git: ccb8730e4a - main - Add EN-24:10 through EN-24:13.

From: Gordon Tetlow <gordon_at_FreeBSD.org>
Date: Wed, 19 Jun 2024 20:55:52 UTC
The branch main has been updated by gordon:

URL: https://cgit.FreeBSD.org/doc/commit/?id=ccb8730e4a6c4fc35167f59327e9ce11247c2462

commit ccb8730e4a6c4fc35167f59327e9ce11247c2462
Author:     Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2024-06-19 20:54:36 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2024-06-19 20:54:36 +0000

    Add EN-24:10 through EN-24:13.
    
    Approved by:    so
---
 website/data/security/errata.toml                  |  16 ++
 .../security/advisories/FreeBSD-EN-24:10.zfs.asc   | 130 +++++++++++++
 .../security/advisories/FreeBSD-EN-24:11.ldns.asc  | 152 +++++++++++++++
 .../advisories/FreeBSD-EN-24:12.killpg.asc         | 132 +++++++++++++
 .../advisories/FreeBSD-EN-24:13.libc++.asc         | 151 +++++++++++++++
 website/static/security/patches/EN-24:10/zfs.patch |  10 +
 .../static/security/patches/EN-24:10/zfs.patch.asc |  16 ++
 .../static/security/patches/EN-24:11/ldns.patch    | 207 +++++++++++++++++++++
 .../security/patches/EN-24:11/ldns.patch.asc       |  16 ++
 .../static/security/patches/EN-24:12/killpg.patch  |  63 +++++++
 .../security/patches/EN-24:12/killpg.patch.asc     |  16 ++
 .../static/security/patches/EN-24:13/libc++.patch  |  16 ++
 .../security/patches/EN-24:13/libc++.patch.asc     |  16 ++
 13 files changed, 941 insertions(+)

diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index 702576a943..885339ab1d 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,22 @@
 # Sort errata notices by year, month and day
 # $FreeBSD$
 
+[[notices]]
+name = "FreeBSD-EN-24:13.libc++"
+date = "2024-06-19"
+
+[[notices]]
+name = "FreeBSD-EN-24:12.killpg"
+date = "2024-06-19"
+
+[[notices]]
+name = "FreeBSD-EN-24:11.ldns"
+date = "2024-06-19"
+
+[[notices]]
+name = "FreeBSD-EN-24:10.zfs"
+date = "2024-06-19"
+
 [[notices]]
 name = "FreeBSD-EN-24:09.zfs"
 date = "2024-04-24"
diff --git a/website/static/security/advisories/FreeBSD-EN-24:10.zfs.asc b/website/static/security/advisories/FreeBSD-EN-24:10.zfs.asc
new file mode 100644
index 0000000000..28b188812c
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-24:10.zfs.asc
@@ -0,0 +1,130 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-24:10.zfs                                            Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Kernel memory leak in ZFS
+
+Category:       core
+Module:         openzfs
+Announced:      2024-06-19
+Affects:        FreeBSD 14.1
+Corrected:      2024-06-17 14:35:24 UTC (stable/14, 14.1-STABLE)
+                2024-06-19 20:36:48 UTC (releng/14.1, 14.1-RELEASE-p1)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+ZFS is an advanced and scalable file system originally developed by Sun
+Microsystems for its Solaris operating system. ZFS was integrated as part of
+the FreeBSD starting with FreeBSD 7.0, and it has since become a prominent
+and preferred choice for storage management.
+
+II.  Problem Description
+
+When writing data to a file on ZFS, the kernel may need to handle soft
+page faults that can occur when accessing user data.  When doing so, in
+some cases ZFS needs to undo an earlier kernel buffer allocation.  A bug
+in the handling of these cases causes this buffer to be leaked.
+
+III. Impact
+
+The leaked kernel memory is effectively lost and cannot be reused for
+other purposes.  Some workloads may trigger the leak frequently,
+eventually requiring a reboot of the system.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# reboot
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-24:10/zfs.patch
+# fetch https://security.FreeBSD.org/patches/EN-24:10/zfs.patch.asc
+# gpg --verify zfs.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              1c27279ed22d    stable/14-n267965
+releng/14.1/                            f566b7eb8d94  releng/14.1-n267680
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276341>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:10.zfs.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=YxSw
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-24:11.ldns.asc b/website/static/security/advisories/FreeBSD-EN-24:11.ldns.asc
new file mode 100644
index 0000000000..0c58c2d9f0
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-24:11.ldns.asc
@@ -0,0 +1,152 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-24:11.ldns                                           Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          LDNS uses nameserver commented out in resolv.conf
+
+Category:       contrib
+Module:         ldns
+Announced:      2024-06-19
+Credits:        Michael Gmelin <grembo@FreeBSD.org>
+                Dag-Erling Smørgrav <des@FreeBSD.org>
+Affects:        FreeBSD 13.3 and FreeBSD 14.0.
+Corrected:      2024-05-20 09:04:54 UTC (stable/14, 14.0-STABLE)
+                2024-06-19 20:36:59 UTC (releng/14.0, 14.0-RELEASE-p7)
+                2024-05-20 09:04:59 UTC (stable/13, 13.3-STABLE)
+                2024-06-19 20:37:08 UTC (releng/13.3, 13.3-RELEASE-p3)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+LDNS is a DNS library that facilitates DNS tool programming.
+
+II.  Problem Description
+
+Due to a bug in the library's configuration file parser, commented out
+configuration settings in /etc/resolv.conf were picked up by the LDNS
+resolver, potentially leading to malfunction and/or information leakage.
+
+This included, but was not limited to, the nameserver setting. Given
+this example
+
+  # /etc/resolv.conf
+
+  # nameserver 8.8.8.8
+  nameserver 127.0.0.1
+
+DNS requests were sent to the commented out external resolver instead
+of the local one.
+
+III. Impact
+
+Programs using the LDNS library might behave in unexpected ways. Name
+resolution could be inconsistent with what other tools which use libc
+return, e.g., `ping` vs. `host`. DNS request containing private
+information could leak to third parties. A system's attack surface is
+increased.
+
+Affected tools include host(1), drill(1), and ssh(1), which uses
+LDNS in the VerifyHostKeyDNS feature to fetch SSHFP records.
+
+IV.  Workaround
+
+Removing empty lines from /etc/resolv.conf mitigates the problem:
+
+    sed -i '' '/^[[:space:]]*$/d' /etc/resolv.conf
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-24:11/ldns.patch
+# fetch https://security.FreeBSD.org/patches/EN-24:11/ldns.patch.asc
+# gpg --verify ldns.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the library, or reboot the system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              7daf36028411    stable/14-n267742
+releng/14.0/                            bdf75e830a77  releng/14.0-n265418
+stable/13/                              e95e16191f63    stable/13-n257915
+releng/13.3/                            d45cf1d2f124  releng/13.3-n257434
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278721>
+
+<URL:https://github.com/NLnetLabs/ldns/issues/237>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:11.ldns.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmZzRTkACgkQbljekB8A
+Gu9BYBAApSQZbv3wgT5PhJRsaCulmOZOH5gywlVdaBA1I4sDF3on0CFwLQfy7lLH
+q2xFEfll5vBVbfGCVp2zVBgb4IyknqMgf8Ae4uBEEJJejRgxxnFTnQmdlzg7a8TR
+9UW3g6QB/5tUIGrxFqIdx4qRAQz1ie6NwR+KvP8ojXk0xVscKIaijXACbmAgT6nH
+HygG7snrB9VmMMlRIHYhoarhRBd+aX68Jg3F+yGUX76FB4HVMSFMYo0fEWgi7SQ3
+psZfq54GvCH+kSvYduXS3QkTJ7N/S9p6JAVraRlJmFnjQ69qE7u59bc68zW0D2pn
+Pj6/c0OZtWE2SQGqCuqgnBffjArisAJ/BKiK/XeO8B1fSvaVKJToR18+6KGTmc0f
+nnqQLxFeGbh5gHHcM8QaLBJFUgm5TVvdevcDmLuiVMSvQyt5iC6rIGwb3UNYAnW7
+w/UFSresVKppsB2JDqyGjaSf2FI00rYIKHChZ8nkKYPMhb6V/TJZr3k25/3idbvi
+6zO7wfbOhwAYQ44Mg/gY/v206qpoYiZO2tMQazbiicOqBOQBYWdXsojYhCB6qkyU
+++kBNAMugpOAsDkIvN9mWLniRnvycrbEqthQlmfR7X3tZRiuz+0S1alx03Z5VsP6
+zM5//i6W2Lt8DmX34zQDeQAMTZXD3bG1JSe2UbKyZkL20vrSTfg=
+=lQUa
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-24:12.killpg.asc b/website/static/security/advisories/FreeBSD-EN-24:12.killpg.asc
new file mode 100644
index 0000000000..eac987cede
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-24:12.killpg.asc
@@ -0,0 +1,132 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-24:12.killpg                                         Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Lock order reversal in killpg causing livelock
+
+Category:       core
+Module:         kern
+Announced:      2024-06-19
+Credits:        Peter Holm <pho@FreeBSD.org>
+                Konstantin Belousov <kib@FreeBSD.org>
+                Michael Gmelin <grembo@FreeBSD.org>
+Affects:        FreeBSD 13.3
+Corrected:      2024-05-22 23:47:55 UTC (stable/13, 13.3-STABLE)
+                2024-06-19 20:37:09 UTC (releng/13.3, 13.3-RELEASE-p3)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+killpg(2) is a system call that sends signals to process groups.
+In order to prevent race conditions with the fork(2) system call,
+locking is required.
+
+II.  Problem Description
+
+The code designed to prevent lock order reversals between killpg(2)
+and fork(2) did not wait for lock availability before retrying to
+acquire a lock, which could result in a livelock causing very high
+system load.
+
+III. Impact
+
+Affected machines are practically unusable. They recover if the
+processes causing the load are killed.
+
+IV.  Workaround
+
+No workaround is available. Systems that fork a lot are more likely to
+to hit this problem.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10m "Rebooting for a stability patch"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-24:12/killpg.patch
+# fetch https://security.FreeBSD.org/patches/EN-24:12/killpg.patch.asc
+# gpg --verify killpg.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/13/                              cd73b38955f6    stable/13-n257926
+releng/13.3/                            eb410545d00d  releng/13.3-n257435
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=279203>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:12.killpg.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=5wI2
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-24:13.libc++.asc b/website/static/security/advisories/FreeBSD-EN-24:13.libc++.asc
new file mode 100644
index 0000000000..53eacbcba6
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-24:13.libc++.asc
@@ -0,0 +1,151 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-24:13.libc++                                         Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Incorrect size passed to heap allocated std::string delete
+
+Category:       contrib
+Module:         libc++
+Announced:      2024-06-19
+Affects:        FreeBSD 14.1
+Corrected:      2024-06-07 07:29:25 UTC (stable/14, 14.1-STABLE)
+                2024-06-19 20:36:50 UTC (releng/14.1, 14.1-RELEASE-p1)
+                2024-06-07 07:29:30 UTC (stable/13, 13.3-STABLE)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+libc++ is an implementation of the C++ Standard Library, provided by the LLVM
+project. It is used by C++ programs in the base system, and also by many C++
+programs in the ports collection. 
+
+II.  Problem Description
+
+C++14 and later supports size-aware deletion of heap objects, when the compiler
+is able to determine at compile time what the exact size of a particular object
+is. For this purpose, there are specific variants of "operator delete" that take
+an additional size_t argument. If such a variant is called, the size is passed
+through to the underlying allocator, which can optionally utilize this size for
+for more efficient deallocation.
+
+A recent change in libc++'s implementation of std::string has introduced a
+potential mismatch between the actual size allocated on the heap for the
+contained string, and the size that is passed to "operator delete" when the
+string is eventually destroyed.
+
+III. Impact
+
+The default allocator in FreeBSD does not leverage the size_t argument and is
+unaffected.
+
+When std::string objects of a known size are deleted, and the size passed
+through to the deallocation function does not match the actual size on the heap,
+the underlying allocator can potentially produce unexpected results. In case of
+allocators that are used for heap debugging or profiling, such as with Google's
+gperftools (aka tcmalloc) this can lead to runtime warnings about incorrect
+deallocations.
+
+IV.  Workaround
+
+No workaround is available. Systems using the default memory allocator are
+not affected.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+No reboot is necessary, but programs compiled against the old version of the
+<string> header should be rebuilt to fully fix the problem.
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-24:13/libc++.patch
+# fetch https://security.FreeBSD.org/patches/EN-24:13/libc++.patch.asc
+# gpg --verify libc++.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+No reboot is necessary, but programs compiled against the old version of the
+<string> header should be rebuilt to fully fix the problem.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              55c5dad2f305    stable/14-n267917
+releng/14.1/                            8e0e6b428cb8  releng/14.1-n267681
+stable/13/                              ef4d145057c1    stable/13-n257958
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<other info on the problem>
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=279560>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:13.libc++.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=7Qxx
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-24:10/zfs.patch b/website/static/security/patches/EN-24:10/zfs.patch
new file mode 100644
index 0000000000..10cc6dc682
--- /dev/null
+++ b/website/static/security/patches/EN-24:10/zfs.patch
@@ -0,0 +1,10 @@
+--- sys/contrib/openzfs/module/zfs/dbuf.c.orig
++++ sys/contrib/openzfs/module/zfs/dbuf.c
+@@ -2840,6 +2840,7 @@
+ 			failed = B_FALSE;
+ 		} else if (failed) {
+ 			VERIFY(!dbuf_undirty(db, tx));
++			arc_buf_destroy(db->db_buf, db);
+ 			db->db_buf = NULL;
+ 			dbuf_clear_data(db);
+ 			DTRACE_SET_STATE(db, "fill failed");
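Review bot: The added `arc_buf_destroy(db->db_buf, db);` has no comment saying why the buffer must be released on the failed-fill path, and a one-line fix like this is easy to lose in a later merge of the vendored OpenZFS code. A short comment above it would help, e.g. `/* Fill failed: release the earlier buffer allocation, otherwise it is leaked. */`. The call is also made without checking `db->db_buf` for NULL. Whether it can be NULL after `dbuf_undirty()` is not visible here, because the enclosing function starts and ends outside the hunk, so that is worth confirming against the full source.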
diff --git a/website/static/security/patches/EN-24:10/zfs.patch.asc b/website/static/security/patches/EN-24:10/zfs.patch.asc
new file mode 100644
index 0000000000..a601f3e9ba
--- /dev/null
+++ b/website/static/security/patches/EN-24:10/zfs.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=8kFd
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-24:11/ldns.patch b/website/static/security/patches/EN-24:11/ldns.patch
new file mode 100644
index 0000000000..4faad85808
--- /dev/null
+++ b/website/static/security/patches/EN-24:11/ldns.patch
@@ -0,0 +1,207 @@
+--- contrib/ldns/ldns/parse.h.orig
++++ contrib/ldns/ldns/parse.h
+@@ -95,6 +95,8 @@
+  */
+ ldns_status ldns_fget_token_l_st(FILE *f, char **token, size_t *limit, bool fixed, const char *delim, int *line_nr);
+ 
++ssize_t ldns_fget_token_l_resolv_conf(FILE *f, char *token, const char *delim, size_t limit, int *line_nr);
++
+ /**
+  * returns a token/char from the buffer b.
+  * This function deals with ( and ) in the buffer,
+--- contrib/ldns/parse.c.orig
++++ contrib/ldns/parse.c
+@@ -27,9 +27,14 @@
+ 	return ldns_fget_token_l(f, token, delim, limit, NULL);
+ }
+ 
+-ldns_status
+-ldns_fget_token_l_st(FILE *f, char **token, size_t *limit, bool fixed
+-                    , const char *delim, int *line_nr)
++enum file_type2parse {
++	zone_file_type, resolv_conf_file_type
++};
++
++static ldns_status
++ldns_fget_token_l_st_file_type(FILE *f, char **token, size_t *limit,
++		bool fixed, const char *delim, int *line_nr,
++		enum file_type2parse file_type)
+ {
+ 	int c, prev_c;
+ 	int p; /* 0 -> no parentheses seen, >0 nr of ( seen */
+@@ -98,7 +103,9 @@
+ 		}
+ 
+ 		/* do something with comments ; */
+-		if (c == ';' && quoted == 0) {
++		if ((c == ';'
++		||  (c == '#' && file_type == resolv_conf_file_type))
++				&& quoted == 0) {
+ 			if (prev_c != '\\') {
+ 				com = 1;
+ 			}
+@@ -215,6 +222,26 @@
+ 	return i == 0 ? LDNS_STATUS_SYNTAX_EMPTY : LDNS_STATUS_OK;
+ }
+ 
++ldns_status
++ldns_fget_token_l_st(FILE *f, char **token, size_t *limit, bool fixed
++                    , const char *delim, int *line_nr)
++{
++	return ldns_fget_token_l_st_file_type(
++		f, token, limit, fixed, delim, line_nr, zone_file_type);
++}
++
++ssize_t
++ldns_fget_token_l_resolv_conf(FILE *f, char *token, const char *delim,
++		size_t limit, int *line_nr)
++{
++	if (limit == 0)
++		limit = LDNS_MAX_LINELEN;
++	if (ldns_fget_token_l_st_file_type(f, &token, &limit, true, delim,
++				line_nr, resolv_conf_file_type))
++		return -1;
++	else
++		return (ssize_t)strlen(token);
++}
+ 
+ ssize_t
+ ldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *line_nr)
+--- contrib/ldns/resolver.c.orig
++++ contrib/ldns/resolver.c
+@@ -775,7 +775,7 @@
+ #endif
+ 	ssize_t gtr, bgtr;
+ 	ldns_buffer *b;
+-        int lnr = 0, oldline;
++        int lnr = 0;
+ 	FILE* myfp = fp;
+         if(!line_nr) line_nr = &lnr;
+ 
+@@ -809,36 +809,18 @@
+ 
+ 	gtr = 1;
+ 	word[0] = 0;
+-        oldline = *line_nr;
+         expect = LDNS_RESOLV_KEYWORD;
+ 	while (gtr > 0) {
+-		/* check comments */
+-		if (word[0] == '#') {
+-                        word[0]='x';
+-                        if(oldline == *line_nr) {
+-                                /* skip until end of line */
+-                                int c;
+-                                do {
+-                                        c = fgetc(myfp);
+-                                } while(c != EOF && c != '\n');
+-                                if(c=='\n') (*line_nr)++;
+-                        }
+-			/* and read next to prepare for further parsing */
+-                        oldline = *line_nr;
+-			continue;
+-		}
+-                oldline = *line_nr;
+ 		switch(expect) {
+ 			case LDNS_RESOLV_KEYWORD:
+ 				/* keyword */
+-				gtr = ldns_fget_token_l(myfp, word, LDNS_PARSE_NORMAL, 0, line_nr);
++				gtr = ldns_fget_token_l_resolv_conf(myfp, word, LDNS_PARSE_NORMAL, 0, line_nr);
+ 				if (gtr != 0) {
+-                                        if(word[0] == '#') continue;
+ 					for(i = 0; i < LDNS_RESOLV_KEYWORDS; i++) {
+ 						if (strcasecmp(keyword[i], word) == 0) {
+ 							/* chosen the keyword and
+ 							 * expect values carefully
+-	        					 */
++							 */
+ 							expect = i;
+ 							break;
+ 						}
+@@ -856,16 +838,12 @@
+ 				break;
+ 			case LDNS_RESOLV_DEFDOMAIN:
+ 				/* default domain dname */
+-				gtr = ldns_fget_token_l(myfp, word, LDNS_PARSE_NORMAL, 0, line_nr);
++				gtr = ldns_fget_token_l_resolv_conf(myfp, word, LDNS_PARSE_NORMAL, 0, line_nr);
+ 				if (gtr == 0) {
+ 					if(!fp) fclose(myfp);
+ 					ldns_resolver_deep_free(r);
+ 					return LDNS_STATUS_SYNTAX_MISSING_VALUE_ERR;
+ 				}
+-                                if(word[0] == '#') {
+-                                        expect = LDNS_RESOLV_KEYWORD;
+-                                        continue;
+-                                }
+ 				tmp = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, word);
+ 				if (!tmp) {
+ 					if(!fp) fclose(myfp);
+@@ -879,16 +857,12 @@
+ 				break;
+ 			case LDNS_RESOLV_NAMESERVER:
+ 				/* NS aaaa or a record */
+-				gtr = ldns_fget_token_l(myfp, word, LDNS_PARSE_NORMAL, 0, line_nr);
++				gtr = ldns_fget_token_l_resolv_conf(myfp, word, LDNS_PARSE_NORMAL, 0, line_nr);
+ 				if (gtr == 0) {
+ 					if(!fp) fclose(myfp);
+ 					ldns_resolver_deep_free(r);
+ 					return LDNS_STATUS_SYNTAX_MISSING_VALUE_ERR;
+ 				}
+-                                if(word[0] == '#') {
+-                                        expect = LDNS_RESOLV_KEYWORD;
+-                                        continue;
+-                                }
+                                 if(strchr(word, '%')) {
+                                         /* snip off interface labels,
+                                          * fe80::222:19ff:fe31:4222%eth0 */
+@@ -911,7 +885,7 @@
+ 				break;
+ 			case LDNS_RESOLV_SEARCH:
+ 				/* search list domain dname */
+-				gtr = ldns_fget_token_l(myfp, word, LDNS_PARSE_SKIP_SPACE, 0, line_nr);
++				gtr = ldns_fget_token_l_resolv_conf(myfp, word, LDNS_PARSE_SKIP_SPACE, 0, line_nr);
+ 				b = LDNS_MALLOC(ldns_buffer);
+ 				if(!b) {
+ 					ldns_resolver_deep_free(r);
+@@ -929,10 +903,6 @@
+ 				bgtr = ldns_bget_token(b, word, LDNS_PARSE_NORMAL, (size_t) gtr + 1);
+ 				while (bgtr > 0) {
+ 					gtr -= bgtr;
+-                                        if(word[0] == '#') {
+-                                                expect = LDNS_RESOLV_KEYWORD;
+-                                                break;
+-                                        }
+ 					tmp = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, word);
+ 					if (!tmp) {
+ 						ldns_resolver_deep_free(r);
+@@ -954,28 +924,23 @@
+ 				}
+ 				break;
+ 			case LDNS_RESOLV_SORTLIST:
+-				gtr = ldns_fget_token_l(myfp, word, LDNS_PARSE_SKIP_SPACE, 0, line_nr);
++				gtr = ldns_fget_token_l_resolv_conf(myfp, word, LDNS_PARSE_SKIP_SPACE, 0, line_nr);
+ 				/* sortlist not implemented atm */
+ 				expect = LDNS_RESOLV_KEYWORD;
+ 				break;
+ 			case LDNS_RESOLV_OPTIONS:
+-				gtr = ldns_fget_token_l(myfp, word, LDNS_PARSE_SKIP_SPACE, 0, line_nr);
++				gtr = ldns_fget_token_l_resolv_conf(myfp, word, LDNS_PARSE_SKIP_SPACE, 0, line_nr);
+ 				/* options not implemented atm */
+ 				expect = LDNS_RESOLV_KEYWORD;
+ 				break;
+ 			case LDNS_RESOLV_ANCHOR:
+ 				/* a file containing a DNSSEC trust anchor */
+-				gtr = ldns_fget_token_l(myfp, word, LDNS_PARSE_NORMAL, 0, line_nr);
++				gtr = ldns_fget_token_l_resolv_conf(myfp, word, LDNS_PARSE_NORMAL, 0, line_nr);
+ 				if (gtr == 0) {
+ 					ldns_resolver_deep_free(r);
+ 					if(!fp) fclose(myfp);
+ 					return LDNS_STATUS_SYNTAX_MISSING_VALUE_ERR;
+ 				}
+-                                if(word[0] == '#') {
+-                                        expect = LDNS_RESOLV_KEYWORD;
+-                                        continue;
+-                                }
+-
+ #ifdef HAVE_SSL
+ 				tmp_rr = ldns_read_anchor_file(word);
+ 				(void) ldns_resolver_push_dnssec_anchor(r, tmp_rr);
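Review bot: The missing-value checks in resolver.c (the DEFDOMAIN, NAMESERVER and ANCHOR cases) still test only `gtr == 0`, but the new `ldns_fget_token_l_resolv_conf()` returns -1 for every non-OK status, including the `LDNS_STATUS_SYNTAX_EMPTY` that the tokenizer's visible return statement yields when `i == 0`. With the `word[0] == '#'` branches removed, nothing in those cases resets `expect` when the value is commented out, as in `nameserver # note` (constructed example), so what lands in `word` depends on how the tokenizer resumes after a comment, which is outside this hunk. If an empty or failed read should count as a missing value, the checks would read `if (gtr <= 0) {`. Because the result decides which server receives DNS queries, a regression test over a resolv.conf with full-line, trailing and value-position `#` comments would pin the behaviour.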
diff --git a/website/static/security/patches/EN-24:11/ldns.patch.asc b/website/static/security/patches/EN-24:11/ldns.patch.asc
new file mode 100644
index 0000000000..cbf6dd5acc
--- /dev/null
+++ b/website/static/security/patches/EN-24:11/ldns.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=Yb9t
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-24:12/killpg.patch b/website/static/security/patches/EN-24:12/killpg.patch
new file mode 100644
index 0000000000..7b9134334b
--- /dev/null
+++ b/website/static/security/patches/EN-24:12/killpg.patch
@@ -0,0 +1,63 @@
+--- sys/kern/kern_proc.c.orig
++++ sys/kern/kern_proc.c
+@@ -587,8 +587,12 @@
+ 	    ("enterpgrp: session leader attempted setpgrp"));
+ 
+ 	old_pgrp = p->p_pgrp;
+-	if (!sx_try_xlock(&old_pgrp->pg_killsx))
++	if (!sx_try_xlock(&old_pgrp->pg_killsx)) {
++		sx_xunlock(&proctree_lock);
++		sx_xlock(&old_pgrp->pg_killsx);
++		sx_xunlock(&old_pgrp->pg_killsx);
+ 		return (ERESTART);
++	}
+ 	MPASS(old_pgrp == p->p_pgrp);
+ 
+ 	if (sess != NULL) {
+@@ -656,11 +660,18 @@
+ 	    ("%s: p %p belongs to pgrp %p", __func__, p, pgrp));
+ 
+ 	old_pgrp = p->p_pgrp;
+-	if (!sx_try_xlock(&old_pgrp->pg_killsx))
++	if (!sx_try_xlock(&old_pgrp->pg_killsx)) {
++		sx_xunlock(&proctree_lock);
++		sx_xlock(&old_pgrp->pg_killsx);
++		sx_xunlock(&old_pgrp->pg_killsx);
+ 		return (ERESTART);
++	}
+ 	MPASS(old_pgrp == p->p_pgrp);
+ 	if (!sx_try_xlock(&pgrp->pg_killsx)) {
+ 		sx_xunlock(&old_pgrp->pg_killsx);
++		sx_xunlock(&proctree_lock);
++		sx_xlock(&pgrp->pg_killsx);
++		sx_xunlock(&pgrp->pg_killsx);
+ 		return (ERESTART);
+ 	}
+ 
+--- sys/kern/kern_prot.c.orig
++++ sys/kern/kern_prot.c
+@@ -345,10 +345,8 @@
+ 		error = EPERM;
+ 	} else {
+ 		error = enterpgrp(p, p->p_pid, newpgrp, newsess);
+-		if (error == ERESTART) {
+-			sx_xunlock(&proctree_lock);
++		if (error == ERESTART)
+ 			goto again;
+-		}
+ 		MPASS(error == 0);
+ 		td->td_retval[0] = p->p_pid;
+ 		newpgrp = NULL;
+@@ -458,11 +456,11 @@
+ 		error = enterthispgrp(targp, pgrp);
+ 	}
+ done:
+-	sx_xunlock(&proctree_lock);
+ 	KASSERT(error == 0 || newpgrp != NULL,
+ 	    ("setpgid failed and newpgrp is NULL"));
+ 	if (error == ERESTART)
+ 		goto again;
++	sx_xunlock(&proctree_lock);
+ 	uma_zfree(pgrp_zone, newpgrp);
+ 	return (error);
+ }
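Review bot: After this change `enterpgrp()` and `enterthispgrp()` return with `proctree_lock` released when they return ERESTART and still held on the other returns shown, and nothing in the patched code documents that asymmetry. The two call sites in kern_prot.c are adjusted, but any caller outside this patch would need the same adjustment. A comment at each early return, e.g. `/* proctree_lock is dropped here; the caller must retake it before retrying. */`, plus a line in the function header comments, would make the contract explicit. The wait itself takes `old_pgrp->pg_killsx` (and `pgrp->pg_killsx`) after `proctree_lock` has been released, which presumably relies on the pgrp memory staying valid without that lock; the reason is not visible here and deserves a comment too. All affected functions start or end outside the hunks shown.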
*** 66 LINES SKIPPED ***