diff --git a/share/security/advisories/FreeBSD-EN-19:16.bhyve.asc b/share/security/advisories/FreeBSD-EN-19:16.bhyve.asc new file mode 100644 index 0000000000..1256cb3ee7 --- /dev/null +++ b/share/security/advisories/FreeBSD-EN-19:16.bhyve.asc 
@@ -0,0 +1,134 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-19:16.bhyve Errata Notice + The FreeBSD Project + +Topic: Bhyve instruction emulation improvements (opcode 03H and F7H) + +Category: core +Module: bhyve +Announced: 2019-08-20 +Credits: John Baldwin, Jason Tubnor +Affects: All supported versions of FreeBSD. +Corrected: 2019-07-07 17:30:23 UTC (stable/12, 12.0-STABLE) + 2019-08-20 17:45:44 UTC (releng/12.0, 12.0-RELEASE-p10) + 2019-07-07 17:31:13 UTC (stable/11, 11.3-STABLE) + 2019-08-20 17:45:44 UTC (releng/11.3, 11.3-RELEASE-p3) + +Note: This errata notice does not update FreeBSD 11.2. FreeBSD 11.2 +users affected by this update should upgrade to FreeBSD 11.3. + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +bhyve(8) is a hypervisor that supports running a variety of guest operating +systems in virtual machines, using hardware virtualization in Intel and AMD +CPUs. Some instructions are not handled by hardware virtualization and must +be emulated by the hypervisor. + +II. Problem Description + +Some newer software uses instructions previously not handled by bhyve's +instruction emulation. This errata notice adds emulation for two instruction +opcodes, to enable flash variable storage in OVMF and to support guest +operating systems compiled with Clang 8.0.0 that use the TEST instruction +against local APIC registers (such as OpenBSD 6.6). + +III. Impact + +Guest firmware or operating systems using unsupported instructions caused +bhyve to exit with a "Failed to emulate instruction" error. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. 
+ +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.3, FreeBSD 12.0] +# fetch https://security.FreeBSD.org/patches/EN-19:16/bhyve.patch +# fetch https://security.FreeBSD.org/patches/EN-19:16/bhyve.patch.asc +# gpg --verify bhyve.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Start the applicable virtual machines. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r349808 +releng/12.0/ r351256 +stable/11/ r349809 +releng/11.3/ r351256 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPfFfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJzqA//XiWRn/psT+I8r7MSiS6K2bJASZlFGUDnVqLsFAnj2XoZlSp265dZw0R7 +t++kBPu0Q9vm3FphkE/J3e4fR9PyCsa5QpEvTeXE9v1RixrkmmLT56ukR3BgivKa +rmCTjkwLikmRb8qrRMly9ERjwySKlUZmOMHX1xte33WTi2eVwZUfNg9xNq1c4YGi +QvIABOa1xTZHr0oyeZfmuEyhSDRD+jzb+mOboX9TFQSfAUwC16VDCAHu5SwXNeQS +l4/FxrYf0yupf2bqwWmfeRlAE25nHGErsaXiQwqdPZB3SUTECpDcl5BCwPwA+pr3 +Jf7lxTPrp/NLi7sghgofOX5AwbiVacYxN45P4JNjBB5OpDut+e196VkzO1IAXVRb +spyc/zKE6BWYRT2KOeNlMzmQXmDIjZERuumV98DQQEAAw52p+RWdEU3IlfZ+plW7 +bF8P/OmJ5DDcdW1XeONIzFaal4VFjauDsmPt5QTyb/SpX/20hvTT3/QCbDJJiRu3 +5Lf7RPMK63r+uFwLz58XrGJwimYdKCn67nC+o1k/j9Izc63+At9h0tU2XR2u7V8c +iuQaGkeBT/OjtVg6/IjCs4SbT24wbmP1LecUtQyFzZkHdNkdw7+67Ty2Y3jGE3GG +sCpU88b0PIh2pJ+4oJ28WwH2M55VnxuId5N0uosrAGSo/C1kYWY= +=CkK1 +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-EN-19:17.ipfw.asc b/share/security/advisories/FreeBSD-EN-19:17.ipfw.asc new file mode 100644 index 0000000000..396880603a --- /dev/null +++ b/share/security/advisories/FreeBSD-EN-19:17.ipfw.asc 
@@ -0,0 +1,130 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-19:17.ipfw Errata Notice + The FreeBSD Project + +Topic: ipfw(8) jail keyword broken prior to jail startup + +Category: core +Module: ipfw +Announced: 2019-08-20 +Affects: FreeBSD 11.3 +Corrected: 2019-08-15 17:40:48 UTC (stable/12, 12.0-STABLE) + 2019-08-15 17:40:48 UTC (stable/11, 11.3-STABLE) + 2019-08-20 17:46:40 UTC (releng/11.3, 11.3-RELEASE-p3) + +Note that this issue was introduced after the FreeBSD 11.2 and 12.0 releases. +FreeBSD 11.3 is the only affected release. + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The ipfw(8) utility configures rules for the ipfw(4) firewall. The jail +keyword applies the rule for packets pertaining to the given jail, named by +the argument. + +II. Problem Description + +The jail argument no longer allowed jids to be specified before a jail was +created. Attempts to use the jail keyword in this scenario would result in +"jail not found" errors, when previously these rules would apply to +any jail with the given jid that was subsequently started. + +III. Impact + +The ipfw(4) firewall will reject rules that attempt to use the jail +keyword prior to jail startup, and these rules will not be applied. + +IV. Workaround + +The system administrator can apply jail-based firewall rules after jail +creation. + +Systems that do not use ipfw(4) are not affected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-19:17/ipfw.patch +# fetch https://security.FreeBSD.org/patches/EN-19:17/ipfw.patch.asc +# gpg --verify ipfw.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . +Restart jails to apply firewall rules, if required. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r351094 +stable/11/ r351094 +releng/11.3/ r351258 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPf5fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cIDTg//ca9BaMVV04yzSaIqgcuxCs5nM6eQMJehRKWP+Ibt6bUUnUYlS8V1HOBD +eUS0eW9GiO2QkrVmttxrC2IwJSutVzUXMP/zkLEyb91LJ13+YkuLKSaj14pucA+S +VNy1CH8Sry/PnA+bcFQxgpTAl8EGaTAzT0znRgdvooe26JbHw0y8941t88Mr3giN +vCPnfAdaT0MjKSdKgykA+xKKgY1+fwA1vUFOYybNzg+eN10gU2qRQfksFc4VpnNd +7J3j5I2n/1Y1KxsbEagGXK0JOztZa1PhqsAYuj4iAMhM8Nw+vdAtVX8DYyqHEe2m +hjJyGPu1Lrihrx2PUH5GVv0KXHbLVRnZ/N7Xs3hPsUZWBuSrcU2r3cdqe1nB055D +PQMr6m+Ydr0DXnySShd5Kow26IBDVJQ+YrGkK88CdMT2YGnarqcg/RaT/eIoJ654 +lKvl5XeOL/P9apU567HzYoAUVlvxMAD2pEd2+NGr9gi3bXfAg2Usjeekwo7BRRMo +Ddmec7Ql/wBU0RED67l+TYIM2IDNj5ofua6WrSrs8QCIeNXnYi8kBLTBwKBiz5Fw +scisoACv92zexrIpac1RoAT/+OdWUgwtCx7axyLybbEsAC2FDfSDVqlJfq0m+DFY +/R3Bezk1Ek+U4KUpQr6I1DSBU+1Uo8DljfwkwH8DVn+aWy3194Q= +=8VPw +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-19:22.mbuf.asc b/share/security/advisories/FreeBSD-SA-19:22.mbuf.asc new file mode 100644 index 0000000000..427fece356 --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-19:22.mbuf.asc 
@@ -0,0 +1,138 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-19:22.mbuf Security Advisory + The FreeBSD Project + +Topic: IPv6 remote Denial-of-Service + +Category: kernel +Module: net +Announced: 2019-08-20 +Credits: Clement Lecigne +Affects: All supported versions of FreeBSD. +Corrected: 2019-08-10 00:01:25 UTC (stable/12, 12.0-STABLE) + 2019-08-20 17:49:33 UTC (releng/12.0, 12.0-RELEASE-p10) + 2019-08-10 00:02:45 UTC (stable/11, 11.3-STABLE) + 2019-08-20 17:49:33 UTC (releng/11.3, 11.3-RELEASE-p3) + 2019-08-20 17:49:33 UTC (releng/11.2, 11.2-RELEASE-p14) +CVE Name: CVE-2019-5611 + +For general information regarding FreeBSD Security Advisories, including +descriptions of the fields above, security branches, and the following +sections, please visit . + +I. Background + +mbufs are a unit of memory management mostly used in the kernel for network +packets and socket buffers. m_pulldown(9) is a function to arrange the data +in a chain of mbufs. + +II. Problem Description + +Due do a missing check in the code of m_pulldown(9) data returned may not be +contiguous as requested by the caller. + +III. Impact + +Extra checks in the IPv6 code catch the error condition and trigger a kernel +panic leading to a remote DoS (denial-of-service) attack with certain +Ethernet interfaces. At this point it is unknown if any other than the IPv6 +code paths can trigger a similar condition. + +IV. Workaround + +For the currently known attack vector systems with IPv6 not enabled are not +vulnerable. + +On systems with IPv6 active, IPv6 fragmentation may be disabled, or +a firewall can be used to filter out packets with certain or excessive +amounts of extension headers in a first fragment. These rules may be +dependent on the operational needs of each site. + +V. 
Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-19:22/mbuf.patch +# fetch https://security.FreeBSD.org/patches/SA-19:22/mbuf.patch.asc +# gpg --verify mbuf.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r350828 +releng/12.0/ r351259 +stable/11/ r350829 +releng/11.3/ r351259 +releng/11.2/ r351259 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPgFfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cK+4w/7BCGyLpeSCIaHMpKdZvSqKc6RptLyxPq1q6XO/5fUxQiBXuwxfZIUO45o +VyQCsuVf0QDeT/HaMJAdTr450RlSs1ozyzEmd2iLfwqmpc8JRemihrzHkNMfny1U +Y4ffN6zyrOLyFeyQcdbgHUKHwuAvGZFhR/PtPJfWDmULi0vW5PHBGjxOQmxKbbUr +6zcR+gKrm5E3vLW4vD2gvsB1RGyOzUBOaEeQU36LE1/W6hhgwtXAkZacEP+W4BiB +jPbG7u23C3a2KcRImCWM2vJ5dZFoa0Mz5+vHzaSMwPT49KRRRRkcd7+azqUfbGg0 +k9Py6KuwGhclNmehpUth0NlvR89JV58Fbkh7TaCWHV51hAWoH/1EQdJNY9yb0eAZ +AgsvAiotWU1VNDcF2xWaf5m3VE87jl0/Bz9BgpVFI0kHuof4OwiG9PkdFI1q0Yl2 +TdkksZj1iRETN8/Qt5HGzY1pGQFRc7b+nE9GIfIUcEH1B7d7Gb58DVElZ95Og+EF +bGwR6/e7r39mBsqs0qloYgk/2c6B4vuFyt8b9Yhuw4ns0SpO4cP9XYXawUff7+p3 +oLo7dqPKn8fMRLhT0/QZfPRyluUshVvJW1Yg9HWdYMYm7wFAilemnMWMxJKIUOmt +pkQx3e6Tvk3VNkls4yv7GbApO5iMNXaBvC2JYMP0GUiQ1FOkB9M= +=ip7/ +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-19:23.midi.asc b/share/security/advisories/FreeBSD-SA-19:23.midi.asc new file mode 100644 index 0000000000..a280b59f18 --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-19:23.midi.asc 
@@ -0,0 +1,138 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-19:23.midi Security Advisory + The FreeBSD Project + +Topic: kernel memory disclosure from /dev/midistat + +Category: core +Module: sound +Announced: 2019-08-20 +Credits: Peter Holm, Mark Johnston +Affects: All supported versions of FreeBSD. +Corrected: 2019-08-20 17:53:16 UTC (stable/12, 12.0-STABLE) + 2019-08-20 17:50:33 UTC (releng/12.0, 12.0-RELEASE-p10) + 2019-08-20 17:54:18 UTC (stable/11, 11.3-STABLE) + 2019-08-20 17:50:33 UTC (releng/11.3, 11.3-RELEASE-p3) + 2019-08-20 17:50:33 UTC (releng/11.2, 11.2-RELEASE-p14) +CVE Name: CVE-2019-5612 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +/dev/midistat is a device file which can be read to obtain a +human-readable list of the available MIDI-capable devices in the system. + +II. Problem Description + +The kernel driver for /dev/midistat implements a handler for read(2). +This handler is not thread-safe, and a multi-threaded program can +exploit races in the handler to cause it to copy out kernel memory +outside the boundaries of midistat's data buffer. + +III. Impact + +The races allow a program to read kernel memory within a 4GB window +centered at midistat's data buffer. The buffer is allocated each +time the device is opened, so an attacker is not limited to a static +4GB region of memory. + +On 32-bit platforms, an attempt to trigger the race may cause a page +fault in kernel mode, leading to a panic. + +IV. Workaround + +No workaround is available. Custom kernels without "device sound" +are not vulnerable. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. 
+ +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch +# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch.asc +# gpg --verify midi.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r351264 +releng/12.0/ r351260 +stable/11/ r351265 +releng/11.3/ r351260 +releng/11.2/ r351260 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPgVfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cItmQ/9HL5BIP/QUvfcBbhZmZAXa7O7V9Em4auumaUWEPnUaAR0vNKZqMvFXNeN +v51/HOwCZte2fCgs8rxSH9ncQR+cUk/3nXO7PZ7pNPNfvuJoPlCV1rIuRrdwm14+ ++pZIJpY65gmmXyh5Qa5cw41MEWuDcKluUg38zEROwBpX4h0J/ZuMSARn/s1jj/kJ +hy2yzgPTz8gAzkNd8OtQm1CHdFnKWabuAHBlltj9qIA3OvJL+TpIFmzU5jA7wO1n +w9GCcz73+IA1RZXu8vPsW9AEc/1LlUrNcyLmJ+bZjW9b7mY9dq+ackvULTzFV21u +5xW2FEX3EBr3kFSbWyIS9zuTX4InftoAr97CBxNMYa25/0En4Ri2rB3oH49BgqTb +sr6p5hO3ZB6gOfJIm3WeYIc9dXsqQcWC/Y8hp7zO/Ef29jBHaa76ZX3uGgKGgyoo +UcoEjIx4ZpiqQxUEigKdlpEQdUtCIOSZ1NjSYDRFuCURDI07o1Oi8/HSdb9tNRe4 +IxfmT7G+oBGbhjZ/bziC/tZX/whXzBdo6eNIBC8XW8hrTDIXVCyqls3igiSqxoFA +WMpQN2gEZ6Yug0zpRCn4fj+dvBobpAle7F/gwZdFeWU/wtDiLQHnBOxPaobR56Qy +fIoVVGufmnjbSReSGh1WtFhDt+uJ8zal/EqGWi3IBIFpxjhAuP0= +=I8mB +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-19:24.mqueuefs.asc b/share/security/advisories/FreeBSD-SA-19:24.mqueuefs.asc new file mode 100644 index 0000000000..40c2506316 --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-19:24.mqueuefs.asc 
@@ -0,0 +1,144 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-19:24.mqueuefs Security Advisory + The FreeBSD Project + +Topic: Reference count overflow in mqueue filesystem 32-bit compat + +Category: core +Module: kernel +Announced: 2019-08-20 +Credits: Karsten König, Secfault Security +Affects: All supported versions of FreeBSD. +Corrected: 2019-08-20 17:45:22 UTC (stable/12, 12.0-STABLE) + 2019-08-20 17:51:32 UTC (releng/12.0, 12.0-RELEASE-p10) + 2019-08-20 17:46:22 UTC (stable/11, 11.3-STABLE) + 2019-08-20 17:51:32 UTC (releng/11.3, 11.3-RELEASE-p3) + 2019-08-20 17:51:32 UTC (releng/11.2, 11.2-RELEASE-p14) +CVE Name: CVE-2019-5603 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +Note: This issue is related to the previously disclosed SA-19:15.mqueuefs. +It is another instance of the same bug and as such shares the same CVE. + +I. Background + +mqueuefs(5) implements POSIX message queue file system which can be used +by processes as a communication mechanism. + +'struct file' represents open files, directories, sockets and other +entities. + +II. Problem Description + +System calls operating on file descriptors obtain a reference to +relevant struct file which due to a programming error was not always put +back, which in turn could be used to overflow the counter of affected +struct file. + +III. Impact + +A local user can use this flaw to obtain access to files, directories, +sockets, etc., opened by processes owned by other users. If obtained +struct file represents a directory from outside of user's jail, it can +be used to access files outside of the jail. If the user in question is +a jailed root they can obtain root privileges on the host system. + +IV. Workaround + +No workaround is available. 
Note that the mqueuefs file system is not +enabled by default. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-19:24/mqueuefs.patch +# fetch https://security.FreeBSD.org/patches/SA-19:24/mqueuefs.patch.asc +# gpg --verify mqueuefs.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r351255 +releng/12.0/ r351261 +stable/11/ r351257 +releng/11.3/ r351261 +releng/11.2/ r351261 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPglfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cIKGA/+Oh+ORvFs273SJwaYaf8LCJ21IJnzVxDp9vS6MSO79LmI6HeiqAy9apQs +Ec4zOXvE5MzYfA+E9jyRa6c4h7OY7uSSym15wCjLLi+DWPJ1lcCPAv01JuAgSw9E +GkLOprdk2aETTe1jc3DjXv0q56JZM79vegL2Nn/AJd7GZqSI4Qxf0M+87eWFMxd6 +dFlvZtnh4QGuSC8w+ls5LpcGHfr8T6w4WwNv6hfvxu//Bg/6BRYKEIAnAu/P+udd +LrZO5lY9IwdaLQckk44nCr02lHVG/G3JgyW2iWAn5tm0CPkQmbawbc6V2WN+lwYf +ynn0ORfKWZpeLN6hd1QedlBhyEblUdjveVy9vaJI2KieHdRMlb56/HsPQqwZLdgV +QrpambGJ4J+48gYcgOXsOn52kIG7iKLfyEsiH4mrQtlZEjfluWt0cGcNuMLNqgPc +WZC1Kqpx3OI00u2M+85xnM8V4VL7iQnX7WWoe8qICZDksAsm4LDTwOP4HdfXkCgs +iSibovwF9ZcKwZjB8AZ+smjRyHGb2KEs+WlGI+ASE5UF8jYshCEZWKfJFd59BJZx +uw/lngCium0OgQ0Bzt0NnqR663kzSE1f7ZGLJtoc5+xaWbnTbifykYsM88hO/+/v +LH/fYRdgXkDTtShiMgppx/YrfTF33+hea18CdNdtdPJmH99lPmE= +=1dwe +-----END PGP SIGNATURE----- diff --git a/share/security/patches/EN-19:16/bhyve.patch b/share/security/patches/EN-19:16/bhyve.patch new file mode 100644 index 0000000000..7ac215d86b --- /dev/null +++ b/share/security/patches/EN-19:16/bhyve.patch 
@@ -0,0 +1,239 @@
+--- sys/amd64/vmm/vmm_instruction_emul.c.orig
++++ sys/amd64/vmm/vmm_instruction_emul.c
+@@ -77,6 +77,8 @@
+ VIE_OP_TYPE_STOS,
+ VIE_OP_TYPE_BITTEST,
+ VIE_OP_TYPE_TWOB_GRP15,
++ VIE_OP_TYPE_ADD,
++ VIE_OP_TYPE_TEST,
+ VIE_OP_TYPE_LAST
+ };
+ 
+@@ -112,6 +114,10 @@
+ };
+ 
+ static const struct vie_op one_byte_opcodes[256] = {
++ [0x03] = {
++ .op_byte = 0x03,
++ .op_type = VIE_OP_TYPE_ADD,
++ },
+ [0x0F] = {
+ .op_byte = 0x0F,
+ .op_type = VIE_OP_TYPE_TWO_BYTE
+@@ -216,6 +222,12 @@
+ .op_byte = 0x8F,
+ .op_type = VIE_OP_TYPE_POP,
+ },
++ [0xF7] = {
++ /* XXX Group 3 extended opcode - not just TEST */
++ .op_byte = 0xF7,
++ .op_type = VIE_OP_TYPE_TEST,
++ .op_flags = VIE_OP_F_IMM,
++ },
+ [0xFF] = {
+ /* XXX Group 5 extended opcode - not just PUSH */
+ .op_byte = 0xFF,
+@@ -410,6 +422,76 @@
+ return (getcc64(x, y));
+ }
+ 
++/*
++ * Macro creation of functions getaddflags{8,16,32,64}
++ */
++#define GETADDFLAGS(sz) \
++static u_long \
++getaddflags##sz(uint##sz##_t x, uint##sz##_t y) \
++{ \
++ u_long rflags; \
++ \
++ __asm __volatile("add %2,%1; pushfq; popq %0" : \
++ "=r" (rflags), "+r" (x) : "m" (y)); \
++ return (rflags); \
++} struct __hack
++
++GETADDFLAGS(8);
++GETADDFLAGS(16);
++GETADDFLAGS(32);
++GETADDFLAGS(64);
++
++static u_long
++getaddflags(int opsize, uint64_t x, uint64_t y)
++{
++ KASSERT(opsize == 1 || opsize == 2 || opsize == 4 || opsize == 8,
++ ("getaddflags: invalid operand size %d", opsize));
++
++ if (opsize == 1)
++ return (getaddflags8(x, y));
++ else if (opsize == 2)
++ return (getaddflags16(x, y));
++ else if (opsize == 4)
++ return (getaddflags32(x, y));
++ else
++ return (getaddflags64(x, y));
++}
++
++/*
++ * Return the status flags that would result from doing (x & y).
++ */
++#define GETANDFLAGS(sz) \
++static u_long \
++getandflags##sz(uint##sz##_t x, uint##sz##_t y) \
++{ \
++ u_long rflags; \
++ \
++ __asm __volatile("and %2,%1; pushfq; popq %0" : \
++ "=r" (rflags), "+r" (x) : "m" (y)); \
++ return (rflags); \
++} struct __hack
++
++GETANDFLAGS(8);
++GETANDFLAGS(16);
++GETANDFLAGS(32);
++GETANDFLAGS(64);
++
++static u_long
++getandflags(int opsize, uint64_t x, uint64_t y)
++{
++ KASSERT(opsize == 1 || opsize == 2 || opsize == 4 || opsize == 8,
++ ("getandflags: invalid operand size %d", opsize));
++
++ if (opsize == 1)
++ return (getandflags8(x, y));
++ else if (opsize == 2)
++ return (getandflags16(x, y));
++ else if (opsize == 4)
++ return (getandflags32(x, y));
++ else
++ return (getandflags64(x, y));
++}
++
+ static int
+ emulate_mov(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
+ mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
+@@ -1179,6 +1261,111 @@
+ }
+ 
+ static int
++emulate_test(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
++ mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
++{
++ int error, size;
++ uint64_t op1, rflags, rflags2;
++
++ size = vie->opsize;
++ error = EINVAL;
++
++ switch (vie->op.op_byte) {
++ case 0xF7:
++ /*
++ * F7 /0 test r/m16, imm16
++ * F7 /0 test r/m32, imm32
++ * REX.W + F7 /0 test r/m64, imm32 sign-extended to 64
++ *
++ * Test mem (ModRM:r/m) with immediate and set status
++ * flags according to the results. The comparison is
++ * performed by anding the immediate from the first
++ * operand and then setting the status flags.
++ */
++ if ((vie->reg & 7) != 0)
++ return (EINVAL);
++
++ error = memread(vm, vcpuid, gpa, &op1, size, arg);
++ if (error)
++ return (error);
++
++ rflags2 = getandflags(size, op1, vie->immediate);
++ break;
++ default:
++ return (EINVAL);
++ }
++ error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, &rflags);
++ if (error)
++ return (error);
++
++ /*
++ * OF and CF are cleared; the SF, ZF and PF flags are set according
++ * to the result; AF is undefined.
++ */
++ rflags &= ~RFLAGS_STATUS_BITS;
++ rflags |= rflags2 & (PSL_PF | PSL_Z | PSL_N);
++
++ error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS, rflags, 8);
++ return (error);
++}
++
++static int
++emulate_add(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
++ mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
++{
++ int error, size;
++ uint64_t nval, rflags, rflags2, val1, val2;
++ enum vm_reg_name reg;
++
++ size = vie->opsize;
++ error = EINVAL;
++
++ switch (vie->op.op_byte) {
++ case 0x03:
++ /*
++ * ADD r/m to r and store the result in r
++ *
++ * 03/r ADD r16, r/m16
++ * 03/r ADD r32, r/m32
++ * REX.W + 03/r ADD r64, r/m64
++ */
++
++ /* get the first operand */
++ reg = gpr_map[vie->reg];
++ error = vie_read_register(vm, vcpuid, reg, &val1);
++ if (error)
++ break;
++
++ /* get the second operand */
++ error = memread(vm, vcpuid, gpa, &val2, size, arg);
++ if (error)
++ break;
++
++ /* perform the operation and write the result */
++ nval = val1 + val2;
++ error = vie_update_register(vm, vcpuid, reg, nval, size);
++ break;
++ default:
++ break;
++ }
++
++ if (!error) {
++ rflags2 = getaddflags(size, val1, val2);
++ error = vie_read_register(vm, vcpuid, VM_REG_GUEST_RFLAGS,
++ &rflags);
++ if (error)
++ return (error);
++
++ rflags &= ~RFLAGS_STATUS_BITS;
++ rflags |= rflags2 & RFLAGS_STATUS_BITS;
++ error = vie_update_register(vm, vcpuid, VM_REG_GUEST_RFLAGS,
++ rflags, 8);
++ }
++
++ return (error);
++}
++
++static int
+ emulate_sub(void *vm, int vcpuid, uint64_t gpa, struct vie *vie,
+ mem_region_read_t memread, mem_region_write_t memwrite, void *arg)
+ {
+@@ -1543,6 +1730,14 @@
+ error = emulate_twob_group15(vm, vcpuid, gpa, vie,
+ memread, memwrite, memarg);
+ break;
++ case VIE_OP_TYPE_ADD:
++ error = emulate_add(vm, vcpuid, gpa, vie, memread,
++ memwrite, memarg);
++ break;
++ case VIE_OP_TYPE_TEST:
++ error = emulate_test(vm, vcpuid, gpa, vie,
++ memread, memwrite, memarg);
++ break;
+ default:
+ error = EINVAL;
+ break;
diff --git a/share/security/patches/EN-19:16/bhyve.patch.asc b/share/security/patches/EN-19:16/bhyve.patch.asc
new file mode 100644
index 0000000000..f91b9d1cd0
--- /dev/null
+++ b/share/security/patches/EN-19:16/bhyve.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPhRfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJHuA//cW9cKXRVjNzTpfYVFy5yLbREVsE2nsGzTETuWXhx/aJNoEz6hPo0f169
+K2OQfz4rxhaFzA0BbwTRpFeYXRbV6e+iwgcWfNlYKiNpJi5RCMDsKQ4XsaH6gPKi
+swqliOl4uHLcuJeGhzkQ1fYyXjGxMJvOqpTs9brOj1btimCF0MJ/j9EpuWVX+lKH
+HVt8CyqX6HtixN8WF7ghs6D3hQUamhLNLJanoDicjuxE7uJr3P/ZVrc1ETI1uKO/
+LVFM94oXmRDzkMyEkRNFyoYyc0fCSS2FJrDY6EnfqcMs9IrtS2iC7Cjj8zWzEKtR
+FEVyCiruDNbQftF7/cMquksqNIhdlifVKGRFT13WvFkm2iVDNypTtO6eXDCHaxZe
+Z8KKEoPBoJDux9/VSnt038zLCNVOxrFGaDrupRL2xZTrgmCF56WN8lALNVzmrZlN
+0u0RwGM21xgdzt/58zmFfdlMI9hGfbsDTE1Wwj38eZd+qRzR3o+VxMgnFu0vxAcD
+R12fi8xOe9QoS13O5OCb3ouxK9mUrd0a56kSBO/rRHt4DD+u+FCN33u/0uBDgI06
+Av7p5Hjt0/C89fuFZzMOPD98a0PcSUhdmXOlMAQUotMvhXRbl4nKiGsOVDpmCYz6
+pow+Sf971OXGXEWyaf3UBIfhlANMrANAFTNljuhGOoLtQRrpw0w=
+=Tmxy
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-19:17/ipfw.patch b/share/security/patches/EN-19:17/ipfw.patch
new file mode 100644
index 0000000000..1bd96cb8b7
--- /dev/null
+++ b/share/security/patches/EN-19:17/ipfw.patch
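Review bot: `emulate_test` only emulates the `/0` form of opcode F7 and returns EINVAL for the other Group 3 encodings that share that opcode byte (NOT, NEG, MUL, IMUL, DIV, IDIV), yet the `one_byte_opcodes[0xF7]` entry sets `VIE_OP_F_IMM` for the whole group, so the decoder presumably consumes an immediate for those forms too before emulation rejects them; that is harmless because the decoded instruction is discarded, but the table comment should say so, e.g. `/* XXX Group 3 extended opcode - only /0 (TEST r/m, imm) is emulated; the other /r forms are rejected by emulate_test() */`. The two new emulators also differ in shape for no visible reason: `emulate_test` returns from inside the switch on every error path, while `emulate_add` breaks out and funnels everything through a single `return (error)` after its flags update; picking one of the two patterns would make them easier to compare with each other and with `emulate_sub`. Neither function has a header comment; a one-liner naming the opcode form handled and noting that the r/m side is always the memory operand fetched via `memread` would help the next reader. The `getaddflags`/`getandflags` dispatchers guard the operand size with a KASSERT only and otherwise treat any unexpected size as 64-bit, which mirrors the existing `getcc` helper whose tail is visible at the top of the hunk. `emulate_sub`'s signature appears in the hunk but its body lies outside it.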
@@ -0,0 +1,33 @@
+--- sbin/ipfw/ipfw2.c.orig
++++ sbin/ipfw/ipfw2.c
+@@ -4662,12 +4662,27 @@
+ case TOK_JAIL:
+ NEED1("jail requires argument");
+ {
++ char *end;
+ int jid;
+
+ cmd->opcode = O_JAIL;
+- jid = jail_getid(*av);
+- if (jid < 0)
+- errx(EX_DATAERR, "%s", jail_errmsg);
++ /*
++ * If av is a number, then we'll just pass it as-is. If
++ * it's a name, try to resolve that to a jid.
++ *
++ * We save the jail_getid(3) call for a fallback because
++ * it entails an unconditional trip to the kernel to
++ * either validate a jid or resolve a name to a jid.
++ * This specific token doesn't currently require a
++ * jid to be an active jail, so we save a transition
++ * by simply using a number that we're given.
++ */
++ jid = strtoul(*av, &end, 10);
++ if (*end != '\0') {
++ jid = jail_getid(*av);
++ if (jid < 0)
++ errx(EX_DATAERR, "%s", jail_errmsg);
++ }
+ cmd32->d[0] = (uint32_t)jid;
+ cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
+ av++;
diff --git a/share/security/patches/EN-19:17/ipfw.patch.asc b/share/security/patches/EN-19:17/ipfw.patch.asc
new file mode 100644
index 0000000000..f6e8f8738b
--- /dev/null
+++ b/share/security/patches/EN-19:17/ipfw.patch.asc
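Review bot: The numeric fast path is looser than the `jail_getid(3)` call it replaces: `strtoul("")` returns 0 with `*end == '\0'`, so an empty jail argument is installed as jid 0 instead of failing, and a value above INT_MAX or with a leading `-` is silently narrowed through `int jid` and the `(uint32_t)` cast because neither ERANGE nor the range is checked. This is operator-supplied rule text in a userland tool, so the consequence is a rule that does not match the jail the operator meant rather than a memory-safety problem, but the long comment will lead a reader to assume the parse is as strict as before. Parsing into an `unsigned long` with `errno` reset and taking the `jail_getid()` fallback unless the whole string was consumed and the value fits an `int` keeps the kernel round-trip optimisation while restoring the old strictness. The enclosing `switch` and the closing brace of this block are outside the hunk.
```c
			char *end;
			unsigned long ul;
			int jid;
			/* … unchanged: cmd->opcode = O_JAIL; and the explanatory comment … */
			errno = 0;
			ul = strtoul(*av, &end, 10);
			if (end == *av || *end != '\0' || errno == ERANGE || ul > INT_MAX) {
				jid = jail_getid(*av);
				if (jid < 0)
					errx(EX_DATAERR, "%s", jail_errmsg);
			} else
				jid = (int)ul;
```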
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPhhfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJoZQ//ZnkPQW6u638iGHQh1f7iqJCF/Q1kbdsKTNNvVEmWJPvcaB7kuTN4xXIt
+Lji51yk1hlVIrol+mmelvidJTkJbKu/GWR1/T4NlZ8Q0gSVZaGK3AZpMbbDI0ZSP
+tyOUD0pPUtsHf6d2oD6ozSAnH+Jk3OxoSwQ6z4PWNGDss69QQcVolpDEC9AXUHJ3
+vVBfk2+lJS5L0HmVIJxWgcS3ce3Qg9LB9VXbJRJ/nLsgMKtE6NHc9gYsnCf2e+r2
+3LTEeZI36BmsIEk7AB/0QN37ghlmpheyDDgd7HjV/PRJL7yWYvppWV3Jvp2yyWpu
+B/zaRKV/KopT+zx0ySiw5yO2R2WBVwNaUpFiRTwPTtJr4P9Ou/v1FkA5demupcUb
+RClgAPTRvBzg7KxC62qJ0h8Bf72ZH5ZPFSfrz548qGduUQ1DVxY3W3+K4aHsRCar
+E14NSZMHI+o5XPvZ+jEVkQV5rRqO0qU7dt+SHDju/0kEXAp+LK3Sn19dOoyD1b+L
+04t0kaYWMvKHHT3SIZMwuXqUU/L3OqrmlI/9/gQe9GSJjkmiABWgxXk8xQPPx+30
+Riij6j12PS2BAU4gj8EN+AuSUajemfXmm8oKd/J/IowEHV79Z2MTbJ8lZbD/Es/V
+ptH7Uf7Sb17mnYsMg7VrznDztFP0w9UuHETuHQM3PVJGqGiej1o=
+=JRT2
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-19:22/mbuf.patch b/share/security/patches/SA-19:22/mbuf.patch
new file mode 100644
index 0000000000..6c2b72978c
--- /dev/null
+++ b/share/security/patches/SA-19:22/mbuf.patch
@@ -0,0 +1,11 @@
+--- sys/kern/uipc_mbuf2.c.orig
++++ sys/kern/uipc_mbuf2.c
+@@ -216,7 +216,7 @@
+ goto ok;
+ }
+ if ((off == 0 || offp) && M_LEADINGSPACE(n->m_next) >= hlen
+- && writable) {
++ && writable && n->m_next->m_len >= tlen) {
+ n->m_next->m_data -= hlen;
+ n->m_next->m_len += hlen;
+ bcopy(mtod(n, caddr_t) + off, mtod(n->m_next, caddr_t), hlen);
diff --git a/share/security/patches/SA-19:22/mbuf.patch.asc b/share/security/patches/SA-19:22/mbuf.patch.asc
new file mode 100644
index 0000000000..ef6acb0ae5
--- /dev/null
+++ b/share/security/patches/SA-19:22/mbuf.patch.asc
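Review bot: The added `n->m_next->m_len >= tlen` clause is the entire fix, yet nothing at the site explains why the next mbuf's existing length matters when only `hlen` bytes are being prepended to it, so a later cleanup can plausibly drop it as redundant with the `M_LEADINGSPACE` test. As I read the surrounding code, this branch presumably hands `n->m_next` back as holding the full requested run contiguously, which is only true if the `tlen` bytes beyond `hlen` were already present in it; the prepend itself is bounded by `M_LEADINGSPACE`, so the new clause protects the caller's later reads, not the `bcopy` here. A comment above the `if` would pin that, e.g. `/* n->m_next must already hold the tlen bytes that follow hlen; otherwise the mbuf returned claims more contiguous data than it has. */`. The enclosing function starts and ends outside the hunk, so the accounting that consumes `tlen` is not visible here.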
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPhtfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKtvg/+Kx/TZnaO5CSvdJP4UCqLAnjYvCd2iJnBLGaqspvZA38uhLguvu0qI6Nb
+Ijeg0R26JSruqlTCFD2NZi64b76ErMsymlwSJfbNheNU/Mk16MYNPvvTeAv/0LcU
+OHNBNTcQ40mb5whr/yDp6fJk1IE+yDU0nryNaP3gSw91fKO4CrCbmZhK8+XbjudA
+YlqmvcbbHlet7DJ4UUONwo1SZpF/l7CmjTFA++rHMxAwPD2jodU3js3kJjgv6JOj
+53jqIOyxSJNHRQqjRMjJ3m/Ctf1DHJa8LQkt8dFtMB9bWJ2qeYlJsm8Sosie8hD4
+gVPFEZP3m0qF8Zpbm2jXn0QkZ620l/jGmbn2ZfFikB0slSYWO5b2zcl1KiwsVCnv
+Bfx9OuIRtrFLmv3yi6lBKdEKZFzXN6/nXf0PdTvwKqszfJIveCMVOtjdbzzxfHwf
+r5MiTkLvcytnlpQybn3jCxSi2Kdmsted7BUXlClRN/ySFUxiJpP0HRURsnD3gOtj
+LaJS1FWcsrDvShjbXAon+vp59OewnmuJyDGizcRMOsHTK2yl97TR0cq0kcWi3X4R
+6O+d8OfKx7goQ03Oa/G4KVJZTzrk9OAXNcV4iZSHCRc9XqaeoZdNe6zu5Acs030J
+JGCe0vC23wb7dDYY042rTRBfnvURF8TyYUmWGCWYiUBd85mHxiQ=
+=v2wC
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-19:23/midi.patch b/share/security/patches/SA-19:23/midi.patch
new file mode 100644
index 0000000000..d2f8adef9c
--- /dev/null
+++ b/share/security/patches/SA-19:23/midi.patch
@@ -0,0 +1,333 @@ +--- sys/dev/sound/midi/midi.c.orig ++++ sys/dev/sound/midi/midi.c +@@ -40,6 +40,7 @@ + __FBSDID("$FreeBSD$"); + + #include ++#include + #include + #include + #include +@@ -49,10 +50,8 @@ + #include + #include + #include +-#include + #include +-#include +-#include ++#include + #include + #include + #include +@@ -187,10 +186,9 @@ + * /dev/midistat variables and declarations, protected by midistat_lock + */ + +-static struct mtx midistat_lock; ++static struct sx midistat_lock; + static int midistat_isopen = 0; + static struct sbuf midistat_sbuf; +-static int midistat_bufptr; + static struct cdev *midistat_dev; + + /* +@@ -289,7 +287,7 @@ + MIDI_TYPE *buf; + + MIDI_DEBUG(1, printf("midiinit: unit %d/%d.\n", unit, channel)); +- mtx_lock(&midistat_lock); ++ sx_xlock(&midistat_lock); + /* + * Protect against call with existing unit/channel or auto-allocate a + * new unit number. +@@ -316,13 +314,8 @@ + unit = i + 1; + + MIDI_DEBUG(1, printf("midiinit #2: unit %d/%d.\n", unit, channel)); +- m = malloc(sizeof(*m), M_MIDI, M_NOWAIT | M_ZERO); +- if (m == NULL) +- goto err0; +- +- m->synth = malloc(sizeof(*m->synth), M_MIDI, M_NOWAIT | M_ZERO); +- if (m->synth == NULL) +- goto err1; ++ m = malloc(sizeof(*m), M_MIDI, M_WAITOK | M_ZERO); ++ m->synth = malloc(sizeof(*m->synth), M_MIDI, M_WAITOK | M_ZERO); + kobj_init((kobj_t)m->synth, &midisynth_class); + m->synth->m = m; + kobj_init((kobj_t)m, cls); +@@ -331,7 +324,7 @@ + + MIDI_DEBUG(1, printf("midiinit queues %d/%d.\n", inqsize, outqsize)); + if (!inqsize && !outqsize) +- goto err2; ++ goto err1; + + mtx_init(&m->lock, "raw midi", NULL, 0); + mtx_init(&m->qlock, "q raw midi", NULL, 0); +@@ -356,8 +349,7 @@ + + if ((inqsize && !MIDIQ_BUF(m->inq)) || + (outqsize && !MIDIQ_BUF(m->outq))) +- goto err3; +- ++ goto err2; + + m->busy = 0; + m->flags = 0; +@@ -366,14 +358,14 @@ + m->cookie = cookie; + + if (MPU_INIT(m, cookie)) +- goto err3; ++ goto err2; + + mtx_unlock(&m->lock); + mtx_unlock(&m->qlock); + + 
TAILQ_INSERT_TAIL(&midi_devs, m, link); + +- mtx_unlock(&midistat_lock); ++ sx_xunlock(&midistat_lock); + + m->dev = make_dev(&midi_cdevsw, + MIDIMKMINOR(unit, MIDI_DEV_RAW, channel), +@@ -382,16 +374,19 @@ + + return m; + +-err3: mtx_destroy(&m->qlock); ++err2: ++ mtx_destroy(&m->qlock); + mtx_destroy(&m->lock); + + if (MIDIQ_BUF(m->inq)) + free(MIDIQ_BUF(m->inq), M_MIDI); + if (MIDIQ_BUF(m->outq)) + free(MIDIQ_BUF(m->outq), M_MIDI); +-err2: free(m->synth, M_MIDI); +-err1: free(m, M_MIDI); +-err0: mtx_unlock(&midistat_lock); ++err1: ++ free(m->synth, M_MIDI); ++ free(m, M_MIDI); ++err0: ++ sx_xunlock(&midistat_lock); + MIDI_DEBUG(1, printf("midi_init ended in error\n")); + return NULL; + } +@@ -409,7 +404,7 @@ + int err; + + err = EBUSY; +- mtx_lock(&midistat_lock); ++ sx_xlock(&midistat_lock); + mtx_lock(&m->lock); + if (m->busy) { + if (!(m->rchan || m->wchan)) +@@ -428,8 +423,10 @@ + if (!err) + goto exit; + +-err: mtx_unlock(&m->lock); +-exit: mtx_unlock(&midistat_lock); ++err: ++ mtx_unlock(&m->lock); ++exit: ++ sx_xunlock(&midistat_lock); + return err; + } + +@@ -941,27 +938,22 @@ + int error; + + MIDI_DEBUG(1, printf("midistat_open\n")); +- mtx_lock(&midistat_lock); + ++ sx_xlock(&midistat_lock); + if (midistat_isopen) { +- mtx_unlock(&midistat_lock); ++ sx_xunlock(&midistat_lock); + return EBUSY; + } + midistat_isopen = 1; +- mtx_unlock(&midistat_lock); +- + if (sbuf_new(&midistat_sbuf, NULL, 4096, SBUF_AUTOEXTEND) == NULL) { + error = ENXIO; +- mtx_lock(&midistat_lock); + goto out; + } +- mtx_lock(&midistat_lock); +- midistat_bufptr = 0; + error = (midistat_prepare(&midistat_sbuf) > 0) ? 
0 : ENOMEM; +- +-out: if (error) ++out: ++ if (error) + midistat_isopen = 0; +- mtx_unlock(&midistat_lock); ++ sx_xunlock(&midistat_lock); + return error; + } + +@@ -969,40 +961,40 @@ + midistat_close(struct cdev *i_dev, int flags, int mode, struct thread *td) + { + MIDI_DEBUG(1, printf("midistat_close\n")); +- mtx_lock(&midistat_lock); ++ sx_xlock(&midistat_lock); + if (!midistat_isopen) { +- mtx_unlock(&midistat_lock); ++ sx_xunlock(&midistat_lock); + return EBADF; + } + sbuf_delete(&midistat_sbuf); + midistat_isopen = 0; +- +- mtx_unlock(&midistat_lock); ++ sx_xunlock(&midistat_lock); + return 0; + } + + static int +-midistat_read(struct cdev *i_dev, struct uio *buf, int flag) ++midistat_read(struct cdev *i_dev, struct uio *uio, int flag) + { +- int l, err; ++ long l; ++ int err; + + MIDI_DEBUG(4, printf("midistat_read\n")); +- mtx_lock(&midistat_lock); ++ sx_xlock(&midistat_lock); + if (!midistat_isopen) { +- mtx_unlock(&midistat_lock); ++ sx_xunlock(&midistat_lock); + return EBADF; + } +- l = min(buf->uio_resid, sbuf_len(&midistat_sbuf) - midistat_bufptr); ++ if (uio->uio_offset < 0 || uio->uio_offset > sbuf_len(&midistat_sbuf)) { ++ sx_xunlock(&midistat_lock); ++ return EINVAL; ++ } + err = 0; ++ l = lmin(uio->uio_resid, sbuf_len(&midistat_sbuf) - uio->uio_offset); + if (l > 0) { +- mtx_unlock(&midistat_lock); +- err = uiomove(sbuf_data(&midistat_sbuf) + midistat_bufptr, l, +- buf); +- mtx_lock(&midistat_lock); +- } else +- l = 0; +- midistat_bufptr += l; +- mtx_unlock(&midistat_lock); ++ err = uiomove(sbuf_data(&midistat_sbuf) + uio->uio_offset, l, ++ uio); ++ } ++ sx_xunlock(&midistat_lock); + return err; + } + +@@ -1015,7 +1007,7 @@ + { + struct snd_midi *m; + +- mtx_assert(&midistat_lock, MA_OWNED); ++ sx_assert(&midistat_lock, SA_XLOCKED); + + sbuf_printf(s, "FreeBSD Midi Driver (midi2)\n"); + if (TAILQ_EMPTY(&midi_devs)) { +@@ -1378,8 +1370,7 @@ + static int + midi_destroy(struct snd_midi *m, int midiuninit) + { +- +- mtx_assert(&midistat_lock, 
MA_OWNED); ++ sx_assert(&midistat_lock, SA_XLOCKED); + mtx_assert(&m->lock, MA_OWNED); + + MIDI_DEBUG(3, printf("midi_destroy\n")); +@@ -1405,8 +1396,8 @@ + static int + midi_load(void) + { +- mtx_init(&midistat_lock, "midistat lock", NULL, 0); +- TAILQ_INIT(&midi_devs); /* Initialize the queue. */ ++ sx_init(&midistat_lock, "midistat lock"); ++ TAILQ_INIT(&midi_devs); + + midistat_dev = make_dev(&midistat_cdevsw, + MIDIMKMINOR(0, MIDI_DEV_MIDICTL, 0), +@@ -1423,7 +1414,7 @@ + + MIDI_DEBUG(1, printf("midi_unload()\n")); + retval = EBUSY; +- mtx_lock(&midistat_lock); ++ sx_xlock(&midistat_lock); + if (midistat_isopen) + goto exit0; + +@@ -1436,20 +1427,19 @@ + if (retval) + goto exit1; + } +- +- mtx_unlock(&midistat_lock); /* XXX */ +- ++ sx_xunlock(&midistat_lock); + destroy_dev(midistat_dev); ++ + /* + * Made it here then unload is complete + */ +- mtx_destroy(&midistat_lock); ++ sx_destroy(&midistat_lock); + return 0; + + exit1: + mtx_unlock(&m->lock); + exit0: +- mtx_unlock(&midistat_lock); ++ sx_xunlock(&midistat_lock); + if (retval) + MIDI_DEBUG(2, printf("midi_unload: failed\n")); + return retval; +@@ -1498,13 +1488,11 @@ + int retval = 0; + struct snd_midi *m; + +- mtx_lock(&midistat_lock); +- ++ sx_xlock(&midistat_lock); + TAILQ_FOREACH(m, &midi_devs, link) { + retval++; + } +- +- mtx_unlock(&midistat_lock); ++ sx_xunlock(&midistat_lock); + return retval; + } + +@@ -1520,17 +1508,15 @@ + struct snd_midi *m; + int retval = 0; + +- mtx_lock(&midistat_lock); +- ++ sx_xlock(&midistat_lock); + TAILQ_FOREACH(m, &midi_devs, link) { + if (unit == retval) { +- mtx_unlock(&midistat_lock); ++ sx_xunlock(&midistat_lock); + return (kobj_t)m->synth; + } + retval++; + } +- +- mtx_unlock(&midistat_lock); ++ sx_xunlock(&midistat_lock); + return NULL; + } + diff --git a/share/security/patches/SA-19:23/midi.patch.asc b/share/security/patches/SA-19:23/midi.patch.asc new file mode 100644 index 0000000000..42c1abc673 --- /dev/null 
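Review bot: In the rewritten `midistat_open`, when `midistat_prepare()` fails after `sbuf_new()` has succeeded, the path to `out:` clears `midistat_isopen` but never calls `sbuf_delete(&midistat_sbuf)`, so the storage `sbuf_new` allocated (it is passed a NULL buffer) is presumably left behind until the next open re-initialises the static sbuf; the old code had the same gap, and reworking this function was the moment to close it with `if (error) sbuf_delete(&midistat_sbuf);` directly after the `midistat_prepare` line, not at `out:`, which the `sbuf_new` failure path also reaches. Separately, the switch of `midistat_lock` from `mtx` to `sx` is what lets `midistat_read` keep the lock across `uiomove()` and index by `uio_offset` instead of dropping the lock around the copy and tracking the position in a global, but nothing at the declaration records that; a comment such as `/* sx rather than mtx: held across uiomove() in midistat_read */` at `static struct sx midistat_lock;` would explain why a mutex must not be reintroduced. The nested hunks show each touched function only in fragments, so the rest of midi.c is outside this review.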
+++ b/share/security/patches/SA-19:23/midi.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPh5fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKlVg//VZ6BqKXoW5f0HEA3wVdn9if3Fxux4q4hJw80AAJ+Zq+zF8zKCgZRaOS9
+nO+q5zj54IdSBKyGScqJ0owYE2gKdqdXz1/uYTz8cxjiUV+/JNtyPydHrt2eznYI
+9vbeShyCI48BnR74b9EiFY/2Naq0YICv3CHBR9oWSaPkYdLPdF4QSpKwrRSID0Ok
+bnomM8kGAUzpAtPoCMTpn9CJT+J/DCyXzvl3Npcn6m/iZCVtx94rktmWaoTYRNeD
+FkG77hMNkBQFJ3IkJjFJKSswwCky87F8u/2TF6vDyvYvfzpuuOFBS09AET8TmutV
+AmjA64tKltOALunaB5y0w/xXQiL/EoSY29UdH173xjh7/U/OFBA0cL//lFQOiTiE
+LuT0MCxsvk2A6WFglQTw8QMtcx3hez8GYzCmy/gJgVv6889c/l61eYR1TUqxNUKJ
++lzi9q1tX7M1vZmNwEUJLavwvSCJfqMMLO75C0Az8VKfI8HJDLrAeexrLWYK6Ayz
+/TRJx8GHS3lHNcVlBFg1LrvPdDGkOoO9EAIPvP3aUG6d256J/zVUHxvb6iFA4YG5
+9ptHQIXtqGGQTfNUl4WEUjb5+7U9C+QkuW7DCQTcuKEEjohA0SoY77/QU/ZrKX4+
+/G5wlR2hZ6Q9T9QVm1SMAY+rpu4znVWdObt2wsvgSbcNZKsyfF0=
+=Ditr
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-19:24/mqueuefs.patch b/share/security/patches/SA-19:24/mqueuefs.patch
new file mode 100644
index 0000000000..1a5ecd318b
--- /dev/null
+++ b/share/security/patches/SA-19:24/mqueuefs.patch
@@ -0,0 +1,19 @@
+--- sys/kern/uipc_mqueue.c.orig
++++ sys/kern/uipc_mqueue.c
+@@ -2806,7 +2806,7 @@
+ if (uap->abs_timeout != NULL) {
+ error = copyin(uap->abs_timeout, &ets32, sizeof(ets32));
+ if (error != 0)
+- return (error);
++ goto out;
+ CP(ets32, ets, tv_sec);
+ CP(ets32, ets, tv_nsec);
+ abs_timeout = &ets;
+@@ -2815,6 +2815,7 @@
+ waitok = !(fp->f_flag & O_NONBLOCK);
+ error = mqueue_send(mq, uap->msg_ptr, uap->msg_len,
+ uap->msg_prio, waitok, abs_timeout);
++out:
+ fdrop(fp, td);
+ return (error);
+ }
diff --git a/share/security/patches/SA-19:24/mqueuefs.patch.asc b/share/security/patches/SA-19:24/mqueuefs.patch.asc
new file mode 100644
index 0000000000..7c21d82c30
--- /dev/null
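Review bot: The new `out:` label only routes the `copyin` failure shown through `fdrop(fp, td)`; any other early `return` between the point where `fp` is presumably acquired (outside the hunk) and `out:` would still leak the file reference in the same way, so the lines not shown deserve the same audit this path received. Now that the label exists, a short comment on it states the invariant the next edit has to keep, e.g. `out:	/* fp is held from the lookup above; every exit past it must fdrop() */`. The enclosing function starts outside the hunk, and the `ets32`/`CP` pattern suggests this is a 32-bit compatibility wrapper, so its native counterpart may warrant the same check.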
+++ b/share/security/patches/SA-19:24/mqueuefs.patch.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPiJfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cKBYQ//SP6pcenVbNJrwNgR25HXKLfJ4osBPxMSVPE3nN5inPfJWAVnL1gNGQSR +E01Pmxkz/4DrBjPhVlXUkFY7WCZu6QYgBRjFb8WadTGtUS+zg+/hz+/517OclRms +KvKwZqnYVKDD2141X7Ign4h5EWQek6gkkhOmkMg6ROa2nl932l9RKguRvd6V1hDO +c+JYhnpcOCj+lTLVF8ZTnOXMgVEVJs9RsBLWlwesDMLKCM4uSAY+p5IoXYiBvUVM +hqd38u/Lr2QrijWpXwDk4XylxzWoUY+ben4ODtAPuVD0KxyA5h+39xRKCqrgrUfF +3rYRi/ytSWVElVetitNAJcLrsv1Ho7mhKdTBuVj7zEXto+qtpxaJ/dbYaTUl5dwE +mQzLOP/XcRpMr2Ryf1MmUxsRlF11g2GcKn2dufycPtiRuTzSDtVmHTLUK1hFsXvT +QO6Mvfml+far/4ZPvn6Q6KwBoudiUpUiEkwPt2/Nb6ynnHWdUk4av6Kbcu7UlkiR +a+oPTDlos+p0/IKyjwuBgOFjXC2OKZpELjgL3pmPrhOTEPKLduiFhfsiywN04ofx +Zh0065kQFnSPenUAsO8s8WNx2gf+JhqG3HZs2Die6lTRmxJsiHYGZ8IpNaPig+W4 +VVJe+iQ7NTQ3gGieWHwnZd2DTvmhoUWnh1usw2XuX8Atug8JCuI= +=Mzmh +-----END PGP SIGNATURE----- diff --git a/share/xml/advisories.xml b/share/xml/advisories.xml index 4c22207b0f..81eb8ebe9d 100644 --- a/share/xml/advisories.xml +++ b/share/xml/advisories.xml @@ -10,6 +10,23 @@ 8 + + 20 + + + FreeBSD-SA-19:24.mqueuefs + + + + FreeBSD-SA-19:23.midi + + + + FreeBSD-SA-19:22.mbuf + + + + 6 diff --git a/share/xml/notices.xml b/share/xml/notices.xml index d7d44fde33..1104cb9690 100644 --- a/share/xml/notices.xml +++ b/share/xml/notices.xml @@ -10,6 +10,19 @@ 8 + + 20 + + + FreeBSD-EN-19:17.ipfw + + + + FreeBSD-EN-19:16.bhyve + + + + 6