From 9030a72250f232686e22d8e36a51cf196221c361 Mon Sep 17 00:00:00 2001 
From: Gordon Tetlow <gordon@FreeBSD.org> Date: Thu, 28 Jan 2021 18:17:45 -0800 Subject: [PATCH] Add EN-21:01 to EN-21:05, SA-21:01, and SA-21:02. Approved by: so --- website/data/security/advisories.toml | 8 + website/data/security/errata.toml | 20 + .../advisories/FreeBSD-EN-21:01.tzdata.asc | 148 ++ .../advisories/FreeBSD-EN-21:02.extattr.asc | 129 ++ .../advisories/FreeBSD-EN-21:03.vnet.asc | 130 ++ .../advisories/FreeBSD-EN-21:04.zfs.asc | 130 ++ .../advisories/FreeBSD-EN-21:05.libatomic.asc | 125 ++ .../FreeBSD-SA-21:01.fsdisclosure.asc | 150 ++ .../advisories/FreeBSD-SA-21:02.xenoom.asc | 142 ++ .../patches/EN-21:01/tzdata-2021a.patch | 1498 +++++++++++++++++ .../patches/EN-21:01/tzdata-2021a.patch.asc | 18 + .../security/patches/EN-21:02/extattr.patch | 11 + .../patches/EN-21:02/extattr.patch.asc | 18 + .../security/patches/EN-21:03/vnet.patch | 291 ++++ .../security/patches/EN-21:03/vnet.patch.asc | 18 + .../security/patches/EN-21:04/zfs.patch | 150 ++ .../security/patches/EN-21:04/zfs.patch.asc | 18 + .../security/patches/EN-21:05/libatomic.patch | 71 + .../patches/EN-21:05/libatomic.patch.asc | 18 + .../patches/SA-21:01/fsdisclosure.11.patch | 10 + .../SA-21:01/fsdisclosure.11.patch.asc | 18 + .../patches/SA-21:01/fsdisclosure.12.patch | 166 ++ .../SA-21:01/fsdisclosure.12.patch.asc | 18 + .../security/patches/SA-21:02/xenoom.11.patch | 255 +++ .../patches/SA-21:02/xenoom.11.patch.asc | 18 + .../security/patches/SA-21:02/xenoom.12.patch | 300 ++++ .../patches/SA-21:02/xenoom.12.patch.asc | 18 + 27 files changed, 3896 insertions(+) create mode 100644 website/static/security/advisories/FreeBSD-EN-21:01.tzdata.asc create mode 100644 website/static/security/advisories/FreeBSD-EN-21:02.extattr.asc create mode 100644 website/static/security/advisories/FreeBSD-EN-21:03.vnet.asc create mode 100644 website/static/security/advisories/FreeBSD-EN-21:04.zfs.asc create mode 100644 website/static/security/advisories/FreeBSD-EN-21:05.libatomic.asc create mode 100644 
website/static/security/advisories/FreeBSD-SA-21:01.fsdisclosure.asc create mode 100644 website/static/security/advisories/FreeBSD-SA-21:02.xenoom.asc create mode 100644 website/static/security/patches/EN-21:01/tzdata-2021a.patch create mode 100644 website/static/security/patches/EN-21:01/tzdata-2021a.patch.asc create mode 100644 website/static/security/patches/EN-21:02/extattr.patch create mode 100644 website/static/security/patches/EN-21:02/extattr.patch.asc create mode 100644 website/static/security/patches/EN-21:03/vnet.patch create mode 100644 website/static/security/patches/EN-21:03/vnet.patch.asc create mode 100644 website/static/security/patches/EN-21:04/zfs.patch create mode 100644 website/static/security/patches/EN-21:04/zfs.patch.asc create mode 100644 website/static/security/patches/EN-21:05/libatomic.patch create mode 100644 website/static/security/patches/EN-21:05/libatomic.patch.asc create mode 100644 website/static/security/patches/SA-21:01/fsdisclosure.11.patch create mode 100644 website/static/security/patches/SA-21:01/fsdisclosure.11.patch.asc create mode 100644 website/static/security/patches/SA-21:01/fsdisclosure.12.patch create mode 100644 website/static/security/patches/SA-21:01/fsdisclosure.12.patch.asc create mode 100644 website/static/security/patches/SA-21:02/xenoom.11.patch create mode 100644 website/static/security/patches/SA-21:02/xenoom.11.patch.asc create mode 100644 website/static/security/patches/SA-21:02/xenoom.12.patch create mode 100644 website/static/security/patches/SA-21:02/xenoom.12.patch.asc diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml index db5d4bcb24..95683bed85 100644 --- a/website/data/security/advisories.toml +++ b/website/data/security/advisories.toml 
@@ -1,6 +1,14 @@ # Sort advisories by year, month and day # $FreeBSD$ +[[advisories]] +name = "FreeBSD-SA-21:02.xenoom" +date = "2021-01-29" + +[[advisories]] +name = "FreeBSD-SA-21:01.fsdisclosure" +date = "2021-01-29" + [[advisories]] name = "FreeBSD-SA-20:33.openssl" date = "2020-12-08" diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml index 6dc8406ef5..eb4071d077 100644 --- a/website/data/security/errata.toml +++ b/website/data/security/errata.toml @@ -1,6 +1,26 @@ # Sort errata notices by year, month and day # $FreeBSD$ +[[notices]] +name = "FreeBSD-EN-21:05.libatomic" +date = "2021-01-29" + +[[notices]] +name = "FreeBSD-EN-21:04.zfs" +date = "2021-01-29" + +[[notices]] +name = "FreeBSD-EN-21:03.vnet" +date = "2021-01-29" + +[[notices]] +name = "FreeBSD-EN-21:02.extattr" +date = "2021-01-29" + +[[notices]] +name = "FreeBSD-EN-21:01.tzdata" +date = "2021-01-29" + [[notices]] name = "FreeBSD-EN-20:22.callout" date = "2020-12-01" diff --git a/website/static/security/advisories/FreeBSD-EN-21:01.tzdata.asc b/website/static/security/advisories/FreeBSD-EN-21:01.tzdata.asc new file mode 100644 index 0000000000..dc16699e8e --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-21:01.tzdata.asc 
@@ -0,0 +1,148 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:01.tzdata Errata Notice
+ The FreeBSD Project
+
+Topic: Timezone database information update
+
+Category: contrib
+Module: zoneinfo
+Announced: 2021-01-29
+Affects: All supported versions of FreeBSD.
+Corrected: 2021-01-25 21:56:55 UTC (stable/12, 12.2-STABLE)
+ 2021-01-29 01:20:49 UTC (releng/12.2, 12.2-RELEASE-p3)
+ 2021-01-29 01:05:59 UTC (releng/12.1, 12.1-RELEASE-p13)
+ 2021-01-25 21:57:06 UTC (stable/11, 11.4-STABLE)
+ 2021-01-29 00:19:59 UTC (releng/11.4, 11.4-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The tzsetup(8) program allows the user to specify the default local timezone.
+Based on the selected timezone, tzsetup(8) copies one of the files from
+/usr/share/zoneinfo to /etc/localtime. This file actually controls the
+conversion.
+
+II. Problem Description
+
+Several changes in Daylight Savings Time happened after previous FreeBSD
+releases were released that would affect many people who live in different
+countries. Because of these changes, the data in the zoneinfo files need to
+be updated, and if the local timezone on the running system is affected,
+tzsetup(8) needs to be run so the /etc/localtime is updated.
+
+III. Impact
+
+An incorrect time will be displayed on a system configured to use one of the
+affected timezones if the /usr/share/zoneinfo and /etc/localtime files are
+not updated, and all applications on the system that rely on the system time,
+such as cron(8) and syslog(8), will be affected.
+
+IV. Workaround
+
+The system administrator can install an updated timezone database from the
+misc/zoneinfo port and run tzsetup(8) to get the timezone database corrected.
+
+Applications that store and display times in Coordinated Universal Time (UTC)
+are not affected.
+
+V. Solution
+
+Please note that some third party software, for instance PHP, Ruby, Java and
+Perl, may be using different zoneinfo data source, in such cases this
+software must be updated separately. For software packages that is installed
+via binary packages, they can be upgraded by executing `pkg upgrade'.
+
+Following the instructions in this Errata Notice will update all of the
+zoneinfo files to be the same as what was released with FreeBSD release.
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date. Restart all the affected
+applications and daemons, or reboot the system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart all the affected applications and daemons, or reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:01/tzdata-2021a.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:01/tzdata-2021a.patch.asc
+# gpg --verify tzdata-2021a.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all the affected applications and daemons, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12 r369143
+releng/12.2 r369171
+releng/12.1 r369162
+stable/11/ r369144
+releng/11.4/ r369153
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:01.tzdata.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbfZfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKOpA//Urdpqngx7TTrUYuIFijatPi+MWNWEgW04TPXfa7Vmp5bPFC/fJGJ0o2u
+lMUVwodrlfX5GUvPENwC/xVVxlzGCX4ljpFbocJIBWczA6LQ+P0u4ibdgSWuh9IS
+4Aj/MFrd6b+Ui7JY6LF+g0n9M6Tcprui9ZVef7AmcEAOcKQEdIA/kNEfOSnlBy8t
+HgSVQOmVRbsWYN9B7ZfrsztaiPzFwLfm4Wu62CyrN7H1uSGve9JLrz56W1t3t7u+
+pKaemOZM6g1efHWVYHUIJh7A7KPSNaLHY3tuQ5Sw6KetST9PCrGwwWVyn+0Cirwp
+kL/1tjBAB31hsBNJxpvw6NSAazsUfMmKwmtaO9+Gy11ay5neCD2CPUNLCIa7KbjC
+XT1PcrNnkodID0xdnNGy77toZwbjN81ADurLc+O63FycVugENB81ZtSJWTW7teIL
+sIfh4A6yf+0szPU9/TIOZx9Qhnp2+Az2C39bgqmeWiv4SwTJnxvYZ6gqGaimdHtX
+kIozG96X7qyBD4y1Zm45QRrABmb+3AbF1PyCj3pq1re/GpqFlm8ADog3VWE6FaWn
+f/TlgtQtbknMcnWtpqXlvajWFa6vvq/2o7M7TRGPInQr0SA4gk5K6U9OQtrdKRGe
+QugdkOMBRuJt1+RO/XAgtcTDpV7CI8QncCONWOItPq4+n5J7PyU=
+=irIL
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-21:02.extattr.asc b/website/static/security/advisories/FreeBSD-EN-21:02.extattr.asc
new file mode 100644
index 0000000000..d30949a2ad
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-21:02.extattr.asc
@@ -0,0 +1,129 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:02.extattr Errata Notice
+ The FreeBSD Project
+
+Topic: UFS extattr corruption
+
+Category: core
+Module: UFS
+Announced: 2021-01-29
+Affects: FreeBSD 11.4
+Corrected: 2021-01-18 18:54:32 UTC (stable/11, 11.4-STABLE)
+ 2021-01-29 19:20:02 UTC (releng/11.4, 11.4-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+Named extended attributes are meta-data associated with vnodes representing
+files and directories. They exist as "name=value" pairs within a set of
+namespaces. The UFS filesystem supports extended attributes.
+
+II. Problem Description
+
+Under certain conditions FreeBSD 11.x releases may produce a corrupt extattr
+file, and later attempts to access these extended attributes may result in
+system misbehavior. For example, lsextattr may spin at 100% CPU until the
+system is shut down.
+
+The issue that results in corrupt extattr data is not present in supported
+FreeBSD 12.x versions.
+
+III. Impact
+
+The system may not function as required with extended attributes in use.
+
+IV. Workaround
+
+No workaround is available. Systems not using extended attributes are not
+vulnerable.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date, and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for an errata update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.4]
+# fetch https://security.FreeBSD.org/patches/EN-12:02/extattr.patch
+# fetch https://security.FreeBSD.org/patches/EN-12:02/extattr.patch.asc
+# gpg --verify extattr.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/11/ r369045
+releng/11.4/ r369154
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244089>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:02.extattr.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbiRfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKxMBAAjpesCOTrkqvjjKZmez8ACSUdaa7IYMLbJpeXW+0IbFVU/IQdK5/aq6r1
+j/LytAbQ0yDlzfEggCeIWKGkbvaNs0eUVCx/1AOjWdxWePvrlpJ2GQNsHGZeWzBc
+QUv9LEao0MQF9UGjd0JV81nTE2DT4a2F3WVdfuX2QfkWntfWwpXf3Uf3Cvi6Cpfy
+rbZTkFeBmFvfgJu13co4re1gur8eYvMyNqcp+FO9OttEr/Fg5D/okQfp+0uZ1uIl
+80WNZLwgnJG07FBVgcjbbVr/JJJqzVQh3opUa4+6UZaaHoRszs4jE4Mc22C0G4Ma
+8vtBp4Z/Ndznv04TvTNiAyS3aAe0ums4yotZJBJEuVr1rA1lC6YgRVT9+qfsPcWT
+SuVM16NS4VGVpN5SruptLbrbTHQARDAAWDbtP1fB8ccvBIonf0hh5AOcKFBxHHY3
+NoKHLV373zTauvxqy7RKRAtnB2oB0uMT4j0lwJmn7CM1h+lL1GcVy1PTDVQ4mk+N
+2/I51AcbURjmWqxTTORI6p8CgLsiwPfdsup5T2g/JPu2nc9COWL/WKCytP2pXji3
++Lu+SJldxUCx8JiiCSFma7ZG/sjB+B1vOajzULqBWUgTH6YpX8gV78amDHmzRq20
+2is7fa+63ImVHtCZAIeSs/PGU2v+MDQ6eBNqFTccbgVvINEmMNE=
+=XIov
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-21:03.vnet.asc b/website/static/security/advisories/FreeBSD-EN-21:03.vnet.asc
new file mode 100644
index 0000000000..c9832e1268
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-21:03.vnet.asc
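Review bot: The two fetch commands in the FreeBSD-EN-21:02.extattr advisory point at `patches/EN-12:02/`, whereas this commit's diffstat adds the patch and its detached signature under `website/static/security/patches/EN-21:02/`, so the documented URLs look like a digit transposition and would presumably not resolve to the files added here. The lines should read `# fetch https://security.FreeBSD.org/patches/EN-21:02/extattr.patch` and `# fetch https://security.FreeBSD.org/patches/EN-21:02/extattr.patch.asc`, which keeps the following `gpg --verify extattr.patch.asc` step checking the patch this notice actually describes. Because the text sits inside a PGP clearsigned message, the correction has to be made in the advisory source and re-signed; editing the committed `.asc` in place would invalidate the signature.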
@@ -0,0 +1,130 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:03.vnet Errata Notice
+ The FreeBSD Project
+
+Topic: Panic when destroying VNET and epair simultaneously
+
+Category: core
+Module: kernel
+Announced: 2021-01-29
+Affects: FreeBSD 12.1 and later.
+Corrected: 2020-12-15 15:33:28 UTC (stable/12, 12.2-STABLE)
+ 2021-01-29 01:20:52 UTC (releng/12.2, 12.2-RELEASE-p3)
+ 2021-01-29 01:06:03 UTC (releng/12.1, 12.1-RELEASE-p13)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+VNET permits systems to be configured with multiple instances of the in-kernel
+network stack.
+
+The epair(4) interface provides a pair of virtual back-to-back connected
+Ethernet interfaces.
+
+II. Problem Description
+
+Insufficient locking in the kernel meant that destroying an epair and a vnet
+jail at the same time often resulted in panics.
+
+III. Impact
+
+Users with root level access (or the PRIV_NET_IFCREATE privilege) can panic
+the system.
+
+IV. Workaround
+
+The panic can be avoided by ensuring that epair interfaces are fully destroyed
+before the vnet jails containing them are destroyed.
+
+Systems not using vnet jails are not affected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for an errata update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:03/vnet.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:03/vnet.patch.asc
+# gpg --verify vnet.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r368663
+releng/12.2/ r369172
+releng/12.1/ r369163
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238870>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:03.vnet.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbipfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKE3Q/+KQ96Grm2zOsWHVAl5Oz2TBdc7nGkIYSk59zFcmVMqduvKSjiJ3S1yLdX
+NsPm3KyFYeU7L/QM9Owsk1DTSnRrlwhbcM3/x+662bcgP1RWe3XL6n9fQ2V5eESO
+9wAKtwrkE5btGxp6WLNAZ1Ximb1rKtOi4hqLK1Rhqhl93ecw7gyp+Qs6ukj41cnT
+8+9AwHjvzYokrUDP7lIsKMQ4C29Fw4o2/0RwCCEmLlGRWLOWGM910RjgaFat02Gi
+nOLXXlI9mSApthMnlTun4cSn+rbzawyTXD8AIa/kwEd00yDej4IceBlqWXot8Sjw
+aXqJuix5qs0aVJcrQ2g9bkytnSMeO79EpCLyy/PDMJ1NUcQG8oaN/EcxNjb/U9p2
+sbjWSf4t1leTl76TWsGsNAWHkjUwMPYHDstG4jsRv+Y+m4sSWa6gYYitaOtK4paO
+wDDqpWHFJXOCEIrL3+HJcwOWr4hxhmZFgKNXeZN6l5WCKY/Xqjxqt7zBSpixiz01
+VEn3uNs1ePuEA80Ae+D8v4yzjjfuE5/MDfEsoaxtP6dalNtJlIaFhVgZYcsxpOfK
+xKC8dzdnEyq970+ZW/2ESYBxGTcnVQMxASI73QYuaKbRkcVqgW6XjHJHh+0tNLkV
+sPhgxy/eOkbsu9qcIOn+tTbNTo3CjW0/ZmdE0YX9XItgbGHFQvg=
+=1ekp
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-21:04.zfs.asc b/website/static/security/advisories/FreeBSD-EN-21:04.zfs.asc
new file mode 100644
index 0000000000..2e090bc9ee
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-21:04.zfs.asc
@@ -0,0 +1,130 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:04.zfs Errata Notice
+ The FreeBSD Project
+
+Topic: zfs recv fails to propagate snapshot deletion
+
+Category: core
+Module: zfs
+Announced: 2021-01-29
+Affects: FreeBSD 12.2
+Corrected: 2020-12-01 08:15:18 UTC (stable/12, 12.2-STABLE)
+ 2021-01-29 01:20:55 UTC (releng/12.2, 12.2-RELEASE-p3)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The zfs send/receive commands are used to efficiently copy datasets from one
+location to another. With the -i or -I flags, zfs send can incrementally
+update an already-copied dataset. When using the -R flag with zfs send and the
+- -F flag with zfs receive, zfs receive will delete any snapshots on the
+destination that have already been deleted on the source.
+
+II. Problem Description
+
+A regression in FreeBSD 12.2 causes zfs receive to fail to delete snapshots
+that have been deleted on the source side.
+
+III. Impact
+
+Backup and replication systems based on ZFS send/receive that manage snapshots
+solely on the source side will fail to delete snapshots on the destination
+side. This may lead to out-of-space conditions on the destination.
+
+IV. Workaround
+
+Errant snapshots can be manually removed from the destination with "zfs destroy".
+
+Backup and replication systems that don't use the -R flag with zfs send will be
+unaffected. For example, sysutils/zrepl is unaffected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:04/zfs.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:04/zfs.patch.asc
+# gpg --verify zfs.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that link directly to libzfs.so. A restart is not required
+for daemons that invoke the zfs executable.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r368233
+releng/12.2/ r369173
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=249438>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:04.zfs.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbipfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJhhw//ajaGQV4/Ln4SmgsyYS01De9bXSI26dBcZlfGDUDL4l/W4qF1KnsTuPXx
+ubGoFDjAArT+AzAoTddQeKuty8VPR8UUCQfONgdWUvjlSZ3k1iLa6pTR/BHxSyZ3
+rh7olc8wSt13JBOoafCjGkuzRNLtz7oqP0qrGB/aKSbU3IzCW8fHSFnIFVaRK/Nh
+Zr9Lisp4mIBgBmAY3Oof50ONPrjoDEYff+G+52LSUSMIwGPVmEqFz1qrSzQ+SFO0
+kylegth1sBeEgPQZAuyXX6liJpsL/AEdYQvosykmBw3DGQqt9glo+hl6CU7/g2dn
+iA8O7tO0zgaHtWbAUQYdtHJKeqa5UbaDRKeDw3aXm6TwHmZN7BfQz6SWRK2QOhcc
+btn5yP6QhbpTFmWRkWtSehn+eISolDF4iCG9St664xpNV7l0AzSXm8saVrR2/Eix
+IPCK2nyhddyDyVCkkSaZw8rris5De8gAGsv0K+nvJqYhVMdbIyTnU62UzHrgPPXS
+kAe0Z/FnPmcQ7GXN/dSIzd17WMqKwGgsHMbLFw/BMP+kaM++mMY7ZdyPyx1gapB+
+qzvRhFoNKpNVGMaMK/y+BPB2Ak3OHj6lqPFptjd9HNlszVYuZ3Od25oQBO0dupQf
+jsTSler1ShPYyOwG8QE0sXjpMYVZhFgsZXiZVUrACkfunuDnXtI=
+=fhrM
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-21:05.libatomic.asc b/website/static/security/advisories/FreeBSD-EN-21:05.libatomic.asc
new file mode 100644
index 0000000000..5a88888bf5
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-21:05.libatomic.asc
@@ -0,0 +1,125 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:05.libatomic Errata Notice
+ The FreeBSD Project
+
+Topic: Addition of atomic and bswap functions to libcompiler_rt
+
+Category: core
+Module: libcompiler_rt
+Announced: 2021-01-29
+Affects: FreeBSD 11.4
+Corrected: 2020-09-12 16:33:05 UTC (stable/11, 11.4-STABLE)
+ 2021-01-29 00:20:06 UTC (releng/11.4, 11.4-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+libcompiler_rt is a simple library that provides an implementation of low-level
+target-specific functionality required by the Clang compiler.
+
+II. Problem Description
+
+The FreeBSD build system does not include all source files of libcompiler_rt.
+In particular, it misses the atomic.c file, which implements atomic memory
+routines for the i386 architecture.
+
+III. Impact
+
+When compiling software that makes use of atomic functions, as well as __bswap*
+functions, the compiler emits calls to them expecting that these will be
+available from libcompiler_rt. Due to this, the linker fails to resolve
+mentioned functions and the build fails.
+
+The problem occurs only when targeting the i386 platform.
+
+IV. Workaround
+
+The problem can be worked around by using GCC compiler to build the software.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:05/libatomic.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:05/libatomic.patch.asc
+# gpg --verify libatomic.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the library, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/11/ r365661
+releng/11.4/ r369155
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:05.libatomic.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbipfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKteBAAicm8nXlOWYeIu2qcgqKVEhWNwleLdfnAGPcs0ALuUEnSGZ2DIfsdl4J0
+eTOeIJC9ELpHrSoaAtlrM7huEkdtMDRHrLWfSlW7Zev3B7ZQ+v+GsdYAw1h86Erf
+uNt3iCvfhltDGVHVb0bGHQw2biIn9UD36CVOC9WqMhubLU/sjEy4FbjwRvVWUyRc
+UtR+WUf6W8IZnd3iJOlF/YnxDcEWclMPFnEdKMgBByl0dSoVuwIQfwuWm6Wl4WjA
+p1KUs+l/AUn5IJB7U7dLmB5tIGgvElzONwPb9S3M1BQaLDjS2+PLrE6/pxSpDNHS
+y/Oo2652ZaGG1OWAGzemKinpllLelkywPjbQwEEkjelqPnPoVMWzjM4UwmF0S5gj
+hnlB17BvH5qomMFnAiyVQO9cH85G4sKcKgVQSMU/gRzlrSMyqZ5ImLfltMOJi27H
+U3SQ36LljP6cu55bDlswBmAe6Ria748d5z4efSs/DGfgeFSYlSYF7zTLZtbw8wcP
+bXjeDVTMcAEGGjDFWjy2hU2zUhgQVBOSb1+IB3ziOHizUdOe9U5NaEZSoTA/S4rp
+Hrf8P8LKN5BgWh6j+jXI18RpwGtRNbL4Ev0wP0iG7SXth8cRkjymzq4qcGsIBMh/
+GjyNqC1CzzvQz4YDf6GqkOZWE3kAzUM+iyGyYpZIDdCx32Ir/e4=
+=RTBx
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-21:01.fsdisclosure.asc b/website/static/security/advisories/FreeBSD-SA-21:01.fsdisclosure.asc
new file mode 100644
index 0000000000..c6bab78916
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-21:01.fsdisclosure.asc
@@ -0,0 +1,150 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-21:01.fsdisclosure Security Advisory
+ The FreeBSD Project
+
+Topic: Uninitialized kernel stack leaks in several file systems
+
+Category: core
+Module: fs
+Announced: 2021-01-29
+Credits: Syed Faraz Abrar
+Affects: All supported versions of FreeBSD.
+Corrected: 2021-01-06 14:58:41 UTC (stable/12, 12.2-STABLE)
+ 2021-01-29 01:20:59 UTC (releng/12.2, 12.2-RELEASE-p3)
+ 2021-01-29 01:06:09 UTC (releng/12.1, 12.1-RELEASE-p13)
+ 2021-01-18 19:16:24 UTC (stable/11, 11.4-STABLE)
+ 2021-01-29 00:20:09 UTC (releng/11.4, 11.4-RELEASE-p7)
+CVE Name: CVE-2020-25578, CVE-2020-25579
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The FreeBSD kernel exports file system directory entries to userspace
+using the generic "dirent" structure. Individual file systems implement
+VOP_READDIR to convert from the file system's internal directory entry
+layout to the generic form. dirent structures can be fetched from
+userspace using the getdirentries(2) system call.
+
+II. Problem Description
+
+Several file systems were not properly initializing the d_off field of
+the dirent structures returned by VOP_READDIR. In particular, tmpfs(5),
+smbfs(5), autofs(5) and mqueuefs(5) were failing to do so. As a result,
+eight uninitialized kernel stack bytes may be leaked to userspace by
+these file systems. This problem is not present in FreeBSD 11.
+
+Additionally, msdosfs(5) was failing to zero-fill a pair of padding
+fields in the dirent structure, resulting in a leak of three
+uninitialized bytes.
+
+III. Impact
+
+Kernel stack disclosures may leak sensitive information which could be
+used to compromise the security of the system.
+
+IV. Workaround
+
+Systems that do not have any of the affected file systems mounted are
+not affected. To trigger the leaks, an unprivileged user must have read
+access to a directory belonging to one of the mounted file systems.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 12.x]
+# fetch https://security.FreeBSD.org/patches/SA-21:01/fsdisclosure.12.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:01/fsdisclosure.12.patch.asc
+# gpg --verify fsdisclosure.12.patch.asc
+
+[FreeBSD 11.x]
+# fetch https://security.FreeBSD.org/patches/SA-21:01/fsdisclosure.11.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:01/fsdisclosure.11.patch.asc
+# gpg --verify fsdisclosure.11.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r368969
+releng/12.2/ r369175
+releng/12.1/ r369165
+stable/11/ r369047
+releng/11.4/ r369156
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25578>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25579>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:01.fsdisclosure.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbjNfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJr9xAAkZz7B1xlb66yVYXmyIo8eFf2ZyYPXxoH9hIxx1N7PxY6l9MeU9xzcYrf
+tOYtsWyPxx+M+g0KZc2Q846zu3JySSBkGKT1Kx3aqMmfEqWMa6b2u/wM+rG/8NjR
+qzsU9SfnzgcBg0tu4m55en+7muuiO3JopCbQDdTSl0EgOFkMI6cuMXc2lm9BAEKj
+zpmKFbelSCIUjISpLASJzNKRfQV1UajpgyM/tWYSrlQwaejNkFOmBO1ylLBbigBo
+bqH5xCsttGGUC91QmsEdcrF3pSNuHEtW5nT8sbAlm6ue8bjY9AGhEB1fkV877KDG
+otN3sPe367uQA1AHWCq3qPseTgAV9pDW4Mctxi5VSz0P3tUzG+hqojtn+mDAvFob
+DnFWFJnMZC6mueunp555LXlgFzA79Vberjo15240kEvaf4B+PiCqVLr9baK/2KyW
+EEj3pn/ciGq/wBn5ZPoCDVk0hbcfVNxaXytHLDBZ7l/ti7ZC08SRyaPdhG8Tblbx
+ha/6+/viGbBHktuTU5Vz48cHja9RnDq0EUiTmplinUDhyouVyG4i2Yrn3anMnhd5
+atULlylJlEPGq1WNH0A7yiKqQa6Bu4OFMdJ69YIYskcn3FC2vjz0LpRb+soFOIAH
+2/o0UAMup9buG8CbPVLoCRPyPrEw0liaUJEUlxTVPDc3AJGM0xM=
+=gD1K
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-21:02.xenoom.asc b/website/static/security/advisories/FreeBSD-SA-21:02.xenoom.asc
new file mode 100644
index 0000000000..4d8560498a
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-21:02.xenoom.asc
@@ -0,0 +1,142 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-21:02.xenoom Security Advisory
+ The FreeBSD Project
+
+Topic: Xen guests can triger backend Out Of Memory
+
+Category: contrib
+Module: Xen
+Announced: 2021-01-29
+Credits: See Xen XSA-349 for details
+Affects: All supported versions of FreeBSD.
+Corrected: 2021-01-18 16:26:36 UTC (stable/12, 12.2-STABLE)
+ 2021-01-29 01:21:04 UTC (releng/12.2, 12.2-RELEASE-p3)
+ 2021-01-29 01:06:16 UTC (releng/12.1, 12.1-RELEASE-p13)
+ 2021-01-21 09:14:50 UTC (stable/11, 11.4-STABLE)
+ 2021-01-29 00:20:16 UTC (releng/11.4, 11.4-RELEASE-p7)
+CVE Name: CVE-2020-29568
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+Xen is a type-1 hypervisor which supports FreeBSD as a Dom0 (or host
+domain).
+
+II. Problem Description
+
+Some OSes (including Linux, FreeBSD, and NetBSD) are processing watch
+events using a single thread. If the events are received faster than
+the thread is able to handle, they will get queued.
+
+As the queue is unbound, a guest may be able to trigger a OOM in
+the backend.
+
+III. Impact
+
+A malicious guest can trigger an OOM in backends.
+
+IV. Workaround
+
+No workaround is available. FreeBSD systems not using Xen are not
+affected.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 12.x]
+# fetch https://security.FreeBSD.org/patches/SA-21:02/xenoom.12.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:02/xenoom.12.patch.asc
+# gpg --verify xenoom.12.patch.asc
+
+[FreeBSD 11.x]
+# fetch https://security.FreeBSD.org/patches/SA-21:02/xenoom.11.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:02/xenoom.11.patch.asc
+# gpg --verify xenoom.11.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r369038
+releng/12.2/ r369177
+releng/12.1/ r369167
+stable/11/ r369072
+releng/11.4/ r369158
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://xenbits.xen.org/xsa/advisory-349.html>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29568>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:02.xenoom.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbjNfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJjmhAAloDel7j9rgyDK8Ozk5wPJQlUM/1Ddc4e5Q5vdzT29mNdWKfXjH5SEkGq
+Jx7w4fUronf8vsXn+bNXwn1u5PWGVTVX/Y4ljQ4JVwJ+NdxhxTuhNsbg7j2AZmdO
+PsfI+eFX1xq8wr3oDUl3GTHHcUI1Ol259tsOgJE7ISriazgbRk8/QVowMgS3jdHA
+OYJS8ADFWSO6d4TC2B5pvgC6NAiZjhgTDtjxzTnaWoUb0157JyhRh3Z2FQTBxoxU
+3OQcTj7x7KBtbsiAI/Iq8Qu7JXyxtscVQfbXsk4Jt1uOskgsr8n9F+UGiP+GRIKb
+0IsgNUlsPavINlNJjAwQWHtB8VJqH7LpG9t3/EMizUXjZAuRLxEjAFiHV8ju1U++
+O9Xf9nB9auVrBn1WMYgH23bZ5D15W1HosEywifBw64R7CLDliD/HpJ3QaDEe3lCn
+pB0jgxuoE5RCbTppgUZM7tLUrtwgih+lOiZcLcA5xS9hQo8TWBLIJNBf5rRjJA6q
+/3vh5lOv/w8AHyBgA5395QIkkgw9dxy2o+LbtuVhdD/NbLX4GnNVMkQDsTF79PMT
+8rl0Zn6Ldo0ypHAwPAVHektl+izuMftNQuQXSbEjkw/Xr1VCjIjllJET3K2e9X6z
+4nPmq6t/0kuHWYSSDQAKdq/8Dosn3HLw1uQdst4ka7wf1Eon7Ow=
+=3L3L
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-21:01/tzdata-2021a.patch b/website/static/security/patches/EN-21:01/tzdata-2021a.patch
new file mode 100644
index 0000000000..194ec24461
--- /dev/null
+++ b/website/static/security/patches/EN-21:01/tzdata-2021a.patch
@@ -0,0 +1,1498 @@ +--- contrib/tzdata/Makefile.orig ++++ contrib/tzdata/Makefile +@@ -583,11 +583,19 @@ + cp date '$(DESTDIR)$(BINDIR)/.' + cp -f date.1 '$(DESTDIR)$(MANDIR)/man1/.' + ++# Calculate version number from git, if available. ++# Otherwise, use $(VERSION) unless it is "unknown" and there is already ++# a 'version' file, in which case reuse the existing 'version' contents ++# and append "-dirty" if the contents do not already end in "-dirty". + version: $(VERSION_DEPS) + { (type git) >/dev/null 2>&1 && \ + V=`git describe --match '[0-9][0-9][0-9][0-9][a-z]*' \ + --abbrev=7 --dirty` || \ +- V='$(VERSION)'; } && \ ++ if test '$(VERSION)' = unknown && V=`cat $@`; then \ ++ case $$V in *-dirty);; *) V=$$V-dirty;; esac; \ ++ else \ ++ V='$(VERSION)'; \ ++ fi; } && \ + printf '%s\n' "$$V" >$@.out + mv $@.out $@ + +@@ -872,11 +880,34 @@ + LC_ALL=C sh workman.sh `expr $@ : '\(.*\)\.txt$$'` >$@.out + mv $@.out $@ + ++# Set file timestamps deterministically if possible, ++# so that tarballs containing the timestamps are reproducible. ++# ++# '$(SET_TIMESTAMP_N) N DEST A B C ...' sets the timestamp of the ++# file DEST to the maximum of the timestamps of the files A B C ..., ++# plus N if GNU ls and touch are available. ++SET_TIMESTAMP_N = sh -c '\ ++ n=$$0 dest=$$1; shift; \ ++ touch -cmr `ls -t "$$@" | sed 1q` "$$dest" && \ ++ if test $$n != 0 && \ ++ lsout=`ls -n --time-style="+%s" "$$dest" 2>/dev/null`; then \ ++ set x $$lsout && \ ++ touch -cmd @`expr $$7 + $$n` "$$dest"; \ ++ else :; fi' ++# If DEST depends on A B C ... in this Makefile, callers should use ++# $(SET_TIMESTAMP_DEP) DEST A B C ..., for the benefit of any ++# downstream 'make' that considers equal timestamps to be out of date. ++# POSIX allows this 'make' behavior, and HP-UX 'make' does it. ++# If all that matters is that the timestamp be reproducible ++# and plausible, use $(SET_TIMESTAMP). 
++SET_TIMESTAMP = $(SET_TIMESTAMP_N) 0 ++SET_TIMESTAMP_DEP = $(SET_TIMESTAMP_N) 1 ++ + # Set the timestamps to those of the git repository, if available, + # and if the files have not changed since then. +-# This uses GNU 'touch' syntax 'touch -d@N FILE', +-# where N is the number of seconds since 1970. +-# If git or GNU 'touch' is absent, don't bother to sync with git timestamps. ++# This uses GNU 'ls --time-style=+%s', which outputs the seconds count, ++# and GNU 'touch -d@N FILE', where N is the number of seconds since 1970. ++# If git or GNU is absent, don't bother to sync with git timestamps. + # Also, set the timestamp of each prebuilt file like 'leapseconds' + # to be the maximum of the files it depends on. + set-timestamps.out: $(EIGHT_YARDS) +@@ -894,16 +925,16 @@ + fi || exit; \ + done; \ + fi +- touch -cmr `ls -t $(LEAP_DEPS) | sed 1q` leapseconds ++ $(SET_TIMESTAMP_DEP) leapseconds $(LEAP_DEPS) + for file in `ls $(MANTXTS) | sed 's/\.txt$$//'`; do \ +- touch -cmr `ls -t $$file workman.sh | sed 1q` $$file.txt || \ ++ $(SET_TIMESTAMP_DEP) $$file.txt $$file workman.sh || \ + exit; \ + done +- touch -cmr `ls -t $(TZDATA_ZI_DEPS) | sed 1q` tzdata.zi +- touch -cmr `ls -t $(VERSION_DEPS) | sed 1q` version ++ $(SET_TIMESTAMP_DEP) version $(VERSION_DEPS) ++ $(SET_TIMESTAMP_DEP) tzdata.zi $(TZDATA_ZI_DEPS) + touch $@ + set-tzs-timestamp.out: $(TZS) +- touch -cmr `ls -t $(TZS_DEPS) | sed 1q` $(TZS) ++ $(SET_TIMESTAMP_DEP) $(TZS) $(TZS_DEPS) + touch $@ + + # The zics below ensure that each data file can stand on its own. 
+@@ -914,7 +945,10 @@ + mkdir public.dir + ln $(VERSION_DEPS) public.dir + cd public.dir && $(MAKE) CFLAGS='$(GCC_DEBUG_FLAGS)' ALL +- for i in $(TDATA_TO_CHECK) public.dir/tzdata.zi; do \ ++ for i in $(TDATA_TO_CHECK) public.dir/tzdata.zi \ ++ public.dir/vanguard.zi public.dir/main.zi \ ++ public.dir/rearguard.zi; \ ++ do \ + public.dir/zic -v -d public.dir/zoneinfo $$i 2>&1 || exit; \ + done + public.dir/zic -v -d public.dir/zoneinfo-all $(TDATA_TO_CHECK) +@@ -981,7 +1015,7 @@ + signatures rearguard_signatures traditional_signatures: \ + version set-timestamps.out rearguard.zi + VERSION=`cat version` && \ +- $(MAKE) VERSION="$$VERSION" $@_version ++ $(MAKE) AWK='$(AWK)' VERSION="$$VERSION" $@_version + + # These *_version rules are intended for use if VERSION is set by some + # other means. Ordinarily these rules are used only by the above +@@ -1018,7 +1052,7 @@ + for f in $(TDATA) $(PACKRATDATA); do \ + rearf=tzdata$(VERSION)-rearguard.dir/$$f; \ + $(AWK) -v DATAFORM=rearguard -f ziguard.awk $$f >$$rearf && \ +- touch -cmr `ls -t ziguard.awk $$f` $$rearf || exit; \ ++ $(SET_TIMESTAMP_DEP) $$rearf ziguard.awk $$f || exit; \ + done + sed '1s/$$/-rearguard/' \ + <version >tzdata$(VERSION)-rearguard.dir/version +@@ -1037,7 +1071,7 @@ + rm -fr tzdb-$(VERSION) + mkdir tzdb-$(VERSION) + ln $(ENCHILADA) tzdb-$(VERSION) +- touch -cmr `ls -t tzdb-$(VERSION)/* | sed 1q` tzdb-$(VERSION) ++ $(SET_TIMESTAMP) tzdb-$(VERSION) tzdb-$(VERSION)/* + LC_ALL=C && export LC_ALL && \ + tar $(TARFLAGS) -cf - tzdb-$(VERSION) | lzip -9 >$@.out + mv $@.out $@ +@@ -1079,8 +1113,6 @@ + zdump.o: version.h + zic.o: private.h tzfile.h version.h + +-.KEEP_STATE: +- + .PHONY: ALL INSTALL all + .PHONY: check check_time_t_alternatives + .PHONY: check_web check_zishrink +--- contrib/tzdata/NEWS.orig ++++ contrib/tzdata/NEWS +@@ -1,5 +1,67 @@ + News for the tz database + ++Release 2021a - 2021-01-24 10:54:57 -0800 ++ ++ Changes to future timestamps ++ ++ South Sudan changes from +03 to +02 on 
2021-02-01 at 00:00. ++ (Thanks to Steffen Thorsen.) ++ ++ ++Release 2020f - 2020-12-29 00:17:46 -0800 ++ ++ Change to build procedure ++ ++ 'make rearguard_tarballs' no longer generates a bad rearguard.zi, ++ fixing a 2020e bug. (Problem reported by Deborah Goldsmith.) ++ ++ ++Release 2020e - 2020-12-22 15:14:34 -0800 ++ ++ Briefly: ++ Volgograd switches to Moscow time on 2020-12-27 at 02:00. ++ ++ Changes to future timestamps ++ ++ Volgograd changes time zone from +04 to +03 on 2020-12-27 at 02:00. ++ (Thanks to Alexander Krivenyshev and Stepan Golosunov.) ++ ++ Changes to past timestamps ++ ++ Correct many pre-1986 transitions, fixing entries originally ++ derived from Shanks. The fixes include: ++ - Australia: several 1917 through 1971 transitions ++ - Bahamas: several 1941 through 1945 transitions ++ - Bermuda: several 1917 through 1956 transitions ++ - Belize: several 1942 through 1968 transitions ++ - Ghana: several 1915 through 1956 transitions ++ - Israel and Palestine: several 1940 through 1985 transitions ++ - Kenya and adjacent: several 1908 through 1960 transitions ++ - Nigeria and adjacent: correcting LMT in Lagos, and several 1905 ++ through 1919 transitions ++ - Seychelles: the introduction of standard time in 1907, not 1906 ++ - Vanuatu: DST in 1973-1974, and a corrected 1984 transition ++ (Thanks to P Chan.) ++ ++ Because of the Australia change, Australia/Currie (King Island) is ++ no longer needed, as it is identical to Australia/Hobart for all ++ timestamps since 1970 and was therefore created by mistake. ++ Australia/Currie has been moved to the 'backward' file and its ++ corrected data moved to the 'backzone' file. ++ ++ Changes to past time zone abbreviations and DST flags ++ ++ To better match legislation in Turks and Caicos, the 2015 shift to ++ year-round observance of -04 is now modeled as AST throughout before ++ returning to Eastern Time with US DST in 2018, rather than as ++ maintaining EDT until 2015-11-01. (Thanks to P Chan.) 
++ ++ Changes to documentation ++ ++ The zic man page now documents zic's coalescing of transitions ++ when a zone falls back just before DST springs forward. ++ ++ + Release 2020d - 2020-10-21 11:24:13 -0700 + + Briefly: +--- contrib/tzdata/africa.orig ++++ contrib/tzdata/africa +@@ -386,36 +386,87 @@ + + # Ghana + +-# From Paul Eggert (2018-01-30): +-# Whitman says DST was observed from 1931 to "the present"; +-# Shanks & Pottenger say 1936 to 1942 with 20 minutes of DST, +-# with transitions on 09-01 and 12-31 at 00:00. +-# Page 33 of Parish GCB, Colonial Reports - Annual. No. 1066. Gold +-# Coast. Report for 1919. (March 1921), OCLC 784024077 +-# http://libsysdigi.library.illinois.edu/ilharvest/africana/books2011-05/5530214/5530214_1919/5530214_1919_opt.pdf +-# lists the Determination of the Time Ordinance, 1919, No. 18, +-# "to advance the time observed locally by the space of twenty minutes +-# during the last four months of each year; the object in view being +-# to extend during those months the period of daylight-time available +-# for evening recreation after office hours." +-# Vanessa Ogle, The Global Transformation of Time, 1870-1950 (2015), p 33, +-# writes "In 1919, the Gold Coast (Ghana as of 1957) made Greenwich +-# time its legal time and simultaneously legalized a summer time of +-# UTC - 00:20 minutes from March to October."; a footnote lists +-# the ordinance as being dated 1919-11-24. +-# The Crown Colonist, Volume 12 (1942), p 176, says "the Government +-# intend advancing Gold Coast time half an hour ahead of G.M.T. +-# The actual date of the alteration has not yet been announced." +-# These sources are incomplete and contradictory. Possibly what is +-# now Ghana observed different DST regimes in different years. For +-# lack of better info, use Shanks except treat the minus sign as a +-# typo, and assume DST started in 1920 not 1936. 
++# From P Chan (2020-11-20): ++# Interpretation Amendment Ordinance, 1915 (No.24 of 1915) [1915-11-02] ++# Ordinances of the Gold Coast, Ashanti, Northern Territories 1915, p 69-71 ++# https://books.google.com/books?id=ErA-AQAAIAAJ&pg=PA70 ++# This Ordinance added "'Time' shall mean Greenwich Mean Time" to the ++# Interpretation Ordinance, 1876. ++# ++# Determination of the Time Ordinance, 1919 (No. 18 of 1919) [1919-11-24] ++# Ordinances of the Gold Coast, Ashanti, Northern Territories 1919, p 75-76 ++# https://books.google.com/books?id=MbA-AQAAIAAJ&pg=PA75 ++# This Ordinance removed the previous definition of time and introduced DST. ++# ++# Time Determination Ordinance (Cap. 214) ++# The Laws of the Gold Coast (including Togoland Under British Mandate) ++# Vol. II (1937), p 2328 ++# https://books.google.com/books?id=Z7M-AQAAIAAJ&pg=PA2328 ++# Revised edition of the 1919 Ordinance. ++# ++# Time Determination (Amendment) Ordinance, 1940 (No. 9 of 1940) [1940-04-06] ++# Annual Volume of the Laws of the Gold Coast: ++# Containing All Legislation Enacted During Year 1940, p 22 ++# https://books.google.com/books?id=1ao-AQAAIAAJ&pg=PA22 ++# This Ordinance changed the forward transition from September to May. ++# ++# Defence (Time Determination Ordinance Amendment) Regulations, 1942 ++# (Regulations No. 6 of 1942) [1942-01-31, commenced on 1942-02-08] ++# Annual Volume of the Laws of the Gold Coast: ++# Containing All Legislation Enacted During Year 1942, p 48 ++# https://books.google.com/books?id=Das-AQAAIAAJ&pg=PA48 ++# These regulations advanced the [standard] time by thirty minutes. ++# ++# Defence (Time Determination Ordinance Amendment (No.2)) Regulations, ++# 1942 (Regulations No. 28 of 1942) [1942-04-25] ++# Annual Volume of the Laws of the Gold Coast: ++# Containing All Legislation Enacted During Year 1942, p 87 ++# https://books.google.com/books?id=Das-AQAAIAAJ&pg=PA87 ++# These regulations abolished DST and changed the time to GMT+0:30. 
++# ++# Defence (Revocation) (No.4) Regulations, 1945 (Regulations No. 45 of ++# 1945) [1945-10-24, commenced on 1946-01-06] ++# Annual Volume of the Laws of the Gold Coast: ++# Containing All Legislation Enacted During Year 1945, p 256 ++# https://books.google.com/books?id=9as-AQAAIAAJ&pg=PA256 ++# These regulations revoked the previous two sets of Regulations. ++# ++# Time Determination (Amendment) Ordinance, 1945 (No. 18 of 1945) [1946-01-06] ++# Annual Volume of the Laws of the Gold Coast: ++# Containing All Legislation Enacted During Year 1945, p 69 ++# https://books.google.com/books?id=9as-AQAAIAAJ&pg=PA69 ++# This Ordinance abolished DST. ++# ++# Time Determination (Amendment) Ordinance, 1950 (No. 26 of 1950) [1950-07-22] ++# Annual Volume of the Laws of the Gold Coast: ++# Containing All Legislation Enacted During Year 1950, p 35 ++# https://books.google.com/books?id=e60-AQAAIAAJ&pg=PA35 ++# This Ordinance restored DST but with thirty minutes offset. ++# ++# Time Determination Ordinance (Cap. 264) ++# The Laws of the Gold Coast, Vol. V (1954), p 380 ++# https://books.google.com/books?id=Mqc-AQAAIAAJ&pg=PA380 ++# Revised edition of the Time Determination Ordinance. ++# ++# Time Determination (Amendment) Ordinance, 1956 (No. 21 of 1956) [1956-08-29] ++# Annual Volume of the Ordinances of the Gold Coast Enacted During the ++# Year 1956, p 83 ++# https://books.google.com/books?id=VLE-AQAAIAAJ&pg=PA83 ++# This Ordinance abolished DST. 
++ + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S +-Rule Ghana 1920 1942 - Sep 1 0:00 0:20 - +-Rule Ghana 1920 1942 - Dec 31 0:00 0 - ++Rule Ghana 1919 only - Nov 24 0:00 0:20 +0020 ++Rule Ghana 1920 1942 - Jan 1 2:00 0 GMT ++Rule Ghana 1920 1939 - Sep 1 2:00 0:20 +0020 ++Rule Ghana 1940 1941 - May 1 2:00 0:20 +0020 ++Rule Ghana 1950 1955 - Sep 1 2:00 0:30 +0030 ++Rule Ghana 1951 1956 - Jan 1 2:00 0 GMT ++ + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone Africa/Accra -0:00:52 - LMT 1918 +- 0:00 Ghana GMT/+0020 ++Zone Africa/Accra -0:00:52 - LMT 1915 Nov 2 ++ 0:00 Ghana %s 1942 Feb 8 ++ 0:30 - +0030 1946 Jan 6 ++ 0:00 Ghana %s + + # Guinea + # See Africa/Abidjan. +@@ -433,11 +484,54 @@ + 0:00 - GMT + + # Kenya ++ ++# From P Chan (2020-10-24): ++# ++# The standard time of GMT+2:30 was adopted in the East Africa Protectorate.... ++# [The Official Gazette, 1908-05-01, p 274] ++# https://books.google.com/books?id=e-cAC-sjPSEC&pg=PA274 ++# ++# At midnight on 30 June 1928 the clocks throughout Kenya was put forward ++# half an hour by the Alteration of Time Ordinance, 1928. ++# https://gazettes.africa/archive/ke/1928/ke-government-gazette-dated-1928-05-11-no-28.pdf ++# [Ordinance No. 11 of 1928, The Offical Gazette, 1928-06-26, p 813] ++# https://books.google.com/books?id=2S0S6os32ZUC&pg=PA813 ++# ++# The 1928 ordinance was repealed by the Alteration of Time (repeal) Ordinance, ++# 1929 and the time was restored to GMT+2:30 at midnight on 4 January 1930. ++# [Ordinance No. 97 of 1929, The Official Gazette, 1929-12-31, p 2701] ++# https://books.google.com/books?id=_g18jIZQlwwC&pg=PA2701 ++# ++# The Alteration of Time Ordinance, 1936 changed the time to GMT+2:45 ++# and repealed the previous ordinance at midnight on 31 December 1936. ++# [The Official Gazette, 1936-07-21, p 705] ++# https://books.google.com/books?id=K7j41z0aC5wC&pg=PA705 ++# ++# The Defence (Amendment of Laws No. 120) Regulations changed the time ++# to GMT+3 at midnight on 31 July 1942. 
++# [Kenya Official Gazette Supplement No. 32, 1942-07-21, p 331] ++# https://books.google.com/books?hl=zh-TW&id=c_E-AQAAIAAJ&pg=PA331 ++# The provision of the 1936 ordinance was not repealed and was later ++# incorporated in the Interpretation and General Clauses Ordinance in 1948. ++# Although it was overridden by the 1942 regulations. ++# [The Laws of Kenya in force on 1948-09-21, Title I, Chapter 1, 31] ++# https://dds.crl.edu/item/217517 (p.101) ++# In 1950 the Interpretation and General Clauses Ordinance was amended to adopt ++# GMT+3 permanently as the 1942 regulations were due to expire on 10 December. ++# https://books.google.com/books?id=jvR8mUDAwR0C&pg=PA787 ++# [Ordinance No. 44 of 1950, Kenya Ordinances 1950, Vol. XXIX, p 294] ++# https://books.google.com/books?id=-_dQAQAAMAAJ&pg=PA294 ++ ++# From Paul Eggert (2020-10-24): ++# The 1908-05-01 announcement does not give an effective date, ++# so just say "1908 May". ++ + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone Africa/Nairobi 2:27:16 - LMT 1928 Jul +- 3:00 - EAT 1930 +- 2:30 - +0230 1940 +- 2:45 - +0245 1960 ++Zone Africa/Nairobi 2:27:16 - LMT 1908 May ++ 2:30 - +0230 1928 Jun 30 24:00 ++ 3:00 - EAT 1930 Jan 4 24:00 ++ 2:30 - +0230 1936 Dec 31 24:00 ++ 2:45 - +0245 1942 Jul 31 24:00 + 3:00 - EAT + Link Africa/Nairobi Africa/Addis_Ababa # Ethiopia + Link Africa/Nairobi Africa/Asmara # Eritrea +@@ -1224,8 +1318,69 @@ + # See Africa/Lagos. + + # Nigeria ++ ++# From P Chan (2020-12-03): ++# GMT was adopted as the standard time of Lagos on 1905-07-01. ++# Lagos Weekly Record, 1905-06-24, p 3 ++# http://ddsnext.crl.edu/titles/31558#?c=0&m=668&s=0&cv=2&r=0&xywh=1446%2C5221%2C1931%2C1235 ++# says "It is officially notified that on and after the 1st of July 1905 ++# Greenwich Mean Solar Time will be adopted thought the Colony and ++# Protectorate, and that it will be necessary to put all clocks 13 minutes and ++# 35 seconds back, recording local mean time." 
++# ++# It seemed that Lagos returned to LMT on 1908-07-01. ++# [The Lagos Standard], 1908-07-01, p 5 ++# http://ddsnext.crl.edu/titles/31556#?c=0&m=78&s=0&cv=4&r=0&xywh=-92%2C3590%2C3944%2C2523 ++# says "Scarcely have the people become accustomed to this new time, when ++# another official notice has now appeared announcing that from and after the ++# 1st July next, return will be made to local mean time." ++# ++# From P Chan (2020-11-27): ++# On 1914-01-01, standard time of GMT+0:30 was adopted for the unified Nigeria. ++# Colonial Reports - Annual. No. 878. Nigeria. Report for 1914. (April 1916), ++# p 27 ++# https://libsysdigi.library.illinois.edu/ilharvest/Africana/Books2011-05/3064634/3064634_1914/3064634_1914_opt.pdf#page=27 ++# "On January 1st [1914], a universal standard time for Nigeria was adopted, ++# viz., half an hour fast on Greenwich mean time, corresponding to the meridian ++# 7 [degrees] 30' E. long." ++# Lloyd's Register of Shipping (1915) says "Hitherto the time observed in Lagos ++# was the local mean time. On 1st January, 1914, standard time for the whole of ++# Nigeria was introduced ... Lagos time has been advanced about 16 minutes ++# accordingly." ++# ++# In 1919, standard time was changed to GMT+1. ++# Interpretation Ordinance (Cap 2) ++# The Laws of Nigeria, Containing the Ordinances of Nigeria, in Force on the ++# 1st Day of January, 1923, Vol.I [p 16] ++# https://books.google.com/books?id=BOMrAQAAMAAJ&pg=PA16 ++# "The expression 'Standard time' means standard time as used in Nigeria: ++# namely, 60 minutes in advance of Greenwich mean time. (As amended by 18 of ++# 1919, s. 
2.)" ++# From Tim Parenti (2020-12-10): ++# The Lagos Weekly Record, 1919-09-20, p 3 details discussion on the first ++# reading of this Bill by the Legislative Council of the Colony of Nigeria on ++# Thursday 1919-08-28: ++# http://ddsnext.crl.edu/titles/31558?terms&item_id=303484#?m=1118&c=1&s=0&cv=2&r=0&xywh=1261%2C3408%2C2994%2C1915 ++# "The proposal is that the Globe should be divided into twelve zones East and ++# West of Greenwich, of one hour each, Nigeria falling into the zone with a ++# standard of one hour fast on Greenwich Mean Time. Nigeria standard time is ++# now 30 minutes in advance of Greenwich Mean Time ... according to the new ++# proposal, standard time will be advanced another 30 minutes". It was further ++# proposed that the firing of the time guns likewise be adjusted by 30 minutes ++# to compensate. ++# From Tim Parenti (2020-12-10), per P Chan (2020-12-11): ++# The text of Ordinance 18 of 1919, published in Nigeria Gazette, Vol 6, No 52, ++# shows that the change was assented to the following day and took effect "on ++# the 1st day of September, 1919." ++# Nigeria Gazette and Supplements 1919 Jan-Dec, Reference: 73266B-40, ++# img 245-246 ++# https://microform.digital/boa/collections/77/volumes/539/nigeria-lagos-1887-1919 ++ + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone Africa/Lagos 0:13:36 - LMT 1919 Sep ++Zone Africa/Lagos 0:13:35 - LMT 1905 Jul 1 ++ 0:00 - GMT 1908 Jul 1 ++ 0:13:35 - LMT 1914 Jan 1 ++ 0:30 - +0030 1919 Sep 1 + 1:00 - WAT + Link Africa/Lagos Africa/Bangui # Central African Republic + Link Africa/Lagos Africa/Brazzaville # Rep. of the Congo +@@ -1298,8 +1453,21 @@ + # See Africa/Abidjan. + + # Seychelles ++ ++# From P Chan (2020-11-27): ++# Standard Time was adopted on 1907-01-01. ++# ++# Standard Time Ordinance (Chapter 237) ++# The Laws of Seychelles in Force on the 31st December, 1971, Vol. 
6, p 571 ++# https://books.google.com/books?id=efE-AQAAIAAJ&pg=PA571 ++# ++# From Tim Parenti (2020-12-05): ++# A footnote on https://books.google.com/books?id=DYdDAQAAMAAJ&pg=PA1689 ++# confirms that Ordinance No. 9 of 1906 "was brought into force on the 1st ++# January, 1907." ++ + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone Indian/Mahe 3:41:48 - LMT 1906 Jun # Victoria ++Zone Indian/Mahe 3:41:48 - LMT 1907 Jan 1 # Victoria + 4:00 - +04 + # From Paul Eggert (2001-05-30): + # Aldabra, Farquhar, and Desroches, originally dependencies of the +@@ -1359,11 +1527,17 @@ + 3:00 - EAT 2017 Nov 1 + 2:00 - CAT + ++# From Steffen Thorsen (2021-01-18): ++# "South Sudan will change its time zone by setting the clock back 1 ++# hour on February 1, 2021...." ++# from https://eyeradio.org/south-sudan-adopts-new-time-zone-makuei/ ++ + # South Sudan + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Africa/Juba 2:06:28 - LMT 1931 + 2:00 Sudan CA%sT 2000 Jan 15 12:00 +- 3:00 - EAT ++ 3:00 - EAT 2021 Feb 1 00:00 ++ 2:00 - CAT + + # Tanzania + # See Africa/Nairobi. +--- contrib/tzdata/asia.orig ++++ contrib/tzdata/asia +@@ -1723,40 +1723,180 @@ + # high on my favorite-country list (and not only because my wife's + # family is from India). + +-# From Shanks & Pottenger: ++# From P Chan (2020-10-27), with corrections: ++# ++# 1940-1946 Supplement No. 2 to the Palestine Gazette ++# # issue page Order No. 
dated start end note ++# 1 1010 729 67 of 1940 1940-05-22 1940-05-31* 1940-09-30* revoked by #2 ++# 2 1013 758 73 of 1940 1940-05-31 1940-05-31 1940-09-30 ++# 3 1055 1574 196 of 1940 1940-11-06 1940-11-16 1940-12-31 ++# 4 1066 1811 208 of 1940 1940-12-17 1940-12-31 1941-12-31 ++# 5 1156 1967 116 of 1941 1941-12-16 1941-12-31 1942-12-31* amended by #6 ++# 6 1228 1608 86 of 1942 1942-10-14 1941-12-31 1942-10-31 ++# 7 1256 279 21 of 1943 1943-03-18 1943-03-31 1943-10-31 ++# 8 1323 249 19 of 1944 1944-03-13 1944-03-31 1944-10-31 ++# 9 1402 328 20 of 1945 1945-04-05 1945-04-15 1945-10-31 ++#10 1487 596 14 of 1946 1946-04-04 1946-04-15 1946-10-31 ++# ++# 1948 Iton Rishmi (Official Gazette of the Provisional Government) ++# # issue page dated start end ++#11 2 7 1948-05-20 1948-05-22 1948-10-31* ++# ^This moved timezone to +04, replaced by #12 from 1948-08-31 24:00 GMT. ++#12 17 (Annex B) 84 1948-08-22 1948-08-31 1948-10-31 ++# ++# 1949-2000 Kovetz HaTakanot (Collection of Regulations) ++# # issue page dated start end note ++#13 6 133 1949-03-23 1949-04-30 1949-10-31 ++#14 80 755 1950-03-17 1950-04-15 1950-09-14 ++#15 164 782 1951-03-22 1951-03-31 1951-09-29* amended by #16 ++#16 206 1940 1951-09-23 ---------- 1951-10-22* amended by #17 ++#17 212 78 1951-10-19 ---------- 1951-11-10 ++#18 254 652 1952-03-03 1952-04-19 1952-09-27* amended by #19 ++#19 300 11 1952-09-15 ---------- 1952-10-18 ++#20 348 817 1953-03-03 1953-04-11 1953-09-12 ++#21 420 385 1954-02-17 1954-06-12 1954-09-11 ++#22 497 548 1955-01-14 1955-06-11 1955-09-10 ++#23 591 608 1956-03-12 1956-06-02 1956-09-29 ++#24 680 957 1957-02-08 1957-04-27 1957-09-21 ++#25 3192 1418 1974-06-28 1974-07-06 1974-10-12 ++#26 3322 1389 1975-04-03 1975-04-19 1975-08-30 ++#27 4146 2089 1980-07-15 1980-08-02 1980-09-13 ++#28 4604 1081 1984-02-22 1984-05-05* 1984-08-25* revoked by #29 ++#29 4619 1312 1984-04-06 1984-05-05 1984-08-25 ++#30 4744 475 1984-12-23 1985-04-13 1985-09-14* amended by #31 ++#31 4851 1848 1985-08-18 
---------- 1985-08-31 ++#32 4932 899 1986-04-22 1986-05-17 1986-09-06 ++#33 5013 580 1987-02-15 1987-04-18* 1987-08-22* revoked by #34 ++#34 5021 744 1987-03-30 1987-04-14 1987-09-12 ++#35 5096 659 1988-02-14 1988-04-09 1988-09-03 ++#36 5167 514 1989-02-03 1989-04-29 1989-09-02 ++#37 5248 375 1990-01-23 1990-03-24 1990-08-25 ++#38 5335 612 1991-02-10 1991-03-09* 1991-08-31 amended by #39 ++# 1992-03-28 1992-09-05 ++#39 5339 709 1991-03-04 1991-03-23 ---------- ++#40 5506 503 1993-02-18 1993-04-02 1993-09-05 ++# 1994-04-01 1994-08-28 ++# 1995-03-31 1995-09-03 ++#41 5731 438 1996-01-01 1996-03-14 1996-09-15 ++# 1997-03-13* 1997-09-18* overridden by 1997 Temp Prov ++# 1998-03-19* 1998-09-17* revoked by #42 ++#42 5853 1243 1997-09-18 1998-03-19 1998-09-05 ++#43 5937 77 1998-10-18 1999-04-02 1999-09-03 ++# 2000-04-14* 2000-09-15* revoked by #44 ++# 2001-04-13* 2001-09-14* revoked by #44 ++#44 6024 39 2000-03-14 2000-04-14 2000-10-22* overridden by 2000 Temp Prov ++# 2001-04-06* 2001-10-10* overridden by 2000 Temp Prov ++# 2002-03-29* 2002-10-29* overridden by 2000 Temp Prov ++# ++# These are laws enacted by the Knesset since the Minister could only alter the ++# transition dates at least six months in advanced under the 1992 Law. ++# dated start end ++# 1997 Temporary Provisions 1997-03-06 1997-03-20 1997-09-13 ++# 2000 Temporary Provisions 2000-07-28 ---------- 2000-10-06 ++# 2001-04-09 2001-09-24 ++# 2002-03-29 2002-10-07 ++# 2003-03-28 2003-10-03 ++# 2004-04-07 2004-09-22 ++# Note: ++# Transition times in 1940-1957 (#1-#24) were midnight GMT, ++# in 1974-1998 (#25-#42 and the 1997 Temporary Provisions) were midnight, ++# in 1999-April 2000 (#43,#44) were 02:00, ++# in the 2000 Temporary Provisions were 01:00. 
++#
++# -----------------------------------------------------------------------------
++# Links:
++# 1 https://findit.library.yale.edu/images_layout/view?parentoid=15537490&increment=687
++# 2 https://findit.library.yale.edu/images_layout/view?parentoid=15537490&increment=716
++# 3 https://findit.library.yale.edu/images_layout/view?parentoid=15537491&increment=721
++# 4 https://findit.library.yale.edu/images_layout/view?parentoid=15537491&increment=958
++# 5 https://findit.library.yale.edu/images_layout/view?parentoid=15537502&increment=558
++# 6 https://findit.library.yale.edu/images_layout/view?parentoid=15537511&increment=105
++# 7 https://findit.library.yale.edu/images_layout/view?parentoid=15537516&increment=278
++# 8 https://findit.library.yale.edu/images_layout/view?parentoid=15537522&increment=248
++# 9 https://findit.library.yale.edu/images_layout/view?parentoid=15537530&increment=329
++#10 https://findit.library.yale.edu/images_layout/view?parentoid=15537537&increment=601
++#11 https://www.nevo.co.il/law_word/law12/er-002.pdf#page=3
++#12 https://www.nevo.co.il/law_word/law12/er-017-t2.pdf#page=4
++#13 https://www.nevo.co.il/law_word/law06/tak-0006.pdf#page=3
++#14 https://www.nevo.co.il/law_word/law06/tak-0080.pdf#page=7
++#15 https://www.nevo.co.il/law_word/law06/tak-0164.pdf#page=10
++#16 https://www.nevo.co.il/law_word/law06/tak-0206.pdf#page=4
++#17 https://www.nevo.co.il/law_word/law06/tak-0212.pdf#page=2
++#18 https://www.nevo.co.il/law_word/law06/tak-0254.pdf#page=4
++#19 https://www.nevo.co.il/law_word/law06/tak-0300.pdf#page=5
++#20 https://www.nevo.co.il/law_word/law06/tak-0348.pdf#page=3
++#21 https://www.nevo.co.il/law_word/law06/tak-0420.pdf#page=5
++#22 https://www.nevo.co.il/law_word/law06/tak-0497.pdf#page=10
++#23 https://www.nevo.co.il/law_word/law06/tak-0591.pdf#page=6
++#24 https://www.nevo.co.il/law_word/law06/tak-0680.pdf#page=3
++#25 https://www.nevo.co.il/law_word/law06/tak-3192.pdf#page=2
++#26 https://www.nevo.co.il/law_word/law06/tak-3322.pdf#page=5
++#27 https://www.nevo.co.il/law_word/law06/tak-4146.pdf#page=2
++#28 https://www.nevo.co.il/law_word/law06/tak-4604.pdf#page=7
++#29 https://www.nevo.co.il/law_word/law06/tak-4619.pdf#page=2
++#30 https://www.nevo.co.il/law_word/law06/tak-4744.pdf#page=11
++#31 https://www.nevo.co.il/law_word/law06/tak-4851.pdf#page=2
++#32 https://www.nevo.co.il/law_word/law06/tak-4932.pdf#page=19
++#33 https://www.nevo.co.il/law_word/law06/tak-5013.pdf#page=8
++#34 https://www.nevo.co.il/law_word/law06/tak-5021.pdf#page=8
++#35 https://www.nevo.co.il/law_word/law06/tak-5096.pdf#page=3
++#36 https://www.nevo.co.il/law_word/law06/tak-5167.pdf#page=2
++#37 https://www.nevo.co.il/law_word/law06/tak-5248.pdf#page=7
++#38 https://www.nevo.co.il/law_word/law06/tak-5335.pdf#page=6
++#39 https://www.nevo.co.il/law_word/law06/tak-5339.pdf#page=7
++#40 https://www.nevo.co.il/law_word/law06/tak-5506.pdf#page=19
++#41 https://www.nevo.co.il/law_word/law06/tak-5731.pdf#page=2
++#42 https://www.nevo.co.il/law_word/law06/tak-5853.pdf#page=3
++#43 https://www.nevo.co.il/law_word/law06/tak-5937.pdf#page=9
++#44 https://www.nevo.co.il/law_word/law06/tak-6024.pdf#page=4
++#
++# Time Determination (Temporary Provisions) Law, 1997
++# https://www.nevo.co.il/law_html/law19/p201_003.htm
++#
++# Time Determination (Temporary Provisions) Law, 2000
++# https://www.nevo.co.il/law_html/law19/p201_004.htm
++#
++# Time Determination Law, 1992 and amendments
++# https://www.nevo.co.il/law_html/law01/p201_002.htm
++# https://main.knesset.gov.il/Activity/Legislation/Laws/Pages/LawPrimary.aspx?lawitemid=2001174
++
++# From Paul Eggert (2020-10-27):
++# Several of the midnight transitions mentioned above are ambiguous;
++# are they 00:00, 00:00s, 24:00, or 24:00s? When resolving these ambiguities,
++# try to minimize changes from previous tzdb versions, for lack of better info.
++# Commentary from previous versions is included below, to help explain this.
++ + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S +-Rule Zion 1940 only - Jun 1 0:00 1:00 D +-Rule Zion 1942 1944 - Nov 1 0:00 0 S +-Rule Zion 1943 only - Apr 1 2:00 1:00 D +-Rule Zion 1944 only - Apr 1 0:00 1:00 D +-Rule Zion 1945 only - Apr 16 0:00 1:00 D +-Rule Zion 1945 only - Nov 1 2:00 0 S +-Rule Zion 1946 only - Apr 16 2:00 1:00 D +-Rule Zion 1946 only - Nov 1 0:00 0 S +-Rule Zion 1948 only - May 23 0:00 2:00 DD +-Rule Zion 1948 only - Sep 1 0:00 1:00 D +-Rule Zion 1948 1949 - Nov 1 2:00 0 S +-Rule Zion 1949 only - May 1 0:00 1:00 D +-Rule Zion 1950 only - Apr 16 0:00 1:00 D +-Rule Zion 1950 only - Sep 15 3:00 0 S +-Rule Zion 1951 only - Apr 1 0:00 1:00 D +-Rule Zion 1951 only - Nov 11 3:00 0 S +-Rule Zion 1952 only - Apr 20 2:00 1:00 D +-Rule Zion 1952 only - Oct 19 3:00 0 S +-Rule Zion 1953 only - Apr 12 2:00 1:00 D +-Rule Zion 1953 only - Sep 13 3:00 0 S +-Rule Zion 1954 only - Jun 13 0:00 1:00 D +-Rule Zion 1954 only - Sep 12 0:00 0 S +-Rule Zion 1955 only - Jun 11 2:00 1:00 D +-Rule Zion 1955 only - Sep 11 0:00 0 S +-Rule Zion 1956 only - Jun 3 0:00 1:00 D +-Rule Zion 1956 only - Sep 30 3:00 0 S +-Rule Zion 1957 only - Apr 29 2:00 1:00 D +-Rule Zion 1957 only - Sep 22 0:00 0 S +-Rule Zion 1974 only - Jul 7 0:00 1:00 D +-Rule Zion 1974 only - Oct 13 0:00 0 S +-Rule Zion 1975 only - Apr 20 0:00 1:00 D +-Rule Zion 1975 only - Aug 31 0:00 0 S ++Rule Zion 1940 only - May 31 24:00u 1:00 D ++Rule Zion 1940 only - Sep 30 24:00u 0 S ++Rule Zion 1940 only - Nov 16 24:00u 1:00 D ++Rule Zion 1942 1946 - Oct 31 24:00u 0 S ++Rule Zion 1943 1944 - Mar 31 24:00u 1:00 D ++Rule Zion 1945 1946 - Apr 15 24:00u 1:00 D ++Rule Zion 1948 only - May 22 24:00u 2:00 DD ++Rule Zion 1948 only - Aug 31 24:00u 1:00 D ++Rule Zion 1948 1949 - Oct 31 24:00u 0 S ++Rule Zion 1949 only - Apr 30 24:00u 1:00 D ++Rule Zion 1950 only - Apr 15 24:00u 1:00 D ++Rule Zion 1950 only - Sep 14 24:00u 0 S ++Rule Zion 1951 only - Mar 31 24:00u 1:00 D ++Rule Zion 1951 only - Nov 10 24:00u 0 S ++Rule 
Zion 1952 only - Apr 19 24:00u 1:00 D ++Rule Zion 1952 only - Oct 18 24:00u 0 S ++Rule Zion 1953 only - Apr 11 24:00u 1:00 D ++Rule Zion 1953 only - Sep 12 24:00u 0 S ++Rule Zion 1954 only - Jun 12 24:00u 1:00 D ++Rule Zion 1954 only - Sep 11 24:00u 0 S ++Rule Zion 1955 only - Jun 11 24:00u 1:00 D ++Rule Zion 1955 only - Sep 10 24:00u 0 S ++Rule Zion 1956 only - Jun 2 24:00u 1:00 D ++Rule Zion 1956 only - Sep 29 24:00u 0 S ++Rule Zion 1957 only - Apr 27 24:00u 1:00 D ++Rule Zion 1957 only - Sep 21 24:00u 0 S ++Rule Zion 1974 only - Jul 6 24:00 1:00 D ++Rule Zion 1974 only - Oct 12 24:00 0 S ++Rule Zion 1975 only - Apr 19 24:00 1:00 D ++Rule Zion 1975 only - Aug 30 24:00 0 S + + # From Alois Treindl (2019-03-06): + # http://www.moin.gov.il/Documents/שעון%20קיץ/clock-50-years-7-2014.pdf +@@ -1769,25 +1909,24 @@ + # From Paul Eggert (2019-03-06): + # Also see this thread about the moin.gov.il URL: + # https://mm.icann.org/pipermail/tz/2018-November/027194.html +-Rule Zion 1980 only - Aug 2 0:00 1:00 D +-Rule Zion 1980 only - Sep 13 1:00 0 S +-Rule Zion 1984 only - May 5 0:00 1:00 D +-Rule Zion 1984 only - Aug 25 1:00 0 S +- +-# From Shanks & Pottenger: +-Rule Zion 1985 only - Apr 14 0:00 1:00 D +-Rule Zion 1985 only - Sep 15 0:00 0 S +-Rule Zion 1986 only - May 18 0:00 1:00 D +-Rule Zion 1986 only - Sep 7 0:00 0 S +-Rule Zion 1987 only - Apr 15 0:00 1:00 D +-Rule Zion 1987 only - Sep 13 0:00 0 S ++Rule Zion 1980 only - Aug 2 24:00s 1:00 D ++Rule Zion 1980 only - Sep 13 24:00s 0 S ++Rule Zion 1984 only - May 5 24:00s 1:00 D ++Rule Zion 1984 only - Aug 25 24:00s 0 S ++ ++Rule Zion 1985 only - Apr 13 24:00 1:00 D ++Rule Zion 1985 only - Aug 31 24:00 0 S ++Rule Zion 1986 only - May 17 24:00 1:00 D ++Rule Zion 1986 only - Sep 6 24:00 0 S ++Rule Zion 1987 only - Apr 14 24:00 1:00 D ++Rule Zion 1987 only - Sep 12 24:00 0 S + + # From Avigdor Finkelstein (2014-03-05): + # I check the Parliament (Knesset) records and there it's stated that the + # [1988] transition should take 
place on Saturday night, when the Sabbath + # ends and changes to Sunday. +-Rule Zion 1988 only - Apr 10 0:00 1:00 D +-Rule Zion 1988 only - Sep 4 0:00 0 S ++Rule Zion 1988 only - Apr 9 24:00 1:00 D ++Rule Zion 1988 only - Sep 3 24:00 0 S + + # From Ephraim Silverberg + # (1997-03-04, 1998-03-16, 1998-12-28, 2000-01-17, 2000-07-25, 2004-12-22, +@@ -1817,14 +1956,14 @@ + # (the eve of the 7th of Tishrei in the lunar Hebrew calendar). + + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S +-Rule Zion 1989 only - Apr 30 0:00 1:00 D +-Rule Zion 1989 only - Sep 3 0:00 0 S +-Rule Zion 1990 only - Mar 25 0:00 1:00 D +-Rule Zion 1990 only - Aug 26 0:00 0 S +-Rule Zion 1991 only - Mar 24 0:00 1:00 D +-Rule Zion 1991 only - Sep 1 0:00 0 S +-Rule Zion 1992 only - Mar 29 0:00 1:00 D +-Rule Zion 1992 only - Sep 6 0:00 0 S ++Rule Zion 1989 only - Apr 29 24:00 1:00 D ++Rule Zion 1989 only - Sep 2 24:00 0 S ++Rule Zion 1990 only - Mar 24 24:00 1:00 D ++Rule Zion 1990 only - Aug 25 24:00 0 S ++Rule Zion 1991 only - Mar 23 24:00 1:00 D ++Rule Zion 1991 only - Aug 31 24:00 0 S ++Rule Zion 1992 only - Mar 28 24:00 1:00 D ++Rule Zion 1992 only - Sep 5 24:00 0 S + Rule Zion 1993 only - Apr 2 0:00 1:00 D + Rule Zion 1993 only - Sep 5 0:00 0 S + +@@ -1853,10 +1992,10 @@ + # where YYYY is the relevant year. 
+ + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S +-Rule Zion 1996 only - Mar 15 0:00 1:00 D +-Rule Zion 1996 only - Sep 16 0:00 0 S +-Rule Zion 1997 only - Mar 21 0:00 1:00 D +-Rule Zion 1997 only - Sep 14 0:00 0 S ++Rule Zion 1996 only - Mar 14 24:00 1:00 D ++Rule Zion 1996 only - Sep 15 24:00 0 S ++Rule Zion 1997 only - Mar 20 24:00 1:00 D ++Rule Zion 1997 only - Sep 13 24:00 0 S + Rule Zion 1998 only - Mar 20 0:00 1:00 D + Rule Zion 1998 only - Sep 6 0:00 0 S + Rule Zion 1999 only - Apr 2 2:00 1:00 D +@@ -1908,14 +2047,15 @@ + Rule Zion 2011 only - Oct 2 2:00 0 S + Rule Zion 2012 only - Sep 23 2:00 0 S + +-# From Ephraim Silverberg (2013-06-27): +-# On June 23, 2013, the Israeli government approved changes to the +-# Time Decree Law. The next day, the changes passed the First Reading +-# in the Knesset. The law is expected to pass the Second and Third +-# (final) Readings by the beginning of September 2013. +-# +-# As of 2013, DST starts at 02:00 on the Friday before the last Sunday +-# in March. DST ends at 02:00 on the last Sunday of October. ++# From Ephraim Silverberg (2020-10-26): ++# The current time law (2013) from the State of Israel can be viewed ++# (in Hebrew) at: ++# ftp://ftp.cs.huji.ac.il/pub/tz/israel/announcements/2013+law.pdf ++# It translates to: ++# Every year, in the period from the Friday before the last Sunday in ++# the month of March at 02:00 a.m. until the last Sunday of the month ++# of October at 02:00 a.m., Israel Time will be advanced an additional ++# hour such that it will be UTC+3. + + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Zion 2013 max - Mar Fri>=23 2:00 1:00 D +--- contrib/tzdata/australasia.orig ++++ contrib/tzdata/australasia +@@ -14,16 +14,13 @@ + # Please see the notes below for the controversy about "EST" versus "AEST" etc. 
+ + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S +-Rule Aus 1917 only - Jan 1 0:01 1:00 D +-Rule Aus 1917 only - Mar 25 2:00 0 S +-Rule Aus 1942 only - Jan 1 2:00 1:00 D +-Rule Aus 1942 only - Mar 29 2:00 0 S +-Rule Aus 1942 only - Sep 27 2:00 1:00 D +-Rule Aus 1943 1944 - Mar lastSun 2:00 0 S +-Rule Aus 1943 only - Oct 3 2:00 1:00 D +-# Go with Whitman and the Australian National Standards Commission, which +-# says W Australia didn't use DST in 1943/1944. Ignore Whitman's claim that +-# 1944/1945 was just like 1943/1944. ++Rule Aus 1917 only - Jan 1 2:00s 1:00 D ++Rule Aus 1917 only - Mar lastSun 2:00s 0 S ++Rule Aus 1942 only - Jan 1 2:00s 1:00 D ++Rule Aus 1942 only - Mar lastSun 2:00s 0 S ++Rule Aus 1942 only - Sep 27 2:00s 1:00 D ++Rule Aus 1943 1944 - Mar lastSun 2:00s 0 S ++Rule Aus 1943 only - Oct 3 2:00s 1:00 D + + # Zone NAME STDOFF RULES FORMAT [UNTIL] + # Northern Territory +@@ -115,8 +112,12 @@ + # says King Island didn't observe DST from WWII until late 1971. + # + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S ++Rule AT 1916 only - Oct Sun>=1 2:00s 1:00 D ++Rule AT 1917 only - Mar lastSun 2:00s 0 S ++Rule AT 1917 1918 - Oct Sun>=22 2:00s 1:00 D ++Rule AT 1918 1919 - Mar Sun>=1 2:00s 0 S + Rule AT 1967 only - Oct Sun>=1 2:00s 1:00 D +-Rule AT 1968 only - Mar lastSun 2:00s 0 S ++Rule AT 1968 only - Mar Sun>=29 2:00s 0 S + Rule AT 1968 1985 - Oct lastSun 2:00s 1:00 D + Rule AT 1969 1971 - Mar Sun>=8 2:00s 0 S + Rule AT 1972 only - Feb lastSun 2:00s 0 S +@@ -136,15 +137,9 @@ + Rule AT 2008 max - Apr Sun>=1 2:00s 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Australia/Hobart 9:49:16 - LMT 1895 Sep +- 10:00 - AEST 1916 Oct 1 2:00 +- 10:00 1:00 AEDT 1917 Feb ++ 10:00 AT AE%sT 1919 Oct 24 + 10:00 Aus AE%sT 1967 + 10:00 AT AE%sT +-Zone Australia/Currie 9:35:28 - LMT 1895 Sep +- 10:00 - AEST 1916 Oct 1 2:00 +- 10:00 1:00 AEDT 1917 Feb +- 10:00 Aus AE%sT 1971 Jul +- 10:00 AT AE%sT + + # Victoria + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S +@@ -873,13 
+868,36 @@ + + + # Vanuatu ++ ++# From P Chan (2020-11-27): ++# Joint Daylight Saving Regulation No 59 of 1973 ++# New Hebrides Condominium Gazette No 336. December 1973 ++# http://www.paclii.org/vu/other/VUNHGovGaz//1973/11.pdf#page=15 ++# ++# Joint Daylight Saving (Repeal) Regulation No 10 of 1974 ++# New Hebrides Condominium Gazette No 336. March 1974 ++# http://www.paclii.org/vu/other/VUNHGovGaz//1974/3.pdf#page=11 ++# ++# Summer Time Act No. 35 of 1982 [commenced 1983-09-01] ++# http://www.paclii.org/vu/other/VUGovGaz/1982/32.pdf#page=48 ++# ++# Summer Time Act (Cap 157) ++# Laws of the Republic of Vanuatu Revised Edition 1988 ++# http://www.paclii.org/cgi-bin/sinodisp/vu/legis/consol_act1988/sta147/sta147.html ++# ++# Summer Time (Amendment) Act No. 6 of 1991 [commenced 1991-11-11] ++# http://www.paclii.org/vu/legis/num_act/sta1991227/ ++# ++# Summer Time (Repeal) Act No. 4 of 1993 [commenced 1993-05-03] ++# http://www.paclii.org/vu/other/VUGovGaz/1993/15.pdf#page=59 ++ + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S +-Rule Vanuatu 1983 only - Sep 25 0:00 1:00 - +-Rule Vanuatu 1984 1991 - Mar Sun>=23 0:00 0 - +-Rule Vanuatu 1984 only - Oct 23 0:00 1:00 - +-Rule Vanuatu 1985 1991 - Sep Sun>=23 0:00 1:00 - +-Rule Vanuatu 1992 1993 - Jan Sun>=23 0:00 0 - +-Rule Vanuatu 1992 only - Oct Sun>=23 0:00 1:00 - ++Rule Vanuatu 1973 only - Dec 22 12:00u 1:00 - ++Rule Vanuatu 1974 only - Mar 30 12:00u 0 - ++Rule Vanuatu 1983 1991 - Sep Sat>=22 24:00 1:00 - ++Rule Vanuatu 1984 1991 - Mar Sat>=22 24:00 0 - ++Rule Vanuatu 1992 1993 - Jan Sat>=22 24:00 0 - ++Rule Vanuatu 1992 only - Oct Sat>=22 24:00 1:00 - + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Pacific/Efate 11:13:16 - LMT 1912 Jan 13 # Vila + 11:00 Vanuatu +11/+12 +@@ -958,6 +976,25 @@ + # Electronic Journal of Australian and New Zealand History (1997-03-03) + # http://www.jcu.edu.au/aff/history/reviews/davison.htm + ++# From P Chan (2020-11-20): ++# Daylight Saving Act 1916 (No. 
40 of 1916) [1916-12-21, commenced 1917-01-01] ++# http://classic.austlii.edu.au/au/legis/cth/num_act/dsa1916401916192/ ++# ++# Daylight Saving Repeal Act 1917 (No. 35 of 1917) [1917-09-25] ++# http://classic.austlii.edu.au/au/legis/cth/num_act/dsra1917351917243/ ++# ++# Statutory Rules 1941, No. 323 [1941-12-24] ++# https://www.legislation.gov.au/Details/C1941L00323 ++# ++# Statutory Rules 1942, No. 392 [1942-09-10] ++# https://www.legislation.gov.au/Details/C1942L00392 ++# ++# Statutory Rules 1943, No. 241 [1943-09-29] ++# https://www.legislation.gov.au/Details/C1943L00241 ++# ++# All transition times should be 02:00 standard time. ++ ++ + # From Paul Eggert (2005-12-08): + # Implementation Dates of Daylight Saving Time within Australia + # http://www.bom.gov.au/climate/averages/tables/dst_times.shtml +@@ -1350,6 +1387,27 @@ + + # Tasmania + ++# From P Chan (2020-11-20): ++# Tasmania observed DST in 1916-1919. ++# ++# Daylight Saving Act, 1916 (7 Geo V, No 2) [1916-09-22] ++# http://classic.austlii.edu.au/au/legis/tas/num_act/tdsa19167gvn2267/ ++# ++# Daylight Saving Amendment Act, 1917 (8 Geo V, No 5) [1917-10-01] ++# http://classic.austlii.edu.au/au/legis/tas/num_act/tdsaa19178gvn5347/ ++# ++# Daylight Saving Act Repeal Act, 1919 (10 Geo V, No 9) [1919-10-24] ++# http://classic.austlii.edu.au/au/legis/tas/num_act/tdsara191910gvn9339/ ++# ++# King Island is mentioned in the 1967 Act but not the 1968 Act. ++# Therefore it possibly observed DST from 1968/69. ++# ++# Daylight Saving Act 1967 (No. 33 of 1967) [1967-09-22] ++# http://classic.austlii.edu.au/au/legis/tas/num_act/dsa196733o1967211/ ++# ++# Daylight Saving Act 1968 (No. 42 of 1968) [1968-10-15] ++# http://classic.austlii.edu.au/au/legis/tas/num_act/dsa196842o1968211/ ++ + # The rules for 1967 through 1991 were reported by George Shepherd + # via Simon Woodhead via Robert Elz (1991-03-06): + # # The state of TASMANIA.. 
[Courtesy Tasmanian Dept of Premier + Cabinet ] +--- contrib/tzdata/backward.orig ++++ contrib/tzdata/backward +@@ -49,6 +49,7 @@ + Link Europe/Oslo Atlantic/Jan_Mayen + Link Australia/Sydney Australia/ACT + Link Australia/Sydney Australia/Canberra ++Link Australia/Hobart Australia/Currie + Link Australia/Lord_Howe Australia/LHI + Link Australia/Sydney Australia/NSW + Link Australia/Darwin Australia/North +--- contrib/tzdata/backzone.orig ++++ contrib/tzdata/backzone +@@ -623,6 +623,12 @@ + -0:22:48 - JMT 1951 # Jamestown Mean Time + 0:00 - GMT + ++# King Island ++Zone Australia/Currie 9:35:28 - LMT 1895 Sep ++ 10:00 AT AE%sT 1919 Oct 24 ++ 10:00 Aus AE%sT 1968 Oct 15 ++ 10:00 AT AE%sT ++ + # Northern Ireland + Zone Europe/Belfast -0:23:40 - LMT 1880 Aug 2 + -0:25:21 - DMT 1916 May 21 2:00 +--- contrib/tzdata/etcetera.orig ++++ contrib/tzdata/etcetera +@@ -3,12 +3,11 @@ + # This file is in the public domain, so clarified as of + # 2009-05-17 by Arthur David Olson. + +-# These entries are mostly present for historical reasons, so that +-# people in areas not otherwise covered by the tz files could "zic -l" +-# to a timezone that was right for their area. These days, the +-# tz files cover almost all the inhabited world, and the only practical +-# need now for the entries that are not on UTC are for ships at sea +-# that cannot use POSIX TZ settings. ++# These entries are for uses not otherwise covered by the tz database. ++# Their main practical use is for platforms like Android that lack ++# support for POSIX-style TZ strings. On such platforms these entries ++# can be useful if the timezone database is wrong or if a ship or ++# aircraft at sea is not in a timezone. + + # Starting with POSIX 1003.1-2001, the entries below are all + # unnecessary as settings for the TZ environment variable. 
E.g., +--- contrib/tzdata/europe.orig ++++ contrib/tzdata/europe +@@ -2892,6 +2892,19 @@ + # The law has been published today on + # http://publication.pravo.gov.ru/Document/View/0001201810110037 + ++# From Alexander Krivenyshev (2020-11-27): ++# The State Duma approved (Nov 24, 2020) the transition of the Volgograd ++# region to the Moscow time zone.... ++# https://sozd.duma.gov.ru/bill/1012130-7 ++# ++# From Stepan Golosunov (2020-12-05): ++# Currently proposed text for the second reading (expected on December 8) ... ++# changes the date to December 27. https://v1.ru/text/gorod/2020/12/04/69601031/ ++# ++# From Stepan Golosunov (2020-12-22): ++# The law was published today on ++# http://publication.pravo.gov.ru/Document/View/0001202012220002 ++ + Zone Europe/Volgograd 2:57:40 - LMT 1920 Jan 3 + 3:00 - +03 1930 Jun 21 + 4:00 - +04 1961 Nov 11 +@@ -2901,7 +2914,8 @@ + 3:00 Russia +03/+04 2011 Mar 27 2:00s + 4:00 - +04 2014 Oct 26 2:00s + 3:00 - +03 2018 Oct 28 2:00s +- 4:00 - +04 ++ 4:00 - +04 2020 Dec 27 2:00s ++ 3:00 - +03 + + # From Paul Eggert (2016-11-11): + # Europe/Saratov covers: +--- contrib/tzdata/leap-seconds.list.orig ++++ contrib/tzdata/leap-seconds.list +@@ -204,10 +204,10 @@ + # current -- the update time stamp, the data and the name of the file + # will not change. + # +-# Updated through IERS Bulletin C60 +-# File expires on: 28 June 2021 ++# Updated through IERS Bulletin C61 ++# File expires on: 28 December 2021 + # +-#@ 3833827200 ++#@ 3849638400 + # + 2272060800 10 # 1 Jan 1972 + 2287785600 11 # 1 Jul 1972 +@@ -252,4 +252,4 @@ + # the hash line is also ignored in the + # computation. 
+ # +-#h 064356a8 39268b92 76e4d5ef 3e22fae1 0cca529c ++#h 2ab8253d d4380d28 75f01343 381504f8 8f8a4bfc +--- contrib/tzdata/leapseconds.orig ++++ contrib/tzdata/leapseconds +@@ -6,6 +6,10 @@ + # NIST format leap-seconds.list file, which can be copied from + # <ftp://ftp.nist.gov/pub/time/leap-seconds.list> + # or <ftp://ftp.boulder.nist.gov/pub/time/leap-seconds.list>. ++# The NIST file is used instead of its IERS upstream counterpart ++# <https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list> ++# because under US law the NIST file is public domain ++# whereas the IERS file's copyright and license status is unclear. + # For more about leap-seconds.list, please see + # The NTP Timescale and Leap Seconds + # <https://www.eecis.udel.edu/~mills/leap.html>. +@@ -68,11 +72,11 @@ + # Any additional leap seconds will come after this. + # This Expires line is commented out for now, + # so that pre-2020a zic implementations do not reject this file. +-#Expires 2021 Jun 28 00:00:00 ++#Expires 2021 Dec 28 00:00:00 + + # POSIX timestamps for the data in this file: + #updated 1467936000 (2016-07-08 00:00:00 UTC) +-#expires 1624838400 (2021-06-28 00:00:00 UTC) ++#expires 1640649600 (2021-12-28 00:00:00 UTC) + +-# Updated through IERS Bulletin C60 +-# File expires on: 28 June 2021 ++# Updated through IERS Bulletin C61 ++# File expires on: 28 December 2021 +--- contrib/tzdata/leapseconds.awk.orig ++++ contrib/tzdata/leapseconds.awk +@@ -24,6 +24,10 @@ + print "# NIST format leap-seconds.list file, which can be copied from" + print "# <ftp://ftp.nist.gov/pub/time/leap-seconds.list>" + print "# or <ftp://ftp.boulder.nist.gov/pub/time/leap-seconds.list>." ++ print "# The NIST file is used instead of its IERS upstream counterpart" ++ print "# <https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list>" ++ print "# because under US law the NIST file is public domain" ++ print "# whereas the IERS file's copyright and license status is unclear." 
+ print "# For more about leap-seconds.list, please see" + print "# The NTP Timescale and Leap Seconds" + print "# <https://www.eecis.udel.edu/~mills/leap.html>." +--- contrib/tzdata/northamerica.orig ++++ contrib/tzdata/northamerica +@@ -2234,7 +2234,7 @@ + # to say eight hours behind Greenwich Time. + # + # * O.I.C. 1980/02 INTERPRETATION ACT +-# [no online source found] ++# https://mm.icann.org/pipermail/tz/attachments/20201125/d5adc93b/CAYTOIC1980-02DST1980-01-04-0001.pdf + # + # * Yukon Daylight Saving Time, YOIC 1987/56 + # https://www.canlii.org/en/yk/laws/regu/yoic-1987-56/latest/yoic-1987-56.html +@@ -2935,12 +2935,38 @@ + # + # For 1899 Milne gives -5:09:29.5; round that. + # ++# From P Chan (2020-11-27, corrected on 2020-12-02): ++# There were two periods of DST observed in 1942-1945: 1942-05-01 ++# midnight to 1944-12-31 midnight and 1945-02-01 to 1945-10-17 midnight. ++# "midnight" should mean 24:00 from the context. ++# ++# War Time Order 1942 [1942-05-01] and War Time (No. 2) Order 1942 [1942-09-29] ++# Appendix to the Statutes of 7 George VI. and the Year 1942. p 34, 43 ++# https://books.google.com/books?id=5rlNAQAAIAAJ&pg=RA3-PA34 ++# https://books.google.com/books?id=5rlNAQAAIAAJ&pg=RA3-PA43 ++# ++# War Time Order 1943 [1943-03-31] and War Time Order 1944 [1943-12-29] ++# Appendix to the Statutes of 8 George VI. and the Year 1943. p 9-10, 28-29 ++# https://books.google.com/books?id=5rlNAQAAIAAJ&pg=RA4-PA9 ++# https://books.google.com/books?id=5rlNAQAAIAAJ&pg=RA4-PA28 ++# ++# War Time Order 1945 [1945-01-31] and the Order which revoke War Time Order ++# 1945 [1945-10-16] Appendix to the Statutes of 9 George VI. and the Year ++# 1945. p 160, 247-248 ++# https://books.google.com/books?id=5rlNAQAAIAAJ&pg=RA6-PA160 ++# https://books.google.com/books?id=5rlNAQAAIAAJ&pg=RA6-PA247 ++# + # From Sue Williams (2006-12-07): + # The Bahamas announced about a month ago that they plan to change their DST + # rules to sync with the U.S. starting in 2007.... 
+ # http://www.jonesbahamas.com/?c=45&a=10412 + + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S ++Rule Bahamas 1942 only - May 1 24:00 1:00 W ++Rule Bahamas 1944 only - Dec 31 24:00 0 S ++Rule Bahamas 1945 only - Feb 1 0:00 1:00 W ++Rule Bahamas 1945 only - Aug 14 23:00u 1:00 P # Peace ++Rule Bahamas 1945 only - Oct 17 24:00 0 S + Rule Bahamas 1964 1975 - Oct lastSun 2:00 0 S + Rule Bahamas 1964 1975 - Apr lastSun 2:00 1:00 D + # Zone NAME STDOFF RULES FORMAT [UNTIL] +@@ -2964,34 +2990,161 @@ + -4:00 Barb A%sT + + # Belize +-# Whitman entirely disagrees with Shanks; go with Shanks & Pottenger. ++ ++# From P Chan (2020-11-03): ++# Below are some laws related to the time in British Honduras/Belize: ++# ++# Definition of Time Ordinance, 1927 (No.4 of 1927) [1927-04-01] ++# Ordinances of British Honduras Passed in the Year 1927, p 19-20 ++# https://books.google.com/books?id=LqEpAQAAMAAJ&pg=RA3-PA19 ++# ++# Definition of Time (Amendment) Ordinance, 1942 (No. 5 of 1942) [1942-06-27] ++# Ordinances of British Honduras Passed in the Year 1942, p 31-32 ++# https://books.google.com/books?id=h6MpAQAAMAAJ&pg=RA6-PA95-IA44 ++# ++# Definition of Time Ordinance, 1945 (No. 19 of 1945) [1945-12-15] ++# Ordinances of British Honduras Passed in the Year 1945, p 49-50 ++# https://books.google.com/books?id=xaMpAQAAMAAJ&pg=RA2-PP1 ++# ++# Definition of Time Ordinance, 1947 (No. 1 of 1947) [1947-03-11] ++# Ordinances of British Honduras Passed in the Year 1947, p 1-2 ++# https://books.google.com/books?id=xaMpAQAAMAAJ&pg=RA3-PA1 ++# ++# Time (Definition of) Ordinance (Chapter 180) ++# The Laws of British Honduras in Force on the 15th Day of September, 1958 , Volume IV, p 2580 ++# https://books.google.com/books?id=v5QpAQAAMAAJ&pg=PA2580 ++# ++# Time (Definition of) (Amendment) Ordinance, 1968 (No. 
13 of 1968) [1968-08-03] ++# https://books.google.com/books?id=xij7KEB_58wC&pg=RA1-PA428-IA9 ++# ++# Definition of Time Act (Chapter 339) ++# Law of Belize, Revised Edition 2000 ++# http://www.belizelaw.org/web/lawadmin/PDF%20files/cap339.pdf ++ ++# From Paul Eggert (2020-11-03): ++# The transitions below are derived from P Chan's sources, except that the ++# 1973 through 1983 transitions are from Shanks & Pottenger since we have ++# no better data there. ++ + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S +-Rule Belize 1918 1942 - Oct Sun>=2 0:00 0:30 -0530 +-Rule Belize 1919 1943 - Feb Sun>=9 0:00 0 CST ++Rule Belize 1918 1941 - Oct Sat>=1 24:00 0:30 -0530 ++Rule Belize 1919 1942 - Feb Sat>=8 24:00 0 CST ++Rule Belize 1942 only - Jun 27 24:00 1:00 CWT ++Rule Belize 1945 only - Aug 14 23:00u 1:00 CPT ++Rule Belize 1945 only - Dec 15 24:00 0 CST ++Rule Belize 1947 1967 - Oct Sat>=1 24:00 0:30 -0530 ++Rule Belize 1948 1968 - Feb Sat>=8 24:00 0 CST + Rule Belize 1973 only - Dec 5 0:00 1:00 CDT + Rule Belize 1974 only - Feb 9 0:00 0 CST + Rule Belize 1982 only - Dec 18 0:00 1:00 CDT + Rule Belize 1983 only - Feb 12 0:00 0 CST + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Belize -5:52:48 - LMT 1912 Apr ++Zone America/Belize -5:52:48 - LMT 1912 Apr 1 + -6:00 Belize %s + + # Bermuda + ++# From Paul Eggert (2020-11-24): + # For 1899 Milne gives -4:19:18.3 as the meridian of the clock tower, +-# Bermuda dockyard, Ireland I; round that. ++# Bermuda dockyard, Ireland I. This agrees with standard offset given in the ++# Daylight Saving Act, 1917 cited below. Round that to the nearest second. ++# It is not known when this time became standard for Bermuda; guess 1890. ++# The transition to -04 was specified by: ++# 1930: The Time Zone Act, 1929 (1929: No. 
39) [1929-11-08] ++# https://books.google.com/books?id=7tdMAQAAIAAJ&pg=RA54-PP1 ++ ++# From P Chan (2020-11-20): ++# Most of the information can be found online from the Bermuda National ++# Library - Digital Collection which includes The Royal Gazette (RG) until 1957 ++# https://bnl.contentdm.oclc.org/digital/ ++# I will cite the ID. For example, [10000] means ++# https://bnl.contentdm.oclc.org/digital/collection/BermudaNP02/id/10000 ++# ++# 1917: Apr 5 midnight to Sep 30 midnight ++# Daylight Saving Act, 1917 (1917 No. 13) [1917-04-02] ++# Bermuda Acts and Resolves 1917, p 37-38 ++# https://books.google.com/books?id=M-lCAQAAMAAJ&pg=PA36-IA2 ++# RG, 1917-04-04, p 6 [42340] gives the spring forward date. ++# ++# 1918: Apr 13 midnight to Sep 15 midnight ++# Daylight Saving Act, 1918 (1918 No. 9) [1918-04-06] ++# Bermuda Acts and Resolves 1917, p 13 ++# https://books.google.com/books?id=K-lCAQAAMAAJ&pg=RA1-PA7 ++# ++# Note that local mean time was still used before 1930. ++# ++# During WWII, DST was introduced by Defence Regulations ++# 1942: Jan 11 02:00 to Oct 18 02:00 [113646], [115726] ++# 1943: Mar 21 02:00 to Oct 31 02:00 [116704], [118193] ++# 1944: Mar 12 02:00 to Nov 5 02:00 [119225], [121593] ++# 1945: Mar 11 02:00 to Nov 4 02:00 [122369], [124461] ++# RG, 1942-01-08, p 2, 1942-10-12, p 2 , 1943-03-06, p 2, 1943-09-03, p 1, ++# 1944-02-29, p 6, 1944-09-20, p 2, 1945-02-13, p 2, 1945-11-03, p 1 ++# ++# In 1946, the House of Assembly rejected DST twice. [128686], [128076] ++# RG, 1946-03-16 p 1,1946-04-13 p 1 ++# ++# 1947: third Sunday in May 02:00 to second Sunday in September 02:00 ++# DST in 1947 was defined in the Daylight Saving Act, 1947 (1947: No. 12) ++# which expired at the end of the year. 
[125784] ,[132405], [144454], [138226] ++# RG, 1947-02-27, p 1, 1947-05-15, p 1, 1947-09-13, p 1, 1947-12-30, p 1 ++# ++# 1948-1952: fourth Sunday in May 02:00 to first Sunday in September 02:00 ++# DST in 1948 was defined in the Daylight Saving Act, 1948 (1948 : No. 12) ++# which was set to expired at the end of the year but it was extended until ++# the end of 1952 and was not further extended. ++# [129802], [139403], [146008], [135240], [144330], [139049], [143309], ++# [148271], [149773], [153589], [153802], [155924] ++# RG, 1948-04-13, p 1, 1948-05-22, p 1, 1948-09-04, p 1, 1949-05-21, p1, ++# 1949-09-03, p 1, 1950-05-27 p 1, 1950-09-02, p 1, 1951-05-27, p 1, ++# 1951-09-01, p 1, 1952-05-23, p 1, 1952-09-26, p 1, 1952-12-21, p 8 ++# ++# In 1953-1955, the House of Assembly rejected DST each year. [158996], ++# [162620], [166720] RG, 1953-05-02, p 1, 1954-04-01 p 1, 1955-03-12, p 1 ++# ++# 1956: fourth Sunday in May 02:00 to last Sunday in October 02:00 ++# Time Zone (Seasonal Variation) Act, 1956 (1956: No.44) [1956-05-25] ++# Bermuda Public Acts 1956, p 331-332 ++# https://books.google.com/books?id=Xs1AlmD_cEwC&pg=PA63 ++# ++# The extension of the Act was rejected by the House of Assembly. [176218] ++# RG, 1956-12-13, p 1 ++# ++# From the Chronological Table of Public and Private Acts up to 1985, it seems ++# that there does not exist other Acts related to DST before 1973. ++# https://books.google.com/books?id=r9hMAQAAIAAJ&pg=RA23-PA1 ++# Public Acts of the Legislature of the Islands of Bermuda, Together with ++# Statutory Instruments in Force Thereunder, Vol VII + + # From Dan Jones, reporting in The Royal Gazette (2006-06-26): +- + # Next year, however, clocks in the US will go forward on the second Sunday + # in March, until the first Sunday in November. And, after the Time Zone + # (Seasonal Variation) Bill 2006 was passed in the House of Assembly on + # Friday, the same thing will happen in Bermuda. 
+ # http://www.theroyalgazette.com/apps/pbcs.dll/article?AID=/20060529/NEWS/105290135 + ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S ++Rule Bermuda 1917 only - Apr 5 24:00 1:00 - ++Rule Bermuda 1917 only - Sep 30 24:00 0 - ++Rule Bermuda 1918 only - Apr 13 24:00 1:00 - ++Rule Bermuda 1918 only - Sep 15 24:00 0 S ++Rule Bermuda 1942 only - Jan 11 2:00 1:00 D ++Rule Bermuda 1942 only - Oct 18 2:00 0 S ++Rule Bermuda 1943 only - Mar 21 2:00 1:00 D ++Rule Bermuda 1943 only - Oct 31 2:00 0 S ++Rule Bermuda 1944 1945 - Mar Sun>=8 2:00 1:00 D ++Rule Bermuda 1944 1945 - Nov Sun>=1 2:00 0 S ++Rule Bermuda 1947 only - May Sun>=15 2:00 1:00 D ++Rule Bermuda 1947 only - Sep Sun>=8 2:00 0 S ++Rule Bermuda 1948 1952 - May Sun>=22 2:00 1:00 D ++Rule Bermuda 1948 1952 - Sep Sun>=1 2:00 0 S ++Rule Bermuda 1956 only - May Sun>=22 2:00 1:00 D ++Rule Bermuda 1956 only - Oct lastSun 2:00 0 S ++ + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone Atlantic/Bermuda -4:19:18 - LMT 1930 Jan 1 2:00 # Hamilton +- -4:00 - AST 1974 Apr 28 2:00 ++Zone Atlantic/Bermuda -4:19:18 - LMT 1890 # Hamilton ++ -4:19:18 Bermuda BMT/BST 1930 Jan 1 2:00 ++ -4:00 Bermuda A%sT 1974 Apr 28 2:00 + -4:00 Canada A%sT 1976 + -4:00 US A%sT + +@@ -3574,7 +3727,7 @@ + # "Eastern Standard Times Begins 2007 + # Clocks are set back one hour at 2:00 a.m. local Daylight Saving Time" + # indicating that the normal ET rules are followed. +-# ++ + # From Paul Eggert (2014-08-19): + # The 2014-08-13 Cabinet meeting decided to stay on UT -04 year-round. See: + # http://tcweeklynews.com/daylight-savings-time-to-be-maintained-p5353-127.htm +@@ -3589,19 +3742,42 @@ + # during the summer months and Standard Time, also known as Local + # Time, during the winter months with effect from April 2018 ... + # https://www.gov.uk/government/news/turks-and-caicos-post-cabinet-meeting-statement--3 +-# + # From Paul Eggert (2017-08-26): + # The date of effect of the spring 2018 change appears to be March 11, + # which makes more sense. 
See: Hamilton D. Time change back + # by March 2018 for TCI. Magnetic Media. 2017-08-25. + # http://magneticmediatv.com/2017/08/time-change-back-by-march-2018-for-tci/ + # ++# From P Chan (2020-11-27): ++# Standard Time Declaration Order 2015 (L.N. 15/2015) ++# http://online.fliphtml5.com/fizd/czin/#p=2 ++# ++# Standard Time Declaration Order 2017 (L.N. 31/2017) ++# http://online.fliphtml5.com/fizd/dmcu/#p=2 ++# ++# From Tim Parenti (2020-12-05): ++# Although L.N. 31/2017 reads that it "shall come into operation at 2:00 a.m. ++# on 11th March 2018", a precise interpretation here poses some problems. The ++# order states that "the standard time to be observed throughout the Turks and ++# Caicos Islands shall be the same time zone as the Eastern United States of ++# America" and further clarifies "[f]or the avoidance of doubt" that it ++# "applies to the Eastern Standard Time as well as any changes thereto for ++# Daylight Saving Time." However, as clocks in Turks and Caicos approached ++# 02:00 -04, and thus the declared implementation time, it was still 01:00 EST ++# (-05), as DST in the Eastern US would not start until an hour later. ++# ++# Since it is unlikely that those on the islands switched their clocks twice in ++# the span of an hour, we assume instead that the adoption of EDT actually took ++# effect once clocks in the Eastern US had sprung forward, from 03:00 -04. ++# This discrepancy only affects the time zone abbreviation and DST flag for the ++# intervening hour, not wall clock times, as -04 was maintained throughout. 
++ + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone America/Grand_Turk -4:44:32 - LMT 1890 + -5:07:10 - KMT 1912 Feb # Kingston Mean Time + -5:00 - EST 1979 +- -5:00 US E%sT 2015 Nov Sun>=1 2:00 +- -4:00 - AST 2018 Mar 11 3:00 ++ -5:00 US E%sT 2015 Mar 8 2:00 ++ -4:00 - AST 2018 Mar 11 3:00 + -5:00 US E%sT + + # British Virgin Is +--- contrib/tzdata/theory.html.orig ++++ contrib/tzdata/theory.html +@@ -474,8 +474,8 @@ + <p> + <small>These abbreviations are: + AMT Amsterdam, Asunción, Athens; +- BMT Baghdad, Bangkok, Batavia, Bern, Bogotá, Bridgetown, Brussels, +- Bucharest; ++ BMT Baghdad, Bangkok, Batavia, Bermuda, Bern, Bogotá, Bridgetown, ++ Brussels, Bucharest; + CMT Calamarca, Caracas, Chisinau, Colón, Copenhagen, Córdoba; + DMT Dublin/Dunsink; + EMT Easter; +@@ -506,6 +506,7 @@ + <small>A few abbreviations also follow the pattern that + <abbr>GMT</abbr>/<abbr>BST</abbr> established for time in the UK. + They are: ++ BMT/BST for Bermuda 1890–1930, + CMT/BST for Calamarca Mean Time and Bolivian Summer Time + 1890–1932, + DMT/IST for Dublin/Dunsink Mean Time and Irish Summer Time +--- contrib/tzdata/version.orig ++++ contrib/tzdata/version +@@ -1 +1 @@ +-2020d ++2021a +--- contrib/tzdata/ziguard.awk.orig ++++ contrib/tzdata/ziguard.awk +@@ -37,7 +37,7 @@ + + # If this line should differ due to Czechoslovakia using negative SAVE values, + # uncomment the desired version and comment out the undesired one. +- if (zone == "Europe/Prague" && /1947 Feb 23/) { ++ if (zone == "Europe/Prague" && /^#?[\t ]+[01]:00[\t ]/ && /1947 Feb 23/) { + if (($(in_comment + 2) != "-") == vanguard) { + uncomment = in_comment + } else { +@@ -65,10 +65,11 @@ + # uncomment the desired version and comment out the undesired one. 
+ Rule_Namibia = /^#?Rule[\t ]+Namibia[\t ]/ + Zone_using_Namibia_rule \ +- = (zone == "Africa/Windhoek" \ ++ = (zone == "Africa/Windhoek" && /^#?[\t ]+[12]:00[\t ]/ \ + && ($(in_comment + 2) == "Namibia" \ +- || (1994 <= $(in_comment + 4) && $(in_comment + 4) <= 2017) \ +- || in_comment + 3 == NF)) ++ || ($(in_comment + 2) == "-" && $(in_comment + 3) == "CAT" \ ++ && ((1994 <= $(in_comment + 4) && $(in_comment + 4) <= 2017) \ ++ || in_comment + 3 == NF)))) + if (Rule_Namibia || Zone_using_Namibia_rule) { + if ((Rule_Namibia \ + ? ($(in_comment + 9) ~ /^-/ \ +--- contrib/tzdata/zone.tab.orig ++++ contrib/tzdata/zone.tab +@@ -56,8 +56,7 @@ + AT +4813+01620 Europe/Vienna + AU -3133+15905 Australia/Lord_Howe Lord Howe Island + AU -5430+15857 Antarctica/Macquarie Macquarie Island +-AU -4253+14719 Australia/Hobart Tasmania (most areas) +-AU -3956+14352 Australia/Currie Tasmania (King Island) ++AU -4253+14719 Australia/Hobart Tasmania + AU -3749+14458 Australia/Melbourne Victoria + AU -3352+15113 Australia/Sydney New South Wales (most areas) + AU -3157+14127 Australia/Broken_Hill New South Wales (Yancowinna) +@@ -130,9 +129,9 @@ + CA +4906-11631 America/Creston MST - BC (Creston) + CA +5946-12014 America/Dawson_Creek MST - BC (Dawson Cr, Ft St John) + CA +5848-12242 America/Fort_Nelson MST - BC (Ft Nelson) ++CA +6043-13503 America/Whitehorse MST - Yukon (east) ++CA +6404-13925 America/Dawson MST - Yukon (west) + CA +4916-12307 America/Vancouver Pacific - BC (most areas) +-CA +6043-13503 America/Whitehorse Pacific - Yukon (east) +-CA +6404-13925 America/Dawson Pacific - Yukon (west) + CC -1210+09655 Indian/Cocos + CD -0418+01518 Africa/Kinshasa Dem. Rep. of Congo (west) + CD -1140+02728 Africa/Lubumbashi Dem. Rep. of Congo (east) +@@ -337,8 +336,8 @@ + # Programs should use zone1970.tab instead; see above. 
+ UA +4457+03406 Europe/Simferopol Crimea + RU +5836+04939 Europe/Kirov MSK+00 - Kirov ++RU +4844+04425 Europe/Volgograd MSK+00 - Volgograd + RU +4621+04803 Europe/Astrakhan MSK+01 - Astrakhan +-RU +4844+04425 Europe/Volgograd MSK+01 - Volgograd + RU +5134+04602 Europe/Saratov MSK+01 - Saratov + RU +5420+04824 Europe/Ulyanovsk MSK+01 - Ulyanovsk + RU +5312+05009 Europe/Samara MSK+01 - Samara, Udmurtia +--- contrib/tzdata/zone1970.tab.orig ++++ contrib/tzdata/zone1970.tab +@@ -64,8 +64,7 @@ + AT +4813+01620 Europe/Vienna + AU -3133+15905 Australia/Lord_Howe Lord Howe Island + AU -5430+15857 Antarctica/Macquarie Macquarie Island +-AU -4253+14719 Australia/Hobart Tasmania (most areas) +-AU -3956+14352 Australia/Currie Tasmania (King Island) ++AU -4253+14719 Australia/Hobart Tasmania + AU -3749+14458 Australia/Melbourne Victoria + AU -3352+15113 Australia/Sydney New South Wales (most areas) + AU -3157+14127 Australia/Broken_Hill New South Wales (Yancowinna) +@@ -128,9 +127,9 @@ + CA +4906-11631 America/Creston MST - BC (Creston) + CA +5946-12014 America/Dawson_Creek MST - BC (Dawson Cr, Ft St John) + CA +5848-12242 America/Fort_Nelson MST - BC (Ft Nelson) ++CA +6043-13503 America/Whitehorse MST - Yukon (east) ++CA +6404-13925 America/Dawson MST - Yukon (west) + CA +4916-12307 America/Vancouver Pacific - BC (most areas) +-CA +6043-13503 America/Whitehorse Pacific - Yukon (east) +-CA +6404-13925 America/Dawson Pacific - Yukon (west) + CC -1210+09655 Indian/Cocos + CH,DE,LI +4723+00832 Europe/Zurich Swiss time + CI,BF,GM,GN,ML,MR,SH,SL,SN,TG +0519-00402 Africa/Abidjan +@@ -293,8 +292,8 @@ + # Mention RU and UA alphabetically. See "territorial claims" above. 
+ RU,UA +4457+03406 Europe/Simferopol Crimea + RU +5836+04939 Europe/Kirov MSK+00 - Kirov ++RU +4844+04425 Europe/Volgograd MSK+00 - Volgograd + RU +4621+04803 Europe/Astrakhan MSK+01 - Astrakhan +-RU +4844+04425 Europe/Volgograd MSK+01 - Volgograd + RU +5134+04602 Europe/Saratov MSK+01 - Saratov + RU +5420+04824 Europe/Ulyanovsk MSK+01 - Ulyanovsk + RU +5312+05009 Europe/Samara MSK+01 - Samara, Udmurtia diff --git a/website/static/security/patches/EN-21:01/tzdata-2021a.patch.asc b/website/static/security/patches/EN-21:01/tzdata-2021a.patch.asc new file mode 100644 index 0000000000..ae76c0013c --- /dev/null +++ b/website/static/security/patches/EN-21:01/tzdata-2021a.patch.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbgVfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cL0kQ//RYNiBRCzjAawttj9Wz6ryKf1rTERp1FJ17NpLRzRHp/WnjTKZ4uyEqGn +pb4VWPbhVjiiCCyA0zvwGAOF5Yviv1UR79i5U+G0ErxVPdQKapqoQ240CY09eObG +rqKGLJIhdXIyEEPK9YrYYDUb0kAwOzpnvt3xgPH1sph0QT8fga0bffnr2sDthDu7 +b5NOKMA51JkB1G2tlevHGUXrTnh+gZntXApSYVZ8/c8jKqnzAdcm9Co80hb8oVuC +yWwEM7s2v/HTF0NUPPIz3PfAETLWCzVHGb0ZjXdZO6rd1BV6Zm1TIZ4wRoNOzl5n +4PQGmEQckxojDcDIUImF9EDS+8SxxnP3cDUyN3vIqmTKUkVjAIStqqq5AfFZBs0+ +CjvkX9v0LgaCNHfPPknUuldeORO4YLTc/6dj4Ern7gocHRE9/feBcHdV58XGQLB/ +jI92wckBD0G738TCKQg74rX21A3564h/cbThmsGUP05C2D1vW+jT+v9DJy15LpG6 +CIF9zU8IwLFKlzI28Oc8vLekgU/6E8z7V0+ObmpboRIVJTXetkRCN61SyIKSnJT+ +nZgIgvd22jTFXJh6j18SmQS6cN2kEq22AtYLimNKEgrsGcT7uMrWyTJQ6vJiooqc +a5txbMB2R4uRNv810IpMl0li2J0kshNBsnmsv0UxNQcAVyORBm8= +=ynES +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-21:02/extattr.patch b/website/static/security/patches/EN-21:02/extattr.patch new file mode 100644 index 0000000000..ce1908786d --- /dev/null +++ b/website/static/security/patches/EN-21:02/extattr.patch 
@@ -0,0 +1,11 @@
+--- sys/ufs/ffs/ffs_vnops.c.orig
++++ sys/ufs/ffs/ffs_vnops.c
+@@ -1663,7 +1663,7 @@
+ *p++ = ap->a_attrnamespace;
+ *p++ = eapad2;
+ *p++ = strlen(ap->a_name);
+- strcpy(p, ap->a_name);
++ memcpy(p, ap->a_name, strlen(ap->a_name));
+ p += strlen(ap->a_name);
+ bzero(p, eapad1);
+ p += eapad1;
diff --git a/website/static/security/patches/EN-21:02/extattr.patch.asc b/website/static/security/patches/EN-21:02/extattr.patch.asc
new file mode 100644
index 0000000000..a8d0eb4d21
--- /dev/null
+++ b/website/static/security/patches/EN-21:02/extattr.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbilfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLRwQ//cPFjEPuSDNSMa6NcQnDKo7pZ+0jYON5t8CSMj9CqxKs3V/wa6F9rB78l
+px6lkasBBFClmXH/lnVBrg8KTTD699Q8q7SHbydC7cG3XVB73QJnDjJrm6XgdcFt
+RKF546+h50JQBXqlW5JRpCCzqMzqzdqa5eFGjJfPI16TjbAuz8ywOez1PHTuTmuS
+lSJaT+UN78s5tD2D2WgQzzTG/o8umuJXisfCGFLsK7RI3p7c9N8QcrIGikrose9R
+yu/NFpfs/5iIE40VtTb6J/4PcOBlzfdjDv4EgAyRKzhTkFxPDgh3cgfh/gtJg9CV
+AZtf5K0qOufD79l1PA25znU3nf761VFQIyPv/sIT5nuhITm1WkPtV4mvHlN+bb9C
+tVF4HkLx6raghE5XnIAg0cFndVlS+zwAmzety/75W0h0AUqofrn4jbdcmeFGogG+
+BAtaPE39xWGJMT4R9zXMnF+mojX2GOqSKOyfshBrolsnkT9oEQQAVGb0N3ZxRT/2
+tmvV2Q01d5NORvtBlD0yvJ/qkihiF0UrfG+I9GJ2+gMjibpU/iZik8y0msboBYIB
+2zjf3DdNZY/n+hSN8cxN32maU0ZYl+he394rmMt0Lj1Ff7EuUz5RsKtzHoYPHoWm
+mTnXK/PUrJTEdvYxUzMbOsfM41Pqq476XYl/7B6bU4ZnSNlTxNM=
+=ntJx
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-21:03/vnet.patch b/website/static/security/patches/EN-21:03/vnet.patch
new file mode 100644
index 0000000000..0f875b029d
--- /dev/null
+++ b/website/static/security/patches/EN-21:03/vnet.patch
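Review bot: `strlen(ap->a_name)` is now evaluated three times in this block (the length byte, the `memcpy` and the pointer advance), and the length is stored through `*p++`, presumably a single byte, with no range check visible here, so an over-long name would be truncated in the header while the full name is still copied. Computing it once, e.g. `namelen = strlen(ap->a_name);` followed by `memcpy(p, ap->a_name, namelen); p += namelen;`, keeps the three uses in agreement. Whether the length is bounded earlier cannot be seen, because the enclosing function starts and ends outside the hunk. A short comment on the copy would also help, for instance `/* name is length-prefixed, not NUL-terminated: strcpy() wrote one byte past it */`.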
@@ -0,0 +1,291 @@ +--- sys/net/if.c.orig ++++ sys/net/if.c +@@ -274,6 +274,8 @@ + static void if_delgroups(struct ifnet *); + static void if_attach_internal(struct ifnet *, int, struct if_clone *); + static int if_detach_internal(struct ifnet *, int, struct if_clone **); ++static void if_link_ifnet(struct ifnet *); ++static bool if_unlink_ifnet(struct ifnet *, bool); + #ifdef VIMAGE + static void if_vmove(struct ifnet *, struct vnet *); + #endif +@@ -305,12 +307,8 @@ + + /* + * The global network interface list (V_ifnet) and related state (such as +- * if_index, if_indexlim, and ifindex_table) are protected by an sxlock and +- * an rwlock. Either may be acquired shared to stablize the list, but both +- * must be acquired writable to modify the list. This model allows us to +- * both stablize the interface list during interrupt thread processing, but +- * also to stablize it over long-running ioctls, without introducing priority +- * inversions and deadlocks. ++ * if_index, if_indexlim, and ifindex_table) are protected by an sxlock. ++ * This may be acquired to stabilise the list, or we may rely on NET_EPOCH. 
+ */ + struct rwlock ifnet_rwlock; + RW_SYSINIT_FLAGS(ifnet_rw, &ifnet_rwlock, "ifnet_rw", RW_RECURSE); +@@ -317,6 +315,9 @@ + struct sx ifnet_sxlock; + SX_SYSINIT_FLAGS(ifnet_sx, &ifnet_sxlock, "ifnet_sx", SX_RECURSE); + ++struct sx ifnet_detach_sxlock; ++SX_SYSINIT(ifnet_detach, &ifnet_detach_sxlock, "ifnet_detach_sx"); ++ + /* + * The allocation of network interfaces is a rather non-atomic affair; we + * need to select an index before we are ready to expose the interface for +@@ -476,17 +477,87 @@ + } + VNET_SYSUNINIT(vnet_if_uninit, SI_SUB_INIT_IF, SI_ORDER_FIRST, + vnet_if_uninit, NULL); ++#endif + + static void ++if_link_ifnet(struct ifnet *ifp) ++{ ++ ++ IFNET_WLOCK(); ++ CK_STAILQ_INSERT_TAIL(&V_ifnet, ifp, if_link); ++#ifdef VIMAGE ++ curvnet->vnet_ifcnt++; ++#endif ++ IFNET_WUNLOCK(); ++} ++ ++static bool ++if_unlink_ifnet(struct ifnet *ifp, bool vmove) ++{ ++ struct ifnet *iter; ++ int found = 0; ++ ++ IFNET_WLOCK(); ++ CK_STAILQ_FOREACH(iter, &V_ifnet, if_link) ++ if (iter == ifp) { ++ CK_STAILQ_REMOVE(&V_ifnet, ifp, ifnet, if_link); ++ if (!vmove) ++ ifp->if_flags |= IFF_DYING; ++ found = 1; ++ break; ++ } ++#ifdef VIMAGE ++ curvnet->vnet_ifcnt--; ++#endif ++ IFNET_WUNLOCK(); ++ ++ return (found); ++} ++ ++#ifdef VIMAGE ++static void + vnet_if_return(const void *unused __unused) + { + struct ifnet *ifp, *nifp; ++ struct ifnet **pending; ++ int found, i; + ++ i = 0; ++ ++ /* ++ * We need to protect our access to the V_ifnet tailq. Ordinarily we'd ++ * enter NET_EPOCH, but that's not possible, because if_vmove() calls ++ * if_detach_internal(), which waits for NET_EPOCH callbacks to ++ * complete. We can't do that from within NET_EPOCH. ++ * ++ * However, we can also use the IFNET_xLOCK, which is the V_ifnet ++ * read/write lock. We cannot hold the lock as we call if_vmove() ++ * though, as that presents LOR w.r.t ifnet_sx, in_multi_sx and iflib ++ * ctx lock. 
++ */ ++ IFNET_WLOCK(); ++ ++ pending = malloc(sizeof(struct ifnet *) * curvnet->vnet_ifcnt, ++ M_IFNET, M_WAITOK | M_ZERO); ++ + /* Return all inherited interfaces to their parent vnets. */ + CK_STAILQ_FOREACH_SAFE(ifp, &V_ifnet, if_link, nifp) { +- if (ifp->if_home_vnet != ifp->if_vnet) +- if_vmove(ifp, ifp->if_home_vnet); ++ if (ifp->if_home_vnet != ifp->if_vnet) { ++ found = if_unlink_ifnet(ifp, true); ++ MPASS(found); ++ ++ pending[i++] = ifp; ++ } + } ++ IFNET_WUNLOCK(); ++ ++ for (int j = 0; j < i; j++) { ++ sx_xlock(&ifnet_detach_sxlock); ++ if_vmove(pending[j], pending[j]->if_home_vnet); ++ sx_xunlock(&ifnet_detach_sxlock); ++ } ++ ++ free(pending, M_IFNET); + } + VNET_SYSUNINIT(vnet_if_return, SI_SUB_VNET_DONE, SI_ORDER_ANY, + vnet_if_return, NULL); +@@ -894,12 +965,7 @@ + } + #endif + +- IFNET_WLOCK(); +- CK_STAILQ_INSERT_TAIL(&V_ifnet, ifp, if_link); +-#ifdef VIMAGE +- curvnet->vnet_ifcnt++; +-#endif +- IFNET_WUNLOCK(); ++ if_link_ifnet(ifp); + + if (domain_init_status >= 2) + if_attachdomain1(ifp); +@@ -1037,9 +1103,15 @@ + void + if_detach(struct ifnet *ifp) + { ++ bool found; + + CURVNET_SET_QUIET(ifp->if_vnet); +- if_detach_internal(ifp, 0, NULL); ++ found = if_unlink_ifnet(ifp, false); ++ if (found) { ++ sx_slock(&ifnet_detach_sxlock); ++ if_detach_internal(ifp, 0, NULL); ++ sx_sunlock(&ifnet_detach_sxlock); ++ } + CURVNET_RESTORE(); + } + +@@ -1059,8 +1131,6 @@ + struct ifaddr *ifa; + int i; + struct domain *dp; +- struct ifnet *iter; +- int found = 0; + #ifdef VIMAGE + int shutdown; + +@@ -1067,39 +1137,11 @@ + shutdown = (ifp->if_vnet->vnet_state > SI_SUB_VNET && + ifp->if_vnet->vnet_state < SI_SUB_VNET_DONE) ? 
1 : 0; + #endif +- IFNET_WLOCK(); +- CK_STAILQ_FOREACH(iter, &V_ifnet, if_link) +- if (iter == ifp) { +- CK_STAILQ_REMOVE(&V_ifnet, ifp, ifnet, if_link); +- if (!vmove) +- ifp->if_flags |= IFF_DYING; +- found = 1; +- break; +- } +- IFNET_WUNLOCK(); +- if (!found) { +- /* +- * While we would want to panic here, we cannot +- * guarantee that the interface is indeed still on +- * the list given we don't hold locks all the way. +- */ +- return (ENOENT); +-#if 0 +- if (vmove) +- panic("%s: ifp=%p not on the ifnet tailq %p", +- __func__, ifp, &V_ifnet); +- else +- return; /* XXX this should panic as well? */ +-#endif +- } + + /* + * At this point we know the interface still was on the ifnet list + * and we removed it so we are in a stable state. + */ +-#ifdef VIMAGE +- curvnet->vnet_ifcnt--; +-#endif + epoch_wait_preempt(net_epoch_preempt); + + /* +@@ -1326,6 +1368,7 @@ + struct prison *pr; + struct ifnet *difp; + int shutdown; ++ bool found; + + /* Try to find the prison within our visibility. */ + sx_slock(&allprison_lock); +@@ -1362,6 +1405,9 @@ + } + CURVNET_RESTORE(); + ++ found = if_unlink_ifnet(ifp, true); ++ MPASS(found); ++ + /* Move the interface into the child jail/vnet. */ + if_vmove(ifp, pr->pr_vnet); + +@@ -1378,7 +1424,8 @@ + struct prison *pr; + struct vnet *vnet_dst; + struct ifnet *ifp; +- int shutdown; ++ int shutdown; ++ bool found; + + /* Try to find the prison within our visibility. */ + sx_slock(&allprison_lock); +@@ -1416,6 +1463,8 @@ + } + + /* Get interface back from child jail/vnet. 
*/ ++ found = if_unlink_ifnet(ifp, true); ++ MPASS(found); + if_vmove(ifp, vnet_dst); + CURVNET_RESTORE(); + +@@ -3100,8 +3149,12 @@ + goto out_noref; + case SIOCIFDESTROY: + error = priv_check(td, PRIV_NET_IFDESTROY); +- if (error == 0) ++ ++ if (error == 0) { ++ sx_slock(&ifnet_detach_sxlock); + error = if_clone_destroy(ifr->ifr_name); ++ sx_sunlock(&ifnet_detach_sxlock); ++ } + goto out_noref; + + case SIOCIFGCLONERS: +--- sys/net/if_var.h.orig ++++ sys/net/if_var.h +@@ -569,27 +569,11 @@ + extern struct rwlock ifnet_rwlock; + extern struct sx ifnet_sxlock; + +-#define IFNET_WLOCK() do { \ +- sx_xlock(&ifnet_sxlock); \ +- rw_wlock(&ifnet_rwlock); \ +-} while (0) +- +-#define IFNET_WUNLOCK() do { \ +- rw_wunlock(&ifnet_rwlock); \ +- sx_xunlock(&ifnet_sxlock); \ +-} while (0) +- +-/* +- * To assert the ifnet lock, you must know not only whether it's for read or +- * write, but also whether it was acquired with sleep support or not. +- */ +-#define IFNET_RLOCK_ASSERT() sx_assert(&ifnet_sxlock, SA_SLOCKED) ++#define IFNET_WLOCK() sx_xlock(&ifnet_sxlock) ++#define IFNET_WUNLOCK() sx_xunlock(&ifnet_sxlock) ++#define IFNET_RLOCK_ASSERT() sx_assert(&ifnet_sxlock, SA_SLOCKED) + #define IFNET_RLOCK_NOSLEEP_ASSERT() MPASS(in_epoch(net_epoch_preempt)) +-#define IFNET_WLOCK_ASSERT() do { \ +- sx_assert(&ifnet_sxlock, SA_XLOCKED); \ +- rw_assert(&ifnet_rwlock, RA_WLOCKED); \ +-} while (0) +- ++#define IFNET_WLOCK_ASSERT() sx_assert(&ifnet_sxlock, SA_XLOCKED) + #define IFNET_RLOCK() sx_slock(&ifnet_sxlock) + #define IFNET_RLOCK_NOSLEEP() struct epoch_tracker ifnet_rlock_et; epoch_enter_preempt(net_epoch_preempt, &ifnet_rlock_et) + #define IFNET_RUNLOCK() sx_sunlock(&ifnet_sxlock) diff --git a/website/static/security/patches/EN-21:03/vnet.patch.asc b/website/static/security/patches/EN-21:03/vnet.patch.asc new file mode 100644 index 0000000000..bac6f744af --- /dev/null +++ b/website/static/security/patches/EN-21:03/vnet.patch.asc 
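Review bot: In the new `if_unlink_ifnet()`, `curvnet->vnet_ifcnt--` runs whether or not the interface was found on `V_ifnet`, whereas the code removed from `if_detach_internal()` only decremented after the `!found` return. A call for an interface that is no longer on the list (the case `if_detach()` now guards with `if (found)`) would leave `vnet_ifcnt` smaller than the list, and `vnet_if_return()` sizes its `pending` array from that counter before filling it with `pending[i++]`. Moving the `#ifdef VIMAGE` decrement next to `found = 1;` inside the `if (iter == ifp)` branch keeps the counter tied to an actual removal. The function could also declare `found` as `bool` to match its return type.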
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbipfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLRyQ//du+e1JRQvV+xth02xPmDbklqvfsH9ge20DeExN/grbrqv1nLkGBP0I1j +CnxMMDPsm33fATsxa6HndAcQXDO4bRf0E7qjE+bgC1gJevCrCptXI7LaOgTWrlpP +0iszfjqF0DIJhXL7MiFVDYkt5EBvPkvJMBo1q3A7HKG8YKzZHI6EUa6g+yspHip0 +p4TKVexl7L4ERb0h8hDUIycAPSmK4lNn9SOlErD9mTUUYRp/xvkVdAV53xnuo2aD +zt/sqO7lPRP1oiOCp/8D2ZiMbtg6dzOKyw0xhfnsW8a/h0k7nthWKWL+KpyOQVpj +QZ/lYnzzqxu93/2cZSuGFpIUw3WKl67IlYNW0qtGsvXeFjpx85AqFyYueg00Wvew +jUQk0lONd6k2XkyMS/mYgYXOuadA5uzJwgffRuKNP7aVxXIXM+4PJFleJ86c0q2b +qRLUWeWC4l+1oYY+0YHEAzv0VWc+VQilcERgUXezwF40vbUIvc+AhAzUDIO919Yg +PBz8vAGiDPSfeveihTtuD9FTugw4oaM6mgxFBSnkrHK6EyNuwMk5kvHjx25rjuzX +eqVEE1gUaigGzXoy1FsFpUeaAr4/vZcwwVu9sZ2Oysyknm7c6j6q/kR1JzH8Y8am +H0NX4nlccagnfTy5aGPQWPrV8QHAmOYuzw6LltUZxcIMDdLSGH4= +=edmV +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-21:04/zfs.patch b/website/static/security/patches/EN-21:04/zfs.patch new file mode 100644 index 0000000000..f83ce9229d --- /dev/null +++ b/website/static/security/patches/EN-21:04/zfs.patch 
@@ -0,0 +1,150 @@ +--- cddl/contrib/opensolaris/lib/libzfs/common/libzfs_sendrecv.c.orig ++++ cddl/contrib/opensolaris/lib/libzfs/common/libzfs_sendrecv.c +@@ -613,8 +613,8 @@ + const char *fromsnap; + const char *tosnap; + boolean_t recursive; +- boolean_t verbose; + boolean_t replicate; ++ boolean_t verbose; + + /* + * The header nvlist is of the following format: +@@ -848,36 +848,36 @@ + rv = -1; + goto out; + } +- VERIFY(0 == nvlist_add_uint64(nvfs, "origin", +- origin->zfs_dmustats.dds_guid)); ++ fnvlist_add_uint64(nvfs, "origin", ++ origin->zfs_dmustats.dds_guid); + } + + /* iterate over props */ +- VERIFY(0 == nvlist_alloc(&nv, NV_UNIQUE_NAME, 0)); ++ nv = fnvlist_alloc(); + send_iterate_prop(zhp, nv); +- VERIFY(0 == nvlist_add_nvlist(nvfs, "props", nv)); +- nvlist_free(nv); ++ fnvlist_add_nvlist(nvfs, "props", nv); ++ fnvlist_free(nv); + + /* iterate over snaps, and set sd->parent_fromsnap_guid */ ++ sd->parent_fromsnap_guid = 0; ++ sd->parent_snaps = fnvlist_alloc(); ++ sd->snapprops = fnvlist_alloc(); + if (!sd->replicate && fromsnap_txg != 0) + min_txg = fromsnap_txg; + if (!sd->replicate && tosnap_txg != 0) + max_txg = tosnap_txg; +- sd->parent_fromsnap_guid = 0; +- VERIFY(0 == nvlist_alloc(&sd->parent_snaps, NV_UNIQUE_NAME, 0)); +- VERIFY(0 == nvlist_alloc(&sd->snapprops, NV_UNIQUE_NAME, 0)); + (void) zfs_iter_snapshots_sorted(zhp, send_iterate_snap, sd, + min_txg, max_txg); +- VERIFY(0 == nvlist_add_nvlist(nvfs, "snaps", sd->parent_snaps)); +- VERIFY(0 == nvlist_add_nvlist(nvfs, "snapprops", sd->snapprops)); ++ fnvlist_add_nvlist(nvfs, "snaps", sd->parent_snaps); ++ fnvlist_add_nvlist(nvfs, "snapprops", sd->snapprops); + fnvlist_free(sd->parent_snaps); + fnvlist_free(sd->snapprops); + + /* add this fs to nvlist */ + (void) snprintf(guidstring, sizeof (guidstring), + "0x%llx", (longlong_t)guid); +- VERIFY(0 == nvlist_add_nvlist(sd->fss, guidstring, nvfs)); +- nvlist_free(nvfs); ++ fnvlist_add_nvlist(sd->fss, guidstring, nvfs); ++ fnvlist_free(nvfs); + 
+ /* iterate over children */ + if (sd->recursive) +@@ -894,13 +894,12 @@ + + static int + gather_nvlist(libzfs_handle_t *hdl, const char *fsname, const char *fromsnap, +- const char *tosnap, boolean_t recursive, boolean_t verbose, +- boolean_t replicate, nvlist_t **nvlp, avl_tree_t **avlp) ++ const char *tosnap, boolean_t recursive, boolean_t replicate, ++ boolean_t verbose, nvlist_t **nvlp, avl_tree_t **avlp) + { + zfs_handle_t *zhp; +- int error; +- uint64_t min_txg = 0, max_txg = 0; + send_data_t sd = { 0 }; ++ int error; + + zhp = zfs_open(hdl, fsname, ZFS_TYPE_FILESYSTEM | ZFS_TYPE_VOLUME); + if (zhp == NULL) +@@ -911,8 +910,8 @@ + sd.fromsnap = fromsnap; + sd.tosnap = tosnap; + sd.recursive = recursive; +- sd.verbose = verbose; + sd.replicate = replicate; ++ sd.verbose = verbose; + + if ((error = send_iterate_fs(zhp, &sd)) != 0) { + nvlist_free(sd.fss); +@@ -1349,10 +1348,10 @@ + dump_filesystem(zfs_handle_t *zhp, void *arg) + { + int rv = 0; +- uint64_t min_txg = 0, max_txg = 0; + send_dump_data_t *sdd = arg; + boolean_t missingfrom = B_FALSE; + zfs_cmd_t zc = { 0 }; ++ uint64_t min_txg = 0, max_txg = 0; + + (void) snprintf(zc.zc_name, sizeof (zc.zc_name), "%s@%s", + zhp->zfs_name, sdd->tosnap); +@@ -1853,8 +1852,8 @@ + } + + err = gather_nvlist(zhp->zfs_hdl, zhp->zfs_name, +- fromsnap, tosnap, flags->replicate, flags->verbose, +- flags->replicate, &fss, &fsavl); ++ fromsnap, tosnap, flags->replicate, ++ flags->replicate, flags->verbose, &fss, &fsavl); + if (err) + goto err_out; + VERIFY(0 == nvlist_add_nvlist(hdrnv, "fss", fss)); +@@ -2497,7 +2496,7 @@ + VERIFY(0 == nvlist_alloc(&deleted, NV_UNIQUE_NAME, 0)); + + if ((error = gather_nvlist(hdl, tofs, fromsnap, NULL, +- recursive, B_FALSE, B_FALSE, &local_nv, &local_avl)) != 0) ++ recursive, recursive, B_FALSE, &local_nv, &local_avl)) != 0) + return (error); + + /* +--- sys/cddl/contrib/opensolaris/uts/common/sys/fs/zfs.h.orig ++++ sys/cddl/contrib/opensolaris/uts/common/sys/fs/zfs.h +@@ -881,6 +881,13 @@ + 
VDEV_INITIALIZE_COMPLETE + } vdev_initializing_state_t; + ++/* ++ * nvlist name constants. Facilitate restricting snapshot iteration range for ++ * the "list next snapshot" ioctl ++ */ ++#define SNAP_ITER_MIN_TXG "snap_iter_min_txg" ++#define SNAP_ITER_MAX_TXG "snap_iter_max_txg" ++ + /* + * Vdev statistics. Note: all fields should be 64-bit because this + * is passed between kernel and userland as an nvlist uint64 array. +@@ -1157,13 +1164,6 @@ + #define ZCP_DEFAULT_MEMLIMIT (10 * 1024 * 1024) + #define ZCP_MAX_MEMLIMIT (10 * ZCP_DEFAULT_MEMLIMIT) + +-/* +- * nvlist name constants. Facilitate restricting snapshot iteration range for +- * the "list next snapshot" ioctl +- */ +-#define SNAP_ITER_MIN_TXG "snap_iter_min_txg" +-#define SNAP_ITER_MAX_TXG "snap_iter_max_txg" +- + /* + * Sysevent payload members. ZFS will generate the following sysevents with the + * given payloads: diff --git a/website/static/security/patches/EN-21:04/zfs.patch.asc b/website/static/security/patches/EN-21:04/zfs.patch.asc new file mode 100644 index 0000000000..f386991ee1 --- /dev/null +++ b/website/static/security/patches/EN-21:04/zfs.patch.asc 
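Review bot: `gather_nvlist()` takes three adjacent `boolean_t` parameters whose order this patch swaps (`replicate` now precedes `verbose`), so a call left in the old order still compiles and silently exchanges the two flags. Both call sites shown pass bare values, `flags->replicate, flags->replicate, flags->verbose` and `recursive, recursive, B_FALSE`; annotating them, e.g. `recursive, recursive /* replicate */, B_FALSE /* verbose */`, makes the mapping checkable at a glance. The second call also changes `replicate` from `B_FALSE` to `recursive` with no comment saying why, which deserves one line at the call. The function is `static`, so any further callers would be in this file but outside the hunks shown.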
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbipfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJ9ow/9Hpft2BnP9cFpvRtXtc6J6Pw3s7iS36PHXJXiRTbif72pzUU0dhnGxXT1 +AA8YX8BvyoHOFxUDqTRFcG+/B6HOpjGEq9aqNiBsGxmA8OXPdtjg1nhR23QH+NNt +tJ5YTVztO2tq/VHri41Ez0ttMMYDIpdPAGJIsnJwzFGMgsXKFcNGhG1IXhSzpJOo +ZE3R0117MWETR07LJjK7aY5sAvCPA0rtWqosh8DtGa1Qz8k3nNVq91qikAdG2/Ea +ymICIz/x1vp9J6SUlMt/2Y3t9V3pCyrL2VwyKbBzKZ+PrJUxM9HgA1w5sMn3ANe0 +sT+Ijk3TbAkSkV01PgQsYIwX2mHAH38MKO5foq3oU3bLWCGkxu0jDlSvEgLCE5U+ +4jcJpbH1k1uLOKaLXH3FcK3X0ahIWwOr7ckvcKmsem4f18VLcfQuZ7qHQq3oQT/B +ooIvF4Xvv/3kfMK2mdMGza6x5AhkJHp4+cDJhw7CVvTWuo+jb+dQYSlrOVOaaaSl +OQDEqSaja+xGh02asMrtdrCm5+DoMfQ+28jMkb2QyA6IHhUkEa8xa/JBka9o71rZ +45KIlM7aFxiCACi4LScUNGh94qPnNkG9Mgez1O91nhiFMVCaUSdEDNkz4HMRseli +hPD2/3rUJ9pRRFcXMbZHrtXK7gwJ+A8Fd++MgYvedwbjke+efe4= +=mdRJ +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-21:05/libatomic.patch b/website/static/security/patches/EN-21:05/libatomic.patch new file mode 100644 index 0000000000..959e24bd51 --- /dev/null +++ b/website/static/security/patches/EN-21:05/libatomic.patch 
@@ -0,0 +1,71 @@
+--- contrib/llvm-project/compiler-rt/lib/builtins/atomic.c.orig
++++ contrib/llvm-project/compiler-rt/lib/builtins/atomic.c
+@@ -124,8 +124,8 @@
+ #define IS_LOCK_FREE_2 __c11_atomic_is_lock_free(2)
+ #define IS_LOCK_FREE_4 __c11_atomic_is_lock_free(4)
+
+-/// 32 bit PowerPC doesn't support 8-byte lock_free atomics
+-#if !defined(__powerpc64__) && defined(__powerpc__)
++/// 32 bit MIPS and PowerPC don't support 8-byte lock_free atomics
++#if defined(__mips__) || (!defined(__powerpc64__) && defined(__powerpc__))
+ #define IS_LOCK_FREE_8 0
+ #else
+ #define IS_LOCK_FREE_8 __c11_atomic_is_lock_free(8)
+--- lib/libcompiler_rt/Makefile.inc.orig
++++ lib/libcompiler_rt/Makefile.inc
+@@ -18,6 +18,8 @@
+ SRCF+= ashlti3
+ SRCF+= ashrdi3
+ SRCF+= ashrti3
++SRCF+= bswapdi2
++SRCF+= bswapsi2
+ SRCF+= clear_cache
+ SRCF+= clzdi2
+ SRCF+= clzsi2
+@@ -117,6 +119,14 @@
+ SRCF+= umoddi3
+ SRCF+= umodti3
+
++# Enable compiler-rt's atomic implementation only for clang, as it uses clang
++# specific builtins, and gcc packages usually come with their own libatomic.
++# Exclude arm which has its own implementations of atomic functions, below.
++.if "${COMPILER_TYPE}" == "clang" && \
++ !(${MACHINE_CPUARCH} == "arm" || ${MACHINE_CPUARCH} == "armv6")
++SRCF+= atomic
++.endif
++
+ # Avoid using SSE2 instructions on i386, if unsupported.
+ .if ${MACHINE_CPUARCH} == "i386" && empty(MACHINE_CPU:Msse2)
+ SRCS+= floatdidf.c
+@@ -215,12 +225,6 @@
+ SRCF+= stdatomic
+ .endif
+
+-.if "${COMPILER_TYPE}" == "clang" && \
+- (${MACHINE_ARCH} == "powerpc" || ${MACHINE_ARCH} == "powerpcspe")
+-SRCS+= atomic.c
+-CFLAGS.atomic.c+= -Wno-atomic-alignment
+-.endif
+-
+ .for file in ${SRCF}
+ .if ${MACHINE_ARCH:Marmv6*} && (!defined(CPUTYPE) || ${CPUTYPE:M*soft*} == "") \
+ && exists(${CRTSRC}/${CRTARCH}/${file}vfp.S)
+@@ -242,18 +246,9 @@
+ SRCS+= aeabi_memset.S
+ SRCS+= aeabi_uidivmod.S
+ SRCS+= aeabi_uldivmod.S
+-SRCS+= bswapdi2.S
+-SRCS+= bswapsi2.S
+ SRCS+= switch16.S
+ SRCS+= switch32.S
+ SRCS+= switch8.S
+ SRCS+= switchu8.S
+ SRCS+= sync_synchronize.S
+ .endif
+-
+-# GCC-6.3 on mips32 requires bswap32 built-in.
+-.if ${MACHINE_CPUARCH} == "mips"
+-SRCS+= bswapdi2.c
+-SRCS+= bswapsi2.c
+-.endif
+-
diff --git a/website/static/security/patches/EN-21:05/libatomic.patch.asc b/website/static/security/patches/EN-21:05/libatomic.patch.asc
new file mode 100644
index 0000000000..8b650be0d2
--- /dev/null
+++ b/website/static/security/patches/EN-21:05/libatomic.patch.asc
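Review bot: The new guard in `atomic.c`, `#if defined(__mips__) || (...)`, forces `IS_LOCK_FREE_8` to 0 for every MIPS target, while the comment above it says only 32-bit MIPS lacks 8-byte lock-free atomics; `__mips__` is normally defined on 64-bit MIPS as well. If 32-bit only is intended, the condition would read `(defined(__mips__) && !defined(__mips64))`; otherwise the comment should say that all MIPS targets are covered. The outcome is presumably still correct either way, since a zero here selects the non-lock-free path, so this is about keeping code and comment in agreement. In `Makefile.inc`, the removed powerpc block also carried `CFLAGS.atomic.c+= -Wno-atomic-alignment`, which is not re-added alongside the now generic `SRCF+= atomic`.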
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbipfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cITKxAAipVfcvry45Ih14/dOrobd6s4NtFpck4x+CT9p/SMS5LLLFAJYpjazGtf +1WytYOv305wZo0toQQDZwTOwGdjPCdZyXzJFXfQGX2KpVA/pqEqY+SBxBEDbzU0X +4LKiijtGNDqikrb7Rs4m5DiOgcY0UFHvwisGvX4/1yHEx33cSPR6P90uLSwiIUlu +qxTa400oN79ICecRibtr1rjTRZbSoP/9p3Si2UFVLZPD/mXaYU626T70yIARaach +8oO8afQHVrvMfdDJrKIuas4DrbhORtZsst4mtmWRDuQlDAIcZuI43uLCjTjMVVjk +VsQlS/YprSGkzVyBz/hyKqPa8eYkmpmWekSW8mvyNudfjqCfHh6qFAZD9yqqufRr +am3nWKLqjIclLeF7/nBoyC9Vvhb+okCS3slkejm/4WDpgUoJWyd262Hj4jsviQ3f +8/MkhkAahSJJTXf9CVDM5iz4DpobCMc27mX/uctfeQrMzw6JMZ3IcSZ/k9mPqlR/ +znhW4gSc1bCrN2t/UCaBeGvnL8eGa5ohhLIHGm3vekMvlpFmj3kPidmgjts1RoHA +gW0MWfYod54/WceTGC/RVwUQyQjjj4qlLrWZCmU2SAK5Atw54w+l/skj9HZlGJC3 +0OBeQvqSOUszbn8H48+1l039t90rdCbYW5/suZfhoK6OeudbMmY= +=DgCX +-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-21:01/fsdisclosure.11.patch b/website/static/security/patches/SA-21:01/fsdisclosure.11.patch
new file mode 100644
index 0000000000..fea427e96e
--- /dev/null
+++ b/website/static/security/patches/SA-21:01/fsdisclosure.11.patch
@@ -0,0 +1,10 @@
+--- sys/fs/msdosfs/msdosfs_vnops.c.orig
++++ sys/fs/msdosfs/msdosfs_vnops.c
+@@ -1701,6 +1701,7 @@
+ mbnambuf_flush(&nb, &dirbuf);
+ chksum = -1;
+ dirbuf.d_reclen = GENERIC_DIRSIZ(&dirbuf);
++ dirent_terminate(&dirbuf);
+ if (uio->uio_resid < dirbuf.d_reclen) {
+ brelse(bp);
+ goto out;
diff --git a/website/static/security/patches/SA-21:01/fsdisclosure.11.patch.asc b/website/static/security/patches/SA-21:01/fsdisclosure.11.patch.asc
new file mode 100644
index 0000000000..1bf6b21c8a
--- /dev/null
+++ b/website/static/security/patches/SA-21:01/fsdisclosure.11.patch.asc
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbjNfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJ8HA/+PgmcD+mXjlONm6S2iODbNlot81XtSJFZBVvGsuez3YnDt4NV4TVivf+A +SFs/3olGaMxtAT/ME8dVrgAF8+cHcjBMj5Vd+SYEgYAS3gQsOm4jfzWTh+z0Wwm7 +SGDgW3h9wMb7WKevudvZ9kI5xV5uOD3IeCs8zag5eNoOp+BvgPbOgP9GdqgP1WmT +vEFtk8g1PAXoOkDm89rdYf05oUHyC6FvVF1vxCTEypmHt97meIkOn71f+CBMBLTS +qyFf/DHeXjuWg6XNZckbShRXgJufv8cf2GkK/dX37VzX5qXk4HKsOckQTwxXLjtc +xQGXyhw2lCWlkJUS6yzeeH4elzl3Z+EPE9t1zrEq5fmwGCV2cGuDQbdgWTfr4LnZ +5uTFJ6RtAT66hnbTu0LWhsBh7JWTYih6Vhq/RDS/HaIt0tgf20xaiVEwbtshAfsR +djHU2KgFCua+Y0NHKsFlgE7wM1i7lcPC4oJQxVvgtK1Zac49VVgMn1M9V9K4iFrq +D2j9mcW4Bi8bWPH2c3MdqSZZo5s1VfWWPH5CEDGyYRWC9TR8MLbeu5svnQrPgTcm +CoQysqeP9/50LADgSwIgnEdyJizydAhecck5t6BbkimanUAfGKw4lH3d9xWP24y/ +F3MmYHkrAw88np2rlmaVFnydu4I1stzUiE5Nyrp00ATybc2vny0= +=tSMc +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-21:01/fsdisclosure.12.patch b/website/static/security/patches/SA-21:01/fsdisclosure.12.patch new file mode 100644 index 0000000000..cee40d343f --- /dev/null +++ b/website/static/security/patches/SA-21:01/fsdisclosure.12.patch 
@@ -0,0 +1,166 @@
+--- sys/fs/autofs/autofs_vnops.c.orig
++++ sys/fs/autofs/autofs_vnops.c
+@@ -369,6 +369,7 @@
+ return (EINVAL);
+
+ dirent.d_fileno = fileno;
++ dirent.d_off = uio->uio_offset + reclen;
+ dirent.d_reclen = reclen;
+ dirent.d_type = DT_DIR;
+ dirent.d_namlen = namlen;
+--- sys/fs/msdosfs/msdosfs_vnops.c.orig
++++ sys/fs/msdosfs/msdosfs_vnops.c
+@@ -1687,6 +1687,7 @@
+ dirbuf.d_reclen = GENERIC_DIRSIZ(&dirbuf);
+ /* NOTE: d_off is the offset of the *next* entry. */
+ dirbuf.d_off = offset + sizeof(struct direntry);
++ dirent_terminate(&dirbuf);
+ if (uio->uio_resid < dirbuf.d_reclen) {
+ brelse(bp);
+ goto out;
+--- sys/fs/smbfs/smbfs_io.c.orig
++++ sys/fs/smbfs/smbfs_io.c
+@@ -103,6 +103,7 @@
+ (np->n_parent ? np->n_parentino : 2);
+ if (de.d_fileno == 0)
+ de.d_fileno = 0x7ffffffd + offset;
++ de.d_off = offset + 1;
+ de.d_namlen = offset + 1;
+ de.d_name[0] = '.';
+ de.d_name[1] = '.';
+@@ -153,6 +154,7 @@
+ bzero((caddr_t)&de, DE_SIZE);
+ de.d_reclen = DE_SIZE;
+ de.d_fileno = ctx->f_attr.fa_ino;
++ de.d_off = offset + 1;
+ de.d_type = (ctx->f_attr.fa_attr & SMB_FA_DIR) ? DT_DIR : DT_REG;
+ de.d_namlen = ctx->f_nmlen;
+ bcopy(ctx->f_name, de.d_name, de.d_namlen);
+--- sys/fs/tmpfs/tmpfs_subr.c.orig
++++ sys/fs/tmpfs/tmpfs_subr.c
+@@ -1188,6 +1188,7 @@
+ MPASS(uio->uio_offset == TMPFS_DIRCOOKIE_DOT);
+
+ dent.d_fileno = node->tn_id;
++ dent.d_off = TMPFS_DIRCOOKIE_DOTDOT;
+ dent.d_type = DT_DIR;
+ dent.d_namlen = 1;
+ dent.d_name[0] = '.';
+@@ -1213,7 +1214,7 @@
+ */
+ static int
+ tmpfs_dir_getdotdotdent(struct tmpfs_mount *tm, struct tmpfs_node *node,
+- struct uio *uio)
++ struct uio *uio, off_t next)
+ {
+ struct tmpfs_node *parent;
+ struct dirent dent;
+@@ -1234,6 +1235,7 @@
+ dent.d_fileno = parent->tn_id;
+ TMPFS_NODE_UNLOCK(parent);
+
++ dent.d_off = next;
+ dent.d_type = DT_DIR;
+ dent.d_namlen = 2;
+ dent.d_name[0] = '.';
+@@ -1263,7 +1265,7 @@
+ struct uio *uio, int maxcookies, u_long *cookies, int *ncookies)
+ {
+ struct tmpfs_dir_cursor dc;
+- struct tmpfs_dirent *de;
++ struct tmpfs_dirent *de, *nde;
+ off_t off;
+ int error;
+
+@@ -1284,18 +1286,19 @@
+ error = tmpfs_dir_getdotdent(tm, node, uio);
+ if (error != 0)
+ return (error);
+- uio->uio_offset = TMPFS_DIRCOOKIE_DOTDOT;
++ uio->uio_offset = off = TMPFS_DIRCOOKIE_DOTDOT;
+ if (cookies != NULL)
+- cookies[(*ncookies)++] = off = uio->uio_offset;
++ cookies[(*ncookies)++] = off;
+ /* FALLTHROUGH */
+ case TMPFS_DIRCOOKIE_DOTDOT:
+- error = tmpfs_dir_getdotdotdent(tm, node, uio);
++ de = tmpfs_dir_first(node, &dc);
++ off = tmpfs_dirent_cookie(de);
++ error = tmpfs_dir_getdotdotdent(tm, node, uio, off);
+ if (error != 0)
+ return (error);
+- de = tmpfs_dir_first(node, &dc);
+- uio->uio_offset = tmpfs_dirent_cookie(de);
++ uio->uio_offset = off;
+ if (cookies != NULL)
+- cookies[(*ncookies)++] = off = uio->uio_offset;
++ cookies[(*ncookies)++] = off;
+ /* EOF. */
+ if (de == NULL)
+ return (0);
+@@ -1310,13 +1313,17 @@
+ off = tmpfs_dirent_cookie(de);
+ }
+
+- /* Read as much entries as possible; i.e., until we reach the end of
+- * the directory or we exhaust uio space. */
++ /*
++ * Read as much entries as possible; i.e., until we reach the end of the
++ * directory or we exhaust uio space.
++ */
+ do {
+ struct dirent d;
+
+- /* Create a dirent structure representing the current
+- * tmpfs_node and fill it. */
++ /*
++ * Create a dirent structure representing the current tmpfs_node
++ * and fill it.
++ */
+ if (de->td_node == NULL) {
+ d.d_fileno = 1;
+ d.d_type = DT_WHT;
+@@ -1360,20 +1367,27 @@
+ MPASS(de->td_namelen < sizeof(d.d_name));
+ (void)memcpy(d.d_name, de->ud.td_name, de->td_namelen);
+ d.d_reclen = GENERIC_DIRSIZ(&d);
+- dirent_terminate(&d);
+
+- /* Stop reading if the directory entry we are treating is
+- * bigger than the amount of data that can be returned. */
++ /*
++ * Stop reading if the directory entry we are treating is bigger
++ * than the amount of data that can be returned.
++ */
+ if (d.d_reclen > uio->uio_resid) {
+ error = EJUSTRETURN;
+ break;
+ }
+
+- /* Copy the new dirent structure into the output buffer and
+- * advance pointers. */
++ nde = tmpfs_dir_next(node, &dc);
++ d.d_off = tmpfs_dirent_cookie(nde);
++ dirent_terminate(&d);
++
++ /*
++ * Copy the new dirent structure into the output buffer and
++ * advance pointers.
++ */
+ error = uiomove(&d, d.d_reclen, uio);
+ if (error == 0) {
+- de = tmpfs_dir_next(node, &dc);
++ de = nde;
+ if (cookies != NULL) {
+ off = tmpfs_dirent_cookie(de);
+ MPASS(*ncookies < maxcookies);
+--- sys/kern/uipc_mqueue.c.orig
++++ sys/kern/uipc_mqueue.c
+@@ -1426,6 +1426,7 @@
+ if (!pn->mn_fileno)
+ mqfs_fileno_alloc(mi, pn);
+ entry.d_fileno = pn->mn_fileno;
++ entry.d_off = offset + entry.d_reclen;
+ for (i = 0; i < MQFS_NAMELEN - 1 && pn->mn_name[i] != '\0'; ++i)
+ entry.d_name[i] = pn->mn_name[i];
+ entry.d_namlen = i;
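Review bot: Each readdir path in this patch is fixed by assigning `d_off` (and adding or moving `dirent_terminate()`) by hand, so the stack `struct dirent` is only safe to copy out for as long as every field keeps being remembered individually. Only the second smbfs hunk shows the structure being cleared first, with `bzero((caddr_t)&de, DE_SIZE);`; the autofs, tmpfs dot/dotdot and mqueue hunks show no such clearing, although it may sit above the visible context. Where it is missing I would clear the whole structure before filling it, e.g. `bzero(&dent, sizeof(dent));`, so that a later field or padding change cannot expose stale kernel stack to userland again. In `uipc_mqueue.c` the new `entry.d_off = offset + entry.d_reclen;` also depends on `d_reclen` having been set earlier, which the hunk does not show.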
diff --git a/website/static/security/patches/SA-21:01/fsdisclosure.12.patch.asc b/website/static/security/patches/SA-21:01/fsdisclosure.12.patch.asc new file mode 100644 index 0000000000..fe012400fa --- /dev/null +++ b/website/static/security/patches/SA-21:01/fsdisclosure.12.patch.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbjNfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJY7A//cxfRPjkTLhctIEVx1PCFqEQ02Fj8rarjyKu8fWPrjB7zB9DuJPIMDfzs +VEupOfXlw0R71n+6UV3EuplbHF7jodX5g79FG0AqjrhzKmGVmN3azx/erbAQj46Q +ccRyGNltZLtji3iD9eespNNbuXkE0HB4hgR8uwbzTtEI12l9FybrRfR/Lo0EpakX +avnwAMSmbUp8IHvXJmiae6jNqW5qbXH0j0wUaQGIhF/ZgJtvZhRN2xbXWb7A0Uqm +DkUSatoFnTZ3YXKh1dY7wr9qUQujoO7tqvM1RMsgX+GGQNIwIzWsWJo6bcMNKmN+ +bjVRQgLp8o2okApFKbEX535tzudGwet9xJGCrz8znUhgN0riUVsPy8/AbVFiLoWi +Rp8YlBTuuIQEG1naOlkdwbyoNXnIKajuA3s+BawdcpQEoB8o9OSd1jdQcdafZE6d +E9Oo/yIetviAmcu4Xt/KYXT2NbLIezDO26EYLsLver1qF9QE2A8syy3qld/mz4+n +Q90L/Qs4iN7nDzB0WenreA7YlG0rXjG5WyXxfxIpefdaSWvd51LUU56tGJEkGzAt +VT1kOyNKKI5zfV6K+pN3+0G7MPmfMN7au7UoAnC3C2QnbvvZZ4kxd/8+FerWyHrT +2CQAxwErn2hDLXJn9SDU8uQnXY3cJ3efO6lx9jwGQtCpJPzKd/A= +=DVI2 +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-21:02/xenoom.11.patch b/website/static/security/patches/SA-21:02/xenoom.11.patch new file mode 100644 index 0000000000..057a656114 --- /dev/null +++ b/website/static/security/patches/SA-21:02/xenoom.11.patch 
@@ -0,0 +1,255 @@
+--- sys/dev/xen/balloon/balloon.c.orig
++++ sys/dev/xen/balloon/balloon.c
+@@ -310,7 +310,8 @@
+
+ static struct xs_watch target_watch =
+ {
+- .node = "memory/target"
++ .node = "memory/target",
++ .max_pending = 1,
+ };
+
+ /* React to a change in the target key */
+--- sys/dev/xen/blkback/blkback.c.orig
++++ sys/dev/xen/blkback/blkback.c
+@@ -3767,6 +3767,12 @@
+ xbb->hotplug_watch.callback = xbb_attach_disk;
+ KASSERT(xbb->hotplug_watch.node == NULL, ("watch node already setup"));
+ xbb->hotplug_watch.node = strdup(sbuf_data(watch_path), M_XENBLOCKBACK);
++ /*
++ * We don't care about the path updated, just about the value changes
++ * on that single node, hence there's no need to queue more that one
++ * event.
++ */
++ xbb->hotplug_watch.max_pending = 1;
+ sbuf_delete(watch_path);
+ error = xs_register_watch(&xbb->hotplug_watch);
+ if (error != 0) {
+--- sys/dev/xen/control/control.c.orig
++++ sys/dev/xen/control/control.c
+@@ -432,6 +432,12 @@
+ xctrl->xctrl_watch.node = "control/shutdown";
+ xctrl->xctrl_watch.callback = xctrl_on_watch_event;
+ xctrl->xctrl_watch.callback_data = (uintptr_t)xctrl;
++ /*
++ * We don't care about the path updated, just about the value changes
++ * on that single node, hence there's no need to queue more that one
++ * event.
++ */
++ xctrl->xctrl_watch.max_pending = 1;
+ xs_register_watch(&xctrl->xctrl_watch);
+
+ if (xen_pv_domain())
+--- sys/dev/xen/xenstore/xenstore.c.orig
++++ sys/dev/xen/xenstore/xenstore.c
+@@ -668,12 +668,17 @@
+ mtx_lock(&xs.registered_watches_lock);
+ msg->u.watch.handle = find_watch(
+ msg->u.watch.vec[XS_WATCH_TOKEN]);
+- if (msg->u.watch.handle != NULL) {
+- mtx_lock(&xs.watch_events_lock);
++ mtx_lock(&xs.watch_events_lock);
++ if (msg->u.watch.handle != NULL &&
++ (!msg->u.watch.handle->max_pending ||
++ msg->u.watch.handle->pending <
++ msg->u.watch.handle->max_pending)) {
++ msg->u.watch.handle->pending++;
+ TAILQ_INSERT_TAIL(&xs.watch_events, msg, list);
+ wakeup(&xs.watch_events);
+ mtx_unlock(&xs.watch_events_lock);
+ } else {
++ mtx_unlock(&xs.watch_events_lock);
+ free(msg->u.watch.vec, M_XENSTORE);
+ free(msg, M_XENSTORE);
+ }
+@@ -1045,8 +1050,10 @@
+
+ mtx_lock(&xs.watch_events_lock);
+ msg = TAILQ_FIRST(&xs.watch_events);
+- if (msg)
++ if (msg) {
+ TAILQ_REMOVE(&xs.watch_events, msg, list);
++ msg->u.watch.handle->pending--;
++ }
+ mtx_unlock(&xs.watch_events_lock);
+
+ if (msg != NULL) {
+@@ -1629,6 +1636,7 @@
+ char token[sizeof(watch) * 2 + 1];
+ int error;
+
++ watch->pending = 0;
+ sprintf(token, "%lX", (long)watch);
+
+ sx_slock(&xs.suspend_mutex);
+--- sys/xen/xenbus/xenbus.c.orig
++++ sys/xen/xenbus/xenbus.c
+@@ -102,48 +102,6 @@
+ return ((state < (XenbusStateClosed + 1)) ? name[state] : "INVALID");
+ }
+
+-int
+-xenbus_watch_path(device_t dev, char *path, struct xs_watch *watch,
+- xs_watch_cb_t *callback, uintptr_t callback_data)
+-{
+- int error;
+-
+- watch->node = path;
+- watch->callback = callback;
+- watch->callback_data = callback_data;
+-
+- error = xs_register_watch(watch);
+-
+- if (error) {
+- watch->node = NULL;
+- watch->callback = NULL;
+- xenbus_dev_fatal(dev, error, "adding watch on %s", path);
+- }
+-
+- return (error);
+-}
+-
+-int
+-xenbus_watch_path2(device_t dev, const char *path,
+- const char *path2, struct xs_watch *watch,
+- xs_watch_cb_t *callback, uintptr_t callback_data)
+-{
+- int error;
+- char *state = malloc(strlen(path) + 1 + strlen(path2) + 1,
+- M_XENBUS, M_WAITOK);
+-
+- strcpy(state, path);
+- strcat(state, "/");
+- strcat(state, path2);
+-
+- error = xenbus_watch_path(dev, state, watch, callback, callback_data);
+- if (error) {
+- free(state,M_XENBUS);
+- }
+-
+- return (error);
+-}
+-
+ void
+ xenbus_dev_verror(device_t dev, int err, const char *fmt, va_list ap)
+ {
+--- sys/xen/xenbus/xenbusb.c.orig
++++ sys/xen/xenbus/xenbusb.c
+@@ -702,10 +702,21 @@
+ ivars->xd_otherend_watch.node = statepath;
+ ivars->xd_otherend_watch.callback = xenbusb_otherend_watch_cb;
+ ivars->xd_otherend_watch.callback_data = (uintptr_t)ivars;
++ /*
++ * Other end state node watch, limit to one pending event
++ * to prevent frontends from queuing too many events that
++ * could cause resource starvation.
++ */
++ ivars->xd_otherend_watch.max_pending = 1;
+
+ ivars->xd_local_watch.node = ivars->xd_node;
+ ivars->xd_local_watch.callback = xenbusb_local_watch_cb;
+ ivars->xd_local_watch.callback_data = (uintptr_t)ivars;
++ /*
++ * Watch our local path, only writable by us or a privileged
++ * domain, no need to limit.
++ */
++ ivars->xd_local_watch.max_pending = 0;
+
+ mtx_lock(&xbs->xbs_lock);
+ xbs->xbs_connecting_children++;
+@@ -764,6 +775,12 @@
+ xbs->xbs_device_watch.node = bus_node;
+ xbs->xbs_device_watch.callback = xenbusb_devices_changed;
+ xbs->xbs_device_watch.callback_data = (uintptr_t)xbs;
++ /*
++ * Allow for unlimited pending watches, as those are local paths
++ * either controlled by the guest or only writable by privileged
++ * domains.
++ */
++ xbs->xbs_device_watch.max_pending = 0;
+
+ TASK_INIT(&xbs->xbs_probe_children, 0, xenbusb_probe_children_cb, dev);
+
+--- sys/xen/xenbus/xenbusvar.h.orig
++++ sys/xen/xenbus/xenbusvar.h
+@@ -123,62 +123,6 @@
+ return (xenbus_read_driver_state(xenbus_get_otherend_path(dev)));
+ }
+
+-/**
+- * Initialize and register a watch on the given path (client suplied storage).
+- *
+- * \param dev The XenBus device requesting the watch service.
+- * \param path The XenStore path of the object to be watched. The
+- * storage for this string must be stable for the lifetime
+- * of the watch.
+- * \param watch The watch object to use for this request. This object
+- * must be stable for the lifetime of the watch.
+- * \param callback The function to call when XenStore objects at or below
+- * path are modified.
+- * \param cb_data Client data that can be retrieved from the watch object
+- * during the callback.
+- *
+- * \return On success, 0. Otherwise an errno value indicating the
+- * type of failure.
+- *
+- * \note On error, the device 'dev' will be switched to the XenbusStateClosing
+- * state and the returned error is saved in the per-device error node
+- * for dev in the XenStore.
+- */
+-int xenbus_watch_path(device_t dev, char *path,
+- struct xs_watch *watch,
+- xs_watch_cb_t *callback,
+- uintptr_t cb_data);
+-
+-/**
+- * Initialize and register a watch at path/path2 in the XenStore.
+- *
+- * \param dev The XenBus device requesting the watch service.
+- * \param path The base XenStore path of the object to be watched.
+- * \param path2 The tail XenStore path of the object to be watched.
+- * \param watch The watch object to use for this request. This object
+- * must be stable for the lifetime of the watch.
+- * \param callback The function to call when XenStore objects at or below
+- * path are modified.
+- * \param cb_data Client data that can be retrieved from the watch object
+- * during the callback.
+- *
+- * \return On success, 0. Otherwise an errno value indicating the
+- * type of failure.
+- *
+- * \note On error, \a dev will be switched to the XenbusStateClosing
+- * state and the returned error is saved in the per-device error node
+- * for \a dev in the XenStore.
+- *
+- * Similar to xenbus_watch_path, however the storage for the path to the
+- * watched object is allocated from the heap and filled with "path '/' path2".
+- * Should a call to this function succeed, it is the callers responsibility
+- * to free watch->node using the M_XENBUS malloc type.
+- */
+-int xenbus_watch_path2(device_t dev, const char *path,
+- const char *path2, struct xs_watch *watch,
+- xs_watch_cb_t *callback,
+- uintptr_t cb_data);
+-
+ /**
+ * Grant access to the given ring_mfn to the peer of the given device.
+ *
+--- sys/xen/xenstore/xenstorevar.h.orig
++++ sys/xen/xenstore/xenstorevar.h
+@@ -72,6 +72,15 @@
+
+ /* Callback client data untouched by the XenStore watch mechanism. */
+ uintptr_t callback_data;
++
++ /* Maximum number of pending watch events to be delivered. */
++ unsigned int max_pending;
++
++ /*
++ * Private counter used by xenstore to keep track of the pending
++ * watches. Protected by xs.watch_events_lock.
++ */
++ unsigned int pending;
+ };
+ LIST_HEAD(xs_watch_list, xs_watch);
+
diff --git a/website/static/security/patches/SA-21:02/xenoom.11.patch.asc b/website/static/security/patches/SA-21:02/xenoom.11.patch.asc
new file mode 100644
index 0000000000..3b7f0b10ef
--- /dev/null
+++ b/website/static/security/patches/SA-21:02/xenoom.11.patch.asc
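Review bot: The meaning of `max_pending == 0` is only implied by the `!msg->u.watch.handle->max_pending` test in the `xenstore.c` hunk, while the field comment added in `xenstorevar.h` says just "Maximum number of pending watch events to be delivered". Because zero means no limit, any `struct xs_watch` that is zero-initialised and not touched by this patch stays unbounded, so the default fails open; I would state that on the field, e.g. `/* Maximum number of pending watch events to be delivered; 0 means no limit. */`, and audit the `xs_register_watch()` callers the patch does not modify. The same applies to the identical hunks in xenoom.12.patch. Events over the cap are freed silently in the `else` branch, so a dropped-event counter would make a noisy peer easier to diagnose.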
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbjRfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cKfghAAkrse02lN4PZizc0OEsABoBTpTLLNFTTQ+3alY9MeYmLzgoP6crG6nETa +VwRh44ztjXeMB0/HUKu4rCcSbasYPLYAGZ+z8WCGmgVs30og7m6fC1eLb3zvlHxq +O4J9E3JhvQIPbhFpZMDMyjj+aS4SncgB7Hswcr3FGuUQkl9ySm7frV6umDHkwaiN +0wNEQVHQIQSVxawSG2+hMwVCDH/rxm2gLPpoTlQ4rwD3dsr6Ul8hCqPTTUV7vpRE +88AAv+xPgglWjNFo2LAYvtXjTiO3/v+TfiNnf47uwbMpmEaUKRDDirMqrAd8k6x4 +UgbYC+Dils9Fbo+hc2P8kxwaDDb3xPk6RwPErCbQfyoF2w09YQeaIB5na9aRV43u +qCOj/3OFcuZxEqY1pWLWutD6HM2qi72Btm2U4dp/zFa6V7x4hRKrxmimM07uJGRy +/Pk3mBpLQLm0wbjSTR+8+RFM4fYRUQbJYZFINn99WDsL4zqD/KzL/ZW5e2pFjRcC +n2DuuMULHQ1ivBZmdMBOIvx5JUllHn5vazDVErIdILJhAb4ypFpuyFdkBUNO72Hn +dfrNrwABGi57nqxdAP8nIYTEUyUxm6q3vC4VXsoarYZvGECmWLrNWSADR7YtsMSi +7C9lanrEy3CH4eFwXkPTYAvmLgubQTm5pMxCZfM/qHSkUhVocBQ= +=6nop +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-21:02/xenoom.12.patch b/website/static/security/patches/SA-21:02/xenoom.12.patch new file mode 100644 index 0000000000..f8797b1123 --- /dev/null +++ b/website/static/security/patches/SA-21:02/xenoom.12.patch 
@@ -0,0 +1,300 @@
+--- sys/dev/xen/balloon/balloon.c.orig
++++ sys/dev/xen/balloon/balloon.c
+@@ -310,7 +310,8 @@
+
+ static struct xs_watch target_watch =
+ {
+- .node = "memory/target"
++ .node = "memory/target",
++ .max_pending = 1,
+ };
+
+ /* React to a change in the target key */
+--- sys/dev/xen/blkback/blkback.c.orig
++++ sys/dev/xen/blkback/blkback.c
+@@ -3768,6 +3768,12 @@
+ xbb->hotplug_watch.callback = xbb_attach_disk;
+ KASSERT(xbb->hotplug_watch.node == NULL, ("watch node already setup"));
+ xbb->hotplug_watch.node = strdup(sbuf_data(watch_path), M_XENBLOCKBACK);
++ /*
++ * We don't care about the path updated, just about the value changes
++ * on that single node, hence there's no need to queue more that one
++ * event.
++ */
++ xbb->hotplug_watch.max_pending = 1;
+ sbuf_delete(watch_path);
+ error = xs_register_watch(&xbb->hotplug_watch);
+ if (error != 0) {
+--- sys/dev/xen/control/control.c.orig
++++ sys/dev/xen/control/control.c
+@@ -432,6 +432,12 @@
+ xctrl->xctrl_watch.node = "control/shutdown";
+ xctrl->xctrl_watch.callback = xctrl_on_watch_event;
+ xctrl->xctrl_watch.callback_data = (uintptr_t)xctrl;
++ /*
++ * We don't care about the path updated, just about the value changes
++ * on that single node, hence there's no need to queue more that one
++ * event.
++ */
++ xctrl->xctrl_watch.max_pending = 1;
+ xs_register_watch(&xctrl->xctrl_watch);
+
+ if (xen_pv_domain())
+--- sys/dev/xen/xenstore/xenstore.c.orig
++++ sys/dev/xen/xenstore/xenstore.c
+@@ -656,12 +656,17 @@
+ mtx_lock(&xs.registered_watches_lock);
+ msg->u.watch.handle = find_watch(
+ msg->u.watch.vec[XS_WATCH_TOKEN]);
+- if (msg->u.watch.handle != NULL) {
+- mtx_lock(&xs.watch_events_lock);
++ mtx_lock(&xs.watch_events_lock);
++ if (msg->u.watch.handle != NULL &&
++ (!msg->u.watch.handle->max_pending ||
++ msg->u.watch.handle->pending <
++ msg->u.watch.handle->max_pending)) {
++ msg->u.watch.handle->pending++;
+ TAILQ_INSERT_TAIL(&xs.watch_events, msg, list);
+ wakeup(&xs.watch_events);
+ mtx_unlock(&xs.watch_events_lock);
+ } else {
++ mtx_unlock(&xs.watch_events_lock);
+ free(msg->u.watch.vec, M_XENSTORE);
+ free(msg, M_XENSTORE);
+ }
+@@ -983,8 +988,10 @@
+
+ mtx_lock(&xs.watch_events_lock);
+ msg = TAILQ_FIRST(&xs.watch_events);
+- if (msg)
++ if (msg) {
+ TAILQ_REMOVE(&xs.watch_events, msg, list);
++ msg->u.watch.handle->pending--;
++ }
+ mtx_unlock(&xs.watch_events_lock);
+
+ if (msg != NULL) {
+@@ -1578,6 +1585,7 @@
+ char token[sizeof(watch) * 2 + 1];
+ int error;
+
++ watch->pending = 0;
+ sprintf(token, "%lX", (long)watch);
+
+ mtx_lock(&xs.registered_watches_lock);
+--- sys/dev/xen/xenstore/xenstore_dev.c.orig
++++ sys/dev/xen/xenstore/xenstore_dev.c
+@@ -45,6 +45,7 @@
+ #include <sys/conf.h>
+ #include <sys/module.h>
+ #include <sys/selinfo.h>
++#include <sys/sysctl.h>
+ #include <sys/poll.h>
+
+ #include <xen/xen-os.h>
+@@ -53,6 +54,8 @@
+ #include <xen/xenstore/xenstorevar.h>
+ #include <xen/xenstore/xenstore_internal.h>
+
++static unsigned int max_pending_watches = 1000;
++
+ struct xs_dev_transaction {
+ LIST_ENTRY(xs_dev_transaction) list;
+ struct xs_transaction handle;
+@@ -335,6 +338,7 @@
+ watch->watch.node = strdup(wpath, M_XENSTORE);
+ watch->watch.callback = xs_dev_watch_cb;
+ watch->watch.callback_data = (uintptr_t)watch;
++ watch->watch.max_pending = max_pending_watches;
+ watch->token = strdup(wtoken, M_XENSTORE);
+ watch->user = u;
+
+@@ -511,6 +515,17 @@
+ xs_dev_attach(device_t dev)
+ {
+ struct cdev *xs_cdev;
++ struct sysctl_ctx_list *sysctl_ctx;
++ struct sysctl_oid *sysctl_tree;
++
++ sysctl_ctx = device_get_sysctl_ctx(dev);
++ sysctl_tree = device_get_sysctl_tree(dev);
++ if (sysctl_ctx == NULL || sysctl_tree == NULL)
++ return (EINVAL);
++
++ SYSCTL_ADD_UINT(sysctl_ctx, SYSCTL_CHILDREN(sysctl_tree), OID_AUTO,
++ "max_pending_watch_events", CTLFLAG_RW, &max_pending_watches, 0,
++ "maximum amount of pending watch events to be delivered");
+
+ xs_cdev = make_dev_credf(MAKEDEV_ETERNAL, &xs_dev_cdevsw, 0, NULL,
+ UID_ROOT, GID_WHEEL, 0400, "xen/xenstore");
+--- sys/xen/xenbus/xenbus.c.orig
++++ sys/xen/xenbus/xenbus.c
+@@ -102,48 +102,6 @@
+ return ((state < (XenbusStateClosed + 1)) ? name[state] : "INVALID");
+ }
+
+-int
+-xenbus_watch_path(device_t dev, char *path, struct xs_watch *watch,
+- xs_watch_cb_t *callback, uintptr_t callback_data)
+-{
+- int error;
+-
+- watch->node = path;
+- watch->callback = callback;
+- watch->callback_data = callback_data;
+-
+- error = xs_register_watch(watch);
+-
+- if (error) {
+- watch->node = NULL;
+- watch->callback = NULL;
+- xenbus_dev_fatal(dev, error, "adding watch on %s", path);
+- }
+-
+- return (error);
+-}
+-
+-int
+-xenbus_watch_path2(device_t dev, const char *path,
+- const char *path2, struct xs_watch *watch,
+- xs_watch_cb_t *callback, uintptr_t callback_data)
+-{
+- int error;
+- char *state = malloc(strlen(path) + 1 + strlen(path2) + 1,
+- M_XENBUS, M_WAITOK);
+-
+- strcpy(state, path);
+- strcat(state, "/");
+- strcat(state, path2);
+-
+- error = xenbus_watch_path(dev, state, watch, callback, callback_data);
+- if (error) {
+- free(state,M_XENBUS);
+- }
+-
+- return (error);
+-}
+-
+ void
+ xenbus_dev_verror(device_t dev, int err, const char *fmt, va_list ap)
+ {
+--- sys/xen/xenbus/xenbusb.c.orig
++++ sys/xen/xenbus/xenbusb.c
+@@ -702,10 +702,21 @@
+ ivars->xd_otherend_watch.node = statepath;
+ ivars->xd_otherend_watch.callback = xenbusb_otherend_watch_cb;
+ ivars->xd_otherend_watch.callback_data = (uintptr_t)ivars;
++ /*
++ * Other end state node watch, limit to one pending event
++ * to prevent frontends from queuing too many events that
++ * could cause resource starvation.
++ */
++ ivars->xd_otherend_watch.max_pending = 1;
+
+ ivars->xd_local_watch.node = ivars->xd_node;
+ ivars->xd_local_watch.callback = xenbusb_local_watch_cb;
+ ivars->xd_local_watch.callback_data = (uintptr_t)ivars;
++ /*
++ * Watch our local path, only writable by us or a privileged
++ * domain, no need to limit.
++ */
++ ivars->xd_local_watch.max_pending = 0;
+
+ mtx_lock(&xbs->xbs_lock);
+ xbs->xbs_connecting_children++;
+@@ -764,6 +775,12 @@
+ xbs->xbs_device_watch.node = bus_node;
+ xbs->xbs_device_watch.callback = xenbusb_devices_changed;
+ xbs->xbs_device_watch.callback_data = (uintptr_t)xbs;
++ /*
++ * Allow for unlimited pending watches, as those are local paths
++ * either controlled by the guest or only writable by privileged
++ * domains.
++ */
++ xbs->xbs_device_watch.max_pending = 0;
+
+ TASK_INIT(&xbs->xbs_probe_children, 0, xenbusb_probe_children_cb, dev);
+
+--- sys/xen/xenbus/xenbusvar.h.orig
++++ sys/xen/xenbus/xenbusvar.h
+@@ -123,62 +123,6 @@
+ return (xenbus_read_driver_state(xenbus_get_otherend_path(dev)));
+ }
+
+-/**
+- * Initialize and register a watch on the given path (client suplied storage).
+- *
+- * \param dev The XenBus device requesting the watch service.
+- * \param path The XenStore path of the object to be watched. The
+- * storage for this string must be stable for the lifetime
+- * of the watch.
+- * \param watch The watch object to use for this request. This object
+- * must be stable for the lifetime of the watch.
+- * \param callback The function to call when XenStore objects at or below
+- * path are modified.
+- * \param cb_data Client data that can be retrieved from the watch object
+- * during the callback.
+- *
+- * \return On success, 0. Otherwise an errno value indicating the
+- * type of failure.
+- *
+- * \note On error, the device 'dev' will be switched to the XenbusStateClosing
+- * state and the returned error is saved in the per-device error node
+- * for dev in the XenStore.
+- */
+-int xenbus_watch_path(device_t dev, char *path,
+- struct xs_watch *watch,
+- xs_watch_cb_t *callback,
+- uintptr_t cb_data);
+-
+-/**
+- * Initialize and register a watch at path/path2 in the XenStore.
+- *
+- * \param dev The XenBus device requesting the watch service.
+- * \param path The base XenStore path of the object to be watched.
+- * \param path2 The tail XenStore path of the object to be watched.
+- * \param watch The watch object to use for this request. This object
+- * must be stable for the lifetime of the watch.
+- * \param callback The function to call when XenStore objects at or below
+- * path are modified.
+- * \param cb_data Client data that can be retrieved from the watch object
+- * during the callback.
+- *
+- * \return On success, 0. Otherwise an errno value indicating the
+- * type of failure.
+- *
+- * \note On error, \a dev will be switched to the XenbusStateClosing
+- * state and the returned error is saved in the per-device error node
+- * for \a dev in the XenStore.
+- *
+- * Similar to xenbus_watch_path, however the storage for the path to the
+- * watched object is allocated from the heap and filled with "path '/' path2".
+- * Should a call to this function succeed, it is the callers responsibility
+- * to free watch->node using the M_XENBUS malloc type.
+- */
+-int xenbus_watch_path2(device_t dev, const char *path,
+- const char *path2, struct xs_watch *watch,
+- xs_watch_cb_t *callback,
+- uintptr_t cb_data);
+-
+ /**
+ * Grant access to the given ring_mfn to the peer of the given device.
+ *
+--- sys/xen/xenstore/xenstorevar.h.orig
++++ sys/xen/xenstore/xenstorevar.h
+@@ -70,6 +70,15 @@
+
+ /* Callback client data untouched by the XenStore watch mechanism. */
+ uintptr_t callback_data;
++
++ /* Maximum number of pending watch events to be delivered. */
++ unsigned int max_pending;
++
++ /*
++ * Private counter used by xenstore to keep track of the pending
++ * watches. Protected by xs.watch_events_lock.
++ */
++ unsigned int pending;
+ };
+ LIST_HEAD(xs_watch_list, xs_watch);
+
diff --git a/website/static/security/patches/SA-21:02/xenoom.12.patch.asc b/website/static/security/patches/SA-21:02/xenoom.12.patch.asc
new file mode 100644
index 0000000000..ba479a4258
--- /dev/null
+++ b/website/static/security/patches/SA-21:02/xenoom.12.patch.asc
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbjRfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJXhg/8CoCazqYQC72fjKzdu5rTqi88S+LCO2/oQ8sB81Xd9994aTcCiCT16MgW +oExB9ukEru7mz98ziwZiszkFGhnj8SvFqp8GaUdORILeLxN81Z8aUkXOAzZpk0yy +Yd9yMxSL5YRcgcrxJKetArt97Pdkx0e5paNMniKWYxuGMGE0IJXc/OJmb1Gj+ZTe +BSHInbD57GG6DYBDgLGm4Lu6FMrG+ukt2SUFxRQl0usgNE1zseXIjSxMPymh0I4j +guCo0gNxHow44xgEXOUD1X2K1hsr8TNxwvl5i9Pwv8MFubPU4qPcBOcMvM/i5YR2 +3uvnK5oRqNjwS/EHUBZ2jonSmNN89mqdPjctaMNypcUPDsIqINw/Qd6TNnv3DjS1 +34cNBWzBYt9ccf5JC/KWfDyZxWpOku18DdFOcsi9MSubmQaxj5SRMfh0QamZPZ3p +06JcJbcVZyRoMnD/NcFJTd6pfnrPKrJ9IVOvBesm3MpMsWywRQgVM79xly3HuhLV +M8JTm9TKNVJPNGEeXW8MzjYJO2hDgTMwt6SWkxhNMQnajr3weqV5u+5X1wjZsAzr +pWVXYZTkxNcyAcLvMahjuB6av4lc763MdqorgRHdpLdwr4w45pCLqxRR9O1OVY2g +k0uKTKB1WQAIeK2VTpM/ZjPuNc+k0sVyYR9Sy70P0k76drICqUk= +=5Wei +-----END PGP SIGNATURE-----
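Review bot: The `max_pending_watch_events` sysctl added in `xs_dev_attach()` (xenoom.12.patch, `xenstore_dev.c`) is `CTLFLAG_RW` and its value is copied into `watch->watch.max_pending` when a watch is created, so writing 0 removes the cap for user-space watches (the `!max_pending` test in `xenstore.c` treats 0 as unlimited) and a changed value does not reach watches that already exist. Neither is stated in the description string; I would extend it, e.g. `"maximum pending watch events per watch (0 = unlimited, applies to new watches)"`. `max_pending_watches` is also read with no lock visible in the hunk, which looks harmless for a single `unsigned int` but deserves a one-line comment. Both functions start outside the hunk.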