ZA5t3vVjkAhtbV9HSAza0RnM4ZFJnXJoZbheVMgp63qp
+yg2pieDnA5U/c1exC8joRQoiyXtSZjmq2+8e4HYXc9+LZvWr+/fyfBXO6BXn4hmU
+KSB6t2aldvB0ywWEbge+mM9I+h0jPKHNo/HsAwwF4gKfLqzZ1XNLnHC+LVTTe0cD
+lNHw6kBgH9qx4oLBXg8fZwxtPGv5qvSjC4qisDWi/BMDeVsTfr8wa+LoKHIp0KOH
+AnhuNKs1/TYpyHZfa2l7OfvSc70jSGYyG6Flcr5lYrhfDnXEFR6En4qbRLjIS6GA
++8otM6AyuLLiwfaLdha2G9scuA/RUfyixB7AAhrFrxJPBQypC/kIi+lF0TKmEx69
+Q2TlWktN/zzHzPJLafor5g9W9dft2Kt4T8hHsmQVwwwN58l3Q49FSrKAib5Agv66
+1QuQDP5hhsq7VISG81ZzMZbgvhNgCM5EPjggZ65Qrk9/NCyWhOw=
+=scNH
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-23:09.pam_krb5.asc b/website/static/security/advisories/FreeBSD-SA-23:09.pam_krb5.asc
new file mode 100644
index 0000000000..9d40ed76db
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-23:09.pam_krb5.asc
@@ -0,0 +1,166 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-23:09.pam_krb5                                   Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Network authentication attack via pam_krb5
+
+Category:       core
+Module:         pam_krb5
+Announced:      2023-08-01
+Affects:        All supported versions of FreeBSD
+Corrected:      2023-07-08 05:44:29 UTC (stable/13, 13.2-STABLE)
+                2023-08-01 19:50:30 UTC (releng/13.2, 13.2-RELEASE-p2)
+                2023-08-01 19:48:09 UTC (releng/13.1, 13.1-RELEASE-p9)
+                2023-07-08 05:44:51 UTC (stable/12, 12.4-STABLE)
+                2023-08-01 19:46:53 UTC (releng/12.4, 12.4-RELEASE-p4)
+CVE Name:       CVE-2023-3326
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+Kerberos 5 (krb5) is a computer-network authentication protocol that works on
+the basis of tickets to allow nodes communicating over a non-secure network
+to prove their identity to one another in a secure manner.
+
+The PAM (Pluggable Authentication Modules) library provides a flexible
+framework for user authentication and session setup / teardown.
+
+pam_krb5 is a PAM module that allows using a Kerberos password to
+authenticate the user. pam_krb5 is disabled in the default FreeBSD
+installation.
+
+pam_krb5 uses passwords for authentication, which is distinct from
+Kerberos native protocols like GSSAPI, which allows for login without the
+exchange of passwords. GSSAPI is not affected by this issue.
+
+II.  Problem Description
+
+The problem detailed in FreeBSD-SA-23:04.pam_krb5 persisted following
+the patch for that advisory.
+
+III. Impact
+
+The impact described in FreeBSD-SA-23:04.pam_krb5 persists.
+
+IV.  Workaround
+
+If you are not using Kerberos at all, ensure /etc/krb5.conf is missing from
+your system. Additionally, ensure pam_krb5 is commented out of your PAM
+configuration located as documented in pam.conf(5), generally /etc/pam.d.
+Note, the default FreeBSD PAM configuration has pam_krb5 commented out.
+
+If you are using Kerberos, but not using pam_krb5, ensure pam_krb5 is
+commented out of your PAM configuration located as documented in pam.conf(5),
+generally /etc/pam.d. Note, the default FreeBSD PAM configuration has
+pam_krb5 commented out.
+
+If you are using pam_krb5, ensure you have a keytab on your system as
+provided by your Kerberos administrator.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-23:09/pam_krb5.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:09/pam_krb5.patch.asc
+# gpg --verify pam_krb5.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the PAM module, or reboot the system.
+
+VI.  Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              d295e418ae7e    stable/13-n255792
+releng/13.2/                            9b45d8eddfac  releng/13.2-n254622
+releng/13.1/                            140f65a20533  releng/13.1-n250188
+stable/12/                                                        r373127
+releng/12.4/                                                      r373150
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3326>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:09.pam_krb5.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdskACgkQbljekB8A
+Gu9QjQ/7BlRQJGHtf/tljjCbzVKAOTcknk/d2VncZ4dDidsHWgO4umaYIrQzYxX0
+1mBtLEPZ7vHt2t4IC4NZ1FP7wrdLNDWCfHcKlP9p9tCzhh2zQXgv6NHbruUTMtJX
+/LN+fxdOcRo++23ae0ohaBUwFVo69/nel0KnSq3QOeSwzJdvaW9cggimOK96pvB1
+QXsqJvb9uBZGdv0yufZ4xJ174xDVnchBY/wvLx2qSdAsXGPO6ihvoeJHFJ7JAYLP
+JYtEAKkgHnkDtG9cw9DQigskwr8VC0x8J+9JG5H4zTXtzofng4pFD7+LBDhozoPy
+FRGi5IfWA4VkeQYDaMB9mE37R333PpKFfJZWF8cwOyeLXNTTUvtPEu2k0DRvljqs
+6lmKcqNLJMbbHa7jIDwdYs5wrSqXJuKOD0Fsj/QScfqWphK86oz6VBdft71A+g55
+D9QFVoXZ2kYTdJ3mMvcKPCdsnixVdtIaaTQ+Embeu2dnMUemc9xsRiPNp18a5y1a
+EgLJ5WHIVJoCjte7HROnPKN6IeB7G/laPeewpoO8AJqL46Z+Ch0PMJacYLhNp5fn
+9rDnJkurJBa4hqii05MztQvhvaoJyy1WFQbObrzfNQI7Hl+EtMb8dlP09qsiWeGq
+27gca8AB1KaMbG+Wwc92n1cn8ZSiF6WT0cV/+Cx3lYuIbmMgnBU=
+=eKnj
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-23:08/vnet.patch b/website/static/security/patches/EN-23:08/vnet.patch
new file mode 100644
index 0000000000..e3ae10b6a5
--- /dev/null
+++ b/website/static/security/patches/EN-23:08/vnet.patch
@@ -0,0 +1,16 @@
+--- sys/conf/kmod.mk.orig
++++ sys/conf/kmod.mk
+@@ -168,6 +168,13 @@
+ CFLAGS+=	-fPIC
+ .endif
+ 
++.if ${MACHINE_CPUARCH} == "aarch64"
++# https://bugs.freebsd.org/264094
++# lld >= 14 and recent GNU ld can relax adrp+add and adrp+ldr instructions,
++# which breaks VNET.
++LDFLAGS+=	--no-relax
++.endif
++
+ # Temporary workaround for PR 196407, which contains the fascinating details.
+ # Don't allow clang to use fpu instructions or registers in kernel modules.
+ .if ${MACHINE_CPUARCH} == arm
diff --git a/website/static/security/patches/EN-23:08/vnet.patch.asc b/website/static/security/patches/EN-23:08/vnet.patch.asc
new file mode 100644
index 0000000000..deba5b5d36
--- /dev/null
+++ b/website/static/security/patches/EN-23:08/vnet.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdr8ACgkQbljekB8A
+Gu+HgBAApQv1OSL3BdPCm44GOO4JE8cyWetpTxlM/wblnQS2WHv+cvWiDitgthgX
+Enek4lTFjz3SlgyeSGEwgDz0NucHSOGixS4SIqLKGHXEEqwcZFdICOhb56tcT5Mg
+GLndgCKaNjCM4vLQ7U/TRHZl03m0NyxXt9c9ga6cad4fZkFDAWpiIWAmzVF766vY
+7KIXlZ97y1IpqmHtuv3nTwcfBlw1ThiWj23JdoJyj9CEA8Qd5I3vAdHkX8JDirkJ
+qzS1hMExQAWQfY7cNH7fa56Z418ZdDRPoZeub7VYBaC4YG79D3s/FBcu9tADyb07
+aW6k6CnAGDOGPCxzKCCWgGB+GeYyd+zT0pEstwin43m9yNCgiXtI4UBIEZCJrbo4
+wKR5QF22R3uSBfU5T6JrLvl1muyGvcEsCWja0+O3CR6vrFKZEqm0nkzmTrNsB7e+
+9V5ZtgSEH3NmBejwLUjjDAoLz9EFf6Asji3obkdSbzEaZV5OSF20w4XDnvc8hXze
+psDcgspUjdiFoS3ci8LO/xl0jf6rguj56JA4FG9nB8fHe3lxuxwbJuJsm4dsHtNr
+Hxh7RQRGvTdvZ1bHwbIVc6Y9+Nnwozl7+q1+7a2yws2ZuxtLYE86+dvA/l2dl8iH
+IkZSKycsArwnnmkxfcqUGbbzKOF+x3nBruC0z8cYlSo0KWr193Q=
+=mU3Y
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-23:06/ipv6.patch b/website/static/security/patches/SA-23:06/ipv6.patch
new file mode 100644
index 0000000000..9735c134d9
--- /dev/null
+++ b/website/static/security/patches/SA-23:06/ipv6.patch
@@ -0,0 +1,14 @@
+--- sys/netinet6/frag6.c.orig
++++ sys/netinet6/frag6.c
+@@ -807,6 +807,11 @@
+ 	/* Adjust offset to point where the original next header starts. */
+ 	offset = ip6af->ip6af_offset - sizeof(struct ip6_frag);
+ 	free(ip6af, M_FRAG6);
++	if ((u_int)plen + (u_int)offset - sizeof(struct ip6_hdr) >
++	    IPV6_MAXPACKET) {
++		frag6_freef(q6, bucket);
++		goto dropfrag;
++	}
+ 	ip6 = mtod(m, struct ip6_hdr *);
+ 	ip6->ip6_plen = htons((u_short)plen + offset - sizeof(struct ip6_hdr));
+ 	if (q6->ip6q_ecn == IPTOS_ECN_CE)
diff --git a/website/static/security/patches/SA-23:06/ipv6.patch.asc b/website/static/security/patches/SA-23:06/ipv6.patch.asc
new file mode 100644
index 0000000000..1bbe4f57cc
--- /dev/null
+++ b/website/static/security/patches/SA-23:06/ipv6.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsEACgkQbljekB8A
+Gu8RkA/+Kt5g7V4+D2GAttjm73kuDZpYpiD0evC7i1SMEJqm9SuLrUhAY0glKHLC
+wvXGOLQxKLupPv4XVtimtAPY9sSaTqnWtvit/upLLw5N+fIhEXWSX7JXnsmsALEv
+ky+mTt4RL8kB6XnzVJGA6kEpn6DF0tuR8kooxWvoxTAdSGQsS5P2PIcDP026JWWk
++4VgHe1iB4sAtIUlCp55HYWw+GaUMhXf74pJjGNG0GihW1m4XCrEYMas/f4PqMID
*** 2642 LINES SKIPPED ***