Add SA-18:09-SA-18:11, refresh SA-18:08.

svn path=/head/; revision=52127

share/security/advisories/FreeBSD-SA-18:08.tcp.asc

@@ -15,16 +15,22 @@ Credits:        Juha-Matti Tilli <juha-matti.tilli@iki.fi> from
                 and Nokia Bell Labs
 Affects:        All supported versions of FreeBSD.
 Corrected:      2018-08-06 18:46:09 UTC (stable/11, 11.1-STABLE)
-                2018-08-06 17:47:47 UTC (releng/11.2, 11.2-RELEASE-p1)
-                2018-08-06 17:48:46 UTC (releng/11.1, 11.1-RELEASE-p12)
+                2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
+                2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
                 2018-08-06 18:47:03 UTC (stable/10, 10.4-STABLE)
-                2018-08-06 17:50:40 UTC (releng/10.4, 10.4-RELEASE-p10)
+                2018-08-15 02:31:10 UTC (releng/10.4, 10.4-RELEASE-p11)
 CVE Name:       CVE-2018-6922
 
 For general information regarding FreeBSD Security Advisories,
 including descriptions of the fields above, security branches, and the
 following sections, please visit <URL:https://security.FreeBSD.org/>.
 
+
+0.   Revision history
+
+v1.0   2018-08-06  Initial release.
+v1.1   2018-08-14  Fixed documentation date in manual pages.
+
 I.   Background
 
 The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
@@ -108,6 +114,19 @@ detached PGP signature using your PGP utility.
 # fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch.asc
 # gpg --verify tcp-11.patch.asc
 
+[*** v1.1 NOTE ***] Patchsets are provided for completeness, it have
+little impact to runtime behavior.
+
+[FreeBSD 10.4]
+# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-10.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-10.patch.asc
+# gpg --verify tcp-man-10.patch.asc
+
+[FreeBSD 11.x]
+# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-11.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-11.patch.asc
+# gpg --verify tcp-man-11.patch.asc
+
 b) Apply the patch.  Execute the following commands as root:
 
 # cd /usr/src
@@ -125,10 +144,10 @@ affected branch.
 Branch/path                                                      Revision
 - -------------------------------------------------------------------------
 stable/10/                                                        r337392
-releng/10.4/                                                      r337389
+releng/10.4/                                                      r337832
 stable/11/                                                        r337391
-releng/11.1/                                                      r337388
-releng/11.2/                                                      r337387
+releng/11.1/                                                      r337828
+releng/11.2/                                                      r337828
 - -------------------------------------------------------------------------
 
 To see which files were modified by a particular revision, run the
@@ -152,17 +171,17 @@ The latest revision of this advisory is available at
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.2.9 (FreeBSD)
 
-iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltosd4ACgkQ05eS9J6n
-5cKLRRAApitUTx46nToGtbCr/fzEZtYpjU0L/kMDwFw8ngfrb3MR4yht087t8JK1
-jZlbeKRQwYjN+ecLrO3QdWoM4LavQK/cYuWq2tCpJiwqXK15rDJGBJjlBiAsmupF
-fGGSD2DcJ/Jz7zTKDkjybCh83QGGTt/HBZRYLc85ipJPHgPQQtnD/OLjFK34Lr45
-vEss9AAkBEe4ZWiSltrQYzqMYf8+sCz/OYP+NGluz4eUjuzKogqyLIAA29auqoNp
-UY5tIUhf8dcB9oeARxWlvmxTKSLB5kevF5jsBzxB8Ap1xUfLFip02h6ApL0xuWz2
-ouX/gN8KBgmJoNIP+GbBY29sQCEY0GTIR9q/dO1ZB3CePJFQsvWjtNeBBjIK66On
-xJSSrUXDPANfcePbnCN9JdsclSEJ0+EBYol3hSWVY8bX3OMcOZw1wRXXCwN0T3of
-QQwbuP0ORt5OdsOObwaxDJEWLEma7N2swWF5YR0oQl0+ETvkIsqFilsTlY6qEB/L
-WG9G1Y9uVn++AJs7HzI+vKVEhhwtJep+7ks28sH5J0LQiUGYfwRACYfVLgi6iXNV
-YKPB4hUFd2d8QaYWdgU92YBJWrR8bqyDdetifMEG5tP+TFCeNCh6SMpRnL7Lzns+
-hkZiRHJeIT7tGu77xZknFI6ghDHOdemtZ/QiL0NsrM05spWkdIA=
-=HNsD
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztakACgkQ05eS9J6n
+5cLN1A//XMCorSih94rs9zvkRPj8g3eN4es5QD9QzI9IwLlfK8DTvtMM9XUKsNT2
+vxgJK8Mnl6N5NddRyiV8o0CioRQF+cmN4cnMhf0LRN6Rv0PqWpsbuuRdWgVtm/aV
+yHNEvnY32RbaZ6YQWmAhG9b+7JztWCpv2MawIaIdy6QFWmHV50ElDj5k1QBHauDd
+2+P3u3+ohbXNMAZGQjIMQwxIgU7BRTVKASa/GzkPSCwQHFabbtm7aL/jEhzySfdl
+bA6ZsMPhr0QqLORKqt8kAUzzFgpVdSRLCa+a8H9phi3CqPDEzGCDdseiCw4mJ+VU
+EhFu616EKw7V9G7FXpnK3Z+E0aHe6UYlf4swUzXluWJrtO/n5bD++ObZaSUOPH0l
+arcOUe8S5dnHiZ8Gg9BqtT6nKQMPXHgGh8W3U53CPt0USJsUWMPd0GPVYt2QnbkX
+27leNs7e1+Njes4PuhOJ+wunn1iye+eTVilqaGkuFC+YKiOJVs9pNJovBTalTsfB
+XqQO52DesrJ/C0xo3AaaNGfNB4JhG3rqR2tPiqubNQcEIocTJ7LkGy0lKXiDbIra
+UA7fDszAG5l5RSyRtgQ4QPd+EzvYguX1vccFGqItDX9aZdQDspnnViKl/FJNzb19
+p9fEa+ZVjV65N836RhCtRx7allqhTAX4yQFXIrUiwQ3ssLNAx1s=
+=sl/Z
 -----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-18:09.l1tf.asc

@@ -0,0 +1,165 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-18:09.l1tf                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          L1 Terminal Fault (L1TF) Kernel Information Disclosure
+
+Category:       core
+Module:         Kernel
+Announced:      2018-08-14
+Affects:        All supported versions of FreeBSD.
+Corrected:      2018-08-14 17:51:12 UTC (stable/11, 11.1-STABLE)
+                2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
+                2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
+CVE Name:       CVE-2018-3620, CVE-2018-3646
+
+Special Note:   Speculative execution vulnerability mitigation remains a work
+                in progress.  This advisory addresses the issue in FreeBSD
+                11.1 and later.  We expect to update this advisory to include
+                10.4 at a later time.
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+When a program accesses data in memory via a logical address it is translated
+to a physical address in RAM by the CPU.  Accessing an unmapped logical
+address results in what is known as a terminal fault.
+
+II.  Problem Description
+
+On certain Intel 64-bit x86 systems there is a period of time during terminal
+fault handling where the CPU may use speculative execution to try to load
+data.  The CPU may speculatively access the level 1 data cache (L1D).  Data
+which would otherwise be protected may then be determined by using side
+channel methods.
+
+This issue affects bhyve on FreeBSD/amd64 systems.
+
+III. Impact
+
+An attacker executing user code, or kernel code inside of a virtual machine,
+may be able to read secret data from the kernel or from another virtual
+machine.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +30 "Rebooting for security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.2]
+# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch.asc
+# gpg --verify l1tf-11.2.patch.asc
+
+[FreeBSD 11.1]
+# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.1.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.1.patch.asc
+# gpg --verify l1tf-11.1.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+CVE-2018-3620 (L1 Terminal Fault-OS)
+- ------------------------------------
+FreeBSD reserves the the memory page at physical address 0, so it will not
+contain secret data.  FreeBSD zeros the paging data structures for unmapped
+addresses, so that speculatively executed L1 Terminal Faults will access only
+the reserved, unused page.
+
+CVE-2018-3646 (L1 Terminal Fault-VMM)
+- -------------------------------------
+Patched systems flush the L1 data cache prior to guest entry, so that there
+is no secret data in cache for a terminal fault (from the the guest) to
+access.
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/11/                                                        r337794
+releng/11.1/                                                      r337828
+releng/11.2/                                                      r337828
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+More information on L1 Terminal Fault is available at:
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3620>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646>
+
+<URL:https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault>
+
+<URL:https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html>
+
+The FreeBSD Security Team thanks Intel for disclosing the issue.
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:09.l1tf.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.2.9 (FreeBSD)
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztc8ACgkQ05eS9J6n
+5cLwEhAAos2Bnilthrbd+uQr1IGASD96aZZ5iXvn1Ibls03Vtd0kG9EcU30gFVG0
+HSg47qT7r5qJQUdhuSYxspgS9ZxXpRez1vnAz7cSGHL9FdecyfHWmHvGor5tz84/
+CgX4jCCAZfqDBquYD+ioqiLX7p1ZTRKfHBQOHcGgMfMq8UQUsg1YriXabEqnavU6
+W0h/eCGBo/Dbvl7004Gx0hKmDO2YQxt9aPWfInXWx1VOMf+wNWpcrvU6rJ4kOnL9
+7BXi+c5+vwlVXDvjrTwP9X+9DDa0MJcMoy2JCyCa/0W7lQ9nADLfUiXLsTvLDo6V
+6/sooFbqlO+Qz37XHlXOXaoVGZGw+NtJRcnD+w8ueP9ts02SsECoxofN8tPOzGsT
+T285qAwv8D8uuBLU3dc9y+assEe3j/4Aqb1Eil6Eh1MsHypEvyN5z9+PIpbN2tWK
+qqCtzgqx037Jvjo6DwjwMUd+DikObGjZyK4pwP8KIeccOIBrUAA1Xel7Xr74xuwq
+LwqtcHb2MWeFD0Mw+oW9viuJKrxyu6aiQfU6FsuGVmHjtXGxi+aWyGQqed+q8FcU
+w/J6fq4kmBVVqNNrAMc/bWKU3IXAj4c48H0CSiCoX4dE4waRQ+cEetKkSWVGYnXj
+3QdoyPsiqo8Goo34Cn0Ipf9GWDeNVv32iz0fXtr4LtoVZKCx9oc=
+=G5SD
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-18:10.ip.asc

@@ -0,0 +1,172 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-18:10.ip                                         Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Resource exhaustion in IP fragment reassembly
+
+Category:       core
+Module:         inet
+Announced:      2018-08-14
+Credits:        Juha-Matti Tilli <juha-matti.tilli@iki.fi> from
+                Aalto University, Department of Communications and Networking
+                and Nokia Bell Labs
+Affects:        All supported versions of FreeBSD.
+Corrected:      2018-08-14 18:17:05 UTC (stable/11, 11.1-STABLE)
+                2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
+                2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
+CVE Name:       CVE-2018-6923
+
+Special note:   Due to source code differences in FreeBSD 10-stable a patch
+                is not yet available for FreeBSD 10.4.  This will follow at
+                a later date.
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The Internet Protocol (IP) version 4 (IPv4) allows fragmentation of
+packets which are too big to traverse all the links between two end
+stations. Any router along the path between two end hosts may fragment
+packets which are larger than a link's maximum transmission unit
+(MTU). FreeBSD's implementation of some IPv4 protocols (such as the
+Transmission Control Protocol [TCP]) perform path MTU discovery to
+avoid the need for fragmentation.
+
+IP version 6 (IPv6) retains the concept of packet fragmentation. It
+changed the fragmentation operation to require that the originating
+end-system perform path MTU discovery and fragment packets which are
+too large for any MTU along the path between two end systems.
+
+While all hosts attached to the Internet are required to support
+fragmentation and reassembly, many hosts will encounter very few
+legitimate fragmented packets due to the operation of path MTU discovery.
+
+II.  Problem Description
+
+A researcher has notified us of a DoS attack applicable to another
+operating system. While FreeBSD may not be vulnerable to that exact
+attack, we have identified several places where inadequate DoS protection
+could allow an attacker to consume system resources.
+
+It is not necessary that the attacker be able to establish two-way
+communication to carry out these attacks. These attacks impact both
+IPv4 and IPv6 fragment reassembly.
+
+III. Impact
+
+In the worst case, an attacker could send a stream of crafted
+fragments with a low packet rate which would consume a substantial
+amount of CPU.
+
+Other attack vectors allow an attacker to send a stream of crafted
+fragments which could consume a large amount of CPU or all available
+mbuf clusters on the system.
+
+These attacks could temporarily render a system unreachable through
+network interfaces or temporarily render a system unresponsive. The
+effects of the attack should clear within 60 seconds after the attack stops.
+
+IV.  Workaround
+
+Disable fragment reassembly, using these commands:
+ % sysctl net.inet.ip.maxfragpackets=0
+ % sysctl net.inet6.ip6.maxfrags=0
+
+On systems compiled with VIMAGE, these sysctls will need to be
+executed for each VNET.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or release or
+security branch (releng) dated after the correction date, and reboot.
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Afterward, reboot the system.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+Afterward, reboot the system.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.x]
+# fetch https://security.FreeBSD.org/patches/SA-18:10/ip.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:10/ip.patch.asc
+# gpg --verify ip.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/11/                                                        r337804
+releng/11.1/                                                      r337828
+releng/11.2/                                                      r337828
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://www.kb.cert.org/vuls/id/641765>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6923>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:10.ip.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.2.9 (FreeBSD)
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztekACgkQ05eS9J6n
+5cJekQ/+PAOPGiPwpafBGuxwZVOaB3JloxJATPzg8z7PE7lvvo6I4pdwP0wq7ruJ
+vRejKXJPDPkDcNziyhB+QdhTXt3O1OAvow9n89nNKiLYX44+C2igTSbHGVe7lIFN
+NHvzGSJsdaPnm9qdvD3R7ZWT4vkNvoDiDiNChBSw829ZyGgLe1wNOOqQvsqVlwQt
+1p0ikLHv30wbSX5KlSkLUSYA66pwcEd8eZFM43pwOZw9eIhcggAhufjTWdgnIBZA
+ZYiMqUi/7ZydO2YW55cVa290tP8JGf6PynmYwBJWTGInz2RlM18TyBcWILewgXic
+PM7jJ75thqd26BcPCh44toZWT8A7EYYiZ6iieLfAaQD7R6zqkeVwT39kV50YYRmW
+tA3jmTKhJ1B0AXQbkh3QZw8cfgIOMYzcbjy4MCcBS3XbehRuT58Jvc8nFFsrypuE
+FF4O3GtqFBKJUrcCJZF0VR0CvU7GUxTeYmS/9dNfQMJlEouFdPatn2jJwTfkiu0O
+I1NlDHA6jriZxepaSa+zxqF86pxNvTI5gRouWwMdevtEPVZGBF8A+DDA5fk1wcdS
+dEV4jcxcg1LH+EPBItYTh7seYYPodFdSyu5X/hLGBo/4XyA4Mb3xIjct74nKr0qx
+bPR3y53fV9+4JWazgO0bIlMG8XVH4go8Rh9n0IKdqv8xwdLVo3w=
+=ddfE
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-18:11.hostapd.asc

@@ -0,0 +1,159 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-18:11.hostapd                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Unauthenticated EAPOL-Key Decryption Vulnerability
+
+Category:       contrib
+Module:         wpa
+Announced:      2018-08-14
+Credits:        Mathy Vanhoef of the imec-DistriNet research group of
+                KU Leuven
+Affects:        All supported versions of FreeBSD.
+Corrected:      2018-08-15 05:03:54 UTC (stable/11, 11.1-STABLE)
+                2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
+                2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
+                2018-08-15 05:05:02 UTC (stable/10, 10.4-STABLE)
+                2018-08-15 02:31:10 UTC (releng/10.4, 10.4-RELEASE-p11)
+CVE Name:       CVE-2018-14526
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The wpa_supplicant(8) utility is a client (supplicant) with support for WPA
+and WPA2 (IEEE 802.11i / RSN).  It is suitable for both desktop and laptop
+computers as well as embedded systems.  Supplicant is the IEEE 802.1X/WPA
+component that is used in the client stations.  It implements key negotiation
+with a WPA Authenticator and it controls the roaming and IEEE 802.11
+authentication/association of the wlan(4) driver.
+
+The wpa_supplicant(8) utility is designed to be a "daemon" program that runs
+in the background and acts as the backend component controlling the wireless
+connection.  The wpa_supplicant(8) utility supports separate frontend programs
+and a text-based frontend (wpa_cli(8)) and a GUI (wpa_gui) are included with
+wpa_supplicant(8).
+
+II.  Problem Description
+
+When using WPA2, EAPOL-Key frames with the Encrypted flag and without the MIC
+flag set, the data field was decrypted first without verifying the MIC.  When
+the dta field was encrypted using RC4, for example, when negotiating TKIP as
+a pairwise cipher, the unauthenticated but decrypted data was subsequently
+processed.  This opened wpa_supplicant(8) to abuse by decryption and recovery
+of sensitive information contained in EAPOL-Key messages.
+
+See https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
+for a detailed description of the bug.
+
+III. Impact
+
+All users of the WPA2 TKIP pairwise cipher are vulnerable to information, for
+example, the group key.
+
+IV.  Workaround
+
+Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks in
+wpa_supplicant.conf(5) by changing 'pairwise=CCMP TKIP' to 'pariwise=CCMP'.
+
+This can also be mitigated by removing TKIP as a cipher on the AP.
+
+Systems and users who do not use WPA2 TKIP are not affected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.x]
+# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd.patch.asc
+# gpg --verify hostapd.patch.asc
+
+[FreeBSD 10.4]
+# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd-10.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd-10.patch.asc
+# gpg --verify hostapd-10.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r337832
+releng/10.4/                                                      r337829
+stable/11/                                                        r337831
+releng/11.1/                                                      r337828
+releng/11.2/                                                      r337828
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14526>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:09.hostapd.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.2.9 (FreeBSD)
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztf8ACgkQ05eS9J6n
+5cJ2kRAAiuef2NM6sG/OJhjIi3zTNZRTmO2S7BcaD8w7RDmH0rp1XPzTRs8CyWxo
+zLfoubOwIucS1nQGHHYhwTYSXw7lFvGWbebuzhNcEUOc8a1TrpLlyinqF8KDgfNd
+RSkTR1OTF91BEjlYKjuIFKUZ6OxUCpgUrprneEyn5wV/0eLkRv3VNqUuAwkTqU/i
+X7pnFd2BXPpvKTatefpGjnYmo3j3oJSiQeXcPM9zgcm6n9ZD+KiC48vdvbZGmERt
+HsMzUy0Z+OehKMJ+RvemWTiEwEFO7BK/FFgGH8LAgrwd0xff2RDU7S0NeCd+p76g
+y98aUg0WF6RqHXU/xHeHpljHxzrWP3Msb56NqB+phFuEKvVoVimGL54P6/sBSbq+
+eACFcTUcf88MLry41zKBchSmekzSdzeV1S6kQGG74W7DfYY/UdF/4ves/eNqO13l
+J5PjjusPn5IS+IP1omA6imJNHoEUrKR4ZW6KXZEfF7NdtcLGRebrAGySdqD0jHPP
+23fkVQRmEL23fwtlONxNhvrF/oA09/oHS++MUEUxF6b6BRyq0sQ/aBXU5GpoI8VQ
+5nDcASCloson18oA91T125bwD1bt6yLeTaFWhRJj6eeEI5HcJchZ9m1kGflNxEO9
+vM6bvIEPmF1IcR304i1os2JMgWHOAtOKxlsZpnwGs9U0qJu9/nw=
+=34YE
+-----END PGP SIGNATURE-----

share/security/patches/SA-18:08/tcp-man-10.patch

@@ -0,0 +1,11 @@
+--- share/man/man4/tcp.4.orig
++++ share/man/man4/tcp.4
+@@ -38,7 +38,7 @@
+ .\"     From: @(#)tcp.4	8.1 (Berkeley) 6/5/93
+ .\" $FreeBSD$
+ .\"
+-.Dd October 13, 2014
++.Dd August 6, 2018
+ .Dt TCP 4
+ .Os
+ .Sh NAME

share/security/patches/SA-18:08/tcp-man-10.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.2.9 (FreeBSD)
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztboACgkQ05eS9J6n
+5cJtEQ/8CDdSUbL4aWI2tt1NTAxMoLirMte4r4oR6R3L3prOQWzqKc8m2KV73pgI
+5hSAbcyW8pINgJ4gIX8FwXd+g1bfiz/9Fq7J7IEeZHbNPUo150NCsHC8LPG4oupz
+6UmjGybX/J4nBrKMVqC88p7sWeukvCQm2d8fcKJQgUPQ8d9lgjRFn2MeaKEGR36j
+rhQRK0GSQC7PLgsxzmHAnPtMBqnBNxP9GAyv/O+GX4pAX4PVf6GevQZMYMMPZYNE
+yC8vOclIBuSuOlXaEtanCB7w3WT4M+x6VUwM8NSTq30uQe3NMUvzbzlv+YE2xx0Q
+3XYncGma86rL0FqrqcgLZLoWHJAubqlxonCJNSNXS0o8I77njPffkKx1nDFtpUt2
+IdIleTaltinZXq1mAoPqtrt/nOa9x1C4hihvrIStIYAi/0rLdB8rCGJgMjD8twG7
+W7GUTJxDz2F/dp/y3zomwg69cjdXadh8JWHoPwscPObFhWUml3/WnPLw8iw0ae4A
+TE8+npZUir8zbbxevcZrQxZA/FasfVIEZJytBkIs6z9t+bxa6stBeR/tWU1qgYPx
+oSebDN09tpb3Qzb8uUKNHjuF9La6BXmstjzuh8F/FgPqfImIGQaTkvb0/jcZtvJt
+GatGGPBnZCJWZvy5wvHkNYbUxO81A6dvBJd0kYbS8Q4vYLrzjHo=
+=tsh3
+-----END PGP SIGNATURE-----

share/security/patches/SA-18:08/tcp-man-11.patch

@@ -0,0 +1,11 @@
+--- share/man/man4/tcp.4.orig
++++ share/man/man4/tcp.4
+@@ -34,7 +34,7 @@
+ .\"     From: @(#)tcp.4	8.1 (Berkeley) 6/5/93
+ .\" $FreeBSD$
+ .\"
+-.Dd February 6, 2017
++.Dd August 6, 2018
+ .Dt TCP 4
+ .Os
+ .Sh NAME

share/security/patches/SA-18:08/tcp-man-11.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.2.9 (FreeBSD)
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztbgACgkQ05eS9J6n
+5cJfvA//VV3j4T6xmYhMFYQ9fzExzBAfzmJjhmVeeAS/JBrKcHhsZgVuIk1E7CD/
+U1hqrlnwlPgG76UNe3tsXaDxhhYOFo4jH3COwE6zXJaXjDDv0H3rfc3TjbJD22fw
+ktz0P2P9DP0uxb1M2f73yrVvQokPlI5cWQ4yQa0MCyVWNUtCKJPIzK27hupjNo7L
+sDepUOR7809n2vHD1uXrkwAi4OfMYLkxDtf0Yt31EJ8+/ZeL8qg6caP2QPElAnws
+3P45z/SqVg3ygmBR9WhF0UK98a7FuyDI79/KZSMBIAOkl7nwe09HZjjvFNYlXnPq
+l7duHMVcC87VhZ0IaNQ1fEDIcyyXws7pVQpWNuA6HGOjLFYSGrJWCzek/yPsTO+S
+m631sRGWs/YyyY49S1D5P/6MaAGT2WjOnSX3q8wy+2WkKDPdQSlj85MZvRKKXY5u
+5KgvqWH6w/hxtHHDE+9Bk8dDfW7aHBGSy/lV5I2VorgE3dyp1vWTMuOacWeMJqhN
+twzlLEn7QCZgkEocb6rqK+fVuG3Sx+QJPa8pKBj3LgsnHTd8mJRcWWtzG50LvNcO
+orzUHwYht0gWrSfsfsS5OXfMUrOeEfpxtAB0FYh+2Sr+1jEtaAqBA4S9yHUnNUtS
+jLcoPClf+s4FVvm1khHLihhKHp/BMFoha8zeQKudrod4UNxSQxM=
+=r2Sc
+-----END PGP SIGNATURE-----

share/security/patches/SA-18:09/l1tf-11.1.patch

@@ -0,0 +1,213 @@
+--- sys/amd64/amd64/pmap.c.orig
++++ sys/amd64/amd64/pmap.c
+@@ -1206,6 +1206,9 @@
+ 	vm_size_t s;
+ 	int error, i, pv_npg;
+ 
++	/* L1TF, reserve page @0 unconditionally */
++	vm_page_blacklist_add(0, bootverbose);
++
+ 	/*
+ 	 * Initialize the vm page array entries for the kernel pmap's
+ 	 * page table pages.
+--- sys/amd64/vmm/intel/vmx.c.orig
++++ sys/amd64/vmm/intel/vmx.c
+@@ -183,6 +183,12 @@
+ SYSCTL_UINT(_hw_vmm_vmx, OID_AUTO, vpid_alloc_failed, CTLFLAG_RD,
+ 	    &vpid_alloc_failed, 0, NULL);
+ 
++static int guest_l1d_flush;
++SYSCTL_INT(_hw_vmm_vmx, OID_AUTO, l1d_flush, CTLFLAG_RD,
++    &guest_l1d_flush, 0, NULL);
++
++uint64_t vmx_msr_flush_cmd;
++
+ /*
+  * Use the last page below 4GB as the APIC access address. This address is
+  * occupied by the boot firmware so it is guaranteed that it will not conflict
+@@ -718,6 +724,12 @@
+ 		return (error);
+ 	}
+ 
++	guest_l1d_flush = (cpu_ia32_arch_caps & IA32_ARCH_CAP_RDCL_NO) == 0;
++	TUNABLE_INT_FETCH("hw.vmm.l1d_flush", &guest_l1d_flush);
++	if (guest_l1d_flush &&
++	    (cpu_stdext_feature3 & CPUID_STDEXT3_L1D_FLUSH) != 0)
++		vmx_msr_flush_cmd = IA32_FLUSH_CMD_L1D;
++
+ 	/*
+ 	 * Stash the cr0 and cr4 bits that must be fixed to 0 or 1
+ 	 */
+--- sys/amd64/vmm/intel/vmx_genassym.c.orig
++++ sys/amd64/vmm/intel/vmx_genassym.c
+@@ -36,6 +36,7 @@
+ 
+ #include <vm/vm.h>
+ #include <vm/pmap.h>
++#include <vm/vm_param.h>
+ 
+ #include <machine/vmm.h>
+ #include "vmx_cpufunc.h"
+@@ -86,3 +87,6 @@
+ 
+ ASSYM(KERNEL_SS, GSEL(GDATA_SEL, SEL_KPL));
+ ASSYM(KERNEL_CS, GSEL(GCODE_SEL, SEL_KPL));
++
++ASSYM(PAGE_SIZE, PAGE_SIZE);
++ASSYM(KERNBASE, KERNBASE);
+--- sys/amd64/vmm/intel/vmx_support.S.orig
++++ sys/amd64/vmm/intel/vmx_support.S
+@@ -28,6 +28,7 @@
+  */
+ 
+ #include <machine/asmacros.h>
++#include <machine/specialreg.h>
+ 
+ #include "vmx_assym.h"
+ 
+@@ -136,9 +137,47 @@
+ 	jbe	invept_error		/* Check invept instruction error */
+ 
+ guest_restore:
+-	cmpl	$0, %edx
++
++	/*
++	 * Flush L1D cache if requested.  Use IA32_FLUSH_CMD MSR if available,
++	 * otherwise load enough of the data from the zero_region to flush
++	 * existing L1D content.
++	 */
++#define	L1D_FLUSH_SIZE	(64 * 1024)
++	movl	%edx, %r8d
++	cmpb	$0, guest_l1d_flush(%rip)
++	je	after_l1d
++	movq	vmx_msr_flush_cmd(%rip), %rax
++	testq	%rax, %rax
++	jz	1f
++	movq	%rax, %rdx
++	shrq	$32, %rdx
++	movl	$MSR_IA32_FLUSH_CMD, %ecx
++	wrmsr
++	jmp	after_l1d
++1:	movq	$KERNBASE, %r9
++	movq	$-L1D_FLUSH_SIZE, %rcx
++	/*
++	 * pass 1: Preload TLB.
++	 * Kernel text is mapped using superpages.  TLB preload is
++	 * done for the benefit of older CPUs which split 2M page
++	 * into 4k TLB entries.
++	 */
++2:	movb	L1D_FLUSH_SIZE(%r9, %rcx), %al
++	addq	$PAGE_SIZE, %rcx
++	jne	2b
++	xorl	%eax, %eax
++	cpuid
++	movq	$-L1D_FLUSH_SIZE, %rcx
++	/* pass 2: Read each cache line */
++3:	movb	L1D_FLUSH_SIZE(%r9, %rcx), %al
++	addq	$64, %rcx
++	jne	3b
++	lfence
++#undef	L1D_FLUSH_SIZE
++after_l1d:
++	cmpl	$0, %r8d
+ 	je	do_launch
+-
+ 	VMX_GUEST_RESTORE
+ 	vmresume
+ 	/*
+--- sys/vm/vm_page.c.orig
++++ sys/vm/vm_page.c
+@@ -290,6 +290,27 @@
+ 	return (0);
+ }
+ 
++bool
++vm_page_blacklist_add(vm_paddr_t pa, bool verbose)
++{
++	vm_page_t m;
++	int ret;
++
++	m = vm_phys_paddr_to_vm_page(pa);
++	if (m == NULL)
++		return (true); /* page does not exist, no failure */
++
++	mtx_lock(&vm_page_queue_free_mtx);
++	ret = vm_phys_unfree_page(m);
++	mtx_unlock(&vm_page_queue_free_mtx);
++	if (ret) {
++		TAILQ_INSERT_TAIL(&blacklist_head, m, listq);
++		if (verbose)
++			printf("Skipping page with pa 0x%jx\n", (uintmax_t)pa);
++	}
++	return (ret);
++}
++
+ /*
+  *	vm_page_blacklist_check:
+  *
+@@ -301,26 +322,13 @@
+ vm_page_blacklist_check(char *list, char *end)
+ {
+ 	vm_paddr_t pa;
+-	vm_page_t m;
+ 	char *next;
+-	int ret;
+ 
+ 	next = list;
+ 	while (next != NULL) {
+ 		if ((pa = vm_page_blacklist_next(&next, end)) == 0)
+ 			continue;
+-		m = vm_phys_paddr_to_vm_page(pa);
+-		if (m == NULL)
+-			continue;
+-		mtx_lock(&vm_page_queue_free_mtx);
+-		ret = vm_phys_unfree_page(m);
+-		mtx_unlock(&vm_page_queue_free_mtx);
+-		if (ret == TRUE) {
+-			TAILQ_INSERT_TAIL(&blacklist_head, m, listq);
+-			if (bootverbose)
+-				printf("Skipping page with pa 0x%jx\n",
+-				    (uintmax_t)pa);
+-		}
++		vm_page_blacklist_add(pa, bootverbose);
+ 	}
+ }
+ 
+--- sys/vm/vm_page.h.orig
++++ sys/vm/vm_page.h
+@@ -448,6 +448,7 @@
+     u_long npages, vm_paddr_t low, vm_paddr_t high, u_long alignment,
+     vm_paddr_t boundary, vm_memattr_t memattr);
+ vm_page_t vm_page_alloc_freelist(int, int);
++bool vm_page_blacklist_add(vm_paddr_t pa, bool verbose);
+ vm_page_t vm_page_grab (vm_object_t, vm_pindex_t, int);
+ int vm_page_try_to_free (vm_page_t);
+ void vm_page_deactivate (vm_page_t);
+--- sys/x86/include/specialreg.h.orig
++++ sys/x86/include/specialreg.h
+@@ -378,6 +378,7 @@
+  */
+ #define	CPUID_STDEXT3_IBPB	0x04000000
+ #define	CPUID_STDEXT3_STIBP	0x08000000
++#define	CPUID_STDEXT3_L1D_FLUSH	0x10000000
+ #define	CPUID_STDEXT3_ARCH_CAP	0x20000000
+ 
+ /* MSR IA32_ARCH_CAP(ABILITIES) bits */
+@@ -427,6 +428,7 @@
+ #define	MSR_IA32_EXT_CONFIG	0x0ee	/* Undocumented. Core Solo/Duo only */
+ #define	MSR_MTRRcap		0x0fe
+ #define	MSR_IA32_ARCH_CAP	0x10a
++#define	MSR_IA32_FLUSH_CMD	0x10b
+ #define	MSR_BBL_CR_ADDR		0x116
+ #define	MSR_BBL_CR_DECC		0x118
+ #define	MSR_BBL_CR_CTL		0x119
+@@ -580,6 +582,9 @@
+ /* MSR IA32_PRED_CMD */
+ #define	IA32_PRED_CMD_IBPB_BARRIER	0x0000000000000001ULL
+ 
++/* MSR IA32_FLUSH_CMD */
++#define	IA32_FLUSH_CMD_L1D	0x00000001
++
+ /*
+  * PAT modes.
+  */

share/security/patches/SA-18:09/l1tf-11.1.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.2.9 (FreeBSD)
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztdsACgkQ05eS9J6n
+5cItLA//UjGUEP8QwggeT/drm99htP1lpABfxgLjaBFvXDQ8pFJU2D8bm0X/jHBW
+ExM4TO1H2K6gKtJMXC1gCgL9DXy6ukqI7DDKjG2vt46U8533DQ715C4HInj5+mdp
+hvdJVFKbLKVA4jqv0Z+LGeM/yhC5vLCJ+Upirfz42pLWUdmW1a5zbT0pEXsKldxJ
+cTRWfKck7TKbND9cYczaRKl7YjaJNUY8x2FZ3aq607dxWMbreW1sP1VnC2W/EJOa
+fX6G7WC38uZ5RzLL0GoyEUoA83ljcQLYjGWEH0Kr90AfRw6geh2ViajYWMaRj4Kg
+0/Jax7pn5xI14FaREwMybz7Lj+l2DpYfpToYs9Uh4mg/Ug8orLellD+tEBP88NyY
+aWRPYYc3um08osZ6f96RRdH8bOoYgyW+0HV7hO1ZBrIZiAwLdh7nSLoBPEGoGA/e
+XumkfRbwCc5gODH4NYDuCGFppQ2qQ+vfws97kFWULoia8PM/bseFICv9lbZ3c3wc
+7ImNHSHRCDk8lanX8ivTEN2MqEtQBIXwMJuLy6L2s2SPFaaH8Tzt6VNcFvDMONQb
+iXpUoejcLFdeQV1tisnOTsJ6bZayHQjuE6mvLmbSSVjWhh1X3ZStoqhU44AGnmiC
+LjEmQ03E/pCYfA4YV3trqAsE4dqgNTReiiK2P0edkIlo72g42x0=
+=8Mzj
+-----END PGP SIGNATURE-----

share/security/patches/SA-18:09/l1tf-11.2.patch

@@ -0,0 +1,145 @@
+--- sys/amd64/amd64/pmap.c.orig
++++ sys/amd64/amd64/pmap.c
+@@ -1215,6 +1215,9 @@
+ 	vm_size_t s;
+ 	int error, i, pv_npg, ret, skz63;
+ 
++	/* L1TF, reserve page @0 unconditionally */
++	vm_page_blacklist_add(0, bootverbose);
++
+ 	/* Detect bare-metal Skylake Server and Skylake-X. */
+ 	if (vm_guest == VM_GUEST_NO && cpu_vendor_id == CPU_VENDOR_INTEL &&
+ 	    CPUID_TO_FAMILY(cpu_id) == 0x6 && CPUID_TO_MODEL(cpu_id) == 0x55) {
+--- sys/amd64/vmm/intel/vmx.c.orig
++++ sys/amd64/vmm/intel/vmx.c
+@@ -185,6 +185,12 @@
+ SYSCTL_UINT(_hw_vmm_vmx, OID_AUTO, vpid_alloc_failed, CTLFLAG_RD,
+ 	    &vpid_alloc_failed, 0, NULL);
+ 
++static int guest_l1d_flush;
++SYSCTL_INT(_hw_vmm_vmx, OID_AUTO, l1d_flush, CTLFLAG_RD,
++    &guest_l1d_flush, 0, NULL);
++
++uint64_t vmx_msr_flush_cmd;
++
+ /*
+  * Use the last page below 4GB as the APIC access address. This address is
+  * occupied by the boot firmware so it is guaranteed that it will not conflict
+@@ -720,6 +726,12 @@
+ 		return (error);
+ 	}
+ 
++	guest_l1d_flush = (cpu_ia32_arch_caps & IA32_ARCH_CAP_RDCL_NO) == 0;
++	TUNABLE_INT_FETCH("hw.vmm.l1d_flush", &guest_l1d_flush);
++	if (guest_l1d_flush &&
++	    (cpu_stdext_feature3 & CPUID_STDEXT3_L1D_FLUSH) != 0)
++		vmx_msr_flush_cmd = IA32_FLUSH_CMD_L1D;
++
+ 	/*
+ 	 * Stash the cr0 and cr4 bits that must be fixed to 0 or 1
+ 	 */
+--- sys/amd64/vmm/intel/vmx_genassym.c.orig
++++ sys/amd64/vmm/intel/vmx_genassym.c
+@@ -36,6 +36,7 @@
+ 
+ #include <vm/vm.h>
+ #include <vm/pmap.h>
++#include <vm/vm_param.h>
+ 
+ #include <machine/vmm.h>
+ #include "vmx_cpufunc.h"
+@@ -86,3 +87,6 @@
+ 
+ ASSYM(KERNEL_SS, GSEL(GDATA_SEL, SEL_KPL));
+ ASSYM(KERNEL_CS, GSEL(GCODE_SEL, SEL_KPL));
++
++ASSYM(PAGE_SIZE, PAGE_SIZE);
++ASSYM(KERNBASE, KERNBASE);
+--- sys/amd64/vmm/intel/vmx_support.S.orig
++++ sys/amd64/vmm/intel/vmx_support.S
+@@ -28,6 +28,7 @@
+  */
+ 
+ #include <machine/asmacros.h>
++#include <machine/specialreg.h>
+ 
+ #include "vmx_assym.h"
+ 
+@@ -173,9 +174,47 @@
+ 	jbe	invept_error		/* Check invept instruction error */
+ 
+ guest_restore:
+-	cmpl	$0, %edx
+-	je	do_launch
+ 
++	/*
++	 * Flush L1D cache if requested.  Use IA32_FLUSH_CMD MSR if available,
++	 * otherwise load enough of the data from the zero_region to flush
++	 * existing L1D content.
++	 */
++#define	L1D_FLUSH_SIZE	(64 * 1024)
++	movl	%edx, %r8d
++	cmpb	$0, guest_l1d_flush(%rip)
++	je	after_l1d
++	movq	vmx_msr_flush_cmd(%rip), %rax
++	testq	%rax, %rax
++	jz	1f
++	movq	%rax, %rdx
++	shrq	$32, %rdx
++	movl	$MSR_IA32_FLUSH_CMD, %ecx
++	wrmsr
++	jmp	after_l1d
++1:	movq	$KERNBASE, %r9
++	movq	$-L1D_FLUSH_SIZE, %rcx
++	/*
++	 * pass 1: Preload TLB.
++	 * Kernel text is mapped using superpages,  TLB preload is
++	 * done for the benefit of older CPUs which split 2M page
++	 * into 4k TLB entries.
++	 */
++2:	movb	L1D_FLUSH_SIZE(%r9, %rcx), %al
++	addq	$PAGE_SIZE, %rcx
++	jne	2b
++	xorl	%eax, %eax
++	cpuid
++	movq	$-L1D_FLUSH_SIZE, %rcx
++	/* pass 2: Read each cache line */
++3:	movb	L1D_FLUSH_SIZE(%r9, %rcx), %al
++	addq	$64, %rcx
++	jne	3b
++	lfence
++#undef	L1D_FLUSH_SIZE
++after_l1d:
++	cmpl	$0, %r8d
++	je	do_launch
+ 	VMX_GUEST_RESTORE
+ 	vmresume
+ 	/*
+--- sys/x86/include/specialreg.h.orig
++++ sys/x86/include/specialreg.h
+@@ -387,6 +387,7 @@
+  */
+ #define	CPUID_STDEXT3_IBPB	0x04000000
+ #define	CPUID_STDEXT3_STIBP	0x08000000
++#define	CPUID_STDEXT3_L1D_FLUSH	0x10000000
+ #define	CPUID_STDEXT3_ARCH_CAP	0x20000000
+ #define	CPUID_STDEXT3_SSBD	0x80000000
+ 
+@@ -438,6 +439,7 @@
+ #define	MSR_IA32_EXT_CONFIG	0x0ee	/* Undocumented. Core Solo/Duo only */
+ #define	MSR_MTRRcap		0x0fe
+ #define	MSR_IA32_ARCH_CAP	0x10a
++#define	MSR_IA32_FLUSH_CMD	0x10b
+ #define	MSR_BBL_CR_ADDR		0x116
+ #define	MSR_BBL_CR_DECC		0x118
+ #define	MSR_BBL_CR_CTL		0x119
+@@ -592,6 +594,9 @@
+ /* MSR IA32_PRED_CMD */
+ #define	IA32_PRED_CMD_IBPB_BARRIER	0x0000000000000001ULL
+ 
++/* MSR IA32_FLUSH_CMD */
++#define	IA32_FLUSH_CMD_L1D	0x00000001
++
+ /*
+  * PAT modes.
+  */

share/security/patches/SA-18:09/l1tf-11.2.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.2.9 (FreeBSD)
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztd0ACgkQ05eS9J6n
+5cIGQQ//SWf3YET59okirsbCm/gF+ra8q1ohCRPaJbyS5ZJaWWWBNQRKX2ksphAF
+huamH+PmAlBvRmkjjVujbW5npPcZ00DpZVCC90awH1mLknlm5aIFpaFSe1oY/RUi
+cZjTSobjdTNyEwDX36GdQpq3xx4d0AmmvzmiLRb62MnzDTzMRQ4kPgAoMe1VP6QT
+z4KeSxS+rc1XjS+3d8qFB57/cxi8a3v60YAkOC7EfgqYUjGheuBa6wLFgsJyzm4/
+jil+Tm5Gp+GgyRzYuQNJSzgMtQaEfvBSkgLn1zIZGPMKfLWyo5Km4aFdtjsWmQaj
+XRQk91BhPJ3xXyvyUChkTckGrXuUMfkVarto5I2dIR9bXo9MXCpOgzLHfcSomGyQ
+JjMKqqjhmcg6aY1ptVHqnA5/NJAFNFUDnwAwsgPw8RPW8rcJjFY9KjmkPo3LRNkV
+x2AhAxjBj1jZ2JUMQiw4jQH25P/yX6COoJTCFisr4RJD0paGf3sPjTrIUN2SOHE9
+TorBvYWeaxgWs3e5yO/qOyUXt7C40ux3vzn2jfjersclJiKId4vIp0VLW4wUd+Et
+wjCZpYHt8BmN8YVRIV3a4hIHZ7tOQg12sv6DHeuzHBtDsKcgMcqZnhehalWGHAZ6
+NnJObTilJi3edXibluvNOgwElIT9l1a6rEv/eJ99rp3tSY0323Q=
+=gc08
+-----END PGP SIGNATURE-----

share/security/patches/SA-18:10/ip.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.2.9 (FreeBSD)
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztfIACgkQ05eS9J6n
+5cJ/BQ/9FjMAjlN0nLHm8OnoWIBRe2WTN/oi4/cQ+mliYClOLQB3fKaC7A43J0jJ
+AKXZsSwPlFujHyTMXr4Bnp1ws+JiAtFRqpKlgAOiv2M2jF1PJxEBFbw8Co9O/X4h
+wHI37BRsxxrp7UecxYEoaQsUF8ZTSqeuR2hyIwZLLc2wN3mziJsWjrNAHciwG1SK
+nYmdaSz8pzOmdcxM3jm3jle1EACwqoqo0aehuP+Bc4A0DhugK+wxP6KA1Ra7nojr
+VVKWgeKnyo0MUEXx/mA1kJ88DWolZVHxGUNk9jV4SQKC8p4/SowZvRn7k3M/f8I+
+Emub4mTo9pMyoQs2rbHGyhB1FYy9xI1Ax+BEpXL8z2TubO6r+AbmQP3cVLlfvbjS
+/GL9ibemyP6fRBqeJ+P4q+chvdE9BlQcZH1sVXfLaxbqq5zgeq9bwhtWclEm3Y/x
+XAKdCNRdTDV88s5jqA1COS3RNC5i2DCl1iFxIU1pme+kjyHC/YkPnRTckj8NjNCy
+kBdPba74yf86NAzzM3UD4vuzJ/Y2I2+tXbs+psIlKGEYBTjl8MQErVylvt+Ki9RE
+D6EkM4nqXyWAKlHgxJ4ifakx0IywXiZMssSRnSsQnwoWVIxCkTnU8iUgN/4ZgTb8
+Wb2yMX+ua1SACd/RWICrS8NTSuczyNvEHAeARg2es7lISTNG/gE=
+=TKXh
+-----END PGP SIGNATURE-----

share/security/patches/SA-18:11/hostapd-10.patch

@@ -0,0 +1,20 @@
+--- contrib/wpa/src/rsn_supp/wpa.c.orig
++++ contrib/wpa/src/rsn_supp/wpa.c
+@@ -1829,6 +1829,17 @@
+ 
+ 	if (sm->proto == WPA_PROTO_RSN &&
+ 	    (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
++		/*
++		 * Only decrypt the Key Data field if the frame's authenticity
++		 * was verified. When using AES-SIV (FILS), the MIC flag is not
++		 * set, so this check should only be performed if mic_len != 0
++		 * which is the case in this code branch.
++		 */
++		if (!(key_info & WPA_KEY_INFO_MIC)) {
++			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++				"WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
++			goto out;
++		}
+ 		if (wpa_supplicant_decrypt_key_data(sm, key, ver))
+ 			goto out;
+ 		extra_len = WPA_GET_BE16(key->key_data_length);

share/security/patches/SA-18:11/hostapd-10.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.2.9 (FreeBSD)
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztg0ACgkQ05eS9J6n
+5cKKBw/8DSDp5oTy7IkgB8PrPc3dCZg9tFeN19UYXs/wnBBX2eu4DdriU7vqn86d
+tGmCKxBMpALcprZaCmyKjk5hcQw7FVLe5N5kSmMbZYJBRJw9cODzGoZV4GabFt/X
+t6Lr9fuozfwEOyvzIgVPATOaBb6i9Pe5IbHoXNX4GtdzM65CpyW4qp1eIPb1dtYj
+pFKSbdz7IeUSXblYhZXiDYZ+dlhUGUrucxeD1ubFHTKWETYwdiJr7ERkqYgLLgA2
+Nc8uFrjLC4SiVjPSBVo8pQlXxvhUCqkBL8clJ0/FIiByUsoT5TdYRi2sSns5wJLk
+J3X0tSrOUI1+Nr69Q0GCIp0dy15ccvQMRcRJFZZFQ3weJz6WQd7iF9BHfZzbyQ1R
+B3jYVI2GBlWRD2BerDQQh6jwxs8Yd/b3sVCkKZNgk7v5Joh9UKszNF1msKiFLvtw
+yI82j5Xq+ZTj6Z/CvBGE6R6K7UymaAksn/BeV3rKVfgiITr3KMsK2IlP1hCjnZx1
+QbNanRDZ1cRqK87ic2IX9gBZR0j2YmZTPE+6lXEX7ufLJnArTKeqq1/CX1Q/iD3O
+V5YzO/gdOTBBnLdT4GdbMgMJ8ERGwCy1KCCC26rm6k4Rn01G3/pLyIcEWTbloqGr
+6sm4S9fLuRitriADzUj6Z4vAPtEkDPn29vyJAaVq2rII0h3s3r0=
+=mnWA
+-----END PGP SIGNATURE-----

share/security/patches/SA-18:11/hostapd.patch

@@ -0,0 +1,20 @@
+--- contrib/wpa/src/rsn_supp/wpa.c.orig
++++ contrib/wpa/src/rsn_supp/wpa.c
+@@ -2072,6 +2072,17 @@
+ 
+ 	if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
+ 	    (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
++		/*
++		 * Only decrypt the Key Data field if the frame's authenticity
++		 * was verified. When using AES-SIV (FILS), the MIC flag is not
++		 * set, so this check should only be performed if mic_len != 0
++		 * which is the case in this code branch.
++		 */
++		if (!(key_info & WPA_KEY_INFO_MIC)) {
++			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++				"WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
++			goto out;
++		}
+ 		if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data,
+ 						    &key_data_len))
+ 			goto out;

share/security/patches/SA-18:11/hostapd.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.2.9 (FreeBSD)
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztgkACgkQ05eS9J6n
+5cIE8Q/9GKu6n3za6wrVV1JctS7bbQx/lbPy2Q139jds+HW5fJ4QN0f6OOl5X5g+
+483GOFEPgWYV/tkz1suoZD+sZWDb7rrkAli5uo3igstp5JiIYXgFi81LxrmK2bUe
+tj0PYWoUmjTn7QqLw0ASxkZnDzQk3QlviEHqijtFkoKwXJ5yGWNib4khSBo03gV6
+hoquvRX5PLURUdgP1gdiOOShwE1KAvfG/IU/a6HrvzDi3V8PnwztdGxNtaVuovXw
+dgS8Uaq10JO9fmvXyjtbFNC2uo9p/LVsv+S3aHzbCpqAJ/inRWVf1JCq2tv5LqA3
+ATJUk4EWXhBAzVbe//SkT7gxxGBHqRea4ed2vZ6SeXg1bDHUiq9far88TNwrhxdn
+Rr2qUejC12zDl8c+ASQdJ7EItQI+/FgjodwZpUYiVHNtZT/xP4VPgdABwY7tYnsK
+kZWFJG16JymXLEJU4KSiStz/5hJav5ETdzr2rIk1AcjRUT5+RtH+4auyh8hzT621
+yrI6zypGyKoEWuBBW0vb2sBMmj5SaucJ7hNbq+gn/C4VdV9Ds+HVSWnS+eM+skv4
+d+6SA6Vo4keE83/H44TDDAoGi89CBDP6JjOjJ8837zJ1tRzIVdrvdcQp5RcP8RHx
+kprox8j6sMFyuX6YgQQG2ZfVJqCffHW44g3+vLszMcCw9rHUNPA=
+=R1kF
+-----END PGP SIGNATURE-----

share/xml/advisories.xml

@@ -10,6 +10,23 @@
     <month>
       <name>8</name>
 
+      <day>
+	<name>14</name>
+
+	<advisory>
+	  <name>FreeBSD-SA-18:11.hostapd</name>
+	</advisory>
+
+	<advisory>
+	  <name>FreeBSD-SA-18:10.ip</name>
+	</advisory>
+
+	<advisory>
+	  <name>FreeBSD-SA-18:09.l1tf</name>
+	</advisory>
+
+      </day>
+
       <day>
 	<name>6</name>