Add EN-21:01 to EN-21:05, SA-21:01, and SA-21:02.

Approved by:	so

website/data/security/advisories.toml

@@ -1,6 +1,14 @@
 # Sort advisories by year, month and day
 # $FreeBSD$
 
+[[advisories]]
+name = "FreeBSD-SA-21:02.xenoom"
+date = "2021-01-29"
+
+[[advisories]]
+name = "FreeBSD-SA-21:01.fsdisclosure"
+date = "2021-01-29"
+
 [[advisories]]
 name = "FreeBSD-SA-20:33.openssl"
 date = "2020-12-08"

website/data/security/errata.toml

@@ -1,6 +1,26 @@
 # Sort errata notices by year, month and day
 # $FreeBSD$
 
+[[notices]]
+name = "FreeBSD-EN-21:05.libatomic"
+date = "2021-01-29"
+
+[[notices]]
+name = "FreeBSD-EN-21:04.zfs"
+date = "2021-01-29"
+
+[[notices]]
+name = "FreeBSD-EN-21:03.vnet"
+date = "2021-01-29"
+
+[[notices]]
+name = "FreeBSD-EN-21:02.extattr"
+date = "2021-01-29"
+
+[[notices]]
+name = "FreeBSD-EN-21:01.tzdata"
+date = "2021-01-29"
+
 [[notices]]
 name = "FreeBSD-EN-20:22.callout"
 date = "2020-12-01"

website/static/security/advisories/FreeBSD-EN-21:01.tzdata.asc

@@ -0,0 +1,148 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:01.tzdata                                         Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Timezone database information update
+
+Category:       contrib
+Module:         zoneinfo
+Announced:      2021-01-29
+Affects:        All supported versions of FreeBSD.
+Corrected:      2021-01-25 21:56:55 UTC (stable/12, 12.2-STABLE)
+                2021-01-29 01:20:49 UTC (releng/12.2, 12.2-RELEASE-p3)
+                2021-01-29 01:05:59 UTC (releng/12.1, 12.1-RELEASE-p13)
+                2021-01-25 21:57:06 UTC (stable/11, 11.4-STABLE)
+                2021-01-29 00:19:59 UTC (releng/11.4, 11.4-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The tzsetup(8) program allows the user to specify the default local timezone.
+Based on the selected timezone, tzsetup(8) copies one of the files from
+/usr/share/zoneinfo to /etc/localtime.  This file actually controls the
+conversion.
+
+II.  Problem Description
+
+Several changes in Daylight Savings Time happened after previous FreeBSD
+releases were released that would affect many people who live in different
+countries.  Because of these changes, the data in the zoneinfo files need to
+be updated, and if the local timezone on the running system is affected,
+tzsetup(8) needs to be run so the /etc/localtime is updated.
+
+III. Impact
+
+An incorrect time will be displayed on a system configured to use one of the
+affected timezones if the /usr/share/zoneinfo and /etc/localtime files are
+not updated, and all applications on the system that rely on the system time,
+such as cron(8) and syslog(8), will be affected.
+
+IV.  Workaround
+
+The system administrator can install an updated timezone database from the
+misc/zoneinfo port and run tzsetup(8) to get the timezone database corrected.
+
+Applications that store and display times in Coordinated Universal Time (UTC)
+are not affected.
+
+V.   Solution
+
+Please note that some third party software, for instance PHP, Ruby, Java and
+Perl, may be using different zoneinfo data source, in such cases this
+software must be updated separately.  For software packages that is installed
+via binary packages, they can be upgraded by executing `pkg upgrade'.
+
+Following the instructions in this Errata Notice will update all of the
+zoneinfo files to be the same as what was released with FreeBSD release.
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.  Restart all the affected
+applications and daemons, or reboot the system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart all the affected applications and daemons, or reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:01/tzdata-2021a.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:01/tzdata-2021a.patch.asc
+# gpg --verify tzdata-2021a.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all the affected applications and daemons, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12                                                         r369143
+releng/12.2                                                       r369171
+releng/12.1                                                       r369162
+stable/11/                                                        r369144
+releng/11.4/                                                      r369153
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:01.tzdata.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbfZfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKOpA//Urdpqngx7TTrUYuIFijatPi+MWNWEgW04TPXfa7Vmp5bPFC/fJGJ0o2u
+lMUVwodrlfX5GUvPENwC/xVVxlzGCX4ljpFbocJIBWczA6LQ+P0u4ibdgSWuh9IS
+4Aj/MFrd6b+Ui7JY6LF+g0n9M6Tcprui9ZVef7AmcEAOcKQEdIA/kNEfOSnlBy8t
+HgSVQOmVRbsWYN9B7ZfrsztaiPzFwLfm4Wu62CyrN7H1uSGve9JLrz56W1t3t7u+
+pKaemOZM6g1efHWVYHUIJh7A7KPSNaLHY3tuQ5Sw6KetST9PCrGwwWVyn+0Cirwp
+kL/1tjBAB31hsBNJxpvw6NSAazsUfMmKwmtaO9+Gy11ay5neCD2CPUNLCIa7KbjC
+XT1PcrNnkodID0xdnNGy77toZwbjN81ADurLc+O63FycVugENB81ZtSJWTW7teIL
+sIfh4A6yf+0szPU9/TIOZx9Qhnp2+Az2C39bgqmeWiv4SwTJnxvYZ6gqGaimdHtX
+kIozG96X7qyBD4y1Zm45QRrABmb+3AbF1PyCj3pq1re/GpqFlm8ADog3VWE6FaWn
+f/TlgtQtbknMcnWtpqXlvajWFa6vvq/2o7M7TRGPInQr0SA4gk5K6U9OQtrdKRGe
+QugdkOMBRuJt1+RO/XAgtcTDpV7CI8QncCONWOItPq4+n5J7PyU=
+=irIL
+-----END PGP SIGNATURE-----

website/static/security/advisories/FreeBSD-EN-21:02.extattr.asc

@@ -0,0 +1,129 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:02.extattr                                        Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          UFS extattr corruption
+
+Category:       core
+Module:         UFS
+Announced:      2021-01-29
+Affects:        FreeBSD 11.4
+Corrected:      2021-01-18 18:54:32 UTC (stable/11, 11.4-STABLE)
+                2021-01-29 19:20:02 UTC (releng/11.4, 11.4-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+Named extended attributes are meta-data associated with vnodes representing
+files and directories.  They exist as "name=value" pairs within a set of
+namespaces.  The UFS filesystem supports extended attributes.
+
+II.  Problem Description
+
+Under certain conditions FreeBSD 11.x releases may produce a corrupt extattr
+file, and later attempts to access these extended attributes may result in
+system misbehavior.  For example, lsextattr may spin at 100% CPU until the
+system is shut down.
+
+The issue that results in corrupt extattr data is not present in supported
+FreeBSD 12.x versions.
+
+III. Impact
+
+The system may not function as required with extended attributes in use.
+
+IV.  Workaround
+
+No workaround is available.  Systems not using extended attributes are not
+vulnerable.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date, and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for an errata update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.4]
+# fetch https://security.FreeBSD.org/patches/EN-12:02/extattr.patch
+# fetch https://security.FreeBSD.org/patches/EN-12:02/extattr.patch.asc
+# gpg --verify extattr.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/11/                                                        r369045
+releng/11.4/                                                      r369154
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244089>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:02.extattr.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbiRfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKxMBAAjpesCOTrkqvjjKZmez8ACSUdaa7IYMLbJpeXW+0IbFVU/IQdK5/aq6r1
+j/LytAbQ0yDlzfEggCeIWKGkbvaNs0eUVCx/1AOjWdxWePvrlpJ2GQNsHGZeWzBc
+QUv9LEao0MQF9UGjd0JV81nTE2DT4a2F3WVdfuX2QfkWntfWwpXf3Uf3Cvi6Cpfy
+rbZTkFeBmFvfgJu13co4re1gur8eYvMyNqcp+FO9OttEr/Fg5D/okQfp+0uZ1uIl
+80WNZLwgnJG07FBVgcjbbVr/JJJqzVQh3opUa4+6UZaaHoRszs4jE4Mc22C0G4Ma
+8vtBp4Z/Ndznv04TvTNiAyS3aAe0ums4yotZJBJEuVr1rA1lC6YgRVT9+qfsPcWT
+SuVM16NS4VGVpN5SruptLbrbTHQARDAAWDbtP1fB8ccvBIonf0hh5AOcKFBxHHY3
+NoKHLV373zTauvxqy7RKRAtnB2oB0uMT4j0lwJmn7CM1h+lL1GcVy1PTDVQ4mk+N
+2/I51AcbURjmWqxTTORI6p8CgLsiwPfdsup5T2g/JPu2nc9COWL/WKCytP2pXji3
++Lu+SJldxUCx8JiiCSFma7ZG/sjB+B1vOajzULqBWUgTH6YpX8gV78amDHmzRq20
+2is7fa+63ImVHtCZAIeSs/PGU2v+MDQ6eBNqFTccbgVvINEmMNE=
+=XIov
+-----END PGP SIGNATURE-----

website/static/security/advisories/FreeBSD-EN-21:03.vnet.asc

@@ -0,0 +1,130 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:03.vnet                                           Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Panic when destroying VNET and epair simultaneously
+
+Category:       core
+Module:         kernel
+Announced:      2021-01-29
+Affects:        FreeBSD 12.1 and later.
+Corrected:      2020-12-15 15:33:28 UTC (stable/12, 12.2-STABLE)
+                2021-01-29 01:20:52 UTC (releng/12.2, 12.2-RELEASE-p3)
+                2021-01-29 01:06:03 UTC (releng/12.1, 12.1-RELEASE-p13)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+VNET permits systems to be configured with multiple instances of the in-kernel
+network stack.
+
+The epair(4) interface provides a pair of virtual back-to-back connected
+Ethernet interfaces.
+
+II.  Problem Description
+
+Insufficient locking in the kernel meant that destroying an epair and a vnet
+jail at the same time often resulted in panics.
+
+III. Impact
+
+Users with root level access (or the PRIV_NET_IFCREATE privilege) can panic
+the system.
+
+IV.  Workaround
+
+The panic can be avoided by ensuring that epair interfaces are fully destroyed
+before the vnet jails containing them are destroyed.
+
+Systems not using vnet jails are not affected.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for an errata update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:03/vnet.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:03/vnet.patch.asc
+# gpg --verify vnet.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r368663
+releng/12.2/                                                      r369172
+releng/12.1/                                                      r369163
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238870>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:03.vnet.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbipfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKE3Q/+KQ96Grm2zOsWHVAl5Oz2TBdc7nGkIYSk59zFcmVMqduvKSjiJ3S1yLdX
+NsPm3KyFYeU7L/QM9Owsk1DTSnRrlwhbcM3/x+662bcgP1RWe3XL6n9fQ2V5eESO
+9wAKtwrkE5btGxp6WLNAZ1Ximb1rKtOi4hqLK1Rhqhl93ecw7gyp+Qs6ukj41cnT
+8+9AwHjvzYokrUDP7lIsKMQ4C29Fw4o2/0RwCCEmLlGRWLOWGM910RjgaFat02Gi
+nOLXXlI9mSApthMnlTun4cSn+rbzawyTXD8AIa/kwEd00yDej4IceBlqWXot8Sjw
+aXqJuix5qs0aVJcrQ2g9bkytnSMeO79EpCLyy/PDMJ1NUcQG8oaN/EcxNjb/U9p2
+sbjWSf4t1leTl76TWsGsNAWHkjUwMPYHDstG4jsRv+Y+m4sSWa6gYYitaOtK4paO
+wDDqpWHFJXOCEIrL3+HJcwOWr4hxhmZFgKNXeZN6l5WCKY/Xqjxqt7zBSpixiz01
+VEn3uNs1ePuEA80Ae+D8v4yzjjfuE5/MDfEsoaxtP6dalNtJlIaFhVgZYcsxpOfK
+xKC8dzdnEyq970+ZW/2ESYBxGTcnVQMxASI73QYuaKbRkcVqgW6XjHJHh+0tNLkV
+sPhgxy/eOkbsu9qcIOn+tTbNTo3CjW0/ZmdE0YX9XItgbGHFQvg=
+=1ekp
+-----END PGP SIGNATURE-----

website/static/security/advisories/FreeBSD-EN-21:04.zfs.asc

@@ -0,0 +1,130 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:04.zfs                                            Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          zfs recv fails to propagate snapshot deletion
+
+Category:       core
+Module:         zfs
+Announced:      2021-01-29
+Affects:        FreeBSD 12.2
+Corrected:      2020-12-01 08:15:18 UTC (stable/12, 12.2-STABLE)
+                2021-01-29 01:20:55 UTC (releng/12.2, 12.2-RELEASE-p3)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The zfs send/receive commands are used to efficiently copy datasets from one
+location to another.  With the -i or -I flags, zfs send can incrementally
+update an already-copied dataset.  When using the -R flag with zfs send and the
+- -F flag with zfs receive, zfs receive will delete any snapshots on the
+destination that have already been deleted on the source.
+
+II.  Problem Description
+
+A regression in FreeBSD 12.2 causes zfs receive to fail to delete snapshots
+that have been deleted on the source side.
+
+III. Impact
+
+Backup and replication systems based on ZFS send/receive that manage snapshots
+solely on the source side will fail to delete snapshots on the destination
+side.  This may lead to out-of-space conditions on the destination.
+
+IV.  Workaround
+
+Errant snapshots can be manually removed from the destination with "zfs destroy".
+
+Backup and replication systems that don't use the -R flag with zfs send will be
+unaffected.  For example, sysutils/zrepl is unaffected.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:04/zfs.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:04/zfs.patch.asc
+# gpg --verify zfs.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that link directly to libzfs.so.  A restart is not required
+for daemons that invoke the zfs executable.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r368233
+releng/12.2/                                                      r369173
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=249438>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:04.zfs.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbipfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJhhw//ajaGQV4/Ln4SmgsyYS01De9bXSI26dBcZlfGDUDL4l/W4qF1KnsTuPXx
+ubGoFDjAArT+AzAoTddQeKuty8VPR8UUCQfONgdWUvjlSZ3k1iLa6pTR/BHxSyZ3
+rh7olc8wSt13JBOoafCjGkuzRNLtz7oqP0qrGB/aKSbU3IzCW8fHSFnIFVaRK/Nh
+Zr9Lisp4mIBgBmAY3Oof50ONPrjoDEYff+G+52LSUSMIwGPVmEqFz1qrSzQ+SFO0
+kylegth1sBeEgPQZAuyXX6liJpsL/AEdYQvosykmBw3DGQqt9glo+hl6CU7/g2dn
+iA8O7tO0zgaHtWbAUQYdtHJKeqa5UbaDRKeDw3aXm6TwHmZN7BfQz6SWRK2QOhcc
+btn5yP6QhbpTFmWRkWtSehn+eISolDF4iCG9St664xpNV7l0AzSXm8saVrR2/Eix
+IPCK2nyhddyDyVCkkSaZw8rris5De8gAGsv0K+nvJqYhVMdbIyTnU62UzHrgPPXS
+kAe0Z/FnPmcQ7GXN/dSIzd17WMqKwGgsHMbLFw/BMP+kaM++mMY7ZdyPyx1gapB+
+qzvRhFoNKpNVGMaMK/y+BPB2Ak3OHj6lqPFptjd9HNlszVYuZ3Od25oQBO0dupQf
+jsTSler1ShPYyOwG8QE0sXjpMYVZhFgsZXiZVUrACkfunuDnXtI=
+=fhrM
+-----END PGP SIGNATURE-----

website/static/security/advisories/FreeBSD-EN-21:05.libatomic.asc

@@ -0,0 +1,125 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:05.libatomic                                      Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Addition of atomic and bswap functions to libcompiler_rt
+
+Category:       core
+Module:         libcompiler_rt
+Announced:      2021-01-29
+Affects:        FreeBSD 11.4
+Corrected:      2020-09-12 16:33:05 UTC (stable/11, 11.4-STABLE)
+                2021-01-29 00:20:06 UTC (releng/11.4, 11.4-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+libcompiler_rt is a simple library that provides an implementation of low-level
+target-specific functionality required by the Clang compiler.
+
+II.  Problem Description
+
+The FreeBSD build system does not include all source files of libcompiler_rt.
+In particular, it misses the atomic.c file, which implements atomic memory
+routines for the i386 architecture.
+
+III. Impact
+
+When compiling software that makes use of atomic functions, as well as __bswap*
+functions, the compiler emits calls to them expecting that these will be
+available from libcompiler_rt.  Due to this, the linker fails to resolve
+mentioned functions and the build fails.
+
+The problem occurs only when targeting the i386 platform.
+
+IV.  Workaround
+
+The problem can be worked around by using GCC compiler to build the software.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:05/libatomic.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:05/libatomic.patch.asc
+# gpg --verify libatomic.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the library, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/11/                                                        r365661
+releng/11.4/                                                      r369155
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:05.libatomic.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbipfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKteBAAicm8nXlOWYeIu2qcgqKVEhWNwleLdfnAGPcs0ALuUEnSGZ2DIfsdl4J0
+eTOeIJC9ELpHrSoaAtlrM7huEkdtMDRHrLWfSlW7Zev3B7ZQ+v+GsdYAw1h86Erf
+uNt3iCvfhltDGVHVb0bGHQw2biIn9UD36CVOC9WqMhubLU/sjEy4FbjwRvVWUyRc
+UtR+WUf6W8IZnd3iJOlF/YnxDcEWclMPFnEdKMgBByl0dSoVuwIQfwuWm6Wl4WjA
+p1KUs+l/AUn5IJB7U7dLmB5tIGgvElzONwPb9S3M1BQaLDjS2+PLrE6/pxSpDNHS
+y/Oo2652ZaGG1OWAGzemKinpllLelkywPjbQwEEkjelqPnPoVMWzjM4UwmF0S5gj
+hnlB17BvH5qomMFnAiyVQO9cH85G4sKcKgVQSMU/gRzlrSMyqZ5ImLfltMOJi27H
+U3SQ36LljP6cu55bDlswBmAe6Ria748d5z4efSs/DGfgeFSYlSYF7zTLZtbw8wcP
+bXjeDVTMcAEGGjDFWjy2hU2zUhgQVBOSb1+IB3ziOHizUdOe9U5NaEZSoTA/S4rp
+Hrf8P8LKN5BgWh6j+jXI18RpwGtRNbL4Ev0wP0iG7SXth8cRkjymzq4qcGsIBMh/
+GjyNqC1CzzvQz4YDf6GqkOZWE3kAzUM+iyGyYpZIDdCx32Ir/e4=
+=RTBx
+-----END PGP SIGNATURE-----

website/static/security/advisories/FreeBSD-SA-21:01.fsdisclosure.asc

@@ -0,0 +1,150 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-21:01.fsdisclosure                               Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Uninitialized kernel stack leaks in several file systems
+
+Category:       core
+Module:         fs
+Announced:      2021-01-29
+Credits:        Syed Faraz Abrar
+Affects:        All supported versions of FreeBSD.
+Corrected:      2021-01-06 14:58:41 UTC (stable/12, 12.2-STABLE)
+                2021-01-29 01:20:59 UTC (releng/12.2, 12.2-RELEASE-p3)
+                2021-01-29 01:06:09 UTC (releng/12.1, 12.1-RELEASE-p13)
+                2021-01-18 19:16:24 UTC (stable/11, 11.4-STABLE)
+                2021-01-29 00:20:09 UTC (releng/11.4, 11.4-RELEASE-p7)
+CVE Name:       CVE-2020-25578, CVE-2020-25579
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The FreeBSD kernel exports file system directory entries to userspace
+using the generic "dirent" structure.  Individual file systems implement
+VOP_READDIR to convert from the file system's internal directory entry
+layout to the generic form.  dirent structures can be fetched from
+userspace using the getdirentries(2) system call.
+
+II.  Problem Description
+
+Several file systems were not properly initializing the d_off field of
+the dirent structures returned by VOP_READDIR.  In particular, tmpfs(5),
+smbfs(5), autofs(5) and mqueuefs(5) were failing to do so.  As a result,
+eight uninitialized kernel stack bytes may be leaked to userspace by
+these file systems.  This problem is not present in FreeBSD 11.
+
+Additionally, msdosfs(5) was failing to zero-fill a pair of padding
+fields in the dirent structure, resulting in a leak of three
+uninitialized bytes.
+
+III. Impact
+
+Kernel stack disclosures may leak sensitive information which could be
+used to compromise the security of the system.
+
+IV.  Workaround
+
+Systems that do not have any of the affected file systems mounted are
+not affected.  To trigger the leaks, an unprivileged user must have read
+access to a directory belonging to one of the mounted file systems.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 12.x]
+# fetch https://security.FreeBSD.org/patches/SA-21:01/fsdisclosure.12.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:01/fsdisclosure.12.patch.asc
+# gpg --verify fsdisclosure.12.patch.asc
+
+[FreeBSD 11.x]
+# fetch https://security.FreeBSD.org/patches/SA-21:01/fsdisclosure.11.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:01/fsdisclosure.11.patch.asc
+# gpg --verify fsdisclosure.11.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r368969
+releng/12.2/                                                      r369175
+releng/12.1/                                                      r369165
+stable/11/                                                        r369047
+releng/11.4/                                                      r369156
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25578>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25579>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:01.fsdisclosure.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbjNfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJr9xAAkZz7B1xlb66yVYXmyIo8eFf2ZyYPXxoH9hIxx1N7PxY6l9MeU9xzcYrf
+tOYtsWyPxx+M+g0KZc2Q846zu3JySSBkGKT1Kx3aqMmfEqWMa6b2u/wM+rG/8NjR
+qzsU9SfnzgcBg0tu4m55en+7muuiO3JopCbQDdTSl0EgOFkMI6cuMXc2lm9BAEKj
+zpmKFbelSCIUjISpLASJzNKRfQV1UajpgyM/tWYSrlQwaejNkFOmBO1ylLBbigBo
+bqH5xCsttGGUC91QmsEdcrF3pSNuHEtW5nT8sbAlm6ue8bjY9AGhEB1fkV877KDG
+otN3sPe367uQA1AHWCq3qPseTgAV9pDW4Mctxi5VSz0P3tUzG+hqojtn+mDAvFob
+DnFWFJnMZC6mueunp555LXlgFzA79Vberjo15240kEvaf4B+PiCqVLr9baK/2KyW
+EEj3pn/ciGq/wBn5ZPoCDVk0hbcfVNxaXytHLDBZ7l/ti7ZC08SRyaPdhG8Tblbx
+ha/6+/viGbBHktuTU5Vz48cHja9RnDq0EUiTmplinUDhyouVyG4i2Yrn3anMnhd5
+atULlylJlEPGq1WNH0A7yiKqQa6Bu4OFMdJ69YIYskcn3FC2vjz0LpRb+soFOIAH
+2/o0UAMup9buG8CbPVLoCRPyPrEw0liaUJEUlxTVPDc3AJGM0xM=
+=gD1K
+-----END PGP SIGNATURE-----

website/static/security/advisories/FreeBSD-SA-21:02.xenoom.asc

@@ -0,0 +1,142 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-21:02.xenoom                                     Security Advisory
+                                                          The FreeBSD Project
+
+Topic:		Xen guests can triger backend Out Of Memory
+
+Category:       contrib
+Module:         Xen
+Announced:      2021-01-29
+Credits:	See Xen XSA-349 for details
+Affects:        All supported versions of FreeBSD.
+Corrected:      2021-01-18 16:26:36 UTC (stable/12, 12.2-STABLE)
+                2021-01-29 01:21:04 UTC (releng/12.2, 12.2-RELEASE-p3)
+                2021-01-29 01:06:16 UTC (releng/12.1, 12.1-RELEASE-p13)
+                2021-01-21 09:14:50 UTC (stable/11, 11.4-STABLE)
+                2021-01-29 00:20:16 UTC (releng/11.4, 11.4-RELEASE-p7)
+CVE Name:       CVE-2020-29568
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+Xen is a type-1 hypervisor which supports FreeBSD as a Dom0 (or host
+domain).
+
+II.  Problem Description
+
+Some OSes (including Linux, FreeBSD, and NetBSD) are processing watch
+events using a single thread.  If the events are received faster than
+the thread is able to handle, they will get queued.
+
+As the queue is unbound, a guest may be able to trigger a OOM in
+the backend.
+
+III. Impact
+
+A malicious guest can trigger an OOM in backends.
+
+IV.  Workaround
+
+No workaround is available.  FreeBSD systems not using Xen are not
+affected.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 12.x]
+# fetch https://security.FreeBSD.org/patches/SA-21:02/xenoom.12.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:02/xenoom.12.patch.asc
+# gpg --verify xenoom.12.patch.asc
+
+[FreeBSD 11.x]
+# fetch https://security.FreeBSD.org/patches/SA-21:02/xenoom.11.patch
+# fetch https://security.FreeBSD.org/patches/SA-21:02/xenoom.11.patch.asc
+# gpg --verify xenoom.11.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r369038
+releng/12.2/                                                      r369177
+releng/12.1/                                                      r369167
+stable/11/                                                        r369072
+releng/11.4/                                                      r369158
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://xenbits.xen.org/xsa/advisory-349.html>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29568>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:02.xenoom.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbjNfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJjmhAAloDel7j9rgyDK8Ozk5wPJQlUM/1Ddc4e5Q5vdzT29mNdWKfXjH5SEkGq
+Jx7w4fUronf8vsXn+bNXwn1u5PWGVTVX/Y4ljQ4JVwJ+NdxhxTuhNsbg7j2AZmdO
+PsfI+eFX1xq8wr3oDUl3GTHHcUI1Ol259tsOgJE7ISriazgbRk8/QVowMgS3jdHA
+OYJS8ADFWSO6d4TC2B5pvgC6NAiZjhgTDtjxzTnaWoUb0157JyhRh3Z2FQTBxoxU
+3OQcTj7x7KBtbsiAI/Iq8Qu7JXyxtscVQfbXsk4Jt1uOskgsr8n9F+UGiP+GRIKb
+0IsgNUlsPavINlNJjAwQWHtB8VJqH7LpG9t3/EMizUXjZAuRLxEjAFiHV8ju1U++
+O9Xf9nB9auVrBn1WMYgH23bZ5D15W1HosEywifBw64R7CLDliD/HpJ3QaDEe3lCn
+pB0jgxuoE5RCbTppgUZM7tLUrtwgih+lOiZcLcA5xS9hQo8TWBLIJNBf5rRjJA6q
+/3vh5lOv/w8AHyBgA5395QIkkgw9dxy2o+LbtuVhdD/NbLX4GnNVMkQDsTF79PMT
+8rl0Zn6Ldo0ypHAwPAVHektl+izuMftNQuQXSbEjkw/Xr1VCjIjllJET3K2e9X6z
+4nPmq6t/0kuHWYSSDQAKdq/8Dosn3HLw1uQdst4ka7wf1Eon7Ow=
+=3L3L
+-----END PGP SIGNATURE-----

website/static/security/patches/EN-21:01/tzdata-2021a.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbgVfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cL0kQ//RYNiBRCzjAawttj9Wz6ryKf1rTERp1FJ17NpLRzRHp/WnjTKZ4uyEqGn
+pb4VWPbhVjiiCCyA0zvwGAOF5Yviv1UR79i5U+G0ErxVPdQKapqoQ240CY09eObG
+rqKGLJIhdXIyEEPK9YrYYDUb0kAwOzpnvt3xgPH1sph0QT8fga0bffnr2sDthDu7
+b5NOKMA51JkB1G2tlevHGUXrTnh+gZntXApSYVZ8/c8jKqnzAdcm9Co80hb8oVuC
+yWwEM7s2v/HTF0NUPPIz3PfAETLWCzVHGb0ZjXdZO6rd1BV6Zm1TIZ4wRoNOzl5n
+4PQGmEQckxojDcDIUImF9EDS+8SxxnP3cDUyN3vIqmTKUkVjAIStqqq5AfFZBs0+
+CjvkX9v0LgaCNHfPPknUuldeORO4YLTc/6dj4Ern7gocHRE9/feBcHdV58XGQLB/
+jI92wckBD0G738TCKQg74rX21A3564h/cbThmsGUP05C2D1vW+jT+v9DJy15LpG6
+CIF9zU8IwLFKlzI28Oc8vLekgU/6E8z7V0+ObmpboRIVJTXetkRCN61SyIKSnJT+
+nZgIgvd22jTFXJh6j18SmQS6cN2kEq22AtYLimNKEgrsGcT7uMrWyTJQ6vJiooqc
+a5txbMB2R4uRNv810IpMl0li2J0kshNBsnmsv0UxNQcAVyORBm8=
+=ynES
+-----END PGP SIGNATURE-----

website/static/security/patches/EN-21:02/extattr.patch

@@ -0,0 +1,11 @@
+--- sys/ufs/ffs/ffs_vnops.c.orig
++++ sys/ufs/ffs/ffs_vnops.c
+@@ -1663,7 +1663,7 @@
+ 	*p++ = ap->a_attrnamespace;
+ 	*p++ = eapad2;
+ 	*p++ = strlen(ap->a_name);
+-	strcpy(p, ap->a_name);
++	memcpy(p, ap->a_name, strlen(ap->a_name));
+ 	p += strlen(ap->a_name);
+ 	bzero(p, eapad1);
+ 	p += eapad1;

website/static/security/patches/EN-21:02/extattr.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbilfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLRwQ//cPFjEPuSDNSMa6NcQnDKo7pZ+0jYON5t8CSMj9CqxKs3V/wa6F9rB78l
+px6lkasBBFClmXH/lnVBrg8KTTD699Q8q7SHbydC7cG3XVB73QJnDjJrm6XgdcFt
+RKF546+h50JQBXqlW5JRpCCzqMzqzdqa5eFGjJfPI16TjbAuz8ywOez1PHTuTmuS
+lSJaT+UN78s5tD2D2WgQzzTG/o8umuJXisfCGFLsK7RI3p7c9N8QcrIGikrose9R
+yu/NFpfs/5iIE40VtTb6J/4PcOBlzfdjDv4EgAyRKzhTkFxPDgh3cgfh/gtJg9CV
+AZtf5K0qOufD79l1PA25znU3nf761VFQIyPv/sIT5nuhITm1WkPtV4mvHlN+bb9C
+tVF4HkLx6raghE5XnIAg0cFndVlS+zwAmzety/75W0h0AUqofrn4jbdcmeFGogG+
+BAtaPE39xWGJMT4R9zXMnF+mojX2GOqSKOyfshBrolsnkT9oEQQAVGb0N3ZxRT/2
+tmvV2Q01d5NORvtBlD0yvJ/qkihiF0UrfG+I9GJ2+gMjibpU/iZik8y0msboBYIB
+2zjf3DdNZY/n+hSN8cxN32maU0ZYl+he394rmMt0Lj1Ff7EuUz5RsKtzHoYPHoWm
+mTnXK/PUrJTEdvYxUzMbOsfM41Pqq476XYl/7B6bU4ZnSNlTxNM=
+=ntJx
+-----END PGP SIGNATURE-----

website/static/security/patches/EN-21:03/vnet.patch

@@ -0,0 +1,291 @@
+--- sys/net/if.c.orig
++++ sys/net/if.c
+@@ -274,6 +274,8 @@
+ static void	if_delgroups(struct ifnet *);
+ static void	if_attach_internal(struct ifnet *, int, struct if_clone *);
+ static int	if_detach_internal(struct ifnet *, int, struct if_clone **);
++static void	if_link_ifnet(struct ifnet *);
++static bool	if_unlink_ifnet(struct ifnet *, bool);
+ #ifdef VIMAGE
+ static void	if_vmove(struct ifnet *, struct vnet *);
+ #endif
+@@ -305,12 +307,8 @@
+ 
+ /*
+  * The global network interface list (V_ifnet) and related state (such as
+- * if_index, if_indexlim, and ifindex_table) are protected by an sxlock and
+- * an rwlock.  Either may be acquired shared to stablize the list, but both
+- * must be acquired writable to modify the list.  This model allows us to
+- * both stablize the interface list during interrupt thread processing, but
+- * also to stablize it over long-running ioctls, without introducing priority
+- * inversions and deadlocks.
++ * if_index, if_indexlim, and ifindex_table) are protected by an sxlock.
++ * This may be acquired to stabilise the list, or we may rely on NET_EPOCH.
+  */
+ struct rwlock ifnet_rwlock;
+ RW_SYSINIT_FLAGS(ifnet_rw, &ifnet_rwlock, "ifnet_rw", RW_RECURSE);
+@@ -317,6 +315,9 @@
+ struct sx ifnet_sxlock;
+ SX_SYSINIT_FLAGS(ifnet_sx, &ifnet_sxlock, "ifnet_sx", SX_RECURSE);
+ 
++struct sx ifnet_detach_sxlock;
++SX_SYSINIT(ifnet_detach, &ifnet_detach_sxlock, "ifnet_detach_sx");
++
+ /*
+  * The allocation of network interfaces is a rather non-atomic affair; we
+  * need to select an index before we are ready to expose the interface for
+@@ -476,17 +477,87 @@
+ }
+ VNET_SYSUNINIT(vnet_if_uninit, SI_SUB_INIT_IF, SI_ORDER_FIRST,
+     vnet_if_uninit, NULL);
++#endif
+ 
+ static void
++if_link_ifnet(struct ifnet *ifp)
++{
++
++	IFNET_WLOCK();
++	CK_STAILQ_INSERT_TAIL(&V_ifnet, ifp, if_link);
++#ifdef VIMAGE
++	curvnet->vnet_ifcnt++;
++#endif
++	IFNET_WUNLOCK();
++}
++
++static bool
++if_unlink_ifnet(struct ifnet *ifp, bool vmove)
++{
++	struct ifnet *iter;
++	int found = 0;
++
++	IFNET_WLOCK();
++	CK_STAILQ_FOREACH(iter, &V_ifnet, if_link)
++		if (iter == ifp) {
++			CK_STAILQ_REMOVE(&V_ifnet, ifp, ifnet, if_link);
++			if (!vmove)
++				ifp->if_flags |= IFF_DYING;
++			found = 1;
++			break;
++		}
++#ifdef VIMAGE
++	curvnet->vnet_ifcnt--;
++#endif
++	IFNET_WUNLOCK();
++
++	return (found);
++}
++
++#ifdef VIMAGE
++static void
+ vnet_if_return(const void *unused __unused)
+ {
+ 	struct ifnet *ifp, *nifp;
++	struct ifnet **pending;
++	int found, i;
+ 
++	i = 0;
++
++	/*
++	 * We need to protect our access to the V_ifnet tailq. Ordinarily we'd
++	 * enter NET_EPOCH, but that's not possible, because if_vmove() calls
++	 * if_detach_internal(), which waits for NET_EPOCH callbacks to
++	 * complete. We can't do that from within NET_EPOCH.
++	 *
++	 * However, we can also use the IFNET_xLOCK, which is the V_ifnet
++	 * read/write lock. We cannot hold the lock as we call if_vmove()
++	 * though, as that presents LOR w.r.t ifnet_sx, in_multi_sx and iflib
++	 * ctx lock.
++	 */
++	IFNET_WLOCK();
++
++	pending = malloc(sizeof(struct ifnet *) * curvnet->vnet_ifcnt,
++	    M_IFNET, M_WAITOK | M_ZERO);
++
+ 	/* Return all inherited interfaces to their parent vnets. */
+ 	CK_STAILQ_FOREACH_SAFE(ifp, &V_ifnet, if_link, nifp) {
+-		if (ifp->if_home_vnet != ifp->if_vnet)
+-			if_vmove(ifp, ifp->if_home_vnet);
++		if (ifp->if_home_vnet != ifp->if_vnet) {
++			found = if_unlink_ifnet(ifp, true);
++			MPASS(found);
++
++			pending[i++] = ifp;
++		}
+ 	}
++	IFNET_WUNLOCK();
++
++	for (int j = 0; j < i; j++) {
++		sx_xlock(&ifnet_detach_sxlock);
++		if_vmove(pending[j], pending[j]->if_home_vnet);
++		sx_xunlock(&ifnet_detach_sxlock);
++	}
++
++	free(pending, M_IFNET);
+ }
+ VNET_SYSUNINIT(vnet_if_return, SI_SUB_VNET_DONE, SI_ORDER_ANY,
+     vnet_if_return, NULL);
+@@ -894,12 +965,7 @@
+ 	}
+ #endif
+ 
+-	IFNET_WLOCK();
+-	CK_STAILQ_INSERT_TAIL(&V_ifnet, ifp, if_link);
+-#ifdef VIMAGE
+-	curvnet->vnet_ifcnt++;
+-#endif
+-	IFNET_WUNLOCK();
++	if_link_ifnet(ifp);
+ 
+ 	if (domain_init_status >= 2)
+ 		if_attachdomain1(ifp);
+@@ -1037,9 +1103,15 @@
+ void
+ if_detach(struct ifnet *ifp)
+ {
++	bool found;
+ 
+ 	CURVNET_SET_QUIET(ifp->if_vnet);
+-	if_detach_internal(ifp, 0, NULL);
++	found = if_unlink_ifnet(ifp, false);
++	if (found) {
++		sx_slock(&ifnet_detach_sxlock);
++		if_detach_internal(ifp, 0, NULL);
++		sx_sunlock(&ifnet_detach_sxlock);
++	}
+ 	CURVNET_RESTORE();
+ }
+ 
+@@ -1059,8 +1131,6 @@
+ 	struct ifaddr *ifa;
+ 	int i;
+ 	struct domain *dp;
+- 	struct ifnet *iter;
+- 	int found = 0;
+ #ifdef VIMAGE
+ 	int shutdown;
+ 
+@@ -1067,39 +1137,11 @@
+ 	shutdown = (ifp->if_vnet->vnet_state > SI_SUB_VNET &&
+ 		 ifp->if_vnet->vnet_state < SI_SUB_VNET_DONE) ? 1 : 0;
+ #endif
+-	IFNET_WLOCK();
+-	CK_STAILQ_FOREACH(iter, &V_ifnet, if_link)
+-		if (iter == ifp) {
+-			CK_STAILQ_REMOVE(&V_ifnet, ifp, ifnet, if_link);
+-			if (!vmove)
+-				ifp->if_flags |= IFF_DYING;
+-			found = 1;
+-			break;
+-		}
+-	IFNET_WUNLOCK();
+-	if (!found) {
+-		/*
+-		 * While we would want to panic here, we cannot
+-		 * guarantee that the interface is indeed still on
+-		 * the list given we don't hold locks all the way.
+-		 */
+-		return (ENOENT);
+-#if 0
+-		if (vmove)
+-			panic("%s: ifp=%p not on the ifnet tailq %p",
+-			    __func__, ifp, &V_ifnet);
+-		else
+-			return; /* XXX this should panic as well? */
+-#endif
+-	}
+ 
+ 	/*
+ 	 * At this point we know the interface still was on the ifnet list
+ 	 * and we removed it so we are in a stable state.
+ 	 */
+-#ifdef VIMAGE
+-	curvnet->vnet_ifcnt--;
+-#endif
+ 	epoch_wait_preempt(net_epoch_preempt);
+ 
+ 	/*
+@@ -1326,6 +1368,7 @@
+ 	struct prison *pr;
+ 	struct ifnet *difp;
+ 	int shutdown;
++	bool found;
+ 
+ 	/* Try to find the prison within our visibility. */
+ 	sx_slock(&allprison_lock);
+@@ -1362,6 +1405,9 @@
+ 	}
+ 	CURVNET_RESTORE();
+ 
++	found = if_unlink_ifnet(ifp, true);
++	MPASS(found);
++
+ 	/* Move the interface into the child jail/vnet. */
+ 	if_vmove(ifp, pr->pr_vnet);
+ 
+@@ -1378,7 +1424,8 @@
+ 	struct prison *pr;
+ 	struct vnet *vnet_dst;
+ 	struct ifnet *ifp;
+- 	int shutdown;
++	int shutdown;
++	bool found;
+ 
+ 	/* Try to find the prison within our visibility. */
+ 	sx_slock(&allprison_lock);
+@@ -1416,6 +1463,8 @@
+ 	}
+ 
+ 	/* Get interface back from child jail/vnet. */
++	found = if_unlink_ifnet(ifp, true);
++	MPASS(found);
+ 	if_vmove(ifp, vnet_dst);
+ 	CURVNET_RESTORE();
+ 
+@@ -3100,8 +3149,12 @@
+ 		goto out_noref;
+ 	case SIOCIFDESTROY:
+ 		error = priv_check(td, PRIV_NET_IFDESTROY);
+-		if (error == 0)
++
++		if (error == 0) {
++			sx_slock(&ifnet_detach_sxlock);
+ 			error = if_clone_destroy(ifr->ifr_name);
++			sx_sunlock(&ifnet_detach_sxlock);
++		}
+ 		goto out_noref;
+ 
+ 	case SIOCIFGCLONERS:
+--- sys/net/if_var.h.orig
++++ sys/net/if_var.h
+@@ -569,27 +569,11 @@
+ extern	struct rwlock ifnet_rwlock;
+ extern	struct sx ifnet_sxlock;
+ 
+-#define	IFNET_WLOCK() do {						\
+-	sx_xlock(&ifnet_sxlock);					\
+-	rw_wlock(&ifnet_rwlock);					\
+-} while (0)
+-
+-#define	IFNET_WUNLOCK() do {						\
+-	rw_wunlock(&ifnet_rwlock);					\
+-	sx_xunlock(&ifnet_sxlock);					\
+-} while (0)
+-
+-/*
+- * To assert the ifnet lock, you must know not only whether it's for read or
+- * write, but also whether it was acquired with sleep support or not.
+- */
+-#define	IFNET_RLOCK_ASSERT()		sx_assert(&ifnet_sxlock, SA_SLOCKED)
++#define	IFNET_WLOCK()		sx_xlock(&ifnet_sxlock)
++#define	IFNET_WUNLOCK()		sx_xunlock(&ifnet_sxlock)
++#define	IFNET_RLOCK_ASSERT()	sx_assert(&ifnet_sxlock, SA_SLOCKED)
+ #define	IFNET_RLOCK_NOSLEEP_ASSERT()	MPASS(in_epoch(net_epoch_preempt))
+-#define	IFNET_WLOCK_ASSERT() do {					\
+-	sx_assert(&ifnet_sxlock, SA_XLOCKED);				\
+-	rw_assert(&ifnet_rwlock, RA_WLOCKED);				\
+-} while (0)
+-
++#define	IFNET_WLOCK_ASSERT()	sx_assert(&ifnet_sxlock, SA_XLOCKED)
+ #define	IFNET_RLOCK()		sx_slock(&ifnet_sxlock)
+ #define	IFNET_RLOCK_NOSLEEP()	struct epoch_tracker ifnet_rlock_et; epoch_enter_preempt(net_epoch_preempt, &ifnet_rlock_et)
+ #define	IFNET_RUNLOCK()		sx_sunlock(&ifnet_sxlock)

website/static/security/patches/EN-21:03/vnet.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbipfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLRyQ//du+e1JRQvV+xth02xPmDbklqvfsH9ge20DeExN/grbrqv1nLkGBP0I1j
+CnxMMDPsm33fATsxa6HndAcQXDO4bRf0E7qjE+bgC1gJevCrCptXI7LaOgTWrlpP
+0iszfjqF0DIJhXL7MiFVDYkt5EBvPkvJMBo1q3A7HKG8YKzZHI6EUa6g+yspHip0
+p4TKVexl7L4ERb0h8hDUIycAPSmK4lNn9SOlErD9mTUUYRp/xvkVdAV53xnuo2aD
+zt/sqO7lPRP1oiOCp/8D2ZiMbtg6dzOKyw0xhfnsW8a/h0k7nthWKWL+KpyOQVpj
+QZ/lYnzzqxu93/2cZSuGFpIUw3WKl67IlYNW0qtGsvXeFjpx85AqFyYueg00Wvew
+jUQk0lONd6k2XkyMS/mYgYXOuadA5uzJwgffRuKNP7aVxXIXM+4PJFleJ86c0q2b
+qRLUWeWC4l+1oYY+0YHEAzv0VWc+VQilcERgUXezwF40vbUIvc+AhAzUDIO919Yg
+PBz8vAGiDPSfeveihTtuD9FTugw4oaM6mgxFBSnkrHK6EyNuwMk5kvHjx25rjuzX
+eqVEE1gUaigGzXoy1FsFpUeaAr4/vZcwwVu9sZ2Oysyknm7c6j6q/kR1JzH8Y8am
+H0NX4nlccagnfTy5aGPQWPrV8QHAmOYuzw6LltUZxcIMDdLSGH4=
+=edmV
+-----END PGP SIGNATURE-----

website/static/security/patches/EN-21:04/zfs.patch

@@ -0,0 +1,150 @@
+--- cddl/contrib/opensolaris/lib/libzfs/common/libzfs_sendrecv.c.orig
++++ cddl/contrib/opensolaris/lib/libzfs/common/libzfs_sendrecv.c
+@@ -613,8 +613,8 @@
+ 	const char *fromsnap;
+ 	const char *tosnap;
+ 	boolean_t recursive;
+-	boolean_t verbose;
+ 	boolean_t replicate;
++	boolean_t verbose;
+ 
+ 	/*
+ 	 * The header nvlist is of the following format:
+@@ -848,36 +848,36 @@
+ 			rv = -1;
+ 			goto out;
+ 		}
+-		VERIFY(0 == nvlist_add_uint64(nvfs, "origin",
+-		    origin->zfs_dmustats.dds_guid));
++		fnvlist_add_uint64(nvfs, "origin",
++		    origin->zfs_dmustats.dds_guid);
+ 	}
+ 
+ 	/* iterate over props */
+-	VERIFY(0 == nvlist_alloc(&nv, NV_UNIQUE_NAME, 0));
++	nv = fnvlist_alloc();
+ 	send_iterate_prop(zhp, nv);
+-	VERIFY(0 == nvlist_add_nvlist(nvfs, "props", nv));
+-	nvlist_free(nv);
++	fnvlist_add_nvlist(nvfs, "props", nv);
++	fnvlist_free(nv);
+ 
+ 	/* iterate over snaps, and set sd->parent_fromsnap_guid */
++	sd->parent_fromsnap_guid = 0;
++	sd->parent_snaps = fnvlist_alloc();
++	sd->snapprops = fnvlist_alloc();
+ 	if (!sd->replicate && fromsnap_txg != 0)
+ 		min_txg = fromsnap_txg;
+ 	if (!sd->replicate && tosnap_txg != 0)
+ 		max_txg = tosnap_txg;
+-	sd->parent_fromsnap_guid = 0;
+-	VERIFY(0 == nvlist_alloc(&sd->parent_snaps, NV_UNIQUE_NAME, 0));
+-	VERIFY(0 == nvlist_alloc(&sd->snapprops, NV_UNIQUE_NAME, 0));
+ 	(void) zfs_iter_snapshots_sorted(zhp, send_iterate_snap, sd,
+ 	    min_txg, max_txg);
+-	VERIFY(0 == nvlist_add_nvlist(nvfs, "snaps", sd->parent_snaps));
+-	VERIFY(0 == nvlist_add_nvlist(nvfs, "snapprops", sd->snapprops));
++	fnvlist_add_nvlist(nvfs, "snaps", sd->parent_snaps);
++	fnvlist_add_nvlist(nvfs, "snapprops", sd->snapprops);
+ 	fnvlist_free(sd->parent_snaps);
+ 	fnvlist_free(sd->snapprops);
+ 
+ 	/* add this fs to nvlist */
+ 	(void) snprintf(guidstring, sizeof (guidstring),
+ 	    "0x%llx", (longlong_t)guid);
+-	VERIFY(0 == nvlist_add_nvlist(sd->fss, guidstring, nvfs));
+-	nvlist_free(nvfs);
++	fnvlist_add_nvlist(sd->fss, guidstring, nvfs);
++	fnvlist_free(nvfs);
+ 
+ 	/* iterate over children */
+ 	if (sd->recursive)
+@@ -894,13 +894,12 @@
+ 
+ static int
+ gather_nvlist(libzfs_handle_t *hdl, const char *fsname, const char *fromsnap,
+-    const char *tosnap, boolean_t recursive, boolean_t verbose,
+-    boolean_t replicate, nvlist_t **nvlp, avl_tree_t **avlp)
++    const char *tosnap, boolean_t recursive, boolean_t replicate,
++    boolean_t verbose, nvlist_t **nvlp, avl_tree_t **avlp)
+ {
+ 	zfs_handle_t *zhp;
+-	int error;
+-	uint64_t min_txg = 0, max_txg = 0;
+ 	send_data_t sd = { 0 };
++	int error;
+ 
+ 	zhp = zfs_open(hdl, fsname, ZFS_TYPE_FILESYSTEM | ZFS_TYPE_VOLUME);
+ 	if (zhp == NULL)
+@@ -911,8 +910,8 @@
+ 	sd.fromsnap = fromsnap;
+ 	sd.tosnap = tosnap;
+ 	sd.recursive = recursive;
+-	sd.verbose = verbose;
+ 	sd.replicate = replicate;
++	sd.verbose = verbose;
+ 
+ 	if ((error = send_iterate_fs(zhp, &sd)) != 0) {
+ 		nvlist_free(sd.fss);
+@@ -1349,10 +1348,10 @@
+ dump_filesystem(zfs_handle_t *zhp, void *arg)
+ {
+ 	int rv = 0;
+-	uint64_t min_txg = 0, max_txg = 0;
+ 	send_dump_data_t *sdd = arg;
+ 	boolean_t missingfrom = B_FALSE;
+ 	zfs_cmd_t zc = { 0 };
++	uint64_t min_txg = 0, max_txg = 0;
+ 
+ 	(void) snprintf(zc.zc_name, sizeof (zc.zc_name), "%s@%s",
+ 	    zhp->zfs_name, sdd->tosnap);
+@@ -1853,8 +1852,8 @@
+ 			}
+ 
+ 			err = gather_nvlist(zhp->zfs_hdl, zhp->zfs_name,
+-			    fromsnap, tosnap, flags->replicate, flags->verbose,
+-			    flags->replicate, &fss, &fsavl);
++			    fromsnap, tosnap, flags->replicate,
++			    flags->replicate, flags->verbose, &fss, &fsavl);
+ 			if (err)
+ 				goto err_out;
+ 			VERIFY(0 == nvlist_add_nvlist(hdrnv, "fss", fss));
+@@ -2497,7 +2496,7 @@
+ 	VERIFY(0 == nvlist_alloc(&deleted, NV_UNIQUE_NAME, 0));
+ 
+ 	if ((error = gather_nvlist(hdl, tofs, fromsnap, NULL,
+-	    recursive, B_FALSE, B_FALSE, &local_nv, &local_avl)) != 0)
++	    recursive, recursive, B_FALSE, &local_nv, &local_avl)) != 0)
+ 		return (error);
+ 
+ 	/*
+--- sys/cddl/contrib/opensolaris/uts/common/sys/fs/zfs.h.orig
++++ sys/cddl/contrib/opensolaris/uts/common/sys/fs/zfs.h
+@@ -881,6 +881,13 @@
+ 	VDEV_INITIALIZE_COMPLETE
+ } vdev_initializing_state_t;
+ 
++/*
++ * nvlist name constants. Facilitate restricting snapshot iteration range for
++ * the "list next snapshot" ioctl
++ */
++#define	SNAP_ITER_MIN_TXG	"snap_iter_min_txg"
++#define	SNAP_ITER_MAX_TXG	"snap_iter_max_txg"
++
+ /*
+  * Vdev statistics.  Note: all fields should be 64-bit because this
+  * is passed between kernel and userland as an nvlist uint64 array.
+@@ -1157,13 +1164,6 @@
+ #define	ZCP_DEFAULT_MEMLIMIT	(10 * 1024 * 1024)
+ #define	ZCP_MAX_MEMLIMIT	(10 * ZCP_DEFAULT_MEMLIMIT)
+ 
+-/*
+- * nvlist name constants. Facilitate restricting snapshot iteration range for
+- * the "list next snapshot" ioctl
+- */
+-#define	SNAP_ITER_MIN_TXG	"snap_iter_min_txg"
+-#define	SNAP_ITER_MAX_TXG	"snap_iter_max_txg"
+-
+ /*
+  * Sysevent payload members.  ZFS will generate the following sysevents with the
+  * given payloads:

website/static/security/patches/EN-21:04/zfs.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbipfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJ9ow/9Hpft2BnP9cFpvRtXtc6J6Pw3s7iS36PHXJXiRTbif72pzUU0dhnGxXT1
+AA8YX8BvyoHOFxUDqTRFcG+/B6HOpjGEq9aqNiBsGxmA8OXPdtjg1nhR23QH+NNt
+tJ5YTVztO2tq/VHri41Ez0ttMMYDIpdPAGJIsnJwzFGMgsXKFcNGhG1IXhSzpJOo
+ZE3R0117MWETR07LJjK7aY5sAvCPA0rtWqosh8DtGa1Qz8k3nNVq91qikAdG2/Ea
+ymICIz/x1vp9J6SUlMt/2Y3t9V3pCyrL2VwyKbBzKZ+PrJUxM9HgA1w5sMn3ANe0
+sT+Ijk3TbAkSkV01PgQsYIwX2mHAH38MKO5foq3oU3bLWCGkxu0jDlSvEgLCE5U+
+4jcJpbH1k1uLOKaLXH3FcK3X0ahIWwOr7ckvcKmsem4f18VLcfQuZ7qHQq3oQT/B
+ooIvF4Xvv/3kfMK2mdMGza6x5AhkJHp4+cDJhw7CVvTWuo+jb+dQYSlrOVOaaaSl
+OQDEqSaja+xGh02asMrtdrCm5+DoMfQ+28jMkb2QyA6IHhUkEa8xa/JBka9o71rZ
+45KIlM7aFxiCACi4LScUNGh94qPnNkG9Mgez1O91nhiFMVCaUSdEDNkz4HMRseli
+hPD2/3rUJ9pRRFcXMbZHrtXK7gwJ+A8Fd++MgYvedwbjke+efe4=
+=mdRJ
+-----END PGP SIGNATURE-----

website/static/security/patches/EN-21:05/libatomic.patch

@@ -0,0 +1,71 @@
+--- contrib/llvm-project/compiler-rt/lib/builtins/atomic.c.orig
++++ contrib/llvm-project/compiler-rt/lib/builtins/atomic.c
+@@ -124,8 +124,8 @@
+ #define IS_LOCK_FREE_2 __c11_atomic_is_lock_free(2)
+ #define IS_LOCK_FREE_4 __c11_atomic_is_lock_free(4)
+ 
+-/// 32 bit PowerPC doesn't support 8-byte lock_free atomics
+-#if !defined(__powerpc64__) && defined(__powerpc__)
++/// 32 bit MIPS and PowerPC don't support 8-byte lock_free atomics
++#if defined(__mips__) || (!defined(__powerpc64__) && defined(__powerpc__))
+ #define IS_LOCK_FREE_8 0
+ #else
+ #define IS_LOCK_FREE_8 __c11_atomic_is_lock_free(8)
+--- lib/libcompiler_rt/Makefile.inc.orig
++++ lib/libcompiler_rt/Makefile.inc
+@@ -18,6 +18,8 @@
+ SRCF+=		ashlti3
+ SRCF+=		ashrdi3
+ SRCF+=		ashrti3
++SRCF+=		bswapdi2
++SRCF+=		bswapsi2
+ SRCF+=		clear_cache
+ SRCF+=		clzdi2
+ SRCF+=		clzsi2
+@@ -117,6 +119,14 @@
+ SRCF+=		umoddi3
+ SRCF+=		umodti3
+ 
++# Enable compiler-rt's atomic implementation only for clang, as it uses clang
++# specific builtins, and gcc packages usually come with their own libatomic.
++# Exclude arm which has its own implementations of atomic functions, below.
++.if "${COMPILER_TYPE}" == "clang" && \
++    !(${MACHINE_CPUARCH} == "arm" || ${MACHINE_CPUARCH} == "armv6")
++SRCF+=		atomic
++.endif
++
+ # Avoid using SSE2 instructions on i386, if unsupported.
+ .if ${MACHINE_CPUARCH} == "i386" && empty(MACHINE_CPU:Msse2)
+ SRCS+=		floatdidf.c
+@@ -215,12 +225,6 @@
+ SRCF+=		stdatomic
+ .endif
+ 
+-.if "${COMPILER_TYPE}" == "clang" && \
+-    (${MACHINE_ARCH} == "powerpc" || ${MACHINE_ARCH} == "powerpcspe")
+-SRCS+=          atomic.c
+-CFLAGS.atomic.c+=      -Wno-atomic-alignment
+-.endif
+-
+ .for file in ${SRCF}
+ .if ${MACHINE_ARCH:Marmv6*} && (!defined(CPUTYPE) || ${CPUTYPE:M*soft*} == "") \
+     && exists(${CRTSRC}/${CRTARCH}/${file}vfp.S)
+@@ -242,18 +246,9 @@
+ SRCS+=		aeabi_memset.S
+ SRCS+=		aeabi_uidivmod.S
+ SRCS+=		aeabi_uldivmod.S
+-SRCS+=		bswapdi2.S
+-SRCS+=		bswapsi2.S
+ SRCS+=		switch16.S
+ SRCS+=		switch32.S
+ SRCS+=		switch8.S
+ SRCS+=		switchu8.S
+ SRCS+=		sync_synchronize.S
+ .endif
+-
+-# GCC-6.3 on mips32 requires bswap32 built-in.
+-.if ${MACHINE_CPUARCH} == "mips"
+-SRCS+=		bswapdi2.c
+-SRCS+=		bswapsi2.c
+-.endif
+-

website/static/security/patches/EN-21:05/libatomic.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbipfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cITKxAAipVfcvry45Ih14/dOrobd6s4NtFpck4x+CT9p/SMS5LLLFAJYpjazGtf
+1WytYOv305wZo0toQQDZwTOwGdjPCdZyXzJFXfQGX2KpVA/pqEqY+SBxBEDbzU0X
+4LKiijtGNDqikrb7Rs4m5DiOgcY0UFHvwisGvX4/1yHEx33cSPR6P90uLSwiIUlu
+qxTa400oN79ICecRibtr1rjTRZbSoP/9p3Si2UFVLZPD/mXaYU626T70yIARaach
+8oO8afQHVrvMfdDJrKIuas4DrbhORtZsst4mtmWRDuQlDAIcZuI43uLCjTjMVVjk
+VsQlS/YprSGkzVyBz/hyKqPa8eYkmpmWekSW8mvyNudfjqCfHh6qFAZD9yqqufRr
+am3nWKLqjIclLeF7/nBoyC9Vvhb+okCS3slkejm/4WDpgUoJWyd262Hj4jsviQ3f
+8/MkhkAahSJJTXf9CVDM5iz4DpobCMc27mX/uctfeQrMzw6JMZ3IcSZ/k9mPqlR/
+znhW4gSc1bCrN2t/UCaBeGvnL8eGa5ohhLIHGm3vekMvlpFmj3kPidmgjts1RoHA
+gW0MWfYod54/WceTGC/RVwUQyQjjj4qlLrWZCmU2SAK5Atw54w+l/skj9HZlGJC3
+0OBeQvqSOUszbn8H48+1l039t90rdCbYW5/suZfhoK6OeudbMmY=
+=DgCX
+-----END PGP SIGNATURE-----

website/static/security/patches/SA-21:01/fsdisclosure.11.patch

@@ -0,0 +1,10 @@
+--- sys/fs/msdosfs/msdosfs_vnops.c.orig
++++ sys/fs/msdosfs/msdosfs_vnops.c
+@@ -1701,6 +1701,7 @@
+ 				mbnambuf_flush(&nb, &dirbuf);
+ 			chksum = -1;
+ 			dirbuf.d_reclen = GENERIC_DIRSIZ(&dirbuf);
++			dirent_terminate(&dirbuf);
+ 			if (uio->uio_resid < dirbuf.d_reclen) {
+ 				brelse(bp);
+ 				goto out;

website/static/security/patches/SA-21:01/fsdisclosure.11.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbjNfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJ8HA/+PgmcD+mXjlONm6S2iODbNlot81XtSJFZBVvGsuez3YnDt4NV4TVivf+A
+SFs/3olGaMxtAT/ME8dVrgAF8+cHcjBMj5Vd+SYEgYAS3gQsOm4jfzWTh+z0Wwm7
+SGDgW3h9wMb7WKevudvZ9kI5xV5uOD3IeCs8zag5eNoOp+BvgPbOgP9GdqgP1WmT
+vEFtk8g1PAXoOkDm89rdYf05oUHyC6FvVF1vxCTEypmHt97meIkOn71f+CBMBLTS
+qyFf/DHeXjuWg6XNZckbShRXgJufv8cf2GkK/dX37VzX5qXk4HKsOckQTwxXLjtc
+xQGXyhw2lCWlkJUS6yzeeH4elzl3Z+EPE9t1zrEq5fmwGCV2cGuDQbdgWTfr4LnZ
+5uTFJ6RtAT66hnbTu0LWhsBh7JWTYih6Vhq/RDS/HaIt0tgf20xaiVEwbtshAfsR
+djHU2KgFCua+Y0NHKsFlgE7wM1i7lcPC4oJQxVvgtK1Zac49VVgMn1M9V9K4iFrq
+D2j9mcW4Bi8bWPH2c3MdqSZZo5s1VfWWPH5CEDGyYRWC9TR8MLbeu5svnQrPgTcm
+CoQysqeP9/50LADgSwIgnEdyJizydAhecck5t6BbkimanUAfGKw4lH3d9xWP24y/
+F3MmYHkrAw88np2rlmaVFnydu4I1stzUiE5Nyrp00ATybc2vny0=
+=tSMc
+-----END PGP SIGNATURE-----

website/static/security/patches/SA-21:01/fsdisclosure.12.patch

@@ -0,0 +1,166 @@
+--- sys/fs/autofs/autofs_vnops.c.orig
++++ sys/fs/autofs/autofs_vnops.c
+@@ -369,6 +369,7 @@
+ 		return (EINVAL);
+ 
+ 	dirent.d_fileno = fileno;
++	dirent.d_off = uio->uio_offset + reclen;
+ 	dirent.d_reclen = reclen;
+ 	dirent.d_type = DT_DIR;
+ 	dirent.d_namlen = namlen;
+--- sys/fs/msdosfs/msdosfs_vnops.c.orig
++++ sys/fs/msdosfs/msdosfs_vnops.c
+@@ -1687,6 +1687,7 @@
+ 			dirbuf.d_reclen = GENERIC_DIRSIZ(&dirbuf);
+ 			/* NOTE: d_off is the offset of the *next* entry. */
+ 			dirbuf.d_off = offset + sizeof(struct direntry);
++			dirent_terminate(&dirbuf);
+ 			if (uio->uio_resid < dirbuf.d_reclen) {
+ 				brelse(bp);
+ 				goto out;
+--- sys/fs/smbfs/smbfs_io.c.orig
++++ sys/fs/smbfs/smbfs_io.c
+@@ -103,6 +103,7 @@
+ 		    (np->n_parent ? np->n_parentino : 2);
+ 		if (de.d_fileno == 0)
+ 			de.d_fileno = 0x7ffffffd + offset;
++		de.d_off = offset + 1;
+ 		de.d_namlen = offset + 1;
+ 		de.d_name[0] = '.';
+ 		de.d_name[1] = '.';
+@@ -153,6 +154,7 @@
+ 		bzero((caddr_t)&de, DE_SIZE);
+ 		de.d_reclen = DE_SIZE;
+ 		de.d_fileno = ctx->f_attr.fa_ino;
++		de.d_off = offset + 1;
+ 		de.d_type = (ctx->f_attr.fa_attr & SMB_FA_DIR) ? DT_DIR : DT_REG;
+ 		de.d_namlen = ctx->f_nmlen;
+ 		bcopy(ctx->f_name, de.d_name, de.d_namlen);
+--- sys/fs/tmpfs/tmpfs_subr.c.orig
++++ sys/fs/tmpfs/tmpfs_subr.c
+@@ -1188,6 +1188,7 @@
+ 	MPASS(uio->uio_offset == TMPFS_DIRCOOKIE_DOT);
+ 
+ 	dent.d_fileno = node->tn_id;
++	dent.d_off = TMPFS_DIRCOOKIE_DOTDOT;
+ 	dent.d_type = DT_DIR;
+ 	dent.d_namlen = 1;
+ 	dent.d_name[0] = '.';
+@@ -1213,7 +1214,7 @@
+  */
+ static int
+ tmpfs_dir_getdotdotdent(struct tmpfs_mount *tm, struct tmpfs_node *node,
+-    struct uio *uio)
++    struct uio *uio, off_t next)
+ {
+ 	struct tmpfs_node *parent;
+ 	struct dirent dent;
+@@ -1234,6 +1235,7 @@
+ 	dent.d_fileno = parent->tn_id;
+ 	TMPFS_NODE_UNLOCK(parent);
+ 
++	dent.d_off = next;
+ 	dent.d_type = DT_DIR;
+ 	dent.d_namlen = 2;
+ 	dent.d_name[0] = '.';
+@@ -1263,7 +1265,7 @@
+     struct uio *uio, int maxcookies, u_long *cookies, int *ncookies)
+ {
+ 	struct tmpfs_dir_cursor dc;
+-	struct tmpfs_dirent *de;
++	struct tmpfs_dirent *de, *nde;
+ 	off_t off;
+ 	int error;
+ 
+@@ -1284,18 +1286,19 @@
+ 		error = tmpfs_dir_getdotdent(tm, node, uio);
+ 		if (error != 0)
+ 			return (error);
+-		uio->uio_offset = TMPFS_DIRCOOKIE_DOTDOT;
++		uio->uio_offset = off = TMPFS_DIRCOOKIE_DOTDOT;
+ 		if (cookies != NULL)
+-			cookies[(*ncookies)++] = off = uio->uio_offset;
++			cookies[(*ncookies)++] = off;
+ 		/* FALLTHROUGH */
+ 	case TMPFS_DIRCOOKIE_DOTDOT:
+-		error = tmpfs_dir_getdotdotdent(tm, node, uio);
++		de = tmpfs_dir_first(node, &dc);
++		off = tmpfs_dirent_cookie(de);
++		error = tmpfs_dir_getdotdotdent(tm, node, uio, off);
+ 		if (error != 0)
+ 			return (error);
+-		de = tmpfs_dir_first(node, &dc);
+-		uio->uio_offset = tmpfs_dirent_cookie(de);
++		uio->uio_offset = off;
+ 		if (cookies != NULL)
+-			cookies[(*ncookies)++] = off = uio->uio_offset;
++			cookies[(*ncookies)++] = off;
+ 		/* EOF. */
+ 		if (de == NULL)
+ 			return (0);
+@@ -1310,13 +1313,17 @@
+ 			off = tmpfs_dirent_cookie(de);
+ 	}
+ 
+-	/* Read as much entries as possible; i.e., until we reach the end of
+-	 * the directory or we exhaust uio space. */
++	/*
++	 * Read as much entries as possible; i.e., until we reach the end of the
++	 * directory or we exhaust uio space.
++	 */
+ 	do {
+ 		struct dirent d;
+ 
+-		/* Create a dirent structure representing the current
+-		 * tmpfs_node and fill it. */
++		/*
++		 * Create a dirent structure representing the current tmpfs_node
++		 * and fill it.
++		 */
+ 		if (de->td_node == NULL) {
+ 			d.d_fileno = 1;
+ 			d.d_type = DT_WHT;
+@@ -1360,20 +1367,27 @@
+ 		MPASS(de->td_namelen < sizeof(d.d_name));
+ 		(void)memcpy(d.d_name, de->ud.td_name, de->td_namelen);
+ 		d.d_reclen = GENERIC_DIRSIZ(&d);
+-		dirent_terminate(&d);
+ 
+-		/* Stop reading if the directory entry we are treating is
+-		 * bigger than the amount of data that can be returned. */
++		/*
++		 * Stop reading if the directory entry we are treating is bigger
++		 * than the amount of data that can be returned.
++		 */
+ 		if (d.d_reclen > uio->uio_resid) {
+ 			error = EJUSTRETURN;
+ 			break;
+ 		}
+ 
+-		/* Copy the new dirent structure into the output buffer and
+-		 * advance pointers. */
++		nde = tmpfs_dir_next(node, &dc);
++		d.d_off = tmpfs_dirent_cookie(nde);
++		dirent_terminate(&d);
++
++		/*
++		 * Copy the new dirent structure into the output buffer and
++		 * advance pointers.
++		 */
+ 		error = uiomove(&d, d.d_reclen, uio);
+ 		if (error == 0) {
+-			de = tmpfs_dir_next(node, &dc);
++			de = nde;
+ 			if (cookies != NULL) {
+ 				off = tmpfs_dirent_cookie(de);
+ 				MPASS(*ncookies < maxcookies);
+--- sys/kern/uipc_mqueue.c.orig
++++ sys/kern/uipc_mqueue.c
+@@ -1426,6 +1426,7 @@
+ 		if (!pn->mn_fileno)
+ 			mqfs_fileno_alloc(mi, pn);
+ 		entry.d_fileno = pn->mn_fileno;
++		entry.d_off = offset + entry.d_reclen;
+ 		for (i = 0; i < MQFS_NAMELEN - 1 && pn->mn_name[i] != '\0'; ++i)
+ 			entry.d_name[i] = pn->mn_name[i];
+ 		entry.d_namlen = i;

website/static/security/patches/SA-21:01/fsdisclosure.12.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbjNfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJY7A//cxfRPjkTLhctIEVx1PCFqEQ02Fj8rarjyKu8fWPrjB7zB9DuJPIMDfzs
+VEupOfXlw0R71n+6UV3EuplbHF7jodX5g79FG0AqjrhzKmGVmN3azx/erbAQj46Q
+ccRyGNltZLtji3iD9eespNNbuXkE0HB4hgR8uwbzTtEI12l9FybrRfR/Lo0EpakX
+avnwAMSmbUp8IHvXJmiae6jNqW5qbXH0j0wUaQGIhF/ZgJtvZhRN2xbXWb7A0Uqm
+DkUSatoFnTZ3YXKh1dY7wr9qUQujoO7tqvM1RMsgX+GGQNIwIzWsWJo6bcMNKmN+
+bjVRQgLp8o2okApFKbEX535tzudGwet9xJGCrz8znUhgN0riUVsPy8/AbVFiLoWi
+Rp8YlBTuuIQEG1naOlkdwbyoNXnIKajuA3s+BawdcpQEoB8o9OSd1jdQcdafZE6d
+E9Oo/yIetviAmcu4Xt/KYXT2NbLIezDO26EYLsLver1qF9QE2A8syy3qld/mz4+n
+Q90L/Qs4iN7nDzB0WenreA7YlG0rXjG5WyXxfxIpefdaSWvd51LUU56tGJEkGzAt
+VT1kOyNKKI5zfV6K+pN3+0G7MPmfMN7au7UoAnC3C2QnbvvZZ4kxd/8+FerWyHrT
+2CQAxwErn2hDLXJn9SDU8uQnXY3cJ3efO6lx9jwGQtCpJPzKd/A=
+=DVI2
+-----END PGP SIGNATURE-----

website/static/security/patches/SA-21:02/xenoom.11.patch

@@ -0,0 +1,255 @@
+--- sys/dev/xen/balloon/balloon.c.orig
++++ sys/dev/xen/balloon/balloon.c
+@@ -310,7 +310,8 @@
+ 
+ static struct xs_watch target_watch =
+ {
+-	.node = "memory/target"
++	.node = "memory/target",
++	.max_pending = 1,
+ };
+ 
+ /* React to a change in the target key */
+--- sys/dev/xen/blkback/blkback.c.orig
++++ sys/dev/xen/blkback/blkback.c
+@@ -3767,6 +3767,12 @@
+ 	xbb->hotplug_watch.callback = xbb_attach_disk;
+ 	KASSERT(xbb->hotplug_watch.node == NULL, ("watch node already setup"));
+ 	xbb->hotplug_watch.node = strdup(sbuf_data(watch_path), M_XENBLOCKBACK);
++	/*
++	 * We don't care about the path updated, just about the value changes
++	 * on that single node, hence there's no need to queue more that one
++	 * event.
++	 */
++	xbb->hotplug_watch.max_pending = 1;
+ 	sbuf_delete(watch_path);
+ 	error = xs_register_watch(&xbb->hotplug_watch);
+ 	if (error != 0) {
+--- sys/dev/xen/control/control.c.orig
++++ sys/dev/xen/control/control.c
+@@ -432,6 +432,12 @@
+ 	xctrl->xctrl_watch.node = "control/shutdown";
+ 	xctrl->xctrl_watch.callback = xctrl_on_watch_event;
+ 	xctrl->xctrl_watch.callback_data = (uintptr_t)xctrl;
++	/*
++	 * We don't care about the path updated, just about the value changes
++	 * on that single node, hence there's no need to queue more that one
++	 * event.
++	 */
++	xctrl->xctrl_watch.max_pending = 1;
+ 	xs_register_watch(&xctrl->xctrl_watch);
+ 
+ 	if (xen_pv_domain())
+--- sys/dev/xen/xenstore/xenstore.c.orig
++++ sys/dev/xen/xenstore/xenstore.c
+@@ -668,12 +668,17 @@
+ 		mtx_lock(&xs.registered_watches_lock);
+ 		msg->u.watch.handle = find_watch(
+ 		    msg->u.watch.vec[XS_WATCH_TOKEN]);
+-		if (msg->u.watch.handle != NULL) {
+-			mtx_lock(&xs.watch_events_lock);
++		mtx_lock(&xs.watch_events_lock);
++		if (msg->u.watch.handle != NULL &&
++		    (!msg->u.watch.handle->max_pending ||
++		    msg->u.watch.handle->pending <
++		    msg->u.watch.handle->max_pending)) {
++			msg->u.watch.handle->pending++;
+ 			TAILQ_INSERT_TAIL(&xs.watch_events, msg, list);
+ 			wakeup(&xs.watch_events);
+ 			mtx_unlock(&xs.watch_events_lock);
+ 		} else {
++			mtx_unlock(&xs.watch_events_lock);
+ 			free(msg->u.watch.vec, M_XENSTORE);
+ 			free(msg, M_XENSTORE);
+ 		}
+@@ -1045,8 +1050,10 @@
+ 
+ 		mtx_lock(&xs.watch_events_lock);
+ 		msg = TAILQ_FIRST(&xs.watch_events);
+-		if (msg)
++		if (msg) {
+ 			TAILQ_REMOVE(&xs.watch_events, msg, list);
++			msg->u.watch.handle->pending--;
++		}
+ 		mtx_unlock(&xs.watch_events_lock);
+ 
+ 		if (msg != NULL) {
+@@ -1629,6 +1636,7 @@
+ 	char token[sizeof(watch) * 2 + 1];
+ 	int error;
+ 
++	watch->pending = 0;
+ 	sprintf(token, "%lX", (long)watch);
+ 
+ 	sx_slock(&xs.suspend_mutex);
+--- sys/xen/xenbus/xenbus.c.orig
++++ sys/xen/xenbus/xenbus.c
+@@ -102,48 +102,6 @@
+ 	return ((state < (XenbusStateClosed + 1)) ? name[state] : "INVALID");
+ }
+ 
+-int 
+-xenbus_watch_path(device_t dev, char *path, struct xs_watch *watch, 
+-    xs_watch_cb_t *callback, uintptr_t callback_data)
+-{
+-	int error;
+-
+-	watch->node = path;
+-	watch->callback = callback;
+-	watch->callback_data = callback_data;
+-
+-	error = xs_register_watch(watch);
+-
+-	if (error) {
+-		watch->node = NULL;
+-		watch->callback = NULL;
+-		xenbus_dev_fatal(dev, error, "adding watch on %s", path);
+-	}
+-
+-	return (error);
+-}
+-
+-int
+-xenbus_watch_path2(device_t dev, const char *path,
+-    const char *path2, struct xs_watch *watch, 
+-    xs_watch_cb_t *callback, uintptr_t callback_data)
+-{
+-	int error;
+-	char *state = malloc(strlen(path) + 1 + strlen(path2) + 1,
+-	   M_XENBUS, M_WAITOK);
+-
+-	strcpy(state, path);
+-	strcat(state, "/");
+-	strcat(state, path2);
+-
+-	error = xenbus_watch_path(dev, state, watch, callback, callback_data);
+-	if (error) {
+-		free(state,M_XENBUS);
+-	}
+-
+-	return (error);
+-}
+-
+ void
+ xenbus_dev_verror(device_t dev, int err, const char *fmt, va_list ap)
+ {
+--- sys/xen/xenbus/xenbusb.c.orig
++++ sys/xen/xenbus/xenbusb.c
+@@ -702,10 +702,21 @@
+ 		ivars->xd_otherend_watch.node = statepath;
+ 		ivars->xd_otherend_watch.callback = xenbusb_otherend_watch_cb;
+ 		ivars->xd_otherend_watch.callback_data = (uintptr_t)ivars;
++		/*
++		 * Other end state node watch, limit to one pending event
++		 * to prevent frontends from queuing too many events that
++		 * could cause resource starvation.
++		 */
++		ivars->xd_otherend_watch.max_pending = 1;
+ 
+ 		ivars->xd_local_watch.node = ivars->xd_node;
+ 		ivars->xd_local_watch.callback = xenbusb_local_watch_cb;
+ 		ivars->xd_local_watch.callback_data = (uintptr_t)ivars;
++		/*
++		 * Watch our local path, only writable by us or a privileged
++		 * domain, no need to limit.
++		 */
++		ivars->xd_local_watch.max_pending = 0;
+ 
+ 		mtx_lock(&xbs->xbs_lock);
+ 		xbs->xbs_connecting_children++;
+@@ -764,6 +775,12 @@
+ 	xbs->xbs_device_watch.node = bus_node;
+ 	xbs->xbs_device_watch.callback = xenbusb_devices_changed;
+ 	xbs->xbs_device_watch.callback_data = (uintptr_t)xbs;
++	/*
++	 * Allow for unlimited pending watches, as those are local paths
++	 * either controlled by the guest or only writable by privileged
++	 * domains.
++	 */
++	xbs->xbs_device_watch.max_pending = 0;
+ 
+ 	TASK_INIT(&xbs->xbs_probe_children, 0, xenbusb_probe_children_cb, dev);
+ 
+--- sys/xen/xenbus/xenbusvar.h.orig
++++ sys/xen/xenbus/xenbusvar.h
+@@ -123,62 +123,6 @@
+ 	return (xenbus_read_driver_state(xenbus_get_otherend_path(dev)));
+ }
+ 
+-/**
+- * Initialize and register a watch on the given path (client suplied storage).
+- *
+- * \param dev       The XenBus device requesting the watch service.
+- * \param path      The XenStore path of the object to be watched.  The
+- *                  storage for this string must be stable for the lifetime
+- *                  of the watch.
+- * \param watch     The watch object to use for this request.  This object
+- *                  must be stable for the lifetime of the watch.
+- * \param callback  The function to call when XenStore objects at or below
+- *                  path are modified.
+- * \param cb_data   Client data that can be retrieved from the watch object
+- *                  during the callback.
+- *
+- * \return  On success, 0. Otherwise an errno value indicating the
+- *          type of failure.
+- *
+- * \note  On error, the device 'dev' will be switched to the XenbusStateClosing
+- *        state and the returned error is saved in the per-device error node
+- *        for dev in the XenStore.
+- */
+-int xenbus_watch_path(device_t dev, char *path,
+-		      struct xs_watch *watch, 
+-		      xs_watch_cb_t *callback,
+-		      uintptr_t cb_data);
+-
+-/**
+- * Initialize and register a watch at path/path2 in the XenStore.
+- *
+- * \param dev       The XenBus device requesting the watch service.
+- * \param path      The base XenStore path of the object to be watched.
+- * \param path2     The tail XenStore path of the object to be watched.
+- * \param watch     The watch object to use for this request.  This object
+- *                  must be stable for the lifetime of the watch.
+- * \param callback  The function to call when XenStore objects at or below
+- *                  path are modified.
+- * \param cb_data   Client data that can be retrieved from the watch object
+- *                  during the callback.
+- *
+- * \return  On success, 0. Otherwise an errno value indicating the
+- *          type of failure.
+- *
+- * \note  On error, \a dev will be switched to the XenbusStateClosing
+- *        state and the returned error is saved in the per-device error node
+- *        for \a dev in the XenStore.
+- *
+- * Similar to xenbus_watch_path, however the storage for the path to the
+- * watched object is allocated from the heap and filled with "path '/' path2".
+- * Should a call to this function succeed, it is the callers responsibility
+- * to free watch->node using the M_XENBUS malloc type.
+- */
+-int xenbus_watch_path2(device_t dev, const char *path,
+-		       const char *path2, struct xs_watch *watch, 
+-		       xs_watch_cb_t *callback,
+-		       uintptr_t cb_data);
+-
+ /**
+  * Grant access to the given ring_mfn to the peer of the given device.
+  *
+--- sys/xen/xenstore/xenstorevar.h.orig
++++ sys/xen/xenstore/xenstorevar.h
+@@ -72,6 +72,15 @@
+ 
+ 	/* Callback client data untouched by the XenStore watch mechanism. */
+ 	uintptr_t callback_data;
++
++	/* Maximum number of pending watch events to be delivered. */
++	unsigned int max_pending;
++
++	/*
++	 * Private counter used by xenstore to keep track of the pending
++	 * watches. Protected by xs.watch_events_lock.
++	 */
++	unsigned int pending;
+ };
+ LIST_HEAD(xs_watch_list, xs_watch);
+ 

website/static/security/patches/SA-21:02/xenoom.11.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbjRfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKfghAAkrse02lN4PZizc0OEsABoBTpTLLNFTTQ+3alY9MeYmLzgoP6crG6nETa
+VwRh44ztjXeMB0/HUKu4rCcSbasYPLYAGZ+z8WCGmgVs30og7m6fC1eLb3zvlHxq
+O4J9E3JhvQIPbhFpZMDMyjj+aS4SncgB7Hswcr3FGuUQkl9ySm7frV6umDHkwaiN
+0wNEQVHQIQSVxawSG2+hMwVCDH/rxm2gLPpoTlQ4rwD3dsr6Ul8hCqPTTUV7vpRE
+88AAv+xPgglWjNFo2LAYvtXjTiO3/v+TfiNnf47uwbMpmEaUKRDDirMqrAd8k6x4
+UgbYC+Dils9Fbo+hc2P8kxwaDDb3xPk6RwPErCbQfyoF2w09YQeaIB5na9aRV43u
+qCOj/3OFcuZxEqY1pWLWutD6HM2qi72Btm2U4dp/zFa6V7x4hRKrxmimM07uJGRy
+/Pk3mBpLQLm0wbjSTR+8+RFM4fYRUQbJYZFINn99WDsL4zqD/KzL/ZW5e2pFjRcC
+n2DuuMULHQ1ivBZmdMBOIvx5JUllHn5vazDVErIdILJhAb4ypFpuyFdkBUNO72Hn
+dfrNrwABGi57nqxdAP8nIYTEUyUxm6q3vC4VXsoarYZvGECmWLrNWSADR7YtsMSi
+7C9lanrEy3CH4eFwXkPTYAvmLgubQTm5pMxCZfM/qHSkUhVocBQ=
+=6nop
+-----END PGP SIGNATURE-----

website/static/security/patches/SA-21:02/xenoom.12.patch

@@ -0,0 +1,300 @@
+--- sys/dev/xen/balloon/balloon.c.orig
++++ sys/dev/xen/balloon/balloon.c
+@@ -310,7 +310,8 @@
+ 
+ static struct xs_watch target_watch =
+ {
+-	.node = "memory/target"
++	.node = "memory/target",
++	.max_pending = 1,
+ };
+ 
+ /* React to a change in the target key */
+--- sys/dev/xen/blkback/blkback.c.orig
++++ sys/dev/xen/blkback/blkback.c
+@@ -3768,6 +3768,12 @@
+ 	xbb->hotplug_watch.callback = xbb_attach_disk;
+ 	KASSERT(xbb->hotplug_watch.node == NULL, ("watch node already setup"));
+ 	xbb->hotplug_watch.node = strdup(sbuf_data(watch_path), M_XENBLOCKBACK);
++	/*
++	 * We don't care about the path updated, just about the value changes
++	 * on that single node, hence there's no need to queue more that one
++	 * event.
++	 */
++	xbb->hotplug_watch.max_pending = 1;
+ 	sbuf_delete(watch_path);
+ 	error = xs_register_watch(&xbb->hotplug_watch);
+ 	if (error != 0) {
+--- sys/dev/xen/control/control.c.orig
++++ sys/dev/xen/control/control.c
+@@ -432,6 +432,12 @@
+ 	xctrl->xctrl_watch.node = "control/shutdown";
+ 	xctrl->xctrl_watch.callback = xctrl_on_watch_event;
+ 	xctrl->xctrl_watch.callback_data = (uintptr_t)xctrl;
++	/*
++	 * We don't care about the path updated, just about the value changes
++	 * on that single node, hence there's no need to queue more that one
++	 * event.
++	 */
++	xctrl->xctrl_watch.max_pending = 1;
+ 	xs_register_watch(&xctrl->xctrl_watch);
+ 
+ 	if (xen_pv_domain())
+--- sys/dev/xen/xenstore/xenstore.c.orig
++++ sys/dev/xen/xenstore/xenstore.c
+@@ -656,12 +656,17 @@
+ 		mtx_lock(&xs.registered_watches_lock);
+ 		msg->u.watch.handle = find_watch(
+ 		    msg->u.watch.vec[XS_WATCH_TOKEN]);
+-		if (msg->u.watch.handle != NULL) {
+-			mtx_lock(&xs.watch_events_lock);
++		mtx_lock(&xs.watch_events_lock);
++		if (msg->u.watch.handle != NULL &&
++		    (!msg->u.watch.handle->max_pending ||
++		    msg->u.watch.handle->pending <
++		    msg->u.watch.handle->max_pending)) {
++			msg->u.watch.handle->pending++;
+ 			TAILQ_INSERT_TAIL(&xs.watch_events, msg, list);
+ 			wakeup(&xs.watch_events);
+ 			mtx_unlock(&xs.watch_events_lock);
+ 		} else {
++			mtx_unlock(&xs.watch_events_lock);
+ 			free(msg->u.watch.vec, M_XENSTORE);
+ 			free(msg, M_XENSTORE);
+ 		}
+@@ -983,8 +988,10 @@
+ 
+ 		mtx_lock(&xs.watch_events_lock);
+ 		msg = TAILQ_FIRST(&xs.watch_events);
+-		if (msg)
++		if (msg) {
+ 			TAILQ_REMOVE(&xs.watch_events, msg, list);
++			msg->u.watch.handle->pending--;
++		}
+ 		mtx_unlock(&xs.watch_events_lock);
+ 
+ 		if (msg != NULL) {
+@@ -1578,6 +1585,7 @@
+ 	char token[sizeof(watch) * 2 + 1];
+ 	int error;
+ 
++	watch->pending = 0;
+ 	sprintf(token, "%lX", (long)watch);
+ 
+ 	mtx_lock(&xs.registered_watches_lock);
+--- sys/dev/xen/xenstore/xenstore_dev.c.orig
++++ sys/dev/xen/xenstore/xenstore_dev.c
+@@ -45,6 +45,7 @@
+ #include <sys/conf.h>
+ #include <sys/module.h>
+ #include <sys/selinfo.h>
++#include <sys/sysctl.h>
+ #include <sys/poll.h>
+ 
+ #include <xen/xen-os.h>
+@@ -53,6 +54,8 @@
+ #include <xen/xenstore/xenstorevar.h>
+ #include <xen/xenstore/xenstore_internal.h>
+ 
++static unsigned int max_pending_watches = 1000;
++
+ struct xs_dev_transaction {
+ 	LIST_ENTRY(xs_dev_transaction) list;
+ 	struct xs_transaction handle;
+@@ -335,6 +338,7 @@
+ 		watch->watch.node = strdup(wpath, M_XENSTORE);
+ 		watch->watch.callback = xs_dev_watch_cb;
+ 		watch->watch.callback_data = (uintptr_t)watch;
++		watch->watch.max_pending = max_pending_watches;
+ 		watch->token = strdup(wtoken, M_XENSTORE);
+ 		watch->user = u;
+ 
+@@ -511,6 +515,17 @@
+ xs_dev_attach(device_t dev)
+ {
+ 	struct cdev *xs_cdev;
++	struct sysctl_ctx_list *sysctl_ctx;
++	struct sysctl_oid *sysctl_tree;
++
++	sysctl_ctx = device_get_sysctl_ctx(dev);
++	sysctl_tree = device_get_sysctl_tree(dev);
++	if (sysctl_ctx == NULL || sysctl_tree == NULL)
++	    return (EINVAL);
++
++	SYSCTL_ADD_UINT(sysctl_ctx, SYSCTL_CHILDREN(sysctl_tree), OID_AUTO,
++	    "max_pending_watch_events", CTLFLAG_RW, &max_pending_watches, 0,
++	    "maximum amount of pending watch events to be delivered");
+ 
+ 	xs_cdev = make_dev_credf(MAKEDEV_ETERNAL, &xs_dev_cdevsw, 0, NULL,
+ 	    UID_ROOT, GID_WHEEL, 0400, "xen/xenstore");
+--- sys/xen/xenbus/xenbus.c.orig
++++ sys/xen/xenbus/xenbus.c
+@@ -102,48 +102,6 @@
+ 	return ((state < (XenbusStateClosed + 1)) ? name[state] : "INVALID");
+ }
+ 
+-int 
+-xenbus_watch_path(device_t dev, char *path, struct xs_watch *watch, 
+-    xs_watch_cb_t *callback, uintptr_t callback_data)
+-{
+-	int error;
+-
+-	watch->node = path;
+-	watch->callback = callback;
+-	watch->callback_data = callback_data;
+-
+-	error = xs_register_watch(watch);
+-
+-	if (error) {
+-		watch->node = NULL;
+-		watch->callback = NULL;
+-		xenbus_dev_fatal(dev, error, "adding watch on %s", path);
+-	}
+-
+-	return (error);
+-}
+-
+-int
+-xenbus_watch_path2(device_t dev, const char *path,
+-    const char *path2, struct xs_watch *watch, 
+-    xs_watch_cb_t *callback, uintptr_t callback_data)
+-{
+-	int error;
+-	char *state = malloc(strlen(path) + 1 + strlen(path2) + 1,
+-	   M_XENBUS, M_WAITOK);
+-
+-	strcpy(state, path);
+-	strcat(state, "/");
+-	strcat(state, path2);
+-
+-	error = xenbus_watch_path(dev, state, watch, callback, callback_data);
+-	if (error) {
+-		free(state,M_XENBUS);
+-	}
+-
+-	return (error);
+-}
+-
+ void
+ xenbus_dev_verror(device_t dev, int err, const char *fmt, va_list ap)
+ {
+--- sys/xen/xenbus/xenbusb.c.orig
++++ sys/xen/xenbus/xenbusb.c
+@@ -702,10 +702,21 @@
+ 		ivars->xd_otherend_watch.node = statepath;
+ 		ivars->xd_otherend_watch.callback = xenbusb_otherend_watch_cb;
+ 		ivars->xd_otherend_watch.callback_data = (uintptr_t)ivars;
++		/*
++		 * Other end state node watch, limit to one pending event
++		 * to prevent frontends from queuing too many events that
++		 * could cause resource starvation.
++		 */
++		ivars->xd_otherend_watch.max_pending = 1;
+ 
+ 		ivars->xd_local_watch.node = ivars->xd_node;
+ 		ivars->xd_local_watch.callback = xenbusb_local_watch_cb;
+ 		ivars->xd_local_watch.callback_data = (uintptr_t)ivars;
++		/*
++		 * Watch our local path, only writable by us or a privileged
++		 * domain, no need to limit.
++		 */
++		ivars->xd_local_watch.max_pending = 0;
+ 
+ 		mtx_lock(&xbs->xbs_lock);
+ 		xbs->xbs_connecting_children++;
+@@ -764,6 +775,12 @@
+ 	xbs->xbs_device_watch.node = bus_node;
+ 	xbs->xbs_device_watch.callback = xenbusb_devices_changed;
+ 	xbs->xbs_device_watch.callback_data = (uintptr_t)xbs;
++	/*
++	 * Allow for unlimited pending watches, as those are local paths
++	 * either controlled by the guest or only writable by privileged
++	 * domains.
++	 */
++	xbs->xbs_device_watch.max_pending = 0;
+ 
+ 	TASK_INIT(&xbs->xbs_probe_children, 0, xenbusb_probe_children_cb, dev);
+ 
+--- sys/xen/xenbus/xenbusvar.h.orig
++++ sys/xen/xenbus/xenbusvar.h
+@@ -123,62 +123,6 @@
+ 	return (xenbus_read_driver_state(xenbus_get_otherend_path(dev)));
+ }
+ 
+-/**
+- * Initialize and register a watch on the given path (client suplied storage).
+- *
+- * \param dev       The XenBus device requesting the watch service.
+- * \param path      The XenStore path of the object to be watched.  The
+- *                  storage for this string must be stable for the lifetime
+- *                  of the watch.
+- * \param watch     The watch object to use for this request.  This object
+- *                  must be stable for the lifetime of the watch.
+- * \param callback  The function to call when XenStore objects at or below
+- *                  path are modified.
+- * \param cb_data   Client data that can be retrieved from the watch object
+- *                  during the callback.
+- *
+- * \return  On success, 0. Otherwise an errno value indicating the
+- *          type of failure.
+- *
+- * \note  On error, the device 'dev' will be switched to the XenbusStateClosing
+- *        state and the returned error is saved in the per-device error node
+- *        for dev in the XenStore.
+- */
+-int xenbus_watch_path(device_t dev, char *path,
+-		      struct xs_watch *watch, 
+-		      xs_watch_cb_t *callback,
+-		      uintptr_t cb_data);
+-
+-/**
+- * Initialize and register a watch at path/path2 in the XenStore.
+- *
+- * \param dev       The XenBus device requesting the watch service.
+- * \param path      The base XenStore path of the object to be watched.
+- * \param path2     The tail XenStore path of the object to be watched.
+- * \param watch     The watch object to use for this request.  This object
+- *                  must be stable for the lifetime of the watch.
+- * \param callback  The function to call when XenStore objects at or below
+- *                  path are modified.
+- * \param cb_data   Client data that can be retrieved from the watch object
+- *                  during the callback.
+- *
+- * \return  On success, 0. Otherwise an errno value indicating the
+- *          type of failure.
+- *
+- * \note  On error, \a dev will be switched to the XenbusStateClosing
+- *        state and the returned error is saved in the per-device error node
+- *        for \a dev in the XenStore.
+- *
+- * Similar to xenbus_watch_path, however the storage for the path to the
+- * watched object is allocated from the heap and filled with "path '/' path2".
+- * Should a call to this function succeed, it is the callers responsibility
+- * to free watch->node using the M_XENBUS malloc type.
+- */
+-int xenbus_watch_path2(device_t dev, const char *path,
+-		       const char *path2, struct xs_watch *watch, 
+-		       xs_watch_cb_t *callback,
+-		       uintptr_t cb_data);
+-
+ /**
+  * Grant access to the given ring_mfn to the peer of the given device.
+  *
+--- sys/xen/xenstore/xenstorevar.h.orig
++++ sys/xen/xenstore/xenstorevar.h
+@@ -70,6 +70,15 @@
+ 
+ 	/* Callback client data untouched by the XenStore watch mechanism. */
+ 	uintptr_t callback_data;
++
++	/* Maximum number of pending watch events to be delivered. */
++	unsigned int max_pending;
++
++	/*
++	 * Private counter used by xenstore to keep track of the pending
++	 * watches. Protected by xs.watch_events_lock.
++	 */
++	unsigned int pending;
+ };
+ LIST_HEAD(xs_watch_list, xs_watch);
+ 

website/static/security/patches/SA-21:02/xenoom.12.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmATbjRfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJXhg/8CoCazqYQC72fjKzdu5rTqi88S+LCO2/oQ8sB81Xd9994aTcCiCT16MgW
+oExB9ukEru7mz98ziwZiszkFGhnj8SvFqp8GaUdORILeLxN81Z8aUkXOAzZpk0yy
+Yd9yMxSL5YRcgcrxJKetArt97Pdkx0e5paNMniKWYxuGMGE0IJXc/OJmb1Gj+ZTe
+BSHInbD57GG6DYBDgLGm4Lu6FMrG+ukt2SUFxRQl0usgNE1zseXIjSxMPymh0I4j
+guCo0gNxHow44xgEXOUD1X2K1hsr8TNxwvl5i9Pwv8MFubPU4qPcBOcMvM/i5YR2
+3uvnK5oRqNjwS/EHUBZ2jonSmNN89mqdPjctaMNypcUPDsIqINw/Qd6TNnv3DjS1
+34cNBWzBYt9ccf5JC/KWfDyZxWpOku18DdFOcsi9MSubmQaxj5SRMfh0QamZPZ3p
+06JcJbcVZyRoMnD/NcFJTd6pfnrPKrJ9IVOvBesm3MpMsWywRQgVM79xly3HuhLV
+M8JTm9TKNVJPNGEeXW8MzjYJO2hDgTMwt6SWkxhNMQnajr3weqV5u+5X1wjZsAzr
+pWVXYZTkxNcyAcLvMahjuB6av4lc763MdqorgRHdpLdwr4w45pCLqxRR9O1OVY2g
+k0uKTKB1WQAIeK2VTpM/ZjPuNc+k0sVyYR9Sy70P0k76drICqUk=
+=5Wei
+-----END PGP SIGNATURE-----