Revise EN-15:08, add EN-15:09.xlocale and EN-15:10.iconv.

svn path=/head/; revision=46903

share/security/advisories/FreeBSD-EN-15:08.sendmail.asc

@@ -9,27 +9,32 @@ Topic:          sendmail TLS/DH Interoperability Improvement
 
 Category:       contrib
 Module:         sendmail
-Announced:      2015-06-18
+Announced:      2015-06-18; Last revised on 2015-06-30.
 Credits:        Frank Seltzer, Gregory Shapiro
 Affects:        All supported versions of FreeBSD.
-Corrected:      2015-06-17 02:39:10 UTC (stable/10, 10.1-STABLE)
+Corrected:      2015-06-25 01:49:44 UTC (stable/10, 10.1-STABLE)
-                2015-06-18 05:36:45 UTC (releng/10.1, 10.1-RELEASE-p13)
+                2015-06-30 23:21:37 UTC (releng/10.1, 10.1-RELEASE-p14)
-                2015-06-17 03:11:25 UTC (stable/9, 9.3-STABLE)
+                2015-06-25 01:53:45 UTC (stable/9, 9.3-STABLE)
-                2015-06-18 05:36:45 UTC (releng/9.3, 9.3-RELEASE-p17)
+                2015-06-30 23:21:48 UTC (releng/9.3, 9.3-RELEASE-p18)
-                2015-06-17 03:22:18 UTC (stable/8, 8.4-STABLE)
+                2015-06-25 01:56:36 UTC (stable/8, 8.4-STABLE)
-                2015-06-18 05:36:45 UTC (releng/8.4, 8.4-RELEASE-p31)
+                2015-06-30 23:21:59 UTC (releng/8.4, 8.4-RELEASE-p32)
 
 For general information regarding FreeBSD Errata Notices and Security
 Advisories, including descriptions of the fields above, security
 branches, and the following sections, please visit
 <URL:https://security.freebsd.org/>.
 
+0.   Revision history
+
+v1.0  2015-06-18 Initial release.
+v1.1  2015-06-30 Revised patch for non-existent DH parameter file.
+
 I.   Background
 
-sendmail supports STARTTLS encrypted connections using DHE_EXPORT
+Sendmail supports STARTTLS encrypted connections using DHE_EXPORT
-ciphers.  As part of that support, by default, sendmail employs 1024-bit
+ciphers.  As part of that support, by default, Sendmail employs 1024-bit
-DH parameters for server connections and 512-bit DH parameters for
+DH parameters for server connections but 512-bit DH parameters if
-client connections.
+configured to use a DH parameter file that does not exist.
 
 II.  Problem Description
 
@@ -39,14 +44,16 @@ parameters during negotiation, thereby reducing interoperability.
 
 III. Impact
 
-In its default configuration, client connections from sendmail to other
+In its default FreeBSD configuration, client connections from Sendmail
-SMTP servers will not be able to negotiate a STARTTLS encrypted session
+to other SMTP servers will not be able to negotiate a STARTTLS encrypted
-with SMTP servers which reject 512-bit DH parameters.  This may cause
+session with SMTP servers that reject 512-bit DH parameters.  This may
-mail deliverability issues for outbound mail.
+cause mail deliverability issues for outbound mail.
 
 IV.  Workaround
 
-To work around this interoperability, sendmail can be configured to use
+Systems that do not use Sendmail are not affected.
+
+To work around this interoperability, Sendmail can be configured to use
 a 1024 or 2048 bit DH parameter using these steps:
 
         1. Edit /etc/mail/`hostname`.mc
@@ -59,20 +66,17 @@ a 1024 or 2048 bit DH parameter using these steps:
            for 2048-bit or:
                 openssl dhparam -out /path/to/file 1024
            for 1024-bit.
-        4. If you have modified your MSP submission configuration
-           file to enable STARTTLS (not enabled by default), repeat
-           the above steps for /etc/mail/`hostname`.submit.mc.
-        5. Rebuild the .cf file(s):
-                cd /etc/mail/; make; make install
-        6. Restart sendmail:
-                cd /etc/mail/; make restart
 
-Systems that do not use sendmail are not affected.
+        4. Rebuild the .cf file:
+                 cd /etc/mail/; make; make install
+        5. Restart sendmail:
+                 cd /etc/mail/; make restart
 
 V.   Solution
 
-A change to the raise the default for sendmail client connections to
+A change to the raise the default for Sendmail connections to use
-1024-bit DH parameters has been committed.
+1024-bit DH parameters if the configured DH parameters file does not
+exist has been committed.
 
 Perform one of the following:
 
@@ -99,6 +103,10 @@ detached PGP signature using your PGP utility.
 # fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail.patch.asc
 # gpg --verify sendmail.patch.asc
 
+# fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail-01.patch
+# fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail-01.patch.asc
+# gpg --verify sendmail.patch.asc
+
 b) Apply the patch.  Execute the following commands as root:
 
 # cd /usr/src
@@ -107,7 +115,7 @@ b) Apply the patch.  Execute the following commands as root:
 c) Recompile the operating system using buildworld and installworld as
 described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
 
-Restart the sendmail daemon(s), or reboot the system.
+Restart the Sendmail daemon(s), or reboot the system.
 
 VI.  Correction details
 
@@ -116,12 +124,12 @@ affected branch.
 
 Branch/path                                                      Revision
 - -------------------------------------------------------------------------
-stable/8/                                                         r284491
+stable/8/                                                         r284790
-releng/8.4/                                                       r284536
+releng/8.4/                                                       r284987
-stable/9/                                                         r284488
+stable/9/                                                         r284788
-releng/9.3/                                                       r284536
+releng/9.3/                                                       r284986
-stable/10/                                                        r284485
+stable/10/                                                        r284786
-releng/10.1/                                                      r284536
+releng/10.1/                                                      r284985
 - -------------------------------------------------------------------------
 
 To see which files were modified by a particular revision, run the
@@ -141,17 +149,17 @@ https://security.FreeBSD.org/advisories/FreeBSD-EN-15:08.sendmail.asc
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.1.5 (FreeBSD)
 
-iQIcBAEBCgAGBQJVgllYAAoJEO1n7NZdz2rnsY0QAIKcqNxRed97fvmxvL9kX1In
+iQIcBAEBCgAGBQJVkyZLAAoJEO1n7NZdz2rnsdsP/2+xJUiaNWialSFlTwE75sHC
-CpdKO0Cso8EhCDOKJzmSYR49QZc6CNtPflbgbK2wktiHptmK87R+xODyIWBR1q8T
+vN/CrkceLw6QrUi5U0PpQdI7xP/y8Cspj/vDCNUbHlkK8WfA5G8J6WhyyaVxMREG
-peMoevr942gCUZzrA259cLaWJGC7MZer5G9SIsB7cnMJox/QcHmQysDONfu1PRjf
+aZTPHFBn0/IeP2vxlyf0PLq6hL1KtasOQNjDEasUMb4uclaE+hn3QxrWk+KGoe8B
-T8T3/q24230PnBBJpR1SNDMOPAc1YLMetEZ3ue72ToG9pd6gAXN8I9N1ZUPY/6dd
+8rZHYS6Y9gOfWLJj7Rvf6T6TEtKf8Mz1cBfn7lRQbF7yDwkvNDpmNv7BhTQOM5rw
-9/urhdQnxlX5RB3JnqujueJvCrcstInZ8grtKOmTfPSUcWGL++dwu6YH34ORwKDh
+/2q2i4ZjuZT4AX0IaSzZLC1dEyxuUKqAxMV1D+F1WYBQqMUwnoJLMAETmWXphuSa
-wiI8U+qyg1Lq5vGx6srDOkGAhiSbYi177PV1RCNTxY28yGVvhiiSnLSsIesZBcoB
+QGDNU0w3PbAJrgK06qeLSswVo/r/5h+kjra5eL17MPKZPO+sWHv9E1jS7wUsbsFB
-pVYcefBJeqcXNuQC5jsGKHEbti9X3bhHnThOaOBOvrooEGcc7/DuP02BZiNOWDvV
+RE7kcafgWcN9S0TBldyuFo9g8nwjsWq4uooSLrf8pG8y7U6FtXbgyitS3BNVKT7i
-3axT+iFzJdZ1sZktdUQl65zqVBSDASTFz5uG/nTUFASj0W4+vVEghy6FAxlf3aBO
+9GqzTi89HKPefnPQR5wfJIl9YXgKvWJ/FNei7MpGTl2LGKHSd2P/21+OoIjfNeQl
-eV9tqxeUozt0nSb/44n2u2GHRplWWS1KEE3N+skN5IT4RfZaNvTVtZ0s1fRv6Jum
+hYOP9uWDrk3Uf7gJVrJOobMfme5Zb1/LDSQegTIFjzQ0Iac1p4nqj53rzG2Nufyx
-YNut6TGiVIyTACP0JjS2TkGC3kdPrqweZSQ6xnfrgOSCS+3w2nR1aqaGJ3aCIm/b
+/Y93rKOz280NCS193buARcl4KmFp9oGaJTjVG9Cthu8FUFlCkCeZl13ZrhDufKBS
-9ixFFIW03LhBH2fl4Y68+CbAlIgGd0zigbRds1IGxRSUxR8AKBngqC+KQUFCOSnY
+z2ZEwkIYFamOFjbhCUJ5wm3gsozV7bzAOSRQEFEzzLDlYGPv2RPDAlgREcuzxr8N
-snl4x6f2t36abWYgneaP
+OhK1HFcIqXbXRthWN7Sp
-=mvxv
+=ibhZ
 -----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-EN-15:09.xlocale.asc

@@ -0,0 +1,129 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-15:09.xlocale                                        Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Inconsistency between locale and rune locale states
+
+Category:       core
+Module:         libc
+Announced:      2015-06-30
+Credits:        David Chisnall
+Affects:        FreeBSD 9.x and FreeBSD 10.x.
+Corrected:      2015-06-17 19:12:18 UTC (stable/10, 10.1-STABLE)
+                2015-06-30 23:21:37 UTC (releng/10.1, 10.1-RELEASE-p14)
+                2015-06-17 19:13:13 UTC (stable/9, 9.3-STABLE)
+                2015-06-30 23:21:48 UTC (releng/9.3, 9.3-RELEASE-p18)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.freebsd.org/>.
+
+I.   Background
+
+Recent FreeBSD releases have support to thread-safe and extended locale API,
+modeled after the Darwin xlocale(3) API.
+
+The C standard locale API was reimplemented as a wrapper of the xlocale(3)
+API with a global locale in order to support its semantics.
+
+II.  Problem Description
+
+The locale and rune locale may become out of sync, in which case calls of
+mb* and similar functions would be supplied with wrong data.
+
+III. Impact
+
+Applications that uses xlocale but does not call setlocale(3) would crash.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-15:09/xlocale.patch
+# fetch https://security.FreeBSD.org/patches/EN-15:09/xlocale.patch.asc
+# gpg --verify xlocale.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all deamons using the library, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/9/                                                         r284525
+releng/9.3/                                                       r284986
+stable/10/                                                        r284524
+releng/10.1/                                                      r284985
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/188036>
+
+The latest revision of this Errata Notice is available at
+https://security.FreeBSD.org/advisories/FreeBSD-EN-15:09.locale.asc
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.5 (FreeBSD)
+
+iQIcBAEBCgAGBQJVkyZQAAoJEO1n7NZdz2rnitMQAK5jY0n9Kv0VDwP5J4EXdcHZ
+SOEE8n5O+bwWxVFWkqGGZrPQiUuJt6ujrAJb2iSeUtKIa2E84TLDVjmWGtyqP/RN
+rLlRjVVQo14EhSScRI54oUeAYpoBWU8oRtFiixFbw24gFEW/ZeovFxQUY1Waueuy
+Xpx28cmqQ3KG/T+Ujq1edHrtMpqwsBQd93eHRFSjtWaMrxmjnr4ln66AerdPQAYx
+ib2rznxy+MCF0rmHbTsYnpZKZ1DupcyU7YkOdhVTk8cviL44wPGaCrA9Oaf6Q2hW
+NTek9h5VQhvmhWaPsUZTGbQYPkvFjvEbmKOxRV+Mtf+UBt2y7SoqACpP1BbCC77n
+8uRGdI8MPpC1j9RHZ5miWz4NkA3W1Pa/oi66PRhenzXgDe9Ua4aykklqnINhOrgm
+ZBCLz1DXnx4WyeW2FIf7Z9GGcF3sUd9RU2e4H0WI3uZ75PT7p/zq1L4FKxXEn9/7
+VoGy6cyQWwFUZ27lIcSGLeUhSolrtDofHPwKe8YB12bTXPhxjNYs+4iYWF0ZScOE
+Wr9Jx7mKecNQ+jD5iEP2Ne7tzqSPSDZGzwkvifz+dmHT5L9hx6Pu916xp6/kzVg1
+up31EcoQOn1N/ZHjC9VgGmyOgdA5ENHKNPhzcYp2CrJSadBHQHeINfwbRLdzLjVl
+Nnt+YSShqakxvZhNmTex
+=Wfyl
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-EN-15:10.iconv.asc

@@ -0,0 +1,128 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-15:10.iconv                                          Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Improved iconv(3) UTF-7 support
+
+Category:       core
+Module:         libc/iconv
+Announced:      2015-06-30
+Credits:        Tijl Coosemans
+Affects:        FreeBSD 10.x
+Corrected:      2015-06-02 09:42:00 UTC (stable/10, 10.1-STABLE)
+                2015-06-30 23:21:37 UTC (releng/10.1, 10.1-RELEASE-p14)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.freebsd.org/>.
+
+I.   Background
+
+The iconv(3) API allows converting text data from one character set
+encoding to another.  Applications first open a converter between two
+encodings using iconv_open(3) and then convert text using iconv(3).
+
+UTF-7 is a variable-length character encoding representing Unicode text
+using a stream of ASCII characters.
+
+II.  Problem Description
+
+A defect in the iconv(3) UTF-7 decoding process causes the end of base64
+symbols ("-") to be treated as an incomplete character when they exist
+at the end of the string.
+
+III. Impact
+
+Applications that use iconv(3) to decode UTF-7 may receive an incorrect
+encoded result.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-15:10/iconv.patch
+# fetch https://security.FreeBSD.org/patches/EN-15:10/iconv.patch.asc
+# gpg --verify iconv.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all deamons using the library, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r283908
+releng/10.1/                                                      r284985
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/200398>
+
+The latest revision of this Errata Notice is available at
+https://security.FreeBSD.org/advisories/FreeBSD-EN-15:10.iconv.asc
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.5 (FreeBSD)
+
+iQIcBAEBCgAGBQJVkyZQAAoJEO1n7NZdz2rnue4P/2TGL5ucl/YypMQAcgDxRn77
+3zky6DhJSWx0ydnoCsFNogiK2A9qdw6YHvYMyqwjcVTZ9NpjeXSOnuEgaD6SN9Xj
+elIkvxPkbome8QDJAVsW+amqw1ipfJ4deN4XQqzbRTaNBd0Yo0jsC4S7zjVq+gwE
+0EJ98vYQz8KfOFRW5Y1DlCS2OkapuGHPcxBJsRGoz5Y4Qe8KYDivRDZPJsrhbEWY
++QF+xjZ+ZDvCl6qBSVcYgsVNeMr6jHjmIS2BYSeWypKmI1LfPgZszOMCZsS/rvAs
+DKsm9N7GcbMVCD0tUWSOQmN1jtfBEoYtgqoHg1/wg5/jTOlcVQgANVMF5p9jqo/Q
+BGBUWfwQACZ4cJI/lXTqUt87Dg1n15JtU011nDCfbK4Ll9ZaYioAisqx2kXdUgBP
+ojP3XMwoFtq2tJGJZLlIG3nWm3IatsOL+vtZxw6N4Y5PVksZeCctFikm7FhsCXjk
+SCVSn3w+rLP1klWSCbqUUtpvRSMP3JZDH7auytvykUZ2pncKAzwhfb+TI9Qqnguk
+RkSDUDnRvLEuwezZOAZ3lErVV/G38zyi6Hn/ODeO0Cg6w70XKdbuWqgf0z3etz7M
+HiHk4dpVNO7S4Y12wNdin1XgXa94s08wyiY7bSGpDaqL22O6CHgd0B+NAsqUqJSx
+lAsbtw23ytA4JwkVwIdf
+=hK2X
+-----END PGP SIGNATURE-----

share/security/patches/EN-15:08/sendmail-01.patch

@@ -0,0 +1,13 @@
+Index: contrib/sendmail/src/sendmail.h
+===================================================================
+--- contrib/sendmail/src/sendmail.h	(revision 284940)
++++ contrib/sendmail/src/sendmail.h	(working copy)
+@@ -1935,7 +1935,7 @@ struct termescape
+ 
+ /* server requirements */
+ #define TLS_I_SRV	(TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \
+-			 TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH512 | \
++			 TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH1024 | \
+ 			 TLS_I_CACHE)
+ 
+ /* client requirements */

share/security/patches/EN-15:08/sendmail-01.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.5 (FreeBSD)
+
+iQIcBAABCgAGBQJVkyZ+AAoJEO1n7NZdz2rnDCgP/03Bv37NZRCd3fpZC8Og73t2
+qFxR5glnHfXeNpAnI2p0Jmfvay4/ZHYEOIXQwS60wdnNElN00mudJ/D7RBVr5sGF
+fjW68S3+z9vppBP4pWq4xhitDkA+Ko9zZmCojMOta3DTBhJzp825i8al03wQbViQ
+Xgv7AhA52bsdXqcru83DfRDfXfUuf8BivgvuGoohfaVQYhAusrOlAXR9jij9mWJo
+24Phs3gXlmOvRnjWiRfcmESCZdZJwDwUfBXk+cMFuEQo60bburyjqp+rCD4bt1lN
+3zkRTLggBQefqLer78CP++A/PrLxLWajqRpZ0SvUny3HeWED8Yrp/8L3xc0H+Zfs
+Eo5lmVvi3RLAzTWgAkdQOBddjvYoK5jmJBauFyiY/sQ/sti1HT7vavXPIRZFTWFQ
+VM/+URwLudyAnIXqVn0iSuOrrjW5eQnchuEWYs6ar7qc375sa9um7idfif9kCq5j
+5GvBILw1m6CVfeuW5dfL/Gwkz6ALx9yqSVQ10L3m5Ik7+hbCAkD+GnMK53OvQSjA
+Kuw3nMDVHjdVVYZKYI7h8Ez25K2S9EoPARcmX9oikkeUYLR3s8PbLOikixltpRpp
+viaHkskG4bvxY2b5SP64NRZowUqPP2EgVY/Mi11pPsr5cuQR+PTTv7mx0QUzJ862
+m86CQtJ8so6TKWTO8bQb
+=c8JT
+-----END PGP SIGNATURE-----

share/security/patches/EN-15:09/xlocale.patch

@@ -0,0 +1,58 @@
+Index: lib/libc/locale/setrunelocale.c
+===================================================================
+--- lib/libc/locale/setrunelocale.c	(revision 284940)
++++ lib/libc/locale/setrunelocale.c	(working copy)
+@@ -202,6 +202,8 @@ __set_thread_rune_locale(locale_t loc)
+ 
+ 	if (loc == NULL) {
+ 		_ThreadRuneLocale = &_DefaultRuneLocale;
++	} else if (loc == LC_GLOBAL_LOCALE) {
++		_ThreadRuneLocale = 0;
+ 	} else {
+ 		_ThreadRuneLocale = XLOCALE_CTYPE(loc)->runes;
+ 	}
+Index: lib/libc/locale/xlocale.c
+===================================================================
+--- lib/libc/locale/xlocale.c	(revision 284940)
++++ lib/libc/locale/xlocale.c	(working copy)
+@@ -154,23 +154,24 @@ __get_locale(void)
+ static void
+ set_thread_locale(locale_t loc)
+ {
++	locale_t l = (loc == LC_GLOBAL_LOCALE) ? 0 : loc;
+ 
+ 	_once(&once_control, init_key);
+ 	
+-	if (NULL != loc) {
+-		xlocale_retain((struct xlocale_refcounted*)loc);
++	if (NULL != l) {
++		xlocale_retain((struct xlocale_refcounted*)l);
+ 	}
+ 	locale_t old = pthread_getspecific(locale_info_key);
+-	if ((NULL != old) && (loc != old)) {
++	if ((NULL != old) && (l != old)) {
+ 		xlocale_release((struct xlocale_refcounted*)old);
+ 	}
+ 	if (fake_tls) {
+-		thread_local_locale = loc;
++		thread_local_locale = l;
+ 	} else {
+-		pthread_setspecific(locale_info_key, loc);
++		pthread_setspecific(locale_info_key, l);
+ 	}
+ #ifndef __NO_TLS
+-	__thread_locale = loc;
++	__thread_locale = l;
+ 	__set_thread_rune_locale(loc);
+ #endif
+ }
+@@ -361,9 +362,6 @@ locale_t uselocale(locale_t loc)
+ {
+ 	locale_t old = get_thread_locale();
+ 	if (NULL != loc) {
+-		if (LC_GLOBAL_LOCALE == loc) {
+-			loc = NULL;
+-		}
+ 		set_thread_locale(loc);
+ 	}
+ 	return (old ? old : LC_GLOBAL_LOCALE);

share/security/patches/EN-15:09/xlocale.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.5 (FreeBSD)
+
+iQIcBAABCgAGBQJVkyZ+AAoJEO1n7NZdz2rnwpgQAI29DAkpuY6cD9vJNtVvD/BC
+EeGcYGO+hq82b5QAVS1778ETaQOPZjPrVycj3o8pFjCdVTaCCVhutKbEVxojDTAj
+pqPpTvBZqcAf9pfBL7mPGLjfF8gzKiLVwNMNxfs/uC++rWdebdVUMI3sWntnc85c
+a8oplvXIBuXJHXOd2xNG2c6+Zdo4GJBAouUxMvkneUwS5Sw8sB+cMJt5UZ5lHbRH
+qgekU+v4HLjurK10WWzBKN178y/+mOhvZ0gck0ft0BR4EZmaaFJqBYE6otUDz9MM
+W9dG2e+Bfg5VmVhuVZMetIFPzLmhTQtwciGhp5JFT5lBzx2JyLlZ9mztDo6s+hwm
+wsD8/Wf6xK0UbxLrlCi3cjNS/MKUmjjTJkFnbPnUljU3khmOjeGRkT3LZJL0eOft
+U/UU+AzOOUKXLAgOWuYjaG6a3QB1aAB6dEPX5YpMfdsprM6r3D9mYWLF6b2ieD/2
+QKZiQTUasJno5lXsyp6p/sEW59prPYOsWOtv5m65Tzjim+/rxX41w0vDTm8Ou2rh
+yHfCJidFL6AzYZEWh6dS2AGS/EW0hgWtp5frOP65cfNlFHdXiZqv21Xq0IRchs+L
+mYpWpxpzbdA7vk33tvolkv+TahgPCXML0waCucKEY9p8vRfl+wJo2vs3kqozl0jG
+rzjVDz4t+4Kbr0LNm9aI
+=BvyK
+-----END PGP SIGNATURE-----

share/security/patches/EN-15:10/iconv.patch

@@ -0,0 +1,107 @@
+Index: lib/libiconv_modules/UTF7/citrus_utf7.c
+===================================================================
+--- lib/libiconv_modules/UTF7/citrus_utf7.c	(revision 284940)
++++ lib/libiconv_modules/UTF7/citrus_utf7.c	(working copy)
+@@ -62,8 +62,7 @@ typedef struct {
+ 	unsigned int
+ 		mode: 1,	/* whether base64 mode */
+ 		bits: 4,	/* need to hold 0 - 15 */
+-		cache: 22,	/* 22 = BASE64_BIT + UTF16_BIT */
+-		surrogate: 1;	/* whether surrogate pair or not */
++		cache: 22;	/* 22 = BASE64_BIT + UTF16_BIT */
+ 	int chlen;
+ 	char ch[4]; /* BASE64_IN, 3 * 6 = 18, most closed to UTF16_BIT */
+ } _UTF7State;
+@@ -154,12 +153,11 @@ _citrus_UTF7_mbtoutf16(_UTF7EncodingInfo * __restr
+     uint16_t * __restrict u16, const char ** __restrict s, size_t n,
+     _UTF7State * __restrict psenc, size_t * __restrict nresult)
+ {
+-	_UTF7State sv;
+ 	const char *s0;
+ 	int done, i, len;
+ 
++	*nresult = 0;
+ 	s0 = *s;
+-	sv = *psenc;
+ 
+ 	for (i = 0, done = 0; done == 0; i++) {
+ 		if (i == psenc->chlen) {
+@@ -166,9 +164,6 @@ _citrus_UTF7_mbtoutf16(_UTF7EncodingInfo * __restr
+ 			if (n-- < 1) {
+ 				*nresult = (size_t)-2;
+ 				*s = s0;
+-				sv.chlen = psenc->chlen;
+-				memcpy(sv.ch, psenc->ch, sizeof(sv.ch));
+-				*psenc = sv;
+ 				return (0);
+ 			}
+ 			psenc->ch[psenc->chlen++] = *s0++;
+@@ -257,34 +252,31 @@ _citrus_UTF7_mbrtowc_priv(_UTF7EncodingInfo * __re
+ 		*nresult = (size_t)_ENCODING_IS_STATE_DEPENDENT;
+ 		return (0);
+ 	}
+-	if (psenc->surrogate) {
+-		hi = (psenc->cache >> psenc->bits) & UTF16_MAX;
+-		if (hi < HISRG_MIN || hi > HISRG_MAX)
+-			return (EINVAL);
+-		siz = 0;
+-	} else {
+-		err = _citrus_UTF7_mbtoutf16(ei, &hi, s, n, psenc, &nr);
+-		if (nr == (size_t)-1 || nr == (size_t)-2) {
+-			*nresult = nr;
+-			return (err);
+-		}
+-		if (err != 0)
+-			return (err);
+-		n -= nr;
+-		siz = nr;
+-		if (hi < HISRG_MIN || hi > HISRG_MAX) {
+-			u32 = (uint32_t)hi;
+-			goto done;
+-		}
+-		psenc->surrogate = 1;
++	err = _citrus_UTF7_mbtoutf16(ei, &hi, s, n, psenc, &nr);
++	if (nr == (size_t)-1 || nr == (size_t)-2) {
++		*nresult = nr;
++		return (err);
+ 	}
++	if (err != 0)
++		return (err);
++	n -= nr;
++	siz = nr;
++	if (hi < HISRG_MIN || hi > HISRG_MAX) {
++		u32 = (uint32_t)hi;
++		goto done;
++	}
+ 	err = _citrus_UTF7_mbtoutf16(ei, &lo, s, n, psenc, &nr);
+ 	if (nr == (size_t)-1 || nr == (size_t)-2) {
++		psenc->chlen = 1; /* make get_state_desc return incomplete */
+ 		*nresult = nr;
+ 		return (err);
+ 	}
+ 	if (err != 0)
+ 		return (err);
++	if (lo < LOSRG_MIN || lo > LOSRG_MAX) {
++		*nresult = (size_t)-1;
++		return (EILSEQ);
++	}
+ 	hi -= HISRG_MIN;
+ 	lo -= LOSRG_MIN;
+ 	u32 = (hi << 10 | lo) + SRG_BASE;
+@@ -297,7 +289,6 @@ done:
+ 		_citrus_UTF7_init_state(ei, psenc);
+ 	} else {
+ 		*nresult = siz;
+-		psenc->surrogate = 0;
+ 	}
+ 	return (err);
+ }
+@@ -396,7 +387,7 @@ _citrus_UTF7_put_state_reset(_UTF7EncodingInfo * _
+ {
+ 	int bits, pos;
+ 
+-	if (psenc->chlen != 0 || psenc->bits > BASE64_BIT || psenc->surrogate)
++	if (psenc->chlen != 0 || psenc->bits > BASE64_BIT)
+ 		return (EINVAL);
+ 
+ 	if (psenc->mode) {

share/security/patches/EN-15:10/iconv.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.5 (FreeBSD)
+
+iQIcBAABCgAGBQJVkyZ+AAoJEO1n7NZdz2rn5vIP/jsofR8DW12TqLeEURwBKF+S
+mmUY4wQaCxDJQddAMRIEDHwWN0FPJnNn3sA7L40+c6iYnf1kTkK2Fimw733TAmsB
+hEZujVoFP77QUsFVGm7iYzzRu4ck76riNonNlEw8kvt1VUhJjzxFPVjkh55wRM6D
+T75JJD3VV78bfHN/umj437tsTe3wfH8el2nXXjTxyzRbucGZpz6EAkBYdnFc7PPu
+bFrEFmNVs/tD0V5C5FdoxFLkuti84FfdZ42Ad9z4o+1H80adwMLL+1dLciutLdQt
+7eHLGljdz9iDMlPhi3e8BCHM2Ij1QAa6L16BH43yTLaD/XMcM14HdwCwiNNl6YAr
+Mc6PScRwGSjZAixgL1rMR1iFtlDndyRGg6KCNydH89xIHTb+SEdEC+I6pOPvX4yg
+SAmzOwPsEGScslNbqxNeLkPlv70/zqnCihwN/8Z7M6yERYdWmfs8n8dhMBGc/UF5
+1vw/lOfOZf1CR+KJmhQQgpFknnx2aStJXdzqsTm+Bdx5n09wdRzoRVqwiuvPEBt+
+a+IInr9cybNdUeU3r+sobzuCcxfDDiRtoYtStoQ2vI7iGkuuwq8lulbBxvh1xzGH
+xolOc6tXDDn7Ndvo+pmY83/C9qI0q3TOnqWjody97zqihs+yRJwN7xrrujgngpdy
+FdClblODnEpnK3GmJsPE
+=ZMx/
+-----END PGP SIGNATURE-----

share/xml/notices.xml

@@ -10,6 +10,18 @@
     <month>
       <name>6</name>
 
+      <day>
+        <name>30</name>
+
+        <notice>
+          <name>FreeBSD-EN-15:10.iconv</name>
+        </notice>
+
+        <notice>
+          <name>FreeBSD-EN-15:09.xlocale</name>
+        </notice>
+      </day>
+
       <day>
         <name>18</name>