diff --git a/share/security/advisories/FreeBSD-EN-20:08.tzdata.asc b/share/security/advisories/FreeBSD-EN-20:08.tzdata.asc
new file mode 100644
index 0000000000..e1e8254671
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-20:08.tzdata.asc
@@ -0,0 +1,150 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-20:08.tzdata Errata Notice
+ The FreeBSD Project
+
+Topic: Timezone database information update
+
+Category: contrib
+Module: zoneinfo
+Announced: 2020-05-12
+Affects: All supported versions of FreeBSD.
+Corrected: 2020-04-27 03:56:47 UTC (stable/12, 12.1-STABLE)
+ 2020-05-12 16:44:13 UTC (releng/12.1, 12.1-RELEASE-p5)
+ 2020-04-27 03:57:17 UTC (stable/11, 11.4-PRERELEASE)
+ 2020-05-12 16:44:13 UTC (releng/11.3, 11.3-RELEASE-p9)
+
+Note: The upcoming release of FreeBSD 11.4 was branched after the original
+commit to the stable branch and already includes the updated timezone
+information.
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+The tzsetup(8) program allows the user to specify the default local timezone.
+Based on the selected timezone, tzsetup(8) copies one of the files from
+/usr/share/zoneinfo to /etc/localtime. This file actually controls the
+conversion.
+
+II. Problem Description
+
+Several changes in Daylight Savings Time happened after previous FreeBSD
+releases were released that would affect many people who live in different
+countries. Because of these changes, the data in the zoneinfo files need to
+be updated, and if the local timezone on the running system is affected,
+tzsetup(8) needs to be run so the /etc/localtime is updated.
+
+III. Impact
+
+An incorrect time will be displayed on a system configured to use one of the
+affected timezones if the /usr/share/zoneinfo and /etc/localtime files are
+not updated, and all applications on the system that rely on the system time,
+such as cron(8) and syslog(8), will be affected.
+
+IV. Workaround
+
+The system administrator can install an updated timezone database from the
+misc/zoneinfo port and run tzsetup(8) to get the timezone database corrected.
+
+Applications that store and display times in Coordinated Universal Time (UTC)
+are not affected.
+
+V. Solution
+
+Please note that some third party software, for instance PHP, Ruby, Java and
+Perl, may be using different zoneinfo data source, in such cases this
+software must be updated separately. For software packages that is installed
+via binary packages, they can be upgraded by executing `pkg upgrade'.
+
+Following the instructions in this Errata Notice will update all of the
+zoneinfo files to be the same as what was released with FreeBSD release.
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date. Restart all the affected
+applications and daemons, or reboot the system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart all the affected applications and daemons, or reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-20:08/tzdata-2020a.patch
+# fetch https://security.FreeBSD.org/patches/EN-20:08/tzdata-2020a.patch.asc
+# gpg --verify tzdata-2020a.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+
+Restart all the affected applications and daemons, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r360361
+releng/12.1/ r360969
+stable/11/ r360362
+releng/11.3/ r360969
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII. References
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl663tZfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLsNw/9GPsAAKDQhjy0Y6hqfu8Jygd4sYUn/SghOFyaBvqfUdobKnPe+zy9ankg
+uM/Ytfwa/E7nKcI7z6kWiWGngmhkbMUlk4A16GmumSRV5bz/pHWYAusU8pVCtvsw
+4zrW14uK19s7Pl9KgdMf72fVGREAKQwbqL4iye9bwxUjP0yCa1VmI1RgAwhTXdqY
+fz7bCa8klq+R0oIV2JWnzw+IxwgbLYkV/1dQ5rc1IadciEmPvTls70SCKrzQ3orm
+wHpI8zvcle1JUooyQrqkf8sRTnTRNjVN+X9bFw5xMQFmVP0wahtQwXsE8wio73Ia
+J5bS40KkHUbKJ57ud+vRv3EQoArF4fhSsRUskK32C5S7ahGYIMDIdSCJcUHq7zTA
+gv9oaIgMSsoYq98M/JDdFsn49NNf4hitETChwQ2GdBpBXk77PSXz48kncm2TXPzn
+ibM8nufZxAG768sNAji4AtMb9/MiMoE2CDbmXV9pIc9XK/5hz91GDAdGY0BSH1q8
+LrwSpuOJvLHOQE1gVqxqB/DNkPOGMOqq62cagSxE4D0aGhHuTWq0h2BuF6TlbVs+
+cnog6eZ2BZcVsnkrSiWPQFPH1fg60bzmh6LdhIYRmTjWNxVu+fvm9yHUz3/SHt5N
+Kdll9Hy0QsXjtmwcgl55e4vint1ke4PeMc3sTbkpcodCRpg6faA=
+=Mxc9
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-EN-20:09.igb.asc b/share/security/advisories/FreeBSD-EN-20:09.igb.asc
new file mode 100644
index 0000000000..1c84204600
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-20:09.igb.asc
@@ -0,0 +1,124 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-20:09.igb Errata Notice + The FreeBSD Project + +Topic: igb interfaces fail to switch to inactive state + +Category: core +Module: kernel +Announced: 2020-05-12 +Affects: FreeBSD 12.1 +Corrected: 2019-10-24 14:18:06 UTC (stable/12, 12.1-STABLE) + 2020-05-12 16:46:14 UTC (releng/12.1, 12.1-RELEASE-p5) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The igb driver supports Intel Gigabit Ethernet interfaces. + +II. Problem Description + +The igb driver does not detect link loss, and the interface does not +transition to "inactive" upon link loss. + +III. Impact + +Incorrect link state may lead to system-level misbehaviour (for example, lagg +interfaces may not transition to an alternate interface) and may cause +confusion for system administrators. + +IV. Workaround + +Bringing the interface down and back up (e.g., "ifconfig igb0 down" followed +by "ifconfig igb0 up") may cause the status to correctly change to inactive. +Systems not using interfaces supported by the igb driver are not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date, and reboot. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. 
+ +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-20:09/igb.patch +# fetch https://security.FreeBSD.org/patches/EN-20:09/igb.patch.asc +# gpg --verify igb.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r354021 +releng/12.1/ r360970 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl663tZfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cIXkQ/7Bd9xjLiBJI3yG/8iCaAsQcqLPAvxS4cwtBTvzcOTs9iDs71YbiVy0IcU +ffcorkOmlwMKPSlDmgZPNxW9l8k1eOrBp2m+8UVZ0bUxA/Vp2fv9Er0A7RPoZO17 +o8fqvTFc3OPuF4LAQ+cC/lH2yiB/F/m6qqph6GisQWUARH1CLvf2FwQFbgBJ5HMN +jqiL71M3TTnoM9ZwKWelsaOLa2eGDb1zUJ/JcM33uBQ5WTMO7zcN0yxmD0i0dCrJ +4ZeewKijLWEjJucsqflSEJhc4fo01SRkii66O0r7VLff7gqiCMbieWNr1BF578l5 +fT36r/C06YlivbNErRrZ13LOP5uLre7t4z0cg7fwkRNYfbA7f5o9YRQIp1t7QXN3 +E/6DOr7r5YTfdM6pd7gm5CDprIjZuQcc4hvBXg2FeM9dkZnoVnAKSU9zfNk8N5ly ++YrF3Sl/b/jGI0CI5AuYNzDH3lZf2tdicO9kM8qp8f8IkchAxLrZ4sZmoPqrX8O1 +n5a/e9bgfPAMMJO3PZFbI3haS0wsdkFFuDvrI/raaC/gbBVDwQ25YvKa+OP/Oej7 +H3ao1MPs0Y1FnO/104aVDbNMrDrbDPQnTrwUdF5+DVa1Y9FuBhr8QStsT8oH6il1 +tBKDVjEGb0aT8tF3T+x0Ugaow0pr05MnfipwZe6xUhfpvXEaLU0= +=LGyL +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-EN-20:10.build.asc b/share/security/advisories/FreeBSD-EN-20:10.build.asc new file mode 100644 index 0000000000..36ae4360e2 --- /dev/null +++ b/share/security/advisories/FreeBSD-EN-20:10.build.asc 
@@ -0,0 +1,138 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-20:10.build Errata Notice
+ The FreeBSD Project
+
+Topic: Incorrect build host Clang version detection
+
+Category: core
+Module: build
+Announced: 2020-05-12
+Affects: All supported versions of FreeBSD
+Corrected: 2020-02-18 18:03:04 UTC (stable/12, 12.1-STABLE)
+ 2020-04-29 18:51:34 UTC (releng/12.1, 12.1-RELEASE-p5)
+ 2020-02-18 18:03:04 UTC (stable/11, 11.3-STABLE)
+ 2020-04-29 18:59:37 UTC (releng/11.3, 11.3-RELEASE-p9)
+
+Note: The upcoming release of FreeBSD 11.4 was branched after the original
+commit to the stable branch and already includes this errata.
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+FreeBSD's build system detects the host compiler version and uses that to
+control certain actions during the build.
+
+II. Problem Description
+
+The Clang and LLD version detection accepted only versions matching the shell
+glob pattern [1-9].[0-9]*, which notably does not include 10.0. The build
+then proceeded as if the compiler or linker version was 0.0.
+
+III. Impact
+
+Attempting to build 12.1-RELEASE on 13-CURRENT failed. The version detection
+issue also affects 11.3-RELEASE (although the build does not fail).
+
+This issue only affects attempts to build FreeBSD 12.1 or 11.3 on a -CURRENT
+host.
+
+IV. Workaround
+
+Install 11.3-RELEASE or 12.1-RELEASE on the build host. No action is
+required when building 11.3 on an 11.3 host, or 12.1 on a 12.1 host.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 12.1]
+# fetch https://security.FreeBSD.org/patches/EN-20:10/build.12.patch
+# fetch https://security.FreeBSD.org/patches/EN-20:10/build.12.patch.asc
+# gpg --verify build.12.patch.asc
+
+[FreeBSD 11.3]
+# fetch https://security.FreeBSD.org/patches/EN-20:10/build.11.patch
+# fetch https://security.FreeBSD.org/patches/EN-20:10/build.11.patch.asc
+# gpg --verify build.11.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r358076
+releng/12.1/ r360473
+stable/11/ r358076
+releng/11.3/ r360474
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII. References
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl663tZfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cIpBQ//Z3C6D2fP/MifBXt4ueGydxnImlZ3nh8J363j45Yla2SrG1ojLS3ld47a
+sz6mpMKOfXGtxd/oV64rnx+87ZiMygTTGnzQHclE3FZzYm2WmeMmXcyznq0ap0tt
+OJltwJY3KM/7znhJs+dRGIWVrHWStcT0oDmJzSE4u8+zZp4+psFSeBvJlWmZUgUt
+iIWQMrYUh6s6zGFpjL+6Qy3qDReVXB/+Lc/Wo1RNxff+7VOhYhzDIBr3JooIFy1C
+TG3AqtW2PC59B4cZHWUUVxnRyBAuyvlPxf+yWa7JRP/06m0YJlzWNpoKkvkdo4+x
+gG7ulHZU35QLc/NJVX+osTGaGJ7j3pmh1O0npPWbdmsXsR9ugMIZ6rv7+zxq0EX7
+C/7d3fpLw4UcOGbHEI2mZH266IOt/5PaADXjcRO0d/EZRU5zeArWP0vbKF1Hmjg+
+0rdNTv5rPxAVqGSzxC/dpaXCUCGbw0oZz2V6YDL/cxtHdqZwcuNx7nARpWh4H1tE
+0XG3McL8WejJELUb1KtyKrLNQRJ9QzM6tkvTupZcD/7ztL3cVL4tm5Gnfuo/Ui+i
+VcilDPJnm1aT6r3b5Yzz15VkvAP6bf924lXrJZP19pJMXv90wmKsHUzqgIRG9DsB
+iWLVJND9lALxcrW4ZBD+KmIOYukDrzNZJQBM8NzLiaRGgJDFCHg=
+=///S
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-SA-20:12.libalias.asc b/share/security/advisories/FreeBSD-SA-20:12.libalias.asc
new file mode 100644
index 0000000000..6855001093
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-20:12.libalias.asc
@@ -0,0 +1,146 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-20:12.libalias Security Advisory + The FreeBSD Project + +Topic: Insufficient packet length validation in libalias + +Category: core +Module: libalias +Announced: 2020-05-12 +Credits: Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative + Vishnu working with Trend Micro Zero Day Initiative +Affects: All supported versions of FreeBSD. +Corrected: 2020-05-12 16:49:04 UTC (stable/12, 12.1-STABLE) + 2020-05-12 16:51:11 UTC (releng/12.1, 12.1-RELEASE-p5) + 2020-05-12 16:49:04 UTC (stable/11, 11.4-STABLE) + 2020-05-12 16:51:11 UTC (releng/11.4, 11.4-BETA1-p1) + 2020-05-12 16:51:11 UTC (releng/11.3, 11.3-RELEASE-p9) +CVE Name: CVE-2020-7454 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The ipfw(4) system facility allows IP packet filtering, redirecting, and +traffic accounting. The ipfw(4) packet filter also contains two different +methods of accomplishing network address translation (NAT): in-kernel and +userspace. Both implementations use the same functions provided by libalias. + +The libalias(3) library is a collection of functions for aliasing and +dealiasing of IP packets, intended for masquerading and NAT. Additionally, +libalias(3) includes modules to support protocols that require additional +logic to support address translation. + +Note: libalias(3) is not used by either the pf(4) or ipf(4) firewalls. + +II. Problem Description + +libalias(3) packet handlers do not properly validate the packet length before +accessing the protocol headers. As a result, if a libalias(3) module does +not properly validate the packet length before accessing the protocol header, +it is possible for an out of bound read or write condition to occur. + +III. 
Impact + +A malicious attacker could send specially constructed packets that exploit +the lack of validation allowing the attacker to read or write memory either +from the kernel (for the in-kernel NAT implementation) or from the process +space for natd (for the userspace implementation). + +IV. Workaround + +No workaround is available. Only systems using NAT and ipfw together are +affected. Systems using ipfw(4) without NAT, or systems leveraging pf(4) or +ipf(4) are not affected. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-20:12/libalias.patch +# fetch https://security.FreeBSD.org/patches/SA-20:12/libalias.patch.asc +# gpg --verify libalias.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r360971 +releng/12.1/ r360972 +stable/11/ r360971 +releng/11.4/ r360972 +releng/11.3/ r360972 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl663tdfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cK1Iw/7BpU400GeYsWt6xd+tUuBqGGB6a28+4G/e2GkqMF83vwAaf9+M4siM4Md +t0RUDLhcC3irLtGehLcXmVdWZUakmacGa3pGza3E8qdCSQC6+VdO4ghzk5fRlVf0 +jmcvCi7zml0YhmATkfMBscPeOJmvENUpouVIwzn4CXMwCKMofjKXdW8+tiT6ppsD +RVVeUrGdslVo40KZ8wqxx4y2IMKZ7qW/UZnqWQFAAD3d3iQBJXORpy1xn0AZStY2 +ddnhkKdBOyKs5JLoJfSwP8vyTi4iMXPFILP1spuTAqxEFBRTZ3rTE81jimznhp5N +/OXI92khj6deiTc1kun+ef3n89e1w6KO4Dt1LUNL08N4mpEwLwvBGLS/5v/3KVpm +Q6XknASLY4RaWdj1D5zbPY6F+JFUv22la5mdia4Gn1zxjsyZNMGgM6nx8OCZn4qg +JTr7RT4f+EubkEwYD1sw60iTYsqM3o1gFUzkFdEAotWU4tl3nxRkUwusikX7Uu7e +2QY46Sg/6NxW+oelx1qDGjMlP2CIlEsEqj4ND3eJzJT6nef1xmmTUUu+kQF4TBtX +J7XqmuTzST2ySPhBUEIOKbjmzdbe+zpbraADhq5BS3zKKmcVSqmqJxkXPxzCwIwb +uMcg2spQ5fzP/BquOGdQSx0rD3dQ5lTNX6QZyDaKHZR78ZAEiVE= +=I9Vz +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-20:13.libalias.asc b/share/security/advisories/FreeBSD-SA-20:13.libalias.asc new file mode 100644 index 0000000000..6b169ec5cf --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-20:13.libalias.asc 
@@ -0,0 +1,145 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-20:13.libalias Security Advisory + The FreeBSD Project + +Topic: Memory disclosure vulnerability in libalias + +Category: core +Module: libalias +Announced: 2020-05-12 +Credits: Vishnu Dev TJ working with Trend Micro Zero Day Initiative +Affects: All supported versions of FreeBSD +Corrected: 2020-05-12 16:52:08 UTC (stable/12, 12.1-STABLE) + 2020-05-12 16:54:39 UTC (releng/12.1, 12.1-RELEASE-p5) + 2020-05-12 16:52:08 UTC (stable/11, 11.4-STABLE) + 2020-05-12 16:54:39 UTC (releng/11.4, 11.4-BETA1-p1) + 2020-05-12 16:54:39 UTC (releng/11.3, 11.3-RELEASE-p9) +CVE Name: CVE-2020-7455 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The ipfw(4) system facility allows IP packet filtering, redirecting, and +traffic accounting. The ipfw(4) packet filter also contains two different +methods of accomplishing network address translation (NAT): in-kernel and +userspace. Both implementations use the same functions provided by libalias. + +The libalias(3) library is a collection of functions for aliasing and +dealiasing of IP packets, intended for masquerading and NAT. Additionally, +libalias(3) includes modules to support protocols that require additional +logic to support address translation. + +Note: libalias(3) is not used by either the pf(4) or ipf(4) firewalls. + +II. Problem Description + +The FTP packet handler in libalias incorrectly calculates some packet +lengths. This may result in disclosing small amounts of memory from the +kernel (for the in-kernel NAT implementation) or from the process space for +natd (for the userspace implementation). + +III. 
Impact + +A malicious attacker could send specially constructed packets that exploit the +erroneous calculation allowing the attacker to disclose small amount of memory +either from the kernel (for the in-kernel NAT implementation) or from the +process space for natd (for the userspace implementation). + +IV. Workaround + +No workaround is available. Only systems using NAT and ipfw together are +affected. Systems using ipfw without NAT, or systems leveraging pf(4) or +ipf(4) are not affected. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-20:13/libalias.patch +# fetch https://security.FreeBSD.org/patches/SA-20:13/libalias.patch.asc +# gpg --verify libalias.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r360973 +releng/12.1/ r360974 +stable/11/ r360973 +releng/11.4/ r360974 +releng/11.3/ r360974 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl663tdfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cK3hhAAlkHMjDluGni1AaDicw5jZuyrdGLEMfgH2OdxcrTQvrBN6ZEkfLsiFvLV +KWgUS+rx3GJApz4rZ6DFwsb+DG+kMCwYGevbT5zH5IUwe1HklyMLmjw48z47DVhx +8tpjCKNb4ttqBzb6RMURoJgo+2NAUQOZLnFGLSGOkquqeW9AhA97ZIGv7TyOPC1p +rJD/ic1IxTUXniNu4soexsRqVoMqv1nA1DLrN4TTooFVCQTHaBUBxSTFlaAsBXyb +7L5GIEydZ2429spQACnFGW4RDveOGB/6Jbt2yHEuu+ASOrwl9sRSu79PYijcz28v +yXjI0zG4A+78qmeCMbGHIySrLjc8XaWgr13Kp4S+40MWQhoGHJ2ZZVdLX010WTvm +nbGs9NQ60sytxdJn1QRTleiBIKjJiVqNEADfS4DhXa/0HouN3L8dVR/+jPfLMFmT +/7GZjhdbn4u0a1ZlgUZ62oHoo8NLop49KY4LHtHd7VpJZ8OfK0qkCN0DL4Ep+Wrg +oZWJL5HGhFOEA4TDYuypJ58yIPsTDVa9MuLMx/SBF30jVZcS1LtbiMXXuZs6clig +oOk4ZE0hpSRdA69xgX459kcTjU6XVJRnTPWyepG3sNljktwk8jyfwKHXOUpJONos +0jWu0ngj60djS8qCrxdkMn3t26fk0IhbA4leBEM+wAKmWsARt/M= +=woOx +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-20:14.sctp.asc b/share/security/advisories/FreeBSD-SA-20:14.sctp.asc new file mode 100644 index 0000000000..8f3d82f66b --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-20:14.sctp.asc 
@@ -0,0 +1,138 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-20:14.sctp Security Advisory + The FreeBSD Project + +Topic: Improper checking in SCTP-AUTH shared key update + +Category: core +Module: kernel +Announced: 2020-05-12 +Credits: da_cheng_shao@yeah.net +Affects: FreeBSD 11.3 +Corrected: 2019-09-19 10:01:19 UTC (stable/12, 12.1-STABLE) + 2019-09-19 10:06:18 UTC (stable/11, 11.3-STABLE) + 2020-05-12 16:55:32 UTC (releng/11.3, 11.3-RELEASE-p9) +CVE Name: CVE-2019-15878 + +Note: The upcoming release of FreeBSD 11.4 was branched after the original +commit to the stable branch and already includes the fix for this advisory. +Similarly, the 12.1 branch was created shortly after the original commit to +the stable branch and already includes the fix. + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The Stream Control Transmission Protocol (SCTP) is a transport protocol +supporting the socket API. An SCTP packet consists of an SCTP common header +and a number of SCTP chunks. + +The SCTP extension SCTP-AUTH can be used to authenticate SCTP chunks. It +uses shared keys which can be managed via the socket API by the application +using an SCTP association. + +II. Problem Description + +The SCTP layer does improper checking when an application tries to update +a shared key. Therefore an unprivileged local user can trigger a use-after- +free situation, for example by specific sequences of updating shared keys and +closing the SCTP association. + +III. Impact + +Tiggering the use-after-free situation may result in unintended kernel +behaviour including a kernel panic. + +IV. Workaround + +No workaround is available. + +V. 
Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-20:14/sctp.patch +# fetch https://security.FreeBSD.org/patches/SA-20:14/sctp.patch.asc +# gpg --verify sctp.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r352509 +stable/11/ r352509 +releng/11.3/ r360975 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl663tdfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cKMHQ/8C9QgTd37kgGUaKlZ2YpgIWj25acum87au89KvNxID1Kvd9jMOFkfvGOq +YVEqJ5ZwnOPbqme6FpLI2UDM4E2N1aMxEZcTZspWR5U/4butu4+4yy4dGudn0LQ9 +EYwTag0ocCypB/c8tBh0SfN9KHM6JqCgnWFBlwyedHTjdVCUvAgwcZJEi4ne2D3G +S7DgVes6x0gifXY897YQJlfEMfJEtdfLe9SMkIzSltjTD9PJhZ7WD5uqHYNGOFOv +Xh6JNHlAGuFxUpL94Tvr3o8Ptx0oOIo0cMw9fvqZq/Hp48jSEDfMIqhcqbEWmygW +sJo4NaZkqmA3hYCOqiOYSXFGeaSOYQanBduIA2m5BGjy5vHQBgTabSo9yH/ttrC8 +8vBkGAUOyrC+dH5kguT6Q194BwDWuloKr38oQ2PrVbfCRwHtG8SEk/BC3glPCSdE +cWj5h4Eh1+z1GadgQ4JllmH5UBY702Vm1PhqZpGRbtRTbEWL84hT+4XCokq4wmQS +uB2M/Ew77FPBeZxVzE063Zk5/TLOfl2CFywekTX6C8too2YmIqEgl0DX7DYyr+fC +15t2bNkbfvFyS5iPti2rjOSIZG684i39nnk0YcC396azveQRCvDp6Q6E25jsl0pR +P4ARjQkw5cY3MBXtdSXMFON35swHTqZnL4gy134pjGyNVR+A0/k= +=fwNs +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-20:15.cryptodev.asc b/share/security/advisories/FreeBSD-SA-20:15.cryptodev.asc new file mode 100644 index 0000000000..d4abb0ac8e --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-20:15.cryptodev.asc 
@@ -0,0 +1,144 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:15.cryptodev Security Advisory
+ The FreeBSD Project
+
+Topic: Use after free in cryptodev module
+
+Category: core
+Module: cryptodev
+Announced: 2020-05-12
+Credits: Yuval Kanarenstein
+Affects: All supported versions of FreeBSD.
+Corrected: 2020-01-20 11:19:55 UTC (stable/12, 12.1-STABLE)
+ 2020-05-12 16:57:47 UTC (releng/12.1, 12.1-RELEASE-p5)
+ 2020-01-20 11:19:55 UTC (stable/11, 11.3-STABLE)
+ 2020-05-12 16:57:47 UTC (releng/11.3, 11.3-RELEASE-p9)
+CVE Name: CVE-2019-15879
+
+Note: The upcoming release of FreeBSD 11.4 was branched after the original
+commit to the stable branch and already includes the fix for this advisory.
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit .
+
+I. Background
+
+The cryptodev module permits userland applications to offload
+cryptographic requests to device drivers in the kernel. Applications
+create sessions via file descriptors opened from /dev/crypto.
+
+II. Problem Description
+
+A race condition permitted a data structure in the kernel to be used
+after it was freed by the cryptodev module.
+
+III. Impact
+
+An unprivileged process can overwrite arbitrary kernel memory.
+
+IV. Workaround
+
+Unload the cryptodev kernel module if it is loaded:
+
+# kldunload cryptodev
+
+Note that the cryptodev module is not loaded by default and is not
+used by most applications. Specificially, use of accelerated software
+cryptography, such as AES-NI, in userland applications via libraries such
+as OpenSSL do not make use of the cryptodev module.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date, and
+reboot the system.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 12.1]
+# fetch https://security.FreeBSD.org/patches/SA-20:15/cryptodev.12.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:15/cryptodev.12.patch.asc
+# gpg --verify cryptodev.12.patch.asc
+
+[FreeBSD 11.3]
+# fetch https://security.FreeBSD.org/patches/SA-20:15/cryptodev.11.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:15/cryptodev.11.patch.asc
+# gpg --verify cryptodev.11.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+ and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r356908
+releng/12.1/ r360976
+stable/11/ r356908
+releng/11.3/ r360976
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII. References
+
+
+
+The latest revision of this advisory is available at
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl663tdfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLW2A//VW8iJqNaBHhMnCrpl+oDTadzGM3gYVxnM+EEQYzru2Ze0z0tShiAkXrQ
+NryjwBpMA3r1nyWDYaWMgbHjcG+jQdsIvoiA+fSU9hXEUbpxwX9ZKlaSZUBDX48X
+YScJMewgHCXNpgkTnIckaIyIadOXX+zWhi5T0LN2tS5M5oejTLndAKo9mQm1Ni50
+PYiHFkLzO7v4H6K0cKuJRuHF8+kU1IhvOinZuXwZXoGqmPGTVsA0+T27dWhosaWv
+Yqh3Pbp5oS1y3NbbOadLPhY146pT2Qrb2mQOEiHvsXMFRgjIEQzH1MYXx5gvpa4K
+CkMwCV/MuNotscVZ00qhVQEGEVlrhgi2IXinzxde5HYCc3mD/KdcYnYz9zOCeIfb
+9RfdvKk8uzUITLyz8ZinZBqIHghnSG3M9/cNj2o/97yRfFJazXF/SI41YoV3hcyE
+Gb1ncYfaAJ4rL9U6xHMw7V+1LSlMrVsIcWxCM2PS4NTwWcZ8K7mEX51ARjx4k7lx
+IBEsJ+ExSfZHNkS6/DLZiuLEQKFxIOKlRyZQTALnzNaNTp763idW7zA+9k8ceBRH
+VO7x3EGNqNPhIss+JHOxDUaXTFfJTcd7XGv291unkZwBJuFhJBfH3S+ZCcF38xVK
+aweHOoJW5V+D9GKygb9oLjOxOupRkFuRrHFQcvj57FYqs9/GDVc=
+=8E1l
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-SA-20:16.cryptodev.asc b/share/security/advisories/FreeBSD-SA-20:16.cryptodev.asc
new file mode 100644
index 0000000000..6e1d8f4fad
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-20:16.cryptodev.asc
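Review bot: The note paragraph under "IV. Workaround" misspells "Specifically" as `Specificially` and pairs the singular subject "use of accelerated software cryptography" with `do not make use`; it should read `Specifically, use of accelerated software cryptography ... does not make use of the cryptodev module.` The same paragraph in FreeBSD-SA-20:16.cryptodev.asc carries the `Specificially` typo as well, and its Problem Description has `user-suppled` for "user-supplied". Both bodies sit between the `BEGIN PGP SIGNED MESSAGE` header and the signature block, so the wording cannot be corrected in place: any edit to the committed text would make `gpg --verify` fail, and a fix means re-issuing and re-signing the advisories. The workaround would also be easier to act on if it said how to confirm the module is loaded before running `kldunload cryptodev` (for example with `kldstat`), and what to do when the driver is presumably built into the kernel rather than loaded as a module, which the text does not cover.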
@@ -0,0 +1,132 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:16.cryptodev Security Advisory
+ The FreeBSD Project
+
+Topic: Insufficient cryptodev MAC key length check
+
+Category: core
+Module: cryptodev
+Announced: 2020-05-12
+Credits: Yuval Kanarenstein
+Affects: FreeBSD 12.1
+Corrected: 2020-01-20 11:54:00 UTC (stable/12, 12.1-STABLE)
+ 2020-05-12 16:59:09 UTC (releng/12.1, 12.1-RELEASE-p5)
+CVE Name: CVE-2019-15880
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit .
+
+I. Background
+
+The cryptodev module permits userland applications to offload cryptographic
+requests to device drivers in the kernel. Applications create sessions via
+file descriptors opened from /dev/crypto.
+
+II. Problem Description
+
+Requests to create cryptography sessions using a MAC did not validate the
+user-supplied MAC key length. The cryptodev module allocates a buffer whose
+size is this user-suppled length.
+
+III. Impact
+
+An unprivileged process can trigger a kernel panic.
+
+IV. Workaround
+
+Unload the cryptodev kernel module if it is loaded:
+
+# kldunload cryptodev
+
+Note that the cryptodev module is not loaded by default and is not
+used by most applications. Specificially, use of accelerated software
+cryptography (e.g. AES-NI) in userland applications via libraries such
+as OpenSSL does not make use of the cryptodev module.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date, and
+reboot the system.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-20:16/cryptodev.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:16/cryptodev.patch.asc
+# gpg --verify cryptodev.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+ and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r356911
+releng/12.1/ r360977
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII. References
+
+
+
+The latest revision of this advisory is available at
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl663tdfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKFbg/+Ou239S9yDp+FTyDlqq4w8p08kh8nHqB6FO6Q6aIxkEgSu/yO9IZsKSnM
+o05O8iOVOTRR5xSIBN/aW5d4adH81AV6X66NKUZ0bJwAp16v7YIyivY3ySLOB093
+oOTy/wlv0jxAYVzOlqMTuVm4dr9dh+9I9kwF94SDY7/maY0pCuUmVCRi2Y5gvCqu
+LYkDdG0Mq0pka1sGY8aFvG63oMyZ98gkbBNk666SzJnBDq/QDSL0FASCgYDjG1fE
+R/BciJpucIFi3JPZgSaKi4j56HiN/LaX63A1rdjza3aRh/sLMr7+GHFI3sn474tu
+xrkRjwnxr7/dghjspHAvsv+8U1oRIGVxeyaQB+Hd4WvNcVzp2McNBJ9c/z7Ugt1r
+affyXl0JBBkdVa45xDf/weGwwxcmCWxXxv7gDPelf07p3MNjl5G3pPUCUoRA3XE5
+Am1v5E0Eui5s/H4ncodY/ECIAHuOfenzdcpK5xCQUMHkgikfiLftNfLWSVOrqEJn
+Wxl8/ttKWLYYwYDSYrN0kNvQWc6LHsuA1I7Zt7wpRW09wB2OlZ7Hn2nZebTrXjKG
+P/AeGa+JVCJ2HZzj1+8qxcFHgq8IRINICvq743e2vIQak0KsgqmtvnLavAlv/p3d
+zPxFJOPAw0bhJj14qLT+cXGC9u3/qrZWWR0b4S7qeMlLG3Cw4fk=
+=j3X1
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-20:08/tzdata-2020a.patch b/share/security/patches/EN-20:08/tzdata-2020a.patch
new file mode 100644
index 0000000000..acc56b4635
--- /dev/null
+++ b/share/security/patches/EN-20:08/tzdata-2020a.patch
@@ -0,0 +1,1074 @@ +--- contrib/tzdata/Makefile.orig ++++ contrib/tzdata/Makefile +@@ -150,6 +150,15 @@ + + REDO= posix_right + ++# Whether to put an "Expires" line in the leapseconds file. ++# Use EXPIRES_LINE=1 to put the line in, 0 to omit it. ++# The EXPIRES_LINE value matters only if REDO's value contains "right". ++# If you change EXPIRES_LINE, remove the leapseconds file before running "make". ++# zic's support for the Expires line was introduced in tzdb 2020a, ++# and EXPIRES_LINE defaults to 0 for now so that the leapseconds file ++# can be given to older zic implementations. ++EXPIRES_LINE= 0 ++ + # To install data in text form that has all the information of the TZif data, + # (optionally incorporating leap second information), use + # TZDATA_TEXT= tzdata.zi leapseconds +@@ -295,8 +304,9 @@ + # than TM_GMTOFF and TM_ZONE. However, most of them are standardized. + # # + # # To omit or support the external variable "tzname", add one of: +-# # -DHAVE_TZNAME=0 +-# # -DHAVE_TZNAME=1 ++# # -DHAVE_TZNAME=0 # do not support "tzname" ++# # -DHAVE_TZNAME=1 # support "tzname", which is defined by system library ++# # -DHAVE_TZNAME=2 # support and define "tzname" + # # to the "CFLAGS=" line. "tzname" is required by POSIX 1988 and later. + # # If not defined, the code attempts to guess HAVE_TZNAME from other macros. + # # Warning: unless time_tz is also defined, HAVE_TZNAME=1 can cause +@@ -304,16 +314,20 @@ + # # presumably due to memory allocation issues. + # # + # # To omit or support the external variables "timezone" and "daylight", add +-# # -DUSG_COMPAT=0 +-# # -DUSG_COMPAT=1 ++# # -DUSG_COMPAT=0 # do not support ++# # -DUSG_COMPAT=1 # support, and variables are defined by system library ++# # -DUSG_COMPAT=2 # support and define variables + # # to the "CFLAGS=" line; "timezone" and "daylight" are inspired by + # # Unix Systems Group code and are required by POSIX 2008 (with XSI) and later. 
+ # # If not defined, the code attempts to guess USG_COMPAT from other macros. + # # + # # To support the external variable "altzone", add +-# # -DALTZONE ++# # -DALTZONE=0 # do not support ++# # -DALTZONE=1 # support "altzone", which is defined by system library ++# # -DALTZONE=2 # support and define "altzone" + # # to the end of the "CFLAGS=" line; although "altzone" appeared in + # # System V Release 3.1 it has not been standardized. ++# # If not defined, the code attempts to guess ALTZONE from other macros. + # + # If you want functions that were inspired by early versions of X3J11's work, + # add +@@ -321,9 +335,7 @@ + # to the end of the "CFLAGS=" line. This arranges for the functions + # "tzsetwall", "offtime", "timelocal", "timegm", "timeoff", + # "posix2time", and "time2posix" to be added to the time conversion library. +-# "tzsetwall" is like "tzset" except that it arranges for local wall clock +-# time (rather than the timezone specified in the TZ environment variable) +-# to be used. ++# "tzsetwall" is deprecated and is intended to be removed soon; see NEWS. + # "offtime" is like "gmtime" except that it accepts a second (long) argument + # that gives an offset to add to the time_t when converting it. + # "timelocal" is equivalent to "mktime". +@@ -333,7 +345,6 @@ + # that gives an offset to use when converting to a time_t. + # "posix2time" and "time2posix" are described in an included manual page. + # X3J11's work does not describe any of these functions. +-# Sun has provided "tzsetwall", "timelocal", and "timegm" in SunOS 4.0. + # These functions may well disappear in future releases of the time + # conversion package. 
+ # +@@ -505,11 +516,11 @@ + TZCOBJS= zic.o + TZDOBJS= zdump.o localtime.o asctime.o strftime.o + DATEOBJS= date.o localtime.o strftime.o asctime.o +-LIBSRCS= localtime.c asctime.c difftime.c +-LIBOBJS= localtime.o asctime.o difftime.o ++LIBSRCS= localtime.c asctime.c difftime.c strftime.c ++LIBOBJS= localtime.o asctime.o difftime.o strftime.o + HEADERS= tzfile.h private.h + NONLIBSRCS= zic.c zdump.c +-NEWUCBSRCS= date.c strftime.c ++NEWUCBSRCS= date.c + SOURCES= $(HEADERS) $(LIBSRCS) $(NONLIBSRCS) $(NEWUCBSRCS) \ + tzselect.ksh workman.sh + MANS= newctime.3 newstrftime.3 newtzset.3 time2posix.3 \ +@@ -651,7 +662,8 @@ + chmod +x yearistype + + leapseconds: $(LEAP_DEPS) +- $(AWK) -f leapseconds.awk leap-seconds.list >$@.out ++ $(AWK) -v EXPIRES_LINE=$(EXPIRES_LINE) \ ++ -f leapseconds.awk leap-seconds.list >$@.out + mv $@.out $@ + + # Arguments to pass to submakes of install_data. +--- contrib/tzdata/NEWS.orig ++++ contrib/tzdata/NEWS +@@ -1,5 +1,87 @@ + News for the tz database + ++Release 2020a - 2020-04-23 16:03:47 -0700 ++ ++ Briefly: ++ Morocco springs forward on 2020-05-31, not 2020-05-24. ++ Canada's Yukon advanced to -07 year-round on 2020-03-08. ++ America/Nuuk renamed from America/Godthab. ++ zic now supports expiration dates for leap second lists. ++ ++ Changes to future timestamps ++ ++ Morocco's second spring-forward transition in 2020 will be May 31, ++ not May 24 as predicted earlier. (Thanks to Semlali Naoufal.) ++ Adjust future-year predictions to use the first Sunday after the ++ day after Ramadan, not the first Sunday after Ramadan. ++ ++ Canada's Yukon, represented by America/Whitehorse and ++ America/Dawson, advanced to -07 year-round, beginning with its ++ spring-forward transition on 2020-03-08, and will not fall back on ++ 2020-11-01. Although a government press release calls this ++ "permanent Pacific Daylight Saving Time", we prefer MST for ++ consistency with nearby Dawson Creek, Creston, and Fort Nelson. ++ (Thanks to Tim Parenti.) 
++ ++ Changes to past timestamps ++ ++ Shanghai observed DST in 1919. (Thanks to Phake Nick.) ++ ++ Changes to timezone identifiers ++ ++ To reflect current usage in English better, America/Godthab has ++ been renamed to America/Nuuk. A backwards-compatibility link ++ remains for the old name. ++ ++ Changes to code ++ ++ localtime.c no longer mishandles timestamps after the last ++ transition in a TZif file with leap seconds and with daylight ++ saving time transitions projected into the indefinite future. ++ For example, with TZ='America/Los_Angeles' with leap seconds, ++ zdump formerly reported a DST transition on 2038-03-14 ++ from 01:59:32.999... to 02:59:33 instead of the correct transition ++ from 01:59:59.999... to 03:00:00. ++ ++ zic -L now supports an Expires line in the leapseconds file, and ++ truncates the TZif output accordingly. This propagates leap ++ second expiration information into the TZif file, and avoids the ++ abovementioned localtime.c bug as well as similar bugs present in ++ many client implementations. If no Expires line is present, zic ++ -L instead truncates the TZif output based on the #expires comment ++ present in leapseconds files distributed by tzdb 2018f and later; ++ however, this usage is obsolescent. For now, the distributed ++ leapseconds file has an Expires line that is commented out, so ++ that the file can be fed to older versions of zic which ignore the ++ commented-out line. Future tzdb distributions are planned to ++ contain a leapseconds file with an Expires line. ++ ++ The configuration macros HAVE_TZNAME and USG_COMPAT should now be ++ set to 1 if the system library supports the feature, and 2 if not. ++ As before, these macros are nonzero if tzcode should support the ++ feature, zero otherwise. ++ ++ The configuration macro ALTZONE now has the same values with the ++ same meaning as HAVE_TZNAME and USG_COMPAT. ++ ++ The code's defense against CRLF in leap-seconds.list is now ++ portable to POSIX awk. 
(Problem reported by Deborah Goldsmith.) ++ ++ Although the undocumented tzsetwall function is not changed in ++ this release, it is now deprecated in preparation for removal in ++ future releases. Due to POSIX requirements, tzsetwall has not ++ worked for some time. Any code that uses it should instead use ++ tzalloc(NULL) or, if portability trumps thread-safety, should ++ unset the TZ environment variable. ++ ++ Changes to commentary ++ ++ The Îles-de-la-Madeleine and the Listuguj reserve are noted as ++ following America/Halifax, and comments about Yukon's "south" and ++ "north" have been corrected to say "east" and "west". (Thanks to ++ Jeffery Nichols.) ++ ++ + Release 2019c - 2019-09-11 08:59:48 -0700 + + Briefly: +--- contrib/tzdata/africa.orig ++++ contrib/tzdata/africa +@@ -867,19 +867,25 @@ + # Morocco will be on GMT starting from Sunday, May 5th 2019 at 3am. + # The switch to GMT+1 will occur on Sunday, June 9th 2019 at 2am.... + # http://fr.le360.ma/societe/voici-la-date-du-retour-a-lheure-legale-au-maroc-188222 ++ ++# From Semlali Naoufal (2020-04-14): ++# Following the announcement by the Moroccan government, the switch to ++# GMT time will take place on Sunday, April 19, 2020 from 3 a.m. and ++# the return to GMT+1 time will take place on Sunday, May 31, 2020 at 2 a.m.... ++# https://maroc-diplomatique.net/maroc-le-retour-a-lheure-gmt-est-prevu-dimanche-prochain/ ++# http://aujourdhui.ma/actualite/gmt1-retour-a-lheure-normale-dimanche-prochain-1 + # +-# From Paul Eggert (2019-05-20): +-# This agrees with our 2018-11-01 guess that the Moroccan government +-# would continue the practice of falling back at 03:00 the last Sunday +-# before Ramadan, and of springing forward at 02:00 the first Sunday after +-# Ramadan, as this has been the practice since 2012. To implement this, +-# transition dates for 2019 through 2087 were determined by running the +-# following program under GNU Emacs 26.2. 
+-# (let ((islamic-year 1440)) ++# From Paul Eggert (2020-04-14): ++# For now, guess that in the future Morocco will fall back at 03:00 ++# the last Sunday before Ramadan, and spring forward at 02:00 the ++# first Sunday after the day after Ramadan. To implement this, ++# transition dates for 2021 through 2087 were determined by running ++# the following program under GNU Emacs 26.3. ++# (let ((islamic-year 1442)) + # (require 'cal-islam) + # (while (< islamic-year 1511) + # (let ((a (calendar-islamic-to-absolute (list 9 1 islamic-year))) +-# (b (calendar-islamic-to-absolute (list 10 1 islamic-year))) ++# (b (1+ (calendar-islamic-to-absolute (list 10 1 islamic-year)))) + # (sunday 0)) + # (while (/= sunday (mod (setq a (1- a)) 7))) + # (while (/= sunday (mod b 7)) +@@ -939,7 +945,7 @@ + Rule Morocco 2019 only - May 5 3:00 -1:00 - + Rule Morocco 2019 only - Jun 9 2:00 0 - + Rule Morocco 2020 only - Apr 19 3:00 -1:00 - +-Rule Morocco 2020 only - May 24 2:00 0 - ++Rule Morocco 2020 only - May 31 2:00 0 - + Rule Morocco 2021 only - Apr 11 3:00 -1:00 - + Rule Morocco 2021 only - May 16 2:00 0 - + Rule Morocco 2022 only - Mar 27 3:00 -1:00 - +@@ -955,7 +961,7 @@ + Rule Morocco 2027 only - Feb 7 3:00 -1:00 - + Rule Morocco 2027 only - Mar 14 2:00 0 - + Rule Morocco 2028 only - Jan 23 3:00 -1:00 - +-Rule Morocco 2028 only - Feb 27 2:00 0 - ++Rule Morocco 2028 only - Mar 5 2:00 0 - + Rule Morocco 2029 only - Jan 14 3:00 -1:00 - + Rule Morocco 2029 only - Feb 18 2:00 0 - + Rule Morocco 2029 only - Dec 30 3:00 -1:00 - +@@ -971,7 +977,7 @@ + Rule Morocco 2034 only - Nov 5 3:00 -1:00 - + Rule Morocco 2034 only - Dec 17 2:00 0 - + Rule Morocco 2035 only - Oct 28 3:00 -1:00 - +-Rule Morocco 2035 only - Dec 2 2:00 0 - ++Rule Morocco 2035 only - Dec 9 2:00 0 - + Rule Morocco 2036 only - Oct 19 3:00 -1:00 - + Rule Morocco 2036 only - Nov 23 2:00 0 - + Rule Morocco 2037 only - Oct 4 3:00 -1:00 - +@@ -987,7 +993,7 @@ + Rule Morocco 2042 only - Aug 10 3:00 -1:00 - + Rule Morocco 2042 
only - Sep 21 2:00 0 - + Rule Morocco 2043 only - Aug 2 3:00 -1:00 - +-Rule Morocco 2043 only - Sep 6 2:00 0 - ++Rule Morocco 2043 only - Sep 13 2:00 0 - + Rule Morocco 2044 only - Jul 24 3:00 -1:00 - + Rule Morocco 2044 only - Aug 28 2:00 0 - + Rule Morocco 2045 only - Jul 9 3:00 -1:00 - +@@ -1003,7 +1009,7 @@ + Rule Morocco 2050 only - May 15 3:00 -1:00 - + Rule Morocco 2050 only - Jun 26 2:00 0 - + Rule Morocco 2051 only - May 7 3:00 -1:00 - +-Rule Morocco 2051 only - Jun 11 2:00 0 - ++Rule Morocco 2051 only - Jun 18 2:00 0 - + Rule Morocco 2052 only - Apr 28 3:00 -1:00 - + Rule Morocco 2052 only - Jun 2 2:00 0 - + Rule Morocco 2053 only - Apr 13 3:00 -1:00 - +@@ -1019,7 +1025,7 @@ + Rule Morocco 2058 only - Feb 17 3:00 -1:00 - + Rule Morocco 2058 only - Mar 31 2:00 0 - + Rule Morocco 2059 only - Feb 9 3:00 -1:00 - +-Rule Morocco 2059 only - Mar 16 2:00 0 - ++Rule Morocco 2059 only - Mar 23 2:00 0 - + Rule Morocco 2060 only - Feb 1 3:00 -1:00 - + Rule Morocco 2060 only - Mar 7 2:00 0 - + Rule Morocco 2061 only - Jan 16 3:00 -1:00 - +@@ -1029,13 +1035,13 @@ + Rule Morocco 2062 only - Dec 31 3:00 -1:00 - + Rule Morocco 2063 only - Feb 4 2:00 0 - + Rule Morocco 2063 only - Dec 16 3:00 -1:00 - +-Rule Morocco 2064 only - Jan 20 2:00 0 - ++Rule Morocco 2064 only - Jan 27 2:00 0 - + Rule Morocco 2064 only - Dec 7 3:00 -1:00 - + Rule Morocco 2065 only - Jan 11 2:00 0 - + Rule Morocco 2065 only - Nov 22 3:00 -1:00 - + Rule Morocco 2066 only - Jan 3 2:00 0 - + Rule Morocco 2066 only - Nov 14 3:00 -1:00 - +-Rule Morocco 2066 only - Dec 19 2:00 0 - ++Rule Morocco 2066 only - Dec 26 2:00 0 - + Rule Morocco 2067 only - Nov 6 3:00 -1:00 - + Rule Morocco 2067 only - Dec 11 2:00 0 - + Rule Morocco 2068 only - Oct 21 3:00 -1:00 - +@@ -1045,13 +1051,13 @@ + Rule Morocco 2070 only - Oct 5 3:00 -1:00 - + Rule Morocco 2070 only - Nov 9 2:00 0 - + Rule Morocco 2071 only - Sep 20 3:00 -1:00 - +-Rule Morocco 2071 only - Oct 25 2:00 0 - ++Rule Morocco 2071 only - Nov 1 2:00 0 - + Rule 
Morocco 2072 only - Sep 11 3:00 -1:00 - + Rule Morocco 2072 only - Oct 16 2:00 0 - + Rule Morocco 2073 only - Aug 27 3:00 -1:00 - + Rule Morocco 2073 only - Oct 8 2:00 0 - + Rule Morocco 2074 only - Aug 19 3:00 -1:00 - +-Rule Morocco 2074 only - Sep 23 2:00 0 - ++Rule Morocco 2074 only - Sep 30 2:00 0 - + Rule Morocco 2075 only - Aug 11 3:00 -1:00 - + Rule Morocco 2075 only - Sep 15 2:00 0 - + Rule Morocco 2076 only - Jul 26 3:00 -1:00 - +@@ -1061,7 +1067,7 @@ + Rule Morocco 2078 only - Jul 10 3:00 -1:00 - + Rule Morocco 2078 only - Aug 14 2:00 0 - + Rule Morocco 2079 only - Jun 25 3:00 -1:00 - +-Rule Morocco 2079 only - Jul 30 2:00 0 - ++Rule Morocco 2079 only - Aug 6 2:00 0 - + Rule Morocco 2080 only - Jun 16 3:00 -1:00 - + Rule Morocco 2080 only - Jul 21 2:00 0 - + Rule Morocco 2081 only - Jun 1 3:00 -1:00 - +@@ -1077,7 +1083,7 @@ + Rule Morocco 2086 only - Apr 14 3:00 -1:00 - + Rule Morocco 2086 only - May 19 2:00 0 - + Rule Morocco 2087 only - Mar 30 3:00 -1:00 - +-Rule Morocco 2087 only - May 4 2:00 0 - ++Rule Morocco 2087 only - May 11 2:00 0 - + # For dates after the somewhat-arbitrary cutoff of 2087, assume that + # Morocco will no longer observe DST. At some point this table will + # need to be extended, though quite possibly Morocco will change the +@@ -1179,7 +1185,7 @@ + Rule Namibia 1994 only - Mar 21 0:00 -1:00 WAT + Rule Namibia 1994 2017 - Sep Sun>=1 2:00 0 CAT + Rule Namibia 1995 2017 - Apr Sun>=1 2:00 -1:00 WAT +-# Rearguard section, for parsers that do not support negative DST. ++# Rearguard section, for parsers lacking negative DST; see ziguard.awk. + #Rule Namibia 1994 only - Mar 21 0:00 0 WAT + #Rule Namibia 1994 2017 - Sep Sun>=1 2:00 1:00 CAT + #Rule Namibia 1995 2017 - Apr Sun>=1 2:00 0 WAT +@@ -1193,7 +1199,7 @@ + 2:00 - SAST 1990 Mar 21 # independence + # Vanguard section, for zic and other parsers that support negative DST. + 2:00 Namibia %s +-# Rearguard section, for parsers that do not support negative DST. 
++# Rearguard section, for parsers lacking negative DST; see ziguard.awk. + # 2:00 - CAT 1994 Mar 21 0:00 + # From Paul Eggert (2017-04-07): + # The official date of the 2017 rule change was 2017-10-24. See: +--- contrib/tzdata/asia.orig ++++ contrib/tzdata/asia +@@ -286,6 +286,27 @@ + + # China + ++# From Phake Nick (2020-04-15): ++# According to this news report: ++# http://news.sina.com.cn/c/2004-09-01/19524201403.shtml ++# on April 11, 1919, newspaper in Shanghai said clocks in Shanghai will spring ++# forward for an hour starting from midnight of that Saturday. The report did ++# not mention what happened in Shanghai thereafter, but it mentioned that a ++# similar trial in Tianjin which ended at October 1st as citizens are told to ++# recede the clock on September 30 from 12:00pm to 11:00pm. The trial at ++# Tianjin got terminated in 1920. ++# ++# From Paul Eggert (2020-04-15): ++# The Returns of Trade and Trade Reports, page 711, says "Daylight saving was ++# given a trial during the year, and from the 12th April to the 1st October ++# the clocks were all set one hour ahead of sun time. Though the scheme was ++# generally esteemed a success, it was announced early in 1920 that it would ++# not be repeated." ++# ++# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++Rule Shang 1919 only - Apr 12 24:00 1:00 D ++Rule Shang 1919 only - Sep 30 24:00 0 S ++ + # From Paul Eggert (2018-10-02): + # The following comes from Table 1 of: + # Li Yu. Research on the daylight saving movement in 1940s Shanghai. +@@ -294,7 +315,90 @@ + # The table lists dates only; I am guessing 00:00 and 24:00 transition times. + # Also, the table lists the planned end of DST in 1949, but the corresponding + # zone line cuts this off on May 28, when the Communists took power. ++ ++# From Phake Nick (2020-04-15): + # ++# For the history of time in Shanghai between 1940-1942, the situation is ++# actually slightly more complex than the table [below].... 
At the time, ++# there were three different authorities in Shanghai, including Shanghai ++# International Settlement, a settlement established by western countries with ++# its own westernized form of government, Shanghai French Concession, similar ++# to the international settlement but is controlled by French, and then the ++# rest of the city of Shanghai, which have already been controlled by Japanese ++# force through a puppet local government (Wang Jingwei regime). It was ++# additionally complicated by the circumstances that, according to the 1940s ++# Shanghai summer time essay cited in the database, some ++# departments/businesses/people in the Shanghai city itself during that time ++# period, refused to change their clock and instead only changed their opening ++# hours. ++# ++# For example, as quoted in the article, in 1940, other than the authority ++# itself, power, tram, bus companies, cinema, department stores, and other ++# public service organizations have all decided to follow the summer time and ++# spring forward the clock. On the other hand, the custom office refused to ++# spring forward the clock because of worry on mechanical wear to the physical ++# clock, postal office refused to spring forward because of disruption to ++# business and log-keeping, although they did changed their office hour to ++# match rest of the city. So is travel agents, and also weather ++# observatory. It is said both time standards had their own supporters in the ++# city at the time, those who prefer new time standard would have moved their ++# clock while those who prefer the old time standard would keep their clock ++# unchange, and there were different clocks that use different time standard ++# in the city at the time for people who use different time standard to adjust ++# their clock to their preferred time. ++# ++# a. 
For the 1940 May 31 spring forward, the essay claim that it was ++# coordinared between the international settlement authority and the French ++# concession authority and have gathered support from Hong Kong and Xiamen, ++# that it would spring forward an hour from May 31 "midnight", and the essay ++# claim "Hong Kong government implemented the spring forward in the same time ++# on the same date as Shanghai". ++# ++# b. For the 1940 fall back, it was said that they initially intended to do ++# so on September 30 00:59 at night, however they postponed it to October 12 ++# after discussion with relevant parties. However schools restored to the ++# original schedule ten days earlier. ++# ++# c. For the 1941 spring forward, it is said to start from March 15 ++# "following the previous year's method", and in addition to that the essay ++# cited an announcement in 1941 from the Wang regime which said the Special ++# City of Shanghai under Wang regime control will follow the DST rule set by ++# the Settlements, irrespective of the original DST plan announced by the Wang ++# regime for other area under its control(April 1 to September 30). (no idea ++# to situation before that announcement) ++# ++# d. For the 1941 fall back, it was said that the fall back would occurs at ++# the end of September (A newspaper headline cited by the essay, published on ++# October 1, 1941, have the headlines which said "French Concession would ++# rewind to the old clock this morning), but it ultimately didn't happen due ++# to disagreement between the international settlement authority and the ++# French concession authority, and the fall back ultimately occurred on ++# November 1. ++# ++# e. In 1941 December, Japan have officially started war with the United ++# States and the United Kingdom, and in Shanghai they have marched into the ++# international settlement, taken over its control ++# ++# f. 
For the 1942 spring forward, the essay said that the spring forward ++# started on January 31. It said this time the custom office and postal ++# department will also change their clocks, unlike before. ++# ++# g. The essay itself didn't cover any specific changes thereafter until the ++# end of the war, it quoted a November 1942 command from the government of the ++# Wang regime, which claim the daylight saving time applies year round during ++# the war. However, the essay ambiguously said the period is "February 1 to ++# September 30", which I don't really understand what is the meaning of such ++# period in the context of year round implementation here.. More researches ++# might be needed to show exactly what happened during that period of time. ++ ++# From Phake Nick (2020-04-15): ++# According to a Japanese tour bus pamphlet in Nanjing area believed to be ++# from around year 1941: http://www.tt-museum.jp/tairiku_0280_nan1941.html , ++# the schedule listed was in the format of Japanese time. Which indicate some ++# use of the Japanese time (instead of syncing by DST) might have occurred in ++# the Yangtze river delta area during that period of time although the scope ++# of such use will need to be investigated to determine. ++# + # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S + Rule Shang 1940 only - Jun 1 0:00 1:00 D + Rule Shang 1940 only - Oct 12 24:00 0 S +@@ -572,7 +676,7 @@ + 6:00 - +06 + + +-# Hong Kong (Xianggang) ++# Hong Kong + + # Milne gives 7:36:41.7; round this. + +@@ -582,9 +686,7 @@ + # it is not [an] observatory, but the official meteorological agency of HK, + # and also serves as the official timing agency), there are some missing + # and incorrect rules. Although the exact switch over time is missing, I +-# think 3:30 is correct. The official DST record for Hong Kong can be +-# obtained from +-# http://www.hko.gov.hk/gts/time/Summertime.htm ++# think 3:30 is correct. 
+ + # From Phake Nick (2018-10-27): + # According to Singaporean newspaper +@@ -695,10 +797,10 @@ + # Resolution of the Legislative Council passed on 9 May 1979 + # https://www.legco.gov.hk/yr78-79/english/lc_sitg/hansard/h790509.pdf#page=39 + +-# From Paul Eggert (2019-05-31): ++# From Paul Eggert (2020-04-15): + # Here are the dates given at +-# https://www.hko.gov.hk/gts/time/Summertime.htm +-# as of 2014-06-19: ++# https://www.hko.gov.hk/en/gts/time/Summertime.htm ++# as of 2020-02-10: + # Year Period + # 1941 15 Jun to 30 Sep + # 1942 Whole year +@@ -1828,6 +1930,47 @@ + + # '9:00' and 'JST' is from Guy Harris. + ++# From Paul Eggert (2020-01-19): ++# Starting in the 7th century, Japan generally followed an ancient Chinese ++# timekeeping system that divided night and day into six hours each, ++# with hour length depending on season. In 1873 the government ++# started requiring the use of a Western style 24-hour clock. See: ++# Yulia Frumer, "Making Time: Astronomical Time Measurement in Tokugawa Japan" ++# . As the tzdb code and ++# data support only 24-hour clocks, its tables model timestamps before ++# 1873 using Western-style local mean time. ++ ++# From Hideyuki Suzuki (1998-11-09): ++# 'Tokyo' usually stands for the former location of Tokyo Astronomical ++# Observatory: 139° 44' 40.90" E (9h 18m 58.727s), 35° 39' 16.0" N. ++# This data is from 'Rika Nenpyou (Chronological Scientific Tables) 1996' ++# edited by National Astronomical Observatory of Japan.... ++# JST (Japan Standard Time) has been used since 1888-01-01 00:00 (JST). ++# The law is enacted on 1886-07-07. ++ ++# From Hideyuki Suzuki (1998-11-16): ++# The ordinance No. 51 (1886) established "standard time" in Japan, ++# which stands for the time on 135° E. ++# In the ordinance No. 167 (1895), "standard time" was renamed to "central ++# standard time". And the same ordinance also established "western standard ++# time", which stands for the time on 120° E.... 
But "western standard ++# time" was abolished in the ordinance No. 529 (1937). In the ordinance No. ++# 167, there is no mention regarding for what place western standard time is ++# standard.... ++# ++# I wrote "ordinance" above, but I don't know how to translate. ++# In Japanese it's "chokurei", which means ordinance from emperor. ++ ++# From Yu-Cheng Chuang (2013-07-12): ++# ...the Meiji Emperor announced Ordinance No. 167 of Meiji Year 28 "The clause ++# about standard time" ... The adoption began from Jan 1, 1896. ++# https://ja.wikisource.org/wiki/標準時ニ關スル件_(公布時) ++# ++# ...the Showa Emperor announced Ordinance No. 529 of Showa Year 12 ... which ++# means the whole Japan territory, including later occupations, adopt Japan ++# Central Time (UT+9). The adoption began on Oct 1, 1937. ++# https://ja.wikisource.org/wiki/明治二十八年勅令第百六十七號標準時ニ關スル件中改正ノ件 ++ + # From Paul Eggert (1995-03-06): + # Today's _Asahi Evening News_ (page 4) reports that Japan had + # daylight saving between 1948 and 1951, but "the system was discontinued +@@ -1876,37 +2019,6 @@ + Rule Japan 1949 only - Apr Sat>=1 24:00 1:00 D + Rule Japan 1950 1951 - May Sat>=1 24:00 1:00 D + +-# From Hideyuki Suzuki (1998-11-09): +-# 'Tokyo' usually stands for the former location of Tokyo Astronomical +-# Observatory: 139° 44' 40.90" E (9h 18m 58.727s), 35° 39' 16.0" N. +-# This data is from 'Rika Nenpyou (Chronological Scientific Tables) 1996' +-# edited by National Astronomical Observatory of Japan.... +-# JST (Japan Standard Time) has been used since 1888-01-01 00:00 (JST). +-# The law is enacted on 1886-07-07. +- +-# From Hideyuki Suzuki (1998-11-16): +-# The ordinance No. 51 (1886) established "standard time" in Japan, +-# which stands for the time on 135° E. +-# In the ordinance No. 167 (1895), "standard time" was renamed to "central +-# standard time". And the same ordinance also established "western standard +-# time", which stands for the time on 120° E.... 
But "western standard +-# time" was abolished in the ordinance No. 529 (1937). In the ordinance No. +-# 167, there is no mention regarding for what place western standard time is +-# standard.... +-# +-# I wrote "ordinance" above, but I don't know how to translate. +-# In Japanese it's "chokurei", which means ordinance from emperor. +- +-# From Yu-Cheng Chuang (2013-07-12): +-# ...the Meiji Emperor announced Ordinance No. 167 of Meiji Year 28 "The clause +-# about standard time" ... The adoption began from Jan 1, 1896. +-# https://ja.wikisource.org/wiki/標準時ニ關スル件_(公布時) +-# +-# ...the Showa Emperor announced Ordinance No. 529 of Showa Year 12 ... which +-# means the whole Japan territory, including later occupations, adopt Japan +-# Central Time (UT+9). The adoption began on Oct 1, 1937. +-# https://ja.wikisource.org/wiki/明治二十八年勅令第百六十七號標準時ニ關スル件中改正ノ件 +- + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Asia/Tokyo 9:18:59 - LMT 1887 Dec 31 15:00u + 9:00 Japan J%sT +@@ -3086,22 +3198,9 @@ + # [T]he Palestinian cabinet decision (Mar 8th 2016) published on + # http://www.palestinecabinet.gov.ps/WebSite/Upload/Decree/GOV_17/16032016134830.pdf + # states that summer time will end on Oct 29th at 01:00. +-# +-# From Tim Parenti (2016-10-19): +-# Predict fall transitions on October's last Saturday at 01:00 from now on. +-# This is consistent with the 2016 transition as well as our spring +-# predictions. +-# +-# From Paul Eggert (2016-10-19): +-# It's also consistent with predictions in the following URLs today: +-# https://www.timeanddate.com/time/change/gaza-strip/gaza +-# https://www.timeanddate.com/time/change/west-bank/hebron + + # From Sharef Mustafa (2018-03-16): +-# Palestine summer time will start on Mar 24th 2018 by advancing the +-# clock by 60 minutes as per Palestinian cabinet decision published on +-# the official website, though the decree did not specify the exact +-# time of the time shift. ++# Palestine summer time will start on Mar 24th 2018 ... 
+ # http://www.palestinecabinet.gov.ps/Website/AR/NDecrees/ViewFile.ashx?ID=e7a42ab7-ee23-435a-b9c8-a4f7e81f3817 + + # From Even Scharning (2019-03-23): +@@ -3111,15 +3210,20 @@ + # From Sharif Mustafa (2019-03-26): + # The Palestinian cabinet announced today that the switch to DST will + # be on Fri Mar 29th 2019 by advancing the clock by 60 minutes. +-# The decree signing date is Mar 12th but it was not published till today. +-# The decree does not specify the exact time of switch. + # http://palestinecabinet.gov.ps/Website/AR/NDecrees/ViewFile.ashx?ID=e54e9ea1-50ee-4137-84df-0d6c78da259b + # + # From Even Scharning (2019-04-10): + # Our source in Palestine said it happened Friday 29 at 00:00 local time.... ++ ++# From Sharef Mustafa (2019-10-18): ++# Palestine summer time will end on midnight Oct 26th 2019 ... ++# http://www.palestinecabinet.gov.ps/website/ar/ViewDetails?ID=43948 + # + # From Paul Eggert (2019-04-10): + # For now, guess spring-ahead transitions are March's last Friday at 00:00. ++# ++# From Tim Parenti (2016-10-19): ++# Predict fall transitions on October's last Saturday at 01:00 from now on. + + # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S + Rule EgyptAsia 1957 only - May 10 0:00 1:00 S +--- contrib/tzdata/backward.orig ++++ contrib/tzdata/backward +@@ -17,6 +17,7 @@ + Link America/Argentina/Cordoba America/Cordoba + Link America/Tijuana America/Ensenada + Link America/Indiana/Indianapolis America/Fort_Wayne ++Link America/Nuuk America/Godthab + Link America/Indiana/Indianapolis America/Indianapolis + Link America/Argentina/Jujuy America/Jujuy + Link America/Indiana/Knox America/Knox_IN +--- contrib/tzdata/backzone.orig ++++ contrib/tzdata/backzone +@@ -33,6 +33,35 @@ + # assumes rules from other files. In the tz distribution, use + # 'make PACKRATDATA=backzone zones' to compile and install this file. + ++ ++# From Paul Eggert (2020-04-15): ++# The following remarks should be incorporated into this table sometime. 
++# Patches in 'git format-patch' format would be welcome. ++# ++# From Phake Nick (2020-04-15): ++# ... the historical timezone data for those China zones seems to be ++# incorrect. The transition to GMT+8 date given there for these zones ++# were 1980 which also contradict the file description that they do ++# not disagree with normal zone after 1970. According to sources that ++# have also been cited in the asia file, except Xinjiang and Tibet, ++# they should have adopted the Beijing Time from around 1949/1950 ++# depends on exactly when each of those cities were taken over by the ++# communist army. And they should also follow the DST setting of ++# Asia/Shanghai after that point of time. In addition, ++# http://gaz.ncl.edu.tw/detail.jsp?sysid=E1091792 the document from ++# Chongqing Nationalist government say in year 1945 all of China ++# should adopt summer time due to the war (not sure whether it ++# continued after WWII ends)(Probably only enforced in area under ++# their rule at the time?) The Asia/Harbin's 1932 and 1940 entry ++# should also be incorrect. As per sources recorded at ++# https://wiki.suikawiki.org/n/%E6%BA%80%E5%B7%9E%E5%9B%BD%E3%81%AE%E6%A8%99%E6%BA%96%E6%99%82 ++# , in 1932 Harbin should have adopted UTC+8:00 instead of data ++# currently listed in the tz database according to official ++# announcement from Manchuko. And they should have adopted GMT+9 in ++# 1937 January 1st according to official announcement at the time ++# being cited on the webpage. ++ ++ + # Zones are sorted by zone name. Each zone is preceded by the + # name of the country that the zone is in, along with any other + # commentary and rules associated with the entry. +--- contrib/tzdata/europe.orig ++++ contrib/tzdata/europe +@@ -549,12 +549,13 @@ + 0:00 1:00 IST 1947 Nov 2 2:00s + 0:00 - GMT 1948 Apr 18 2:00s + 0:00 GB-Eire GMT/IST 1968 Oct 27 +-# The next line is for when negative SAVE values are used. 
++# Vanguard section, for zic and other parsers that support negative DST. + 1:00 Eire IST/GMT +-# These three lines are for when SAVE values are always nonnegative. ++# Rearguard section, for parsers lacking negative DST; see ziguard.awk. + # 1:00 - IST 1971 Oct 31 2:00u + # 0:00 GB-Eire GMT/IST 1996 + # 0:00 EU GMT/IST ++# End of rearguard section. + + + ############################################################################### +@@ -1018,7 +1019,7 @@ + 1:00 Czech CE%sT 1946 Dec 1 3:00 + # Vanguard section, for zic and other parsers that support negative DST. + 1:00 -1:00 GMT 1947 Feb 23 2:00 +-# Rearguard section, for parsers that do not support negative DST. ++# Rearguard section, for parsers lacking negative DST; see ziguard.awk. + # 0:00 - GMT 1947 Feb 23 2:00 + # End of rearguard section. + 1:00 Czech CE%sT 1979 +@@ -1175,14 +1176,17 @@ + -3:00 - -03 1980 Apr 6 2:00 + -3:00 EU -03/-02 1996 + 0:00 - GMT ++# ++# Use the old name Scoresbysund, as the current name Ittoqqortoormiit ++# exceeds tzdb's 14-letter limit and has no common English abbreviation. + Zone America/Scoresbysund -1:27:52 - LMT 1916 Jul 28 # Ittoqqortoormiit + -2:00 - -02 1980 Apr 6 2:00 + -2:00 C-Eur -02/-01 1981 Mar 29 + -1:00 EU -01/+00 +-Zone America/Godthab -3:26:56 - LMT 1916 Jul 28 # Nuuk ++Zone America/Nuuk -3:26:56 - LMT 1916 Jul 28 # Godthåb + -3:00 - -03 1980 Apr 6 2:00 + -3:00 EU -03/-02 +-Zone America/Thule -4:35:08 - LMT 1916 Jul 28 # Pituffik air base ++Zone America/Thule -4:35:08 - LMT 1916 Jul 28 # Pituffik + -4:00 Thule A%sT + + # Estonia +@@ -1552,7 +1556,7 @@ + # + # From January 1st, 1908 the whole of Iceland was standardised at 1 hour + # behind GMT. Previously, local mean solar time was used in different parts +-# of Iceland, the almanak had been based on Reykjavik mean solar time which ++# of Iceland, the almanak had been based on Reykjavík mean solar time which + # was 1 hour and 28 minutes behind GMT. 
+ # + # "first day of winter" referred to [below] means the first day of the 26 weeks +--- contrib/tzdata/leap-seconds.list.orig ++++ contrib/tzdata/leap-seconds.list +@@ -62,7 +62,7 @@ + # Terry Quinn, "The BIPM and the Accurate Measurement + # of Time," Proc. of the IEEE, Vol. 79, pp. 894-905, + # July, 1991. +-# reprinted in: ++# reprinted in: + # Christine Hackman and Donald B Sullivan (eds.) + # Time and Frequency Measurement + # American Association of Physics Teachers (1996) +@@ -204,10 +204,10 @@ + # current -- the update time stamp, the data and the name of the file + # will not change. + # +-# Updated through IERS Bulletin C58 +-# File expires on: 28 June 2020 ++# Updated through IERS Bulletin C59 ++# File expires on: 28 December 2020 + # +-#@ 3802291200 ++#@ 3818102400 + # + 2272060800 10 # 1 Jan 1972 + 2287785600 11 # 1 Jul 1972 +@@ -252,4 +252,4 @@ + # the hash line is also ignored in the + # computation. + # +-#h f28827d2 f263b6c3 ec0f19eb a3e0dbf0 97f3fa30 ++#h a1c168ae 27c79a7d 9dddcfc3 bcfe616b 2e2c44ea +--- contrib/tzdata/leapseconds.orig ++++ contrib/tzdata/leapseconds +@@ -64,9 +64,15 @@ + Leap 2015 Jun 30 23:59:60 + S + Leap 2016 Dec 31 23:59:60 + S + ++# UTC timestamp when this leap second list expires. ++# Any additional leap seconds will come after this. ++# This Expires line is commented out for now, ++# so that pre-2020a zic implementations do not reject this file. 
++#Expires 2020 Dec 28 00:00:00 ++ + # POSIX timestamps for the data in this file: + #updated 1467936000 (2016-07-08 00:00:00 UTC) +-#expires 1593302400 (2020-06-28 00:00:00 UTC) ++#expires 1609113600 (2020-12-28 00:00:00 UTC) + +-# Updated through IERS Bulletin C58 +-# File expires on: 28 June 2020 ++# Updated through IERS Bulletin C59 ++# File expires on: 28 December 2020 +--- contrib/tzdata/leapseconds.awk.orig ++++ contrib/tzdata/leapseconds.awk +@@ -68,12 +68,12 @@ + monthabbr[11] = "Nov" + monthabbr[12] = "Dec" + +- # Strip trailing CR, in case the input has CRLF form a la NIST. +- RS = "\r?\n" +- + sstamp_init() + } + ++# In case the input has CRLF form a la NIST. ++{ sub(/\r$/, "") } ++ + /^#[ \t]*[Uu]pdated through/ || /^#[ \t]*[Ff]ile expires on/ { + last_lines = last_lines $0 "\n" + } +@@ -100,6 +100,17 @@ + } + + END { ++ sstamp_to_ymdhMs(expires, ss_NTP) ++ ++ print "" ++ print "# UTC timestamp when this leap second list expires." ++ print "# Any additional leap seconds will come after this." ++ print "# This Expires line is commented out for now," ++ print "# so that pre-2020a zic implementations do not reject this file." ++ printf "%sExpires %.4d\t%s\t%.2d\t%.2d:%.2d:%.2d\n", \ ++ EXPIRES_LINE ? "" : "#", \ ++ ss_year, monthabbr[ss_month], ss_mday, ss_hour, ss_min, ss_sec ++ + # The difference between the NTP and POSIX epochs is 70 years + # (including 17 leap days), each 24 hours of 60 minutes of 60 + # seconds each. +--- contrib/tzdata/northamerica.orig ++++ contrib/tzdata/northamerica +@@ -86,7 +86,7 @@ + # For more about the first ten years of DST in the United States, see + # Robert Garland, Ten years of daylight saving from the Pittsburgh standpoint + # (Carnegie Library of Pittsburgh, 1927). +-# http://www.clpgh.org/exhibit/dst.html ++# https://web.archive.org/web/20160517155308/http://www.clpgh.org/exhibit/dst.html + # + # Shanks says that DST was called "War Time" in the US in 1918 and 1919. 
+ # However, DST was imposed by the Standard Time Act of 1918, which +@@ -1470,7 +1470,8 @@ + -4:00 Canada A%sT + + +-# west Labrador, Nova Scotia, Prince Edward I ++# west Labrador, Nova Scotia, Prince Edward I, ++# Îles-de-la-Madeleine, Listuguj reserve + + # From Brian Inglis (2015-07-20): + # From the historical weather station records available at: +@@ -1489,6 +1490,13 @@ + # in Canada to observe DST in 1971 but not 1970; for now we'll assume + # this is a typo. + ++# From Jeffery Nichols (2020-01-09): ++# America/Halifax ... also applies to Îles-de-la-Madeleine and the Listuguj ++# reserve in Quebec. Officially, this came into effect on January 1, 2007 ++# (Legal Time Act, CQLR c T-5.1), but the legislative debates surrounding that ++# bill say that it is "accommodating the customs and practices" of those ++# regions, which suggests that they have always been in-line with Halifax. ++ + # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S + Rule Halifax 1916 only - Apr 1 0:00 1:00 D + Rule Halifax 1916 only - Oct 1 0:00 0 S +@@ -1582,8 +1590,9 @@ + + # Quebec + +-# From Paul Eggert (2015-03-24): ++# From Paul Eggert (2020-01-10): + # See America/Toronto for most of Quebec, including Montreal. ++# See America/Halifax for the Îles de la Madeleine and the Listuguj reserve. + # + # Matthews and Vincent (1998) also write that Quebec east of the -63 + # meridian is supposed to observe AST, but residents as far east as +@@ -1590,11 +1599,11 @@ + # Natashquan use EST/EDT, and residents east of Natashquan use AST. + # The Quebec department of justice writes in + # "The situation in Minganie and Basse-Côte-Nord" +-# http://www.justice.gouv.qc.ca/english/publications/generale/temps-minganie-a.htm ++# https://www.justice.gouv.qc.ca/en/department/ministre/functions-and-responsabilities/legal-time-in-quebec/the-situation-in-minganie-and-basse-cote-nord/ + # that the coastal strip from just east of Natashquan to Blanc-Sablon + # observes Atlantic standard time all year round. 
+-# https://www.assnat.qc.ca/Media/Process.aspx?MediaId=ANQ.Vigie.Bll.DocumentGenerique_8845en +-# says this common practice was codified into law as of 2007. ++# This common practice was codified into law as of 2007; see Legal Time Act, ++# CQLR c T-5.1 . + # For lack of better info, guess this practice began around 1970, contra to + # Shanks & Pottenger who have this region observing AST/ADT. + +@@ -1613,6 +1622,15 @@ + # Nipigon (EST) and Rainy River (CST) are the largest that we know of. + # Far west Ontario is like Winnipeg; far east Quebec is like Halifax. + ++# From Jeffery Nichols (2020-02-06): ++# According to the [Shanks] atlas, those western Ontario zones are huge, ++# covering most of Ontario northwest of Sault Ste Marie and Timmins. ++# The zones seem to include towns bigger than the ones they're named after, ++# like Dryden in America/Rainy_River and Wawa (and maybe Attawapiskat) in ++# America/Nipigon. I assume it's too much trouble to change the name of the ++# zone (like when you found out that America/Glace_Bay includes Sydney, Nova ++# Scotia).... ++ + # From Mark Brader (2003-07-26): + # [According to the Toronto Star] Orillia, Ontario, adopted DST + # effective Saturday, 1912-06-22, 22:00; the article mentions that +@@ -2419,6 +2437,18 @@ + # obtained in November 2008 should be ignored... + # I apologize for reporting incorrect information in 2008. + ++# From Tim Parenti (2020-03-05): ++# The government of Yukon announced [yesterday] the cessation of seasonal time ++# changes. "After clocks are pushed ahead one hour on March 8, the territory ++# will remain on [UTC-07]. ... 
[The government] found 93 per cent of ++# respondents wanted to end seasonal time changes and, of that group, 70 per ++# cent wanted 'permanent Pacific Daylight Saving Time.'" ++# https://www.cbc.ca/news/canada/north/yukon-end-daylight-saving-time-1.5486358 ++# ++# Although the government press release prefers PDT, we prefer MST for ++# consistency with nearby Dawson Creek, Creston, and Fort Nelson. ++# https://yukon.ca/en/news/yukon-end-seasonal-time-change ++ + # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S + Rule NT_YK 1918 only - Apr 14 2:00 1:00 D + Rule NT_YK 1918 only - Oct 27 2:00 0 S +@@ -2473,11 +2503,13 @@ + Zone America/Whitehorse -9:00:12 - LMT 1900 Aug 20 + -9:00 NT_YK Y%sT 1967 May 28 0:00 + -8:00 NT_YK P%sT 1980 +- -8:00 Canada P%sT ++ -8:00 Canada P%sT 2020 Mar 8 2:00 ++ -7:00 - MST + Zone America/Dawson -9:17:40 - LMT 1900 Aug 20 + -9:00 NT_YK Y%sT 1973 Oct 28 0:00 + -8:00 NT_YK P%sT 1980 +- -8:00 Canada P%sT ++ -8:00 Canada P%sT 2020 Mar 8 2:00 ++ -7:00 - MST + + + ############################################################################### +--- contrib/tzdata/theory.html.orig ++++ contrib/tzdata/theory.html +@@ -298,6 +298,10 @@ + If a name is changed, put its old spelling in the + 'backward' file. + This means old spellings will continue to work. ++ Ordinarily a name change should occur only in the rare case when ++ a location's consensus English-language spelling changes; for example, ++ in 2008 Asia/Calcutta was renamed to Asia/Kolkata ++ due to long-time widespread use of the new city name instead of the old. + + + +@@ -1054,23 +1058,6 @@ + The functions were inspired by NetBSD. + +
  • +- A function tzsetwall has been added to arrange for the +- system's best approximation to local (wall clock) time to be delivered +- by subsequent calls to localtime. +- Source code for portable applications that "must" run on local +- time should call tzsetwall; +- if such code is moved to "old" systems that do not +- provide tzsetwall, you will not be able to generate an +- executable program. +- (These functions also arrange for local time to +- be used if tzset is called – directly or +- indirectly – and there is no TZ environment +- variable; portable applications should not, however, rely on this +- behavior since it is not the way SVR2 +- systems behave.) +-
  • +-
  • + Negative time_t values are supported, on systems + where time_t is signed. +
  • +@@ -1137,7 +1124,7 @@ + may now examine localtime(&clock)->tm_zone + (if TM_ZONE is defined) or + tzname[localtime(&clock)->tm_isdst] +- (if HAVE_TZNAME is defined) to learn the correct time ++ (if HAVE_TZNAME is nonzero) to learn the correct time + zone abbreviation to use. + +
  • +--- contrib/tzdata/version.orig ++++ contrib/tzdata/version +@@ -1 +1 @@ +-2019c ++2020a +--- contrib/tzdata/zone.tab.orig ++++ contrib/tzdata/zone.tab +@@ -131,8 +131,8 @@ + CA +5946-12014 America/Dawson_Creek MST - BC (Dawson Cr, Ft St John) + CA +5848-12242 America/Fort_Nelson MST - BC (Ft Nelson) + CA +4916-12307 America/Vancouver Pacific - BC (most areas) +-CA +6043-13503 America/Whitehorse Pacific - Yukon (south) +-CA +6404-13925 America/Dawson Pacific - Yukon (north) ++CA +6043-13503 America/Whitehorse Pacific - Yukon (east) ++CA +6404-13925 America/Dawson Pacific - Yukon (west) + CC -1210+09655 Indian/Cocos + CD -0418+01518 Africa/Kinshasa Dem. Rep. of Congo (west) + CD -1140+02728 Africa/Lubumbashi Dem. Rep. of Congo (east) +@@ -189,7 +189,7 @@ + GG +492717-0023210 Europe/Guernsey + GH +0533-00013 Africa/Accra + GI +3608-00521 Europe/Gibraltar +-GL +6411-05144 America/Godthab Greenland (most areas) ++GL +6411-05144 America/Nuuk Greenland (most areas) + GL +7646-01840 America/Danmarkshavn National Park (east coast) + GL +7029-02158 America/Scoresbysund Scoresbysund/Ittoqqortoormiit + GL +7634-06847 America/Thule Thule/Pituffik +@@ -335,7 +335,7 @@ + # The obsolescent zone.tab format cannot represent Europe/Simferopol well. + # Put it in RU section and list as UA. See "territorial claims" above. + # Programs should use zone1970.tab instead; see above. 
+-UA +4457+03406 Europe/Simferopol MSK+00 - Crimea ++UA +4457+03406 Europe/Simferopol Crimea + RU +5836+04939 Europe/Kirov MSK+00 - Kirov + RU +4621+04803 Europe/Astrakhan MSK+01 - Astrakhan + RU +4844+04425 Europe/Volgograd MSK+01 - Volgograd +@@ -399,8 +399,8 @@ + TW +2503+12130 Asia/Taipei + TZ -0648+03917 Africa/Dar_es_Salaam + UA +5026+03031 Europe/Kiev Ukraine (most areas) +-UA +4837+02218 Europe/Uzhgorod Ruthenia +-UA +4750+03510 Europe/Zaporozhye Zaporozh'ye/Zaporizhia; Lugansk/Luhansk (east) ++UA +4837+02218 Europe/Uzhgorod Transcarpathia ++UA +4750+03510 Europe/Zaporozhye Zaporozhye and east Lugansk + UG +0019+03225 Africa/Kampala + UM +2813-17722 Pacific/Midway Midway Islands + UM +1917+16637 Pacific/Wake Wake Island +--- contrib/tzdata/zone1970.tab.orig ++++ contrib/tzdata/zone1970.tab +@@ -129,8 +129,8 @@ + CA +5946-12014 America/Dawson_Creek MST - BC (Dawson Cr, Ft St John) + CA +5848-12242 America/Fort_Nelson MST - BC (Ft Nelson) + CA +4916-12307 America/Vancouver Pacific - BC (most areas) +-CA +6043-13503 America/Whitehorse Pacific - Yukon (south) +-CA +6404-13925 America/Dawson Pacific - Yukon (north) ++CA +6043-13503 America/Whitehorse Pacific - Yukon (east) ++CA +6404-13925 America/Dawson Pacific - Yukon (west) + CC -1210+09655 Indian/Cocos + CH,DE,LI +4723+00832 Europe/Zurich Swiss time + CI,BF,GM,GN,ML,MR,SH,SL,SN,TG +0519-00402 Africa/Abidjan +@@ -174,7 +174,7 @@ + GF +0456-05220 America/Cayenne + GH +0533-00013 Africa/Accra + GI +3608-00521 Europe/Gibraltar +-GL +6411-05144 America/Godthab Greenland (most areas) ++GL +6411-05144 America/Nuuk Greenland (most areas) + GL +7646-01840 America/Danmarkshavn National Park (east coast) + GL +7029-02158 America/Scoresbysund Scoresbysund/Ittoqqortoormiit + GL +7634-06847 America/Thule Thule/Pituffik +@@ -291,7 +291,7 @@ + RU +5443+02030 Europe/Kaliningrad MSK-01 - Kaliningrad + RU +554521+0373704 Europe/Moscow MSK+00 - Moscow area + # Mention RU and UA alphabetically. See "territorial claims" above. 
+-RU,UA +4457+03406 Europe/Simferopol MSK+00 - Crimea ++RU,UA +4457+03406 Europe/Simferopol Crimea + RU +5836+04939 Europe/Kirov MSK+00 - Kirov + RU +4621+04803 Europe/Astrakhan MSK+01 - Astrakhan + RU +4844+04425 Europe/Volgograd MSK+01 - Volgograd +@@ -342,8 +342,8 @@ + TV -0831+17913 Pacific/Funafuti + TW +2503+12130 Asia/Taipei + UA +5026+03031 Europe/Kiev Ukraine (most areas) +-UA +4837+02218 Europe/Uzhgorod Ruthenia +-UA +4750+03510 Europe/Zaporozhye Zaporozh'ye/Zaporizhia; Lugansk/Luhansk (east) ++UA +4837+02218 Europe/Uzhgorod Transcarpathia ++UA +4750+03510 Europe/Zaporozhye Zaporozhye and east Lugansk + UM +1917+16637 Pacific/Wake Wake Island + US +404251-0740023 America/New_York Eastern (most areas) + US +421953-0830245 America/Detroit Eastern - MI (most areas) diff --git a/share/security/patches/EN-20:08/tzdata-2020a.patch.asc b/share/security/patches/EN-20:08/tzdata-2020a.patch.asc new file mode 100644 index 0000000000..4a185f385e --- /dev/null +++ b/share/security/patches/EN-20:08/tzdata-2020a.patch.asc 
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl664A5fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cKODw//cJQJmbbx8gQCJ1d1PkK6RE6kOjTdk7QVEJarhhfar3FF9qm/ZmGpkD0P +7o4EST7BraN2sTXxEmwh7Fd+ai+3z3SnxXE2DdnvC/Tw4bGxx42nn9iquCuedZrm +C7A8s9I+H1IguIMnB5kvsvaANVUC0Aa/8KTgMu5uCzPmFvaOnrnZTiYewJzy9Syr +LXcUYzykxp3c8ypWiL8CXtyFhoh+J6zXMIphKBl6kF+w+f0dROUEdFpR8iQdg24I +ZbV0IqHKjExnpOeANgpKFPXMVL5D7lw9r++aFCpEypjHI7x+bvhMmTpsWc5AvOdg +Gqm6sik8JszEC5H+mMmUMTPadlEUzsaIgz9JaqB4xPmkIRbJ3jes+bytmCgbnJ3a +WMeGCyQscb1FVOQ7hLL7RzTj5CfwoF1muCu/sQhN7MkYkAEwghKezCaXY0z8THwU +geyno2Fc13Htg/L+Msb5zZIANASNjocNx9+oOtnIkTNeYed3kSjyLiLPwm+/E4t4 +kB/5BbXigAiS8n2pFPEnqqlzXP43yxRp+AI6gjDbL1nVoF+7nLUGO1rdPfaVvmXC +HzoBoFkDcuMWz69ctMFZOo3Y7Qty+i5vVgkf0EHj3CpgZPQvgcfy1m0jSgZw2+ti +R2UTj+ps9PfAW0tqNHaOGAMdRhfZYGhRWSRyI3f66OO/r4tlkao= +=083Y +-----END PGP SIGNATURE----- diff --git a/share/security/patches/EN-20:09/igb.patch b/share/security/patches/EN-20:09/igb.patch new file mode 100644 index 0000000000..b73d3091c7 --- /dev/null +++ b/share/security/patches/EN-20:09/igb.patch 
@@ -0,0 +1,84 @@
+--- sys/dev/e1000/if_em.c.orig
++++ sys/dev/e1000/if_em.c
+@@ -1395,10 +1395,8 @@
+ IFDI_INTR_DISABLE(ctx);
+
+ /* Link status change */
+- if (reg_icr & (E1000_ICR_RXSEQ | E1000_ICR_LSC)) {
+- adapter->hw.mac.get_link_status = 1;
+- iflib_admin_intr_deferred(ctx);
+- }
++ if (reg_icr & (E1000_ICR_RXSEQ | E1000_ICR_LSC))
++ em_handle_link(ctx);
+
+ if (reg_icr & E1000_ICR_RXO)
+ adapter->rx_overruns++;
+@@ -1481,22 +1479,24 @@
+
+ if (reg_icr & (E1000_ICR_RXSEQ | E1000_ICR_LSC)) {
+ em_handle_link(adapter->ctx);
+- } else {
+- E1000_WRITE_REG(&adapter->hw, E1000_IMS,
+- EM_MSIX_LINK | E1000_IMS_LSC);
+- if (adapter->hw.mac.type >= igb_mac_min)
+- E1000_WRITE_REG(&adapter->hw, E1000_EIMS, adapter->link_mask);
++ } else if (adapter->hw.mac.type == e1000_82574) {
++ /* Only re-arm 82574 if em_if_update_admin_status() won't. */
++ E1000_WRITE_REG(&adapter->hw, E1000_IMS, EM_MSIX_LINK |
++ E1000_IMS_LSC);
+ }
+
+- /*
+- * Because we must read the ICR for this interrupt
+- * it may clear other causes using autoclear, for
+- * this reason we simply create a soft interrupt
+- * for all these vectors.
+- */
+- if (reg_icr && adapter->hw.mac.type < igb_mac_min) {
+- E1000_WRITE_REG(&adapter->hw,
+- E1000_ICS, adapter->ims);
++ if (adapter->hw.mac.type == e1000_82574) {
++ /*
++ * Because we must read the ICR for this interrupt it may
++ * clear other causes using autoclear, for this reason we
++ * simply create a soft interrupt for all these vectors.
++ */
++ if (reg_icr)
++ E1000_WRITE_REG(&adapter->hw, E1000_ICS, adapter->ims);
++ } else {
++ /* Re-arm unconditionally */
++ E1000_WRITE_REG(&adapter->hw, E1000_IMS, E1000_IMS_LSC);
++ E1000_WRITE_REG(&adapter->hw, E1000_EIMS, adapter->link_mask);
+ }
+
+ return (FILTER_HANDLED);
+@@ -1512,7 +1512,6 @@
+ iflib_admin_intr_deferred(ctx);
+ }
+
+-
+ /*********************************************************************
+ *
+ * Media Ioctl callback
+@@ -1829,14 +1828,15 @@
+ em_update_stats_counters(adapter);
+
+ /* Reset LAA into RAR[0] on 82571 */
+- if ((adapter->hw.mac.type == e1000_82571) &&
+- e1000_get_laa_state_82571(&adapter->hw))
+- e1000_rar_set(&adapter->hw, adapter->hw.mac.addr, 0);
++ if (hw->mac.type == e1000_82571 && e1000_get_laa_state_82571(hw))
++ e1000_rar_set(hw, hw->mac.addr, 0);
+
+- if (adapter->hw.mac.type < em_mac_min)
++ if (hw->mac.type < em_mac_min)
+ lem_smartspeed(adapter);
+-
+- E1000_WRITE_REG(&adapter->hw, E1000_IMS, EM_MSIX_LINK | E1000_IMS_LSC);
++ else if (hw->mac.type == e1000_82574 &&
++ adapter->intr_type == IFLIB_INTR_MSIX)
++ E1000_WRITE_REG(&adapter->hw, E1000_IMS, EM_MSIX_LINK |
++ E1000_IMS_LSC);
+ }
+
+ static void
diff --git a/share/security/patches/EN-20:09/igb.patch.asc b/share/security/patches/EN-20:09/igb.patch.asc
new file mode 100644
index 0000000000..70017cd21f
--- /dev/null
+++ b/share/security/patches/EN-20:09/igb.patch.asc
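Review bot: In the last if_em.c hunk (`@@ -1829`), the link-interrupt re-arm becomes an `else if` attached to the `hw->mac.type < em_mac_min` smartspeed test and now runs only for 82574 with MSI-X, but nothing at that spot says where every other MAC type and interrupt mode gets IMS re-enabled. A missed re-arm means later link-state changes go unreported, so I would add a comment there such as `/* 82574 MSI-X only; other MACs are re-armed in the link interrupt handler */`, once that is confirmed against the handler touched in the `@@ -1481` hunk and the legacy/MSI path, neither of which is fully visible here. The added write also still passes `&adapter->hw` while the neighbouring lines were converted to the local `hw`; `E1000_WRITE_REG(hw, E1000_IMS, EM_MSIX_LINK | E1000_IMS_LSC);` would match them. The enclosing functions start and end outside these hunks, so the declaration of `hw` is assumed.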
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl664A5fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cKm0w//cglvZ8m6vivLMk2uiLy+itM6yKXO2NSHtRY4aRguAv3HaQoEs6+BupfI +tYZdqrfdi1BIOD6+ANWwwghhx/8T6Hw7VYOr7C9X5Di3YuErpgz87V6uF6+hRqcI +A7mQ0CRXS+7s98w9IIOIirdAXkP9S7ASDAgP6kzN1ym6zCkeGaMctgaEDbTdICUq +nSKNpgA0XVG86HetEu7OZm2laxgdItPFRKQvoNp0VpQ5rya4XYagw6PhAjY0rH3g +Wc6JdIwhRrSs4XkfmsNXVNTy87vI+gTVSYNZD3K+uvGIO/RBvwPo5QtbR/EoGZHY +D3hK/4xQWd7Pd2nPUkZhRZ3hqc4vEdNlqKcNBhh8LSGB/qFuDsaqJd8UF83Sfpsy +UuJiauksB0U29QHhWYef3tMGjaiQjJ/Alt9KN/+aX+h30uFUTHZMnK1d3VLEXKdh +rV60ezQGuUjGlayICVl0fYCEhvMfQAdYvM+VorZCReznpzcv0nZBBjj/cBVl+pzu +VlzU3J9kRSPShIWfHPxBzdaTaIWvD3WFIUUkYRzOLrLoDKI5IbDODh09ySrvsFEs +z3Q1TKtYHySqlNP+MhegFn5LkqqGElJQxmVLdMG1f5ELs6Zg8HnYWhDfHVWXnRe9 +52/PolRWMxy0D5S/5JNO4lIp+hcV1G0Pwnney/sTtyK/o77HH34= +=L1Qp +-----END PGP SIGNATURE----- diff --git a/share/security/patches/EN-20:10/build.11.patch b/share/security/patches/EN-20:10/build.11.patch new file mode 100644 index 0000000000..f752de71e1 --- /dev/null +++ b/share/security/patches/EN-20:10/build.11.patch 
@@ -0,0 +1,31 @@
+--- share/mk/bsd.compiler.mk.orig
++++ share/mk/bsd.compiler.mk
+@@ -156,7 +156,7 @@
+ . endif
+ .endif
+ .if !defined(${X_}COMPILER_VERSION)
+-${X_}COMPILER_VERSION!=echo "${_v:M[1-9].[0-9]*}" | awk -F. '{print $$1 * 10000 + $$2 * 100 + $$3;}'
++${X_}COMPILER_VERSION!=echo "${_v:M[1-9]*.[0-9]*}" | awk -F. '{print $$1 * 10000 + $$2 * 100 + $$3;}'
+ .endif
+ .undef _v
+ .endif
+--- share/mk/bsd.linker.mk.orig
++++ share/mk/bsd.linker.mk
+@@ -55,7 +55,7 @@
+ .endif
+ .if ${_ld_version:[1..2]} == "GNU ld"
+ ${X_}LINKER_TYPE= bfd
+-_v= ${_ld_version:M[1-9].[0-9]*:[1]}
++_v= ${_ld_version:M[1-9]*.[0-9]*:[1]}
+ .elif ${_ld_version:[1]} == "LLD"
+ ${X_}LINKER_TYPE= lld
+ _v= ${_ld_version:[2]}
+@@ -64,7 +64,7 @@
+ ${X_}LINKER_TYPE= bfd
+ _v= 2.17.50
+ .endif
+-${X_}LINKER_VERSION!= echo "${_v:M[1-9].[0-9]*}" | \
++${X_}LINKER_VERSION!= echo "${_v:M[1-9]*.[0-9]*}" | \
+ awk -F. '{print $$1 * 10000 + $$2 * 100 + $$3;}'
+ .undef _ld_version
+ .undef _v
diff --git a/share/security/patches/EN-20:10/build.11.patch.asc b/share/security/patches/EN-20:10/build.11.patch.asc
new file mode 100644
index 0000000000..60aa4ac085
--- /dev/null
+++ b/share/security/patches/EN-20:10/build.11.patch.asc
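Review bot: The widened match `:M[1-9]*.[0-9]*` is a glob, not a repetition, so it accepts any word that starts with a non-zero digit and later has a dot followed by a digit, and the `COMPILER_VERSION` line in bsd.compiler.mk (unlike the `_v=` line in bsd.linker.mk) has no `:[1]` to keep only the first match. If `_v` can hold more than one such word there (its assignment is outside the hunk), all of them are expanded into the `!=` shell command and awk computes the number from whichever fields come first; `echo "${_v:M[1-9]*.[0-9]*:[1]}"` would pin it to one word. A short comment above each changed line, for example `# [1-9]* lets multi-digit major versions (e.g. 10.0.0) match`, would also record why the pattern changed. The same lines are changed in build.12.patch and the same remarks apply there.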
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl664A5fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cK1cg/8DXuUVvVWSFUqO+GP7+Nz/S1HTP0sFYirRzKgKtkuCdu6+3KIpTiYAUCI +igWBSfCRnLX2YS8otVWWvMqhiggmo2y5z8Wb4nuEugdpGy8wDPiJUO9QgfjbBvgb +LJFb05UxKXNJXCsMn6n+GEcA/Mt0RoMTRjKrBWkFf8ePXkWYdfKJQSX2M9n9QYQZ +nfL6SqPufPHk3wCAJLNq8i36SPI/6yrCtEHscx90lnD+a06Ou5LZ5GYcJ+0y60SR ++TTsXcESIiwkGbyhocSAs5D2+m/mOzgy5ILElNB4y6LAYslPtc2CpYO+pvc8l989 +BM6YolAX55pIw1mTn51TLiDMBIOrBnzKrqHKTHnScuG+qyen721zBvV1ocdO+Knz +elVLgWIxZ2UNbx6VcCQ7LXx2rJ/2RQuPY2yr5eFzGaxQmI39f/yWPx2/074DwMwk +RuVMnX4p8O9LIu2oSXNpYl37ebaQ9p6r/+xop/peId39rrMOqDkv1U/IFqxNOEjf +V4dgx/pYZ9riZnpguIjBRDnCzVbl7zBYl/akTxQ2Ch/gOfI8lgqlB+yEDyv5OFfN +QO5Ciy/9j2yLn/HB885haDdPqrmaeOXzyNoeD65qDFTYm7Pil2TGKeQ+yNviSo68 +Bor061/uEF9ADmL6FRRkIBxdfX9VfCuUG2KslPL25YH/VjnSe2k= +=m6X7 +-----END PGP SIGNATURE----- diff --git a/share/security/patches/EN-20:10/build.12.patch b/share/security/patches/EN-20:10/build.12.patch new file mode 100644 index 0000000000..5d278d242c --- /dev/null +++ b/share/security/patches/EN-20:10/build.12.patch 
@@ -0,0 +1,31 @@ +--- share/mk/bsd.compiler.mk.orig ++++ share/mk/bsd.compiler.mk +@@ -168,7 +168,7 @@ + . endif + .endif + .if !defined(${X_}COMPILER_VERSION) +-${X_}COMPILER_VERSION!=echo "${_v:M[1-9].[0-9]*}" | awk -F. '{print $$1 * 10000 + $$2 * 100 + $$3;}' ++${X_}COMPILER_VERSION!=echo "${_v:M[1-9]*.[0-9]*}" | awk -F. '{print $$1 * 10000 + $$2 * 100 + $$3;}' + .endif + .undef _v + .endif +--- share/mk/bsd.linker.mk.orig ++++ share/mk/bsd.linker.mk +@@ -59,7 +59,7 @@ + .if ${_ld_version:[1..2]} == "GNU ld" + ${X_}LINKER_TYPE= bfd + ${X_}LINKER_FREEBSD_VERSION= 0 +-_v= ${_ld_version:M[1-9].[0-9]*:[1]} ++_v= ${_ld_version:M[1-9]*.[0-9]*:[1]} + .elif ${_ld_version:[1]} == "LLD" + ${X_}LINKER_TYPE= lld + _v= ${_ld_version:[2]} +@@ -71,7 +71,7 @@ + ${X_}LINKER_TYPE= bfd + _v= 2.17.50 + .endif +-${X_}LINKER_VERSION!= echo "${_v:M[1-9].[0-9]*}" | \ ++${X_}LINKER_VERSION!= echo "${_v:M[1-9]*.[0-9]*}" | \ + awk -F. '{print $$1 * 10000 + $$2 * 100 + $$3;}' + .undef _ld_version + .undef _v diff --git a/share/security/patches/EN-20:10/build.12.patch.asc b/share/security/patches/EN-20:10/build.12.patch.asc new file mode 100644 index 0000000000..d6b82270e1 --- /dev/null +++ b/share/security/patches/EN-20:10/build.12.patch.asc 
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl664A5fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cKV8w/+IAon7mFVyRP8oTn+3/tw9yfAzJEuOHYr4Tdbrrx0jtR/Om7BdQ8Q/cd9 +L8e6XcEKdlY9ZN/6duawFRQkFeGZDrgqoxrPm3/KkV4ri2oDpVwQj0GAgAJlFxRz +o9jT9KbhMhPkzBVl1GB7+dfdf34AwrhOYIPmnQyxrSCFiyrPq1MMPVEzNcyR41uk +XvqRfX++MBYPUyL6BhjqjcuGBZlfuPyaiXRMGsjHsHJVVVzfOvT0C3D4Yrpqc/++ +rVwWd4Wc9kMF5SMS4njW1H716Vm/aTjOaENbAA6341Itb1Qmq/IHyaghNSlJvOMG +9suDjBSXkvwVzegtc/tUEDquRLWz72wqH+Cs6zFX+5oQX8DLeN31eibRlF87J8pK +XehhFQaVzlxQoHwS2+QCluSesYRJXjjHupZOdXpZBH/yN14c9T0ArLghf32WONhW +c4SuA+AVZqTbGx+yj1anJ501ppjED4NRPwdjJ7ASsQvgG7CRGeP1TbkTI+HI9cQW +p3TjLjGstHKHtWz9/JSq48swDir6HiyJztUpheS8EaQ5Gydi6JBS21XOhVM9yMMb +mfpXIRFo+XqlvIkzkzhOZ2cIzJ8PfNuOio+PwEZTGS692cIT/Vm6sTXfF1jKFN1o +QlDyj+uv5GRAqo5ioXNdMWQKgImbglxo2JCgqi9yUjBdtdNRDfc= +=0/gQ +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-20:12/libalias.patch b/share/security/patches/SA-20:12/libalias.patch new file mode 100644 index 0000000000..1d7314190b --- /dev/null +++ b/share/security/patches/SA-20:12/libalias.patch 
@@ -0,0 +1,102 @@ +--- sys/netinet/libalias/alias.c.orig ++++ sys/netinet/libalias/alias.c +@@ -442,10 +442,15 @@ + static int + IcmpAliasIn(struct libalias *la, struct ip *pip) + { +- int iresult; + struct icmp *ic; ++ int dlen, iresult; + + LIBALIAS_LOCK_ASSERT(la); ++ ++ dlen = ntohs(pip->ip_len) - (pip->ip_hl << 2); ++ if (dlen < ICMP_MINLEN) ++ return (PKT_ALIAS_IGNORED); ++ + /* Return if proxy-only mode is enabled */ + if (la->packetAliasMode & PKT_ALIAS_PROXY_ONLY) + return (PKT_ALIAS_OK); +@@ -464,6 +469,9 @@ + case ICMP_SOURCEQUENCH: + case ICMP_TIMXCEED: + case ICMP_PARAMPROB: ++ if (dlen < ICMP_ADVLENMIN || ++ dlen < ICMP_ADVLEN(ic)) ++ return (PKT_ALIAS_IGNORED); + iresult = IcmpAliasIn2(la, pip); + break; + case ICMP_ECHO: +@@ -732,10 +740,17 @@ + { + struct udphdr *ud; + struct alias_link *lnk; ++ int dlen; + + LIBALIAS_LOCK_ASSERT(la); + ++ dlen = ntohs(pip->ip_len) - (pip->ip_hl << 2); ++ if (dlen < sizeof(struct udphdr)) ++ return (PKT_ALIAS_IGNORED); ++ + ud = (struct udphdr *)ip_next(pip); ++ if (dlen < ntohs(ud->uh_ulen)) ++ return (PKT_ALIAS_IGNORED); + + lnk = FindUdpTcpIn(la, pip->ip_src, pip->ip_dst, + ud->uh_sport, ud->uh_dport, +@@ -824,12 +839,19 @@ + u_short dest_port; + u_short proxy_server_port; + int proxy_type; +- int error; ++ int dlen, error; + + LIBALIAS_LOCK_ASSERT(la); + + /* Return if proxy-only mode is enabled and not proxyrule found.*/ ++ dlen = ntohs(pip->ip_len) - (pip->ip_hl << 2); ++ if (dlen < sizeof(struct udphdr)) ++ return (PKT_ALIAS_IGNORED); ++ + ud = (struct udphdr *)ip_next(pip); ++ if (dlen < ntohs(ud->uh_ulen)) ++ return (PKT_ALIAS_IGNORED); ++ + proxy_type = ProxyCheck(la, &proxy_server_address, + &proxy_server_port, pip->ip_src, pip->ip_dst, + ud->uh_dport, pip->ip_p); +@@ -922,8 +944,13 @@ + { + struct tcphdr *tc; + struct alias_link *lnk; ++ int dlen; + + LIBALIAS_LOCK_ASSERT(la); ++ ++ dlen = ntohs(pip->ip_len) - (pip->ip_hl << 2); ++ if (dlen < sizeof(struct tcphdr)) ++ return (PKT_ALIAS_IGNORED); + tc = 
(struct tcphdr *)ip_next(pip); + + lnk = FindUdpTcpIn(la, pip->ip_src, pip->ip_dst, +@@ -1042,7 +1069,7 @@ + static int + TcpAliasOut(struct libalias *la, struct ip *pip, int maxpacketsize, int create) + { +- int proxy_type, error; ++ int dlen, proxy_type, error; + u_short dest_port; + u_short proxy_server_port; + struct in_addr dest_address; +@@ -1051,6 +1078,10 @@ + struct alias_link *lnk; + + LIBALIAS_LOCK_ASSERT(la); ++ ++ dlen = ntohs(pip->ip_len) - (pip->ip_hl << 2); ++ if (dlen < sizeof(struct tcphdr)) ++ return (PKT_ALIAS_IGNORED); + tc = (struct tcphdr *)ip_next(pip); + + if (create) diff --git a/share/security/patches/SA-20:12/libalias.patch.asc b/share/security/patches/SA-20:12/libalias.patch.asc new file mode 100644 index 0000000000..ea6ef4a59f --- /dev/null +++ b/share/security/patches/SA-20:12/libalias.patch.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl664A5fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJE6xAAgd59+RRjasSyo+Idi+R+LUEFLy+LYmQGYHyWCMdqUv/7m7hOMOT9oDBu +QGSNpYUDaNJuEB84iiiZiAR5KLwjj25voqRxqTmLhxNbyeXgtSUxcceygHuTm17j ++4CIyjP15/aBpVIWjx8jdGwtej0RcFYvkO9RP3hQrjlm0XbPWufRXe0hLXCYC46o +uBqQeEPQzScGMrdbc8dlkZBkT8rblUlyaqBAEqmr4ZQVhKffAmor7PCQL2819p/f +J+x6Jww3FuF8i5IGLs1/IIC8YSwjhN/H8DX4ITpDuNxsQpBSYpcX975sNgeqCZHX +kwY1jrkBEP4VEQp5u8LD3JIfQPwjuOzBnWa4Y6pQkT1wvsoCQL7hBcRswa8fiGJ+ +BrAsgJgLV/DriyCxs5eMbY0qQ26wFjbbzoi3aBTjc4UulySV3F760YPXgnDxgzqJ +O67lPSKwYSi1syMcdOIJM9UiH2VsQ6RbHvQ4HH+KnNF+obyNU3uiG9M25YMTe3Bw +1uniEMyd4R5zNoppzf3X1PDZHVqZRKTUuaBTzMbSzBi03sAW73ZcvOd1rf1XgFjO +WdwCgJLwjLVwcobcs2PVZ8ngYlTnIcPBi7MiuXgZJ6NkMdMXlzLGWGc5q7Xq8jvB +HH+RNXYcOGeCX/u/cGNYlWGgIsK6sl1VZN3oCiSlISYam2BCcI0= +=1oQk +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-20:13/libalias.patch b/share/security/patches/SA-20:13/libalias.patch new file mode 100644 index 0000000000..38bed35130 
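Review bot: In the two TCP hunks (`@@ -922,8` and `@@ -1051,6`, the latter in TcpAliasOut) the new guard `if (dlen < sizeof(struct tcphdr))` compares a signed `int dlen` with a `size_t`, so a negative `dlen` is converted to a large unsigned value and is not rejected. `dlen` goes negative whenever `ip_len` is smaller than `ip_hl << 2`; whether the callers already rule that out is not visible in these hunks. The UDP hunks appear to be covered by the following signed comparison with `ntohs(ud->uh_ulen)`, and the ICMP hunk compares against ICMP_MINLEN, presumably an integer constant, but the TCP hunks have no second check. Casting the size keeps the comparison signed: `if (dlen < (int)sizeof(struct tcphdr))`. All of the patched functions start and end outside the hunks shown.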
--- /dev/null +++ b/share/security/patches/SA-20:13/libalias.patch @@ -0,0 +1,12 @@ +--- sys/netinet/libalias/alias_ftp.c.orig ++++ sys/netinet/libalias/alias_ftp.c +@@ -754,7 +754,8 @@ + { + u_short new_len; + +- new_len = htons(hlen + slen); ++ new_len = htons(hlen + ++ MIN(slen, maxpacketsize - hlen)); + DifferentialChecksum(&pip->ip_sum, + &new_len, + &pip->ip_len, diff --git a/share/security/patches/SA-20:13/libalias.patch.asc b/share/security/patches/SA-20:13/libalias.patch.asc new file mode 100644 index 0000000000..d7eb97f52b --- /dev/null +++ b/share/security/patches/SA-20:13/libalias.patch.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl664A9fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cL3YRAAhnKuI7oF3fed+H1H4eI4e8uqyeeajkOJZDEquxlYEP6+HxHlgynDWKfG +9CaM5lwnceYuLjqzEecfQNbkap4sRNSP4QjkJJJ67mK8v01++azjuOJJOu3x3uFK +ldU/1s9vNWZvnhW88yIJIoR3OopdLfxiM4Mbj/alDOnpFXvym7z6FcKyy7FmuP+M +AqEzHwhni4LG4sD8UrLCidOP4TTw24nokSycu7XzTaP7S/Ilyvtj4ccyI4IvNg2J +N5AwawDEvgMU/xxJzp22TYFK496QKVFmFOO9R3Xm1gYoN+J+Ecxp5sm4aafHykFx +zM18Uik7nENDWspIzTLpZIabwW8Zc3hBxn+diBtdPG2htD7m6KFIeJRSF7WqiFkR +u6odCKqXOPqtoD/sKRrIGYvAhZ2fJdtvyuKdMw0kRir7cjZYPeowad8jI6hsYF1A +pi4IR9FoDXlicoQqRO8PGhg9ULs6aVXTl22N9J4nFdPeEnrup7GEIpVy34ii3E76 +SHYNbJCU36aNLelwNoUSviPUeR1yaxy4IGqXa6ELuh04RzVz38rRsUQE1cMCNBOx +vnee30NXLaTA3H4V3xOmo+iFodG+UGysSKABdCHz5vSfSMalt86u5c6G0DAlMBj/ +ptpBvlIlcS2kSUfq1eFpWBf7OtViF+mtncBdNYD5YcEoMOfYSjM= +=yrxB +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-20:14/sctp.patch b/share/security/patches/SA-20:14/sctp.patch new file mode 100644 index 0000000000..43532878ed --- /dev/null +++ b/share/security/patches/SA-20:14/sctp.patch 
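Review bot: The clamp `MIN(slen, maxpacketsize - hlen)` assumes `maxpacketsize - hlen` is non-negative; if `hlen` could exceed `maxpacketsize`, the value passed to `htons()` would be smaller than the header length, and the types of the three operands are not visible in this hunk. A short comment stating the invariant would make the line checkable, for example `/* ip_len must not claim more than the buffer holds; hlen <= maxpacketsize is guaranteed by the caller */`, provided that guarantee really exists. It is also worth confirming that the code copying the rewritten string into the packet, which lies outside this hunk, is bounded by the same `maxpacketsize - hlen`, so that `ip_len` and the bytes written agree. The enclosing function starts and ends outside the hunk.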
@@ -0,0 +1,11 @@
+--- sys/netinet/sctp_auth.c.orig
++++ sys/netinet/sctp_auth.c
+@@ -523,7 +523,7 @@
+ } else if (new_skey->keyid == skey->keyid) {
+ /* replace the existing key */
+ /* verify this key *can* be replaced */
+- if ((skey->deactivated) && (skey->refcount > 1)) {
++ if ((skey->deactivated) || (skey->refcount > 1)) {
+ SCTPDBG(SCTP_DEBUG_AUTH1,
+ "can't replace shared key id %u\n",
+ new_skey->keyid);
diff --git a/share/security/patches/SA-20:14/sctp.patch.asc b/share/security/patches/SA-20:14/sctp.patch.asc
new file mode 100644
index 0000000000..895375e218
--- /dev/null
+++ b/share/security/patches/SA-20:14/sctp.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl664A9fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cI+yw/9G0uF81zxIW5o9EmwgbvfNXWq75phJn+q8Y8qnpbJtTj9QIKkWzcCIA5C
+h9jQy/hyq5w7D6c+u0DR9qkMU2f25sooYQYDoz2KQi2rryqlJOFGhD0PVvVRWe9R
+jVztdazpxSJCs89wl25bXpFnSihFYkpg2iZpKEsStZQPkXTZcf5SnxczI8uPOlxf
+EslzFJNVcRp+jZQSX4bQ3kzkVP0873npn/CBNlRLM2Xw7xi6GO4fVgkHfgh0CsRi
+cvdXxM0bYr8RkHQAA9a5bQJQGo4Co4Fo5XFX9t8SLdN6FHuijxgXa0PDSRSTS/ek
+r3thIlKGH7pa5Zc6GDOSAV7zXfShVVZEcTezhjwDC5/Ngsy/bcHPkHWofvlpnZBY
+1r1+wTIbZHqp1fygMSa7F1+l+v6DaIUB8ScgZH/ybYJiwTAayE1oBkqDJVt2SmdN
+guGKK28GHp5SdHAtiziAdAHDCtly1qyp3g04RCo1CSCe1vsF1HlPzTPInnF81pw8
+ileE4Grq4mTuvbZb6MexX9UijlY5FAvXS75APa8KTVDBRDVQEFszZuZkfYXvYBrJ
+1HwU9K3ySePu0Dto+dRmGyOk5KgN/7NTat036+dFgADC5Ykw0VvJDUkkVpGkwMb0
+k6hyRdw1nm1eaRMAVmbrxlwJ6GeH9BX50cKLObzt9JteKjBe1oE=
+=Atod
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-20:15/cryptodev.11.patch b/share/security/patches/SA-20:15/cryptodev.11.patch
new file mode 100644
index 0000000000..243dc5c1ad
--- /dev/null
+++ b/share/security/patches/SA-20:15/cryptodev.11.patch
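Review bot: The comment `/* verify this key *can* be replaced */` does not say what makes a key replaceable, and that condition is exactly what changed from `&&` to `||`. Spelling it out keeps the two tests from being merged again: `/* a key that is deactivated or, presumably, still referenced elsewhere (refcount > 1) must stay in place */`. The debug message reports only the key id; saying which of the two conditions fired would help when diagnosing a refused replacement. The enclosing function starts and ends outside the hunk.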
@@ -0,0 +1,166 @@ +--- sys/opencrypto/cryptodev.c.orig ++++ sys/opencrypto/cryptodev.c +@@ -268,6 +268,7 @@ + struct csession { + TAILQ_ENTRY(csession) next; + u_int64_t sid; ++ volatile u_int refs; + u_int32_t ses; + struct mtx lock; /* for op submission */ + +@@ -294,6 +295,7 @@ + struct fcrypt { + TAILQ_HEAD(csessionlist, csession) csessions; + int sesn; ++ struct mtx lock; + }; + + static int cryptof_ioctl(struct file *, u_long, void *, +@@ -320,8 +322,7 @@ + }; + + static struct csession *csefind(struct fcrypt *, u_int); +-static int csedelete(struct fcrypt *, struct csession *); +-static struct csession *cseadd(struct fcrypt *, struct csession *); ++static int csedelete(struct fcrypt *, u_int); + static struct csession *csecreate(struct fcrypt *, u_int64_t, caddr_t, + u_int64_t, caddr_t, u_int64_t, u_int32_t, u_int32_t, struct enc_xform *, + struct auth_hash *); +@@ -612,13 +613,9 @@ + break; + case CIOCFSESSION: + ses = *(u_int32_t *)data; +- cse = csefind(fcr, ses); +- if (cse == NULL) { ++ error = csedelete(fcr, ses); ++ if (error != 0) + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); +- return (EINVAL); +- } +- csedelete(fcr, cse); +- error = csefree(cse); + break; + case CIOCCRYPT: + #ifdef COMPAT_FREEBSD32 +@@ -635,6 +632,7 @@ + return (EINVAL); + } + error = cryptodev_op(cse, cop, active_cred, td); ++ (void)csefree(cse); + #ifdef COMPAT_FREEBSD32 + if (error == 0 && cmd == CIOCCRYPT32) + crypt_op_to_32(cop, data); +@@ -701,6 +699,7 @@ + return (EINVAL); + } + error = cryptodev_aead(cse, caead, active_cred, td); ++ (void)csefree(cse); + break; + default: + error = EINVAL; +@@ -1275,6 +1274,9 @@ + + while ((cse = TAILQ_FIRST(&fcr->csessions))) { + TAILQ_REMOVE(&fcr->csessions, cse, next); ++ KASSERT(cse->refs == 1, ++ ("%s: crypto session %p with %d refs", __func__, cse, ++ cse->refs)); + (void)csefree(cse); + } + free(fcr, M_XDATA); +@@ -1295,34 +1297,35 @@ + { + struct csession *cse; + +- TAILQ_FOREACH(cse, &fcr->csessions, next) +- if (cse->ses 
== ses) ++ mtx_lock(&fcr->lock); ++ TAILQ_FOREACH(cse, &fcr->csessions, next) { ++ if (cse->ses == ses) { ++ refcount_acquire(&cse->refs); ++ mtx_unlock(&fcr->lock); + return (cse); ++ } ++ } ++ mtx_unlock(&fcr->lock); + return (NULL); + } + + static int +-csedelete(struct fcrypt *fcr, struct csession *cse_del) ++csedelete(struct fcrypt *fcr, u_int ses) + { + struct csession *cse; + ++ mtx_lock(&fcr->lock); + TAILQ_FOREACH(cse, &fcr->csessions, next) { +- if (cse == cse_del) { ++ if (cse->ses == ses) { + TAILQ_REMOVE(&fcr->csessions, cse, next); +- return (1); ++ mtx_unlock(&fcr->lock); ++ return (csefree(cse)); + } + } +- return (0); ++ mtx_unlock(&fcr->lock); ++ return (EINVAL); + } + +-static struct csession * +-cseadd(struct fcrypt *fcr, struct csession *cse) +-{ +- TAILQ_INSERT_TAIL(&fcr->csessions, cse, next); +- cse->ses = fcr->sesn++; +- return (cse); +-} +- + struct csession * + csecreate(struct fcrypt *fcr, u_int64_t sid, caddr_t key, u_int64_t keylen, + caddr_t mackey, u_int64_t mackeylen, u_int32_t cipher, u_int32_t mac, +@@ -1334,6 +1337,7 @@ + if (cse == NULL) + return NULL; + mtx_init(&cse->lock, "cryptodev", "crypto session lock", MTX_DEF); ++ refcount_init(&cse->refs, 1); + cse->key = key; + cse->keylen = keylen/8; + cse->mackey = mackey; +@@ -1343,7 +1347,10 @@ + cse->mac = mac; + cse->txform = txform; + cse->thash = thash; +- cseadd(fcr, cse); ++ mtx_lock(&fcr->lock); ++ TAILQ_INSERT_TAIL(&fcr->csessions, cse, next); ++ cse->ses = fcr->sesn++; ++ mtx_unlock(&fcr->lock); + return (cse); + } + +@@ -1352,6 +1359,8 @@ + { + int error; + ++ if (!refcount_release(&cse->refs)) ++ return (0); + error = crypto_freesession(cse->sid); + mtx_destroy(&cse->lock); + if (cse->key) +@@ -1389,13 +1398,14 @@ + + switch (cmd) { + case CRIOGET: +- fcr = malloc(sizeof(struct fcrypt), M_XDATA, M_WAITOK); ++ fcr = malloc(sizeof(struct fcrypt), M_XDATA, M_WAITOK | M_ZERO); + TAILQ_INIT(&fcr->csessions); +- fcr->sesn = 0; ++ mtx_init(&fcr->lock, "fcrypt", NULL, MTX_DEF); 
+ + error = falloc(td, &f, &fd, 0); + + if (error) { ++ mtx_destroy(&fcr->lock); + free(fcr, M_XDATA); + return (error); + } diff --git a/share/security/patches/SA-20:15/cryptodev.11.patch.asc b/share/security/patches/SA-20:15/cryptodev.11.patch.asc new file mode 100644 index 0000000000..ef59c06b5a --- /dev/null +++ b/share/security/patches/SA-20:15/cryptodev.11.patch.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl664A9fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJp/Q/6Aik1+ye69Sgz3v1HwCBut/CJNoQglaftRNE7kaIFw3qDWLk8qOpI3s1f +3Q6m9taVd29KhzAP4VmPf/iTUGGHHiLdA3tmgpK0WK6/HV9v/Y5GhLtObmysYldi +d9jrF0xIEqRhvX173Ly1zFonkUqZ+fWwgTkmwLTGOWh0cc7gpAR+NBmdmnand1tw +olJDc2dNCAIugEp+tbg0Imd3j1ZF35PJPnWwTNviigoCFIGknS7yo6CPL67LaIjN +1Ogz0ve4885JvdSSbJFoMKEx1ehiYxU/FBvkz6pTHSDxLAooNgXO4rWG+YUN7oJs +31/kWYvtWWSkif3uDAJmQKeXudg05ukA0bksBAk/1pdwxkD2GNeAzm3mwKkPV8LX +tAMepLKg8GEUeG+9RX/zk6913H4AJJZ4q9eyDo+Dd/KEEMlVDmvtns7cCPQvUoNA +KjEaCZvNCil21khXAoWTI0Yy5os5TG620a+22AjDIiUIHYoj57FeMU/6YQD4J/Si +7ZdlB/5o9zrcq/OF7bxf7dM+9S93Nr0gMPlzZd2DFG4h2XUnpDQES1rT5v5VD5Pf +vcQA9KRMzPI35ZUieGKAqjOJ3vcSnaKChjbyXMJoz8ztn7Xf+wSd5KkSIq7ansfW +7SVtDBN0EFdTcrnHu5G/W2L3Ipw67i6fHdv5n3mAj/dyYjIdLHQ= +=r7Z1 +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-20:15/cryptodev.12.patch b/share/security/patches/SA-20:15/cryptodev.12.patch new file mode 100644 index 0000000000..5035f1e093 --- /dev/null +++ b/share/security/patches/SA-20:15/cryptodev.12.patch 
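Review bot: csefind() now returns the session with a reference taken under `fcr->lock`, but nothing at the function states that the caller owns that reference and must drop it with csefree(). The CIOCCRYPT and AEAD paths in this patch do so right after cryptodev_op() and cryptodev_aead(); any other caller of csefind(), or an early return later added between the lookup and the csefree() call, would leak the session. A comment above csefind such as `/* Returns the session with a reference held; release it with csefree(). */`, and one above csefree noting that only the last release tears the session down, would document the contract. The KASSERT message prints the `u_int` counter with `%d`; `%u` matches the type. cryptodev.12.patch makes the same change and the same comments apply there.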
@@ -0,0 +1,167 @@ +--- sys/opencrypto/cryptodev.c.orig ++++ sys/opencrypto/cryptodev.c +@@ -266,6 +266,7 @@ + struct csession { + TAILQ_ENTRY(csession) next; + crypto_session_t cses; ++ volatile u_int refs; + u_int32_t ses; + struct mtx lock; /* for op submission */ + +@@ -292,6 +293,7 @@ + struct fcrypt { + TAILQ_HEAD(csessionlist, csession) csessions; + int sesn; ++ struct mtx lock; + }; + + static struct timeval warninterval = { .tv_sec = 60, .tv_usec = 0 }; +@@ -323,8 +325,7 @@ + }; + + static struct csession *csefind(struct fcrypt *, u_int); +-static int csedelete(struct fcrypt *, struct csession *); +-static struct csession *cseadd(struct fcrypt *, struct csession *); ++static bool csedelete(struct fcrypt *, u_int); + static struct csession *csecreate(struct fcrypt *, crypto_session_t, caddr_t, + u_int64_t, caddr_t, u_int64_t, u_int32_t, u_int32_t, struct enc_xform *, + struct auth_hash *); +@@ -685,13 +686,10 @@ + break; + case CIOCFSESSION: + ses = *(u_int32_t *)data; +- cse = csefind(fcr, ses); +- if (cse == NULL) { ++ if (!csedelete(fcr, ses)) { + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); + return (EINVAL); + } +- csedelete(fcr, cse); +- csefree(cse); + break; + case CIOCCRYPT: + #ifdef COMPAT_FREEBSD32 +@@ -708,6 +706,7 @@ + return (EINVAL); + } + error = cryptodev_op(cse, cop, active_cred, td); ++ csefree(cse); + #ifdef COMPAT_FREEBSD32 + if (error == 0 && cmd == CIOCCRYPT32) + crypt_op_to_32(cop, data); +@@ -774,6 +773,7 @@ + return (EINVAL); + } + error = cryptodev_aead(cse, caead, active_cred, td); ++ csefree(cse); + break; + default: + error = EINVAL; +@@ -1349,6 +1349,9 @@ + + while ((cse = TAILQ_FIRST(&fcr->csessions))) { + TAILQ_REMOVE(&fcr->csessions, cse, next); ++ KASSERT(cse->refs == 1, ++ ("%s: crypto session %p with %d refs", __func__, cse, ++ cse->refs)); + csefree(cse); + } + free(fcr, M_XDATA); +@@ -1369,34 +1372,36 @@ + { + struct csession *cse; + +- TAILQ_FOREACH(cse, &fcr->csessions, next) +- if (cse->ses == ses) ++ 
mtx_lock(&fcr->lock); ++ TAILQ_FOREACH(cse, &fcr->csessions, next) { ++ if (cse->ses == ses) { ++ refcount_acquire(&cse->refs); ++ mtx_unlock(&fcr->lock); + return (cse); ++ } ++ } ++ mtx_unlock(&fcr->lock); + return (NULL); + } + +-static int +-csedelete(struct fcrypt *fcr, struct csession *cse_del) ++static bool ++csedelete(struct fcrypt *fcr, u_int ses) + { + struct csession *cse; + ++ mtx_lock(&fcr->lock); + TAILQ_FOREACH(cse, &fcr->csessions, next) { +- if (cse == cse_del) { ++ if (cse->ses == ses) { + TAILQ_REMOVE(&fcr->csessions, cse, next); +- return (1); ++ mtx_unlock(&fcr->lock); ++ csefree(cse); ++ return (true); + } + } +- return (0); ++ mtx_unlock(&fcr->lock); ++ return (false); + } + +-static struct csession * +-cseadd(struct fcrypt *fcr, struct csession *cse) +-{ +- TAILQ_INSERT_TAIL(&fcr->csessions, cse, next); +- cse->ses = fcr->sesn++; +- return (cse); +-} +- + struct csession * + csecreate(struct fcrypt *fcr, crypto_session_t cses, caddr_t key, u_int64_t keylen, + caddr_t mackey, u_int64_t mackeylen, u_int32_t cipher, u_int32_t mac, +@@ -1408,6 +1413,7 @@ + if (cse == NULL) + return NULL; + mtx_init(&cse->lock, "cryptodev", "crypto session lock", MTX_DEF); ++ refcount_init(&cse->refs, 1); + cse->key = key; + cse->keylen = keylen/8; + cse->mackey = mackey; +@@ -1417,7 +1423,10 @@ + cse->mac = mac; + cse->txform = txform; + cse->thash = thash; +- cseadd(fcr, cse); ++ mtx_lock(&fcr->lock); ++ TAILQ_INSERT_TAIL(&fcr->csessions, cse, next); ++ cse->ses = fcr->sesn++; ++ mtx_unlock(&fcr->lock); + return (cse); + } + +@@ -1425,6 +1434,8 @@ + csefree(struct csession *cse) + { + ++ if (!refcount_release(&cse->refs)) ++ return; + crypto_freesession(cse->cses); + mtx_destroy(&cse->lock); + if (cse->key) +@@ -1461,13 +1472,14 @@ + + switch (cmd) { + case CRIOGET: +- fcr = malloc(sizeof(struct fcrypt), M_XDATA, M_WAITOK); ++ fcr = malloc(sizeof(struct fcrypt), M_XDATA, M_WAITOK | M_ZERO); + TAILQ_INIT(&fcr->csessions); +- fcr->sesn = 0; ++ 
mtx_init(&fcr->lock, "fcrypt", NULL, MTX_DEF); + + error = falloc(td, &f, &fd, 0); + + if (error) { ++ mtx_destroy(&fcr->lock); + free(fcr, M_XDATA); + return (error); + } diff --git a/share/security/patches/SA-20:15/cryptodev.12.patch.asc b/share/security/patches/SA-20:15/cryptodev.12.patch.asc new file mode 100644 index 0000000000..0a6f3941fc --- /dev/null +++ b/share/security/patches/SA-20:15/cryptodev.12.patch.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl664A9fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cItUg/9GXYa9/yDoRW9fmReyZM8jEmYhG0CAzkoHR7In5uXKTkcNmJRN6EeO0n6 +P7WvAei7Xyt/Uf4gwdi8SJz3rklJmF7kRw/w3IAa1+fo3GwglO97E4VEjuttJnZh +RgLuj7RAtaItKmKYERos0W32poao93zc1+mDQdnPVXwY0Krd61WWWeCpp3Qvy7GQ +C4EqLyrPrwLXjIv99sZVSWm5zwW63ZyRYwh3IyB2TyIAcBSaU+12RMdpL3GpdsUu +7fr9RlaAvC1yzCcrqFCojP5UE2AW+GSFs1NX/fj+9yP566YuDfqZDFGYeVsFAWLu +tkzXavVwbot8zvVixnRLZoXrX5rvI1LwWx8Kk4LQx9FyJ4wX5alHe0VrnZSPAlyn +k9eck9VF+VzFcSfPtMn0QJUy+UEiI58AEUiY0c2+6cJa3/3vGUDSQA9+QnnRc+iE +a6xVBxAQpx4ZAO7ea3xZqN38FKtR8tFk1cuyl4QfgGf7YRQCmMiI+QMu40m8jGG+ +kn78tbKAzGcoayH+INlmKxpdTH2j95xYqB+TC/Eqhlj+njsDjezkpIwn775hUuH/ +BkAi4Pf6j2vdsVDm+w57hnIBQ4FtHOn1Le5e5ajTz4StGpTzohiav0bg4EQLq6kQ +sX8IfGi3MibhMkBu9wHv2MMeCrA31anhGAFDjVo/F2JkYbttJhs= +=1ToN +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-20:16/cryptodev.patch b/share/security/patches/SA-20:16/cryptodev.patch new file mode 100644 index 0000000000..d514c90979 --- /dev/null +++ b/share/security/patches/SA-20:16/cryptodev.patch 
@@ -0,0 +1,13 @@
+--- sys/opencrypto/cryptodev.c.orig
++++ sys/opencrypto/cryptodev.c
+@@ -585,8 +585,8 @@
+ if (thash) {
+ cria.cri_alg = thash->type;
+ cria.cri_klen = sop->mackeylen * 8;
+- if (thash->keysize != 0 &&
+- sop->mackeylen > thash->keysize) {
++ if (sop->mackeylen > thash->keysize ||
++ sop->mackeylen < 0) {
+ CRYPTDEB("invalid mac key length");
+ error = EINVAL;
+ SDT_PROBE1(opencrypto, dev, ioctl, error,
diff --git a/share/security/patches/SA-20:16/cryptodev.patch.asc b/share/security/patches/SA-20:16/cryptodev.patch.asc
new file mode 100644
index 0000000000..9525e1df4a
--- /dev/null
+++ b/share/security/patches/SA-20:16/cryptodev.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl664A9fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLSyg//U3VUulGkSepGhmQDqg2CHHIUorPXT2vmR46o1mGKvhaoLle7zAx3qhqc
+NU/Mf9XpGfqsLRXu71NXzCgK8doBSHb0xmAXuIUKC72kYEQ6wUtzxg1+fu9vUxQD
+P85Yfm0ZIZj0dDeD7unojl6rtVQDVLzobeJeAoQnIT0tQTNujqrVn/MFqd0jtfOs
+N1VHctqoaYRgp5noMRcG5T8ZTQCNfvz2SWLgZN7/xmQf+2+CHMr80TW5GchYacUu
+QSexwO1Jk/VyiowCkQ3ck/coFzZ60NQVMEOfFqx0qwDC1UlhiLA3YlQVFtf730pY
+sohPlPTGBHjoIRuQqEBriW3ajY6XwYRoI5Eb+TAWHPE1UYbDYYceT0rBk7nbAJdf
+AM2IBqv3wDQbC5hU1hRT1tVRmuMtayvpj0tOxUbNAF2lWjRIU6E28rz3vZPdYCLn
+qPuQPN8SJC4Eh+A2caT4N+A6Vy/TpQHsoSRZs3MXA0NbYGZvSxlk5IL+5kbEomZm
+Qbqlw4RuW5KldpSkvLCIeJ1wfHhglRhE8YQuGnVh8zWjpVH9m874X4P2HYYHGCpA
+5cI/l7iMWPL7u+covJzMEl0+RfPE+FrFbPykJ3Uxf5dLLMcTSEOSNmlq2bqoFIGI
+IrOzx4PVPYw6pHhWC7T7pFjX01Lw2OgvRW+c76VTdkesVZyDLsM=
+=tX1Z
+-----END PGP SIGNATURE-----
diff --git a/share/xml/advisories.xml b/share/xml/advisories.xml
index 6147080510..882a78d1d4 100644
--- a/share/xml/advisories.xml
+++ b/share/xml/advisories.xml
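Review bot: `cria.cri_klen = sop->mackeylen * 8;` is still computed before the new range check, so a negative or oversized `mackeylen` is multiplied first and validated afterwards. The error branch presumably bails out before the value is used, but moving the assignment below the check removes the reliance on that: validate first, then `cria.cri_klen = sop->mackeylen * 8;`. The test `sop->mackeylen < 0` only has an effect if `mackeylen` is a signed type, and `sop->mackeylen > thash->keysize` is only a signed comparison if `keysize` promotes to int; neither declaration is visible here. The `if (thash)` block continues outside the hunk.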
@@ -7,6 +7,35 @@ 2020 + + 5 + + + 12 + + + FreeBSD-SA-20:16.cryptodev + + + + FreeBSD-SA-20:15.cryptodev + + + + FreeBSD-SA-20:14.sctp + + + + FreeBSD-SA-20:13.libalias + + + + FreeBSD-SA-20:12.libalias + + + + + 4 diff --git a/share/xml/notices.xml b/share/xml/notices.xml index 8c3aa1131e..8fd565e083 100644 --- a/share/xml/notices.xml +++ b/share/xml/notices.xml @@ -7,6 +7,27 @@ 2020 + + 5 + + + 12 + + + FreeBSD-EN-20:10.build + + + + FreeBSD-EN-20:09.igb + + + + FreeBSD-EN-20:08.tzdata + + + + + 4