git: a7ac9239fb - main - website: Add EN-24:14 and SA-24:05 through SA-24:08.

From: Gordon Tetlow <gordon_at_FreeBSD.org>
Date: Wed, 07 Aug 2024 14:41:20 UTC
The branch main has been updated by gordon:

URL: https://cgit.FreeBSD.org/doc/commit/?id=a7ac9239fbae263d9bdd9d50486b3150f8c579d8

commit a7ac9239fbae263d9bdd9d50486b3150f8c579d8
Author:     Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2024-08-07 14:38:10 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2024-08-07 14:38:10 +0000

    website: Add EN-24:14 and SA-24:05 through SA-24:08.
    
    Approved by:    so
---
 website/data/security/advisories.toml              |  16 +
 website/data/security/errata.toml                  |   4 +
 .../advisories/FreeBSD-EN-24:14.ifconfig.asc       | 150 +++++
 .../security/advisories/FreeBSD-SA-24:05.pf.asc    | 155 ++++++
 .../advisories/FreeBSD-SA-24:06.ktrace.asc         | 139 +++++
 .../advisories/FreeBSD-SA-24:07.nfsclient.asc      | 145 +++++
 .../advisories/FreeBSD-SA-24:08.openssh.asc        | 150 +++++
 .../security/patches/EN-24:14/ifconfig.patch       |  26 +
 .../security/patches/EN-24:14/ifconfig.patch.asc   |  16 +
 .../static/security/patches/SA-24:05/pf-13.patch   | 615 ++++++++++++++++++++
 .../security/patches/SA-24:05/pf-13.patch.asc      |  16 +
 .../static/security/patches/SA-24:05/pf-14.patch   | 616 +++++++++++++++++++++
 .../security/patches/SA-24:05/pf-14.patch.asc      |  16 +
 .../static/security/patches/SA-24:06/ktrace.patch  |  11 +
 .../security/patches/SA-24:06/ktrace.patch.asc     |  16 +
 .../security/patches/SA-24:07/nfsclient-13.patch   | 201 +++++++
 .../patches/SA-24:07/nfsclient-13.patch.asc        |  16 +
 .../security/patches/SA-24:07/nfsclient-14.patch   | 201 +++++++
 .../patches/SA-24:07/nfsclient-14.patch.asc        |  16 +
 .../static/security/patches/SA-24:08/openssh.patch |  19 +
 .../security/patches/SA-24:08/openssh.patch.asc    |  16 +
 21 files changed, 2560 insertions(+)

diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index d0945c9078..cd751f68a5 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -1,6 +1,22 @@
 # Sort advisories by year, month and day
 # $FreeBSD$
 
+[[advisories]]
+name = "FreeBSD-SA-24:08.openssh"
+date = "2024-08-07"
+
+[[advisories]]
+name = "FreeBSD-SA-24:07.nfsclient"
+date = "2024-08-07"
+
+[[advisories]]
+name = "FreeBSD-SA-24:06.ktrace"
+date = "2024-08-07"
+
+[[advisories]]
+name = "FreeBSD-SA-24:05.pf"
+date = "2024-08-07"
+
 [[advisories]]
 name = "FreeBSD-SA-24:04.openssh"
 date = "2024-07-01"
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index 885339ab1d..47a42d0b59 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,10 @@
 # Sort errata notices by year, month and day
 # $FreeBSD$
 
+[[notices]]
+name = "FreeBSD-EN-24:14.ifconfig"
+date = "2024-08-07"
+
 [[notices]]
 name = "FreeBSD-EN-24:13.libc++"
 date = "2024-06-19"
diff --git a/website/static/security/advisories/FreeBSD-EN-24:14.ifconfig.asc b/website/static/security/advisories/FreeBSD-EN-24:14.ifconfig.asc
new file mode 100644
index 0000000000..b71e288bf5
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-24:14.ifconfig.asc
@@ -0,0 +1,150 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-24:14.ifconfig                                       Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Incorrect ifconfig netmask assignment
+
+Category:       core
+Module:         ifconfig
+Announced:      2024-08-07
+Affects:        FreeBSD 14.0 and later
+Corrected:      2024-06-15 15:24:59 UTC (stable/14, 14.1-STABLE)
+                2024-08-07 13:44:28 UTC (releng/14.1, 14.1-RELEASE-p3)
+                2024-08-07 13:44:41 UTC (releng/14.0, 14.0-RELEASE-p9)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+Prior to the advent of classless inter-domain routing (CIDR), the IPv4
+address space was divided into classes based on how many of an address's
+most-significant bits were set.  Since the class dictated the network
+mask, it was not necessary to specify the mask when configuring an
+interface.  Even after CIDR was introduced, FreeBSD continued to allow
+the network mask to be omitted, for backward compatibility reasons.
+
+II.  Problem Description
+
+When FreeBSD switched from using ioctl(2) to using Netlink sockets to
+configure network interfaces, the logic for determining the default mask
+in cases where one was not explicitly provided was inadvertantly
+inverted, resulting in class A addresses getting a prefix size of 24
+instead of 8, and vice versa for class C addresses.  Class B addresses
+were not affected.
+
+III. Impact
+
+FreeBSD hosts which still rely on default network mask assignment and
+have addresses in the old class A (0.0.0.0-127.255.255.255) or class C
+(192.0.0.0-223.255.255.255) ranges will have an incorrect network mask.
+The exact consequences will vary depending on the direction of the error
+and the relative positions of the affected host and its default router
+within the local address space.  Affected hosts should still be able to
+communicate with at least a subset of their local network, and may also
+be able to communicate with a subset of the wider network, but will
+typically lose the ability to communicate with any address which is not
+within both the actual local address space and the misconfigured local
+address space.  This may include their default router.
+
+IV.  Workaround
+
+Make sure to always specify either a network mask or a prefix size when
+adding IPv4 addresses to network interfaces.  For instance, in a VM with
+a paravirtualized network interface and an IPv4 address of 192.0.2.5
+(historically class C), use either of the following in /etc/rc.conf or
+/etc/rc.conf.d/network:
+
+    ifconfig_vtnet0="inet 192.0.2.5/24"
+
+or
+
+    ifconfig_vtnet0="inet 192.0.2.5 netmask 255.255.255.0"
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-24:14/ifconfig.patch
+# fetch https://security.FreeBSD.org/patches/EN-24:14/ifconfig.patch.asc
+# gpg --verify ifconfig.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              048ad7a9ef9f    stable/14-n267957
+releng/14.1/                            b9115dba07e8  releng/14.1-n267692
+releng/14.0/                            01792dd7f27b  releng/14.0-n265424
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:14.ifconfig.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazhZwACgkQbljekB8A
+Gu/6HBAA1PB3WA8wuqi2iebMvqZ1iM0Oh0sb9JotX8VFpO7zWpIHImITbLvWjYEm
+0YMb62mJNiKBVxRf0p1SWhOqRJcJAVNxU8U8wb6p7UJ2LXnLgU7t3kLNVdKN+Yq5
+jIMBOHpIJz/na/LsOEtxtneCvnNL+lOQ4NkHLKfFOUtf0PkAn2nUVnYyA+PGH/3l
+VQFxSCQCB3CxNMeiI5R2x9ZdaESfNdn/qh6vZcca2fl6seWMQaoqwzxrtBS1VXsR
+1LofhqJsOvIDOkKS5SFLIGMfPdETl2jmd+YrG9ujXWYcyvaQxfRE66RRT1AROCXb
++vD8MXc7q3gtjAV398iYdMwf7eqbPngX6xZCLPs6PR96eaa1tGTK0+cdan7CfHFB
+WahFo1md9kORCq2DLkLhekdJjy1+4J9KsMjGWLYRILZNPHU/IvAGFS1czFMPmTbm
+V1IHWeszDUPgjKlp0m59CsGjwcyJnIeZBnTMiMQ5EM29zEOUdgCayz2/v6JaEgwb
+7xCb5x0HzyR0hM4GDG8ccNe8VQFSm6McRSWb77zXnB5Lp2aCug9VwuUN1mJNdQVp
+3O5tm+Wd5HeA15YubO4aQ3aUTdsk92BZ9cxorn2dOTlE8vyxmqLk7KYs0644Dzmv
+IxRNYmBfb/trIWDLW7QZTVXtoSpTjdNvQG0+yEAFDTfTuAe0qVM=
+=+Q9R
+-----END PGP SIGNATURE-----
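Review bot: "inadvertantly" in section II (Problem Description) is misspelled and should read "inadvertently". The file is clearsigned, so the text has to be corrected and then re-signed; editing the .asc in place would invalidate the signature. Section V step 1 also carries the clause "or the i386 platform on FreeBSD 13" although the Affects line lists only FreeBSD 14.0 and later, so that clause can be dropped from this notice.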
diff --git a/website/static/security/advisories/FreeBSD-SA-24:05.pf.asc b/website/static/security/advisories/FreeBSD-SA-24:05.pf.asc
new file mode 100644
index 0000000000..0c6d2b859d
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:05.pf.asc
@@ -0,0 +1,155 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:05.pf                                         Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          pf incorrectly matches different ICMPv6 states in the state table
+
+Category:       core
+Module:         pf
+Announced:      2024-08-07
+Credits:        Enrico Bassetti e.bassetti@tudelft.nl
+                (Cybersecurity @ TU Delft, SPRITZ Group @ UniPD)
+Affects:        All supported versions of FreeBSD.
+Corrected:      2024-07-31 07:41:11 UTC (stable/14, 14.0-STABLE)
+                2024-08-07 13:44:25 UTC (releng/14.1, 14.1-RELEASE-p3)
+                2024-08-07 13:44:46 UTC (releng/14.0, 14.0-RELEASE-p9)
+                2024-07-31 07:41:12 UTC (stable/13, 13.3-STABLE)
+                2024-08-07 13:44:57 UTC (releng/13.3, 13.3-RELEASE-p5)
+CVE Name:       CVE-2024-6640
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+pf is an Internet Protocol packet filter originally written for OpenBSD.  pf
+uses a state table to determine whether to allow a packet that is from a
+known/already open transmission.  It identifies ICMPv6 states based on the
+address family, protocol, addresses, and the ID.
+
+Normally, states are created by outgoing packets, or by incoming packets
+matching 'pass' rules.  A packet that do not match any rule will be blocked
+or allowed depending on the default rule.
+
+ICMPv6 Neighbor Discovery has to be allowed in the firewall for IPv6 to work
+properly in broadcast networks, such as Ethernet.
+
+II.  Problem Description
+
+In ICMPv6 Neighbor Discovery (ND), the ID is always 0.  When pf is configured
+to allow ND and block incoming Echo Requests, a crafted Echo Request packet
+after a Neighbor Solicitation (NS) can trigger an Echo Reply.  The packet has
+to come from the same host as the NS and have a zero as identifier to match
+the state created by the Neighbor Discovery and allow replies to be
+generated.
+
+III. Impact
+
+ICMPv6 packets with identifier value of zero bypass firewall rules written on
+the assumption that the incoming packets are going to create a state in the
+state table.
+
+IV.  Workaround
+
+No workaround is available but systems not using the pf firewall are not
+affected.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.3]
+# fetch https://security.FreeBSD.org/patches/SA-24:05/pf-13.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:05/pf-13.patch.asc
+# gpg --verify pf.patch.asc
+
+[FreeBSD 14.0 & FreeBSD 14.1]
+# fetch https://security.FreeBSD.org/patches/SA-24:05/pf-14.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:05/pf-14.patch.asc
+# gpg --verify pf.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              3382c691dc6a    stable/14-n268277
+releng/14.1/                            a66d33fcf334  releng/14.1-n267690
+releng/14.0/                            ca9580967e74  releng/14.0-n265428
+stable/13/                              05f91f8dd5ce    stable/13-n258160
+releng/13.3/                            5eb30c313cb0  releng/13.3-n257443
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6640>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:05.pf.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazhasACgkQbljekB8A
+Gu9/0Q//S/qcyIxnQ1V8Gz8ghAQuJu8OlTdYV9OexFSKExcbc9FYK6LwhSUfPtHf
+Bx9KowhQCH2D1X33qHRUCWVhDMhgpvHmg/+ajnm0IP/+nc+ZnNFCC0Ew5b/mk7Uw
+jQAxW54/RSe1Cnl11T4RTcPI7YhGTej8T5T8dm2TlCdTI3m7xS/zfR3e4x89yrmW
+gVUBG54udbSSzxMDJk2rbr9anoinzaI0eiXY/rnb729OTU6y4SmJ9ZZZwXs+bRpP
+AUE7Zgj7pNrWC1CxTMy6XLdPE/L/8Yxz9mOFpyJcHahoEHcMH+5DKQePGa4mQgnS
+N8Srtrxx3Ipz5/zzOPr+O0BbOh8m7KMXU/J8Y3aHpUzbnr+IfGEUHBukN93M3qbV
+Qkw9iW+5HZ45P16Fyaj2cq7He7F39/7B/DhfjLldbUOnWGPmn3JrWkvONL++iAyI
++vOrfGubyTtwgSdZGDcv+FUrL6af6nQzFBBgv4z4TpHN+BTcwA5c6JwuOlvMc5ZY
+ISh8WItjxmK5Gh27H7JBGKwWDnKYjqkRcgJ7QZd7dmjo2bzOlnKV0eYk51eBvoIh
+FV4YGAgMPxCJGBrl54/0F5+C8zl0cjNlEhnyyl2IEBbPbnfmvpNw3tMbJdPfEUhF
+DK+j5IkDU/4sNrV/dmeD+K+u/3xgDxtUv6IjH2odmADtlCbOV80=
+=/mRR
+-----END PGP SIGNATURE-----
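Review bot: In section V step 2a both verification commands read "gpg --verify pf.patch.asc", but the files fetched on the two lines above each are pf-13.patch.asc and pf-14.patch.asc, so the command as written names a signature file the reader never downloaded. Use "gpg --verify pf-13.patch.asc" under [FreeBSD 13.3] and "gpg --verify pf-14.patch.asc" under [FreeBSD 14.0 & FreeBSD 14.1], so that the signature check is not skipped when the copied command fails. Smaller points in the same file: the Corrected line gives stable/14 as 14.0-STABLE where the other advisories in this commit give 14.1-STABLE, "A packet that do not match" in section I should be "does not match", and the References entry uses cve.mitre.org where the other advisories link www.cve.org.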
diff --git a/website/static/security/advisories/FreeBSD-SA-24:06.ktrace.asc b/website/static/security/advisories/FreeBSD-SA-24:06.ktrace.asc
new file mode 100644
index 0000000000..1c157f0203
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:06.ktrace.asc
@@ -0,0 +1,139 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:06.ktrace                                     Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          ktrace(2) fails to detach when executing a setuid binary
+
+Category:       core
+Module:         ktrace
+Announced:      2024-08-07
+Affects:        All supported versions of FreeBSD
+Corrected:      2024-08-07 13:41:53 UTC (stable/14, 14.1-STABLE)
+                2024-08-07 13:44:29 UTC (releng/14.1, 14.1-RELEASE-p3)
+                2024-08-07 13:44:47 UTC (releng/14.0, 14.0-RELEASE-p9)
+                2024-08-07 13:42:10 UTC (stable/13, 13.3-STABLE)
+                2024-08-07 13:44:59 UTC (releng/13.3, 13.3-RELEASE-p5)
+CVE Name:       CVE-2024-6760
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The ktrace utility enables kernel trace logging for the specified processes,
+commonly used for diagnostic or debugging purposes.  The kernel operations
+that are traced include system calls, namei translations, signal processing,
+and I/O as well as data associated with these operations.
+
+II.  Problem Description
+
+A logic bug in the code which disables kernel tracing for setuid programs
+meant that tracing was not disabled when it should have, allowing
+unprivileged users to trace and inspect the behavior of setuid programs.
+
+III. Impact
+
+The bug may be used by an unprivileged user to read the contents of files to
+which they would not otherwise have access, such as the local password
+database.
+
+IV.  Workaround
+
+No workaround is available.
+
+I/O tracing can be disabled by setting the kern.ktrace.genio_size sysctl to
+0, but other information recorded by ktrace, such as system call arguments,
+can still be leaked.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-24:06/ktrace.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:06/ktrace.patch.asc
+# gpg --verify ktrace.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              8b400c8488f0    stable/14-n268423
+releng/14.1/                            22d04990cee5  releng/14.1-n267693
+releng/14.0/                            c39fb98e4740  releng/14.0-n265429
+stable/13/                              f702110bc4bc    stable/13-n258224
+releng/13.3/                            769536bcb5c3  releng/13.3-n257445
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://www.cve.org/CVERecord?id=CVE-2024-6760>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:06.ktrace.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazha0ACgkQbljekB8A
+Gu/6ThAAvKUJFwdRV/rSRyGEOTWJE+dv1Qig000xhD6g42yKpfGShaNFUTSvMPG+
+kLtpN41SRN/LXyNyQfk3GL2SmphB2V9nlJ+FM2PEmi4hMrWoiNi6uX9MmSheFbp3
+QbDAh5+2sRo66AUXjUX118cK1ruqQjRRMVSW6D8hOeDv64Wvg01L0R3ls1ZsdXYL
+5wYuTRNh2ciyMEHQ0QUz8X38qebdPSV/8aVNSZYinwtYE+wGWbpmUCQoqgtLlnT9
+3UqIy68KVj4+TNYoZuQkK5/Ur9YG884YlNpzsJ6peX8U0gjQhG1BfqEPAylTZn/6
+vPp0LtJ0fRRZs0a6XJQ+rBxhuh22vLLFLXI9jSthCcNdJhRFFnnY9nFoB0/EOpIH
+I6i94dEExCeGkWcpPB2wyrQGPcRTik9h57vsTaHcnEAPWu1fO2OckUILZVsMs7Yp
+WXePdrVfTke1hIzk5DAc5PYJ1IKcN49m/+GhXjLz8aCcy9RadJPpJDe2HSltgfTn
+xvxAudY+58f6518getIfvU4tAA1DVw2Y9zRoRhdlXLiVDayBkCOFRMMBY1cWOk9o
+aUnbQ9PYO2h7iyzSvqgWDLIy7fIdLZnyuflSVtJ4KUnetk2hU5kxb0VZFx10+z7l
+dsTyXGdb04olDMvURtgn5eQotbJzn+KLqi3vOmQ92uAGSsLeH70=
+=3iOc
+-----END PGP SIGNATURE-----
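Review bot: The opening paragraph of section V does not mention a reboot, although both update paths below it end with one ("shutdown -r" in step 1, "reboot the system" in step 2c). Add "and reboot" to that paragraph, as FreeBSD-SA-24:05.pf in this commit does, so a reader who stops at the summary does not keep running the unpatched kernel. In section IV, "No workaround is available." is immediately followed by a partial mitigation (setting kern.ktrace.genio_size to 0); wording such as "No complete workaround is available" would avoid the contradiction. In section II, "when it should have" is missing "been".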
diff --git a/website/static/security/advisories/FreeBSD-SA-24:07.nfsclient.asc b/website/static/security/advisories/FreeBSD-SA-24:07.nfsclient.asc
new file mode 100644
index 0000000000..ee3f20bf8b
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:07.nfsclient.asc
@@ -0,0 +1,145 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:07.nfsclient                                  Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          NFS client accepts file names containing path separators
+
+Category:       core
+Module:         NFS client
+Announced:      2024-08-07
+Credits:        Apple Security Engineering and Architecture (SEAR)
+Affects:        All supported versions of FreeBSD
+Corrected:      2024-07-27 03:54:45 UTC (stable/14, 14.1-STABLE)
+                2024-08-07 13:44:21 UTC (releng/14.1, 14.1-RELEASE-p3)
+                2024-08-07 13:44:39 UTC (releng/14.0, 14.0-RELEASE-p9)
+                2024-07-28 04:14:54 UTC (stable/13, 13.3-STABLE)
+                2024-08-07 13:44:52 UTC (releng/13.3, 13.3-RELEASE-p5)
+CVE Name:       CVE-2024-6759
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The Network File System (NFS) is a distributed file system that allows remote
+systems to access files and directories over a network as if they were local.
+FreeBSD includes both server and client implementations of NFS.
+
+II.  Problem Description
+
+When mounting a remote filesystem using NFS, the kernel did not sanitize
+remotely provided filenames for the path separator character, "/".  This
+allows readdir(3) and related functions to return filesystem entries with
+names containing additional path components.
+
+III. Impact
+
+The lack of validation described above gives rise to a confused deputy
+problem.  For example, a program copying files from an NFS mount could be
+tricked into copying from outside the intended source directory, and/or to a
+location outside the intended destination directory.
+
+IV.  Workaround
+
+No workaround is available.  Note that for the problem to occur, the NFS
+server would have to deliberately inject altered paths into RPC replies, or
+a MITM would have to be altering NFS traffic.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.3]
+# fetch https://security.FreeBSD.org/patches/SA-24:07/nfclient-13.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:07/nfclient-13.patch.asc
+# gpg --verify nfsclient-13.patch.asc
+
+[FreeBSD 14.0 & FreeBSD 14.1]
+# fetch https://security.FreeBSD.org/patches/SA-24:07/nfclient-14.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:07/nfclient-14.patch.asc
+# gpg --verify nfsclient-14.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              9328ded386d5    stable/14-n268239
+releng/14.1/                            8533e927afc1  releng/14.1-n267686
+releng/14.0/                            4e7bf17e9db8  releng/14.0-n265422
+stable/13/                              0172b5145ad9    stable/13-n258140
+releng/13.3/                            3d5cb2b9a97c  releng/13.3-n257439
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://www.cve.org/CVERecord?id=CVE-2024-6759>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:07.nfsclient.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazha8ACgkQbljekB8A
+Gu80VxAAsDhdNW5FHcXEBZXbfR6fsShdWGQo8rCY1R1Buq8uhPI4bdzXCFrgUKM7
+Rm5P+zfZNcTYtM0epU1Fiz2BhjsKVfKIOMIBmuMik9xMBfeHnTihKGFBZ+TFj7i8
+1Kv/NE+oCn99jKZS7sZVNBvdbDMNBq4Em0vixXGRnKlEpa3r8b7niLuB0rHa97//
+gzIP5GvhUTsMaw3TwCAkVnZDrx+AoAU0dbLVIFf07P4mEt7StGd76C1dq4a6+3ZV
+s3Gqm16H8nYan5NJzpH2SIhcav4YyDuSD1eS8isyLn5bybpROdYQT7tCAfplpR2X
+pX0oQ8FRlslodV/wWaGNnCTNTYoSTj0jf77CM4fd8ERdKKmhC6x9zHsDyJBzH5Ku
+E6JlY9IvM0fL2N4KPDpNjF/U8RmNWDcxxaaou/6uohWdg977CX8uP1wfSL/4Sw6u
+SvqfDwwqd5BRE4KiqMFE024zgeogeJU7i21747HKs4nxWlNuPhVrWRjrarRhYlc2
+M4l2te7OQMjVPtbYhO4DXnDMqNgN37Qf2srgBiAnlOpmRX5Trgj4pw6DGQlSVoWO
+xY8fO02xAZuRUKgNA/TEvmRVuZx0LaLkl49xQjB8DxSvggYVFbJaY2HpfjnktmN0
+ZuMlcw0h/cv9UEFn3FWy0147xN/cjXjozvACmDUWhG0LdiUcnzc=
+=tJAo
+-----END PGP SIGNATURE-----
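Review bot: The four fetch URLs in section V step 2a spell the files nfclient-13.patch and nfclient-14.patch (missing the "s"), while the diffstat of this commit adds nfsclient-13.patch and nfsclient-14.patch under patches/SA-24:07/ and the gpg --verify lines use the nfsclient spelling. The fetch commands therefore do not match the published file names, and the verify commands refer to files the fetch lines would not have produced. Change the URLs to nfsclient-13.patch, nfsclient-13.patch.asc, nfsclient-14.patch and nfsclient-14.patch.asc.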
diff --git a/website/static/security/advisories/FreeBSD-SA-24:08.openssh.asc b/website/static/security/advisories/FreeBSD-SA-24:08.openssh.asc
new file mode 100644
index 0000000000..c9aefa9e68
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:08.openssh.asc
@@ -0,0 +1,150 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:08.openssh                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          OpenSSH pre-authentication async signal safety issue
+
+Category:       contrib
+Module:         openssh
+Announced:      2024-08-07
+Affects:        All supported versions of FreeBSD.
+Corrected:      2024-08-06 19:43:54 UTC (stable/14, 14.1-STABLE)
+                2024-08-07 13:44:26 UTC (releng/14.1, 14.1-RELEASE-p3)
+                2024-08-07 13:44:40 UTC (releng/14.0, 14.0-RELEASE-p9)
+                2024-08-06 19:46:19 UTC (stable/13, 13.3-STABLE)
+                2024-08-07 13:44:58 UTC (releng/13.3, 13.3-RELEASE-p5)
+CVE Name:       CVE-2024-7589
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+OpenSSH is an implementation of the SSH protocol suite, providing an
+encrypted and authenticated transport for a variety of services, including
+remote shell access.
+
+II.  Problem Description
+
+A signal handler in sshd(8) may call a logging function that is not async-
+signal-safe.  The signal handler is invoked when a client does not
+authenticate within the LoginGraceTime seconds (120 by default).  This signal
+handler executes in the context of the sshd(8)'s privileged code, which is
+not sandboxed and runs with full root privileges.
+
+This issue is another instance of the problem in CVE-2024-6387 addressed by
+FreeBSD-SA-24:04.openssh.  The faulty code in this case is from the
+integration of blacklistd in OpenSSH in FreeBSD.
+
+III. Impact
+
+As a result of calling functions that are not async-signal-safe in the
+privileged sshd(8) context, a race condition exists that a determined
+attacker may be able to exploit to allow an unauthenticated remote code
+execution as root.
+
+IV.  Workaround
+
+If sshd(8) cannot be updated, this signal handler race condition can be
+mitigated by setting LoginGraceTime to 0 in /etc/ssh/sshd_config and
+restarting sshd(8).  This makes sshd(8) vulnerable to a denial of service
+(the exhaustion of all MaxStartups connections), but makes it safe from the
+remote code execution presented in this advisory.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date, and
+restart sshd.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-24:08/openssh.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:08/openssh.patch.asc
+# gpg --verify openssh.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              73466449a9bf    stable/14-n268414
+releng/14.1/                            450425089212  releng/14.1-n267691
+releng/14.0/                            c4ade13d5498  releng/14.0-n265423
+stable/13/                              d5f16ef6463d    stable/13-n258221
+releng/13.3/                            f41c11d7f209  releng/13.3-n257444
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://www.cve.org/CVERecord?id=CVE-2006-5051>
+
+<URL:https://www.cve.org/CVERecord?id=CVE-2024-6387>
+
+<URL:https://www.cve.org/CVERecord?id=CVE-2024-7589>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:08.openssh.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazhbIACgkQbljekB8A
+Gu8uDBAA6gj9o4DXfVMHeZCFKr3WT/g3wPbilTk2xmvzkYoCkAMFC2PZ48wbxK7U
+/tXvVC5Hs7OO0jkZXgCNiLsUe4kzgEPeutsyi3x5i6uWlLA+I03UZyPdwFgkBM75
+w4IYeut6nMfiozJmiy7ekmxdjO1f+IGMy/yoa46gUr0524TyNjqF//p1wAePTF75
+WgvZrGEildEuZk6lHp3/sm1fmv4HxG5EmNmzlzWcj/jjMnOAe5Cbf8qpcKe42V5Y
+vBj8Cm6lVtOaviuT4XXnmkQro3uejeUq6z+LYwM7Pcs26OIeRgz9kzLNB2EXEwR7
+GNJDwzUbKvaOfvTnZao8KWqdw3fbS9Un39SJAAs32Y+5sqAcUnmRbdHa1pEFZ2rx
+F9moYxZ3/xuQhxzNmMqXMyAfWrlJcoX1Tc5hVSh2Rn0TWpH17BMTs3FVdtoaP2iG
+owhwdPLXBvePkNa/FSARVfhunrFDIBEwBQd3pN5TJRCmKdzvNqmxJsL6Z2y7Ib48
+EkFaw90t9kRg1+87YUjMQlhwNVww/yLzDzdZ137bRAeJtP3i7ZdbEVqUZGQvubCE
+2eDDaYuEj4RM3UElIlHRj2Z8YlXgfmgr2BcbLpqgP3cXw6McS0POG4Pw4z4Wyshn
+prFtFlMFqJbAqlNQkXfdVquu/V8BSay0iLaEy69t4KBVp4DFsf4=
+=TDgI
+-----END PGP SIGNATURE-----
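Review bot: Section IV (Workaround) says that setting LoginGraceTime to 0 leaves sshd(8) open to exhaustion of all MaxStartups connections, but neither it nor section V tells the reader to restore the previous LoginGraceTime once the update is installed. A sentence to that effect would keep patched hosts from remaining in the denial-of-service-prone configuration. In step 2a, "gpg --verify openssh.patch.asc" leaves gpg to infer the data file from the signature name; naming both files ("gpg --verify openssh.patch.asc openssh.patch") makes explicit which file was checked. Step 2c ends with the generic "Restart the applicable daemons, or reboot the system" where the opening of section V already names sshd; repeating the name there would be clearer.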
diff --git a/website/static/security/patches/EN-24:14/ifconfig.patch b/website/static/security/patches/EN-24:14/ifconfig.patch
new file mode 100644
index 0000000000..80bc33028f
--- /dev/null
+++ b/website/static/security/patches/EN-24:14/ifconfig.patch
@@ -0,0 +1,26 @@
+--- sbin/ifconfig/af_inet.c.orig
++++ sbin/ifconfig/af_inet.c
+@@ -440,7 +440,7 @@
+ static void
+ in_setdefaultmask_nl(void)
+ {
+-        struct in_px *px = sintab_nl[ADDR];
++	struct in_px *px = sintab_nl[ADDR];
+ 
+ 	in_addr_t i = ntohl(px->addr.s_addr);
+ 
+@@ -451,11 +451,11 @@
+ 	 * we should return an error rather than warning.
+ 	 */
+ 	if (IN_CLASSA(i))
+-		px->plen = IN_CLASSA_NSHIFT;
++		px->plen = 32 - IN_CLASSA_NSHIFT;
+ 	else if (IN_CLASSB(i))
+-		px->plen = IN_CLASSB_NSHIFT;
++		px->plen = 32 - IN_CLASSB_NSHIFT;
+ 	else
+-		px->plen = IN_CLASSC_NSHIFT;
++		px->plen = 32 - IN_CLASSC_NSHIFT;
+ 	px->maskset = true;
+ }
+ #endif
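Review bot: The three assignments in in_setdefaultmask_nl() now use a bare 32 ("px->plen = 32 - IN_CLASSA_NSHIFT;") with no comment explaining why the subtraction is needed. A short comment that IN_CLASS*_NSHIFT is the host-bit shift, while px->plen holds the prefix length, would keep the original mistake from being reintroduced. The first hunk changes only the indentation of "struct in_px *px = sintab_nl[ADDR];" from spaces to a tab; in an errata patch that whitespace cleanup is better kept separate from the functional fix so the change to review is limited to the three plen lines.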
diff --git a/website/static/security/patches/EN-24:14/ifconfig.patch.asc b/website/static/security/patches/EN-24:14/ifconfig.patch.asc
new file mode 100644
index 0000000000..0019542641
--- /dev/null
+++ b/website/static/security/patches/EN-24:14/ifconfig.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazhaMACgkQbljekB8A
+Gu/swxAAzAKd+3rr/cfRw0A2eh264D+y29FyjsMONJ7MUeGil8yHLAW1mF35uVAl
+7VVeGM2z3KMkuI57yrmV2qqFmY5kmHMaJQ806JfC8a7QmwSpFb34P7Ti3JgnQBPw
+8+iaa0PkbBKkj4SM3D5RRCic+oz5XxFg8gjsFzJwil6t48rsZuqGby6U/MUtswbz
+NI4Qs/koxjuyWwougPqEcqL3feCO3leV4dXV6V211nT+zRlrFf0p4/bzbN4hRz81
+xn+w7xrwB85LxOyuz8XLb/Akqih+g/AXZf4hOBxDlPdVWdYmMBG8Ze1QIuO1Drzj
+1cxGAuzxzJEKWNjIuXvDxebLA9PbF+S/BYl+a8bFETBBnfazylA0ONYsU+CjOnYB
+RhJT7Z+65hFVNK3DqfQ7B0PYXwkZgZC60I4Kfl3FOu9RnM5R+aYxRhfhjKZBdIA5
+rTftpcUWt9ZDs0ZuHLTcNcwcmUrJ6Kb/qy8Q7yZ8XJHm8GD63fOLYZ5ayBCZsG3u
+EoEJ0/lz4u4A6mRkfGG08MT0Rv0ek6B0lVURlgS7lSmiLRTRCzJ8n0IzXJq3w8xl
+53Q0GDH+UNBJlM2H8QKNTb5+Dl0AlOm/C6MbGci+8xdTRp7bPeU5rfsh9vHUQ1vn
+fUatggjLfsgWJHRnQD4t8ll0yz7muppsDj02ejGn6DcDUZ5Xots=
+=iSB0
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-24:05/pf-13.patch b/website/static/security/patches/SA-24:05/pf-13.patch
new file mode 100644
index 0000000000..e41ace722d
--- /dev/null
+++ b/website/static/security/patches/SA-24:05/pf-13.patch
@@ -0,0 +1,615 @@
+--- sys/netpfil/pf/pf.c.orig
++++ sys/netpfil/pf/pf.c
+@@ -276,6 +276,8 @@
+ 			    u_int16_t, u_int8_t, sa_family_t);
+ static int		 pf_modulate_sack(struct mbuf *, int, struct pf_pdesc *,
+ 			    struct tcphdr *, struct pf_state_peer *);
++int			 pf_icmp_mapping(struct pf_pdesc *, u_int8_t, int *,
++			    int *, u_int16_t *, u_int16_t *);
+ static void		 pf_change_icmp(struct pf_addr *, u_int16_t *,
+ 			    struct pf_addr *, struct pf_addr *, u_int16_t,
+ 			    u_int16_t *, u_int16_t *, u_int16_t *,
+@@ -316,6 +318,10 @@
+ static int		 pf_test_state_udp(struct pf_kstate **, int,
+ 			    struct pfi_kkif *, struct mbuf *, int,
+ 			    void *, struct pf_pdesc *);
++int			 pf_icmp_state_lookup(struct pf_state_key_cmp *,
++			    struct pf_pdesc *, struct pf_kstate **, struct mbuf *,
++			    int, struct pfi_kkif *, u_int16_t, u_int16_t,
++			    int, int *, int);
+ static int		 pf_test_state_icmp(struct pf_kstate **, int,
+ 			    struct pfi_kkif *, struct mbuf *, int,
+ 			    void *, struct pf_pdesc *, u_short *);
+@@ -369,6 +375,7 @@
+ extern struct proc *pf_purge_proc;
+ 
+ VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MAX]);
++enum { PF_ICMP_MULTI_NONE, PF_ICMP_MULTI_SOLICITED, PF_ICMP_MULTI_LINK };
+ 
+ #define	PACKET_UNDO_NAT(_m, _pd, _off, _s, _dir)		\
+ 	do {								\
+@@ -1689,6 +1696,172 @@
+ 	return (false);
+ }
+ 
++int
++pf_icmp_mapping(struct pf_pdesc *pd, u_int8_t type,
++    int *icmp_dir, int *multi, u_int16_t *virtual_id, u_int16_t *virtual_type)
++{
++	/*
++	 * ICMP types marked with PF_OUT are typically responses to
++	 * PF_IN, and will match states in the opposite direction.
++	 * PF_IN ICMP types need to match a state with that type.
++	 */
++	*icmp_dir = PF_OUT;
++	*multi = PF_ICMP_MULTI_LINK;
++	/* Queries (and responses) */
++	switch (pd->af) {
++#ifdef INET
++	case AF_INET:
++		switch (type) {
++		case ICMP_ECHO:
++			*icmp_dir = PF_IN;
++		case ICMP_ECHOREPLY:
++			*virtual_type = ICMP_ECHO;
++			*virtual_id = pd->hdr.icmp.icmp_id;
++			break;
++
++		case ICMP_TSTAMP:
++			*icmp_dir = PF_IN;
++		case ICMP_TSTAMPREPLY:
++			*virtual_type = ICMP_TSTAMP;
++			*virtual_id = pd->hdr.icmp.icmp_id;
++			break;
++
++		case ICMP_IREQ:
++			*icmp_dir = PF_IN;
++		case ICMP_IREQREPLY:
++			*virtual_type = ICMP_IREQ;
++			*virtual_id = pd->hdr.icmp.icmp_id;
++			break;
++
++		case ICMP_MASKREQ:
++			*icmp_dir = PF_IN;
++		case ICMP_MASKREPLY:
++			*virtual_type = ICMP_MASKREQ;
++			*virtual_id = pd->hdr.icmp.icmp_id;
++			break;
++
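Review bot: In the new pf_icmp_mapping(), each request case (ICMP_ECHO, ICMP_TSTAMP, ICMP_IREQ, ICMP_MASKREQ) sets "*icmp_dir = PF_IN;" and then falls into the matching reply case with no annotation. The fall-through looks intentional, but a /* FALLTHROUGH */ comment on each would make that explicit and keep compilers and static analysers from flagging it. The added prototypes for pf_icmp_mapping() and pf_icmp_state_lookup() are declared without static, although every neighbouring prototype in these hunks is static; if nothing outside pf.c calls them, they should be static too, otherwise the declarations belong in a header. The PF_ICMP_MULTI_* enum is placed directly under the VNET_DEFINE line with no comment saying what the three values select.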
*** 1747 LINES SKIPPED ***