Add EN-20:13 through EN-20:15, and SA-20:18 through SA-20:20.

Approved by:	so

share/security/advisories/FreeBSD-EN-20:13.bhyve.asc

@@ -0,0 +1,143 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-20:13.bhyve                                          Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Host crash in bhyve with PCI device passthrough
+
+Category:       core
+Module:         bhyve
+Announced:      2020-07-08
+Credits:        Peter Grehan
+Affects:        FreeBSD 12.1
+Corrected:      2020-06-01 05:14:01 UTC (stable/12, 12.1-STABLE)
+                2020-07-08 19:56:34 UTC (releng/12.1, 12.1-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+bhyve(8) is a hypervisor that supports running a variety of guest operating
+systems in virtual machines.  bhyve(8) includes support for PCI devices
+passthrough (a technique to pass host PCI devices to a virtual machine for its
+exclusive control and use).
+
+II.  Problem Description
+
+When an attempt is made to pass through a PCI device to a bhyve(8) VM (causing
+initialization of IOMMU) on certain Intel chipsets using VT-d the PCI bus
+stops working entirely resulting in a host crash.  This issue occurs at least
+on the Intel Skylake series processors and those released later.
+
+A device passed through to a guest VM running OpenBSD at least since version
+6.4 on both AMD and Intel processors may not fully work in the guest.  OpenBSD
+issues 4-byte PCI configuration-space register reads and writes to consecutive
+2-byte fields, which were not handled correctly by bhyve(8).
+
+III. Impact
+
+These issues prevent using bhyve in production with some combinations of host
+hardware and/or guest operating system.
+
+IV.  Workaround
+
+No workaround is available.  Systems not using bhyve(8) for virtualization
+with PCI passthrough are not affected.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for errata update"
+
+The first problem requires a reboot as the affected part is the kernel.
+
+The second problem does not require a reboot as the affected part is the
+bhyve userland executable.
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-20:13/bhyve.patch
+# fetch https://security.FreeBSD.org/patches/EN-20:13/bhyve.patch.asc
+# gpg --verify bhyve.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+d) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r361686
+releng/12.1/                                                      r363022
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229852>
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245392>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:13.bhyve.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLjVfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKMwQ/9HxrcUNvL8myn512t+drnCnDg/lNL2cqlc53VyDsvwesgXbGA3k1pQsyV
+VLB2jn56+EWcq0b1eieLavK77YtdrbEfa72YOlTd576586VRroUC3d4o6eaAHKHS
+Hzm/Qh5cQM46065Eoshz8T+N1/RNmU0ANS19ogBmogqhbJwwQUSr402a/BGrTES+
++rx4ywmTOrmXxVQwAlRHp1/7pQ5PL3cK2ByYzuFjKjzNX3scHoMxOul2TC1bYwj6
+IhBT7NNxQuY/g7gxGM/ndifOiJtAlsxJdccWxZAMdYv3mzhnM2vqCmdz8KjB7UKH
+2XOKB1RwSq0b1FBsur8Z0Pg6AlIRcNW952mAn2UJxx9mh/oCSj0sqtdmAKu0EO1e
+Vn6+psOffB28ITvdBsf7D/3ixM8+jdAogFzW00iGPppF02QwM6FVxa3+mogOVtsv
+R+Fu381qwQmqvMtAEXOxQ6NiAk3fTan+VuEDB8FnYPEs5JkWef/fn4SPRUrr04hY
+yTkX8F3XID2XdSMTgJllQzhf1uCK3QT77Y0BcPJH+NPZIZiyKkROxqnpS7LGFlEs
+v8dLXTOFnaHfdrjefB/QCwLMTcX1AfN1n0OxQigtwKC1rvKHweaqZBEujtDmyMOm
+uFXhQjoT3o29i1O139Q/3yINEbVYn6U5INrW5ZUGt1nm/wL9PuA=
+=mH7Y
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-EN-20:14.linuxkpi.asc

@@ -0,0 +1,131 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-20:14.linuxkpi                                       Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Kernel panic in LinuxKPI subsystem
+
+Category:       core
+Module:         linuxkpi
+Announced:      2020-07-08
+Affects:        FreeBSD 12.1 and 11.3
+Corrected:      2020-01-22 00:30:27 UTC (stable/12, 12.1-STABLE)
+                2020-07-08 19:57:24 UTC (releng/12.1, 12.1-RELEASE-p7)
+                2020-01-22 15:51:24 UTC (stable/11, 11.3-STABLE)
+                2020-07-08 19:57:24 UTC (releng/11.3, 11.3-RELEASE-p11)
+
+Note: FreeBSD 11.4 was branched after the original commit to the stable/11
+branch and already includes this erratum.
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The LinuxKPI subsystem allows kernel code ported from Linux to run in the
+FreeBSD kernel without extensive modification.  Some graphics drivers make
+use of this subsystem.
+
+II.  Problem Description
+
+A bug in one of the LinuxKPI subroutines could cause a kernel panic.
+
+III. Impact
+
+Certain graphical applications may trigger a kernel panic.  This is most
+often observed when using X11 forwarding to run an application remotely.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for errata update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-20:14/linuxpki.patch
+# fetch https://security.FreeBSD.org/patches/EN-20:14/linuxpki.patch.asc
+# gpg --verify linuxkpi.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r356953
+releng/12.1/                                                      r363023
+stable/11/                                                        r356987
+releng/11.3/                                                      r363023
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<other info on the problem>
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242913>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:14.linuxkpi.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLkpfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJG7A//RWsupxbp1AMqYFz7KsC6zezh8pYU8rONJvWGgaH5MNTdzKVa+SDAg9il
+HI2IOAsDDRFRQvweyf1yOPMdPFUv15ZPgYpUcx2MoAbLFNa5TsqcodE6t1hEjBrQ
+20x0yjg/Fy6T17BaX3cziBFjxd3YW79jf/+FpzCTOoNasxIteiR5Vt4NbJ7Esqoa
+u7U3uXtIvDmfVASfMYq2NmKWTP8cz+f2FCB3687G4jGmBhrfMK8DNVQ3RI6IjGEm
+RUzmnYLX0Xbs83PTCYEkEqmEdj+o9zRokCPxdhFjd9XxnKaWh5vM0N6FNxBOcYER
+OqGMy0X88wsqvs5l+FnXYdI/BzELrzXmB4lMEh9wXDfrCZt4wVkb0C0NBLGgrafV
+95/YQobMsghe44ysVTmpfTi1++NnEDPgV/klVwBo6u9VluMH3PRxrTtW92SB0DOt
+QABVpgV96LKibsO26PRLS5yqMEgUPJ57W6mQvL9RdsTL/4VBamHQmUinXM1VlMml
+d2WVLguLw2vc86Mv2V4FZiC6A1eG91mUDTUYCeGxqBknl7DxBl+iGyM4Bu3Kw1+p
+eRi1Y6hAR/Vb/VyE4mNTBd0UzZhRymaXkiVm7nAKZjTAvSbpbEe26QCPzZGUgVsT
+UemEPi2lAAn2J3O46sEv8RjFjOOdrbOnyaZkJNBaKSPK7qq6etc=
+=1UKD
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-EN-20:15.mps.asc

@@ -0,0 +1,129 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-20:15.mps                                            Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Kernel panic in mps(4) driver
+
+Category:       core
+Module:         mps
+Announced:      2020-07-08
+Affects:        All supported version of FreeBSD.
+Corrected:      2020-06-11 14:48:20 UTC (stable/12, 12.1-STABLE)
+                2020-07-08 19:58:00 UTC (releng/12.1, 12.1-RELEASE-p7)
+                2020-06-11 14:49:38 UTC (stable/11, 11.4-STABLE)
+                2020-07-08 19:58:00 UTC (releng/11.4, 11.4-RELEASE-p1)
+                2020-07-08 19:58:00 UTC (releng/11.3, 11.3-RELEASE-p11)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+mps(4) is a disk controller driver.  It exports an ioctl(2) interface used by
+several command-line utilities to query for or set properties of the device.
+
+II.  Problem Description
+
+mps(4) implements a pass-through interface which allows privileged user
+processes to submit commands directly to disks behind the controller.  A bug
+in the code which copies command results out to the requesting process could
+cause a kernel panic.
+
+III. Impact
+
+Administrative commands issued by, e.g., sas2ircu, could cause a kernel panic.
+
+IV.  Workaround
+
+No workaround is available.  Systems that do not use mps(4) are unaffected.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for errata update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-20:15/mps.patch
+# fetch https://security.FreeBSD.org/patches/EN-20:15/mps.patch.asc
+# gpg --verify mps.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r362057
+releng/12.1/                                                      r363024
+stable/11/                                                        r362058
+releng/11.4/                                                      r363024
+releng/11.3/                                                      r363024
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223813>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:15.mps.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLk5fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLlPxAAgUVjwHuRGD4sTiymH2QgkdjneeE99obAzXDTDDNAOWaJQqmZV2L+ooYq
+2nnNdax0CpNvSaNF7KyEFYy30kcoBkSl8MBfOwtuUbO4fWUTDLIm3nUBn6YLvlkr
+ZdrDEzLN3EXOoHnVez4+dcCostVDWAVMPiGzNitU4htPy3pPvwyEcko9lA4eOF5Q
+ZanF1YjsAJOUvtmmCOr1XGRjzsW05Fbiyv6dAmaK7z508gAUj9t7x1a6XnIdLbJY
+tx4+UcBT3yvdSkXNlqGa8EGtPXz9ue4Aq53PSy+C9pbUiEBPgvnLQB0IJNU5Kynv
+fGlHMhee/Ih9+ZfSXoInvDJ+gVYdhufqQQ3GSUcdm7suUuQ+Gc8xn+KUUUZ8xtub
+3EfDeQ2h2eKlaGs0RrVNHtE9ETn+aimagVp5wcws6JLw3Nm5cEAzJFz8fK8lIbXe
+xONslLH1a6985k8CmHVDh6YULCZV9G3G+DGG3mvBnj+/wtysSaa3nOyQEPFuUXHI
+rf6d9JWzV6Is3nx0+34StQu/lyyixwb1LssSjop08+J2G66/ZBVYoorQ1qVzU1lH
+OkUg00JeHvFI4uKEEsv0/P31vM4aeW5iJsiWvjY6MAZ7VMmJMOrJEdiX+vycNkQ1
+cS7Qi6DCEpnFZCP61cEbYonBK1rgvNexTRTwIHIrATLLKEOtq+U=
+=6tC9
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-20:18.posix_spawnp.asc

@@ -0,0 +1,138 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:18.posix_spawnp                               Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          posix_spawnp(3) buffer overflow
+
+Category:       core
+Module:         libc
+Announced:      2020-07-08
+Credits:        Andrew Gierth
+Affects:        FreeBSD 11.4
+Corrected:      2020-06-17 16:22:08 UTC (stable/12, 12.1-STABLE)
+                2020-06-17 16:22:08 UTC (stable/11, 11.4-STABLE)
+                2020-07-08 20:08:05 UTC (releng/11.4, 11.4-RELEASE-p1)
+CVE Name:       CVE-2020-7458
+
+Note: This vulnerability was introduced after the release of FreeBSD 11.3 and
+FreeBSD 12.1; FreeBSD 11.4 is the only affected release.
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+posix_spawnp(3) is a lightweight process creation mechanism provided by libc
+for general application usage.
+
+II.  Problem Description
+
+posix_spawnp spawns a new thread with a limited stack allocated on the heap
+before delegating to execvp for the final execution within that thread.
+
+execvp would previously make unbounded allocations on the stack, directly
+proportional to the length of the user-controlled PATH environment variable.
+
+III. Impact
+
+Long values in the user-controlled PATH environment variable cause 
+posix_spawnp to write beyond the end of stack that was allocated, ultimately
+overflowing the heap-allocated stack with a direct copy of the value stored
+in PATH.
+
+IV.  Workaround
+
+No workaround is available.  Few applications in the base system use
+posix_spawnp(3) and none of them are particularly viable candidates for an
+exploit.  Use by third-party applications has not been investigated.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.4]
+# fetch https://security.FreeBSD.org/patches/SA-20:18/posix_spawnp.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:18/posix_spawnp.patch.asc
+# gpg --verify posix_spawnp.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the library, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r362281
+stable/11/                                                        r362281
+releng/11.4/                                                      r363025
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7458>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:18.posix_spawnp.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLlNfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLdthAAgchE9dOcTvmFerK/SEAI7G/+3l1GRQ/hKJfvGbvNuZKKudpMdCmLHzil
+MepCvRO7ft6OTBF66PaAscbdadD54CluQGjD96eLNnQ6dMgU5yZdWTUvvjdJze1R
+200oAlAu2eoZvuRghSNFqh4s8iffYN/T4Tc1ubRCAyZUXYbq5rg3r21P9FugXX+Y
+RZhYzUNRMCi4ZSGkUmcqLltZZtSrI9GOU2H4cKpedYaHJ+b76tALt1fCsSVZwMJK
+7WKiqKkw4ilRH5gbUuTqngVjt7Uy9JGyS2WrAwhnxLIr6+4qxAkiOltwZdFNUhSJ
+HGvTzl2As/gxxjqpqmvzegKfrGOd4pz2i7ZdAhhPWEK0sHNp1NttPQ7wWnU1Ikt3
+bkoiy+eJTF43GL7IpxurOOMDdH9MWL/RAZBZNpTof4XCjhEHvvMaSoeO/GLpcSja
++dYFoip65b1tlBtGt/tlgHVqlzCD86o6pBiRdZ7mYYLTxurDc/dcTpebypQPogcB
+agD3IO0hMXnt1Q/UQVl1pC3LDnSvabeHVI7xuB1T9UP/CsAxTt1nhEM4b9/YnJv5
+Bt1cZFlBvZgrVFVvegYAf7lVz3TsF3xz2pKZD6wxezAk+QbH4ho6aTHWJkRotE4z
+C5bcIEbIz6OX+J7VjOxcgkTu+bFykWb9xcTjtKpRexxICMOef+E=
+=2OBY
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-20:19.unbound.asc

@@ -0,0 +1,143 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:19.unbound                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Multiple vulnerabilities in unbound
+
+Category:       contrib
+Module:         unbound
+Announced:      2020-07-08
+Affects:        All supported versions of FreeBSD.
+Corrected:      2020-05-24 16:47:27 UTC (stable/12, 12.1-STABLE)
+                2020-07-08 20:25:06 UTC (releng/12.1, 12.1-RELEASE-p7)
+                2020-05-24 11:47:27 UTC (stable/11, 11.4-STABLE)
+                2020-07-08 20:22:38 UTC (releng/11.4, 11.4-RELEASE-p1)
+                2020-07-08 20:20:59 UTC (releng/11.3, 11.3-RELEASE-p11)
+CVE Name:       CVE-2020-12662, CVE-2020-12663
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+Unbound is a validating, recursive, and caching DNS resolver.
+
+II.  Problem Description
+
+Malformed answers from upstream name servers can send Unbound into an infinite
+loop, resulting in denial of service.  A malicious query can cause a traffic
+amplification attack against third party authoritative nameservers.
+
+III. Impact
+
+Denial of service of the affected host, or of third parties via traffic
+amplification.
+
+IV.  Workaround
+
+No workaround is available.  Systems not running Unbound are not affected.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 12.1]
+# fetch https://security.FreeBSD.org/patches/SA-20:19/unbound.12.1.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:19/unbound.12.1.patch.asc
+# gpg --verify unbound.12.1.patch.asc
+
+[FreeBSD 11.4]
+# fetch https://security.FreeBSD.org/patches/SA-20:19/unbound.11.4.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:19/unbound.11.4.patch.asc
+# gpg --verify unbound.11.4.patch.asc
+
+[FreeBSD 11.3]
+# fetch https://security.FreeBSD.org/patches/SA-20:19/unbound.11.3.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:19/unbound.11.3.patch.asc
+# gpg --verify unbound.11.3.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch -p0 < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r361435
+releng/12.1/                                                      r363029
+stable/11/                                                        r361435
+releng/11.4/                                                      r363028
+releng/11.3/                                                      r363027
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://nlnetlabs.nl/downloads/unbound/CVE-2020-12662_2020-12663.txt>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12662>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12663>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:19.unbound.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLldfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLg3g/+KxaCk6wFvqDCYlT2Rx8ZfxuU4cG8anJvdanwI8pV7SWsVIilWvpIuW5Y
+1P/TVmZiXpICToiUXdwaOMj8r/8QhmALXd3icb+QBUBdLlkm6Cuh/lSbEAyA63aF
+YYDF9FsXITVMcUCiUCxpVWSzDUW3LD5jMC/0jjvb7N0VhQyn4vHgEUa74jstnu4r
+36QV1s+ucsJafwAyzfobP+fCGKnVM8rmJ/3jE/eifN9RajFJdlkTtV0j6ReK9XQR
+jWunCgYZs8Ur0RFu98hspeRsXPuygV83sDiVWPQUd+iKXC8fW52f+IpAVO4BB763
+ZOjXaeudVfqorBXpKsldggEaCrxbJlEdwR9oZOrNww4QDqgPnU4Fkdb2TXyl5Gtx
+t0fbvEl2sxfx5M+3rF9ae++DPpmIiu8DiodF8XKfXicFZ2WpJmnwEY0SeEGYGyrO
+MJZW3i45qfe4CneFtt1r1v1feX3XQZKuyjtb++S2/PDiSQ1ZrkdE3Y3VYS3X+pLt
+C1ZFkw6nLDDSVzPiD+1i8VzRoKwS7zZKfAWMBJRiO3Jjh2vXsNRYO6wAMPq4HAvA
+DkB0Ykm0ioDqtUwEKhqAcJEmu6P44BM9SJ0ApFeKQ8L+isNoiaEMEVFG1HW9avl6
+E+I33y5yBtvgrRiyqUvANh/ZYSb7FQDTf5rlUOwG+Pk/kUlMrUA=
+=tonD
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-20:20.ipv6.asc

@@ -0,0 +1,131 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:20.ipv6                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          IPv6 socket option race condition and use after free
+
+Category:       core
+Module:         network
+Announced:      2020-07-08
+Credits:        syzkaller, Andy Nguyen
+Affects:        All supported versions of FreeBSD.
+Corrected:      2020-04-02 15:30:51 UTC (stable/12, 12.1-STABLE)
+                2020-07-08 20:11:40 UTC (releng/12.1, 12.1-RELEASE-p7)
+                2020-07-06 20:23:14 UTC (stable/11, 11.4-STABLE)
+                2020-07-08 20:11:40 UTC (releng/11.4, 11.4-RELEASE-p1)
+                2020-07-08 20:11:40 UTC (releng/11.3, 11.3-RELEASE-p11)
+CVE Name:       CVE-2020-7457
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The IPV6_2292PKTOPTIONS socket option allows user code to set IPv6
+header options on a socket.
+
+II.  Problem Description
+
+The IPV6_2292PKTOPTIONS set handler was missing synchronization,
+so racing accesses could modify freed memory.
+
+III. Impact
+
+A malicious user application could trigger memory corruption, leading
+to privilege escalation.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or release /
+security branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-20:20/ipv6.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:20/ipv6.patch.asc
+# gpg --verify ipv6.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r359565
+releng/12.1/                                                      r363026
+stable/11/                                                        r362975
+releng/11.4/                                                      r363026
+releng/11.3/                                                      r363026
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://hackerone.com/reports/826026>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7457>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:20.ipv6.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLvVfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJqxA/9H58yyRUSUy6BTRw0XkCQFO3r0NpTYPWK4RJFPWO2Jh5zL2QjxuSj3k9t
+zgJXM6a1RRgOxevxSzJJXD74BZz3XLJnC9T0tXsp3nikMrd+NSVN0g2jfAbx0l7R
+RFRUJOI2EfcGkIe0tZy4/nGr+H9eZiJt9a9vJ8DCoJuU9Ph/7w3GrVG+gbJfH4sV
+KhvhrRzla4ePadnHyQZALL5ov554BUa3dB9STz8zbdjt5yFREpvCJ9mIOHKNPBCR
+X5v7OMwhw++2Q0JtoMsmBHMi8zOkDpbjPk5eQNLHg3Iw9ZQrxW8KtM9Ru3KFtPw9
+gisI9e53NkCUGLm9iq3oQG6CnCMulTMAlgN5f0HflEwy3vd7R/ibNLvx2yObmVOU
+cX1Nf0ydFfhoS/YQwArdGTUg12BlYL9lqiXTqojUBG+yikwA3XAIUJccpcYyZDLQ
+jR5N8Ct7fV9Ec5pdu4xkSQhKsto9pQVfS0Kabv7hlwumynVL+S7qsmS7FT3IC/4n
+FiXisrJr5TTNO8p/bIs8qooHYUkd06A5O8xy+gRDDPbgvYfevGWrd/vaHmiXpUsv
+dvv9ZnU8xlaSi66AEPs9kYw/WhF55deqaU1M0p6Ob3+TGyJIR3j3IPTAIIXSgTrq
+YiyvzqXM+ob3aysILYRv48LK7+5N/3hDU48FLUN6q1V99G7TV8o=
+=JUip
+-----END PGP SIGNATURE-----

share/security/patches/EN-20:13/bhyve.patch

@@ -0,0 +1,342 @@
+--- sys/amd64/vmm/intel/vtd.c.orig
++++ sys/amd64/vmm/intel/vtd.c
+@@ -51,6 +51,8 @@
+  * Architecture Spec, September 2008.
+  */
+ 
++#define VTD_DRHD_INCLUDE_PCI_ALL(Flags)  (((Flags) >> 0) & 0x1)
++
+ /* Section 10.4 "Register Descriptions" */
+ struct vtdmap {
+ 	volatile uint32_t	version;
+@@ -116,10 +118,11 @@
+ static SLIST_HEAD(, domain) domhead;
+ 
+ #define	DRHD_MAX_UNITS	8
+-static int		drhd_num;
+-static struct vtdmap	*vtdmaps[DRHD_MAX_UNITS];
+-static int		max_domains;
+-typedef int		(*drhd_ident_func_t)(void);
++static ACPI_DMAR_HARDWARE_UNIT	*drhds[DRHD_MAX_UNITS];
++static int			drhd_num;
++static struct vtdmap		*vtdmaps[DRHD_MAX_UNITS];
++static int			max_domains;
++typedef int			(*drhd_ident_func_t)(void);
+ 
+ static uint64_t root_table[PAGE_SIZE / sizeof(uint64_t)] __aligned(4096);
+ static uint64_t ctx_tables[256][PAGE_SIZE / sizeof(uint64_t)] __aligned(4096);
+@@ -175,6 +178,69 @@
+ 	return (id);
+ }
+ 
++static struct vtdmap *
++vtd_device_scope(uint16_t rid)
++{
++	int i, remaining, pathremaining;
++	char *end, *pathend;
++	struct vtdmap *vtdmap;
++	ACPI_DMAR_HARDWARE_UNIT *drhd;
++	ACPI_DMAR_DEVICE_SCOPE *device_scope;
++	ACPI_DMAR_PCI_PATH *path;
++
++	for (i = 0; i < drhd_num; i++) {
++		drhd = drhds[i];
++
++		if (VTD_DRHD_INCLUDE_PCI_ALL(drhd->Flags)) {
++			/*
++			 * From Intel VT-d arch spec, version 3.0:
++			 * If a DRHD structure with INCLUDE_PCI_ALL flag Set is reported
++			 * for a Segment, it must be enumerated by BIOS after all other
++			 * DRHD structures for the same Segment.
++			 */
++			vtdmap = vtdmaps[i];
++			return(vtdmap);
++		}
++
++		end = (char *)drhd + drhd->Header.Length;
++		remaining = drhd->Header.Length - sizeof(ACPI_DMAR_HARDWARE_UNIT);
++		while (remaining > sizeof(ACPI_DMAR_DEVICE_SCOPE)) {
++			device_scope = (ACPI_DMAR_DEVICE_SCOPE *)(end - remaining);
++			remaining -= device_scope->Length;
++
++			switch (device_scope->EntryType){
++				/* 0x01 and 0x02 are PCI device entries */
++				case 0x01:
++				case 0x02:
++					break;
++				default:
++					continue;
++			}
++
++			if (PCI_RID2BUS(rid) != device_scope->Bus)
++				continue;
++
++			pathend = (char *)device_scope + device_scope->Length;
++			pathremaining = device_scope->Length - sizeof(ACPI_DMAR_DEVICE_SCOPE);
++			while (pathremaining >= sizeof(ACPI_DMAR_PCI_PATH)) {
++				path = (ACPI_DMAR_PCI_PATH *)(pathend - pathremaining);
++				pathremaining -= sizeof(ACPI_DMAR_PCI_PATH);
++
++				if (PCI_RID2SLOT(rid) != path->Device)
++					continue;
++				if (PCI_RID2FUNC(rid) != path->Function)
++					continue;
++
++				vtdmap = vtdmaps[i];
++				return (vtdmap);
++			}
++		}
++	}
++
++	/* No matching scope */
++	return (NULL);
++}
++
+ static void
+ vtd_wbflush(struct vtdmap *vtdmap)
+ {
+@@ -240,7 +306,7 @@
+ static int
+ vtd_init(void)
+ {
+-	int i, units, remaining;
++	int i, units, remaining, tmp;
+ 	struct vtdmap *vtdmap;
+ 	vm_paddr_t ctx_paddr;
+ 	char *end, envname[32];
+@@ -291,8 +357,9 @@
+ 			break;
+ 
+ 		drhd = (ACPI_DMAR_HARDWARE_UNIT *)hdr;
+-		vtdmaps[units++] = (struct vtdmap *)PHYS_TO_DMAP(drhd->Address);
+-		if (units >= DRHD_MAX_UNITS)
++		drhds[units] = drhd;
++		vtdmaps[units] = (struct vtdmap *)PHYS_TO_DMAP(drhd->Address);
++		if (++units >= DRHD_MAX_UNITS)
+ 			break;
+ 		remaining -= hdr->Length;
+ 	}
+@@ -302,12 +369,18 @@
+ 
+ skip_dmar:
+ 	drhd_num = units;
+-	vtdmap = vtdmaps[0];
+ 
+-	if (VTD_CAP_CM(vtdmap->cap) != 0)
+-		panic("vtd_init: invalid caching mode");
++	max_domains = 64 * 1024; /* maximum valid value */
++	for (i = 0; i < drhd_num; i++){
++		vtdmap = vtdmaps[i];
++
++		if (VTD_CAP_CM(vtdmap->cap) != 0)
++			panic("vtd_init: invalid caching mode");
+ 
+-	max_domains = vtd_max_domains(vtdmap);
++		/* take most compatible (minimum) value */
++		if ((tmp = vtd_max_domains(vtdmap)) < max_domains)
++			max_domains = tmp;
++	}
+ 
+ 	/*
+ 	 * Set up the root-table to point to the context-entry tables
+@@ -373,7 +446,6 @@
+ 	struct vtdmap *vtdmap;
+ 	uint8_t bus;
+ 
+-	vtdmap = vtdmaps[0];
+ 	bus = PCI_RID2BUS(rid);
+ 	ctxp = ctx_tables[bus];
+ 	pt_paddr = vtophys(dom->ptp);
+@@ -385,6 +457,10 @@
+ 		      (uint16_t)(ctxp[idx + 1] >> 8));
+ 	}
+ 
++	if ((vtdmap = vtd_device_scope(rid)) == NULL)
++		panic("vtd_add_device: device %x is not in scope for "
++		      "any DMA remapping unit", rid);
++
+ 	/*
+ 	 * Order is important. The 'present' bit is set only after all fields
+ 	 * of the context pointer are initialized.
+@@ -568,8 +644,6 @@
+ 	if (drhd_num <= 0)
+ 		panic("vtd_create_domain: no dma remapping hardware available");
+ 
+-	vtdmap = vtdmaps[0];
+-
+ 	/*
+ 	 * Calculate AGAW.
+ 	 * Section 3.4.2 "Adjusted Guest Address Width", Architecture Spec.
+@@ -594,7 +668,14 @@
+ 	pt_levels = 2;
+ 	sagaw = 30;
+ 	addrwidth = 0;
+-	tmp = VTD_CAP_SAGAW(vtdmap->cap);
++
++	tmp = ~0;
++	for (i = 0; i < drhd_num; i++) {
++		vtdmap = vtdmaps[i];
++		/* take most compatible value */
++		tmp &= VTD_CAP_SAGAW(vtdmap->cap);
++	}
++
+ 	for (i = 0; i < 5; i++) {
+ 		if ((tmp & (1 << i)) != 0 && sagaw >= agaw)
+ 			break;
+@@ -606,8 +687,8 @@
+ 	}
+ 
+ 	if (i >= 5) {
+-		panic("vtd_create_domain: SAGAW 0x%lx does not support AGAW %d",
+-		      VTD_CAP_SAGAW(vtdmap->cap), agaw);
++		panic("vtd_create_domain: SAGAW 0x%x does not support AGAW %d",
++		      tmp, agaw);
+ 	}
+ 
+ 	dom = malloc(sizeof(struct domain), M_VTD, M_ZERO | M_WAITOK);
+@@ -634,7 +715,12 @@
+ 	 * There is not any code to deal with the demotion at the moment
+ 	 * so we disable superpage mappings altogether.
+ 	 */
+-	dom->spsmask = VTD_CAP_SPS(vtdmap->cap);
++	dom->spsmask = ~0;
++	for (i = 0; i < drhd_num; i++) {
++		vtdmap = vtdmaps[i];
++		/* take most compatible value */
++		dom->spsmask &= VTD_CAP_SPS(vtdmap->cap);
++	}
+ #endif
+ 
+ 	SLIST_INSERT_HEAD(&domhead, dom, next);
+--- usr.sbin/bhyve/pci_emul.c.orig
++++ usr.sbin/bhyve/pci_emul.c
+@@ -868,7 +868,7 @@
+ 					sizeof(msixcap)));
+ }
+ 
+-void
++static void
+ msixcap_cfgwrite(struct pci_devinst *pi, int capoff, int offset,
+ 		 int bytes, uint32_t val)
+ {
+@@ -892,7 +892,7 @@
+ 	CFGWRITE(pi, offset, val, bytes);
+ }
+ 
+-void
++static void
+ msicap_cfgwrite(struct pci_devinst *pi, int capoff, int offset,
+ 		int bytes, uint32_t val)
+ {
+@@ -971,30 +971,34 @@
+ 
+ /*
+  * This function assumes that 'coff' is in the capabilities region of the
+- * config space.
++ * config space. A capoff parameter of zero will force a search for the
++ * offset and type.
+  */
+-static void
+-pci_emul_capwrite(struct pci_devinst *pi, int offset, int bytes, uint32_t val)
++void
++pci_emul_capwrite(struct pci_devinst *pi, int offset, int bytes, uint32_t val,
++    uint8_t capoff, int capid)
+ {
+-	int capid;
+-	uint8_t capoff, nextoff;
++	uint8_t nextoff;
+ 
+ 	/* Do not allow un-aligned writes */
+ 	if ((offset & (bytes - 1)) != 0)
+ 		return;
+ 
+-	/* Find the capability that we want to update */
+-	capoff = CAP_START_OFFSET;
+-	while (1) {
+-		nextoff = pci_get_cfgdata8(pi, capoff + 1);
+-		if (nextoff == 0)
+-			break;
+-		if (offset >= capoff && offset < nextoff)
+-			break;
++	if (capoff == 0) {
++		/* Find the capability that we want to update */
++		capoff = CAP_START_OFFSET;
++		while (1) {
++			nextoff = pci_get_cfgdata8(pi, capoff + 1);
++			if (nextoff == 0)
++				break;
++			if (offset >= capoff && offset < nextoff)
++				break;
+ 
+-		capoff = nextoff;
++			capoff = nextoff;
++		}
++		assert(offset >= capoff);
++		capid = pci_get_cfgdata8(pi, capoff);
+ 	}
+-	assert(offset >= capoff);
+ 
+ 	/*
+ 	 * Capability ID and Next Capability Pointer are readonly.
+@@ -1011,7 +1015,6 @@
+ 			return;
+ 	}
+ 
+-	capid = pci_get_cfgdata8(pi, capoff);
+ 	switch (capid) {
+ 	case PCIY_MSI:
+ 		msicap_cfgwrite(pi, capoff, offset, bytes, val);
+@@ -1878,7 +1881,7 @@
+ 			pci_set_cfgdata32(pi, coff, bar);
+ 
+ 		} else if (pci_emul_iscap(pi, coff)) {
+-			pci_emul_capwrite(pi, coff, bytes, *eax);
++			pci_emul_capwrite(pi, coff, bytes, *eax, 0, 0);
+ 		} else if (coff >= PCIR_COMMAND && coff < PCIR_REVID) {
+ 			pci_emul_cmdsts_write(pi, coff, *eax, bytes);
+ 		} else {
+--- usr.sbin/bhyve/pci_emul.h.orig
++++ usr.sbin/bhyve/pci_emul.h
+@@ -212,10 +212,6 @@
+     int ioapic_irq, void *arg);
+ 
+ int	init_pci(struct vmctx *ctx);
+-void	msicap_cfgwrite(struct pci_devinst *pi, int capoff, int offset,
+-	    int bytes, uint32_t val);
+-void	msixcap_cfgwrite(struct pci_devinst *pi, int capoff, int offset,
+-	    int bytes, uint32_t val);
+ void	pci_callback(void);
+ int	pci_emul_alloc_bar(struct pci_devinst *pdi, int idx,
+ 	    enum pcibar_type type, uint64_t size);
+@@ -223,6 +219,8 @@
+ 	    uint64_t hostbase, enum pcibar_type type, uint64_t size);
+ int	pci_emul_add_msicap(struct pci_devinst *pi, int msgnum);
+ int	pci_emul_add_pciecap(struct pci_devinst *pi, int pcie_device_type);
++void	pci_emul_capwrite(struct pci_devinst *pi, int offset, int bytes,
++	    uint32_t val, uint8_t capoff, int capid);
+ void	pci_generate_msi(struct pci_devinst *pi, int msgnum);
+ void	pci_generate_msix(struct pci_devinst *pi, int msgnum);
+ void	pci_lintr_assert(struct pci_devinst *pi);
+--- usr.sbin/bhyve/pci_passthru.c.orig
++++ usr.sbin/bhyve/pci_passthru.c
+@@ -828,8 +828,8 @@
+ 	 * MSI capability is emulated
+ 	 */
+ 	if (msicap_access(sc, coff)) {
+-		msicap_cfgwrite(pi, sc->psc_msi.capoff, coff, bytes, val);
+-
++		pci_emul_capwrite(pi, coff, bytes, val, sc->psc_msi.capoff,
++		    PCIY_MSI);
+ 		error = vm_setup_pptdev_msi(ctx, vcpu, sc->psc_sel.pc_bus,
+ 			sc->psc_sel.pc_dev, sc->psc_sel.pc_func,
+ 			pi->pi_msi.addr, pi->pi_msi.msg_data,
+@@ -840,7 +840,8 @@
+ 	}
+ 
+ 	if (msixcap_access(sc, coff)) {
+-		msixcap_cfgwrite(pi, sc->psc_msix.capoff, coff, bytes, val);
++		pci_emul_capwrite(pi, coff, bytes, val, sc->psc_msix.capoff,
++		    PCIY_MSIX);
+ 		if (pi->pi_msix.enabled) {
+ 			msix_table_entries = pi->pi_msix.table_count;
+ 			for (i = 0; i < msix_table_entries; i++) {

share/security/patches/EN-20:13/bhyve.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLnVfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJnVQ//a+Sv6tvAbSY/NigpbYLEXFT2iC66yxnL4WkIjy8eDZq4DbE95seOlYa0
+MErgPFCWvpiEbmWmtW4zt9KMOgvUXVPXr3y7siax9wBFbQil87HW+5ujHueKOLo0
+drl+wllxHMNaYFnY3leHCBlQRcMF/vCmQwuh67wvpKm4R3lcJFVw7fzuKRRtOTrU
+Mf621q5NRAiBUlTD9V3jdGbWd7aZ00N+UNmOdErjf2jIm8yKEk/seKEQr+u/dD0l
+HmTxG2HFSggUNiFLaR1OLVYDTQZnnuegAj50YTIR96kBfXNX+RmoT6iUmICbhPGt
+zbEy2ApvUYK2XmfRmcXTT8n1IRDlgSo19Ajf7rEuVaX3i8H8NNQHoeV9pxnNBEs8
+0HaSjeL9hTuWdVbDEIrb4yPyl8ud3ZIOymcegkG5bXgzCBdvTQ1J4DqMJWrndoTE
+Bnvn+DvIKtqTNxxZNMdAW4jgj9xsW9UDKppAKjCM1JChco6VjJoE4qr/H+MClBES
+rRSTUeh9FX2Zt1fr+roGmgjS5lV7YWtEOb1SxsNLTY6ehuyNRoEPmfvmfGkhy+mm
+I9cVql2ZBvJjsd2cA7u5TjrkiSIIuARn8w/itF5t7ETHWjsq5H56OdvrVyfHTKw2
+2s6lc0rXOBwB0kcPIVv0pl1TAei8y0zbKsUgm3rdCORuxG0vAIo=
+=csQT
+-----END PGP SIGNATURE-----

share/security/patches/EN-20:14/linuxkpi.patch

@@ -0,0 +1,12 @@
+--- sys/compat/linuxkpi/common/src/linux_compat.c.orig
++++ sys/compat/linuxkpi/common/src/linux_compat.c
+@@ -1502,6 +1502,9 @@
+ 	KASSERT(file_count(filp) == 0,
+ 	    ("File refcount(%d) is not zero", file_count(filp)));
+ 
++	if (td == NULL)
++		td = curthread;
++
+ 	error = 0;
+ 	filp->f_flags = file->f_flag;
+ 	linux_set_current(td);

share/security/patches/EN-20:14/linuxkpi.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLnpfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLGGg//YXr2SKIW7W0Rx1KR44PjEp2zkDLPIYVRjwUeQoTO3Jpljpt66WfehbOH
+GS4vb1RfA97KYiOjNxY3NhgRPDzoXR9b6Ht+ezzEtbsAF9tQAtc3Nt+FDoMfYLh8
+sZ6sUZdMUQExF3R5a0qmoi5FoggPaFft5cFSrrYkKRv26VcyaizJhSSCZOtGR91D
+pLWk/napYpaTrDXUnYGjyMHtj2zRimv3fa2T+4+UUTWQnMyWsnwLCd0d4+Ks+dwy
+fULPoLXRu2APflau5kHpAf6A8m/y/geYX3esjC9lj6G6xDCTmlY1ILQsXqm2DIVx
+RYcsSh7z0hsBlfIDcebj/+3GYU0ydyA/0N5mC4J3Xy7hm1HQvVPoCo+QcP/PdKvu
+E1Q4PF1fn7aPR77ghfnPtodznzA2zoSpAC24hHaDSy7H+NVGUgCxXiJNcQ4gsaBn
+/3Fv24bvLcUbu0M+sBn75NMsBf31HY6h/V7h6a6f4fVYnmwe0Qcd+5NQU3kIxcNX
+lO/T8NPn3eBzkWghm8ZpDSm/ql73QslJY2ZIdsUxdX0+YhBZBudgQxJYQ5jQ5I7J
+6NwfJsIaMqNXRz8H9DH6+Jc8vCvd74DiLp2dl7mUHggBeuW1aRpK1MnGAaUJvsgz
+m7iIix9yIJqCNpRnYl0hsdtm8O9pkYF6KiJw0n63nK5O3rBb9Ck=
+=gXbu
+-----END PGP SIGNATURE-----

share/security/patches/EN-20:15/mps.patch

@@ -0,0 +1,18 @@
+--- sys/dev/mps/mps_user.c.orig
++++ sys/dev/mps/mps_user.c
+@@ -1045,10 +1045,12 @@
+ 			if (((MPI2_SCSI_IO_REPLY *)rpl)->SCSIState &
+ 			    MPI2_SCSI_STATE_AUTOSENSE_VALID) {
+ 				sense_len =
+-				    MIN((le32toh(((MPI2_SCSI_IO_REPLY *)rpl)->SenseCount)),
+-				    sizeof(struct scsi_sense_data));
++				    MIN((le32toh(((MPI2_SCSI_IO_REPLY *)rpl)->
++				    SenseCount)), sizeof(struct
++				    scsi_sense_data));
+ 				mps_unlock(sc);
+-				copyout(cm->cm_sense, cm->cm_req + 64, sense_len);
++				copyout(cm->cm_sense, (PTRIN(data->PtrReply +
++				    sizeof(MPI2_SCSI_IO_REPLY))), sense_len);
+ 				mps_lock(sc);
+ 			}
+ 		}

share/security/patches/EN-20:15/mps.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLn5fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLLmQ/+M8BAUgkejk4cpsJOVpfnRRPol7ap5nUQEU/HnXkkQS9iYMh8tf1gMPh1
+bDG50TfWUR9AyYoN1VQmHbi7fpEefzP2HwcfoNp7sIhI4PIvT2Eep05V+Tciplsc
+vlAMvaHT/kVTDxTMtnmWGU8e64NziJbPMMkTMZiJaU3fQc8o8gAWIA8dtxCD3/21
+XEFV5UEvBVcoAdB1xONM77PeMtKUysOccoVXlZJkscW99o8nUfrI6UZE75aR53KD
++AZbZIHWV6CRHIf/JzZFg7To2gLsi2/bAWPFcXPHzbu9c7z3rka6WmXc8AZCdOPf
+x1yHRzeMb3axbsTOl8Sderew41AWyhwSk58WN+kyWgH5N4UubjOTgS5kZK6rancn
+5H3hq/59n5qIJz2yCVVMg0QSqgh2DwLjxuWJRRg9dfKy6+8FgjIDCrXl4Y20YkI3
+MhpvwPr7nsduiAg/NdHxpTYnN8vXC0PyGgIWbhyJzYvu3nb35gAlGs6HJo4gNId8
+Skc2q8wG059fjG0BbJhsn+n10hzL3N9uienZ+SM7nZdRrhEvxSPGpuzxa7+9lL+C
+RFVMVvdDvgol88FGfxVNxwVQ9s+n4nbwh4JC0YsbP5atvHZnGT+JLpBFgasOkEvA
+/vw+YcCazl2oxOwoq3eXoAkJWkJpn3Xv3eBfxj567k1EDLuGC5I=
+=u0ny
+-----END PGP SIGNATURE-----

share/security/patches/SA-20:18/posix_spawnp.patch

@@ -0,0 +1,280 @@
+--- lib/libc/gen/exec.c.orig
++++ lib/libc/gen/exec.c
+@@ -49,6 +49,9 @@
+ 
+ extern char **environ;
+ 
++static const char execvPe_err_preamble[] = "execvP: ";
++static const char execvPe_err_trailer[] = ": path too long\n";
++
+ int
+ execl(const char *name, const char *arg, ...)
+ {
+@@ -149,8 +152,8 @@
+ 	const char **memp;
+ 	size_t cnt, lp, ln;
+ 	int eacces, save_errno;
+-	char *cur, buf[MAXPATHLEN];
+-	const char *p, *bp;
++	char buf[MAXPATHLEN];
++	const char *bp, *np, *op, *p;
+ 	struct stat sb;
+ 
+ 	eacces = 0;
+@@ -158,7 +161,7 @@
+ 	/* If it's an absolute or relative path name, it's easy. */
+ 	if (strchr(name, '/')) {
+ 		bp = name;
+-		cur = NULL;
++		op = NULL;
+ 		goto retry;
+ 	}
+ 	bp = buf;
+@@ -169,24 +172,31 @@
+ 		return (-1);
+ 	}
+ 
+-	cur = alloca(strlen(path) + 1);
+-	if (cur == NULL) {
+-		errno = ENOMEM;
+-		return (-1);
+-	}
+-	strcpy(cur, path);
+-	while ((p = strsep(&cur, ":")) != NULL) {
++	op = path;
++	ln = strlen(name);
++	while (op != NULL) {
++		np = strchrnul(op, ':');
++
+ 		/*
+ 		 * It's a SHELL path -- double, leading and trailing colons
+ 		 * mean the current directory.
+ 		 */
+-		if (*p == '\0') {
++		if (np == op) {
++			/* Empty component. */
+ 			p = ".";
+ 			lp = 1;
+-		} else
+-			lp = strlen(p);
+-		ln = strlen(name);
++		} else {
++			/* Non-empty component. */
++			p = op;
++			lp = np - op;
++		}
+ 
++		/* Advance to the next component or terminate after this. */
++		if (*np == '\0')
++			op = NULL;
++		else
++			op = np + 1;
++
+ 		/*
+ 		 * If the path is too long complain.  This is a possible
+ 		 * security issue; given a way to make the path too long
+@@ -193,10 +203,11 @@
+ 		 * the user may execute the wrong program.
+ 		 */
+ 		if (lp + ln + 2 > sizeof(buf)) {
+-			(void)_write(STDERR_FILENO, "execvP: ", 8);
++			(void)_write(STDERR_FILENO, execvPe_err_preamble,
++			    sizeof(execvPe_err_preamble) - 1);
+ 			(void)_write(STDERR_FILENO, p, lp);
+-			(void)_write(STDERR_FILENO, ": path too long\n",
+-			    16);
++			(void)_write(STDERR_FILENO, execvPe_err_trailer,
++			    sizeof(execvPe_err_trailer) - 1);
+ 			continue;
+ 		}
+ 		bcopy(p, buf, lp);
+@@ -215,14 +226,28 @@
+ 		case ENOEXEC:
+ 			for (cnt = 0; argv[cnt]; ++cnt)
+ 				;
+-			memp = alloca((cnt + 2) * sizeof(char *));
++
++			/*
++			 * cnt may be 0 above; always allocate at least
++			 * 3 entries so that we can at least fit "sh", bp, and
++			 * the NULL terminator.  We can rely on cnt to take into
++			 * account the NULL terminator in all other scenarios,
++			 * as we drop argv[0].
++			 */
++			memp = alloca(MAX(3, cnt + 2) * sizeof(char *));
+ 			if (memp == NULL) {
+ 				/* errno = ENOMEM; XXX override ENOEXEC? */
+ 				goto done;
+ 			}
+-			memp[0] = "sh";
+-			memp[1] = bp;
+-			bcopy(argv + 1, memp + 2, cnt * sizeof(char *));
++			if (cnt > 0) {
++				memp[0] = argv[0];
++				memp[1] = bp;
++				bcopy(argv + 1, memp + 2, cnt * sizeof(char *));
++			} else {
++				memp[0] = "sh";
++				memp[1] = bp;
++				memp[2] = NULL;
++			}
+  			(void)_execve(_PATH_BSHELL,
+ 			    __DECONST(char **, memp), envp);
+ 			goto done;
+--- lib/libc/gen/posix_spawn.c.orig
++++ lib/libc/gen/posix_spawn.c
+@@ -28,6 +28,7 @@
+ __FBSDID("$FreeBSD$");
+ 
+ #include "namespace.h"
++#include <sys/param.h>
+ #include <sys/queue.h>
+ #include <sys/wait.h>
+ 
+@@ -202,8 +203,20 @@
+ 	volatile int error;
+ };
+ 
++#define	PSPAWN_STACK_ALIGNMENT	16
++#define	PSPAWN_STACK_ALIGNBYTES	(PSPAWN_STACK_ALIGNMENT - 1)
++#define	PSPAWN_STACK_ALIGN(sz) \
++	(((sz) + PSPAWN_STACK_ALIGNBYTES) & ~PSPAWN_STACK_ALIGNBYTES)
++
+ #if defined(__i386__) || defined(__amd64__)
++/*
++ * Below we'll assume that _RFORK_THREAD_STACK_SIZE is appropriately aligned for
++ * the posix_spawn() case where we do not end up calling _execvpe and won't ever
++ * try to allocate space on the stack for argv[].
++ */
+ #define	_RFORK_THREAD_STACK_SIZE	4096
++_Static_assert((_RFORK_THREAD_STACK_SIZE % PSPAWN_STACK_ALIGNMENT) == 0,
++    "Inappropriate stack size alignment");
+ #endif
+ 
+ static int
+@@ -244,10 +257,36 @@
+ 	pid_t p;
+ #ifdef _RFORK_THREAD_STACK_SIZE
+ 	char *stack;
++	size_t cnt, stacksz;
+ 
+-	stack = malloc(_RFORK_THREAD_STACK_SIZE);
++	stacksz = _RFORK_THREAD_STACK_SIZE;
++	if (use_env_path) {
++		/*
++		 * We need to make sure we have enough room on the stack for the
++		 * potential alloca() in execvPe if it gets kicked back an
++		 * ENOEXEC from execve(2), plus the original buffer we gave
++		 * ourselves; this protects us in the event that the caller
++		 * intentionally or inadvertently supplies enough arguments to
++		 * make us blow past the stack we've allocated from it.
++		 */
++		for (cnt = 0; argv[cnt] != NULL; ++cnt)
++			;
++		stacksz += MAX(3, cnt + 2) * sizeof(char *);
++		stacksz = PSPAWN_STACK_ALIGN(stacksz);
++	}
++
++	/*
++	 * aligned_alloc is not safe to use here, because we can't guarantee
++	 * that aligned_alloc and free will be provided by the same
++	 * implementation.  We've actively hit at least one application that
++	 * will provide its own malloc/free but not aligned_alloc leading to
++	 * a free by the wrong allocator.
++	 */
++	stack = malloc(stacksz);
+ 	if (stack == NULL)
+ 		return (ENOMEM);
++	stacksz = (((uintptr_t)stack + stacksz) & ~PSPAWN_STACK_ALIGNBYTES) -
++	    (uintptr_t)stack;
+ #endif
+ 	psa.path = path;
+ 	psa.fa = fa;
+@@ -271,8 +310,7 @@
+ 	 * parent.  Because of this, we must use rfork_thread instead while
+ 	 * almost every other arch stores the return address in a register.
+ 	 */
+-	p = rfork_thread(RFSPAWN, stack + _RFORK_THREAD_STACK_SIZE,
+-	    _posix_spawn_thr, &psa);
++	p = rfork_thread(RFSPAWN, stack + stacksz, _posix_spawn_thr, &psa);
+ 	free(stack);
+ #else
+ 	p = rfork(RFSPAWN);
+--- lib/libc/tests/gen/Makefile.orig
++++ lib/libc/tests/gen/Makefile
+@@ -20,6 +20,15 @@
+ # TODO: t_siginfo (fixes require further inspection)
+ # TODO: t_sethostname_test (consistently screws up the hostname)
+ 
++FILESGROUPS+=		posix_spawn_test_FILES
++
++posix_spawn_test_FILES=	spawnp_enoexec.sh
++posix_spawn_test_FILESDIR=	${TESTSDIR}
++posix_spawn_test_FILESMODE= 0755
++posix_spawn_test_FILESOWN= root
++posix_spawn_test_FILESGRP= wheel
++posix_spawn_test_FILESPACKAGE=	${PACKAGE}
++
+ CFLAGS+=	-DTEST_LONG_DOUBLE
+ 
+ # Not sure why this isn't defined for all architectures, since most
+--- lib/libc/tests/gen/posix_spawn_test.c.orig
++++ lib/libc/tests/gen/posix_spawn_test.c
+@@ -93,11 +93,50 @@
+ 	}
+ }
+ 
++ATF_TC_WITHOUT_HEAD(posix_spawnp_enoexec_fallback);
++ATF_TC_BODY(posix_spawnp_enoexec_fallback, tc)
++{
++	char buf[FILENAME_MAX];
++	char *myargs[2];
++	int error, status;
++	pid_t pid, waitres;
++
++	snprintf(buf, sizeof(buf), "%s/spawnp_enoexec.sh",
++	    atf_tc_get_config_var(tc, "srcdir"));
++	myargs[0] = buf;
++	myargs[1] = NULL;
++	error = posix_spawnp(&pid, myargs[0], NULL, NULL, myargs, myenv);
++	ATF_REQUIRE(error == 0);
++	waitres = waitpid(pid, &status, 0);
++	ATF_REQUIRE(waitres == pid);
++	ATF_REQUIRE(WIFEXITED(status) && WEXITSTATUS(status) == 42);
++}
++
++ATF_TC_WITHOUT_HEAD(posix_spawnp_enoexec_fallback_null_argv0);
++ATF_TC_BODY(posix_spawnp_enoexec_fallback_null_argv0, tc)
++{
++	char buf[FILENAME_MAX];
++	char *myargs[1];
++	int error, status;
++	pid_t pid, waitres;
++
++	snprintf(buf, sizeof(buf), "%s/spawnp_enoexec.sh",
++	    atf_tc_get_config_var(tc, "srcdir"));
++	myargs[0] = NULL;
++	error = posix_spawnp(&pid, buf, NULL, NULL, myargs, myenv);
++	ATF_REQUIRE(error == 0);
++	waitres = waitpid(pid, &status, 0);
++	ATF_REQUIRE(waitres == pid);
++	ATF_REQUIRE(WIFEXITED(status) && WEXITSTATUS(status) == 42);
++}
++
+ ATF_TP_ADD_TCS(tp)
+ {
+ 
+ 	ATF_TP_ADD_TC(tp, posix_spawn_simple_test);
+ 	ATF_TP_ADD_TC(tp, posix_spawn_no_such_command_negative_test);
++	ATF_TP_ADD_TC(tp, posix_spawnp_enoexec_fallback);
++	ATF_TP_ADD_TC(tp, posix_spawnp_enoexec_fallback_null_argv0);
+ 
+ 	return (atf_no_error());
+ }
+--- lib/libc/tests/gen/spawnp_enoexec.sh.orig
++++ lib/libc/tests/gen/spawnp_enoexec.sh
+@@ -0,0 +1,4 @@
++# $FreeBSD$
++# Intentionally no interpreter
++
++exit 42

share/security/patches/SA-20:18/posix_spawnp.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLolfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKQYhAAnw5pU+TxqHv7BT4v6lXqIAnJhYpoD3TlcbEfqYErN+rYb6PB7c1tuKTR
+/+4YCM4SZVXtHmaL1VkHqQUpWL7hTMLdaGKT3kkycETESZEednEs9A/IPHZ7ooLv
+ZdsK4/PdVac2DxaHN5suENB3054Hmm8TIHTxcEyac1rLGsYpMzo9iA5PzE3imNWH
+hCI7dV8cdFJ20wS+Zq2HsbjxYbXtZ5su0whn+ziQx3ObfMbfC19fKSRL8/oI7MFc
+qASSEj3Aw5bprDLR85fukZNpg2iIxkf4gJ3Yw47BuQ6I/fid52sDhuBcMRKJArHe
+LIK5mhy+NcwOOZH3At1PjGpbjPUU8SUonbeHKAqzcDVC6UtOK88tqYT9cm3qLNR1
+3+aznvpM6R74QZku6kGuYEN6b4iTXsL2BWaGQBNV/KVq2H4qJMqPaYpjJp7yiCj7
+LV3DN+ugYiWuE//llmhDW+WImqdMJ3FALkcwYMvvz3mOEc33B68A/d0t/jU9xUpY
+gStzI7Ze/hI54wvpPg+plTtqTrPAAqwN1uBUfBuboQ5XjZsURGeqE6jZJOIOuQR2
+r6tTb/wYnM0a69YcZKaePdvsNE4bJlsZ7+NbjRcSjJzHPLiFVdGwhYQZjYgfeqP5
+tqt/PuawGkwz08rtfQ7T6BoHoB7/oQzbYNaVlzy8UckwXI41EMM=
+=x3mt
+-----END PGP SIGNATURE-----

share/security/patches/SA-20:19/unbound.11.3.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLo1fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLeNg//ffrD/D0vJjq4WCzCZ9Bgl9Epb+hlEZtHTQN8UP3qE55as0k0YWxa6OQR
+aBK0Y+AjHLziWPvZHIZpvTaK2g/ZzskBYQkIcntRidWDUJ81D/9FrtFshRbqsy8B
+9vr94DZZeFrx3pPImnmoUecKGmvTgSUU7P1OTPx5OnuGQfodu3mGpeu+GBAhfnyL
+XLNQ0iAjpvfYruOxwxJ0Mi4qhebZkU6i9XWvjhg1Mfj1dUxMxJFRAviaCTe6shOA
+hIlc/jqEtQv0ECKM6++3HKZERI0qHOWx9X/1KKm4PHER/84ZvvBPXySIsDoqAhTG
+TTtwTksKhqUkBYt42Unfyhtra1QNwqRR5Kit4vSctYkqMJQdqJXS52YKdZIoO2p6
+98WMU7tdxtKJKTLxu+Uwz2Ej26J18DcwETx6zz1Piz/GUUIo5weAx6pJMWC9hTyo
+XUxTxCo7WXDns1Y4fJsT+4gfYxT1Jyrm9oC9v/gSrlflEctTF3B5+J0ftwN19BKb
+de/FePND9ehfG5wnmcdxuAXv41WT0634vE0BoxM7E3hnGaPbDFuEb6OCHL1TCRav
+f4iS9ygWTtSzxRHZyFtpx/kGIFgVuxX6F2XSLu4nKlUDQPA8xBmr1wPATLvfUne4
+Gi55CvtiMA0E0YDodQt3QM6q9QSXjXeMnO0eBgP3KSREF494/gw=
+=awG7
+-----END PGP SIGNATURE-----

share/security/patches/SA-20:19/unbound.11.4.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLo1fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLAEg//TU8NX44Dq/Urt5hW93wPxC5zYncnC9LSx58QctcMIPvd7PnzBkpv36HQ
+14lVfmFgOxDxyrBOjeFJYquKUyMQZW3E7RWkGJM6lsQ7VJ+dp9yTgSTBWh/nHv97
+BLLvyrKSgVaxMz3IZmtiAorMsCfuptcsumpVyjQ80EZ7ojt9NNpILbUxdE6D2m0d
+FbaylMjqhcwWKdOzm4CLj7SfTZG0NKWtJg5lWQAMibefVvqpJAppWyckv+fbs3ec
+p4q0EEIX5GfaYrx5nkdzn6Lo/7UIiR+y0mRHyQwg8FHRddxu+WfiTjtvgEutqFaS
+amGNleWfaTBPHpLw9MGbCqPt8SGEptPd1XVD1hABz1jIrVpESg6u19QXlrUrOWVW
+9f57Y+Uk5uQZPqYgaECQswBCetUsRzU1ZjPppMOThRMwcmoFZlgXMru/e+7Trhfg
+yJjuYvCJL46bK1WtDkyUPpbSU3mz65nogvOziJTzs5PYYak83z7inV0TknFHifDW
+um0lY+9NR3FO1vXKOzu42Kt0QutPSgEndv+lkOsnjewOfrwtCxUop2AZ3hFaP+zu
+RFXvH0sSlkVMlM8B8Klw25tOaSWrlQJAyoVw+U3gsIwUc8pxn8Me/92g3xZ6IT9/
+7BoYlj+NMhl0mPbwmPl7ctvQIpv/pVnvYdA+HxfOhhijV+87L6I=
+=IbE6
+-----END PGP SIGNATURE-----

share/security/patches/SA-20:19/unbound.12.1.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLo1fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJU2w//SoITpoMMV09v7g4cn/4Z9qszCvnA2uZ6+yYU9IxZp5s796q5ZrXHR1Oq
+dmh0bFz8D/vC6Wx6AdG30ccC3cFkSPRi/IRmG3YuUjTec1fqursq0ocD95RPGBiI
+i77XjIvo4XSAkfYuhyv3mttRZvPLDnS0cEtOFxQsQw94N62k1EfCbh9fARLzd6tS
+VDxLh5vhQeILiuvokcpopkdo2zc0WvOZLM5r7Ioz6aboUnYUpe9P46Uox6pCUsaA
+tPqiwSyNCYH0+fw1HdRZcyPUU/H4MDm/35tMIiTFSP1TRd9a8umKa2DGEDx3EVK7
+98kbv8fFtb+94WtrHnD/81wiJr5j+X/Zbcoj81EzuSJbclS//6KVGXtCyXLs00YN
+QUgkOj/3MlRWKHbSzctbcuY5V2IeC5TKwhFwZjEllFwb1KGfvmNcBgxqL8gkz3w5
+XIFMJodRJDFwNq8htJ25AWhAXs2L7RNwNSByLP7+NlZ3SmQ4ExvL3+Yyn4pPP/Py
+lqS2YZ+KvtBLMXUe2iqtkvxc5Ro9iBKRJpnn0bLHL7asd7qzDd67Ca8FyUHHw9sb
+vvl99dAa+xZkZ6D9ARGNxE78G3HyNP3NPF11ttVm4t05FKP+mxkg8dHhEQ6NFK+C
+IoIIK7wXfi7absrWma60yAANv27DAwkG5vsOHW0/8X+zras6Trw=
+=1zp6
+-----END PGP SIGNATURE-----

share/security/patches/SA-20:20/ipv6.patch

@@ -0,0 +1,27 @@
+--- sys/netinet6/ip6_output.c.orig
++++ sys/netinet6/ip6_output.c
+@@ -1514,8 +1514,10 @@
+ 				error = soopt_mcopyin(sopt, m); /* XXX */
+ 				if (error != 0)
+ 					break;
++				INP_WLOCK(in6p);
+ 				error = ip6_pcbopts(&in6p->in6p_outputopts,
+ 						    m, so, sopt);
++				INP_WUNLOCK(in6p);
+ 				m_freem(m); /* XXX */
+ 				break;
+ 			}
+@@ -2260,8 +2262,11 @@
+ 			printf("ip6_pcbopts: all specified options are cleared.\n");
+ #endif
+ 		ip6_clearpktopts(opt, -1);
+-	} else
+-		opt = malloc(sizeof(*opt), M_IP6OPT, M_WAITOK);
++	} else {
++		opt = malloc(sizeof(*opt), M_IP6OPT, M_NOWAIT);
++		if (opt == NULL)
++			return (ENOMEM);
++	}
+ 	*pktopt = NULL;
+ 
+ 	if (!m || m->m_len == 0) {

share/security/patches/SA-20:20/ipv6.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLpFfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLuFQ/+OI6NT4dKZuEWqqmvdchoH8bPQegnDBCOTsvuJ+6efer8a8YECdjifSOH
+bE0HaC0YYsRgfI60kl3SM0RLNQMs1+r3kdbn539NMCCRigMfrwHkxsKInvSnZzLu
+GnKfgWE/AbdGZ5/dIG6V2UN5zhpUhu0DUJzlA1GOsFAjs1SE7Yg8vTYjA5AbOwal
+mzUM06p8ZR/I7KleEGuQXUQCAzUld9dT3ocikwLdd5q0Oi6wPnZjyijhUK8A+C1k
+xNkjzqgfeL0k8GhjuMWyMuxNhr6tgny1cyGkZCXY/xWZ0zwXmL2/Nd90s3av9rcH
+plq2BJ1ej4iW6LzYJEKRex72ub3j0KpF/kBSRFpyOe8j0lYXlUJ1y0LN1p8OG8yB
+OUjv6n4UgPBKZRG45H2MoNE0xoaiOiOM/mUaQEa9Z8P2wW74ksH9dceEP3xAw3l+
+4jZ5NQ+y17vsNbnZmaCxV8EdCnDWtd7PRMr6lWAyU2BcnoWQ6NKFJ3HKsNlWlyU+
+GQJvQvShahwkjUSKURUPTzTdZ7mpXgHNcRry93R15kcU7beS2uIwtpt8mpY22GZw
+Wb0bMEP9rma1GeDHSgojAX5Vqb/yBXgUrJMAfGZyr6r8GG33S5iksVPQoj4gpLJb
+rbrHHHaAoqcFcJfiUjAt8shsLfykTuitFVF+UlGBKvSJSG6WQbQ=
+=raf4
+-----END PGP SIGNATURE-----

share/xml/advisories.xml

@@ -7,6 +7,27 @@
   <year>
     <name>2020</name>
 
+    <month>
+      <name>7</name>
+
+      <day>
+	<name>8</name>
+
+	<advisory>
+	  <name>FreeBSD-SA-20:20.ipv6</name>
+	</advisory>
+
+	<advisory>
+	  <name>FreeBSD-SA-20:19.unbound</name>
+	</advisory>
+
+	<advisory>
+	  <name>FreeBSD-SA-20:18.posix_spawnp</name>
+	</advisory>
+
+      </day>
+    </month>
+
     <month>
       <name>6</name>
 

share/xml/notices.xml

@@ -7,6 +7,27 @@
   <year>
     <name>2020</name>
 
+    <month>
+      <name>7</name>
+
+      <day>
+	<name>8</name>
+
+	<notice>
+	  <name>FreeBSD-EN-20:15.mps</name>
+	</notice>
+
+	<notice>
+	  <name>FreeBSD-EN-20:14.linuxkpi</name>
+	</notice>
+
+	<notice>
+	  <name>FreeBSD-EN-20:13.bhyve</name>
+	</notice>
+
+      </day>
+    </month>
+
     <month>
       <name>6</name>