Add SA-20:27 to SA-20:30.

Approved by:	so

share/security/advisories/FreeBSD-SA-20:27.ure.asc

@@ -0,0 +1,149 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:27.ure                                        Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          ure device driver susceptible to packet-in-packet attack
+
+Category:       core
+Module:         ure
+Announced:      2020-09-15
+Credits:        John-Mark Gurney
+Affects:        All supported versions of FreeBSD.
+Corrected:      2020-09-14 19:39:43 UTC (stable/12, 12.2-STABLE)
+                2020-09-15 21:42:05 UTC (releng/12.2, 12.2-BETA1-p1)
+                2020-09-15 21:42:05 UTC (releng/12.1, 12.1-RELEASE-p10)
+                2020-09-15 00:22:30 UTC (stable/11, 11.4-STABLE)
+                2020-09-15 21:42:05 UTC (releng/11.4, 11.4-RELEASE-p4)
+                2020-09-15 21:42:05 UTC (releng/11.3, 11.3-RELEASE-p14)
+CVE Name:       CVE-2020-7464
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The ure(4) driver provides support for USB Ethernet adapters based on the
+Realtek RTL8152 and RTL8153 USB Ethernet controllers.
+
+II.  Problem Description
+
+A programming error in the ure(4) device driver caused some Realtek USB
+Ethernet interfaces to incorrectly report packets with more than 2048 bytes
+in a single USB transfer as having a length of only 2048 bytes.
+
+An adversary can exploit this to cause the driver to misinterpret part of the
+payload of a large packet as a separate packet, and thereby inject packets
+across security boundaries such as VLANs.
+
+III. Impact
+
+An attacker that can send large frames (larger than 2048 bytes in size) to be
+received by the host (be it VLAN, or non-VLAN tagged packet), can inject
+arbitrary packets to be received and processed by the host.  This includes
+spoofing packets from other hosts, or injecting packets to other VLANs than
+the host is on.
+
+IV.  Workaround
+
+No workaround is available.  However, an attacker needs to be able to inject
+large frames.  If a switch can prevent large frames (>2048 bytes) from being
+received, or connecting the machine to a switch that does not forward large
+frames will mitigate this attack.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 12.1, FreeBSD 12.2]
+# fetch https://security.FreeBSD.org/patches/SA-20:27/ure.12.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:27/ure.12.patch.asc
+# gpg --verify ure.12.patch.asc
+
+[FreeBSD 11.3, FreeBSD 11.4]
+# fetch https://security.FreeBSD.org/patches/SA-20:27/ure.11.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:27/ure.11.patch.asc
+# gpg --verify ure.11.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r365730
+releng/12.2/                                                      r365778
+releng/12.1/                                                      r365778
+stable/11/                                                        r365738
+releng/11.4/                                                      r365778
+releng/11.3/                                                      r365778
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7464>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:27.ure.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9hOIxfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJY9A//Z+Rt20iUnM79er+CYF4EQNrzR8dOKr2/6L5ho5L1kJt0MdZtamN+f5Bq
+Jpzem060oAv+0mgAiK3VR7unlkEk+wFNvMwhgItvI8l2TME3+n/A0nsYQkP9QPPp
+SwHmKcIAbwkdtv913zy7AGc/vE+2+D8x84WHp6WDhRmDVgU5QAPGgP4yv0qhgkpy
+L8ndLDte3tXMk0eWArxWTpMfxqKGmp9Cgy88QRoIpguazS+ocSVt6h3emxQPtTc/
+7SQOEqjg4IiEXW/t2SSDqB1cvNPmN82yJt4mQg1m8v/SjFjFQ2qgFC+47cYezI1F
+nLuoDw16kYUu65DyePiXfCsBwSjkLU1IgpBSgmmxjMzwoVgE7/9AtRqiCwe2xkEF
+E6c1VWAQAw2AiZmsISv8T9RNLegLnNjyhO9iSsaeuOfLbTIeQ9zbcUL6xgZB6AxO
+tk/fkt+NHwuRoXNx2SC959r+hwhdnrpgxTEphjCFuuMdMGKsxm3TQGdwD6ZvQ1r2
+HkVV1m4ukgpxw8ONa88Lgo+2f1HZhZKWLzp3EsTA3LMpgk+5uJjIuL/ctuddscWY
+Do9VapPTIGxjZqABGtxJL7NrzCz2pXE0CHzAjFWD830kujgcdihe6FbJx0cJe3m8
++CxaGBXvSINHyPwgDArnKR3Hrd57/T6RSUWqsksB7fBCpmFdQaI=
+=S9sW
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc

@@ -0,0 +1,137 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:28.bhyve_vmcs                                 Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          bhyve privilege escalation via VMCS access
+
+Category:       core
+Module:         bhyve
+Announced:      2020-09-15
+Credits:        Patrick Mooney
+Affects:        All supported versions of FreeBSD.
+Corrected:      2020-09-15 21:28:47 UTC (stable/12, 12.2-STABLE)
+                2020-09-15 21:43:41 UTC (releng/12.2, 12.2-BETA1-p1)
+                2020-09-15 21:43:41 UTC (releng/12.1, 12.1-RELEASE-p10)
+                2020-09-15 21:28:47 UTC (stable/11, 11.4-STABLE)
+                2020-09-15 21:43:41 UTC (releng/11.4, 11.4-RELEASE-p4)
+                2020-09-15 21:43:41 UTC (releng/11.3, 11.3-RELEASE-p14)
+CVE Name:       CVE-2020-24718
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+bhyve(8) is a hypervisor that supports running a variety of guest operating
+systems in virtual machines on AMD and Intel CPUs.
+
+II.  Problem Description
+
+AMD and Intel CPUs support hardware virtualization using specialized data
+structures that control various aspects of guest operation.  These are the
+Virtual Machine Control Structure (VMCS) on Intel CPUs, and the Virtual
+Machine Control Block (VMCB) on AMD CPUs.  Insufficient access controls allow
+root users, including those running in a jail, to change these data
+structures.
+
+III. Impact
+
+An attacker with host root access (including to a jailed bhyve instance) can
+use this vulnerability to achieve kernel code execution.
+
+IV.  Workaround
+
+No workaround is available.  This issue is likely of concern only to systems
+relying on running bhyve in jail(8) for security domain separation.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-20:28/bhyve_vmcs.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:28/bhyve_vmcs.patch.asc
+# gpg --verify bhyve_vmcs.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r365777
+releng/12.2/                                                      r365779
+releng/12.1/                                                      r365779
+stable/11/                                                        r365777
+releng/11.4/                                                      r365779
+releng/11.3/                                                      r365779
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24718>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9hOJdfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKJBQ//UOwIgcc2n+Yr0MrNIs2XzLjmKBsuVfIrFni0GGJFFSAUd7Kzw7oeY4ng
+e9JURtfV6NlU63QkaRw+QqgvnXm5vLbgO+oWuedsj33eNgUNdUinZinieZuFAyAt
+BBgfMJ3D9X7HffIw1iKN/DWaealFJ1SHtKYzVssTBx/7ju+SFj5HkwLh/7QzKBYO
+CoeNE7RN2kSDmvvEKMdN17QyM4+H3wYpsnylWHa89slIe1xj0eVqgnGw2NrjjKlV
+N2DAQM+MvdJ+W8oA0idEvBZj55uHV9OlgIwJCDi0/u5yHPJkhuYYuHsf0oyW+NT6
+gWvzwTI27IAAyYKK57pGVP7x4sy8VhsDItzqubhDqa/zjNZM9SYOtLYiOnDjev2B
+nqC2mV08XpC9lfwd3EDPGv+FYbTTe9OzirlJBnbMnwhj/p0sPMYCtuWKp/MyQyyD
+1yhUJJlZgI6HdrTOOeqhObNDtEz75MI1bpLVmjq9VMLz1PtzdNFDcNmyvtTOpMut
+vZDFgCqtkpcukqxfqV1EJAWr0UWnaUyPc0klbmLwrQCpTWDOBT7QK+S5ZtNLQqu4
+c6UJ7CQLNPn9nEjf16D8dZ1Iy3AJyPmtv7ehEkKFjJtNIwitCx/AIzKiXXzzxe56
+boJoQL0pmgJkv3tjP5dEMeSx5SA4mrhtKCL+ri3/ZFXHxtcDNsQ=
+=Jluz
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-20:29.bhyve_svm.asc

@@ -0,0 +1,136 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:29.bhyve_svm                                  Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          bhyve SVM guest escape
+
+Category:       core
+Module:         bhyve
+Announced:      2020-09-15
+Credits:        Maxime Villard
+Affects:        All supported versions of FreeBSD.
+Corrected:      2020-09-15 20:25:30 UTC (stable/12, 12.2-STABLE)
+                2020-09-15 21:46:39 UTC (releng/12.2, 12.2-BETA1-p1)
+                2020-09-15 21:46:39 UTC (releng/12.1, 12.1-RELEASE-p10)
+                2020-09-15 20:26:31 UTC (stable/11, 11.4-STABLE)
+                2020-09-15 21:46:39 UTC (releng/11.4, 11.4-RELEASE-p4)
+                2020-09-15 21:46:39 UTC (releng/11.3, 11.3-RELEASE-p14)
+CVE Name:       CVE-2020-7467
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+bhyve(8) is a hypervisor that supports running a variety of guest operating
+systems in virtual machines on AMD and Intel CPUs.  AMD and Intel provide
+broadly similar virtualization interfaces, but each provides its own specific
+instructions for manipulating virtual machine state.
+
+II.  Problem Description
+
+A number of AMD virtualization instructions operate on host physical
+addresses, are not subject to nested page table translation, and guest use of
+these instructions was not trapped.
+
+III. Impact
+
+- From kernel mode a malicious guest can write to arbitrary host memory (with
+some constraints), affording the guest full control of the host.
+
+IV.  Workaround
+
+No workaround is available.  Systems not using bhyve, and systems that
+use bhyve with an Intel CPU, are not vulnerable.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-20:29/bhyve_svm.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:29/bhyve_svm.patch.asc
+# gpg --verify bhyve_svm.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r365767
+releng/12.2/                                                      r365780
+releng/12.1/                                                      r365780
+stable/11/                                                        r365769
+releng/11.4/                                                      r365780
+releng/11.3/                                                      r365780
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7467>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:29.bhyve_svm.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9hOJhfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJxjxAAjy783UUnVvhtiJt4p5TGMpaU+ZrLnKaOASiTDdbp6z3IFuLZ1VbkekAM
+aMGgZNmYkRotcTM0mbhoeRROSrYlmO2ZHNmJyxchbOaIfKXL3iTFYP5gRirN1r+Q
+i8+Gr5HzTL5SkvTEx0wKUp6uRqD26nf7i4KrdOWmf5ivhB66Z2vk/56aX53eSNJ5
+iPZYvlFnVIcy1wKPE1RIP67H+nqqWBApavWUMK6f01cAMr5w0BE+f4RdSvzEFnuG
+p2Id8A3ptt0VoIdZzbJkLKog4/dlC1C+PVPPLND2gcCY2c/+gG0nNTy9Fjdvsoor
+AnmRvlarCCcEVOSxGk+WNUwWdQnQPFykpZxGtid53km3Yjw1smPmfOVwvNhTkzoP
+tPZ568wFyaBGLI+39hC0u0AtLT93MBHpxpCMpQZ9rlFauxn5OuyBFkxgCuEyq728
+GcrMVggyrzOetW7GqdlOEzFDj3nxHme+08qmbLXjv5X8N1RK+TGZDAjYFqLU1NXi
+cyPhbGqV4SuYw3dW7E0C8eOocuVmpXTEW82R9ff1pobUZUNVGKZse1rjT344VTSc
+DazL/q2TIo5fyDWEaNWsPad8mdyQGWft2cfYHYrO+Y6Smn/oKS3LmX61bGC37FEF
+b0rqunbDdq4775q6H6KKbRgVTKGiVyC/Nt/2xkg//GymzNnuFvY=
+=lplz
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-20:30.ftpd.asc

@@ -0,0 +1,140 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:30.ftpd                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          ftpd privilege escalation via ftpchroot feature
+
+Category:       core
+Module:         ftpd
+Announced:      2020-09-15
+Credits:        Anonymous working with Trend Micro Zero Day Initiative
+Affects:        All supported versions of FreeBSD.
+Corrected:      2020-09-15 20:55:13 UTC (stable/12, 12.2-STABLE)
+                2020-09-15 21:47:44 UTC (releng/12.2, 12.2-BETA1-p1)
+                2020-09-15 21:47:44 UTC (releng/12.1, 12.1-RELEASE-p10)
+                2020-09-15 20:56:14 UTC (stable/11, 11.4-STABLE)
+                2020-09-15 21:47:44 UTC (releng/11.4, 11.4-RELEASE-p4)
+                2020-09-15 21:47:44 UTC (releng/11.3, 11.3-RELEASE-p14)
+CVE Name:       CVE-2020-7468
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+ftpd(8) is a daemon that implements an FTP server.  To restrict
+filesystem access of authenticated clients, ftpd(8) supports the
+ftpchroot(5) feature, which allows the system administrator to designate
+a root directory for each FTP user.  This is implemented using the
+chroot(2) system call.
+
+II.  Problem Description
+
+A ftpd(8) bug in the implementation of the file system sandbox, combined
+with capabilities available to an authenticated FTP user, can be used to
+escape the file system restriction configured in ftpchroot(5).
+Moreover, the bug allows a malicious client to gain root privileges.
+
+III. Impact
+
+A malicious FTP user can gain privileged access to an affected system.
+
+IV.  Workaround
+
+No workaround is available.  Systems not running ftpd(8) or not making
+use of ftpchroot(5) are not affected.  Exploitation of the bug requires
+that a malicious FTP client have login access to the server.  Anonymous
+access is not sufficient.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart the applicable daemons, or reboot the system.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-20:30/ftpd.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:30/ftpd.patch.asc
+# gpg --verify ftpd.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r365772
+releng/12.2/                                                      r365781
+releng/12.1/                                                      r365781
+stable/11/                                                        r365773
+releng/11.4/                                                      r365781
+releng/11.3/                                                      r365781
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7468>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:30.ftpd.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9hOJhfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJCRA//Zuuqyaim3BnR0Qs9mSI3fm37AQN9NyV0GzaP6ayAeCu7xuyzMzFD58jU
+SZAkrH16buh34dfelwofPSO8ZIAHZ0X6PpVWHwrTkrT8ADHCuJwEe0imG5MDDJn4
+mMJSA9OVyQXgHXApnOhJ4hHMUfGF0QJvsOvPQ4f8J3J9K9pTa78HgekaNWkgpTzo
+eAGV+lug/UwsK//FrcyYaifZF1xl0ZKSAl6RVFVaqxxVXZGZ2txlew4I03NEfqjJ
+PAmviQ1p0BO5tMqVSG+/VkuYFJNyUGvuSrvUeIoQnoWljvKx5VnAq5KVCD6La1nn
+o5JzNEvlqzOC1ClribxALyv/VJHJt6PDBF4S26ATwIdr8TCzSpe2Byjj9KN/qC94
+JuT6hScERpT4ARIsJiDIDe0+9zBeglJuS/3sJozI+ani+VL/7uBL6MB50twgioFG
+4+5MNgc4VYgX35U0z+fStncZAScByXWdxaMDYx9brfZeaeEhiZA6wXYCf8kpaW94
+zDOvBCH+GR1O2nALdlMVFrThQdTkq1AtMQ58Uuaxpu1LBGrMVfz/VCDEurWog+U1
+7uxRwx9o6lJvno3oPQTfHkcuHZosOE0KdfdJ1Tcmj1pVZVjeaxu7HEW2H73YRhBN
+Fc4XIxaO7URyYwtzxzH9yU18wKCp+g/mm5apgbbcz1kBS+fR3Go=
+=zvW4
+-----END PGP SIGNATURE-----

share/security/patches/SA-20:27/ure.11.patch

@@ -0,0 +1,13 @@
+--- sys/dev/usb/net/if_ure.c.orig
++++ sys/dev/usb/net/if_ure.c
+@@ -710,7 +710,9 @@
+ 	    ~URE_RXDY_GATED_EN);
+ 
+ 	/* Set Rx mode. */
+-	rxmode = URE_RCR_APM;
++	rxmode = ure_read_4(sc, URE_PLA_RCR, URE_MCU_TYPE_PLA);
++	rxmode &= ~URE_RCR_ACPT_ALL;
++	rxmode |= URE_RCR_APM;
+ 
+ 	/* If we want promiscuous mode, set the allframes bit. */
+ 	if (ifp->if_flags & IFF_PROMISC)

share/security/patches/SA-20:27/ure.11.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9hOJdfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cIisRAAlVB+hNBKrmr7kjc+cOeeLofnAppEywIJsQoKus4y7P23K2gguL+zJX6p
+UTMSysmDXJG1OVEzpLpq7R6mGWD18vOMvKyNgijnGJeeIwjGqACHK68v2tFosW61
+g4kRKIuuLMxeqrySn4P8IgKRVV6Em+/LuYkqr5v3BuKFpAzPxNmvmLEVzaoqh+wS
+SJgVucuogTxjYwb2pTcIig+rtkE3FHD+x5WxS5DzfCDlp3mqaMSCyoNeF8JMzs7y
+EXV57iDRjRC5IDBnr2dB55uHFielJioVmfLjMCMRAHlBX7q4Fu3Hobt8oHaOKtTD
+mk2q3efR3MeIIfLTqwu/Xrzz7c+vCucg9ccpyjK561Kt38W8bUBhMUxN2nQXtUyR
+ABsWQK8tE7Ie5cJhwF3ajcESEZ8nx0s9NrQYdFE/od+MVlWeXpGNsBoFDUoGILqS
+sgpn+2QUoruEVUujUyfMK8H5bG4DrPeoN8Tn9VopA8VR0N7p00lyfKX3g1knGMyh
+Bq778Est5lKi++h02YV8c25/T2pVd6rhPqpebggxVKaGoTgsTd7i5ty8/ExqOgUF
+Y8CAF3MwAVwn0kdeUkcwexykPnb1VFPDmBFrN2EoJYERRqh+fTp44ifldeYr7dhl
+hYHJDvtRY7mlTPekn0oXBJYuY1NJ77nOmxhXVBoVOuWJrjMcl5A=
+=NUJu
+-----END PGP SIGNATURE-----

share/security/patches/SA-20:27/ure.12.patch

@@ -0,0 +1,16 @@
+--- sys/dev/usb/net/if_ure.c.orig
++++ sys/dev/usb/net/if_ure.c
+@@ -816,9 +816,10 @@
+ 
+ 	URE_LOCK_ASSERT(sc, MA_OWNED);
+ 
+-	rxmode = URE_RCR_APM;
+-	if (ifp->if_flags & IFF_BROADCAST)
+-		 rxmode |= URE_RCR_AB;
++	rxmode = ure_read_4(sc, URE_PLA_RCR, URE_MCU_TYPE_PLA);
++	rxmode &= ~(URE_RCR_AAP | URE_RCR_AM);
++	rxmode |= URE_RCR_APM;	/* accept physical match packets */
++	rxmode |= URE_RCR_AB;	/* always accept broadcasts */
+ 	if (ifp->if_flags & (IFF_ALLMULTI | IFF_PROMISC)) {
+ 		if (ifp->if_flags & IFF_PROMISC)
+ 			rxmode |= URE_RCR_AAP;

share/security/patches/SA-20:27/ure.12.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9hOJdfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJpVQ//c2z6nk+LDQaFYnDyg9Fkl0GqmVsJ0Ml3Wog1lUU0nOqacAhBmZTwq3Oq
+dzQ2jstcf1dqj9Bt/6Q525Odt8Bk5zzzN6qHFL+kJiHDWB0aYCfACucYykVH7uIM
+LF5XVX8zzHrCW3kvcAwukRB4XhN5eo4uPGpVcm9css5yIEYL++Bxq5UrrL6LgXd3
+kDNMeCXe/RjhnUjwcfjSw+EgUhNlvWmWjV6d2tTxhzqtIfsovTfJuw6tqHsLFhCG
+PGUmNi7dH1/OmdzPCrVuxzPy2VaZe8H8s6VXL8orbpw+RWZ6W8E/WOktK2S6HHLb
+X0jv3fZ37K3SnydCKlCl5ATPhvhZWhVGSGXVEg4jA7MTU/rjMh1VlH8cPmH66z1x
+DxhGH1dO9v/E6v4/YQ6fwMMGnmH0fDRRNs9rodPi6goj70OxvHPAIpbPvm4ZS26c
+XvENpnz7rVZyJ8+iehnLQvsarNQ/neJipI7SpIVb1+2g/tHMbq77Mw6wpkB1kKyn
+jB9uZZwVn7SlK3XvXZN3jTgTrMhuvTzPJ/0Ek3qYSqWbAPIen+GUC8XJZlO1QLoL
+ShkEKWFZBuLmx+/emDG8tiu4WidmeCRHva3gjgOMijyNWETiajMFk7sVbKk974zi
+DBquYG/wHWnsOOtSbOTAtIWopZdaxaA7HQVEcGY/6iB8/twlOl8=
+=Adwg
+-----END PGP SIGNATURE-----

share/security/patches/SA-20:28/bhyve_vmcs.patch

@@ -0,0 +1,29 @@
+--- sys/amd64/vmm/amd/svm.c.orig
++++ sys/amd64/vmm/amd/svm.c
+@@ -2198,8 +2198,11 @@
+ 		return (svm_modify_intr_shadow(svm_sc, vcpu, val));
+ 	}
+ 
+-	if (vmcb_write(svm_sc, vcpu, ident, val) == 0) {
+-		return (0);
++	/* Do not permit user write access to VMCB fields by offset. */
++	if (!VMCB_ACCESS_OK(ident)) {
++		if (vmcb_write(svm_sc, vcpu, ident, val) == 0) {
++			return (0);
++		}
+ 	}
+ 
+ 	reg = swctx_regptr(svm_get_guest_regctx(svm_sc, vcpu), ident);
+--- sys/amd64/vmm/intel/vmx.c.orig
++++ sys/amd64/vmm/intel/vmx.c
+@@ -3341,6 +3341,10 @@
+ 	if (vmxctx_setreg(&vmx->ctx[vcpu], reg, val) == 0)
+ 		return (0);
+ 
++	/* Do not permit user write access to VMCS fields by offset. */
++	if (reg < 0)
++		return (EINVAL);
++
+ 	error = vmcs_setreg(&vmx->vmcs[vcpu], running, reg, val);
+ 
+ 	if (error == 0) {

share/security/patches/SA-20:28/bhyve_vmcs.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9hOJhfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJOpA//d8gbQS8I5HdY/xWmt4RoQ8yhvE1v3AmOqt7o14CfKCfMSMFqu7lGXcB/
+rkpIgKmGGS/j+XMeLAvmHtw4zdM1PdkJ4bk71GLfpT91YF9cC7eKHJreidDiMD9z
+48DTlCz0lWg7sGLpas5viXZkX7WRhtHHLBzMAHh6k1Ew4N1A/668cH/ZU1C4w4pm
+yXzY+su5yXKgdqhibOPlpvuYhITVkqHnkDyMqlppo/hxfjYNKBii+sDBAieGJBmp
+1+sW6iCEXdZK+m9LCfiNPOWLE2dkZEqwOazoFBJDmjyp/EZW4sdGhkEgVsADodym
+WOqZi8Ca2qfWm7NumGr20zsVbVe9Qx4dspRGLYcs3POaqa1LOg82lcys/h47t4Vw
+0uM2UBRGS5XD1V5bB0BWOLYZc7ZlGljASzzZmhBt7MiBJcuzeTwhDGQO3L2otVG6
+SAV1H46onKOU997Br9wH5yFNFgvHf26OjDrE4b9hgSDZsXafSk9mE1rWLLxKRKWT
+//ZhN7F/L5JHmRtFMsHa2kKbYiwrxX/T17s9yupn/iOUdu0er+ECqER629PATrxx
+5bQxE9geVD7LIEIyYSs7u9H0gP00N656gXIRTr4yQ77O7+AHfJYelHEo6XJNRSdb
+Lql9kgsikbH3G2V4HdGBLdxOR/FeCuC5kP9Qoa2L0YVUbfadpUY=
+=nYIH
+-----END PGP SIGNATURE-----

share/security/patches/SA-20:29/bhyve_svm.patch

@@ -0,0 +1,163 @@
+--- sys/amd64/vmm/amd/svm.c.orig
++++ sys/amd64/vmm/amd/svm.c
+@@ -488,10 +488,23 @@
+ 	svm_enable_intercept(sc, vcpu, VMCB_CTRL1_INTCPT, VMCB_INTCPT_SHUTDOWN);
+ 	svm_enable_intercept(sc, vcpu, VMCB_CTRL1_INTCPT,
+ 	    VMCB_INTCPT_FERR_FREEZE);
++	svm_enable_intercept(sc, vcpu, VMCB_CTRL1_INTCPT, VMCB_INTCPT_INVD);
++	svm_enable_intercept(sc, vcpu, VMCB_CTRL1_INTCPT, VMCB_INTCPT_INVLPGA);
+ 
+ 	svm_enable_intercept(sc, vcpu, VMCB_CTRL2_INTCPT, VMCB_INTCPT_MONITOR);
+ 	svm_enable_intercept(sc, vcpu, VMCB_CTRL2_INTCPT, VMCB_INTCPT_MWAIT);
+ 
++	/*
++	 * Intercept SVM instructions since AMD enables them in guests otherwise.
++	 * Non-intercepted VMMCALL causes #UD, skip it.
++	 */
++	svm_enable_intercept(sc, vcpu, VMCB_CTRL2_INTCPT, VMCB_INTCPT_VMLOAD);
++	svm_enable_intercept(sc, vcpu, VMCB_CTRL2_INTCPT, VMCB_INTCPT_VMSAVE);
++	svm_enable_intercept(sc, vcpu, VMCB_CTRL2_INTCPT, VMCB_INTCPT_STGI);
++	svm_enable_intercept(sc, vcpu, VMCB_CTRL2_INTCPT, VMCB_INTCPT_CLGI);
++	svm_enable_intercept(sc, vcpu, VMCB_CTRL2_INTCPT, VMCB_INTCPT_SKINIT);
++	svm_enable_intercept(sc, vcpu, VMCB_CTRL2_INTCPT, VMCB_INTCPT_ICEBP);
++
+ 	/*
+ 	 * From section "Canonicalization and Consistency Checks" in APMv2
+ 	 * the VMRUN intercept bit must be set to pass the consistency check.
+@@ -1236,43 +1249,45 @@
+ static const char *
+ exit_reason_to_str(uint64_t reason)
+ {
++	int i;
+ 	static char reasonbuf[32];
+-
+-	switch (reason) {
+-	case VMCB_EXIT_INVALID:
+-		return ("invalvmcb");
+-	case VMCB_EXIT_SHUTDOWN:
+-		return ("shutdown");
+-	case VMCB_EXIT_NPF:
+-		return ("nptfault");
+-	case VMCB_EXIT_PAUSE:
+-		return ("pause");
+-	case VMCB_EXIT_HLT:
+-		return ("hlt");
+-	case VMCB_EXIT_CPUID:
+-		return ("cpuid");
+-	case VMCB_EXIT_IO:
+-		return ("inout");
+-	case VMCB_EXIT_MC:
+-		return ("mchk");
+-	case VMCB_EXIT_INTR:
+-		return ("extintr");
+-	case VMCB_EXIT_NMI:
+-		return ("nmi");
+-	case VMCB_EXIT_VINTR:
+-		return ("vintr");
+-	case VMCB_EXIT_MSR:
+-		return ("msr");
+-	case VMCB_EXIT_IRET:
+-		return ("iret");
+-	case VMCB_EXIT_MONITOR:
+-		return ("monitor");
+-	case VMCB_EXIT_MWAIT:
+-		return ("mwait");
+-	default:
+-		snprintf(reasonbuf, sizeof(reasonbuf), "%#lx", reason);
+-		return (reasonbuf);
++	static const struct {
++		int reason;
++		const char *str;
++	} reasons[] = {
++		{ .reason = VMCB_EXIT_INVALID,	.str = "invalvmcb" },
++		{ .reason = VMCB_EXIT_SHUTDOWN,	.str = "shutdown" },
++		{ .reason = VMCB_EXIT_NPF, 	.str = "nptfault" },
++		{ .reason = VMCB_EXIT_PAUSE,	.str = "pause" },
++		{ .reason = VMCB_EXIT_HLT,	.str = "hlt" },
++		{ .reason = VMCB_EXIT_CPUID,	.str = "cpuid" },
++		{ .reason = VMCB_EXIT_IO,	.str = "inout" },
++		{ .reason = VMCB_EXIT_MC,	.str = "mchk" },
++		{ .reason = VMCB_EXIT_INTR,	.str = "extintr" },
++		{ .reason = VMCB_EXIT_NMI,	.str = "nmi" },
++		{ .reason = VMCB_EXIT_VINTR,	.str = "vintr" },
++		{ .reason = VMCB_EXIT_MSR,	.str = "msr" },
++		{ .reason = VMCB_EXIT_IRET,	.str = "iret" },
++		{ .reason = VMCB_EXIT_MONITOR,	.str = "monitor" },
++		{ .reason = VMCB_EXIT_MWAIT,	.str = "mwait" },
++		{ .reason = VMCB_EXIT_VMRUN,	.str = "vmrun" },
++		{ .reason = VMCB_EXIT_VMMCALL,	.str = "vmmcall" },
++		{ .reason = VMCB_EXIT_VMLOAD,	.str = "vmload" },
++		{ .reason = VMCB_EXIT_VMSAVE,	.str = "vmsave" },
++		{ .reason = VMCB_EXIT_STGI,	.str = "stgi" },
++		{ .reason = VMCB_EXIT_CLGI,	.str = "clgi" },
++		{ .reason = VMCB_EXIT_SKINIT,	.str = "skinit" },
++		{ .reason = VMCB_EXIT_ICEBP,	.str = "icebp" },
++		{ .reason = VMCB_EXIT_INVD,	.str = "invd" },
++		{ .reason = VMCB_EXIT_INVLPGA,	.str = "invlpga" },
++	};
++
++	for (i = 0; i < nitems(reasons); i++) {
++		if (reasons[i].reason == reason)
++			return (reasons[i].str);
+ 	}
++	snprintf(reasonbuf, sizeof(reasonbuf), "%#lx", reason);
++	return (reasonbuf);
+ }
+ #endif	/* KTR */
+ 
+@@ -1524,6 +1539,20 @@
+ 	case VMCB_EXIT_MWAIT:
+ 		vmexit->exitcode = VM_EXITCODE_MWAIT;
+ 		break;
++	case VMCB_EXIT_SHUTDOWN:
++	case VMCB_EXIT_VMRUN:
++	case VMCB_EXIT_VMMCALL:
++	case VMCB_EXIT_VMLOAD:
++	case VMCB_EXIT_VMSAVE:
++	case VMCB_EXIT_STGI:
++	case VMCB_EXIT_CLGI:
++	case VMCB_EXIT_SKINIT:
++	case VMCB_EXIT_ICEBP:
++	case VMCB_EXIT_INVD:
++	case VMCB_EXIT_INVLPGA:
++		vm_inject_ud(svm_sc->vm, vcpu);
++		handled = 1;
++		break;
+ 	default:
+ 		vmm_stat_incr(svm_sc->vm, vcpu, VMEXIT_UNKNOWN, 1);
+ 		break;
+--- sys/amd64/vmm/amd/vmcb.h.orig
++++ sys/amd64/vmm/amd/vmcb.h
+@@ -71,8 +71,8 @@
+ #define	VMCB_INTCPT_INVD		BIT(22)
+ #define	VMCB_INTCPT_PAUSE		BIT(23)
+ #define	VMCB_INTCPT_HLT			BIT(24)
+-#define	VMCB_INTCPT_INVPG		BIT(25)
+-#define	VMCB_INTCPT_INVPGA		BIT(26)
++#define	VMCB_INTCPT_INVLPG		BIT(25)
++#define	VMCB_INTCPT_INVLPGA		BIT(26)
+ #define	VMCB_INTCPT_IO			BIT(27)
+ #define	VMCB_INTCPT_MSR			BIT(28)
+ #define	VMCB_INTCPT_TASK_SWITCH		BIT(29)
+@@ -134,12 +134,21 @@
+ #define	VMCB_EXIT_POPF			0x71
+ #define	VMCB_EXIT_CPUID			0x72
+ #define	VMCB_EXIT_IRET			0x74
++#define	VMCB_EXIT_INVD			0x76
+ #define	VMCB_EXIT_PAUSE			0x77
+ #define	VMCB_EXIT_HLT			0x78
++#define	VMCB_EXIT_INVLPGA		0x7A
+ #define	VMCB_EXIT_IO			0x7B
+ #define	VMCB_EXIT_MSR			0x7C
+ #define	VMCB_EXIT_SHUTDOWN		0x7F
++#define	VMCB_EXIT_VMRUN			0x80
++#define	VMCB_EXIT_VMMCALL		0x81
++#define	VMCB_EXIT_VMLOAD		0x82
+ #define	VMCB_EXIT_VMSAVE		0x83
++#define	VMCB_EXIT_STGI			0x84
++#define	VMCB_EXIT_CLGI			0x85
++#define	VMCB_EXIT_SKINIT		0x86
++#define	VMCB_EXIT_ICEBP			0x88
+ #define	VMCB_EXIT_MONITOR		0x8A
+ #define	VMCB_EXIT_MWAIT			0x8B
+ #define	VMCB_EXIT_NPF			0x400

share/security/patches/SA-20:29/bhyve_svm.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9hOJhfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cI5PhAAgsXuFNy2fRvNjAgJoY41AIwBr/5T+0WM09YykMcTC1EQBm1AjRI9jgAm
+V4HUQeH7ygs9TVkn+F02iLHSSCJAneu2nPNIalCxyKwhpXpJiYktrJ5wLVC7Q2DC
+63Lc7WrfJ858+9ehXh4bvCTJeOJxOIyvaoOLEPslaGje/YD+plqdNWO036D0w+7j
+Fbx2rvCILLKIaxVYLCmhm/6V46dT1HHwXJP1dGuKr1ZSq6MGley3KGl7b5b7xb0E
+gfZh09QBH7tfATTHnAv2FvLzSBCDn4aZlFZl0uvK8qbK5ZFyfEPicu4SGHtXrMzK
+0tBATwLwf1JwgBvYKLR+kywxceVgbLTY0iAo354/GcjHzXR3JE4hxDD4/2FL+r10
+Q8A75AV1/SPf4UOczgapzvqY1zj6M8/ibOPEU+0qaN8YotabGEUr3DLR0d5nWWm1
+BQnBifkyb9ux8AfWjtWHYu6zY5r4sHCZQQXUJHOyCUGpG0mX2p+MxZWCuTJGrYOs
+PZyZoJw1vH2rpUcgLikDYkDXCpWNCzwUH7p+tmOAC7EnlFCfxzuv4qgzC538XB76
+wMkfVM2W1h5BXJQP/G+ELCvXX0REQRO1cMn4rIxmO0EOWpL9SVYUHQ53/MbEOBkf
+QBkb0COWyNblj6eKG8Cigv0OP1p8iXNXT3zmG6eXeOHckgt6tPA=
+=+DkR
+-----END PGP SIGNATURE-----

share/security/patches/SA-20:30/ftpd.patch

@@ -0,0 +1,27 @@
+--- libexec/ftpd/ftpd.c.orig
++++ libexec/ftpd/ftpd.c
+@@ -1596,13 +1596,20 @@
+ 	 *    (uid 0 has no root power over NFS if not mapped explicitly.)
+ 	 */
+ 	if (seteuid(pw->pw_uid) < 0) {
+-		reply(550, "Can't set uid.");
+-		goto bad;
++		if (guest || dochroot) {
++			fatalerror("Can't set uid.");
++		} else {
++			reply(550, "Can't set uid.");
++			goto bad;
++		}
+ 	}
++	/*
++	 * Do not allow the session to live if we're chroot()'ed and chdir()
++	 * fails. Otherwise the chroot jail can be escaped.
++	 */
+ 	if (chdir(homedir) < 0) {
+ 		if (guest || dochroot) {
+-			reply(550, "Can't change to base directory.");
+-			goto bad;
++			fatalerror("Can't change to base directory.");
+ 		} else {
+ 			if (chdir("/") < 0) {
+ 				reply(550, "Root is inaccessible.");

share/security/patches/SA-20:30/ftpd.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9hOJhfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKBCQ//ZA1qgbTQomNYbe+s3EsrdvULsyheLjx/Do9P8FjN84pASt4ILIDCykRf
+vGEMeAB5u4ngvHIUuTm2C0DWeLyyzy9kqoRT8l8CiN7TjAkzHc12vI/c9ruO9nbk
+f4C7ia01AaRhaktHjz3vgctzGKHAFEKZ9EvjHftW4Qbv4FOLWrCV2ys2icfW2wEI
+ZLuDZIrcMbQj60mO62h+HJUcAIZ+ssOPEM1+tLhmCd3qvqaiHYeTgnm5llAZAS6X
+hfH44FgZ/YRXXPj0Asx9aI/RQX8sLIVW7frgDdn6/n3xffl7pdvWjhRf5q4Cy2pl
+w9hkc1KGUtACaVoz8SlT+FxeKKwdwX1xlX1sb8vrAuyskZmy1Ne05p0xGX5YDrL0
+QVGEQjndhgi6k2OXjvukME1C7SotC8guMbZtanhCVIsnyE2HdOlsySXvBY4txAl8
+FgbDhrHnGFRdLFAFdwNaxooKkEG6oiF5FcSkfkOCcW43yh6zEJvybC7BVpzJd7Ry
+PUZOfytXZAyzB9fqWnku93O4qRakY/do9q3olfk0hRzqoFBpakZ/kMp0dpdWS7Nt
+DKdUUtf7MKkt3dxxLSqVNvLkLICnzTjj+E5hRU6Y9XDhvs89/Ut5nDNUJE8crQf2
+juy1ajNlmo5/Pp/0wI9fybDen2YEBPzqN1U1Gm9qKKuyb76POzc=
+=IcX7
+-----END PGP SIGNATURE-----

share/xml/advisories.xml

@@ -10,6 +10,27 @@
     <month>
       <name>9</name>
 
+      <day>
+	<name>15</name>
+
+	<advisory>
+	  <name>FreeBSD-SA-20:30.ftpd</name>
+	</advisory>
+
+	<advisory>
+	  <name>FreeBSD-SA-20:29.bhyve_svm</name>
+	</advisory>
+
+	<advisory>
+	  <name>FreeBSD-SA-20:28.bhyve_vmcs</name>
+	</advisory>
+
+	<advisory>
+	  <name>FreeBSD-SA-20:27.ure</name>
+	</advisory>
+
+      </day>
+
       <day>
 	<name>2</name>