diff --git a/share/security/advisories/FreeBSD-SA-17:04.ipfilter.asc b/share/security/advisories/FreeBSD-SA-17:04.ipfilter.asc
new file mode 100644
index 0000000000..e6ea143841
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-17:04.ipfilter.asc
@@ -0,0 +1,147 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-17:04.ipfilter Security Advisory
+ The FreeBSD Project
+
+Topic: ipfilter(4) fragment handling panic
+
+Category: contrib
+Module: ipfilter
+Announced: 2017-04-27
+Credits: Cy Schubert
+Affects: All supported versions of FreeBSD.
+Corrected: 2017-04-21 01:51:49 UTC (stable/11, 11.0-STABLE)
+ 2017-04-27 06:52:30 UTC (releng/11.0, 11.0-RELEASE-p10)
+ 2017-04-21 01:51:49 UTC (stable/10, 10.3-STABLE)
+ 2017-04-27 06:52:30 UTC (releng/10.3, 10.3-RELEASE-p19)
+CVE Name: CVE-2017-1081
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit .
+
+I. Background
+
+IP Filter, also known as ipfilter(4), is a cross-platform, open source packet
+filter (firewall) originally written for BSD operating systems, including
+FreeBSD, NetBSD, and OpenBSD, and for Solaris. ipfilter(4) is one of three
+firewalls included in FreeBSD (the others being ipfw(4) and pf(4)). It
+performs firewall and NAT functions using the pfil(9) framework as do the
+other firewalls in FreeBSD in the kernel.
+
+II. Problem Description
+
+ipfilter(4), capable of stateful packet inspection, using the "keep state"
+or "keep frags" rule options, will not only maintain the state of
+connections, such as TCP streams or UDP communication, it also maintains
+the state of fragmented packets. When a packet fragments are received they
+are cached in a hash table (and linked list). When a fragment is received it
+is compared with fragments already cached in the hash table for a match. If
+it does not match the new entry is used to create a new entry in the hash
+table. If on the other hand it does match, unfortunately the wrong entry is
+freed, the entry in the hash table. This results in use after free panic
+(and for a brief moment prior to the panic a memory leak due to the wrong
+entry being freed).
+
+III. Impact
+
+Carefully feeding fragments that are allowed to pass by an ipfilter(4)
+firewall can be used to cause a panic followed by reboot loop denial of
+service attack.
+
+IV. Workaround
+
+No workaround is available, but systems not using ipfilter(4) are not
+vulnerable. A default installation doesn't enable ipfilter(4).
+ipfilter(4) configurations not using "keep state" pr "keep frags" are not
+vulnerable. Users may be able to temporarily replace stateful inspection
+with stateless rules however this is not as secure as stateful inspection.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Reload the ipl.ko kernel module or reboot the system.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Reload the ipl.ko kernel module or reboot the system.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-17:04/ipfilter.patch
+# fetch https://security.FreeBSD.org/patches/SA-17:04/ipfilter.patch.asc
+# gpg --verify ipfilter.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+ and reboot the
+system or reload the ipl.ko kernel module.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r317241
+releng/10.3/ r317487
+stable/11/ r317241
+releng/11.0/ r317487
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII. References
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.20 (FreeBSD)
+
+iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlkBlbAACgkQ7Wfs1l3P
+auejpBAAtsITE8qn04H5gT8EGq/ntkN8DQydmVHn0OpmwDGg/XD4Wrwye8jqHhFb
+XdOj5aMb0QbEK3WjDZwbvHNqTkyzl5QXc3PPs7V5mHdYGHsMRWvSyXutRmopgmsp
+ee59qLeKxvWGss0gqkUWZQQcbdIVN8hTXnumBZ8ncrpjluaYZuO8DvyZQ1Cy4f+f
+sd6PCZHemjs4MtSriV4AKOtM1QPuBQEkrQ6clA5j55Txk6fkcy1CUoyP0KmW20Iu
+VFY/UyrfvbVDgbsFMMFsSn/F9DlKVLLtgjpXqztuOu1QhLbAs7spMnUjRnilfOE6
+rsyOh26sjEIlQ3sNf7IrFsXdoqLWgn7CDToZEk5xfyv7MyEuEd5INfAkcLz9Mcp+
+AymVRmC29CDt8dIJlEaXPyYXDLx5PGPB+SUR2VghzPQkHM9X9EOnJcVEbAn3QnQ1
+sFkh4mlsh3cQ9iw2+RYzIybgBzv0OjxIasU3QtnbRNXgdNVnoV/yTeEUFSyVzvC2
+6JcjJCq7WZ3U9EBKbPoVzRBsHAal/3EWMnXMprcdNPuxjd+9357K5OnMXiP9ab9G
+KthAVRN1y+bZ/SNEtqE/T1vrxH9JV/BEqQjtx+DMp7v7TzGgK8rqSJT8H/bIu2h3
+IecRnQRkDipqITFQKSoPiqJZeuoVcXaYw8Cp5gUpL618m4DwZ3w=
+=C7OI
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-17:04/ipfilter.patch b/share/security/patches/SA-17:04/ipfilter.patch
new file mode 100644
index 0000000000..d2ee49cda9
--- /dev/null
+++ b/share/security/patches/SA-17:04/ipfilter.patch
@@ -0,0 +1,11 @@
+--- sys/contrib/ipfilter/netinet/ip_frag.c.orig
++++ sys/contrib/ipfilter/netinet/ip_frag.c
+@@ -474,7 +474,7 @@
+ IPFR_CMPSZ)) {
+ RWLOCK_EXIT(lock);
+ FBUMPD(ifs_exists);
+- KFREE(fra);
++ KFREE(fran);
+ return NULL;
+ }
+
diff --git a/share/security/patches/SA-17:04/ipfilter.patch.asc b/share/security/patches/SA-17:04/ipfilter.patch.asc
new file mode 100644
index 0000000000..5bff01fd07
--- /dev/null
+++ b/share/security/patches/SA-17:04/ipfilter.patch.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.20 (FreeBSD)
+
+iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlkBlcIACgkQ7Wfs1l3P
+audqyBAAgRyBZtlZ8/VZ/nF+JG/aIutr2sQrgIrKT7/3Tnc3fU/+gN35T44A2pjD
+04mtVe1LsBxNnyeqjb5sxu/ppFgmT6JxhVpARAey7m8fJS0VPbk6K57RtbQUAOTZ
+B54VE15y+Eh8MAveJvnxd5gqjxZW69j3jpZ5aIKYOWoIWNs+OeOu8x4HAyVGPksA
+L93+AqbRRN56t++ief6SCTErukWjj6HYF1KSf+9CDncouMgKY2e4+Dr6I1fmNOUg
+tCZDtnyOM6dcxVI+dz4I88xl3RpGSPZFaXgVpkbeLw8NO+w6g8OV7wPqTPZ+WvdC
+pQ/A2MDUJgNWrLFHYUwdra/RENi6pYjixiTK4Qv7bN8QBGQcFdDU53HAco/yT3pe
+6G1nz+SVYtJRjUGPOeej1YtFxTFSI/I0ACo3S7ohDTy4BbAeTHb3s2OXaNUQGxE2
+KwvwCatsqX74FDkSXlk4bYaCFJNI/8mL3W+lkSxOkJX4d+lsxI/iBcBNmphzBM5A
+WGPtvBnXVNhLRe2o0KNFL7KGp/2es8EZjhf23G9bU3faUCoSgLEQADSz2UVfw7+O
+EjjtNHR0ZDKi7FTJhwLfokE3151mMjD04D8V0Tw68TeoUFJE1//AzElxEH/gxufi
+bjhA1kK7+Z6ML5uZke+nYpUvyolmYJitmmGFd+HObFDfUEn4Nks=
+=wUgH
+-----END PGP SIGNATURE-----
diff --git a/share/xml/advisories.xml b/share/xml/advisories.xml
index 60c8c9044e..a724bcfc88 100644
--- a/share/xml/advisories.xml
+++ b/share/xml/advisories.xml
@@ -10,6 +10,14 @@
4
+
+ 27
+
+
+ FreeBSD-SA-17:04.ipfilter
+
+
+
12