diff --git a/share/security/advisories/FreeBSD-EN-20:07.quotad.asc b/share/security/advisories/FreeBSD-EN-20:07.quotad.asc
new file mode 100644
index 0000000000..7c6bd65fc5
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-20:07.quotad.asc
@@ -0,0 +1,133 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-20:07.quotad Errata Notice
+ The FreeBSD Project
+
+Topic: Regression in rpc.rquotad with certain NFS servers
+
+Category: core
+Module: rpc.quotad
+Announced: 2020-04-21
+Affects: All supported versions of FreeBSD
+Corrected: 2019-09-21 14:03:41 UTC (stable/12, 12.1-STABLE)
+ 2020-04-21 15:50:57 UTC (releng/12.1, 12.1-RELEASE-p4)
+ 2019-09-21 14:06:16 UTC (stable/11, 11.3-STABLE)
+ 2020-04-21 15:50:57 UTC (releng/11.3, 11.3-RELEASE-p8)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+The Network File System (NFS) allows a system to share directories and files
+with others over a network. By using this, users and programs can access
+files on remote systems almost as if they were local files.
+
+The rpc.rquotad utility is an rpc(3) server which returns quotas for a user
+of a local file system which is NFS-mounted onto a remote machine.
+
+II. Problem Description
+
+A change in rpc.rquotad made it send RQUOTA v2 requests instead of RQUOTA v1
+requests. Some vendors would send RPC_PROGNOTREGISTERED ("Program Not
+Registered") response instead of the desired RPC_PROGVERSMISMATCH ("Program
+Version Mismatch") response, preventing the mechanism from working.
+
+III. Impact
+
+The quota(8) command will not be able obtain quota information for some NFS
+server vendors.
+
+IV. Workaround
+
+No workaround is available. Systems not using quotas on NFS mounted file
+systems are unaffected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-20:07/quotad.patch
+# fetch https://security.FreeBSD.org/patches/EN-20:07/quotad.patch.asc
+# gpg --verify quotad.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+
+Restart the applicable daemons, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r352575
+releng/12.1/ r360148
+stable/11/ r352576
+releng/11.3/ r360148
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII. References
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+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+=mFhE
+-----END PGP SIGNATURE-----
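Review bot: The `Module:` header says `rpc.quotad` while the Topic and Background name the utility `rpc.rquotad`, and the shipped correction (EN-20:07/quotad.patch in this same commit) changes only usr.bin/quota/quota.c, i.e. the quota(8) client that issues the RQUOTA calls. The Problem Description likewise attributes the v2 requests to rpc.rquotad, which in the Background is described as the server, so a reader cannot tell which component to rebuild; presumably the client is what changed and what the patch fixes. Suggest `Module:         quota` (or spelling the daemon consistently if it is indeed the module) and rewording the first sentence of section II to `A change in quota(8) made it send RQUOTA v2 requests instead of RQUOTA v1 requests.` if that is what the correction reflects.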
diff --git a/share/security/advisories/FreeBSD-SA-20:10.ipfw.asc b/share/security/advisories/FreeBSD-SA-20:10.ipfw.asc
new file mode 100644
index 0000000000..9289035564
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-20:10.ipfw.asc
@@ -0,0 +1,141 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:10.ipfw Security Advisory
+ The FreeBSD Project
+
+Topic: ipfw invalid mbuf handling
+
+Category: core
+Module: kernel
+Announced: 2020-04-21
+Credits: Maxime Villard
+ All supported versions of FreeBSD.
+Corrected: 2019-12-23 10:02:55 UTC (stable/12, 12.1-STABLE)
+ 2020-04-21 15:52:22 UTC (releng/12.1, 12.1-RELEASE-p4)
+ 2019-12-23 10:06:32 UTC (stable/11, 11.3-STABLE)
+ 2020-04-21 15:52:22 UTC (releng/11.3, 11.3-RELEASE-p8)
+CVE Name: CVE-2019-5614, CVE-2019-15874
+
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit .
+
+I. Background
+
+The ipfw system facility allows filtering, redirecting, and other operations
+on IP packets travelling through network interfaces.
+
+II. Problem Description
+
+Incomplete packet data validation may result in accessing out-of-bounds
+memory (CVE-2019-5614) or may access memory after it has been freed
+(CVE-2019-15874).
+
+III. Impact
+
+Access to out of bounds or freed mbuf data can lead to a kernel panic or
+other unpredictable results.
+
+IV. Workaround
+
+No workaround is available. Systems not using the ipfw firewall are
+not vulnerable.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.3]
+# fetch https://security.FreeBSD.org/patches/SA-20:10/ipfw.11.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:10/ipfw.11.patch.asc
+# gpg --verify ipfw.11.patch.asc
+
+[FreeBSD 12.1]
+# fetch https://security.FreeBSD.org/patches/SA-20:10/ipfw.12.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:10/ipfw.12.patch.asc
+# gpg --verify ipfw.12.patch.asc
+
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+ and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r356035
+releng/12.1/ r360149
+stable/11/ r356036
+releng/11.3/ r360149
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII. References
+
+
+
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+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+=p+5n
+-----END PGP SIGNATURE-----
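Review bot: The header block is missing its `Affects:` label: the line after `Credits:        Maxime Villard` is an indented continuation reading ` All supported versions of FreeBSD.`, so it parses as part of the Credits field and the advisory carries no Affects entry at all, unlike the other two advisories in this commit. Suggest changing that line to `Affects:        All supported versions of FreeBSD.` so the field layout matches the template the other advisories follow.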
diff --git a/share/security/advisories/FreeBSD-SA-20:11.openssl.asc b/share/security/advisories/FreeBSD-SA-20:11.openssl.asc
new file mode 100644
index 0000000000..d5d26440ec
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-20:11.openssl.asc
@@ -0,0 +1,132 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:11.openssl Security Advisory
+ The FreeBSD Project
+
+Topic: OpenSSL remote denial of service vulnerability
+
+Category: contrib
+Module: openssl
+Announced: 2020-04-21
+Credits: Bernd Edlinger
+Affects: FreeBSD 12.1
+Corrected: 2020-04-21 15:47:58 UTC (stable/12, 12.1-STABLE)
+ 2020-04-21 15:53:08 UTC (releng/12.1, 12.1-RELEASE-p4)
+CVE Name: CVE-2020-1967
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit .
+
+I. Background
+
+FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a
+collaborative effort to develop a robust, commercial-grade, full-featured
+Open Source toolkit for the Transport Layer Security (TLS) and Secure Sockets
+Layer (SSL) protocols. It is also a full-strength general purpose
+cryptography library.
+
+II. Problem Description
+
+Server or client applications that call the SSL_check_chain() function during
+or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a
+result of incorrect handling of the "signature_algorithms_cert" TLS
+extension. The crash occurs if an invalid or unrecognized signature
+algorithm is received from the peer.
+
+III. Impact
+
+A malicious peer could exploit the NULL pointer dereference crash, causing a
+denial of service attack.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-20:11/openssl.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:11/openssl.patch.asc
+# gpg --verify openssl.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+
+Restart all daemons that use the library, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r360147
+releng/12.1/ r360150
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII. References
+
+
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+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+=231J
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-20:07/quotad.patch b/share/security/patches/EN-20:07/quotad.patch
new file mode 100644
index 0000000000..65d4859799
--- /dev/null
+++ b/share/security/patches/EN-20:07/quotad.patch
@@ -0,0 +1,11 @@
+--- usr.bin/quota/quota.c.orig
++++ usr.bin/quota/quota.c
+@@ -606,7 +606,7 @@
+ call_stat = callaurpc(host, RQUOTAPROG, EXT_RQUOTAVERS,
+ RQUOTAPROC_GETQUOTA, (xdrproc_t)xdr_ext_getquota_args, (char *)&gq_args,
+ (xdrproc_t)xdr_getquota_rslt, (char *)&gq_rslt);
+- if (call_stat == RPC_PROGVERSMISMATCH) {
++ if (call_stat == RPC_PROGVERSMISMATCH || call_stat == RPC_PROGNOTREGISTERED) {
+ if (quotatype == USRQUOTA) {
+ old_gq_args.gqa_pathp = cp + 1;
+ old_gq_args.gqa_uid = id;
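Review bot: The widened condition `call_stat == RPC_PROGVERSMISMATCH || call_stat == RPC_PROGNOTREGISTERED` now falls back to the v1 RQUOTA call on a status that normally means the program is not registered at all, and nothing in the code says why; the reason is only in the advisory text. Suggest a comment above the `if`, e.g. `/* Some servers answer an unsupported RQUOTA version with RPC_PROGNOTREGISTERED rather than RPC_PROGVERSMISMATCH; treat both as "try the v1 protocol". */`, so the next maintainer does not narrow it back. The enclosing function starts and ends outside this hunk.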
diff --git a/share/security/patches/EN-20:07/quotad.patch.asc b/share/security/patches/EN-20:07/quotad.patch.asc
new file mode 100644
index 0000000000..347f1de6b6
--- /dev/null
+++ b/share/security/patches/EN-20:07/quotad.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+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+=9zFb
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-20:10/ipfw.11.patch b/share/security/patches/SA-20:10/ipfw.11.patch
new file mode 100644
index 0000000000..05305fa8fd
--- /dev/null
+++ b/share/security/patches/SA-20:10/ipfw.11.patch
@@ -0,0 +1,136 @@
+--- sys/netpfil/ipfw/ip_fw2.c.orig
++++ sys/netpfil/ipfw/ip_fw2.c
+@@ -328,50 +328,71 @@
+ return (flags_match(cmd, bits));
+ }
+
++/*
++ * Parse TCP options. The logic copied from tcp_dooptions().
++ */
+ static int
+-tcpopts_match(struct tcphdr *tcp, ipfw_insn *cmd)
++tcpopts_parse(const struct tcphdr *tcp, uint16_t *mss)
+ {
++ const u_char *cp = (const u_char *)(tcp + 1);
+ int optlen, bits = 0;
+- u_char *cp = (u_char *)(tcp + 1);
+- int x = (tcp->th_off << 2) - sizeof(struct tcphdr);
++ int cnt = (tcp->th_off << 2) - sizeof(struct tcphdr);
+
+- for (; x > 0; x -= optlen, cp += optlen) {
++ for (; cnt > 0; cnt -= optlen, cp += optlen) {
+ int opt = cp[0];
+ if (opt == TCPOPT_EOL)
+ break;
+ if (opt == TCPOPT_NOP)
+ optlen = 1;
+ else {
++ if (cnt < 2)
++ break;
+ optlen = cp[1];
+- if (optlen <= 0)
++ if (optlen < 2 || optlen > cnt)
+ break;
+ }
+
+ switch (opt) {
+-
+ default:
+ break;
+
+ case TCPOPT_MAXSEG:
++ if (optlen != TCPOLEN_MAXSEG)
++ break;
+ bits |= IP_FW_TCPOPT_MSS;
++ if (mss != NULL)
++ *mss = be16dec(cp + 2);
+ break;
+
+ case TCPOPT_WINDOW:
+- bits |= IP_FW_TCPOPT_WINDOW;
++ if (optlen == TCPOLEN_WINDOW)
++ bits |= IP_FW_TCPOPT_WINDOW;
+ break;
+
+ case TCPOPT_SACK_PERMITTED:
++ if (optlen == TCPOLEN_SACK_PERMITTED)
++ bits |= IP_FW_TCPOPT_SACK;
++ break;
++
+ case TCPOPT_SACK:
+- bits |= IP_FW_TCPOPT_SACK;
++ if (optlen > 2 && (optlen - 2) % TCPOLEN_SACK == 0)
++ bits |= IP_FW_TCPOPT_SACK;
+ break;
+
+ case TCPOPT_TIMESTAMP:
+- bits |= IP_FW_TCPOPT_TS;
++ if (optlen == TCPOLEN_TIMESTAMP)
++ bits |= IP_FW_TCPOPT_TS;
+ break;
+-
+ }
+ }
+- return (flags_match(cmd, bits));
++ return (bits);
++}
++
++static int
++tcpopts_match(struct tcphdr *tcp, ipfw_insn *cmd)
++{
++
++ return (flags_match(cmd, tcpopts_parse(tcp, NULL)));
+ }
+
+ static int
+@@ -1419,17 +1440,31 @@
+ * this way).
+ */
+ #define PULLUP_TO(_len, p, T) PULLUP_LEN(_len, p, sizeof(T))
+-#define PULLUP_LEN(_len, p, T) \
++#define _PULLUP_LOCKED(_len, p, T, unlock) \
+ do { \
+ int x = (_len) + T; \
+ if ((m)->m_len < x) { \
+ args->m = m = m_pullup(m, x); \
+- if (m == NULL) \
++ if (m == NULL) { \
++ unlock; \
+ goto pullup_failed; \
++ } \
+ } \
+ p = (mtod(m, char *) + (_len)); \
+ } while (0)
+
++#define PULLUP_LEN(_len, p, T) _PULLUP_LOCKED(_len, p, T, )
++#define PULLUP_LEN_LOCKED(_len, p, T) \
++ _PULLUP_LOCKED(_len, p, T, IPFW_PF_RUNLOCK(chain)); \
++ UPDATE_POINTERS()
++/*
++ * In case pointers got stale after pullups, update them.
++ */
++#define UPDATE_POINTERS() \
++do { \
++ ip = mtod(m, struct ip *); \
++} while (0)
++
+ /*
+ * if we have an ether header,
+ */
+@@ -2255,7 +2290,7 @@
+
+ case O_TCPOPTS:
+ if (proto == IPPROTO_TCP && offset == 0 && ulp){
+- PULLUP_LEN(hlen, ulp,
++ PULLUP_LEN_LOCKED(hlen, ulp,
+ (TCP(ulp)->th_off << 2));
+ match = tcpopts_match(TCP(ulp), cmd);
+ }
+@@ -3106,6 +3141,7 @@
+
+ } /* end of inner loop, scan opcodes */
+ #undef PULLUP_LEN
++#undef PULLUP_LEN_LOCKED
+
+ if (done)
+ break;
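Review bot: The new `PULLUP_LEN_LOCKED` macro expands to two statements (`_PULLUP_LOCKED(...); UPDATE_POINTERS()`) without a `do { } while (0)` wrapper, so an unbraced `if (...) PULLUP_LEN_LOCKED(...); else ...` would not compile and the pointer refresh would run unconditionally; the one use in this hunk sits inside a braced block, so it is correct today but fragile. The same definition appears in ipfw.12.patch in this commit. Two smaller points: `_PULLUP_LOCKED` uses a leading-underscore-plus-uppercase name, which is reserved for the implementation, and only `PULLUP_LEN_LOCKED` gains an `#undef` at the end of the opcode loop while `_PULLUP_LOCKED` and `UPDATE_POINTERS` apparently do not (their `#undef`, if any, is outside the hunk). Suggested rewrite of the helper definitions:
```c
#define PULLUP_LEN(_len, p, T) PULLUP_LOCKED_IMPL(_len, p, T, )
#define PULLUP_LEN_LOCKED(_len, p, T) \
do { \
	PULLUP_LOCKED_IMPL(_len, p, T, IPFW_PF_RUNLOCK(chain)); \
	UPDATE_POINTERS(); \
} while (0)
/* … unchanged: UPDATE_POINTERS definition … */
```
(with the `#define _PULLUP_LOCKED(...)` body renamed to `PULLUP_LOCKED_IMPL` and an `#undef` for it and `UPDATE_POINTERS` next to `#undef PULLUP_LEN_LOCKED`).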
diff --git a/share/security/patches/SA-20:10/ipfw.11.patch.asc b/share/security/patches/SA-20:10/ipfw.11.patch.asc
new file mode 100644
index 0000000000..4c3667a965
--- /dev/null
+++ b/share/security/patches/SA-20:10/ipfw.11.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+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+=aOrU
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-20:10/ipfw.12.patch b/share/security/patches/SA-20:10/ipfw.12.patch
new file mode 100644
index 0000000000..c584c41a4f
--- /dev/null
+++ b/share/security/patches/SA-20:10/ipfw.12.patch
@@ -0,0 +1,132 @@
+--- sys/netpfil/ipfw/ip_fw2.c.orig
++++ sys/netpfil/ipfw/ip_fw2.c
+@@ -330,22 +330,27 @@
+ return (flags_match(cmd, bits));
+ }
+
++/*
++ * Parse TCP options. The logic copied from tcp_dooptions().
++ */
+ static int
+-tcpopts_parse(struct tcphdr *tcp, uint16_t *mss)
++tcpopts_parse(const struct tcphdr *tcp, uint16_t *mss)
+ {
+- u_char *cp = (u_char *)(tcp + 1);
++ const u_char *cp = (const u_char *)(tcp + 1);
+ int optlen, bits = 0;
+- int x = (tcp->th_off << 2) - sizeof(struct tcphdr);
++ int cnt = (tcp->th_off << 2) - sizeof(struct tcphdr);
+
+- for (; x > 0; x -= optlen, cp += optlen) {
++ for (; cnt > 0; cnt -= optlen, cp += optlen) {
+ int opt = cp[0];
+ if (opt == TCPOPT_EOL)
+ break;
+ if (opt == TCPOPT_NOP)
+ optlen = 1;
+ else {
++ if (cnt < 2)
++ break;
+ optlen = cp[1];
+- if (optlen <= 0)
++ if (optlen < 2 || optlen > cnt)
+ break;
+ }
+
+@@ -354,22 +359,31 @@
+ break;
+
+ case TCPOPT_MAXSEG:
++ if (optlen != TCPOLEN_MAXSEG)
++ break;
+ bits |= IP_FW_TCPOPT_MSS;
+ if (mss != NULL)
+ *mss = be16dec(cp + 2);
+ break;
+
+ case TCPOPT_WINDOW:
+- bits |= IP_FW_TCPOPT_WINDOW;
++ if (optlen == TCPOLEN_WINDOW)
++ bits |= IP_FW_TCPOPT_WINDOW;
+ break;
+
+ case TCPOPT_SACK_PERMITTED:
++ if (optlen == TCPOLEN_SACK_PERMITTED)
++ bits |= IP_FW_TCPOPT_SACK;
++ break;
++
+ case TCPOPT_SACK:
+- bits |= IP_FW_TCPOPT_SACK;
++ if (optlen > 2 && (optlen - 2) % TCPOLEN_SACK == 0)
++ bits |= IP_FW_TCPOPT_SACK;
+ break;
+
+ case TCPOPT_TIMESTAMP:
+- bits |= IP_FW_TCPOPT_TS;
++ if (optlen == TCPOLEN_TIMESTAMP)
++ bits |= IP_FW_TCPOPT_TS;
+ break;
+ }
+ }
+@@ -1427,18 +1441,32 @@
+ * pointer might become stale after other pullups (but we never use it
+ * this way).
+ */
+-#define PULLUP_TO(_len, p, T) PULLUP_LEN(_len, p, sizeof(T))
+-#define PULLUP_LEN(_len, p, T) \
++#define PULLUP_TO(_len, p, T) PULLUP_LEN(_len, p, sizeof(T))
++#define _PULLUP_LOCKED(_len, p, T, unlock) \
+ do { \
+ int x = (_len) + T; \
+ if ((m)->m_len < x) { \
+ args->m = m = m_pullup(m, x); \
+- if (m == NULL) \
++ if (m == NULL) { \
++ unlock; \
+ goto pullup_failed; \
++ } \
+ } \
+ p = (mtod(m, char *) + (_len)); \
+ } while (0)
+
++#define PULLUP_LEN(_len, p, T) _PULLUP_LOCKED(_len, p, T, )
++#define PULLUP_LEN_LOCKED(_len, p, T) \
++ _PULLUP_LOCKED(_len, p, T, IPFW_PF_RUNLOCK(chain)); \
++ UPDATE_POINTERS()
++/*
++ * In case pointers got stale after pullups, update them.
++ */
++#define UPDATE_POINTERS() \
++do { \
++ ip = mtod(m, struct ip *); \
++} while (0)
++
+ /*
+ * if we have an ether header,
+ */
+@@ -2269,7 +2297,7 @@
+
+ case O_TCPOPTS:
+ if (proto == IPPROTO_TCP && offset == 0 && ulp){
+- PULLUP_LEN(hlen, ulp,
++ PULLUP_LEN_LOCKED(hlen, ulp,
+ (TCP(ulp)->th_off << 2));
+ match = tcpopts_match(TCP(ulp), cmd);
+ }
+@@ -2294,7 +2322,7 @@
+ uint16_t mss, *p;
+ int i;
+
+- PULLUP_LEN(hlen, ulp,
++ PULLUP_LEN_LOCKED(hlen, ulp,
+ (TCP(ulp)->th_off << 2));
+ if ((tcpopts_parse(TCP(ulp), &mss) &
+ IP_FW_TCPOPT_MSS) == 0)
+@@ -3145,6 +3173,7 @@
+
+ } /* end of inner loop, scan opcodes */
+ #undef PULLUP_LEN
++#undef PULLUP_LEN_LOCKED
+
+ if (done)
+ break;
diff --git a/share/security/patches/SA-20:10/ipfw.12.patch.asc b/share/security/patches/SA-20:10/ipfw.12.patch.asc
new file mode 100644
index 0000000000..c789c4f772
--- /dev/null
+++ b/share/security/patches/SA-20:10/ipfw.12.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl6fHNVfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJiwQ/+Lpt5TbpgVsZBpwt/LlMngD3jQzuP4NR41LSpynro/diN4ZKyUIDZ2y1r
+RMOy2kVVEQfaO3TdzQzA290ZIZevoZeMWzchG3N23Ya9Ddyz4ChLNWdhdqJwX0Lf
+tIgYuOh3Nd90FP+BSx5KbKC4P9Y2DiXOX6FmzKbCBvNH+etAs8hshbqty1Fcahtv
+aBOjYGvB1tBAl29brsxpSROd0aMVayxbk+2zs4nfrU7RuIHcjjNT0tWlDYrrFZ4a
+qBUucxtv/+UgTDiXIOao55tx2cw4st9Kj6mUp5h3RMNTkB2piztFpH8XLOYq6PLK
+7HzJFbji9sFHQyEjtoa/OoM+o52yfDqEU4YXfKtjvA21xjzfi00shnPY9Cp96CY5
+Q7zjXJsV2J6rvMXm9DY3Dis2cbkgt8nBU2B3ftSFWrCkblmeS49dCUzv+YtJ/J22
+eU7Tkc/bw8dqcZZgiJhEiOTRjSDZzNM9UJBeHpQBcppIltG3TdzDD3YY6KFIBjae
+FwijjljfyA0wAEJREO+km2KpQca1wYyQKFNOVOimenazI+qsSvZg+xotyaGjYKWf
+sDxnieRHzkqrp+6z3fMbo+n7Xz+KLQAxTBAN4YOAv04cePVOVx0/YeiWqWiy7LEk
+Ponji3sfgPmuze/T785zIumLbo7HmoJQJg5o34wRtuF/1ANx0Bg=
+=e2S6
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-20:11/openssl.patch b/share/security/patches/SA-20:11/openssl.patch
new file mode 100644
index 0000000000..3ccde741be
--- /dev/null
+++ b/share/security/patches/SA-20:11/openssl.patch
@@ -0,0 +1,11 @@
+--- crypto/openssl/ssl/t1_lib.c.orig
++++ crypto/openssl/ssl/t1_lib.c
+@@ -2099,7 +2099,7 @@
+ sigalg = use_pc_sigalgs
+ ? tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i])
+ : s->shared_sigalgs[i];
+- if (sig_nid == sigalg->sigandhash)
++ if (sigalg != NULL && sig_nid == sigalg->sigandhash)
+ return 1;
+ }
+ return 0;
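Review bot: The added `sigalg != NULL &&` guard does not say which of the two producers on the preceding lines can yield NULL; from the hunk, `tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i])` operating on a peer-supplied value is the candidate, while `s->shared_sigalgs[i]` presumably never is. Suggest a comment above the `if`, e.g. `/* tls1_lookup_sigalg() returns NULL for a signature scheme the peer advertised but we do not recognise (CVE-2020-1967); skip it instead of dereferencing. */`, so the guard is not removed as redundant later. The enclosing function starts and ends outside this hunk.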
diff --git a/share/security/patches/SA-20:11/openssl.patch.asc b/share/security/patches/SA-20:11/openssl.patch.asc
new file mode 100644
index 0000000000..cb196b27df
--- /dev/null
+++ b/share/security/patches/SA-20:11/openssl.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl6fHMlfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cL1OxAAgpwan3XY96qOUx5NVpagPkYkqtGrJsXS4PFwYl3UbWFx6iLXIQCFZxVV
+N5aODi0ixr0oMSlzM8hUhn590LG8UnU2UbUK2WwyhlzDMQaB04kT1xK1V0fqU0vy
+BdRx0sIOGDz38qHLkGKEjJI7M41k5f/2wj65I16YCD3LDaUNzYQvHHRA4nMWa/iG
+g/arSEBSXWEOmAdtazTGzb4x7umLfTzR7fkVBKW5RsaQrPNDaKsGvfkvgi9ZCpc0
+nqcDV07ivPMoM/DkYMO1RYrqHuGch8hejaDrJrf9hu5oYeUFRsl+XqUjVi1H33T6
+Wov9/FzzMEUxwkBm9wzH1vn2rGFncDa6/WR00iHMEKOcGM6B9lCqBNNnpNVC7vEC
+/KVZasjRRwcRGpHMYte0R6rqoxJ4Pas6iaUUJwmv10S1mBaIPLV0k30o5J9G4euf
+r2tsRBQCcY0dyyqO89k1krdFSQw36PDCe/vGoGoIUHsvIWcn894EBW6BdKeky6ns
+PyON5G0/oM+oeyzL+bmocqj479S1poyRY++gGRpkgtVWoOV1+GaiyEhqfJK0srGZ
+vbln/FMvL1mHstM6pyGwYFcd8aYZM+tkp9+hv4T2JCZ0Wj/zEEbGg72vClU+Fuji
+XJsBJu435h0Kl/SZTUYcudwjLai9oHfxAOopyffsfV6NrZU53iE=
+=1JP9
+-----END PGP SIGNATURE-----
diff --git a/share/xml/advisories.xml b/share/xml/advisories.xml
index 48fd505d48..6147080510 100644
--- a/share/xml/advisories.xml
+++ b/share/xml/advisories.xml
@@ -7,6 +7,23 @@
2020
+
+ 4
+
+
+ 21
+
+
+ FreeBSD-SA-20:11.openssl
+
+
+
+ FreeBSD-SA-20:10.ipfw
+
+
+
+
+
3
diff --git a/share/xml/notices.xml b/share/xml/notices.xml
index 7b867cbc5a..8c3aa1131e 100644
--- a/share/xml/notices.xml
+++ b/share/xml/notices.xml
@@ -7,6 +7,19 @@
2020
+
+ 4
+
+
+ 21
+
+
+ FreeBSD-EN-20:07.quotad
+
+
+
+
+
3