Add EN-21:06 to EN-21:08 and SA-21:03 to SA-21:06.

Approved by:	so

website/data/security/advisories.toml

@@ -1,6 +1,22 @@
 # Sort advisories by year, month and day
 # $FreeBSD$
 
+[[advisories]]
+name = "FreeBSD-SA-21:06.xen"
+date = "2021-02-24"
+
+[[advisories]]
+name = "FreeBSD-SA-21:05.jail_chdir"
+date = "2021-02-24"
+
+[[advisories]]
+name = "FreeBSD-SA-21:04.jail_remove"
+date = "2021-02-24"
+
+[[advisories]]
+name = "FreeBSD-SA-21:03.pam_login_access"
+date = "2021-02-24"
+
 [[advisories]]
 name = "FreeBSD-SA-21:02.xenoom"
 date = "2021-01-29"

website/data/security/errata.toml

@@ -1,6 +1,18 @@
 # Sort errata notices by year, month and day
 # $FreeBSD$
 
+[[notices]]
+name = "FreeBSD-EN-21:08.freebsd-update"
+date = "2021-02-24"
+
+[[notices]]
+name = "FreeBSD-EN-21:07.caroot"
+date = "2021-02-24"
+
+[[notices]]
+name = "FreeBSD-EN-21:06.microcode"
+date = "2021-02-24"
+
 [[notices]]
 name = "FreeBSD-EN-21:05.libatomic"
 date = "2021-01-29"

website/static/security/advisories/FreeBSD-EN-21:06.microcode.asc

@@ -0,0 +1,128 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:06.microcode                                      Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Boot-time microcode loading causes a boot hang
+
+Category:       core
+Module:         x86
+Announced:      2021-02-24
+Affects:        FreeBSD 12.2
+Corrected:      2021-02-19 20:57:34 UTC (stable/12, 12.2-STABLE)
+                2021-02-24 01:43:50 UTC (releng/12.2, 12.2-RELEASE-p4)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+CPU microcode updates may include security fixes or mitigations.  The
+boot-time microcode loader applies CPU microcode as early in the boot process
+as possible, minimizing the amount of code executed without updated
+microcode.
+
+Microcode updates for many different CPU types are concatenated into one file
+and loaded by the boot loader.  After the kernel has determined the correct
+update to apply, it frees the memory containing unused microcode updates,
+keeping only the update for the CPU on which the kernel is running.
+
+II.  Problem Description
+
+An interaction between the code which frees the unused portions of the
+microcode file and the rest of the system can cause boot hangs.
+
+III. Impact
+
+The kernel may hang during boot if boot-time microcode updates are configured.
+
+IV.  Workaround
+
+Systems not configured to load microcode at boot-time are unaffected.
+Boot-time microcode loading is currently only supported with Intel CPUs.
+
+On systems that are configured to load microcode at boot-time, setting the
+"debug.ucode.release" loader tunable to 0 will prevent the microcode update
+file from being freed, working around the problem.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:06/microcode.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:06/microcode.patch.asc
+# gpg --verify microcode.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r369310
+releng/12.2/                                                      r369355
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:06.microcode.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15bwACgkQ05eS9J6n
+5cLgbg//cottS8aQLl6YmSFs6JIyZwE4RutM2tSrkwkdQmuYLfba3tEyYs3R2iAK
+x9y5bf9jFG5m7mUVr9QhEPRGrFlKTdTtW682T5ClLrZO1TIWwTUZlEC9omIpAPV3
+/A2tFFK253Zhufh2bKol8y8LwEle9MrO2xURj8KOo5dFa0HxSrMeCb+YlINV/iCy
+hEJPuGvVWr+1rTP0hbKT+lHwtsgV2yB73FuG85p3FtJ4nr7OBlrzDnVgAKANvGTG
+VTE/g/mqKfQlYqrNccw8Si/K5vh9PNiFjXiercSyMWV1eaYT6WU/a3x94RlISvR7
+6t56uWyJ9YTs3+E1bwplIZ/0qrCOvcgYqsv6ANu5/2gysFCNaNACDcAtidcly2UB
+AL0hDjEQ7sAmsGmjAXfg7bbgUD/1h3saTmI3UmuWayZodMt1w6A0d/3A4bb/yZid
+rF3gVvgmLBSjsgSXSqYtnS3N+af/rr01/tLaZh/yvO8d0EwFteyGar/dduSCoXbU
+EK636ZNy+df7k6eCfqeh2/WixqSE7pKw2anQXmn11vHMBWDyuF919jMxrm64OdzT
+sLlVrGOH8FHbUwnTsNUAfggqO7VUowvfRnYk+CzDElpXqn0Pteq8UCGABLmRKW9u
+kISBhJwAjnnybyZ5/nvFaAN5UtvG5he0qhpbvArposyvqLdsgZ0=
+=j/+s
+-----END PGP SIGNATURE-----

website/static/security/advisories/FreeBSD-EN-21:07.caroot.asc

@@ -0,0 +1,121 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:07.caroot                                         Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Root certificate bundle update
+
+Category:       core
+Module:         caroot
+Announced:      2021-02-24
+Affects:        FreeBSD 12.2
+Corrected:      2020-12-15 21:50:05 UTC (stable/12, 12.2-STABLE)
+                2021-02-24 01:43:56 UTC (releng/12.2, 12.2-RELEASE-p4)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The root certificate bundle is the trust store that is used by OpenSSL
+programs and libraries to aide in determining whether it should trust
+a given SSL certificate.
+
+II.  Problem Description
+
+Several certificates were removed from the bundle after the latest release
+of FreeBSD 12.2.
+
+III. Impact
+
+Certificates are often removed from the root bundle due to a failure to
+meet the standards established by Mozilla for being considered a trusted
+Certificate Authority.
+
+IV.  Workaround
+
+No workaround is available.  Software that uses an internal trust store
+is not affected.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:07/caroot.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:07/caroot.patch.asc
+# gpg --verify caroot.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all applications that may be using OpenSSL, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r368678
+releng/12.2/                                                      r369357
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:07.caroot.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15ccACgkQ05eS9J6n
+5cJUlRAAnoqim9czLfJS8ooYVSmB2Q3Td+vg+/QrS1ftwGBI3hXAwzFtlsCn4P35
+7k5tJQL3sVv3/nFfJ6/S5T832tVAfBgxFyzbu1C8zP2fYDLJ7uKKCtluoaHchB1y
+KMOE11SPfdPtG0WeWUI1QEqCAhy91mZo1+B4zTMNazZ2AdLs7YSaovrBeYMcAR+K
+xSGxvRndtX+4BvtGpehO3F+JMYsjpA06W3HP1gCsg9JnKo1whzrth83ar4V0aONS
+Gcl90oyOy4IGHYPDm3vYahtKXmsO8FI3IpuuNDdkeL1KPbrUaCOvmnnTZWS9pAoT
+S0DxUtHqfNz+iRuTLRO0/RIaopLADqx0fmDaRqGPy3MFUp1hevRCpPn8o5rtsjEK
+hpsaWhhxrD3edGdu459JvM5cMT9Xr9/QxCneeJF96lgDP17IrB57RmNGu048ARbQ
+Myb4G5+ypjnQJ4Y4ctGGlIJQcjfI7dVpSRXdj+qTLBdh2BCeL3d4UC267AgGA3mz
+uspX/AxIcdHAvsiHGicbhV+tSw0LY1zPLCP9fgWcfDw8jyzY+Jrtj+B4TBsmTStu
+qUpbq6WU7SJ4b7inV0RDmugyDAPFwROuc0u8+VSwI7Kt4VuzAPeSgvcythS88/47
+huwCdkRE5Gh6RFy+gTg0tSyv5znQarif6E6pmETSnB8Cr4IbaBk=
+=LVRY
+-----END PGP SIGNATURE-----

website/static/security/advisories/FreeBSD-EN-21:08.freebsd-update.asc

@@ -0,0 +1,126 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:08.freebsd-update                                 Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          freebsd-update passwd regeneration
+
+Category:       core
+Module:         freebsd-update
+Announced:      2021-02-24
+Affects:        All supported versions of FreeBSD.
+Corrected:      2020-12-27 20:50:53 UTC (stable/12, 12.2-STABLE)
+                2021-02-24 01:43:52 UTC (releng/12.2, 12.2-RELEASE-p4)
+                2020-12-27 20:52:37 UTC (stable/11, 11.4-STABLE)
+                2021-02-24 01:41:49 UTC (releng/11.4, 11.4-RELEASE-p8)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+freebsd-update provides binary updates for supported releases of FreeBSD on
+amd64 and i386.
+
+II.  Problem Description
+
+The existing logic to try and avoid regenerating passwd/login.conf files
+relies on timestamp comparisons between old and new files, with the caveat
+that it's comparing the installed with a timestamp that has been clobbered to
+do the comparison.
+
+III. Impact
+
+User and login.conf changes coming in from a binary update may not properly
+regenerate the databases for the changes to take effect.
+
+IV.  Workaround
+
+To workaround this issue, one may regenerate databases manually with
+pwd_mkdb(8) and cap_mkdb(1), e.g.,
+
+pwd_mkdb -p /etc/master.passwd
+cap_mkdb /etc/login.conf
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.  No reboot is required.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:08/freebsd-update.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:08/freebsd-update.patch.asc
+# gpg --verify freebsd-update.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r368873
+releng/12.2/                                                      r369356
+stable/11/                                                        r368824
+releng/11.4/                                                      r369349
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:08.freebsd-update.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15cgACgkQ05eS9J6n
+5cJRqA/+NMSpCafAMdn0T3ZFbZ+AwN3nHS5t/2UBBRnpUks0CWXR1XnZ7CqeTZUc
+vCy3+QR93bQYDVCW7tNCOVs0bL7dVyyT9qLrmaJC1LFBtMAaM091A3gXdlhaL5I9
+mATPs/Qy3/HFDjeWWZDNeg0RsXhzEnM3I/FPhhWYkA/iO++5Og1VuBWFpuPGUZbG
+VuRRVuazHzqVKjlQL7XUKHJk2PGJIXTBAZHQkBn4cwux9iDxjhowtvN3hMJSPTPI
+GAu3YD1YrM7UIyguh3WieVOVuHtwUdj+mccw3iifn02crq93H2Wyj4nDDYaUQXz5
+Ab9HjuVGE/VjPMgfqRtouQieGTJIMCo8Y/4ytPe+Dhvtxrd4LYBHuYhZFfMFTITC
+lAXUhtdF5l/PJWNG24BE3BWjPEgU3vwTtuL56PHcpO08lKgwzidvOtPV2hM2mbw/
+RRJWZ0AYe8q624NwpC96WUvW5DoBA2thBXxmUaQ4KBK06tiSg/jXzmG9em4WfaQH
+z2aAeg+MURBaecTfl1gWZFdkOOwNcn089T/XhLh2FuzX4NGIQChvo1gEj7thsXQp
+jWF+HUpxfZ9ZZIRuNCdAjCCAY2R3pkAZSGAUvi7TTqZfbPQtAb0SgT6QXj6OslCG
+w4puBrBQl+R3g3dN1Q9NSDqmob1g8MrN7mUv8Nl7LFNpnWDh4Bs=
+=C5YV
+-----END PGP SIGNATURE-----

website/static/security/advisories/FreeBSD-SA-21:03.pam_login_access.asc

@@ -0,0 +1,144 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-21:03.pam_login_access                           Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          login.access fails to apply rules
+
+Category:       core
+Module:         pam_login_access
+Announced:      2021-02-24
+Affects:        All supported versions of FreeBSD.
+Corrected:      2021-02-24 01:20:53 UTC (stable/13, 13.0-STABLE)
+                2021-02-24 01:42:42 UTC (releng/13.0, 13.0-BETA3-p1)
+                2021-02-24 01:40:36 UTC (stable/12, 12.2-STABLE)
+                2021-02-24 01:44:01 UTC (releng/12.2, 12.2-RELEASE-p4)
+                2021-02-24 01:39:53 UTC (stable/11, 11.4-STABLE)
+                2021-02-24 01:41:53 UTC (releng/11.4, 11.4-RELEASE-p8)
+CVE Name:       CVE-2020-25580
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+login.access(5) is a system configuration file allowing administrators to
+define policy around system login access by specific users and groups.  It
+is implemented by a pam(3) module, pam_login_access(8), and is configured
+by default for accesses via sshd(8), telnetd(8) and the system console.
+
+II.  Problem Description
+
+A regression in the login.access(5) rule processor has the effect of causing
+rules to fail to match even when they should not.  This means that rules
+denying access may be ignored.
+
+III. Impact
+
+The configuration in login.access(5) may not be applied, permitting login
+access to users even when the system is configured to deny it.
+
+IV.  Workaround
+
+No workaround is available.  Systems not relying on login.access(5) to
+enforce custom login policies are not affected.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-21:03/pam_login_access.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:03/pam_login_access.patch.asc
+# gpg --verify pam_login_access.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the library, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/13/                       8cf559d6b9b4782bf67eb868ea480f47fc8c64a4
+releng/13.0/                     f82cffcf2f44c909bec00d18549826f5d1d62205
+stable/12/                                                        r369346
+releng/12.2/                                                      r369359
+stable/11/                                                        r369345
+releng/11.4/                                                      r369351
+- -------------------------------------------------------------------------
+
+[FreeBSD 13.x]
+To see which files were modified by a particular revision, run the following
+command in a checked out git repository, replacing NNNNNN with the revision
+hash:
+
+# git show --stat NNNNNN
+
+Or visit the following URL, replace NNNNNN with the revision hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+[FreeBSD 11.x, FreeBSD 12.x]
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25580>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:03.pam_login_access.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15dYACgkQ05eS9J6n
+5cKg1A/+MKN4Gf9ndHqjEUKiquiUGAE63RJC3wZRpN/GsxP2qLArX4QDOXLJxFZ3
++T+u3lb0vxhhowvp23vFegmQbmWA6ZHI4M+NBsgMnPLTEWkwy4tRTfZDma1Q9j3k
+RNPJFnzJ5HTKBXtZom/yKcxuXw1JGlqmxuJYfveBEBIN6PmH5nz3qwcRVV8j+gAM
+1CtmnWpUVHm8aOqEGhOPr/eNRbAX14S/rdrtETmyyKm7WlYtiFD8GN5Px+eTTZcM
+khZhyhlpvEPU0tLNahnDGiPBmlr8VpysT0+0ZdGsT6qMME8WQne3pvJeM2HaZs8a
+ob35quA5tH241NjNBvoYmMj50/UOFS8RZKb6VILX7+PVsYOiuoGKR8ikr6n09SZs
+LYThBcnWx5Bwcn08DXbd2bPn48aSFnbe0UMTzwrTC0L/5lp2FLv9j+bhwb3gF6W1
+9hmRHOb+Cvdxxqw/djFCQsxODC9qZzneRW012PTsEZcwB8UjvG+OEVahz5iOfiGC
+tXNQ6rdbdTEr7QY+JCx0ngyHkQyDrOEJGd8UTIavr0CiuSdSWzi2zrppqZzvjBIp
+MENgB7uWf0MvzkYbxqwlRFr+25MLPGPYNfcLR/NnoWZcEuXR9VUL9Nb+ozH1HGs2
+oziYLqXp3yvDGrHXdItOz5sVsgsZCZLLVD4SVI7Y31Ctxd6MlcM=
+=WQ8j
+-----END PGP SIGNATURE-----

website/static/security/advisories/FreeBSD-SA-21:04.jail_remove.asc

@@ -0,0 +1,161 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-21:04.jail_remove                                Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          jail_remove(2) fails to kill all jailed processes
+
+Category:       core
+Module:         jail
+Announced:      2021-02-24
+Credits:        Mateusz Guzik
+Affects:        All supported versions of FreeBSD.
+Corrected:      2021-02-19 01:22:08 UTC (stable/13, 13.0-STABLE)
+                2021-02-19 21:53:07 UTC (releng/13.0, 13.0-BETA3-p1)
+                2021-02-19 21:46:31 UTC (stable/12, 12.2-STABLE)
+                2021-02-24 01:43:39 UTC (releng/12.2, 12.2-RELEASE-p4)
+                2021-02-19 21:50:26 UTC (stable/11, 11.4-STABLE)
+                2021-02-24 01:41:41 UTC (releng/11.4, 11.4-RELEASE-p8)
+CVE Name:       CVE-2020-25581
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The jail(2) system call allows a system administrator to lock a process
+and all of its descendants inside an environment with a very limited
+ability to affect the system outside that environment, even for
+processes with superuser privileges.  It is an extension of, but
+far more powerful than, the traditional UNIX chroot(2) system call.
+
+The jail_remove(2) system call, which was introduced in FreeBSD 8.0,
+allows a non-jailed process to remove a jail, which includes terminating
+all the processes running in that jail.
+
+II.  Problem Description
+
+Due to a race condition in the jail_remove(2) implementation, it may fail
+to kill some of the processes.
+
+III. Impact
+
+A process running inside a jail can avoid being killed during jail termination.
+If a jail is subsequently started with the same root path, a lingering jailed
+process may be able to exploit the window during which a devfs filesystem is
+mounted but the jail's devfs ruleset has not been applied, to access device
+nodes which are ordinarily inaccessible.  If the process is privileged, it may
+be able to escape the jail and gain full access to the system.
+
+IV.  Workaround
+
+The problem is limited to scenarios where a jail containing an untrusted,
+privileged process is stopped, and a jail is subsequently started with the same
+root path.  Users not running jails are not affected, and the problem can be
+avoided by not starting a jail with the same path as a previously stopped jail.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.x]
+# fetch https://security.FreeBSD.org/patches/SA-21:04/jail_remove.13.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:04/jail_remove.13.patch.asc
+# gpg --verify jail_remove.13.patch.asc
+
+[FreeBSD 11.x, FreeBSD 12.x]
+# fetch https://security.FreeBSD.org/patches/SA-21:04/jail_remove.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:04/jail_remove.patch.asc
+# gpg --verify jail_remove.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/13/                       894360bacd42f021551f76518edd445f6d299f2e
+releng/13.0/                     9f00cb5fa8a438e7b9efb2158f2e2edc730badd1
+stable/12/                                                        r369312
+releng/12.2/                                                      r369353
+stable/11/                                                        r369313
+releng/11.4/                                                      r369347
+- -------------------------------------------------------------------------
+
+[FreeBSD 13.x]
+To see which files were modified by a particular revision, run the following
+command in a checked out git repository, replacing NNNNNN with the revision
+hash:
+
+# git show --stat NNNNNN
+
+Or visit the following URL, replace NNNNNN with the revision hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+[FreeBSD 11.x, FreeBSD 12.x]
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25581>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:04.jail_remove.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15dYACgkQ05eS9J6n
+5cK69Q//UI2SeHrGXytm6ScQzCIbFPlUXlhkCX51WSOJmr/LUXpF9bcUhW73qqov
+/c70VGF876woMXHkbfYnCVdB4ETLIqTbGOl2aw/c8fuwrmFdtyeDEQ4SRRfWgdC4
+L6jEgMvB/fMO9e662k19f6RFXrdMspK4rOz3/aowTFbOEvD3Q0HpBUnFbWWg3Iiy
+I190M0jbytFuZ2EJQ563bbRFFjEafZ51SKYz1FcR3cJAbVo/q75G3uDrjeNhnHxZ
+0VqcTGHmF4Lh+RocUeW0v/1wHL8lBpoAKXmo4IL+FhFIR8fjVpKbGSm/IHSueatT
+Tr6xOg93Ef+sETWVn9Jv26BAU06LEM/ZuXz+HS7T7DwnJJeKa3d74KTJnnGauE24
+67OO0i4Fok9Yyy2ArBH8V8mnzdW96dJyHrwdG0UUBddYlEyzArxkUQZyoIdj1Gb1
+fns8ndY8t5tky2fxHZG2UMBWwQKBtbMZY027JRylAJWExsG6wH7DcUJ51FpcnbNe
+r3QvCB+ifOBGzFd2S4PduttxHW+xldWknah8513u9mRNCwnSFbY9ZXTpSeDmJaPo
+hYAZ2WlDodkaJxbTTMbJ+4fr6wMkmWf32g5pRh+wDfMAd0Wvbzmu/+fUQVf54FNU
+Qb91AAtVBuIE0J8jKqZxw+dtno+e6etmO1pXoZXvPHUr2N2BJmI=
+=yxgm
+-----END PGP SIGNATURE-----

website/static/security/advisories/FreeBSD-SA-21:05.jail_chdir.asc

@@ -0,0 +1,162 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-21:05.jail_chdir                                 Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          jail_attach(2) relies on the caller to change the cwd
+
+Category:       core
+Module:         jail
+Announced:      2021-02-24
+Credits:        Mateusz Guzik
+Affects:        All supported versions of FreeBSD.
+Corrected:      2021-02-22 05:49:40 UTC (stable/13, 13.0-STABLE)
+                2021-02-22 18:25:23 UTC (releng/13.0, 13.0-BETA3-p1)
+                2021-02-22 19:03:43 UTC (stable/12, 12.2-STABLE)
+                2021-02-24 01:43:47 UTC (releng/12.2, 12.2-RELEASE-p4)
+                2021-02-22 19:08:27 UTC (stable/11, 11.4-STABLE)
+                2021-02-24 01:41:46 UTC (releng/11.4, 11.4-RELEASE-p8)
+CVE Name:       CVE-2020-25582
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The jail(2) system call allows a system administrator to lock a process
+and all of its descendants inside an environment with a very limited
+ability to affect the system outside that environment, even for
+processes with superuser privileges.  It is an extension of, but
+far more powerful than, the traditional UNIX chroot(2) system call.
+
+The jail_attach(2) system call, which was introduced in FreeBSD 5
+before 5.1-RELEASE, allows a non-jailed process to permanently move
+into an existing jail.
+
+The ptrace(2) system call provides tracing and debugging facilities by
+allowing one process (the tracing process) to watch and control
+another (the traced process).
+
+II.  Problem Description
+
+When a process, such as jexec(8) or killall(1), calls jail_attach(2)
+to enter a jail, the jailed root can attach to it using ptrace(2) before
+the current working directory is changed.
+
+III. Impact
+
+A process with superuser privileges running inside a jail could change
+the root directory outside of the jail, thereby gaining full read and
+writing access to all files and directories in the system.
+
+IV.  Workaround
+
+No workaround is available, but systems that are not running jails with
+untrusted root users are not vulnerable.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.x]
+# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.13.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.13.patch.asc
+# gpg --verify jail_chdir.13.patch.asc
+
+[FreeBSD 11.x, FreeBSD 12.x]
+# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.patch.asc
+# gpg --verify jail_chdir.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/13/                       5dbb407145c8128753fa30b695bc266dc671e433
+releng/13.0/                     f3f042d850baaeda1bed19e00c2b3b578644b7e9
+stable/12/                                                        r369334
+releng/12.2/                                                      r369354
+stable/11/                                                        r369335
+releng/11.4/                                                      r369348
+- -------------------------------------------------------------------------
+
+[FreeBSD 13.x]
+To see which files were modified by a particular revision, run the following
+command in a checked out git repository, replacing NNNNNN with the revision
+hash:
+
+# git show --stat NNNNNN
+
+Or visit the following URL, replace NNNNNN with the revision hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+[FreeBSD 11.x, FreeBSD 12.x]
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25582>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:05.jail_chdir.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15dYACgkQ05eS9J6n
+5cKj/xAAjbGc0bV3Ua8PuIFoDk7ADnwNotFV9PlXknWpeM4fXVVrt5EDncMfgHdw
+XeKHOjzKNocOCtDioDhOcev9hhLeiYJjGHKrOQeKv34hJoufd6Wr0nvLgv/IVlMr
+iZRVndvG1eBlnkwzlbx0xh1OY9zhffqjEiVkQNxXZV0iz/P2ndG0wP7N/bTG2QW3
+1mZmp4Fh9AsbjLPVGyutoLZXiypuroGPLQZrth3n7Cz8HklwyPzoAgPOYx7mMW3D
+x1Th6kYIEx1aCe+ZBsgOuPsKeZ4SSB5o1w2F5y+mor/rslgQJAppNakBMmyDkSEI
+UhEqLGNA469P0qonCHhGY83wfkuUedFTuWLrdnh97J7yr+WIn1ik1/jBXxv3+1kS
+bKivBd/oj6hEFULE7r6T/UVomJjU+dPPBm+ewljJFVib+3zIQsbxauLdqUuqWlob
+QUkQc4mu7fjVSAMyVbYVrjBAgwQJit0KfX+JSbEcLndmPv1RCK8wnxIf0zbmV2m/
+DMg9QGqwfcJkba6Y/JCAFZcl+HUCfEGUqZ7pEqGuwsp3wnMwO7Qg9IAEmDt8i2lf
+6kaqAatJ5Reo/D+j6KJFvGCajnEfD0n+jDx8cdJFNY2Zzbo3/lRGd8dque5OEbTA
+O0UZu2hRv5YMIagMf57WWzGrF+ACtgYbath710IKfVUfP/OiCIM=
+=/d5L
+-----END PGP SIGNATURE-----

website/static/security/advisories/FreeBSD-SA-21:06.xen.asc

@@ -0,0 +1,154 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-21:06.xen                                        Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Xen grant mapping error handling issues
+
+Category:       contrib
+Module:         xen
+Announced:      2021-02-24
+Credits:        See Xen XSA-361 for details
+Affects:        All supported versions of FreeBSD.
+Corrected:      2021-02-23 00:55:14 UTC (stable/13, 13.0-STABLE)
+                2021-02-24 01:42:35 UTC (releng/13.0, 13.0-BETA3-p1)
+                2021-02-23 00:58:03 UTC (stable/12, 12.2-STABLE)
+                2021-02-24 01:43:59 UTC (releng/12.2, 12.2-RELEASE-p4)
+                2021-02-23 00:59:23 UTC (stable/11, 11.4-STABLE)
+                2021-02-24 01:41:51 UTC (releng/11.4, 11.4-RELEASE-p8)
+CVE Name:       CVE-2021-26932
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+Xen is a type-1 hypervisor which supports FreeBSD as a Dom0 (or host domain).
+
+II.  Problem Description
+
+Grant mapping operations often occur in batch hypercalls, where a number of
+operations are done in a single hypercall, the success or failure of each one
+reported to the backend driver, and the backend driver then loops over the
+results, performing follow-up actions based on the success or failure of each
+operation.
+
+Unfortunately, when running in HVM/PVH mode, the FreeBSD backend drivers
+mishandle this: Some errors are ignored, effectively implying their success
+from the success of related batch elements.  In other cases, errors resulting
+from one batch element lead to further batch elements not being inspected,
+and hence successful ones to not be possible to properly unmap upon error
+recovery.
+
+III. Impact
+
+A malicious or buggy frontend driver may be able to cause resource leaks
+in the domain running the corresponding backend driver.
+
+IV.  Workaround
+
+No workaround is available.  FreeBSD systems not using Xen are not
+affected.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-21:06/xen.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:06/xen.patch.asc
+# gpg --verify xen.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/13/                       ab3e1bd3c22a222520c23c2793cc39e3a23c9b46
+releng/13.0/                     ce9af53d0897a1cb926bd244f499fc09b1626b27
+stable/12/                                                        r369341
+releng/12.2/                                                      r369358
+stable/11/                                                        r369342
+releng/11.4/                                                      r369350
+- -------------------------------------------------------------------------
+
+[FreeBSD 13.x]
+To see which files were modified by a particular revision, run the following
+command in a checked out git repository, replacing NNNNNN with the revision
+hash:
+
+# git show --stat NNNNNN
+
+Or visit the following URL, replace NNNNNN with the revision hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+[FreeBSD 11.x, FreeBSD 12.x]
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://xenbits.xen.org/xsa/advisory-361.html>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26932>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:06.xen.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15dcACgkQ05eS9J6n
+5cKBJg//aACyR6yp/rs1MaAMj2QIm53y+s1/0qRQmAYTq7QVnMNhauGLIUdd7BPQ
+O3Gj1fsdpg3iNpKXn20YweUpTQqt4xHxNg+A+cYxexHJ/mepVVnY4OMwWh2est17
+2p9Sj3k0vNQ/AdYXELyKW7UA5/tHncFv6EGzdAsGYf4kGUL89bnmWkmcBLR9JZ9a
+iF83WhKhLe3O7KzkryMzCh72nbHnKicjrgvun4VH4p5/FrjqNjoPESvGhT6hyObK
+80aKN610j/ZdDNdjD0wO62IGB8QGzx/hpr3TIIQ05ydGsuurFKJQYwknYL7rbpuf
+GaINHkQTcB+8aWsqSQxq3HTy3P7hEdA3HDzounpAOtYHk+Ff8ZeuH0ZVtJYXP6FP
+lbFZoYzXak8odKZp5tNBO8Vu9qiuzthY/ImhZ0d5e+gQ5Bk2Nu68vwie2TGRpLEN
+EQYIiIS1AnFsEhDx78UuEojUT/UmMIbv7GNyryv2ElThf1uIH86wtXonie8OFjPp
+EGYu4OS/m+FO5fTcEty5ayEsQI0i4mnj83BBdq8sq2lpQbdJjKDSaykHfJ4PEMKi
+/WRWiWjlS6fhu+rPC7rJ5b7FoDLXh6hm3uFuD/zNjOmpFFyjNE/O4JCH2zoAdH3C
+ygVMUqa4qFalsC3vntk2YweBX4D7za95z4oCDwrFBm4ZWGYcwgs=
+=fN2Q
+-----END PGP SIGNATURE-----

website/static/security/patches/EN-21:06/microcode.patch

@@ -0,0 +1,11 @@
+--- sys/x86/x86/ucode.c.orig
++++ sys/x86/x86/ucode.c
+@@ -260,7 +260,7 @@
+ 		goto restart;
+ 	}
+ }
+-SYSINIT(ucode_release, SI_SUB_KMEM + 1, SI_ORDER_ANY, ucode_release, NULL);
++SYSINIT(ucode_release, SI_SUB_SMP + 1, SI_ORDER_ANY, ucode_release, NULL);
+ 
+ void
+ ucode_load_ap(int cpu)

website/static/security/patches/EN-21:06/microcode.patch.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15bwACgkQ05eS9J6n
+5cLvPQ//T1YzSmE1XBUT4S1qQsYQSmVMQbf2cZ7RCy1Pg2ocg6pvKeCH5+VZN2HF
+ycLEcVDik5UmI/SzFTUaJ6I2hkYyCEqxi4eb3+dlm0ZhZKwqeb11eE8sd2K8KIVM
+DZF83w9/gxrlnI5V17M6SgNZmCOLkdvd3re7FCqUJVXJXD32XHBwjeedcqGCdyoW
+YBzDJ14x/eXYm+FMMaqvMs6f6HCEP57NOa1Osgvp57upDAN28mtTDGkqPAdiq7c+
+RXo0Xz5VXvjQeiVgCpJuwcVGMc02RlhUXYZcqm1jbVLxAgU9e7z3a1KX0GKTixel
+l5JYT/xkdiqAnuQ0/cxd7+d6PFv1WtGvuO/uJ3XYV9U8M2YJnChZV6Wq2MOME2hR
+jsLv31IYZ6T2ydTQ1kIbgDopkIiBRLC10MffnGy8ocRAD6vhljOlrUiKnHRHl18r
+gINyhaNUuwjEO1cyNtpKSHZPXUm+u9zJQZFhw2YwcsTkiBaxWgKimqECkYYU4M82
+Nx5x0HC/Px1a051Xjwra5hcNqPvNTmurUSjag4AFYiYqU7sYaaYVzyophkukFkH8
+qY/0meRq4IaU2ZVmo3ooBl0rV4053FoFUcgXxpwEWAldFbNgnEFmXvkL5ifK2ZNS
+I1QLgloiucrM+5dTVZfyPvcY3JE7I3Ebt9Oc1n0ES3o+Pt56xF4=
+=ZywK
+-----END PGP SIGNATURE-----

website/static/security/patches/EN-21:07/caroot.patch.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15ccACgkQ05eS9J6n
+5cJfWA//clMkAVKk0mQUZyeY1Zy1p7IIvvAzAKhqZP3YW/Fu6169zLZpNvnvliPj
+Prex6zldlcpdLm4xcae+nDM8VfqhrLcRM4XEZS9cVBPx4e/lTUXaCoUAVrZqW0gw
+BgYZTkH0iPPbsc0NBnUldt+jmNy23InCzpLMcrGLjnJwH62IWVX7/7WZE1pDwp6T
+3XhX9W60Xk1gX2HzJ04xnxx43qHDasDRi6YL0iIPef035TFB2O13r0KMNogPoqcd
+yp4HJ/99hYK1XFYrA//gVMjjoHr2xUkNne0Ox3JEmBXUZZaYyS7YB+kJNNUnYMa5
+6oTsQZ/0hHpuzPnRD5LfwiX6NHMTGRNkB7fFeMwjHfTz5pCE3w7LrvlxVdqzmyj2
+cwvDK/ZLDYzWagtZtNvZ+gDpx4TjLyRQ/sFq7I6JCF62UO/4x4jlznlbcltipcot
+kwnAGqIruMMeivwskT5aTCjfVPYuL6HR0Ynyw50XWlXBKYbivATTWhEbfIxtNT/3
+V5litBTdQ3mqBCG+gybqgi4TdjUnPTCobpjj2+PnMTjDABjyr+naW3elU4bHU8EN
+2LR6ArVVOfYiS7KblydJ+79zIdzlQtAiFtvmAjhP+OJl3iuCRB6/ychv72tDlc2R
+zAWMy/WvCMrAC3eb3tHnDPM7qL61agba/YXSgGTl6sW076D7ipk=
+=fnR5
+-----END PGP SIGNATURE-----

website/static/security/patches/EN-21:08/freebsd-update.patch

@@ -0,0 +1,23 @@
+--- usr.sbin/freebsd-update/freebsd-update.sh.orig
++++ usr.sbin/freebsd-update/freebsd-update.sh
+@@ -2949,17 +2949,9 @@
+ 			env DESTDIR=${BASEDIR} certctl rehash
+ 		fi
+ 
+-		# Rebuild generated pwd files.
+-		if [ ${BASEDIR}/etc/master.passwd -nt ${BASEDIR}/etc/spwd.db ] ||
+-		    [ ${BASEDIR}/etc/master.passwd -nt ${BASEDIR}/etc/pwd.db ] ||
+-		    [ ${BASEDIR}/etc/master.passwd -nt ${BASEDIR}/etc/passwd ]; then
+-			pwd_mkdb -d ${BASEDIR}/etc -p ${BASEDIR}/etc/master.passwd
+-		fi
+-
+-		# Rebuild /etc/login.conf.db if necessary.
+-		if [ ${BASEDIR}/etc/login.conf -nt ${BASEDIR}/etc/login.conf.db ]; then
+-			cap_mkdb ${BASEDIR}/etc/login.conf
+-		fi
++		# Rebuild generated pwd files and /etc/login.conf.db.
++		pwd_mkdb -d ${BASEDIR}/etc -p ${BASEDIR}/etc/master.passwd
++		cap_mkdb ${BASEDIR}/etc/login.conf
+ 
+ 		# Rebuild man page databases, if necessary.
+ 		for D in /usr/share/man /usr/share/openssl/man; do

website/static/security/patches/EN-21:08/freebsd-update.patch.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15cgACgkQ05eS9J6n
+5cLGsw/+IJCLJ0BrT+mN2UpTJMrCzbafYvAVAxUNxoMByHKg0jAYWUwLmifRPeaA
+3cu3y4iEkcCCY8pDFSDa/cOf/FyQKDbECCPZNGEDjrd8a/UYgkRlv11mfhKaDTL2
+u+GzkIw2YrF+1uIPB3uwQdKC/ArWtpaG4s8O+SQP4gRXfmqnIwel1bQThPW6ITbJ
+1nJ1UAObtg7wsB+8SUVjwhjKxBk0UGh1pnpNU20dtyNMEOepa3Yds9R+lTA77Xm7
+o+hWL8z6JIXC88L8vbzAPdOhdLZk//KwG4kVqXk50pFYbPoM/gw0F+53qsEYkuB9
+CvgNwuaFtqYyMu5fF3rdW4zruXcrCxrLdqAu195vyklxUjqwozm0K+lwcEixOkEE
+JugNchJ69PsSt4DQwjf+fZ/VIr9RZRJTp6c6My5xzy5uTmmWMZKx3dtkyvBusrgo
+qcgv8CnTlq6yF2TPwK3TQ8PosHZdnkeVvuELn6KviBa0G7YjiYIYlC+J6iSkHBn2
+nwxq01kFcvRXgqTP4twmuq4jPGD8KWa9w/LFI52CI+SRfSHTRF+I2kVlrnBGbex7
+vbJtpnu/hVKerekNF30G7AwouuQGf9vQo84sXbZy9sgk6b2JFULkfHH/ACdNPK8G
+E/uS5P/+dZAjDcx7KfwuEU9wG7/Xa+9BnIuCvg5T79TAsn0JtGY=
+=OcHp
+-----END PGP SIGNATURE-----

website/static/security/patches/SA-21:03/pam_login_access.patch

@@ -0,0 +1,16 @@
+--- lib/libpam/modules/pam_login_access/login_access.c.orig
++++ lib/libpam/modules/pam_login_access/login_access.c
+@@ -137,10 +137,10 @@
+     if (match != NO) {
+ 	while ((tok = strtok((char *) 0, listsep)) && strcmp(tok, "EXCEPT")) {
+ 	     /* VOID */ ;
+-	    if (tok == NULL || list_match((char *) 0, item, match_fn,
+-		login_access_opts) == NO) {
++	}
++	if (tok == NULL ||
++	    list_match((char *) 0, item, match_fn, login_access_opts) == NO) {
+ 		return (match);
+-	    }
+ 	}
+     }
+     return (NO);

website/static/security/patches/SA-21:03/pam_login_access.patch.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15dYACgkQ05eS9J6n
+5cLfBhAAoq8be40mOb4phT4bkAKR8mcmhLWDL91R/ZmAlVJJ9sSO0YOTc3Pb9z5d
+KqwkSy0QOXFt2k5bVt9xTNIge7sKR7+wCyUSxBbSrvLMuAegzND2/teQuiaQ8ms0
+D0SgwAchqvtUcpRd2fIVG9XoFRsfbpuRdDGVDz2q2QygG/FpKWnLH0YI6C9EeKhX
+GnJXeQCOKCFfU3Ciqk5rAzLfc+7FuvaE0gZNthoKbfvj2eaqzQcGtpsYpqOv09Tv
+sj9rWyMiQGCFRUn+HhRxBGEh8hg/i8u+7H+A0DFiy9kHr93+oeqLc4nEz4fccpTj
+ve+3xjkmmbndm4/X6CdpTii1+jVHN+P/zDk//+J3MNXxDfc3JwHvebjpr88xEs3Z
+fWR0zXZy3uRdEpcnUgJi5uYbhTP91DsXMVSZQl09Eq5o1iHPBgd4Vgmsb0Jlhcco
+nZYfzbBw1uox5vL0AsFiWJoDWLETAcZ+GEri/MJ5ilSg37dil7wIgr7LUTq7hQeb
+kRrjjQXjl99btLuYyJsy4a+rh/tI3XOr7fk95q21hSV2hDd3wnfyQYQKqbGsZa/s
+E37AZPM71jx6I8YM+Y6qtL1M8HhIGpDQwh6yhtN5Mei7Yx94UQzR/riVk4OefPEh
+RaQT1tLtDSeavBQo8YbiiNEVVZoosdYVIUM3JgHSJlLeASZnbss=
+=iTAi
+-----END PGP SIGNATURE-----

website/static/security/patches/SA-21:04/jail_remove.13.patch

@@ -0,0 +1,95 @@
+--- sys/kern/kern_fork.c.orig
++++ sys/kern/kern_fork.c
+@@ -1126,6 +1126,12 @@
+ 		PROC_UNLOCK(p);
+ 	}
+ 
++	/*
++	 * If the prison was killed mid-fork, die along with it.
++	 */
++	if (!prison_isalive(td->td_ucred->cr_prison))
++		exit1(td, 0, SIGKILL);
++
+ 	userret(td, frame);
+ 
+ #ifdef KTRACE
+--- sys/kern/kern_jail.c.orig
++++ sys/kern/kern_jail.c
+@@ -1764,6 +1764,7 @@
+ 		}
+ 	}
+ 	pr->pr_flags = (pr->pr_flags & ~ch_flags) | pr_flags;
++	pr->pr_flags &= ~PR_REMOVE;
+ 	mtx_unlock(&pr->pr_mtx);
+ 	drflags &= ~PD_LOCKED;
+ 
+@@ -2368,6 +2369,12 @@
+ 
+ 	drflags = PD_DEREF | PD_LOCKED | PD_LIST_XLOCKED;
+ 
++	/*
++	 * Mark the prison as doomed, so it doesn't accidentally come back
++	 * to life.  It may still be explicitly brought back by jail_set(2).
++	 */
++	pr->pr_flags |= PR_REMOVE;
++
+ 	/* If the prison was persistent, it is not anymore. */
+ 	if (pr->pr_flags & PR_PERSIST) {
+ 		refcount_release(&pr->pr_ref);
+@@ -2508,6 +2515,17 @@
+ #endif
+ 	prison_deref(oldcred->cr_prison, PD_DEREF | PD_DEUREF);
+ 	crfree(oldcred);
++
++	/*
++	 * If the prison was killed while changing credentials, die along
++	 * with it.
++	 */
++	if (!prison_isalive(pr)) {
++		PROC_LOCK(p);
++		kern_psignal(p, SIGKILL);
++		PROC_UNLOCK(p);
++	}
++
+ 	return (0);
+ 
+  e_unlock:
+@@ -3038,17 +3056,18 @@
+ 
+ /*
+  * Return true if the prison is currently alive.  A prison is alive if it is
+- * valid and it holds user references.
++ * valid and holds user references, and it isn't being removed.
+  */
+ bool
+ prison_isalive(struct prison *pr)
+ {
+ 
+-	mtx_assert(&pr->pr_mtx, MA_OWNED);
+ 	if (__predict_false(refcount_load(&pr->pr_ref) == 0))
+ 		return (false);
+ 	if (__predict_false(refcount_load(&pr->pr_uref) == 0))
+ 		return (false);
++	if (__predict_false(pr->pr_flags & PR_REMOVE))
++		return (false);
+ 	return (true);
+ }
+ 
+@@ -3061,7 +3080,6 @@
+ prison_isvalid(struct prison *pr)
+ {
+ 
+-	mtx_assert(&pr->pr_mtx, MA_OWNED);
+ 	if (__predict_false(refcount_load(&pr->pr_ref) == 0))
+ 		return (false);
+ 	return (true);
+--- sys/sys/jail.h.orig
++++ sys/sys/jail.h
+@@ -216,6 +216,7 @@
+ 					/* primary jail address. */
+ 
+ /* Internal flag bits */
++#define	PR_REMOVE	0x01000000	/* In process of being removed */
+ #define	PR_IP4		0x02000000	/* IPv4 restricted or disabled */
+ 					/* by this jail or an ancestor */
+ #define	PR_IP6		0x04000000	/* IPv6 restricted or disabled */

website/static/security/patches/SA-21:04/jail_remove.13.patch.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15dYACgkQ05eS9J6n
+5cLERg//UAJF8f+jYz1unA6nFL1nWsGQ5QoQxqlJmbC8vqL3hTYdpiiYlr7AGf2X
+vc8is4uencAmT1eZrkdMiagz5R0LYLHtuMsy6QEjD3sJFYEkxfR/8jxlavKMicvd
+HdXNpd92hr7WqLhCXZMwSq/qKAnNKNCvtQ5qH0/201T7Ac3k6aG8JMINoeqBFeHC
+pIf4QGrX9gxzBrJ6UKOi+DqkJHi2pB+L53PVUaX5oProbgIr5EKiIEx7bPAswr8R
+wp5D4GXeoIujK5mir/HPdImBRDfUBVrx9QP/TMq0clShsVPJVxVWKOEG7mQKNa8o
+aAoTdP1TjKmzvFvAGn80dc1Abn4U3TCKV0DmhZvsAjtJU8yTd/DBFv7+HHLmka5l
+bFQJXiNqQvEcwHejb2gMesUYJ12h/NM5h3f411kn3DEsSwuznhuTO3YIUHDPzrCg
+Jz/XV1jOj8G0e3J8ahmNkd7FeiOjALUpb4O5ZvDaTCN7PeQ8clY2STWkmZxw5UOw
+g7xzYDqoJ/XJj0fcypraejhE0XiDlxwiMAw5+hRkBym60Ywu7xVYOy8h+XUzI041
+G5UKFtRRBnflI6T4W2Zxohzf1tGy2io442nRhrAsftn+sWoJyrwjp8dMQbDf2VYk
+wVEAcbe5aYwW58h+Pczcah43SyiDqtMleAlWE3mO0puIIkcF8C4=
+=l+7o
+-----END PGP SIGNATURE-----

website/static/security/patches/SA-21:04/jail_remove.patch

@@ -0,0 +1,66 @@
+--- sys/kern/kern_fork.c.orig
++++ sys/kern/kern_fork.c
+@@ -1138,6 +1138,12 @@
+ 		PROC_UNLOCK(p);
+ 	}
+ 
++	/*
++	 * If the prison was killed mid-fork, die along with it.
++	 */
++	if (td->td_ucred->cr_prison->pr_flags & PR_REMOVE)
++		exit1(td, 0, SIGKILL);
++
+ 	userret(td, frame);
+ 
+ #ifdef KTRACE
+--- sys/kern/kern_jail.c.orig
++++ sys/kern/kern_jail.c
+@@ -1768,6 +1768,7 @@
+ 		}
+ 	}
+ 	pr->pr_flags = (pr->pr_flags & ~ch_flags) | pr_flags;
++	pr->pr_flags &= ~PR_REMOVE;
+ 	mtx_unlock(&pr->pr_mtx);
+ 
+ #ifdef RACCT
+@@ -2306,6 +2307,12 @@
+ 	struct proc *p;
+ 	int deuref;
+ 
++	/*
++	 * Mark the prison as doomed, so it doesn't accidentally come back
++	 * to life.  It may still be explicitly brought back by jail_set(2).
++	 */
++	pr->pr_flags |= PR_REMOVE;
++
+ 	/* If the prison was persistent, it is not anymore. */
+ 	deuref = 0;
+ 	if (pr->pr_flags & PR_PERSIST) {
+@@ -2450,6 +2457,17 @@
+ #endif
+ 	prison_deref(oldcred->cr_prison, PD_DEREF | PD_DEUREF);
+ 	crfree(oldcred);
++
++	/*
++	 * If the prison was killed while changing credentials, die along
++	 * with it.
++	 */
++	if (pr->pr_flags & PR_REMOVE) {
++		PROC_LOCK(p);
++		kern_psignal(p, SIGKILL);
++		PROC_UNLOCK(p);
++	}
++
+ 	return (0);
+ 
+  e_unlock:
+--- sys/sys/jail.h.orig
++++ sys/sys/jail.h
+@@ -213,6 +213,7 @@
+ 					/* primary jail address. */
+ 
+ /* Internal flag bits */
++#define	PR_REMOVE	0x01000000	/* In process of being removed */
+ #define	PR_IP4		0x02000000	/* IPv4 restricted or disabled */
+ 					/* by this jail or an ancestor */
+ #define	PR_IP6		0x04000000	/* IPv6 restricted or disabled */

website/static/security/patches/SA-21:04/jail_remove.patch.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15dYACgkQ05eS9J6n
+5cLspA//YgWoLetTx3ovwxV9soXbC+DTUVkRLmZ7D7ohem7dKrKAYu3HK7ZzDDrD
+ZyG6OD0QRf1MqKYxao+Cq6X0M4WZtkKKwIEBLEvh8ck91+m0na8Sj44mA/QLbnEI
+KrXJhZKHGmJNtn01J1dBjn9Zwq1MN7/qxy79RZLyKmBYKLeXrosKe12ty/V7TMTE
+hALXbuQ+aTHBbWC2AiMFIpkbuivxO86DfGRqGshNVERW3hoZys6XCQsHAeN2mN2w
+b8SmBozKJ6S4i49pcWrdQRRdIf9sdhyc2QQ1LvPTKqTxedjf8J92YPZZGSEYpAh2
+she9sreXo7rGWNhmyGYbVquYatkMAeZhrtwrSfbljjNZQ8jGS9M+n9Yy7aFcXzrS
+a4zAbumPx4n8FhRLGBBxmWRVqdrSdLwoge9tAWnHLBejN0CbH/H+ybE400mP8UkJ
+QReoQxbv88ENObSJoP/Dn6yGQGgTOD8fJB3C3YLdenXupuWp435ZkJan6NQoab7f
+YRjZiq7q8nnCDlrBZVEZ+EOyCXOyFnc2raBIDPy4v4c63rGT/TBENu3/cV9xW97v
+ldT45S2vLqFFB1upqBk3mxmVhXONp4dd27rPv6mvql3h9P7UQkbWV2Z/6tTpzKAa
+1FoUp+1si4J/zufDbMa9uHknohB9awRK6aerKo7Wm6qiZEiKErk=
+=DBYw
+-----END PGP SIGNATURE-----

website/static/security/patches/SA-21:05/jail_chdir.13.patch

@@ -0,0 +1,103 @@
+--- lib/libc/sys/jail.2.orig
++++ lib/libc/sys/jail.2
+@@ -25,7 +25,7 @@
+ .\"
+ .\" $FreeBSD$
+ .\"
+-.Dd February 8, 2012
++.Dd February 19, 2021
+ .Dt JAIL 2
+ .Os
+ .Sh NAME
+@@ -228,6 +228,9 @@
+ system call attaches the current process to an existing jail,
+ identified by
+ .Fa jid .
++It changes the process's root and current directories to the jail's
++.Va path
++directory.
+ .Pp
+ The
+ .Fn jail_remove
+--- sys/kern/kern_descrip.c.orig
++++ sys/kern/kern_descrip.c
+@@ -3795,9 +3795,8 @@
+ }
+ 
+ /*
+-* Common routine for kern_chroot() and jail_attach().  The caller is
+-* responsible for invoking priv_check() and mac_vnode_check_chroot() to
+-* authorize this operation.
++* The caller is responsible for invoking priv_check() and
++* mac_vnode_check_chroot() to authorize this operation.
+ */
+ int
+ pwd_chroot(struct thread *td, struct vnode *vp)
+@@ -3859,6 +3858,46 @@
+ 	pwd_drop(oldpwd);
+ }
+ 
++/*
++ * jail_attach(2) changes both root and working directories.
++ */
++int
++pwd_chroot_chdir(struct thread *td, struct vnode *vp)
++{
++	struct pwddesc *pdp;
++	struct filedesc *fdp;
++	struct pwd *newpwd, *oldpwd;
++	int error;
++
++	fdp = td->td_proc->p_fd;
++	pdp = td->td_proc->p_pd;
++	newpwd = pwd_alloc();
++	FILEDESC_SLOCK(fdp);
++	PWDDESC_XLOCK(pdp);
++	oldpwd = PWDDESC_XLOCKED_LOAD_PWD(pdp);
++	error = chroot_refuse_vdir_fds(fdp);
++	FILEDESC_SUNLOCK(fdp);
++	if (error != 0) {
++		PWDDESC_XUNLOCK(pdp);
++		pwd_drop(newpwd);
++		return (error);
++	}
++
++	vrefact(vp);
++	newpwd->pwd_rdir = vp;
++	vrefact(vp);
++	newpwd->pwd_cdir = vp;
++	if (oldpwd->pwd_jdir == NULL) {
++		vrefact(vp);
++		newpwd->pwd_jdir = vp;
++	}
++	pwd_fill(oldpwd, newpwd);
++	pwd_set(pdp, newpwd);
++	PWDDESC_XUNLOCK(pdp);
++	pwd_drop(oldpwd);
++	return (0);
++}
++
+ void
+ pwd_ensure_dirs(void)
+ {
+--- sys/kern/kern_jail.c.orig
++++ sys/kern/kern_jail.c
+@@ -2495,7 +2495,7 @@
+ 		goto e_unlock;
+ #endif
+ 	VOP_UNLOCK(pr->pr_root);
+-	if ((error = pwd_chroot(td, pr->pr_root)))
++	if ((error = pwd_chroot_chdir(td, pr->pr_root)))
+ 		goto e_revert_osd;
+ 
+ 	newcred = crget();
+--- sys/sys/filedesc.h.orig
++++ sys/sys/filedesc.h
+@@ -333,6 +333,7 @@
+ 
+ void	pwd_chdir(struct thread *td, struct vnode *vp);
+ int	pwd_chroot(struct thread *td, struct vnode *vp);
++int	pwd_chroot_chdir(struct thread *td, struct vnode *vp);
+ void	pwd_ensure_dirs(void);
+ void	pwd_set_rootvnode(void);
+ 

website/static/security/patches/SA-21:05/jail_chdir.13.patch.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15dYACgkQ05eS9J6n
+5cJbWw//bRqnxdq9srjPktUXSqKc0ix0ATFU/MK/oYHFTS+Xhl9BDx5tHxW7cRCo
+PtP6zXWO0qJryNoi/Dr3j969uAcYJyVpS9oeqK2PL8KN9hqMzCo59M0NzkQJeWxP
+fpym77ZeU8VFMLxyPS1BxcyB5XOKvfJ8dv6mxi7S3ytmrNWPpqkHdw+JM/X9grUH
+BYW5uRasuz4lzgeWCwaNlWVdZpGKd9vpgrRs8ZsSZWaCR5RxG0cArMXpYglggrnJ
+G7sF9MmAHato5dsW9EuQf9r16ypbQe2qDDpTk4jUGwB2GhlFuc3o1aIop38fjDJy
+c+ARz/qWdtJm5vMvuhOLGHUl5+hMXNDERaRH3MFnTMY5mCU/0cLpIyUOMylUTF/o
+Ek7gvsA+sm1PtPs5s8v9KynmKH0Sdsv29Izq7aczYNnIKCmtOFQpokAiTQG5RSfE
+17eEvKSoVxMOXzeEjO5iIGS1fatGohLHHC44wwRR4WTccVxVFSWX0HMOt8v1Co1i
+P0psCcBOqKZcrAwYDIClPHgKz3kGa46tfKhwtdNHD1jF0wkItSQySnSPc7/a7x/s
+ZA6zLPSL4hA7KL7oeS7MirpScsNLTOI0sH6Tf/jVAURzrwxxQmbWCBS8/A39ODUY
+frsbj+xHNRP7o/foBMwR0lPSQIjXZ97YTXk8/fMGQ5j1VMTuZOg=
+=kPvY
+-----END PGP SIGNATURE-----

website/static/security/patches/SA-21:05/jail_chdir.patch

@@ -0,0 +1,98 @@
+--- lib/libc/sys/jail.2.orig
++++ lib/libc/sys/jail.2
+@@ -25,7 +25,7 @@
+ .\"
+ .\" $FreeBSD$
+ .\"
+-.Dd February 8, 2012
++.Dd February 19, 2021
+ .Dt JAIL 2
+ .Os
+ .Sh NAME
+@@ -228,6 +228,9 @@
+ system call attaches the current process to an existing jail,
+ identified by
+ .Fa jid .
++It changes the process's root and current directories to the jail's
++.Va path
++directory.
+ .Pp
+ The
+ .Fn jail_remove
+--- sys/kern/kern_descrip.c.orig
++++ sys/kern/kern_descrip.c
+@@ -3242,10 +3242,9 @@
+ }
+ 
+ /*
+- * Common routine for kern_chroot() and jail_attach().  The caller is
+- * responsible for invoking priv_check() and mac_vnode_check_chroot() to
+- * authorize this operation.
+- */
++* The caller is responsible for invoking priv_check() and
++* mac_vnode_check_chroot() to authorize this operation.
++*/
+ int
+ pwd_chroot(struct thread *td, struct vnode *vp)
+ {
+@@ -3291,6 +3290,39 @@
+ 	vrele(oldvp);
+ }
+ 
++/*
++ * jail_attach(2) changes both root and working directories.
++ */
++int
++pwd_chroot_chdir(struct thread *td, struct vnode *vp)
++{
++	struct filedesc *fdp;
++	struct vnode *oldvrp, *oldvcp;
++	int error;
++
++	fdp = td->td_proc->p_fd;
++	FILEDESC_XLOCK(fdp);
++	error = chroot_refuse_vdir_fds(fdp);
++	if (error != 0) {
++		FILEDESC_XUNLOCK(fdp);
++		return (error);
++	}
++	oldvrp = fdp->fd_rdir;
++	vrefact(vp);
++	fdp->fd_rdir = vp;
++	oldvcp = fdp->fd_cdir;
++	vrefact(vp);
++	fdp->fd_cdir = vp;
++	if (fdp->fd_jdir == NULL) {
++		vrefact(vp);
++		fdp->fd_jdir = vp;
++	}
++	FILEDESC_XUNLOCK(fdp);
++	vrele(oldvrp);
++	vrele(oldvcp);
++	return (0);
++}
++
+ /*
+  * Scan all active processes and prisons to see if any of them have a current
+  * or root directory of `olddp'. If so, replace them with the new mount point.
+--- sys/kern/kern_jail.c.orig
++++ sys/kern/kern_jail.c
+@@ -2437,7 +2437,7 @@
+ 		goto e_unlock;
+ #endif
+ 	VOP_UNLOCK(pr->pr_root, 0);
+-	if ((error = pwd_chroot(td, pr->pr_root)))
++	if ((error = pwd_chroot_chdir(td, pr->pr_root)))
+ 		goto e_revert_osd;
+ 
+ 	newcred = crget();
+--- sys/sys/filedesc.h.orig
++++ sys/sys/filedesc.h
+@@ -243,6 +243,7 @@
+ /* cdir/rdir/jdir manipulation functions. */
+ void	pwd_chdir(struct thread *td, struct vnode *vp);
+ int	pwd_chroot(struct thread *td, struct vnode *vp);
++int	pwd_chroot_chdir(struct thread *td, struct vnode *vp);
+ void	pwd_ensure_dirs(void);
+ 
+ #endif /* _KERNEL */

website/static/security/patches/SA-21:05/jail_chdir.patch.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15dcACgkQ05eS9J6n
+5cJ5fw//UPe63jyCB84gKv+VhMsurnIkhZrvisIG4++ifC8Iv+sxF+XiGTamFV3b
+f3aH4fdh/wPjfcs5yDdLdxkTeOp8VGEiU0l7d9EZvlHQk3+sH74RbZv2+Z3ybUmM
+xf3vJlpxOrCluaO9yK2ecSoNhOuqR2i/b0czWEauRFhcwRJVd6qw8KSPx8GUUrk4
+u5bwD0FIq8papwg4yzgjX6x/tKSE3Y0Zo4L3aW4QZQvoZfKLM1N0iCsgs8MqicrS
+v8YzuO7GQTy5s4Yz/baQCCBtW15LU/EbqGNAcVMCxNZ7lBY/SHSn92lohSpkU1kE
+IW3gKxgQkIu/QQPCBnRF11JdZ/3/dsoaBkvcKxrhguwjyX0vUHHpHiBcgs3LjaAC
+6u0O4Gm+YWGa2ob5nuPg2j6H8gQCouMaDkvATJluwVwaoWfA/cg6m+JSXZVTlPIk
+TcZO6kuEcZOcac4hsoCCEz/kfYzaoyq89wTVAKlis2OKsf3wZwcVixNfovnSSgcj
+RqMUoItgdwC9T+6wn45P4NgcXnKnjYo3BjFPBKsKjt8NnU6ldr8i7Fg7rxMREdvA
+nOQvHFxmG1zH4788ksZ4++rmW0XH7gXBUivbjGqQVmKk+hGuOzRXQwvTBfhuvCBD
+f9QXVOa5dnmT868wvLouotX4TIXE5vBX2WIBa4mgOkSn2Cg9AsU=
+=a1qK
+-----END PGP SIGNATURE-----

website/static/security/patches/SA-21:06/xen.patch

@@ -0,0 +1,34 @@
+--- sys/dev/xen/blkback/blkback.c.orig
++++ sys/dev/xen/blkback/blkback.c
+@@ -2912,10 +2912,31 @@
+ 	     ring_idx < xbb->ring_config.ring_pages;
+ 	     ring_idx++, gnt++) {
+ 		if (gnt->status != 0) {
++			struct gnttab_unmap_grant_ref unmap[XBB_MAX_RING_PAGES];
++			unsigned int i, j;
++
+ 			xbb->ring_config.va = 0;
+ 			xenbus_dev_fatal(xbb->dev, EACCES,
+ 					 "Ring shared page mapping failed. "
+ 					 "Status %d.", gnt->status);
++
++			/* Unmap everything to avoid leaking grant table maps */
++			for (i = 0, j = 0; i < xbb->ring_config.ring_pages;
++			    i++) {
++				if (gnts[i].status != GNTST_okay)
++					continue;
++
++				unmap[j].host_addr = gnts[i].host_addr;
++				unmap[j].dev_bus_addr = gnts[i].dev_bus_addr;
++				unmap[j++].handle = gnts[i].handle;
++			}
++			if (j != 0) {
++				error = HYPERVISOR_grant_table_op(
++				    GNTTABOP_unmap_grant_ref, unmap, j);
++				if (error != 0)
++					panic("Unable to unmap grants (%d)",
++					    error);
++			}
+ 			return (EACCES);
+ 		}
+ 		xbb->ring_config.handle[ring_idx]   = gnt->handle;

website/static/security/patches/SA-21:06/xen.patch.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15dcACgkQ05eS9J6n
+5cLcAQ/+PDWS6WNlOHpdybJ8UM1SYZ5JthUPd1MBgqgGEu7/cB2bu+g5rbKix7KN
+kQubVbYwTT0eBXcqYhk9f9OKrbE9khXuP7Uw808jEtxmREipandiQvI1LoNJDKOv
+1CNcGodP1yb2Q+hR/wS6dydGIgcoNyDkF7Uc0RaCK3oZGpI1zdlA2vTUN5IjDwZs
+DoHknm28F2M+7/jBssvoRlBh0fsNsj9s1twT2x2BP0QWMsbHhGMkXOs28TaLv7of
+5wyt1L02HaUZL8q6wE+MpJ0fvjUJcIa1cYSP8QtUac0iu8mJfEr33vdWmvqlr3BX
+TAMTw+pAQxZpfBNtfMVQKloeF4wqJQ7hJWDd9qzXATdtbZEr2urw1/2+jlAfPsrT
+Sy6jT1o+yoUpYdqlJOv0y0oDrp07k+Dya4UlvK3g2TI/4v5ZZCPe9sYNLZ7rdWEe
+bQsKk+X9nNeLw4B/EDvllovYGqNavGLj/rFf+1X0pAoZd4YH3nXaboa3WijC+fXP
+e8/NsPJ7SXdw4paOA0XqMp2GXNEF6zkMI7BgsCkh5XUqS8R8MfAfMgNpV4QxFWUA
+Rgmu6oClEVwAmeyrHnw1vHO3HzT5ebXvFenMid5NxOpuCcko4QHl2dQgU7Uu1exT
+2dTo/s2RWYfHQZaUhc3daZuKdWfnAe+OoUOKF6ODAqC3mMdgIEI=
+=OLTt
+-----END PGP SIGNATURE-----