From a670bd985211dd2536b55fc1b3fb26ee9be1225c Mon Sep 17 00:00:00 2001
From: Xin LI <delphij@FreeBSD.org>
Date: Tue, 28 Jul 2015 20:17:10 +0000
Subject: [PATCH] Add SA-15:14 - SA-15:17.

---
 .../advisories/FreeBSD-SA-15:14.bsdpatch.asc  | 134 ++++++++++++
 .../advisories/FreeBSD-SA-15:15.tcp.asc       | 187 ++++++++++++++++
 .../advisories/FreeBSD-SA-15:16.openssh.asc   | 188 ++++++++++++++++
 .../advisories/FreeBSD-SA-15:17.bind.asc      | 139 ++++++++++++
 .../security/patches/SA-15:14/bsdpatch.patch  | 188 ++++++++++++++++
 .../patches/SA-15:14/bsdpatch.patch.asc       |  17 ++
 share/security/patches/SA-15:15/tcp-8.patch   | 203 ++++++++++++++++++
 .../security/patches/SA-15:15/tcp-8.patch.asc |  17 ++
 .../patches/SA-15:15/tcp-9.3-10.1.patch       | 194 +++++++++++++++++
 .../patches/SA-15:15/tcp-9.3-10.1.patch.asc   |  17 ++
 share/security/patches/SA-15:15/tcp.patch     | 194 +++++++++++++++++
 share/security/patches/SA-15:15/tcp.patch.asc |  17 ++
 .../security/patches/SA-15:16/openssh-8.patch |  89 ++++++++
 .../patches/SA-15:16/openssh-8.patch.asc      |  17 ++
 share/security/patches/SA-15:16/openssh.patch |  90 ++++++++
 .../patches/SA-15:16/openssh.patch.asc        |  17 ++
 share/security/patches/SA-15:17/bind.patch    |  12 ++
 .../security/patches/SA-15:17/bind.patch.asc  |  17 ++
 share/xml/advisories.xml                      |  20 ++
 19 files changed, 1757 insertions(+)
 create mode 100644 share/security/advisories/FreeBSD-SA-15:14.bsdpatch.asc
 create mode 100644 share/security/advisories/FreeBSD-SA-15:15.tcp.asc
 create mode 100644 share/security/advisories/FreeBSD-SA-15:16.openssh.asc
 create mode 100644 share/security/advisories/FreeBSD-SA-15:17.bind.asc
 create mode 100644 share/security/patches/SA-15:14/bsdpatch.patch
 create mode 100644 share/security/patches/SA-15:14/bsdpatch.patch.asc
 create mode 100644 share/security/patches/SA-15:15/tcp-8.patch
 create mode 100644 share/security/patches/SA-15:15/tcp-8.patch.asc
 create mode 100644 share/security/patches/SA-15:15/tcp-9.3-10.1.patch
 create mode 100644 share/security/patches/SA-15:15/tcp-9.3-10.1.patch.asc
 create mode 100644 share/security/patches/SA-15:15/tcp.patch
 create mode 100644 share/security/patches/SA-15:15/tcp.patch.asc
 create mode 100644 share/security/patches/SA-15:16/openssh-8.patch
 create mode 100644 share/security/patches/SA-15:16/openssh-8.patch.asc
 create mode 100644 share/security/patches/SA-15:16/openssh.patch
 create mode 100644 share/security/patches/SA-15:16/openssh.patch.asc
 create mode 100644 share/security/patches/SA-15:17/bind.patch
 create mode 100644 share/security/patches/SA-15:17/bind.patch.asc

diff --git a/share/security/advisories/FreeBSD-SA-15:14.bsdpatch.asc b/share/security/advisories/FreeBSD-SA-15:14.bsdpatch.asc
new file mode 100644
index 0000000000..348df29f80
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-15:14.bsdpatch.asc
@@ -0,0 +1,134 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:14.bsdpatch                                   Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          shell injection vulnerability in patch(1)
+
+Category:       contrib
+Module:         patch
+Announced:      2015-07-28
+Credits:        Martin Natano
+Affects:        FreeBSD 10.x.
+Corrected:      2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
+                2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
+                2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
+                2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
+CVE Name:       CVE-2015-1416
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The patch(1) utility takes a patch file produced by the diff(1) program and
+apply the differences to an original file, producing a patched version.
+
+The patch(1) utility supports certain version control systems, namely SCCS
+and RCS, and attempts to get or check out the file before applying a patch,
+if the original file do not already exist.
+
+II.  Problem Description
+
+Due to insufficient sanitization of the input patch stream, it is possible
+for a patch file to cause patch(1) to run commands in addition to the desired
+SCCS or RCS commands.
+
+III. Impact
+
+This issue could be exploited to execute arbitrary commands as the user
+invoking patch(1) against a specically crafted patch file, which could be
+leveraged to obtain elevated privileges.
+
+IV.  Workaround
+
+No workaround is available, but systems where a privileged user does not
+make use of patches without proper validation are not affected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+A reboot is not required after updating.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+A reboot is not required after updating.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-15:14/bsdpatch.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:14/bsdpatch.patch.asc
+# gpg --verify bsdpatch.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r285976
+releng/10.1/                                                      r285978
+releng/10.2/                                                      r285979
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1416>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:14.bsdpatch.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+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
+=JTtx
+-----END PGP SIGNATURE-----
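Review bot: The "Correction details" table in this advisory lists `releng/10.1/ r285978` and `releng/10.2/ r285979`, while the SA-15:15 and SA-15:16 advisories added in the same commit list `releng/10.1/ r285979` and `releng/10.2/ r285978`. The Corrected: field here gives releng/10.2 the earlier timestamp (19:59:04 against 19:59:11 for releng/10.1), which suggests, if revision numbers follow commit order, that this table has the two swapped. Anyone running `svn diff -cNNNNNN` to confirm the fix on their branch would then be inspecting the other branch's commit. Because the text is clearsigned, correcting it means publishing a re-signed revision of the advisory rather than editing the file in place.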
diff --git a/share/security/advisories/FreeBSD-SA-15:15.tcp.asc b/share/security/advisories/FreeBSD-SA-15:15.tcp.asc
new file mode 100644
index 0000000000..830c4d2488
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-15:15.tcp.asc
@@ -0,0 +1,187 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:15.tcp                                        Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Resource exhaustion in TCP reassembly 
+
+Category:       core
+Module:         inet
+Announced:      2015-07-28
+Credits:        Patrick Kelsey (Norse Corporation)
+Affects:        All supported versions of FreeBSD.
+Corrected:      2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
+                2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
+                2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
+                2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
+                2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
+                2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
+                2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
+                2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
+CVE Name:       CVE-2015-1417
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
+provides a connection-oriented, reliable, sequence-preserving data
+stream service.
+
+The underlying simple and potentially unreliable IP datagram
+communication protocol may deliver segments out of order, therefore,
+the TCP receiver would need to reassemble the segments into their
+original sequence to provide a reliable octet stream.  Because the
+reassembly requires additional resources to keep the queued segments,
+historically resource exhaustion in the TCP reassembly path has been
+prevented by limiting the total number of segments that could belong
+to reassembly queues to a small fraction (1/16) of the total number of
+mbuf clusters in the system.
+
+VNET is a technique to virtualize the network stack, first introduced in
+FreeBSD 8.0.  It changes global resources in the network stack into per
+network stack resources, so that a virtual network stack can be attached
+to a jailed prison and the prison can have unrestricted access to the
+virtual network stack.  VNET is not enabled by default and has to be
+enabled by recompiling the kernel.
+
+II.  Problem Description
+
+There is a mistake with the introduction of VNET, which converted the
+global limit on the number of segments that could belong to reassembly
+queues into a per-VNET limit.  Because mbufs are allocated from a
+global pool, in the presence of a sufficient number of VNETs, the
+total number of mbufs attached to reassembly queues can grow to the
+total number of mbufs in the system, at which point all network
+traffic would cease.
+
+III. Impact
+
+An attacker who can establish concurrent TCP connections across a
+sufficient number of VNETs and manipulate the inbound packet streams
+such that the maximum number of mbufs are enqueued on each reassembly
+queue can cause mbuf cluster exhaustion on the target system, resulting
+in a Denial of Service condition.
+
+As the default per-VNET limit on the number of segments that can
+belong to reassembly queues is 1/16 of the total number of mbuf
+clusters in the system, only systems that have 16 or more VNET
+instances are vulnerable.
+
+IV.  Workaround
+
+FreeBSD 8.x, 9.x and 10.x systems that do not make use of VNETs
+(option VIMAGE) are not affected.  The support has to be specifically
+compiled into a custom kernel, so its use is not common.
+
+For affected systems, the system administrators may consider reducing
+the net.inet.tcp.reass.maxsegments tunable to the value of
+kern.ipc.nmbclusters divided by one greater than the total number of
+VNETs that are going to be used in the system in order to prevent a
+Denial of Service via this vulnerability.  For example, if there are
+16 VNETs in the system, the net.inet.tcp.reass.maxsegments tunable
+should be set to kern.ipc.nmbclusters / 17.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot the system.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+And reboot the system.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 10.2]
+# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp.patch.asc
+# gpg --verify tcp.patch.asc
+
+[FreeBSD 9.3 and 10.1]
+# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-9.3-10.1.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-9.3-10.1.patch.asc
+# gpg --verify tcp-9.3-10.1.patch.asc
+
+[FreeBSD 8.4]
+# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-8.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-8.patch.asc
+# gpg --verify tcp-8.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r285977
+releng/8.4/                                                       r285980
+stable/9/                                                         r285977
+releng/9.3/                                                       r285980
+stable/10/                                                        r285976
+releng/10.1/                                                      r285979
+releng/10.2/                                                      r285978
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1417>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:15.tcp.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+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
+=PC1V
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-SA-15:16.openssh.asc b/share/security/advisories/FreeBSD-SA-15:16.openssh.asc
new file mode 100644
index 0000000000..38de3b2a6b
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-15:16.openssh.asc
@@ -0,0 +1,188 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:16.openssh                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          OpenSSH multiple vulnerabilities
+
+Category:       contrib
+Module:         openssh
+Announced:      2015-07-28
+Affects:        All supported versions of FreeBSD.
+Corrected:      2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
+                2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
+                2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
+                2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
+                2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
+                2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
+                2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
+                2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
+CVE Name:       CVE-2014-2653, CVE-2015-5600
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+OpenSSH is an implementation of the SSH protocol suite, providing an
+encrypted and authenticated transport for a variety of services,
+including remote shell access.
+
+The security of the SSH connection relies on the server authenticating
+itself to the client as well as the user authenticating itself to the
+server.  SSH servers uses host keys to verify their identity.
+
+RFC 4255 has defined a method of verifying SSH host keys using Domain
+Name System Security (DNSSEC), by publishing the key fingerprint using
+DNS with "SSHFP" resource record.  RFC 6187 has defined methods to use
+a signature by a trusted certification authority to bind a given public
+key to a given digital identity with X.509v3 certificates.
+
+The PAM (Pluggable Authentication Modules) library provides a flexible
+framework for user authentication and session setup / teardown.
+
+OpenSSH uses PAM for password authentication by default.
+
+II.  Problem Description
+
+OpenSSH clients does not correctly verify DNS SSHFP records when a server
+offers a certificate. [CVE-2014-2653]
+
+OpenSSH servers which are configured to allow password authentication
+using PAM (default) would allow many password attempts.
+
+III. Impact
+
+A malicious server may be able to force a connecting client to skip DNS
+SSHFP record check and require the user to perform manual host verification
+of the host key fingerprint.  This could allow man-in-the-middle attack
+if the user does not carefully check the fingerprint.  [CVE-2014-2653]
+
+A remote attacker may effectively bypass MaxAuthTries settings, which would
+enable them to brute force passwords. [CVE-2015-5600]
+
+IV.  Workaround
+
+Systems that do not use OpenSSH are not affected.
+
+There is no workaround for CVE-2014-2653, but the problem only affects
+networks where DNSsec and SSHFP is properly configured.  Users who uses
+SSH should always check server host key fingerprints carefully when
+prompted.
+
+System administrators can set:
+
+	UsePAM no
+
+In their /etc/ssh/sshd_config and restart sshd service to workaround the
+problem described as CVE-2015-5600 at expense of losing features provided
+by the PAM framework.
+
+We recommend system administrators to disable password based authentication
+completely, and use key based authentication exclusively in their SSH server
+configuration, when possible.  This would eliminate the possibility of being
+ever exposed to password brute force attack.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+SSH service has to be restarted after the update.  A reboot is recommended
+but not required.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+SSH service has to be restarted after the update.  A reboot is recommended
+but not required.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 9.3, 10.1, 10.2]
+# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch.asc
+# gpg --verify openssh.patch.asc
+
+[FreeBSD 8.4]
+# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch.asc
+# gpg --verify openssh-8.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the SSH service, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r285977
+releng/8.4/                                                       r285980
+stable/9/                                                         r285977
+releng/9.3/                                                       r285980
+stable/10/                                                        r285976
+releng/10.1/                                                      r285979
+releng/10.2/                                                      r285978
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5600>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:16.openssh.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+
+iQIcBAEBCgAGBQJVt+FdAAoJEO1n7NZdz2rnPxEQAIFMhBzUuAEEeG3GoO6o6DQn
+7ZVPdd+EdijDk0VAZbaa3NyeVGTNSEQhjpL/lSkIQUQT+yEAUUsUCVWu0T8OpCN0
+UT6JlYhV+AwQVyWujlTjspQ3Ba3Kn3o76MCzvdIQWPTzD1yCZqRmpZ1eSjonmySZ
+ts+kVDCV2ZJyWACOdG2GXHSmTraIErn0J1YaLg++c8nHUvb+TNo2/8viBGJINhdP
+bvA6fzYPpAzgaq5EEKevySLUnUfUE2Nx5LGD2CUx/hMu7K8y2h4SR2fKmpyBauNS
+4VHSssX6KjxZCYctCEsUgCokWYzt9fepyBsCiS9Vx4mTwat8Vuiz2zB1lCOwM97v
+iDbkcmR/ixElrXSBb5+wrhOpBLnYtHFTNPx8dRz39wdb1MxJQqyOOb8KtDSlFMmQ
+l5Lk1vTEcZQjWvmCV9XjVlPqcHnX4wNnV+IgUnQTnhQlbe0YgszdLAi5XZDGBmtA
+DHuLfBy1091KYBoP641GRuldsq6/r6DUzyZuQJ+p30BDUEfkUAptIEnQWA2l3Y8W
+/10eels29WJhV9N7WWo4pbADA54+DLvi0T/46R9WRbM9bA/dsqK9G5wmREaKCqmX
+ccQUFrruxJTn7TV4QbN69ABEkOFCyQjqecP2GqA2N/5AAUsV47WC/VtKgOPp4FZ6
+E0SkAoNzIighyNk54U9p
+=6PBw
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-SA-15:17.bind.asc b/share/security/advisories/FreeBSD-SA-15:17.bind.asc
new file mode 100644
index 0000000000..c3feadb691
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-15:17.bind.asc
@@ -0,0 +1,139 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:17.bind                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          BIND remote denial of service vulnerability
+
+Category:       contrib
+Module:         bind
+Announced:      2015-07-28
+Credits:        ISC
+Affects:        FreeBSD 8.x and FreeBSD 9.x.
+Corrected:      2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
+                2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
+                2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
+                2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
+CVE Name:       CVE-2015-5477
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+BIND 9 is an implementation of the Domain Name System (DNS) protocols.
+The named(8) daemon is an Internet Domain Name Server.
+
+II.  Problem Description
+
+An error in the handling of TKEY queries can be exploited by an attacker
+for use as a denial-of-service vector, as a constructed packet can use
+the defect to trigger a REQUIRE assertion failure, causing BIND to exit.
+
+III. Impact
+
+A remote attacker can trigger a crash of a name server.  Both recursive and
+authoritative servers are affected, and the exposure can not be mitigated
+by either ACLs or configuration options limiting or denying service because
+the exploitable code occurs early in the packet handling, before checks
+enforcing those boundaries.
+
+IV.  Workaround
+
+No workaround is available, but systems that are not running BIND are not
+vulnerable.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+The named service has to be restarted after the update.  A reboot is
+recommended but not required.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+The named service has to be restarted after the update.  A reboot is
+recommended but not required.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-15:17/bind.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:17/bind.patch.asc
+# gpg --verify bind.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r285977
+releng/8.4/                                                       r285980
+stable/9/                                                         r285977
+releng/9.3/                                                       r285980
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://kb.isc.org/article/AA-01272>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:17.bind.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+
+iQIcBAEBCgAGBQJVt+FdAAoJEO1n7NZdz2rnmAQQAK66bHEYirTecgswG+eiePfU
+lcX46GdLU/OQ/3MHpmc6XQKz9kpJ+Inh8K8IvAJ1SXH41zk/xOtUgqbkUcgkGrS1
+gBVKUC8SF82ll/1FUlORoJc+g+TQgax00Il/GweRVoL0RpU9S/YSnc6OLc0nWzBq
+osweYaHBNRL6lBmUtAHYu1tyvGvHLlfTNk6NCtUxtWeXKe+urYFx4ViJKCU8dJ+U
+F26nQb/3vH93WOEaNjSDHYWypl9qtous5hpOtXr76ofhID67EyOKmPPEC5+6jP/6
+wkdMu7loVewI5K7ZF+zaNxr8CQESurCRkMX3qJSBNCfSw55sdcfKl4BO65SCxLH7
+vXoh+B+Wbof2n3xAcEJNufOdiRQfTxlP1UMWIy00wvdB+VcOCDdD7TUB1kksxzpy
+aXxePRdKLjvkPDiWy17BBpxq8JIfy+41a+N7Fm/hDgUJOYGDAMr27WJLx8MHzY3k
++B014IVvTnHkf0yo5ue5raTpgUr0TVCfwD3eqJOM9iUuOI8vj9h44FpP6R8KNyQA
+mVI/wikVJfYAgmAkHqqRVEHeA8aWJsVNkmrKLHFDkLDdw6umr7oOHfXQo1hk7k7V
++2JEa09kp2AYNGYZkiFG/7jiCZ9GLCvAzKW1v1g8fRsBl+QA1PjW0Rg7HcRmZiwM
+VfNsARSWl2y/t8Gnrfgx
+=40iD
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-15:14/bsdpatch.patch b/share/security/patches/SA-15:14/bsdpatch.patch
new file mode 100644
index 0000000000..9aaa91c1f8
--- /dev/null
+++ b/share/security/patches/SA-15:14/bsdpatch.patch
@@ -0,0 +1,188 @@
+Index: usr.bin/patch/common.h
+===================================================================
+--- usr.bin/patch/common.h	(revision 285926)
++++ usr.bin/patch/common.h	(working copy)
+@@ -43,12 +43,10 @@
+ #define	LINENUM_MAX LONG_MAX
+ 
+ #define	SCCSPREFIX "s."
+-#define	GET "get -e %s"
+-#define	SCCSDIFF "get -p %s | diff - %s >/dev/null"
+ 
+ #define	RCSSUFFIX ",v"
+-#define	CHECKOUT "co -l %s"
+-#define	RCSDIFF "rcsdiff %s > /dev/null"
++#define	CHECKOUT "/usr/bin/co"
++#define	RCSDIFF "/usr/bin/rcsdiff"
+ 
+ #define	ORIGEXT ".orig"
+ #define	REJEXT ".rej"
+Index: usr.bin/patch/inp.c
+===================================================================
+--- usr.bin/patch/inp.c	(revision 285926)
++++ usr.bin/patch/inp.c	(working copy)
+@@ -31,8 +31,10 @@
+ #include <sys/file.h>
+ #include <sys/stat.h>
+ #include <sys/mman.h>
++#include <sys/wait.h>
+ 
+ #include <ctype.h>
++#include <errno.h>
+ #include <libgen.h>
+ #include <stddef.h>
+ #include <stdint.h>
+@@ -133,12 +135,14 @@ reallocate_lines(size_t *lines_allocated)
+ static bool
+ plan_a(const char *filename)
+ {
+-	int		ifd, statfailed;
++	int		ifd, statfailed, devnull, pstat;
+ 	char		*p, *s, lbuf[INITLINELEN];
+ 	struct stat	filestat;
+ 	ptrdiff_t	sz;
+ 	size_t		i;
+ 	size_t		iline, lines_allocated;
++	pid_t		pid;
++	char		*argp[4] = {NULL};
+ 
+ #ifdef DEBUGGING
+ 	if (debug & 8)
+@@ -166,13 +170,14 @@ plan_a(const char *filename)
+ 	}
+ 	if (statfailed && check_only)
+ 		fatal("%s not found, -C mode, can't probe further\n", filename);
+-	/* For nonexistent or read-only files, look for RCS or SCCS versions.  */
++	/* For nonexistent or read-only files, look for RCS versions.  */
++
+ 	if (statfailed ||
+ 	    /* No one can write to it.  */
+ 	    (filestat.st_mode & 0222) == 0 ||
+ 	    /* I can't write to it.  */
+ 	    ((filestat.st_mode & 0022) == 0 && filestat.st_uid != getuid())) {
+-		const char	*cs = NULL, *filebase, *filedir;
++		char	*filebase, *filedir;
+ 		struct stat	cstat;
+ 		char *tmp_filename1, *tmp_filename2;
+ 
+@@ -180,43 +185,26 @@ plan_a(const char *filename)
+ 		tmp_filename2 = strdup(filename);
+ 		if (tmp_filename1 == NULL || tmp_filename2 == NULL)
+ 			fatal("strdupping filename");
++
+ 		filebase = basename(tmp_filename1);
+ 		filedir = dirname(tmp_filename2);
+ 
+-		/* Leave room in lbuf for the diff command.  */
+-		s = lbuf + 20;
+-
+ #define try(f, a1, a2, a3) \
+-	(snprintf(s, buf_size - 20, f, a1, a2, a3), stat(s, &cstat) == 0)
++	(snprintf(lbuf, sizeof(lbuf), f, a1, a2, a3), stat(lbuf, &cstat) == 0)
+ 
+-		if (try("%s/RCS/%s%s", filedir, filebase, RCSSUFFIX) ||
+-		    try("%s/RCS/%s%s", filedir, filebase, "") ||
+-		    try("%s/%s%s", filedir, filebase, RCSSUFFIX)) {
+-			snprintf(buf, buf_size, CHECKOUT, filename);
+-			snprintf(lbuf, sizeof lbuf, RCSDIFF, filename);
+-			cs = "RCS";
+-		} else if (try("%s/SCCS/%s%s", filedir, SCCSPREFIX, filebase) ||
+-		    try("%s/%s%s", filedir, SCCSPREFIX, filebase)) {
+-			snprintf(buf, buf_size, GET, s);
+-			snprintf(lbuf, sizeof lbuf, SCCSDIFF, s, filename);
+-			cs = "SCCS";
+-		} else if (statfailed)
+-			fatal("can't find %s\n", filename);
+-
+-		free(tmp_filename1);
+-		free(tmp_filename2);
+-
+ 		/*
+ 		 * else we can't write to it but it's not under a version
+ 		 * control system, so just proceed.
+ 		 */
+-		if (cs) {
++		if (try("%s/RCS/%s%s", filedir, filebase, RCSSUFFIX) ||
++		    try("%s/RCS/%s%s", filedir, filebase, "") ||
++		    try("%s/%s%s", filedir, filebase, RCSSUFFIX)) {
+ 			if (!statfailed) {
+ 				if ((filestat.st_mode & 0222) != 0)
+ 					/* The owner can write to it.  */
+ 					fatal("file %s seems to be locked "
+-					    "by somebody else under %s\n",
+-					    filename, cs);
++					    "by somebody else under RCS\n",
++					    filename);
+ 				/*
+ 				 * It might be checked out unlocked.  See if
+ 				 * it's safe to check out the default version
+@@ -224,21 +212,59 @@ plan_a(const char *filename)
+ 				 */
+ 				if (verbose)
+ 					say("Comparing file %s to default "
+-					    "%s version...\n",
+-					    filename, cs);
+-				if (system(lbuf))
++					    "RCS version...\n", filename);
++
++				switch (pid = fork()) {
++				case -1:
++					fatal("can't fork: %s\n",
++					    strerror(errno));
++				case 0:
++					devnull = open("/dev/null", O_RDONLY);
++					if (devnull == -1) {
++						fatal("can't open /dev/null: %s",
++						    strerror(errno));
++					}
++					(void)dup2(devnull, STDOUT_FILENO);
++					argp[0] = strdup(RCSDIFF);
++					argp[1] = strdup(filename);
++					execv(RCSDIFF, argp);
++					exit(127);
++				}
++				pid = waitpid(pid, &pstat, 0);
++				if (pid == -1 || WEXITSTATUS(pstat) != 0) {
+ 					fatal("can't check out file %s: "
+-					    "differs from default %s version\n",
+-					    filename, cs);
++					    "differs from default RCS version\n",
++					    filename);
++				}
+ 			}
++
+ 			if (verbose)
+-				say("Checking out file %s from %s...\n",
+-				    filename, cs);
+-			if (system(buf) || stat(filename, &filestat))
+-				fatal("can't check out file %s from %s\n",
+-				    filename, cs);
++				say("Checking out file %s from RCS...\n",
++				    filename);
++
++			switch (pid = fork()) {
++			case -1:
++				fatal("can't fork: %s\n", strerror(errno));
++			case 0:
++				argp[0] = strdup(CHECKOUT);
++				argp[1] = strdup("-l");
++				argp[2] = strdup(filename);
++				execv(CHECKOUT, argp);
++				exit(127);
++			}
++			pid = waitpid(pid, &pstat, 0);
++			if (pid == -1 || WEXITSTATUS(pstat) != 0 ||
++			    stat(filename, &filestat)) {
++				fatal("can't check out file %s from RCS\n",
++				    filename);
++			}
++		} else if (statfailed) {
++			fatal("can't find %s\n", filename);
+ 		}
++		free(tmp_filename1);
++		free(tmp_filename2);
+ 	}
++
+ 	filemode = filestat.st_mode;
+ 	if (!S_ISREG(filemode))
+ 		fatal("%s is not a normal file--can't patch\n", filename);
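Review bot: Both `waitpid()` checks in the embedded `plan_a()` change read `WEXITSTATUS(pstat)` without first testing `WIFEXITED(pstat)`, so an `rcsdiff` or `co` child that is killed by a signal will typically show an exit-status field of 0 and be treated as success. For the rcsdiff comparison that fails open: the checkout proceeds as if the working file matched the default RCS version. I would write the first condition as `if (pid == -1 || !WIFEXITED(pstat) || WEXITSTATUS(pstat) != 0) {` and add the same `!WIFEXITED(pstat)` term to the `co` check that also calls `stat()`. Separately, the rcsdiff child opens `/dev/null` with `O_RDONLY` before `dup2()`-ing it onto `STDOUT_FILENO`; `O_WRONLY` matches how the descriptor is used. `plan_a()` starts and ends outside the embedded hunks.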
diff --git a/share/security/patches/SA-15:14/bsdpatch.patch.asc b/share/security/patches/SA-15:14/bsdpatch.patch.asc
new file mode 100644
index 0000000000..0095d71f41
--- /dev/null
+++ b/share/security/patches/SA-15:14/bsdpatch.patch.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+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+=fzsn
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-15:15/tcp-8.patch b/share/security/patches/SA-15:15/tcp-8.patch
new file mode 100644
index 0000000000..fcacd065e0
--- /dev/null
+++ b/share/security/patches/SA-15:15/tcp-8.patch
@@ -0,0 +1,203 @@
+Index: sys/netinet/tcp_reass.c
+===================================================================
+--- sys/netinet/tcp_reass.c	(revision 285923)
++++ sys/netinet/tcp_reass.c	(working copy)
+@@ -80,29 +80,25 @@ static int tcp_reass_sysctl_qsize(SYSCTL_HANDLER_A
+ SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
+     "TCP Segment Reassembly Queue");
+ 
+-static VNET_DEFINE(int, tcp_reass_maxseg) = 0;
+-#define	V_tcp_reass_maxseg		VNET(tcp_reass_maxseg)
++static int tcp_reass_maxseg = 0;
+ SYSCTL_VNET_PROC(_net_inet_tcp_reass, OID_AUTO, maxsegments,
+     CTLTYPE_INT | CTLFLAG_RDTUN,
+-    &VNET_NAME(tcp_reass_maxseg), 0, &tcp_reass_sysctl_maxseg, "I",
++    &tcp_reass_maxseg, 0, &tcp_reass_sysctl_maxseg, "I",
+     "Global maximum number of TCP Segments in Reassembly Queue");
+ 
+-static VNET_DEFINE(int, tcp_reass_qsize) = 0;
+-#define	V_tcp_reass_qsize		VNET(tcp_reass_qsize)
+-SYSCTL_VNET_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
++static int tcp_reass_qsize = 0;
++SYSCTL_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
+     CTLTYPE_INT | CTLFLAG_RD,
+-    &VNET_NAME(tcp_reass_qsize), 0, &tcp_reass_sysctl_qsize, "I",
++    &tcp_reass_qsize, 0, &tcp_reass_sysctl_qsize, "I",
+     "Global number of TCP Segments currently in Reassembly Queue");
+ 
+-static VNET_DEFINE(int, tcp_reass_overflows) = 0;
+-#define	V_tcp_reass_overflows		VNET(tcp_reass_overflows)
+-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
++static int tcp_reass_overflows = 0;
++SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
+     CTLTYPE_INT | CTLFLAG_RD,
+-    &VNET_NAME(tcp_reass_overflows), 0,
++    &tcp_reass_overflows, 0,
+     "Global number of TCP Segment Reassembly Queue Overflows");
+ 
+-static VNET_DEFINE(uma_zone_t, tcp_reass_zone);
+-#define	V_tcp_reass_zone		VNET(tcp_reass_zone)
++static uma_zone_t tcp_reass_zone;
+ 
+ /* Initialize TCP reassembly queue */
+ static void
+@@ -109,34 +105,25 @@ static void
+ tcp_reass_zone_change(void *tag)
+ {
+ 
+-	V_tcp_reass_maxseg = nmbclusters / 16;
+-	uma_zone_set_max(V_tcp_reass_zone, V_tcp_reass_maxseg);
++	tcp_reass_maxseg = nmbclusters / 16;
++	uma_zone_set_max(tcp_reass_zone, tcp_reass_maxseg);
+ }
+ 
+ void
+-tcp_reass_init(void)
++tcp_reass_global_init(void)
+ {
+ 
+-	V_tcp_reass_maxseg = nmbclusters / 16;
++	tcp_reass_maxseg = nmbclusters / 16;
+ 	TUNABLE_INT_FETCH("net.inet.tcp.reass.maxsegments",
+-	    &V_tcp_reass_maxseg);
+-	V_tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
++	    &tcp_reass_maxseg);
++	tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
+ 	    NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
+-	uma_zone_set_max(V_tcp_reass_zone, V_tcp_reass_maxseg);
++	uma_zone_set_max(tcp_reass_zone, tcp_reass_maxseg);
+ 	EVENTHANDLER_REGISTER(nmbclusters_change,
+ 	    tcp_reass_zone_change, NULL, EVENTHANDLER_PRI_ANY);
+ }
+ 
+-#ifdef VIMAGE
+ void
+-tcp_reass_destroy(void)
+-{
+-
+-	uma_zdestroy(V_tcp_reass_zone);
+-}
+-#endif
+-
+-void
+ tcp_reass_flush(struct tcpcb *tp)
+ {
+ 	struct tseg_qent *qe;
+@@ -146,7 +133,7 @@ tcp_reass_flush(struct tcpcb *tp)
+ 	while ((qe = LIST_FIRST(&tp->t_segq)) != NULL) {
+ 		LIST_REMOVE(qe, tqe_q);
+ 		m_freem(qe->tqe_m);
+-		uma_zfree(V_tcp_reass_zone, qe);
++		uma_zfree(tcp_reass_zone, qe);
+ 		tp->t_segqlen--;
+ 	}
+ 
+@@ -158,7 +145,7 @@ tcp_reass_flush(struct tcpcb *tp)
+ static int
+ tcp_reass_sysctl_maxseg(SYSCTL_HANDLER_ARGS)
+ {
+-	V_tcp_reass_maxseg = uma_zone_get_max(V_tcp_reass_zone);
++	tcp_reass_maxseg = uma_zone_get_max(tcp_reass_zone);
+ 	return (sysctl_handle_int(oidp, arg1, arg2, req));
+ }
+ 
+@@ -165,7 +152,7 @@ tcp_reass_sysctl_maxseg(SYSCTL_HANDLER_ARGS)
+ static int
+ tcp_reass_sysctl_qsize(SYSCTL_HANDLER_ARGS)
+ {
+-	V_tcp_reass_qsize = uma_zone_get_cur(V_tcp_reass_zone);
++	tcp_reass_qsize = uma_zone_get_cur(tcp_reass_zone);
+ 	return (sysctl_handle_int(oidp, arg1, arg2, req));
+ }
+ 
+@@ -213,7 +200,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ 	 */
+ 	if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
+ 	    tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
+-		V_tcp_reass_overflows++;
++		tcp_reass_overflows++;
+ 		TCPSTAT_INC(tcps_rcvmemdrop);
+ 		m_freem(m);
+ 		*tlenp = 0;
+@@ -232,7 +219,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ 	 * Use a temporary structure on the stack for the missing segment
+ 	 * when the zone is exhausted. Otherwise we may get stuck.
+ 	 */
+-	te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
++	te = uma_zalloc(tcp_reass_zone, M_NOWAIT);
+ 	if (te == NULL) {
+ 		if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
+ 			TCPSTAT_INC(tcps_rcvmemdrop);
+@@ -283,7 +270,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ 				TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
+ 				m_freem(m);
+ 				if (te != &tqs)
+-					uma_zfree(V_tcp_reass_zone, te);
++					uma_zfree(tcp_reass_zone, te);
+ 				tp->t_segqlen--;
+ 				/*
+ 				 * Try to present any queued data
+@@ -320,7 +307,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ 		nq = LIST_NEXT(q, tqe_q);
+ 		LIST_REMOVE(q, tqe_q);
+ 		m_freem(q->tqe_m);
+-		uma_zfree(V_tcp_reass_zone, q);
++		uma_zfree(tcp_reass_zone, q);
+ 		tp->t_segqlen--;
+ 		q = nq;
+ 	}
+@@ -359,7 +346,7 @@ present:
+ 		else
+ 			sbappendstream_locked(&so->so_rcv, q->tqe_m);
+ 		if (q != &tqs)
+-			uma_zfree(V_tcp_reass_zone, q);
++			uma_zfree(tcp_reass_zone, q);
+ 		tp->t_segqlen--;
+ 		q = nq;
+ 	} while (q && q->tqe_th->th_seq == tp->rcv_nxt);
+Index: sys/netinet/tcp_subr.c
+===================================================================
+--- sys/netinet/tcp_subr.c	(revision 285923)
++++ sys/netinet/tcp_subr.c	(working copy)
+@@ -375,7 +375,6 @@ tcp_init(void)
+ 	tcp_tw_init();
+ 	syncache_init();
+ 	tcp_hc_init();
+-	tcp_reass_init();
+ 
+ 	TUNABLE_INT_FETCH("net.inet.tcp.sack.enable", &V_tcp_do_sack);
+ 	V_sack_hole_zone = uma_zcreate("sackhole", sizeof(struct sackhole),
+@@ -385,6 +384,8 @@ tcp_init(void)
+ 	if (!IS_DEFAULT_VNET(curvnet))
+ 		return;
+ 
++	tcp_reass_global_init();
++
+ 	/* XXX virtualize those bellow? */
+ 	tcp_delacktime = TCPTV_DELACK;
+ 	tcp_keepinit = TCPTV_KEEP_INIT;
+@@ -424,7 +425,6 @@ void
+ tcp_destroy(void)
+ {
+ 
+-	tcp_reass_destroy();
+ 	tcp_hc_destroy();
+ 	syncache_destroy();
+ 	tcp_tw_destroy();
+Index: sys/netinet/tcp_var.h
+===================================================================
+--- sys/netinet/tcp_var.h	(revision 285923)
++++ sys/netinet/tcp_var.h	(working copy)
+@@ -653,11 +653,8 @@ char 	*tcp_log_addrs(struct in_conninfo *, struct
+ char	*tcp_log_vain(struct in_conninfo *, struct tcphdr *, void *,
+ 	    const void *);
+ int	 tcp_reass(struct tcpcb *, struct tcphdr *, int *, struct mbuf *);
+-void	 tcp_reass_init(void);
++void	 tcp_reass_global_init(void);
+ void	 tcp_reass_flush(struct tcpcb *);
+-#ifdef VIMAGE
+-void	 tcp_reass_destroy(void);
+-#endif
+ void	 tcp_input(struct mbuf *, int);
+ u_long	 tcp_maxmtu(struct in_conninfo *, int *);
+ u_long	 tcp_maxmtu6(struct in_conninfo *, int *);
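Review bot: The `maxsegments` OID in the embedded tcp_reass.c change is still declared with `SYSCTL_VNET_PROC` although its argument is now `&tcp_reass_maxseg`, a plain static rather than a `VNET_NAME()` symbol; the sibling `cursegments` and `overflows` OIDs were switched to `SYSCTL_PROC` and `SYSCTL_INT`. If the VNET flavour of the macro makes the sysctl layer rebase `arg1` against the current vnet (worth confirming on a VIMAGE kernel), `tcp_reass_sysctl_maxseg()` would hand `sysctl_handle_int()` an address that is not the variable. The declaration should read `SYSCTL_PROC(_net_inet_tcp_reass, OID_AUTO, maxsegments,` like the others. The tcp-9.3-10.1.patch and tcp.patch variants already use `SYSCTL_INT` for this OID.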
diff --git a/share/security/patches/SA-15:15/tcp-8.patch.asc b/share/security/patches/SA-15:15/tcp-8.patch.asc
new file mode 100644
index 0000000000..2952c27726
--- /dev/null
+++ b/share/security/patches/SA-15:15/tcp-8.patch.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+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+=ETv1
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-15:15/tcp-9.3-10.1.patch b/share/security/patches/SA-15:15/tcp-9.3-10.1.patch
new file mode 100644
index 0000000000..cd69cc357a
--- /dev/null
+++ b/share/security/patches/SA-15:15/tcp-9.3-10.1.patch
@@ -0,0 +1,194 @@
+Index: sys/netinet/tcp_reass.c
+===================================================================
+--- sys/netinet/tcp_reass.c	(revision 285923)
++++ sys/netinet/tcp_reass.c	(working copy)
+@@ -79,25 +79,22 @@ static int tcp_reass_sysctl_qsize(SYSCTL_HANDLER_A
+ static SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
+     "TCP Segment Reassembly Queue");
+ 
+-static VNET_DEFINE(int, tcp_reass_maxseg) = 0;
+-#define	V_tcp_reass_maxseg		VNET(tcp_reass_maxseg)
+-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, maxsegments, CTLFLAG_RDTUN,
+-    &VNET_NAME(tcp_reass_maxseg), 0,
++static int tcp_reass_maxseg = 0;
++SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, maxsegments, CTLFLAG_RDTUN,
++    &tcp_reass_maxseg, 0,
+     "Global maximum number of TCP Segments in Reassembly Queue");
+ 
+-SYSCTL_VNET_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
++SYSCTL_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
+     (CTLTYPE_INT | CTLFLAG_RD), NULL, 0, &tcp_reass_sysctl_qsize, "I",
+     "Global number of TCP Segments currently in Reassembly Queue");
+ 
+-static VNET_DEFINE(int, tcp_reass_overflows) = 0;
+-#define	V_tcp_reass_overflows		VNET(tcp_reass_overflows)
+-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
++static int tcp_reass_overflows = 0;
++SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
+     CTLTYPE_INT | CTLFLAG_RD,
+-    &VNET_NAME(tcp_reass_overflows), 0,
++    &tcp_reass_overflows, 0,
+     "Global number of TCP Segment Reassembly Queue Overflows");
+ 
+-static VNET_DEFINE(uma_zone_t, tcp_reass_zone);
+-#define	V_tcp_reass_zone		VNET(tcp_reass_zone)
++static uma_zone_t tcp_reass_zone;
+ 
+ /* Initialize TCP reassembly queue */
+ static void
+@@ -105,37 +102,28 @@ tcp_reass_zone_change(void *tag)
+ {
+ 
+ 	/* Set the zone limit and read back the effective value. */
+-	V_tcp_reass_maxseg = nmbclusters / 16;
+-	V_tcp_reass_maxseg = uma_zone_set_max(V_tcp_reass_zone,
+-	    V_tcp_reass_maxseg);
++	tcp_reass_maxseg = nmbclusters / 16;
++	tcp_reass_maxseg = uma_zone_set_max(tcp_reass_zone,
++	    tcp_reass_maxseg);
+ }
+ 
+ void
+-tcp_reass_init(void)
++tcp_reass_global_init(void)
+ {
+ 
+-	V_tcp_reass_maxseg = nmbclusters / 16;
++	tcp_reass_maxseg = nmbclusters / 16;
+ 	TUNABLE_INT_FETCH("net.inet.tcp.reass.maxsegments",
+-	    &V_tcp_reass_maxseg);
+-	V_tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
++	    &tcp_reass_maxseg);
++	tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
+ 	    NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
+ 	/* Set the zone limit and read back the effective value. */
+-	V_tcp_reass_maxseg = uma_zone_set_max(V_tcp_reass_zone,
+-	    V_tcp_reass_maxseg);
++	tcp_reass_maxseg = uma_zone_set_max(tcp_reass_zone,
++	    tcp_reass_maxseg);
+ 	EVENTHANDLER_REGISTER(nmbclusters_change,
+ 	    tcp_reass_zone_change, NULL, EVENTHANDLER_PRI_ANY);
+ }
+ 
+-#ifdef VIMAGE
+ void
+-tcp_reass_destroy(void)
+-{
+-
+-	uma_zdestroy(V_tcp_reass_zone);
+-}
+-#endif
+-
+-void
+ tcp_reass_flush(struct tcpcb *tp)
+ {
+ 	struct tseg_qent *qe;
+@@ -145,7 +133,7 @@ tcp_reass_flush(struct tcpcb *tp)
+ 	while ((qe = LIST_FIRST(&tp->t_segq)) != NULL) {
+ 		LIST_REMOVE(qe, tqe_q);
+ 		m_freem(qe->tqe_m);
+-		uma_zfree(V_tcp_reass_zone, qe);
++		uma_zfree(tcp_reass_zone, qe);
+ 		tp->t_segqlen--;
+ 	}
+ 
+@@ -159,7 +147,7 @@ tcp_reass_sysctl_qsize(SYSCTL_HANDLER_ARGS)
+ {
+ 	int qsize;
+ 
+-	qsize = uma_zone_get_cur(V_tcp_reass_zone);
++	qsize = uma_zone_get_cur(tcp_reass_zone);
+ 	return (sysctl_handle_int(oidp, &qsize, 0, req));
+ }
+ 
+@@ -207,7 +195,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ 	 */
+ 	if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
+ 	    tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
+-		V_tcp_reass_overflows++;
++		tcp_reass_overflows++;
+ 		TCPSTAT_INC(tcps_rcvmemdrop);
+ 		m_freem(m);
+ 		*tlenp = 0;
+@@ -226,7 +214,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ 	 * Use a temporary structure on the stack for the missing segment
+ 	 * when the zone is exhausted. Otherwise we may get stuck.
+ 	 */
+-	te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
++	te = uma_zalloc(tcp_reass_zone, M_NOWAIT);
+ 	if (te == NULL) {
+ 		if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
+ 			TCPSTAT_INC(tcps_rcvmemdrop);
+@@ -277,7 +265,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ 				TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
+ 				m_freem(m);
+ 				if (te != &tqs)
+-					uma_zfree(V_tcp_reass_zone, te);
++					uma_zfree(tcp_reass_zone, te);
+ 				tp->t_segqlen--;
+ 				/*
+ 				 * Try to present any queued data
+@@ -314,7 +302,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ 		nq = LIST_NEXT(q, tqe_q);
+ 		LIST_REMOVE(q, tqe_q);
+ 		m_freem(q->tqe_m);
+-		uma_zfree(V_tcp_reass_zone, q);
++		uma_zfree(tcp_reass_zone, q);
+ 		tp->t_segqlen--;
+ 		q = nq;
+ 	}
+@@ -353,7 +341,7 @@ present:
+ 		else
+ 			sbappendstream_locked(&so->so_rcv, q->tqe_m);
+ 		if (q != &tqs)
+-			uma_zfree(V_tcp_reass_zone, q);
++			uma_zfree(tcp_reass_zone, q);
+ 		tp->t_segqlen--;
+ 		q = nq;
+ 	} while (q && q->tqe_th->th_seq == tp->rcv_nxt);
+Index: sys/netinet/tcp_subr.c
+===================================================================
+--- sys/netinet/tcp_subr.c	(revision 285923)
++++ sys/netinet/tcp_subr.c	(working copy)
+@@ -375,7 +375,6 @@ tcp_init(void)
+ 	tcp_tw_init();
+ 	syncache_init();
+ 	tcp_hc_init();
+-	tcp_reass_init();
+ 
+ 	TUNABLE_INT_FETCH("net.inet.tcp.sack.enable", &V_tcp_do_sack);
+ 	V_sack_hole_zone = uma_zcreate("sackhole", sizeof(struct sackhole),
+@@ -385,6 +384,8 @@ tcp_init(void)
+ 	if (!IS_DEFAULT_VNET(curvnet))
+ 		return;
+ 
++	tcp_reass_global_init();
++
+ 	/* XXX virtualize those bellow? */
+ 	tcp_delacktime = TCPTV_DELACK;
+ 	tcp_keepinit = TCPTV_KEEP_INIT;
+@@ -432,7 +433,6 @@ void
+ tcp_destroy(void)
+ {
+ 
+-	tcp_reass_destroy();
+ 	tcp_hc_destroy();
+ 	syncache_destroy();
+ 	tcp_tw_destroy();
+Index: sys/netinet/tcp_var.h
+===================================================================
+--- sys/netinet/tcp_var.h	(revision 285923)
++++ sys/netinet/tcp_var.h	(working copy)
+@@ -666,11 +666,8 @@ char	*tcp_log_addrs(struct in_conninfo *, struct t
+ char	*tcp_log_vain(struct in_conninfo *, struct tcphdr *, void *,
+ 	    const void *);
+ int	 tcp_reass(struct tcpcb *, struct tcphdr *, int *, struct mbuf *);
+-void	 tcp_reass_init(void);
++void	 tcp_reass_global_init(void);
+ void	 tcp_reass_flush(struct tcpcb *);
+-#ifdef VIMAGE
+-void	 tcp_reass_destroy(void);
+-#endif
+ void	 tcp_input(struct mbuf *, int);
+ u_long	 tcp_maxmtu(struct in_conninfo *, struct tcp_ifcap *);
+ u_long	 tcp_maxmtu6(struct in_conninfo *, struct tcp_ifcap *);
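Review bot: `tcp_reass_global_init()` carries no comment saying that it creates a single zone shared by every vnet and is meant to run once, which is what moving the call below the `IS_DEFAULT_VNET(curvnet)` return in `tcp_init()` relies on. The only nearby comment, `/* Initialize TCP reassembly queue */`, sits above `tcp_reass_zone_change()`. I would add above the function `/* Create the global (not per-vnet) reassembly zone; call once, from the default vnet only. */`. That would also explain to the next reader why `tcp_reass_destroy()` and its call in `tcp_destroy()` were removed. The same applies to the embedded tcp_reass.c changes in tcp-8.patch and tcp.patch.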
diff --git a/share/security/patches/SA-15:15/tcp-9.3-10.1.patch.asc b/share/security/patches/SA-15:15/tcp-9.3-10.1.patch.asc
new file mode 100644
index 0000000000..6684465062
--- /dev/null
+++ b/share/security/patches/SA-15:15/tcp-9.3-10.1.patch.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+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+=KVcG
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-15:15/tcp.patch b/share/security/patches/SA-15:15/tcp.patch
new file mode 100644
index 0000000000..2663db8d01
--- /dev/null
+++ b/share/security/patches/SA-15:15/tcp.patch
@@ -0,0 +1,194 @@
+Index: sys/netinet/tcp_reass.c
+===================================================================
+--- sys/netinet/tcp_reass.c	(revision 285923)
++++ sys/netinet/tcp_reass.c	(working copy)
+@@ -79,25 +79,22 @@ static int tcp_reass_sysctl_qsize(SYSCTL_HANDLER_A
+ static SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
+     "TCP Segment Reassembly Queue");
+ 
+-static VNET_DEFINE(int, tcp_reass_maxseg) = 0;
+-#define	V_tcp_reass_maxseg		VNET(tcp_reass_maxseg)
+-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, maxsegments, CTLFLAG_RDTUN,
+-    &VNET_NAME(tcp_reass_maxseg), 0,
++static int tcp_reass_maxseg = 0;
++SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, maxsegments, CTLFLAG_RDTUN,
++    &tcp_reass_maxseg, 0,
+     "Global maximum number of TCP Segments in Reassembly Queue");
+ 
+-SYSCTL_VNET_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
++SYSCTL_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
+     (CTLTYPE_INT | CTLFLAG_RD), NULL, 0, &tcp_reass_sysctl_qsize, "I",
+     "Global number of TCP Segments currently in Reassembly Queue");
+ 
+-static VNET_DEFINE(int, tcp_reass_overflows) = 0;
+-#define	V_tcp_reass_overflows		VNET(tcp_reass_overflows)
+-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
++static int tcp_reass_overflows = 0;
++SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
+     CTLFLAG_RD,
+-    &VNET_NAME(tcp_reass_overflows), 0,
++    &tcp_reass_overflows, 0,
+     "Global number of TCP Segment Reassembly Queue Overflows");
+ 
+-static VNET_DEFINE(uma_zone_t, tcp_reass_zone);
+-#define	V_tcp_reass_zone		VNET(tcp_reass_zone)
++static uma_zone_t tcp_reass_zone;
+ 
+ /* Initialize TCP reassembly queue */
+ static void
+@@ -105,37 +102,28 @@ tcp_reass_zone_change(void *tag)
+ {
+ 
+ 	/* Set the zone limit and read back the effective value. */
+-	V_tcp_reass_maxseg = nmbclusters / 16;
+-	V_tcp_reass_maxseg = uma_zone_set_max(V_tcp_reass_zone,
+-	    V_tcp_reass_maxseg);
++	tcp_reass_maxseg = nmbclusters / 16;
++	tcp_reass_maxseg = uma_zone_set_max(tcp_reass_zone,
++	    tcp_reass_maxseg);
+ }
+ 
+ void
+-tcp_reass_init(void)
++tcp_reass_global_init(void)
+ {
+ 
+-	V_tcp_reass_maxseg = nmbclusters / 16;
++	tcp_reass_maxseg = nmbclusters / 16;
+ 	TUNABLE_INT_FETCH("net.inet.tcp.reass.maxsegments",
+-	    &V_tcp_reass_maxseg);
+-	V_tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
++	    &tcp_reass_maxseg);
++	tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
+ 	    NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
+ 	/* Set the zone limit and read back the effective value. */
+-	V_tcp_reass_maxseg = uma_zone_set_max(V_tcp_reass_zone,
+-	    V_tcp_reass_maxseg);
++	tcp_reass_maxseg = uma_zone_set_max(tcp_reass_zone,
++	    tcp_reass_maxseg);
+ 	EVENTHANDLER_REGISTER(nmbclusters_change,
+ 	    tcp_reass_zone_change, NULL, EVENTHANDLER_PRI_ANY);
+ }
+ 
+-#ifdef VIMAGE
+ void
+-tcp_reass_destroy(void)
+-{
+-
+-	uma_zdestroy(V_tcp_reass_zone);
+-}
+-#endif
+-
+-void
+ tcp_reass_flush(struct tcpcb *tp)
+ {
+ 	struct tseg_qent *qe;
+@@ -145,7 +133,7 @@ tcp_reass_flush(struct tcpcb *tp)
+ 	while ((qe = LIST_FIRST(&tp->t_segq)) != NULL) {
+ 		LIST_REMOVE(qe, tqe_q);
+ 		m_freem(qe->tqe_m);
+-		uma_zfree(V_tcp_reass_zone, qe);
++		uma_zfree(tcp_reass_zone, qe);
+ 		tp->t_segqlen--;
+ 	}
+ 
+@@ -159,7 +147,7 @@ tcp_reass_sysctl_qsize(SYSCTL_HANDLER_ARGS)
+ {
+ 	int qsize;
+ 
+-	qsize = uma_zone_get_cur(V_tcp_reass_zone);
++	qsize = uma_zone_get_cur(tcp_reass_zone);
+ 	return (sysctl_handle_int(oidp, &qsize, 0, req));
+ }
+ 
+@@ -207,7 +195,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ 	 */
+ 	if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
+ 	    tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
+-		V_tcp_reass_overflows++;
++		tcp_reass_overflows++;
+ 		TCPSTAT_INC(tcps_rcvmemdrop);
+ 		m_freem(m);
+ 		*tlenp = 0;
+@@ -226,7 +214,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ 	 * Use a temporary structure on the stack for the missing segment
+ 	 * when the zone is exhausted. Otherwise we may get stuck.
+ 	 */
+-	te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
++	te = uma_zalloc(tcp_reass_zone, M_NOWAIT);
+ 	if (te == NULL) {
+ 		if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
+ 			TCPSTAT_INC(tcps_rcvmemdrop);
+@@ -277,7 +265,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ 				TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
+ 				m_freem(m);
+ 				if (te != &tqs)
+-					uma_zfree(V_tcp_reass_zone, te);
++					uma_zfree(tcp_reass_zone, te);
+ 				tp->t_segqlen--;
+ 				/*
+ 				 * Try to present any queued data
+@@ -314,7 +302,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ 		nq = LIST_NEXT(q, tqe_q);
+ 		LIST_REMOVE(q, tqe_q);
+ 		m_freem(q->tqe_m);
+-		uma_zfree(V_tcp_reass_zone, q);
++		uma_zfree(tcp_reass_zone, q);
+ 		tp->t_segqlen--;
+ 		q = nq;
+ 	}
+@@ -353,7 +341,7 @@ present:
+ 		else
+ 			sbappendstream_locked(&so->so_rcv, q->tqe_m);
+ 		if (q != &tqs)
+-			uma_zfree(V_tcp_reass_zone, q);
++			uma_zfree(tcp_reass_zone, q);
+ 		tp->t_segqlen--;
+ 		q = nq;
+ 	} while (q && q->tqe_th->th_seq == tp->rcv_nxt);
+Index: sys/netinet/tcp_subr.c
+===================================================================
+--- sys/netinet/tcp_subr.c	(revision 285923)
++++ sys/netinet/tcp_subr.c	(working copy)
+@@ -376,7 +376,6 @@ tcp_init(void)
+ 	tcp_tw_init();
+ 	syncache_init();
+ 	tcp_hc_init();
+-	tcp_reass_init();
+ 
+ 	TUNABLE_INT_FETCH("net.inet.tcp.sack.enable", &V_tcp_do_sack);
+ 	V_sack_hole_zone = uma_zcreate("sackhole", sizeof(struct sackhole),
+@@ -386,6 +385,8 @@ tcp_init(void)
+ 	if (!IS_DEFAULT_VNET(curvnet))
+ 		return;
+ 
++	tcp_reass_global_init();
++
+ 	/* XXX virtualize those bellow? */
+ 	tcp_delacktime = TCPTV_DELACK;
+ 	tcp_keepinit = TCPTV_KEEP_INIT;
+@@ -433,7 +434,6 @@ void
+ tcp_destroy(void)
+ {
+ 
+-	tcp_reass_destroy();
+ 	tcp_hc_destroy();
+ 	syncache_destroy();
+ 	tcp_tw_destroy();
+Index: sys/netinet/tcp_var.h
+===================================================================
+--- sys/netinet/tcp_var.h	(revision 285923)
++++ sys/netinet/tcp_var.h	(working copy)
+@@ -679,11 +679,8 @@ char	*tcp_log_addrs(struct in_conninfo *, struct t
+ char	*tcp_log_vain(struct in_conninfo *, struct tcphdr *, void *,
+ 	    const void *);
+ int	 tcp_reass(struct tcpcb *, struct tcphdr *, int *, struct mbuf *);
+-void	 tcp_reass_init(void);
++void	 tcp_reass_global_init(void);
+ void	 tcp_reass_flush(struct tcpcb *);
+-#ifdef VIMAGE
+-void	 tcp_reass_destroy(void);
+-#endif
+ void	 tcp_input(struct mbuf *, int);
+ u_long	 tcp_maxmtu(struct in_conninfo *, struct tcp_ifcap *);
+ u_long	 tcp_maxmtu6(struct in_conninfo *, struct tcp_ifcap *);
diff --git a/share/security/patches/SA-15:15/tcp.patch.asc b/share/security/patches/SA-15:15/tcp.patch.asc
new file mode 100644
index 0000000000..3701f84438
--- /dev/null
+++ b/share/security/patches/SA-15:15/tcp.patch.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+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+=kwzI
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-15:16/openssh-8.patch b/share/security/patches/SA-15:16/openssh-8.patch
new file mode 100644
index 0000000000..90a73c2e88
--- /dev/null
+++ b/share/security/patches/SA-15:16/openssh-8.patch
@@ -0,0 +1,89 @@
+Index: crypto/openssh/auth2-chall.c
+===================================================================
+--- crypto/openssh/auth2-chall.c	(revision 285923)
++++ crypto/openssh/auth2-chall.c	(working copy)
+@@ -82,6 +82,7 @@ struct KbdintAuthctxt
+ 	void *ctxt;
+ 	KbdintDevice *device;
+ 	u_int nreq;
++	u_int devices_done;
+ };
+ 
+ #ifdef USE_PAM
+@@ -169,9 +170,14 @@ kbdint_next_device(KbdintAuthctxt *kbdintctxt)
+ 
+ 		if (len == 0)
+ 			break;
+-		for (i = 0; devices[i]; i++)
+-			if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
++		for (i = 0; devices[i]; i++) {
++			if ((kbdintctxt->devices_done & (1 << i)) != 0)
++				continue;
++			if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0) {
+ 				kbdintctxt->device = devices[i];
++				kbdintctxt->devices_done |= 1 << i;
++			}
++		}
+ 		t = kbdintctxt->devices;
+ 		kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
+ 		xfree(t);
+Index: crypto/openssh/sshconnect.c
+===================================================================
+--- crypto/openssh/sshconnect.c	(revision 285923)
++++ crypto/openssh/sshconnect.c	(working copy)
+@@ -1141,29 +1141,39 @@ verify_host_key(char *host, struct sockaddr *hosta
+ {
+ 	int flags = 0;
+ 	char *fp;
++	Key *plain = NULL;
+ 
+ 	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+ 	debug("Server host key: %s %s", key_type(host_key), fp);
+ 	xfree(fp);
+ 
+-	/* XXX certs are not yet supported for DNS */
+-	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
+-	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
+-		if (flags & DNS_VERIFY_FOUND) {
+-
+-			if (options.verify_host_key_dns == 1 &&
+-			    flags & DNS_VERIFY_MATCH &&
+-			    flags & DNS_VERIFY_SECURE)
+-				return 0;
+-
+-			if (flags & DNS_VERIFY_MATCH) {
+-				matching_host_key_dns = 1;
+-			} else {
+-				warn_changed_key(host_key);
+-				error("Update the SSHFP RR in DNS with the new "
+-				    "host key to get rid of this message.");
++	if (options.verify_host_key_dns) {
++		/*
++		 * XXX certs are not yet supported for DNS, so downgrade
++		 * them and try the plain key.
++		 */
++		plain = key_from_private(host_key);
++		if (key_is_cert(plain))
++			key_drop_cert(plain);
++		if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
++			if (flags & DNS_VERIFY_FOUND) {
++				if (options.verify_host_key_dns == 1 &&
++				    flags & DNS_VERIFY_MATCH &&
++				    flags & DNS_VERIFY_SECURE) {
++					key_free(plain);
++					return 0;
++				}
++				if (flags & DNS_VERIFY_MATCH) {
++					matching_host_key_dns = 1;
++				} else {
++					warn_changed_key(plain);
++					error("Update the SSHFP RR in DNS "
++					    "with the new host key to get rid "
++					    "of this message.");
++				}
+ 			}
+ 		}
++		key_free(plain);
+ 	}
+ 
+ 	return check_host_key(host, hostaddr, options.port, host_key, RDRW,
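Review bot: The new `devices_done` bitmask in `kbdint_next_device()` is a `u_int`, but both uses build the bit with `1 << i`, which is a signed `int` shift. That is harmless while the `devices[]` table is short, but the shift becomes undefined once `i` reaches the sign bit of `int`, and nothing in the loop bounds `i` against the mask width. I would write `(kbdintctxt->devices_done & (1U << i)) != 0` and `kbdintctxt->devices_done |= 1U << i;`. The same two expressions appear in the auth2-chall.c change of openssh.patch, and the function body starts outside the embedded hunk.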
diff --git a/share/security/patches/SA-15:16/openssh-8.patch.asc b/share/security/patches/SA-15:16/openssh-8.patch.asc
new file mode 100644
index 0000000000..4b6a65a8aa
--- /dev/null
+++ b/share/security/patches/SA-15:16/openssh-8.patch.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+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+=NdGQ
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-15:16/openssh.patch b/share/security/patches/SA-15:16/openssh.patch
new file mode 100644
index 0000000000..774f4ed450
--- /dev/null
+++ b/share/security/patches/SA-15:16/openssh.patch
@@ -0,0 +1,90 @@
+Index: crypto/openssh/auth2-chall.c
+===================================================================
+--- crypto/openssh/auth2-chall.c	(revision 285923)
++++ crypto/openssh/auth2-chall.c	(working copy)
+@@ -82,6 +82,7 @@ struct KbdintAuthctxt
+ 	void *ctxt;
+ 	KbdintDevice *device;
+ 	u_int nreq;
++	u_int devices_done;
+ };
+ 
+ #ifdef USE_PAM
+@@ -168,11 +169,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthc
+ 		if (len == 0)
+ 			break;
+ 		for (i = 0; devices[i]; i++) {
+-			if (!auth2_method_allowed(authctxt,
++			if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
++			    !auth2_method_allowed(authctxt,
+ 			    "keyboard-interactive", devices[i]->name))
+ 				continue;
+-			if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
++			if (strncmp(kbdintctxt->devices, devices[i]->name,
++			    len) == 0) {
+ 				kbdintctxt->device = devices[i];
++				kbdintctxt->devices_done |= 1 << i;
++			}
+ 		}
+ 		t = kbdintctxt->devices;
+ 		kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
+Index: crypto/openssh/sshconnect.c
+===================================================================
+--- crypto/openssh/sshconnect.c	(revision 285923)
++++ crypto/openssh/sshconnect.c	(working copy)
+@@ -1247,29 +1247,39 @@ verify_host_key(char *host, struct sockaddr *hosta
+ {
+ 	int flags = 0;
+ 	char *fp;
++	Key *plain = NULL;
+ 
+ 	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+ 	debug("Server host key: %s %s", key_type(host_key), fp);
+ 	free(fp);
+ 
+-	/* XXX certs are not yet supported for DNS */
+-	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
+-	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
+-		if (flags & DNS_VERIFY_FOUND) {
+-
+-			if (options.verify_host_key_dns == 1 &&
+-			    flags & DNS_VERIFY_MATCH &&
+-			    flags & DNS_VERIFY_SECURE)
+-				return 0;
+-
+-			if (flags & DNS_VERIFY_MATCH) {
+-				matching_host_key_dns = 1;
+-			} else {
+-				warn_changed_key(host_key);
+-				error("Update the SSHFP RR in DNS with the new "
+-				    "host key to get rid of this message.");
++	if (options.verify_host_key_dns) {
++		/*
++		 * XXX certs are not yet supported for DNS, so downgrade
++		 * them and try the plain key.
++		 */
++		plain = key_from_private(host_key);
++		if (key_is_cert(plain))
++			key_drop_cert(plain);
++		if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
++			if (flags & DNS_VERIFY_FOUND) {
++				if (options.verify_host_key_dns == 1 &&
++				    flags & DNS_VERIFY_MATCH &&
++				    flags & DNS_VERIFY_SECURE) {
++					key_free(plain);
++					return 0;
++				}
++				if (flags & DNS_VERIFY_MATCH) {
++					matching_host_key_dns = 1;
++				} else {
++					warn_changed_key(plain);
++					error("Update the SSHFP RR in DNS "
++					    "with the new host key to get rid "
++					    "of this message.");
++				}
+ 			}
+ 		}
++		key_free(plain);
+ 	}
+ 
+ 	return check_host_key(host, hostaddr, options.port, host_key, RDRW,
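Review bot: In the auth2-chall.c part of this patch the `devices_done` mask is built with `1 << i`, a signed int shift stored into a `u_int`, and nothing visible bounds `i` to the width of the mask; `kbdintctxt->devices_done |= 1U << i;` (with the same `1U` in the test above it) would keep the arithmetic unsigned. The new field is also read in `kbdint_next_device` before any write shown here, so the fix depends on the `KbdintAuthctxt` allocation being zeroed or on an explicit `devices_done = 0` where the context is set up; that code is outside the patch as shown and is worth confirming. The size of `devices[]` is not visible either, and if it could ever approach 32 entries the shift would need a guard. Both patched functions continue outside their hunks.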
diff --git a/share/security/patches/SA-15:16/openssh.patch.asc b/share/security/patches/SA-15:16/openssh.patch.asc
new file mode 100644
index 0000000000..1d03cf8853
--- /dev/null
+++ b/share/security/patches/SA-15:16/openssh.patch.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+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+=d3dY
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-15:17/bind.patch b/share/security/patches/SA-15:17/bind.patch
new file mode 100644
index 0000000000..90fab68626
--- /dev/null
+++ b/share/security/patches/SA-15:17/bind.patch
@@ -0,0 +1,12 @@
+Index: contrib/bind9/lib/dns/tkey.c
+===================================================================
+--- contrib/bind9/lib/dns/tkey.c	(revision 285922)
++++ contrib/bind9/lib/dns/tkey.c	(working copy)
+@@ -650,6 +650,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkey
+ 		 * Try the answer section, since that's where Win2000
+ 		 * puts it.
+ 		 */
++		name = NULL;
+ 		if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
+ 					 dns_rdatatype_tkey, 0, &name,
+ 					 &tkeyset) != ISC_R_SUCCESS) {
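Review bot: The added `name = NULL;` before the answer-section lookup carries no comment, and the reason for it is not obvious from the hunk. Presumably an earlier lookup (the existing "Try the answer section" comment implies one above the hunk) can leave `name` set, and `dns_message_findname` requires its name out-parameter to point at NULL on entry. A comment such as `/* reset: the earlier lookup may have set name, and findname requires *name == NULL */` would keep a later cleanup from removing the line as redundant. The body of `dns_tkey_processquery` starts and ends outside the hunk.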
diff --git a/share/security/patches/SA-15:17/bind.patch.asc b/share/security/patches/SA-15:17/bind.patch.asc
new file mode 100644
index 0000000000..ec78f76408
--- /dev/null
+++ b/share/security/patches/SA-15:17/bind.patch.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+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+=uz3V
+-----END PGP SIGNATURE-----
diff --git a/share/xml/advisories.xml b/share/xml/advisories.xml
index 2bed6cc37a..f4b597842a 100644
--- a/share/xml/advisories.xml
+++ b/share/xml/advisories.xml
@@ -10,6 +10,26 @@
     <month>
       <name>7</name>
 
+      <day>
+        <name>28</name>
+
+        <advisory>
+          <name>FreeBSD-SA-15:17.bind</name>
+        </advisory>
+
+        <advisory>
+          <name>FreeBSD-SA-15:16.openssh</name>
+        </advisory>
+
+        <advisory>
+          <name>FreeBSD-SA-15:15.tcp</name>
+        </advisory>
+
+        <advisory>
+          <name>FreeBSD-SA-15:14.bsdpatch</name>
+        </advisory>
+      </day>
+
       <day>
         <name>21</name>