git: ccb8730e4a - main - Add EN-24:10 through EN-24:13.
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 19 Jun 2024 20:55:52 UTC
The branch main has been updated by gordon:
URL: https://cgit.FreeBSD.org/doc/commit/?id=ccb8730e4a6c4fc35167f59327e9ce11247c2462
commit ccb8730e4a6c4fc35167f59327e9ce11247c2462
Author: Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2024-06-19 20:54:36 +0000
Commit: Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2024-06-19 20:54:36 +0000
Add EN-24:10 through EN-24:13.
Approved by: so
---
website/data/security/errata.toml | 16 ++
.../security/advisories/FreeBSD-EN-24:10.zfs.asc | 130 +++++++++++++
.../security/advisories/FreeBSD-EN-24:11.ldns.asc | 152 +++++++++++++++
.../advisories/FreeBSD-EN-24:12.killpg.asc | 132 +++++++++++++
.../advisories/FreeBSD-EN-24:13.libc++.asc | 151 +++++++++++++++
website/static/security/patches/EN-24:10/zfs.patch | 10 +
.../static/security/patches/EN-24:10/zfs.patch.asc | 16 ++
.../static/security/patches/EN-24:11/ldns.patch | 207 +++++++++++++++++++++
.../security/patches/EN-24:11/ldns.patch.asc | 16 ++
.../static/security/patches/EN-24:12/killpg.patch | 63 +++++++
.../security/patches/EN-24:12/killpg.patch.asc | 16 ++
.../static/security/patches/EN-24:13/libc++.patch | 16 ++
.../security/patches/EN-24:13/libc++.patch.asc | 16 ++
13 files changed, 941 insertions(+)
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index 702576a943..885339ab1d 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,22 @@
# Sort errata notices by year, month and day
# $FreeBSD$
+[[notices]]
+name = "FreeBSD-EN-24:13.libc++"
+date = "2024-06-19"
+
+[[notices]]
+name = "FreeBSD-EN-24:12.killpg"
+date = "2024-06-19"
+
+[[notices]]
+name = "FreeBSD-EN-24:11.ldns"
+date = "2024-06-19"
+
+[[notices]]
+name = "FreeBSD-EN-24:10.zfs"
+date = "2024-06-19"
+
[[notices]]
name = "FreeBSD-EN-24:09.zfs"
date = "2024-04-24"
diff --git a/website/static/security/advisories/FreeBSD-EN-24:10.zfs.asc b/website/static/security/advisories/FreeBSD-EN-24:10.zfs.asc
new file mode 100644
index 0000000000..28b188812c
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-24:10.zfs.asc
@@ -0,0 +1,130 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-24:10.zfs Errata Notice
+ The FreeBSD Project
+
+Topic: Kernel memory leak in ZFS
+
+Category: core
+Module: openzfs
+Announced: 2024-06-19
+Affects: FreeBSD 14.1
+Corrected: 2024-06-17 14:35:24 UTC (stable/14, 14.1-STABLE)
+ 2024-06-19 20:36:48 UTC (releng/14.1, 14.1-RELEASE-p1)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+ZFS is an advanced and scalable file system originally developed by Sun
+Microsystems for its Solaris operating system. ZFS was integrated as part of
+the FreeBSD starting with FreeBSD 7.0, and it has since become a prominent
+and preferred choice for storage management.
+
+II. Problem Description
+
+When writing data to a file on ZFS, the kernel may need to handle soft
+page faults that can occur when accessing user data. When doing so, in
+some cases ZFS needs to undo an earlier kernel buffer allocation. A bug
+in the handling of these cases causes this buffer to be leaked.
+
+III. Impact
+
+The leaked kernel memory is effectively lost and cannot be reused for
+other purposes. Some workloads may trigger the leak frequently,
+eventually requiring a reboot of the system.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# reboot
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-24:10/zfs.patch
+# fetch https://security.FreeBSD.org/patches/EN-24:10/zfs.patch.asc
+# gpg --verify zfs.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 1c27279ed22d stable/14-n267965
+releng/14.1/ f566b7eb8d94 releng/14.1-n267680
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276341>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:10.zfs.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmZzRTcACgkQbljekB8A
+Gu+zUQ/+IiSe/HQFSKrBwIxBxnlFQfTjNq02f14TPZghCTxNCWdGXXD6QR2d8ydZ
+bfryBwVsnnU3WlCPs6kyJfIlSp9vH2hqRJ+N5VyDvGkBUpWaGm0+ps5LGTQbGR8O
+ig/kIuRzNO0Mqi42MIse6UvozLAuahYA6sQ3nn6j/4grV7jiuxDCrfmfBOMLgN4D
+LZ87ApJM09lT2pe8x7hZBxk8wJKf6cWvpBjNh+zwPLc+oMvvIPkqiMjuy7ni7f/5
+K/GDf4i3XgTf9pdPAwLNZoTNb7UebKzRGWlxmdOie6FUDHIuEwoJledmhbOmH91G
+PKtHx2skFVKKtFXgfMGraK5FBpwkoJbIo1uCUamEoo4cGMGR92ErP/MVa6MsIs3Z
+pLq1M/eN9aYQHCogb1uirQVZAutJhNJ9QsQo0rBJNgLE9l1UPnSIJ6CLpW83nY1f
+8eedQKyfwMYL5jivH/aKEsd/vzqInAiFU55oO64OPvgKv3pj3TgIECoc9kfdfXc7
+VR2yfNy8CKd/exb+CRqgeJGT8LaL2Wy66pUd9usIc/mNola8ce0uuPDc0703b5ob
+xfCorrd3gRhNB+Od3wrs4p7tzwqndfo5882w9EXEhuhubfft9voRTzpDvSe0y3ib
+YPY6EnHWSYAP56+f/shnworMxYtYrUipBYQVYxLBBtdV7DsYuKo=
+=YxSw
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-24:11.ldns.asc b/website/static/security/advisories/FreeBSD-EN-24:11.ldns.asc
new file mode 100644
index 0000000000..0c58c2d9f0
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-24:11.ldns.asc
@@ -0,0 +1,152 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-24:11.ldns Errata Notice
+ The FreeBSD Project
+
+Topic: LDNS uses nameserver commented out in resolv.conf
+
+Category: contrib
+Module: ldns
+Announced: 2024-06-19
+Credits: Michael Gmelin <grembo@FreeBSD.org>
+ Dag-Erling Smørgrav <des@FreeBSD.org>
+Affects: FreeBSD 13.3 and FreeBSD 14.0.
+Corrected: 2024-05-20 09:04:54 UTC (stable/14, 14.0-STABLE)
+ 2024-06-19 20:36:59 UTC (releng/14.0, 14.0-RELEASE-p7)
+ 2024-05-20 09:04:59 UTC (stable/13, 13.3-STABLE)
+ 2024-06-19 20:37:08 UTC (releng/13.3, 13.3-RELEASE-p3)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+LDNS is a DNS library that facilitates DNS tool programming.
+
+II. Problem Description
+
+Due to a bug in the library's configuration file parser, commented out
+configuration settings in /etc/resolv.conf were picked up by the LDNS
+resolver, potentially leading to malfunction and/or information leakage.
+
+This included, but was not limited to, the nameserver setting. Given
+this example
+
+ # /etc/resolv.conf
+
+ # nameserver 8.8.8.8
+ nameserver 127.0.0.1
+
+DNS requests were sent to the commented out external resolver instead
+of the local one.
+
+III. Impact
+
+Programs using the LDNS library might behave in unexpected ways. Name
+resolution could be inconsistent with what other tools which use libc
+return, e.g., `ping` vs. `host`. DNS request containing private
+information could leak to third parties. A system's attack surface is
+increased.
+
+Affected tools include host(1), drill(1), and ssh(1), which uses
+LDNS in the VerifyHostKeyDNS feature to fetch SSHFP records.
+
+IV. Workaround
+
+Removing empty lines from /etc/resolv.conf mitigates the problem:
+
+ sed -i '' '/^[[:space:]]*$/d' /etc/resolv.conf
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-24:11/ldns.patch
+# fetch https://security.FreeBSD.org/patches/EN-24:11/ldns.patch.asc
+# gpg --verify ldns.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the library, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 7daf36028411 stable/14-n267742
+releng/14.0/ bdf75e830a77 releng/14.0-n265418
+stable/13/ e95e16191f63 stable/13-n257915
+releng/13.3/ d45cf1d2f124 releng/13.3-n257434
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278721>
+
+<URL:https://github.com/NLnetLabs/ldns/issues/237>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:11.ldns.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmZzRTkACgkQbljekB8A
+Gu9BYBAApSQZbv3wgT5PhJRsaCulmOZOH5gywlVdaBA1I4sDF3on0CFwLQfy7lLH
+q2xFEfll5vBVbfGCVp2zVBgb4IyknqMgf8Ae4uBEEJJejRgxxnFTnQmdlzg7a8TR
+9UW3g6QB/5tUIGrxFqIdx4qRAQz1ie6NwR+KvP8ojXk0xVscKIaijXACbmAgT6nH
+HygG7snrB9VmMMlRIHYhoarhRBd+aX68Jg3F+yGUX76FB4HVMSFMYo0fEWgi7SQ3
+psZfq54GvCH+kSvYduXS3QkTJ7N/S9p6JAVraRlJmFnjQ69qE7u59bc68zW0D2pn
+Pj6/c0OZtWE2SQGqCuqgnBffjArisAJ/BKiK/XeO8B1fSvaVKJToR18+6KGTmc0f
+nnqQLxFeGbh5gHHcM8QaLBJFUgm5TVvdevcDmLuiVMSvQyt5iC6rIGwb3UNYAnW7
+w/UFSresVKppsB2JDqyGjaSf2FI00rYIKHChZ8nkKYPMhb6V/TJZr3k25/3idbvi
+6zO7wfbOhwAYQ44Mg/gY/v206qpoYiZO2tMQazbiicOqBOQBYWdXsojYhCB6qkyU
+++kBNAMugpOAsDkIvN9mWLniRnvycrbEqthQlmfR7X3tZRiuz+0S1alx03Z5VsP6
+zM5//i6W2Lt8DmX34zQDeQAMTZXD3bG1JSe2UbKyZkL20vrSTfg=
+=lQUa
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-24:12.killpg.asc b/website/static/security/advisories/FreeBSD-EN-24:12.killpg.asc
new file mode 100644
index 0000000000..eac987cede
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-24:12.killpg.asc
@@ -0,0 +1,132 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-24:12.killpg Errata Notice
+ The FreeBSD Project
+
+Topic: Lock order reversal in killpg causing livelock
+
+Category: core
+Module: kern
+Announced: 2024-06-19
+Credits: Peter Holm <pho@FreeBSD.org>
+ Konstantin Belousov <kib@FreeBSD.org>
+ Michael Gmelin <grembo@FreeBSD.org>
+Affects: FreeBSD 13.3
+Corrected: 2024-05-22 23:47:55 UTC (stable/13, 13.3-STABLE)
+ 2024-06-19 20:37:09 UTC (releng/13.3, 13.3-RELEASE-p3)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+killpg(2) is a system call that sends signals to process groups.
+In order to prevent race conditions with the fork(2) system call,
+locking is required.
+
+II. Problem Description
+
+The code designed to prevent lock order reversals between killpg(2)
+and fork(2) did not wait for lock availability before retrying to
+acquire a lock, which could result in a livelock causing very high
+system load.
+
+III. Impact
+
+Affected machines are practically unusable. They recover if the
+processes causing the load are killed.
+
+IV. Workaround
+
+No workaround is available. Systems that fork a lot are more likely to
+to hit this problem.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10m "Rebooting for a stability patch"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-24:12/killpg.patch
+# fetch https://security.FreeBSD.org/patches/EN-24:12/killpg.patch.asc
+# gpg --verify killpg.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ cd73b38955f6 stable/13-n257926
+releng/13.3/ eb410545d00d releng/13.3-n257435
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=279203>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:12.killpg.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmZzRTsACgkQbljekB8A
+Gu9uEA//cITydBAKrRYsf6xP1z/tDmKR3DqAkQYYytFGFI35lsvM6iN77wq5QFW4
+5i1nVS1+YMPINlI9jXCfgoEsA8KAC2l8untSKHRh0uR8TzFak6BWTjbnCBFYd1K/
+I0bnc38FeRDjMEPyCDmiq26aU7WZ0Ftjb5mgf0PUn09pX9hP8/MXa1FTxkwyWq5Y
+9RZXNXUSAEug9+uCgJqzl4CiYzqbaxHZ3ich6Erd955gDb72LwxHHkWiq0ADi35K
+d0C8LipwtpKCYoo1dfXkLnoPo0loDt18pzSIx0svmUQinlipfwSbGxuZ31NiLLgE
+bEzc6OFhV1D0WhIxM8z+kunTmWAY5/Uo5YHARulD406SS27GWp0s8fEbnN4rcnPG
+m5cPNQYXemBjRB2LnqoocgczkEHNVHr+ZuN3/mPSadS/m4llavj8xqGlrdDB1eLT
+LCkSSnF/4kBLZyHO7C5hJHQseRoWpLd/hR+h4Q/nnTsU2mbelhFm0C297mPWpt+D
+8RHxOshrA8WryQCVEqJmC63bmA3MtmqyuMhpi3+c4Iy4bvj2GKGcdsB0E4JugbMf
+5zg+muywBmIQMYIIFrdRN0i3BW8y6KPvgokoBPUfnCsdS65WWlLBQLxKpfDHCkzl
+juEZY5CUGvBnc3eFtLOzEvriFY7tAhephW0ZSal0wMyHw2NbE7E=
+=5wI2
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-24:13.libc++.asc b/website/static/security/advisories/FreeBSD-EN-24:13.libc++.asc
new file mode 100644
index 0000000000..53eacbcba6
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-24:13.libc++.asc
@@ -0,0 +1,151 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-24:13.libc++ Errata Notice
+ The FreeBSD Project
+
+Topic: Incorrect size passed to heap allocated std::string delete
+
+Category: contrib
+Module: libc++
+Announced: 2024-06-19
+Affects: FreeBSD 14.1
+Corrected: 2024-06-07 07:29:25 UTC (stable/14, 14.1-STABLE)
+ 2024-06-19 20:36:50 UTC (releng/14.1, 14.1-RELEASE-p1)
+ 2024-06-07 07:29:30 UTC (stable/13, 13.3-STABLE)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+libc++ is an implementation of the C++ Standard Library, provided by the LLVM
+project. It is used by C++ programs in the base system, and also by many C++
+programs in the ports collection.
+
+II. Problem Description
+
+C++14 and later supports size-aware deletion of heap objects, when the compiler
+is able to determine at compile time what the exact size of a particular object
+is. For this purpose, there are specific variants of "operator delete" that take
+an additional size_t argument. If such a variant is called, the size is passed
+through to the underlying allocator, which can optionally utilize this size for
+for more efficient deallocation.
+
+A recent change in libc++'s implementation of std::string has introduced a
+potential mismatch between the actual size allocated on the heap for the
+contained string, and the size that is passed to "operator delete" when the
+string is eventually destroyed.
+
+III. Impact
+
+The default allocator in FreeBSD does not leverage the size_t argument and is
+unaffected.
+
+When std::string objects of a known size are deleted, and the size passed
+through to the deallocation function does not match the actual size on the heap,
+the underlying allocator can potentially produce unexpected results. In case of
+allocators that are used for heap debugging or profiling, such as with Google's
+gperftools (aka tcmalloc) this can lead to runtime warnings about incorrect
+deallocations.
+
+IV. Workaround
+
+No workaround is available. Systems using the default memory allocator are
+not affected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+No reboot is necessary, but programs compiled against the old version of the
+<string> header should be rebuilt to fully fix the problem.
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-24:13/libc++.patch
+# fetch https://security.FreeBSD.org/patches/EN-24:13/libc++.patch.asc
+# gpg --verify libc++.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+No reboot is necessary, but programs compiled against the old version of the
+<string> header should be rebuilt to fully fix the problem.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 55c5dad2f305 stable/14-n267917
+releng/14.1/ 8e0e6b428cb8 releng/14.1-n267681
+stable/13/ ef4d145057c1 stable/13-n257958
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<other info on the problem>
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=279560>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:13.libc++.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmZzRT0ACgkQbljekB8A
+Gu/HpQ//Xkz6NMBUg4CdmV1ElSP+dTUfh8YpNfD/X//4RgngKoz9DKt6CM78KSWI
+68JfNrn6XRGdhjG0Mn/YvRCe8xzGBGpvcd1lcun7mAw5yqpsbSAUKvFmywjX+oxs
+bQpCJRloBLZJE6NoZgBmhw2K2HzfmvApPin3TjLGa/u/ovsK+pD7SvDynbR5VsxH
+Bey21H2+3LOqyBPaiTe6ccJ4JXCOX9+oAK5byhMLPrnRqLyvh3IV2jttWurbtNki
+nFMYhqoBq6cWoAba3gVD0ZM7S5C+P5VDeMMIBOPKQVRwIl9eDS/UKICXrMbaMNqL
+002egG7Oia22H0dpYuYX6dl7cAtn/M3NcBEwDDvqNuHncbGVeaYA8qXHAh+eeA3R
+gBK2NkltdDvZbk8Uv9hgHwIrdJyENhWGoT1OQ1JqgaIKo7tIvlhIA/HtpTygeyMA
+F/TgFvg+K42/kWQ/N1UTwUFbEH6jgDu1BGTZzkMMyQf3rymdQ1VM6Z1p7dxppVI7
+uw2+80BePzDbnV9naXMzlhr/YjYgytRRQFbVR2ZlPM+rEGyfMAM/XvtCWfdlstwY
+3bZXo/vPRZPXg/sd/AFEKqIiz1ZvVTJroMUCnnDvsDKcRzAHgIIHfMK1mMpSizna
+LNDS/vvyQszgINWPUMZOZaALQzUY9SAmm0eNqIz3uV4o0qM6DQE=
+=7Qxx
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-24:10/zfs.patch b/website/static/security/patches/EN-24:10/zfs.patch
new file mode 100644
index 0000000000..10cc6dc682
--- /dev/null
+++ b/website/static/security/patches/EN-24:10/zfs.patch
@@ -0,0 +1,10 @@
+--- sys/contrib/openzfs/module/zfs/dbuf.c.orig
++++ sys/contrib/openzfs/module/zfs/dbuf.c
+@@ -2840,6 +2840,7 @@
+ failed = B_FALSE;
+ } else if (failed) {
+ VERIFY(!dbuf_undirty(db, tx));
++ arc_buf_destroy(db->db_buf, db);
+ db->db_buf = NULL;
+ dbuf_clear_data(db);
+ DTRACE_SET_STATE(db, "fill failed");
diff --git a/website/static/security/patches/EN-24:10/zfs.patch.asc b/website/static/security/patches/EN-24:10/zfs.patch.asc
new file mode 100644
index 0000000000..a601f3e9ba
--- /dev/null
+++ b/website/static/security/patches/EN-24:10/zfs.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmZzRTgACgkQbljekB8A
+Gu86Lw//bYytQzAfOOGO1h03/l0QCiaz8jcekW3DVG0Lfl8mYVumlbzCRxOsXGox
+hzNonjnEOu8h7ShJURFu+RvmZ+dYG9i6nsXZeqO6bE8unktnpLGpvO64oSuYObPk
+NLGx6uVKdlf9c1niYzydKcLOWtQG6OA2jZOl4WPadQsrdsf3MpQ94aQWxQYV7GwY
+FhVlfFDsMFP35a6MWtnQCRmsIQUcMGSIiUkmvgfdEALoaf5pfUI8Dri9TR7ePfm9
+dfmtnyC7FTA/i8K+VdqURl/pKdAVtkpfv8OAk79Jgi77If5/+0prpC8M7kgbCq3o
+z8vOjcRkmdJO0ckflcR9onpyHSB9MK8f0aZl+a0+4ED7HiFFcB0JsnPjw16KjsEz
+qv0tur7HhBcdjIvKX9jZNx67yMtXMiLCTbK0s2fW/3y7uKkonyKiZxJf7RN05ft2
+KfPMWwUv1uq70V0gyo+cwYzrEbucQTl63fCwt8E71DL24mrPTWYHm0Ags1qM+zgn
+OeVdycKVEmZTnbSkFhyfu9Wqle0OOY0dzmKUd5qOR3U/C9XoB6r3G6Jw/tDHqBH+
+dfWF2LcTOvVGmFB2T8I/R6+hgIZ33e3J3u/Pc7xDWuzbubwfoBPQ4/MJ3aditBb2
+ev04cADlvm2MUnEHjZZJxTUQjgQRcz/1trzOeMpwezGhaxs1ZTo=
+=8kFd
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-24:11/ldns.patch b/website/static/security/patches/EN-24:11/ldns.patch
new file mode 100644
index 0000000000..4faad85808
--- /dev/null
+++ b/website/static/security/patches/EN-24:11/ldns.patch
@@ -0,0 +1,207 @@
+--- contrib/ldns/ldns/parse.h.orig
++++ contrib/ldns/ldns/parse.h
+@@ -95,6 +95,8 @@
+ */
+ ldns_status ldns_fget_token_l_st(FILE *f, char **token, size_t *limit, bool fixed, const char *delim, int *line_nr);
+
++ssize_t ldns_fget_token_l_resolv_conf(FILE *f, char *token, const char *delim, size_t limit, int *line_nr);
++
+ /**
+ * returns a token/char from the buffer b.
+ * This function deals with ( and ) in the buffer,
+--- contrib/ldns/parse.c.orig
++++ contrib/ldns/parse.c
+@@ -27,9 +27,14 @@
+ return ldns_fget_token_l(f, token, delim, limit, NULL);
+ }
+
+-ldns_status
+-ldns_fget_token_l_st(FILE *f, char **token, size_t *limit, bool fixed
+- , const char *delim, int *line_nr)
++enum file_type2parse {
++ zone_file_type, resolv_conf_file_type
++};
++
++static ldns_status
++ldns_fget_token_l_st_file_type(FILE *f, char **token, size_t *limit,
++ bool fixed, const char *delim, int *line_nr,
++ enum file_type2parse file_type)
+ {
+ int c, prev_c;
+ int p; /* 0 -> no parentheses seen, >0 nr of ( seen */
+@@ -98,7 +103,9 @@
+ }
+
+ /* do something with comments ; */
+- if (c == ';' && quoted == 0) {
++ if ((c == ';'
++ || (c == '#' && file_type == resolv_conf_file_type))
++ && quoted == 0) {
+ if (prev_c != '\\') {
+ com = 1;
+ }
+@@ -215,6 +222,26 @@
+ return i == 0 ? LDNS_STATUS_SYNTAX_EMPTY : LDNS_STATUS_OK;
+ }
+
++ldns_status
++ldns_fget_token_l_st(FILE *f, char **token, size_t *limit, bool fixed
++ , const char *delim, int *line_nr)
++{
++ return ldns_fget_token_l_st_file_type(
++ f, token, limit, fixed, delim, line_nr, zone_file_type);
++}
++
++ssize_t
++ldns_fget_token_l_resolv_conf(FILE *f, char *token, const char *delim,
++ size_t limit, int *line_nr)
++{
++ if (limit == 0)
++ limit = LDNS_MAX_LINELEN;
++ if (ldns_fget_token_l_st_file_type(f, &token, &limit, true, delim,
++ line_nr, resolv_conf_file_type))
++ return -1;
++ else
++ return (ssize_t)strlen(token);
++}
+
+ ssize_t
+ ldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *line_nr)
+--- contrib/ldns/resolver.c.orig
++++ contrib/ldns/resolver.c
+@@ -775,7 +775,7 @@
+ #endif
+ ssize_t gtr, bgtr;
+ ldns_buffer *b;
+- int lnr = 0, oldline;
++ int lnr = 0;
+ FILE* myfp = fp;
+ if(!line_nr) line_nr = &lnr;
+
+@@ -809,36 +809,18 @@
+
+ gtr = 1;
+ word[0] = 0;
+- oldline = *line_nr;
+ expect = LDNS_RESOLV_KEYWORD;
+ while (gtr > 0) {
+- /* check comments */
+- if (word[0] == '#') {
+- word[0]='x';
+- if(oldline == *line_nr) {
+- /* skip until end of line */
+- int c;
+- do {
+- c = fgetc(myfp);
+- } while(c != EOF && c != '\n');
+- if(c=='\n') (*line_nr)++;
+- }
+- /* and read next to prepare for further parsing */
+- oldline = *line_nr;
+- continue;
+- }
+- oldline = *line_nr;
+ switch(expect) {
+ case LDNS_RESOLV_KEYWORD:
+ /* keyword */
+- gtr = ldns_fget_token_l(myfp, word, LDNS_PARSE_NORMAL, 0, line_nr);
++ gtr = ldns_fget_token_l_resolv_conf(myfp, word, LDNS_PARSE_NORMAL, 0, line_nr);
+ if (gtr != 0) {
+- if(word[0] == '#') continue;
+ for(i = 0; i < LDNS_RESOLV_KEYWORDS; i++) {
+ if (strcasecmp(keyword[i], word) == 0) {
+ /* chosen the keyword and
+ * expect values carefully
+- */
++ */
+ expect = i;
+ break;
+ }
+@@ -856,16 +838,12 @@
+ break;
+ case LDNS_RESOLV_DEFDOMAIN:
+ /* default domain dname */
+- gtr = ldns_fget_token_l(myfp, word, LDNS_PARSE_NORMAL, 0, line_nr);
++ gtr = ldns_fget_token_l_resolv_conf(myfp, word, LDNS_PARSE_NORMAL, 0, line_nr);
+ if (gtr == 0) {
+ if(!fp) fclose(myfp);
+ ldns_resolver_deep_free(r);
+ return LDNS_STATUS_SYNTAX_MISSING_VALUE_ERR;
+ }
+- if(word[0] == '#') {
+- expect = LDNS_RESOLV_KEYWORD;
+- continue;
+- }
+ tmp = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, word);
+ if (!tmp) {
+ if(!fp) fclose(myfp);
+@@ -879,16 +857,12 @@
+ break;
+ case LDNS_RESOLV_NAMESERVER:
+ /* NS aaaa or a record */
+- gtr = ldns_fget_token_l(myfp, word, LDNS_PARSE_NORMAL, 0, line_nr);
++ gtr = ldns_fget_token_l_resolv_conf(myfp, word, LDNS_PARSE_NORMAL, 0, line_nr);
+ if (gtr == 0) {
+ if(!fp) fclose(myfp);
+ ldns_resolver_deep_free(r);
+ return LDNS_STATUS_SYNTAX_MISSING_VALUE_ERR;
+ }
+- if(word[0] == '#') {
+- expect = LDNS_RESOLV_KEYWORD;
+- continue;
+- }
+ if(strchr(word, '%')) {
+ /* snip off interface labels,
+ * fe80::222:19ff:fe31:4222%eth0 */
+@@ -911,7 +885,7 @@
+ break;
+ case LDNS_RESOLV_SEARCH:
+ /* search list domain dname */
+- gtr = ldns_fget_token_l(myfp, word, LDNS_PARSE_SKIP_SPACE, 0, line_nr);
++ gtr = ldns_fget_token_l_resolv_conf(myfp, word, LDNS_PARSE_SKIP_SPACE, 0, line_nr);
+ b = LDNS_MALLOC(ldns_buffer);
+ if(!b) {
+ ldns_resolver_deep_free(r);
+@@ -929,10 +903,6 @@
+ bgtr = ldns_bget_token(b, word, LDNS_PARSE_NORMAL, (size_t) gtr + 1);
+ while (bgtr > 0) {
+ gtr -= bgtr;
+- if(word[0] == '#') {
+- expect = LDNS_RESOLV_KEYWORD;
+- break;
+- }
+ tmp = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, word);
+ if (!tmp) {
+ ldns_resolver_deep_free(r);
+@@ -954,28 +924,23 @@
+ }
+ break;
+ case LDNS_RESOLV_SORTLIST:
+- gtr = ldns_fget_token_l(myfp, word, LDNS_PARSE_SKIP_SPACE, 0, line_nr);
++ gtr = ldns_fget_token_l_resolv_conf(myfp, word, LDNS_PARSE_SKIP_SPACE, 0, line_nr);
+ /* sortlist not implemented atm */
+ expect = LDNS_RESOLV_KEYWORD;
+ break;
+ case LDNS_RESOLV_OPTIONS:
+- gtr = ldns_fget_token_l(myfp, word, LDNS_PARSE_SKIP_SPACE, 0, line_nr);
++ gtr = ldns_fget_token_l_resolv_conf(myfp, word, LDNS_PARSE_SKIP_SPACE, 0, line_nr);
+ /* options not implemented atm */
+ expect = LDNS_RESOLV_KEYWORD;
+ break;
+ case LDNS_RESOLV_ANCHOR:
+ /* a file containing a DNSSEC trust anchor */
+- gtr = ldns_fget_token_l(myfp, word, LDNS_PARSE_NORMAL, 0, line_nr);
++ gtr = ldns_fget_token_l_resolv_conf(myfp, word, LDNS_PARSE_NORMAL, 0, line_nr);
+ if (gtr == 0) {
+ ldns_resolver_deep_free(r);
+ if(!fp) fclose(myfp);
+ return LDNS_STATUS_SYNTAX_MISSING_VALUE_ERR;
+ }
+- if(word[0] == '#') {
+- expect = LDNS_RESOLV_KEYWORD;
+- continue;
+- }
+-
+ #ifdef HAVE_SSL
+ tmp_rr = ldns_read_anchor_file(word);
+ (void) ldns_resolver_push_dnssec_anchor(r, tmp_rr);
diff --git a/website/static/security/patches/EN-24:11/ldns.patch.asc b/website/static/security/patches/EN-24:11/ldns.patch.asc
new file mode 100644
index 0000000000..cbf6dd5acc
--- /dev/null
+++ b/website/static/security/patches/EN-24:11/ldns.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmZzRToACgkQbljekB8A
+Gu+/nBAArstsX30sRh4RTztlnK+YppF0LX6qdi5btBGcQeim3qeVrgDem8eblbxY
+aN1rseaRjEai7KbgGzArC0w3wLOKC7fDwt5MPoPproqyb9bf03441GslGurA4hBW
+NkCyHBCuXog1DkdWvu2YONiC7UPxoHAmBaRbE9IXMmCdsopZd+m0BqAOf3GO6Hem
+XXXb0hzxBKQPS2qnnYF04OvYjitloG/Azsh0RBpRkYKhJXbypkTR+ZnfUTKke2V3
+SFu0pG2fDWc3rTQV3wY9ZezR9x4mtDuRXfupE5RLg53fI0XZzPdvLQ0FH4GfMN7E
+KbRqMuNmpkhw+NQ7XoVl9h/+COZT75lU+WTGhO3/PH6qgzGnIZ8BAYqbbmWgYXsK
+FuKWFFPQTJ5AdEaQdxe2GMCZ7/xLMpde9Bv95/s/s3NSRlj0M4SMUs+oVeiHZmQV
+/S2v/EHVze9yuKszFY9ZVtm0Km+ejRc7+hBLWJ23buB1RKOepxIfTuuMxvW+V1X7
+8OcfmRIfw+iPayWyftYpWURkKJzrWE9NHrCLtXUqgGn+0zL33Sdh/JGg6UII9OJg
+cccgev4/ohPDlZdmaKQfV37ukHO/ehdmVs6emGfqYgczTtNEvNY6uAeDWlHdZqrY
+qSWVBtHuBbSi8j3u+BYj5iRZ4R5ZzS1aoyCR4uW28eFKOWhviWw=
+=Yb9t
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-24:12/killpg.patch b/website/static/security/patches/EN-24:12/killpg.patch
new file mode 100644
index 0000000000..7b9134334b
--- /dev/null
+++ b/website/static/security/patches/EN-24:12/killpg.patch
@@ -0,0 +1,63 @@
+--- sys/kern/kern_proc.c.orig
++++ sys/kern/kern_proc.c
+@@ -587,8 +587,12 @@
+ ("enterpgrp: session leader attempted setpgrp"));
+
+ old_pgrp = p->p_pgrp;
+- if (!sx_try_xlock(&old_pgrp->pg_killsx))
++ if (!sx_try_xlock(&old_pgrp->pg_killsx)) {
++ sx_xunlock(&proctree_lock);
++ sx_xlock(&old_pgrp->pg_killsx);
++ sx_xunlock(&old_pgrp->pg_killsx);
+ return (ERESTART);
++ }
+ MPASS(old_pgrp == p->p_pgrp);
+
+ if (sess != NULL) {
+@@ -656,11 +660,18 @@
+ ("%s: p %p belongs to pgrp %p", __func__, p, pgrp));
+
+ old_pgrp = p->p_pgrp;
+- if (!sx_try_xlock(&old_pgrp->pg_killsx))
++ if (!sx_try_xlock(&old_pgrp->pg_killsx)) {
++ sx_xunlock(&proctree_lock);
++ sx_xlock(&old_pgrp->pg_killsx);
++ sx_xunlock(&old_pgrp->pg_killsx);
+ return (ERESTART);
++ }
+ MPASS(old_pgrp == p->p_pgrp);
+ if (!sx_try_xlock(&pgrp->pg_killsx)) {
+ sx_xunlock(&old_pgrp->pg_killsx);
++ sx_xunlock(&proctree_lock);
++ sx_xlock(&pgrp->pg_killsx);
++ sx_xunlock(&pgrp->pg_killsx);
+ return (ERESTART);
+ }
+
+--- sys/kern/kern_prot.c.orig
++++ sys/kern/kern_prot.c
+@@ -345,10 +345,8 @@
+ error = EPERM;
+ } else {
+ error = enterpgrp(p, p->p_pid, newpgrp, newsess);
+- if (error == ERESTART) {
+- sx_xunlock(&proctree_lock);
++ if (error == ERESTART)
+ goto again;
+- }
+ MPASS(error == 0);
+ td->td_retval[0] = p->p_pid;
+ newpgrp = NULL;
+@@ -458,11 +456,11 @@
+ error = enterthispgrp(targp, pgrp);
+ }
+ done:
+- sx_xunlock(&proctree_lock);
+ KASSERT(error == 0 || newpgrp != NULL,
+ ("setpgid failed and newpgrp is NULL"));
+ if (error == ERESTART)
+ goto again;
++ sx_xunlock(&proctree_lock);
+ uma_zfree(pgrp_zone, newpgrp);
+ return (error);
+ }
*** 66 LINES SKIPPED ***