Add SA-18:13 and EN-18:13 through EN-18:15.

Approved by:	so

share/security/advisories/FreeBSD-EN-18:13.icmp.asc

@@ -0,0 +1,135 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-18:13.icmp                                           Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          ICMP buffer underwrite
+
+Category:       core
+Module:         kernel
+Announced:      2018-11-27
+Affects:        All supported versions of FreeBSD.
+Corrected:      2018-11-08 21:58:51 UTC (stable/11, 11.2-STABLE)
+                2018-11-27 19:43:16 UTC (releng/11.2, 11.2-RELEASE-p5)
+CVE Name:       CVE-2018-17156
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+ICMP messages are control messages used to send error messages and 
+operational information.
+
+II.  Problem Description
+
+The icmp_error routine allocates either an mbuf or a cluster depending on the
+size of the data to be quoted in the ICMP reply, but the calculation failed
+to account for additional padding on 64-bit platforms when using a
+non-default sysctl value for net.inet.icmp.quotelen.
+
+III. Impact
+
+For systems that set net.inet.icmp.quotelen to a non-default value, a buffer
+underwrite condition occurs.
+
+IV.  Workaround
+
+Reset net.inet.icmp.quotelen to default value of 8 using sysctl(8):
+
+# sysctl net.inet.icmp.quotelen=8
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Afterwards, reboot the system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterwards, reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.2]
+# fetch https://security.FreeBSD.org/patches/EN-18:13/icmp.patch
+# fetch https://security.FreeBSD.org/patches/EN-18:13/icmp.patch.asc
+# gpg --verify icmp.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/11/                                                        r340268
+releng/11.2/                                                      r341089
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<other info on the problem>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17156>
+
+<URL:https://www.reddit.com/r/BSD/comments/9v6xwg/remotely_triggerable_icmp_buffer_underwrite_in/>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:13.icmp.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlv9n+FfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKLuRAAqkua0loRn3k5N5OjGl1MFMiCX3Yg7pu7oQ0N/ZifqDOt8B8slp4+qjSO
+VyH07EFrk5FTz2WKXShqWcdZAL8+dBUHQaMATBI++ORiPBE+lBjYCZ1/+wrw7ie4
+bOjJ4F0d/4ijs+qkt/T0hFBPGMVbF8Xafbm29P6H0mjYPNSID64g+TQacVVUQfhN
+aLXCfkXFXusbOzFT0DRY8vy+SdsV2anqo3979W4G//+ytGvvwxqy6g+8N8CphUSM
+3vxCSvNxkd5o0C5EY53QbwueZ3A4nCnQQwGB2AFQnN9fDT1genIPzGjo0fQ8iY36
+lQiSeEg9VVSMLRiey8ix7JlLShVCUADt3dNamSMJiNz4Vo4dAjD4tKNPDGFfKhoQ
+edUEDTSBbqtN8BbW2e/hiHZSu6vQmXwgI6tKtuEcKPHZbnW/wr+XzyrwcwYBXsNA
+xK1aGokHr7W0T2FTOZ9b9i4mfZLL8gfr70FBi7/INEbmQYPDylT2VCsoQO7Wox8o
+uhbXRxtlwZ1ix3POlhzTotjJSou8ny2PZnBVzu/64fGbIFWS4bCk35HmRIlN4lt6
+ViAGBFJprJpcitFhOX51SBEgh689LKOuVUmucO2rpXAg53XzUR1xCvC3O2uY78AU
+fHp/0Gro0HeA45NY8zqQgv0VjbjTXw9mBOi2WCI9EKo+G3cYjOg=
+=kqz6
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-EN-18:14.tzdata.asc

@@ -0,0 +1,143 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-18:14.tzdata                                         Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Timezone database information update
+
+Category:       contrib
+Module:         zoneinfo
+Announced:      2018-11-27
+Credits:        Philip Paeps
+Affects:        All supported versions of FreeBSD.
+Corrected:      2018-10-31 02:01:28 UTC (stable/11, 11.2-STABLE)
+                2018-11-27 19:44:39 UTC (releng/11.2, 11.2-RELEASE-p5)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The tzsetup(8) program allows the user to specify the default local timezone.
+Based on the selected timezone, tzsetup(8) copies one of the files from
+/usr/share/zoneinfo to /etc/localtime.  This file actually controls the
+conversion.
+
+II.  Problem Description
+
+Several changes in Daylight Savings Time happened after previous FreeBSD
+releases were released that would affect many people who live in different
+countries.  Because of these changes, the data in the zoneinfo files need to
+be updated, and if the local timezone on the running system is affected,
+tzsetup(8) needs to be run so the /etc/localtime is updated.
+
+III. Impact
+
+An incorrect time will be displayed on a system configured to use one of the
+affected timezones if the /usr/share/zoneinfo and /etc/localtime files are
+not updated, and all applications on the system that rely on the system time,
+such as cron(8) and syslog(8), will be affected.
+
+IV.  Workaround
+
+The system administrator can install an updated timezone database from the
+misc/zoneinfo port and run tzsetup(8) to get the timezone database corrected.
+
+Applications that store and display times in Coordinated Universal Time (UTC)
+are not affected.
+
+V.   Solution
+
+Please note that some third party software, for instance PHP, Ruby, Java and
+Perl, may be using different zoneinfo data source, in such cases this
+software must be updated separately.  For software packages that is installed
+via binary packages, they can be upgraded by executing `pkg upgrade'.
+
+Following the instructions in this Errata Notice will update all of the
+zoneinfo files to be the same as what was released with FreeBSD release.
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.  Restart all the affected
+applications and daemons, or reboot the system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart all the affected applications and daemons, or reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-18:14/tzdata-2018g.patch
+# fetch https://security.FreeBSD.org/patches/EN-18:14/tzdata-2018g.patch.asc
+# gpg --verify tzdata-2018g.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all the affected applications and daemons, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/11/                                                        r339938
+releng/11.2/                                                      r341091
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:14.tzdata.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlv9n+ZfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKLTA//f+IoMMK1aLX9Dj1JxdapNpqDjAhL1G+K13uUaLFI8r5+2/WGkZXWvwfh
+8z9+KQA76gidGia4zac7DcXXogsqU2ld/JWOMKNgt5RxS43U4LvBAzyMnD1VxWUs
+1Z+aMre+h4FW0sB+Hx7/Uo2Mcd70mNEmGMFCilEO6P+XaYY98AGyLIkX7t5XW4cF
+6chmLy/gJAXKAsPv1sDHvlvvkLf8rdZuZ/Z5JID6nQsZU7RHKhr0IQqZ6SIURhEo
+9TZSnUy+F9CCBPQNz8Sv6S9i/7ggCjyAeaiXQUO4gEvsGUJiovt6MOdeeCQbTnOK
+0Gk7gCZ4SGF3nLXSKX4/AFLJn5Kro0v+88Lwoi/hJWhkEGQKgsE4BMMFXxI3Ukah
+AQ1snXG1/H9dgY1Os1XEjXx4Oxq2Qbeu+Hqppc+YY00Q9b3k8OAEVBDZlgtHlBGc
+oyOeffWw2nB/Vn8vOl3r+r2wUoTsjU8nVNXZLFMROQadRH2WPEpfSeHM/5PyBCW8
+0LPru9Nrt/GbR8wqXSY8Zr7KWIAEC5nLxT0HO8sfbYv6gbEHjUNPezalaTWRn4TZ
+0m2OHu2x2Tir5rcUgxsDvz0/LrB6RM8B0TPAqF77fIxvB+Hor6W3PCJbLuNnPiyK
+ELx2PeumYDKoSxpcQXFPku24SqMYY5du9x80aoFv1tGxZOAJfMw=
+=2jLJ
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-EN-18:15.loader.asc

@@ -0,0 +1,132 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-18:15.loader                                         Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Deferred kernel loading breaks loader password
+
+Category:       core
+Module:         loader
+Announced:      2018-11-27
+Credits:        Devin Teske
+Affects:        All supported versions of FreeBSD.
+Corrected:      2018-10-24 23:17:17 UTC (stable/11, 11.2-STABLE)
+                2018-11-27 19:45:25 UTC (releng/11.2, 11.2-RELEASE-p5)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The loader is a FreeBSD component which is part of the boot sequence for a
+machine. The loader is most commonly visible with the "beastie" boot menu,
+allowing specification of different boot time parameters.
+
+II.  Problem Description
+
+A change in the loader to allow deferred loading of the kernel introduced a
+bug when using a loader password.  After this change and when the loader
+password is enabled, the menu is not loaded and instead the machine goes into
+the autoboot routine.  The autoboot routine then fails when the kernel has
+not yet been loaded, yielding a loader prompt where the user has full control
+of the boot process. 
+
+III. Impact
+
+Setting the loader password with the intention of preventing the user from
+bypassing the boot process instead causes the boot to fail and gives the user
+full control of the boot process.
+
+IV.  Workaround
+
+No workaround is available, but systems that do not use a loader password are
+not vulnerable.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Afterward, reboot the system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterward, reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.2]
+# fetch https://security.FreeBSD.org/patches/EN-18:15/loader.patch
+# fetch https://security.FreeBSD.org/patches/EN-18:15/loader.patch.asc
+# gpg --verify loader.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html> and reboot
+the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/11/                                                        r339697
+releng/11.2/                                                      r341093
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:15.loader.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlv9n+tfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJRKQ//cJzGNBcKnH3cAltXRM2eWqv6L2UAPYfOs5QEArIB5x4IR+wqc53AbyG4
+AlpWAUf1KCwOFV+ceflihmYiWPPUqSV6nn+0My+uEFQebu8j00D5Mer/x9g6SikB
+x65zXS//rHidaf5KWOKMajEW+jtC9JS42ffdyk+KgEYM4UCNY60iKhJ74rtwRjun
+RwYKBXdtOcbS9Tp/SIIB3tQm1orhK5xe4w+kG4nM9Cz5OYk4j/GmcudWICjzjNzG
+QxGENiDePEjLoCZTHn2Rgntwp0AjNY5FxdR8CgN5GtYHIepJIscE7BlYA6kZDoG9
+e+01e3d7oAz92Dx8h59AkOGZPNI2lL4ZnBAcrpsZa+YkV67kxMHOIGp6faRYdWsf
++Ew8fh7AbVVhBO4yKWyoHkbREof07Iq3hXX7pi/Imb+nsYYPC6x0vax+qv823P4/
+jnqIryC3MWezOIkTD6B752yED3prP3TDFi+/Lo2ke2K4rPkVRsMfRojcKaKVnWLl
+HpgyffSiVv/dwv005Mdx0kCBnKtZthO9D0GHZSkRIXw2r5C5QQ8F7/EABfWFq1iN
+sM+J682zjJhbFgFzJGceAQGrgVlN91AIl3Ipp2ggi33qQTEOreItRJdN7WBgSI3s
+fTqA6OqgbknpWmCvusu/gi+SMjbO3Hk2hR6noB4bDVNPhPPCIZE=
+=om/y
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-18:13.nfs.asc

@@ -0,0 +1,139 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-18:13.nfs                                        Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Multiple vulnerabilities in NFS server code
+
+Category:       core
+Module:         nfs
+Announced:      2018-11-27
+Credits:        Jakub Jirasek, Secunia Research at Flexera
+Affects:        All supported versions of FreeBSD.
+Corrected:      2018-11-23 20:41:54 UTC (stable/11, 11.2-STABLE)
+                2018-11-27 19:42:16 UTC (releng/11.2, 11.2-RELEASE-p5)
+CVE Name:       CVE-2018-17157, CVE-2018-17158, CVE-2018-17159
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The Network File System (NFS) allows a host to export some or all of its file
+systems so that other hosts can access them over the network and mount them
+as if they were local.  FreeBSD includes both server and client
+implementations of NFS.
+
+II.  Problem Description
+
+Insufficient and improper checking in the NFS server code could cause a
+denial of service or possibly remote code execution via a specially crafted
+network packet.
+
+III. Impact
+
+A remote attacker could cause the NFS server to crash, resulting in a denial
+of service, or possibly execute arbitrary code on the server. 
+
+IV.  Workaround
+
+No workaround is available, but systems that do not provide NFS services are
+not vulnerable.
+
+Additionally, it is highly recommended the NFS service port (default port
+number 2049) is protected via a host or network based firewall to prevent
+arbitrary, untrusted clients from being able to connect.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Afterward, reboot the system.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterward, reboot the system.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.2]
+# fetch https://security.FreeBSD.org/patches/SA-18:13/nfs.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:13/nfs.patch.asc
+# gpg --verify nfs.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/11/                                                        r340854
+releng/11.2/                                                      r341088
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://www.flexerasoftware.com/enterprise/company/about/secunia-research/>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17157>
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17158>
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17159>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:13.nfs.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlv9n85fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKJEg//Umbe1QOUgV0Z6EsdlQffNMo9MHbAz75vCqeaibI36Ng9vmkLKGlS6nCA
+5mKFS+BvM5CkekBaiQ6BR8t0xWsrFwX6JCUayQ2FsCSo4rwCZms3AIbvt68vjQAm
+xWuQIMJzYku5+kALtcXXvVkLhMCaioVDpZmuPCO+rY79OVM4xP1MsnTfqEZSNo+n
+Cz2urH4eO60YsM8w05coQ3hnOsUjTCk8yCh3+R/uYK1VouLDgD8q96T1eG2ozny6
+vwEMK3AjmcpvFkTIF3/2I6TTA5K+Zd+nqzhzPM5HjbLZmdQV02NHcoGaZrK1wsQw
+D+3wf8icBMfLt9rTUbEqVdvg5FRDkTo8/dH1wY85gWZ2wsSgCqI2wRuqBH4bp3bb
+Gcf2+D4vgX6YY5cZ/wFDcYWpghhrmXUbgnH7PnyVfYB0Ufta9utgMOQKMS0mUWwM
+DlHP+fL/A8lhPvXIhl1DtSa/TQAiAdMG1JwktzThKrUzjL8bntmjoqtr1Xcp2txJ
+hgALulqz9nzkHaHcEolgk5xFTvx4gCzhjII7XEU3/rLNPPlJK3Pfo0UvPLAUkdLj
+McnKqOyQ6uSl8/lNuVsd3JCZ3dlsES7VmdEu0YJ4goc/6/AB8KXnSqzheT7Cjn1p
+lGzbFYmXosUj9NEQl/SOg6O8LnRrJIw4Tbm9vfkDss1G+sjUdaA=
+=m/Lh
+-----END PGP SIGNATURE-----

share/security/patches/EN-18:13/icmp.patch

@@ -0,0 +1,21 @@
+--- sys/netinet/ip_icmp.c.orig
++++ sys/netinet/ip_icmp.c
+@@ -310,7 +310,8 @@
+ #endif
+ 	icmplen = min(icmplen, M_TRAILINGSPACE(m) -
+ 	    sizeof(struct ip) - ICMP_MINLEN);
+-	m_align(m, ICMP_MINLEN + icmplen);
++	m_align(m, sizeof(struct ip) + ICMP_MINLEN + icmplen);
++	m->m_data += sizeof(struct ip);
+ 	m->m_len = ICMP_MINLEN + icmplen;
+ 
+ 	/* XXX MRT  make the outgoing packet use the same FIB
+@@ -352,6 +353,8 @@
+ 	 * reply should bypass as well.
+ 	 */
+ 	m->m_flags |= n->m_flags & M_SKIP_FIREWALL;
++	KASSERT(M_LEADINGSPACE(m) >= sizeof(struct ip),
++	    ("insufficient space for ip header"));
+ 	m->m_data -= sizeof(struct ip);
+ 	m->m_len += sizeof(struct ip);
+ 	m->m_pkthdr.len = m->m_len;

share/security/patches/EN-18:13/icmp.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlv9oBpfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJHYA//TFweS8EPSWTo+0jzir7aI3zg8rJUrle6cH0iGI36mNFFY3/+hlij2pNe
+XJ4K9O2m/v95sg0WbgVwCwP5jlMPYu7rEnyvzCEhHbmOrAXrQCnrbEan35QCXzEy
+ihceI//li414WxEd0W2RpTUS3fkWroxA7xf3TL0eKG51GYrBNdrTZUMTbleL8Zvp
+v24V0lB8gx1mZMI8+bOFgK/dW9Kay5tCAo75oOkafbba9ddtVgZrnYdCj6ikedWm
+CNAkFPW55c+G5yHXvtTxFTaw9mtz8rY6vy1ZA4DB7SI62AvCSbepOVB28Czo0+w3
+Rvs3UL2ia55se6jG4OlAWkASC4H8b3BaTDOoETh7Fm0VsA0drN+VarEdi0Tf6SVq
+yDveVsDJR2/qU6Np0eWUTto0J/9PElte6kiNsWBgPgI7L3aawJ9Czuxu5BIP3U5j
+7Mvnp2AsC75uku66UnejBQ67q5+jqWjqdXhis5Fs63s69GIFYWMpZa/+djLO2ZlG
+CLSHmzRwdgKhi6VKXO6q3OwWfOEncUTZJXdYIwKzSyr18LQHfxT1lkWsrV2Pq49S
+zcuSRZZxRFx0ADWGHg/90pgDAiyNFehmsn7sj0wFD104P/KU/avaFsTYb8at4osa
+IXLlJuYFG/dzIxk6FRkgUKG1Pt3in+CFJ0TAwZydx20EmWgqtmM=
+=PTdi
+-----END PGP SIGNATURE-----

share/security/patches/EN-18:14/tzdata-2018g.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKSBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlv9oB5fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJjNQ/zB0Xir5wxp826vDBd+3RUdBbMRFQszzJnnz+3UVmXG2VdMMopSMXA6RUV
+kA/EoroTj5ksxU4XA80uRZ12Qq4vaFrnVSxbNK29XY9EMCMQtUJIxBL6ByorUuYX
+z7T+3WZhOOK7j7tqLzLmRHMhYc6f39lKgx1ilbKaa68pRqZN91JiKZDgRSiWVCPp
+0PSfHqVTTaMe1JeQxsr2RLNVQOf9VXtt0mNKXyRWYH/yginEx+oujxzlp9++xOe8
+81es8OIboPxlzLicjGD8bdszK/Ec7JaenWqqfua5kK0pg/5xnnobi6HrvzlmKzRo
+j8qt70ktgFxIynbvKN8R25ghZMRNTVAGNFqe9+F7Uwvj/kQatxmZNkkvUMp158R5
+TwZgl8xJ1+g+SnhMdwloKXWXi75g5UaXIn15upzlNjOrwf6b9IA71+PwGh/3LRZY
+m0lw8Ffk40nXD6yPGG2KFZi13uXqSwHGMJCbdXmkMGHX2pbPr36aHIpLP7iDd8R7
+0z5AOyFJTRNmMxSWM/BJQ9CxNAWBQL2dsyjAynsq78fP3ui7E81tT17X6vEprqlZ
+ueVLeu+fWFlqN4TBCIIyWxvWI2QYyViq5AcepoN8vxcBMzSAQ12n0G/AEKKQcR2t
+5rzx+FrSvGwX79+JsZ59ms/39a2PJBajVsnrlUTcKcVa+J7VUA==
+=7n42
+-----END PGP SIGNATURE-----

share/security/patches/EN-18:15/loader.patch

@@ -0,0 +1,19 @@
+--- stand/forth/check-password.4th.orig
++++ stand/forth/check-password.4th
+@@ -129,7 +129,7 @@
+ 	again \ Enter was not pressed; repeat
+ ;
+ 
+-only forth definitions also password-processing
++only forth definitions also password-processing also support-functions
+ 
+ : check-password ( -- )
+ 
+@@ -161,6 +161,7 @@
+ 	\ We should prevent the user from visiting the menu or dropping to the
+ 	\ interactive loader(8) prompt, but still allow the machine to boot...
+ 
++	any_conf_read? if load_kernel load_modules then
+ 	0 autoboot
+ 
+ 	\ Only reached if autoboot fails for any reason (including if/when

share/security/patches/EN-18:15/loader.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlv9oCJfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cL3fhAAiIzTBcgNheH/EIt7DQjGnQoTbOo/jGDzJD/e3vfvJ7/E7pn2a6ZaIAtj
+INi+hFugFr/ePMHaOmcUHeevFG7IStpDuS9M5Pimn+UfDwARmTQUbWq83isKVxTW
+oM8PL9wwhgJJVHQdqHFScihZmOSFFb1GoV/Podsz7Um9vg9iXSEzQDtSHLUENpKP
+u99dM8QBPGvFyfidsBCujJtE4Yf5/x5zO2hExaGjRf9x4PsTnsKBRJDLivP3EZLe
+ksKaJ8tOZsGP8MS5AXlNjUiKwOVa1C/ElRkZPZvrQ02he6QJ+n6rIzrNBPR4ZtkT
+WwBTcquPkMJYoDZwK79YsyCkIrg3id0gEyPJvJ0ij2BN8bC2c6nh4ZVd01A84PCV
+u/lX1SLTx5sSmFqKQWaGYtt70WZa90mLxN5Qh5cikK4Icz6StHTrM/gEIV/mYkYM
+Q13azPsgrqUxWbnMjuGmugVjBJwIKN3TxvY0Rop2pkps2QIHEWkol3zPIuR2pMVt
+6wndKdqyxb6wiK2r6gN7xINX0T2NauXyO8VKDtr48qA5+4UJbH7M4xTMnS2yLJ1h
+voV3+l3HSfCBugAXQLRgzyZNcD0xy/EZ1fmuV82lE5yXhYPagXhLzKKVsJ747Qte
+5TdYTPZ4nEjBbK+dF8v1saIYzZi1YIiPFfFTzF2Yn3ZkJStvqxg=
+=9jnU
+-----END PGP SIGNATURE-----

share/security/patches/SA-18:13/nfs.patch

@@ -0,0 +1,70 @@
+Index: sys/fs/nfs/nfs_commonsubs.c
+===================================================================
+--- sys/fs/nfs/nfs_commonsubs.c	(revision 341005)
++++ sys/fs/nfs/nfs_commonsubs.c	(working copy)
+@@ -360,10 +360,14 @@
+ 	if (offs == 0)
+ 		goto out;
+ 	/*
+-	 * A negative offs should be considered a serious problem.
++	 * A negative offs might indicate a corrupted mbuf chain and,
++	 * as such, a printf is logged.
+ 	 */
+-	if (offs < 0)
+-		panic("nfsrv_advance");
++	if (offs < 0) {
++		printf("nfsrv_advance: negative offs\n");
++		error = EBADRPC;
++		goto out;
++	}
+ 
+ 	/*
+ 	 * If left == -1, calculate it here.
+Index: sys/fs/nfsserver/nfs_nfsdport.c
+===================================================================
+--- sys/fs/nfsserver/nfs_nfsdport.c	(revision 341005)
++++ sys/fs/nfsserver/nfs_nfsdport.c	(working copy)
+@@ -1858,9 +1858,15 @@
+ 	 * cookie) should be in the reply. At least one client "hints" 0,
+ 	 * so I set it to cnt for that case. I also round it up to the
+ 	 * next multiple of DIRBLKSIZ.
++	 * Since the size of a Readdirplus directory entry reply will always
++	 * be greater than a directory entry returned by VOP_READDIR(), it
++	 * does not make sense to read more than NFS_SRVMAXDATA() via
++	 * VOP_READDIR().
+ 	 */
+ 	if (siz <= 0)
+ 		siz = cnt;
++	else if (siz > NFS_SRVMAXDATA(nd))
++		siz = NFS_SRVMAXDATA(nd);
+ 	siz = ((siz + DIRBLKSIZ - 1) & ~(DIRBLKSIZ - 1));
+ 
+ 	if (nd->nd_flag & ND_NFSV4) {
+Index: sys/fs/nfsserver/nfs_nfsdsocket.c
+===================================================================
+--- sys/fs/nfsserver/nfs_nfsdsocket.c	(revision 341005)
++++ sys/fs/nfsserver/nfs_nfsdsocket.c	(working copy)
+@@ -758,11 +758,6 @@
+ 		*repp = *tl;
+ 		op = fxdr_unsigned(int, *tl);
+ 		NFSD_DEBUG(4, "op=%d\n", op);
+-
+-		binuptime(&start_time);
+-		nfsrvd_statstart(op, &start_time);
+-		statsinprog = 1;
+-
+ 		if (op < NFSV4OP_ACCESS ||
+ 		    (op >= NFSV4OP_NOPS && (nd->nd_flag & ND_NFSV41) == 0) ||
+ 		    (op >= NFSV41_NOPS && (nd->nd_flag & ND_NFSV41) != 0)) {
+@@ -774,6 +769,11 @@
+ 		} else {
+ 			repp++;
+ 		}
++
++		binuptime(&start_time);
++		nfsrvd_statstart(op, &start_time);
++		statsinprog = 1;
++
+ 		if (i == 0)
+ 			op0 = op;
+ 		if (i == numops - 1)

share/security/patches/SA-18:13/nfs.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlv9oBVfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cI4iA/+IUgbkbDWjqR+gIrNVDVwfP4QiC46xwRvX0pahYqvF5LugXGO6Nrrw02X
+Uyj4o/Mcc09G1tcEY1By5/pfGdj78CclXsvsYgeMjFNpyYmz5lAfInMN3aFWCl5W
+EVW39Qw5Yt78qthYLvJW2Xt51fh0NhwFLKm7L/b5RIIDMKgO0iir+O4dXTlMk+6o
+0UldzE+utGQ50CimFMk0MtsjS9nsqLEXQUX2gxS/fYTGvQ+97JBN8mkcutobN2+T
+k+b1vQIxWsJKE7d1ak1ZmeMC6+aytp6miYvOTuQmsNr0t/iJQJhLGPcceCdgh4H3
+7/YLScMDgYifOMu0CiMa7G3yP8stlyJerX/QMMnP2dSWJmXLATVFsPBTwd9/ATFM
+XyM0qLKnLOuhwKN2tlWKSeg5A9riT1aQDu03oK+ObjX3/KF67F5kDoaIE/XcF4Ns
+Ha5svGj7nzszWrJh8+xSGcZwakPdLZo5MkypBZX4o70/pSXzrp5ceaZYX1U2GmpZ
+ZTWwOOgelISzkJs7Byr0SQszEGqd1pxm0o0BFC/TbplXLiPZ2zLCVSLdpQOuZNcw
+pASjsxnfMR3uNFUWK1sHZo7E69adCU7pMAVPH21EKR54ldZPH9fgtEtl6j8P0Hx8
+bq/CKsiPti8ZmGXCsCOFdB7KMOcboJCX0F/29Srmi1FAz4edFrU=
+=7Oqb
+-----END PGP SIGNATURE-----

share/xml/advisories.xml

@@ -7,6 +7,19 @@
   <year>
     <name>2018</name>
 
+    <month>
+      <name>11</name>
+
+      <day>
+	<name>27</name>
+
+	<advisory>
+	  <name>FreeBSD-SA-18:13.nfs</name>
+	</advisory>
+
+      </day>
+    </month>
+
     <month>
       <name>9</name>
 

share/xml/notices.xml

@@ -7,6 +7,27 @@
   <year>
     <name>2018</name>
 
+    <month>
+      <name>11</name>
+
+      <day>
+	<name>27</name>
+
+	<notice>
+	  <name>FreeBSD-EN-18:15.loader</name>
+	</notice>
+
+	<notice>
+	  <name>FreeBSD-EN-18:14.tzdata</name>
+	</notice>
+
+	<notice>
+	  <name>FreeBSD-EN-18:13.icmp</name>
+	</notice>
+
+      </day>
+    </month>
+
     <month>
       <name>9</name>