diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index 4c1b2b1704..bd86fb8b01 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,671 +1,691 @@
# Sort errata notices by year, month and day
# $FreeBSD$
+[[notices]]
+name = "FreeBSD-EN-21:22.linux_futex"
+date = "2021-06-29"
+
+[[notices]]
+name = "FreeBSD-EN-21:21.ipfw"
+date = "2021-06-29"
+
+[[notices]]
+name = "FreeBSD-EN-21:20.vlan"
+date = "2021-06-29"
+
+[[notices]]
+name = "FreeBSD-EN-21:19.libcasper"
+date = "2021-06-29"
+
+[[notices]]
+name = "FreeBSD-EN-21:18.libc++"
+date = "2021-06-29"
+
[[notices]]
name = "FreeBSD-EN-21:17.libradius"
date = "2021-06-01"
[[notices]]
name = "FreeBSD-EN-21:16.bc"
date = "2021-05-26"
[[notices]]
name = "FreeBSD-EN-21:15.virtio"
date = "2021-05-26"
[[notices]]
name = "FreeBSD-EN-21:14.pms"
date = "2021-05-26"
[[notices]]
name = "FreeBSD-EN-21:13.mpt"
date = "2021-05-26"
[[notices]]
name = "FreeBSD-EN-21:12.divert"
date = "2021-05-26"
[[notices]]
name = "FreeBSD-EN-21:11.aesni"
date = "2021-05-26"
[[notices]]
name = "FreeBSD-EN-21:10.lldb"
date = "2021-04-06"
[[notices]]
name = "FreeBSD-EN-21:09.pf"
date = "2021-04-06"
[[notices]]
name = "FreeBSD-EN-21:08.freebsd-update"
date = "2021-02-24"
[[notices]]
name = "FreeBSD-EN-21:07.caroot"
date = "2021-02-24"
[[notices]]
name = "FreeBSD-EN-21:06.microcode"
date = "2021-02-24"
[[notices]]
name = "FreeBSD-EN-21:05.libatomic"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-21:04.zfs"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-21:03.vnet"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-21:02.extattr"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-21:01.tzdata"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-20:22.callout"
date = "2020-12-01"
[[notices]]
name = "FreeBSD-EN-20:21.ipfw"
date = "2020-12-01"
[[notices]]
name = "FreeBSD-EN-20:20.tzdata"
date = "2020-12-01"
[[notices]]
name = "FreeBSD-EN-20:19.audit"
date = "2020-12-01"
[[notices]]
name = "FreeBSD-EN-20:18.getfsstat"
date = "2020-09-02"
[[notices]]
name = "FreeBSD-EN-20:17.linuxthread"
date = "2020-09-02"
[[notices]]
name = "FreeBSD-EN-20:16.vmx"
date = "2020-08-05"
[[notices]]
name = "FreeBSD-EN-20:15.mps"
date = "2020-07-08"
[[notices]]
name = "FreeBSD-EN-20:14.linuxkpi"
date = "2020-07-08"
[[notices]]
name = "FreeBSD-EN-20:13.bhyve"
date = "2020-07-08"
[[notices]]
name = "FreeBSD-EN-20:12.iflib"
date = "2020-06-09"
[[notices]]
name = "FreeBSD-EN-20:11.ena"
date = "2020-06-09"
[[notices]]
name = "FreeBSD-EN-20:10.build"
date = "2020-05-12"
[[notices]]
name = "FreeBSD-EN-20:09.igb"
date = "2020-05-12"
[[notices]]
name = "FreeBSD-EN-20:08.tzdata"
date = "2020-05-12"
[[notices]]
name = "FreeBSD-EN-20:07.quotad"
date = "2020-04-21"
[[notices]]
name = "FreeBSD-EN-20:06.ipv6"
date = "2020-03-19"
[[notices]]
name = "FreeBSD-EN-20:05.mlx5en"
date = "2020-03-19"
[[notices]]
name = "FreeBSD-EN-20:04.pfctl"
date = "2020-03-19"
[[notices]]
name = "FreeBSD-EN-20:03.sshd"
date = "2020-03-19"
[[notices]]
name = "FreeBSD-EN-20:02.nmount"
date = "2020-01-28"
[[notices]]
name = "FreeBSD-EN-20:01.ssp"
date = "2020-01-28"
[[notices]]
name = "FreeBSD-EN-19:19.loader"
date = "2019-11-12"
[[notices]]
name = "FreeBSD-EN-19:18.tzdata"
date = "2019-10-23"
[[notices]]
name = "FreeBSD-EN-19:17.ipfw"
date = "2019-08-20"
[[notices]]
name = "FreeBSD-EN-19:16.bhyve"
date = "2019-08-20"
[[notices]]
name = "FreeBSD-EN-19:15.libunwind"
date = "2019-08-06"
[[notices]]
name = "FreeBSD-EN-19:14.epoch"
date = "2019-08-06"
[[notices]]
name = "FreeBSD-EN-19:13.mds"
date = "2019-07-24"
[[notices]]
name = "FreeBSD-EN-19:12.tzdata"
date = "2019-07-02"
[[notices]]
name = "FreeBSD-EN-19:11.net"
date = "2019-06-19"
[[notices]]
name = "FreeBSD-EN-19:10.scp"
date = "2019-05-14"
[[notices]]
name = "FreeBSD-EN-19:09.xinstall"
date = "2019-05-14"
[[notices]]
name = "FreeBSD-EN-19:08.tzdata"
date = "2019-05-14"
[[notices]]
name = "FreeBSD-EN-19:07.lle"
date = "2019-02-05"
[[notices]]
name = "FreeBSD-EN-19:06.dtrace"
date = "2019-02-05"
[[notices]]
name = "FreeBSD-EN-19:05.kqueue"
date = "2019-01-09"
[[notices]]
name = "FreeBSD-EN-19:04.tzdata"
date = "2019-01-09"
[[notices]]
name = "FreeBSD-EN-19:03.sqlite"
date = "2019-01-09"
[[notices]]
name = "FreeBSD-EN-19:02.tcp"
date = "2019-01-09"
[[notices]]
name = "FreeBSD-EN-19:01.cc_cubic"
date = "2019-01-09"
[[notices]]
name = "FreeBSD-EN-18:18.zfs"
date = "2018-12-19"
[[notices]]
name = "FreeBSD-EN-18:17.vm"
date = "2018-12-19"
[[notices]]
name = "FreeBSD-EN-18:16.ptrace"
date = "2018-12-19"
[[notices]]
name = "FreeBSD-EN-18:15.loader"
date = "2018-11-27"
[[notices]]
name = "FreeBSD-EN-18:14.tzdata"
date = "2018-11-27"
[[notices]]
name = "FreeBSD-EN-18:13.icmp"
date = "2018-11-27"
[[notices]]
name = "FreeBSD-EN-18:12.mem"
date = "2018-09-27"
[[notices]]
name = "FreeBSD-EN-18:11.listen"
date = "2018-09-27"
[[notices]]
name = "FreeBSD-EN-18:10.syscall"
date = "2018-09-27"
[[notices]]
name = "FreeBSD-EN-18:09.ip"
date = "2018-09-27"
[[notices]]
name = "FreeBSD-EN-18:08.lazyfpu"
date = "2018-09-12"
[[notices]]
name = "FreeBSD-EN-18:07.pmap"
date = "2018-06-21"
[[notices]]
name = "FreeBSD-EN-18:06.tzdata"
date = "2018-05-08"
[[notices]]
name = "FreeBSD-EN-18:05.mem"
date = "2018-05-08"
[[notices]]
name = "FreeBSD-EN-18:04.mem"
date = "2018-04-04"
[[notices]]
name = "FreeBSD-EN-18:03.tzdata"
date = "2018-04-04"
[[notices]]
name = "FreeBSD-EN-18:02.file"
date = "2018-03-07"
[[notices]]
name = "FreeBSD-EN-18:01.tzdata"
date = "2018-03-07"
[[notices]]
name = "FreeBSD-EN-17:09.tzdata"
date = "2017-11-02"
[[notices]]
name = "FreeBSD-EN-17:08.pf"
date = "2017-08-10"
[[notices]]
name = "FreeBSD-EN-17:07.vnet"
date = "2017-08-10"
[[notices]]
name = "FreeBSD-EN-17:06.hyperv"
date = "2017-07-12"
[[notices]]
name = "FreeBSD-EN-17:05.xen"
date = "2017-04-12"
[[notices]]
name = "FreeBSD-EN-17:04.mandoc"
date = "2017-02-23"
[[notices]]
name = "FreeBSD-EN-17:03.hyperv"
date = "2017-02-23"
[[notices]]
name = "FreeBSD-EN-17:02.yp"
date = "2017-02-23"
[[notices]]
name = "FreeBSD-EN-17:01.pcie"
date = "2017-02-23"
[[notices]]
name = "FreeBSD-EN-16:21.localedef"
date = "2016-12-06"
[[notices]]
name = "FreeBSD-EN-16:20.tzdata"
date = "2016-12-06"
[[notices]]
name = "FreeBSD-EN-16:19.tzcode"
date = "2016-12-06"
[[notices]]
name = "FreeBSD-EN-16:18.loader"
date = "2016-10-25"
[[notices]]
name = "FreeBSD-EN-16:17.vm"
date = "2016-10-25"
[[notices]]
name = "FreeBSD-EN-16:16.hv_storvsc"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:15.vmbus"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:14.hv_storvsc"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:13.vmbus"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:12.hv_storvsc"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:11.vmbus"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:10.dhclient"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:09.freebsd-update"
date = "2016-07-25"
[[notices]]
name = "FreeBSD-EN-16:08.zfs"
date = "2016-05-04"
[[notices]]
name = "FreeBSD-EN-16:07.ipi"
date = "2016-05-04"
[[notices]]
name = "FreeBSD-EN-16:06.libc"
date = "2016-05-04"
[[notices]]
name = "FreeBSD-EN-16:05.hv_netvsc"
date = "2016-03-16"
[[notices]]
name = "FreeBSD-EN-16:04.hyperv"
date = "2016-03-16"
[[notices]]
name = "FreeBSD-EN-16:03.yplib"
date = "2016-01-14"
[[notices]]
name = "FreeBSD-EN-16:02.pf"
date = "2016-01-14"
[[notices]]
name = "FreeBSD-EN-16:01.filemon"
date = "2016-01-14"
[[notices]]
name = "FreeBSD-EN-15:20.vm"
date = "2015-11-04"
[[notices]]
name = "FreeBSD-EN-15:19.kqueue"
date = "2015-11-04"
[[notices]]
name = "FreeBSD-EN-15:18.pkg"
date = "2015-09-16"
[[notices]]
name = "FreeBSD-EN-15:17.libc"
date = "2015-09-16"
[[notices]]
name = "FreeBSD-EN-15:16.pw"
date = "2015-09-16"
[[notices]]
name = "FreeBSD-EN-15:15.pkg"
date = "2015-08-25"
[[notices]]
name = "FreeBSD-EN-15:14.ixgbe"
date = "2015-08-25"
[[notices]]
name = "FreeBSD-EN-15:13.vidcontrol"
date = "2015-08-18"
[[notices]]
name = "FreeBSD-EN-15:12.netstat"
date = "2015-08-18"
[[notices]]
name = "FreeBSD-EN-15:11.toolchain"
date = "2015-08-18"
[[notices]]
name = "FreeBSD-EN-15:10.iconv"
date = "2015-06-30"
[[notices]]
name = "FreeBSD-EN-15:09.xlocale"
date = "2015-06-30"
[[notices]]
name = "FreeBSD-EN-15:08.sendmail"
date = "2015-06-18"
[[notices]]
name = "FreeBSD-EN-15:07.zfs"
date = "2015-06-09"
[[notices]]
name = "FreeBSD-EN-15:06.file"
date = "2015-06-09"
[[notices]]
name = "FreeBSD-EN-15:05.ufs"
date = "2015-05-13"
[[notices]]
name = "FreeBSD-EN-15:04.freebsd-update"
date = "2015-05-13"
[[notices]]
name = "FreeBSD-EN-15:03.freebsd-update"
date = "2015-02-25"
[[notices]]
name = "FreeBSD-EN-15:02.openssl"
date = "2015-02-25"
[[notices]]
name = "FreeBSD-EN-15:01.vt"
date = "2015-02-25"
[[notices]]
name = "FreeBSD-EN-14:13.freebsd-update"
date = "2014-12-23"
[[notices]]
name = "FreeBSD-EN-14:12.zfs"
date = "2014-11-04"
[[notices]]
name = "FreeBSD-EN-14:11.crypt"
date = "2014-10-22"
[[notices]]
name = "FreeBSD-EN-14:10.tzdata"
date = "2014-10-22"
[[notices]]
name = "FreeBSD-EN-14:09.jail"
date = "2014-07-08"
[[notices]]
name = "FreeBSD-EN-14:08.heimdal"
date = "2014-06-24"
[[notices]]
name = "FreeBSD-EN-14:07.pmap"
date = "2014-06-24"
[[notices]]
name = "FreeBSD-EN-14:06.exec"
date = "2014-06-03"
[[notices]]
name = "FreeBSD-EN-14:05.ciss"
date = "2014-05-13"
[[notices]]
name = "FreeBSD-EN-14:04.kldxref"
date = "2014-05-13"
[[notices]]
name = "FreeBSD-EN-14:03.pkg"
date = "2014-05-13"
[[notices]]
name = "FreeBSD-EN-14:02.mmap"
date = "2014-01-14"
[[notices]]
name = "FreeBSD-EN-14:01.random"
date = "2014-01-14"
[[notices]]
name = "FreeBSD-EN-13:05.freebsd-update"
date = "2013-11-28"
[[notices]]
name = "FreeBSD-EN-13:04.freebsd-update"
date = "2013-10-26"
[[notices]]
name = "FreeBSD-EN-13:03.mfi"
date = "2013-08-22"
[[notices]]
name = "FreeBSD-EN-13:01.fxp"
date = "2013-06-28"
[[notices]]
name = "FreeBSD-EN-13:02.vtnet"
date = "2013-06-28"
[[notices]]
name = "FreeBSD-EN-12:02.ipv6refcount"
date = "2012-06-12"
[[notices]]
name = "FreeBSD-EN-12:01.freebsd-update"
date = "2012-01-04"
[[notices]]
name = "FreeBSD-EN-10:02.sched_ule"
date = "2010-02-27"
[[notices]]
name = "FreeBSD-EN-10:01.freebsd"
date = "2010-01-06"
[[notices]]
name = "FreeBSD-EN-09:05.null"
date = "2009-10-02"
[[notices]]
name = "FreeBSD-EN-09:04.fork"
date = "2009-06-24"
[[notices]]
name = "FreeBSD-EN-09:03.fxp"
date = "2009-06-24"
[[notices]]
name = "FreeBSD-EN-09:02.bce"
date = "2009-06-24"
[[notices]]
name = "FreeBSD-EN-09:01.kenv"
date = "2009-03-23"
[[notices]]
name = "FreeBSD-EN-08:02.tcp"
date = "2008-06-19"
[[notices]]
name = "FreeBSD-EN-08:01.libpthread"
date = "2008-04-17"
[[notices]]
name = "FreeBSD-EN-07:05.freebsd-update"
date = "2007-03-15"
[[notices]]
name = "FreeBSD-EN-07:04.zoneinfo"
date = "2007-02-28"
[[notices]]
name = "FreeBSD-EN-07:03.rc.d_jail"
date = "2007-02-28"
[[notices]]
name = "FreeBSD-EN-07:02.net"
date = "2007-02-28"
[[notices]]
name = "FreeBSD-EN-07:01.nfs"
date = "2007-02-14"
[[notices]]
name = "FreeBSD-EN-06:02.net"
date = "2006-08-28"
[[notices]]
name = "FreeBSD-EN-06:01.jail"
date = "2006-07-07"
[[notices]]
name = "FreeBSD-EN-05:04.nfs"
date = "2005-12-19"
[[notices]]
name = "FreeBSD-EN-05:03.ipi"
date = "2005-01-16"
[[notices]]
name = "FreeBSD-EN-05:02.sk"
date = "2005-01-06"
[[notices]]
name = "FreeBSD-EN-05:01.nfs"
date = "2005-01-05"
[[notices]]
name = "FreeBSD-EN-04:01.twe"
date = "2004-06-28"
diff --git a/website/static/security/advisories/FreeBSD-EN-21:18.libc++.asc b/website/static/security/advisories/FreeBSD-EN-21:18.libc++.asc
new file mode 100644
index 0000000000..7773e922af
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-21:18.libc++.asc
@@ -0,0 +1,143 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:18.libc++ Errata Notice
+ The FreeBSD Project
+
+Topic: Missing C++20 headers in libc++
+
+Category: contrib
+Module: libc++
+Announced: 2021-06-29
+Affects: FreeBSD 13.0
+Corrected: 2021-06-03 18:53:18 UTC (stable/13, 13.0-STABLE)
+ 2021-06-29 17:08:58 UTC (releng/13.0, 13.0-RELEASE-p3)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+libc++ is an implementation of the C++ Standard Library, provided by the
+LLVM project. It is used by C++ programs in the base system, and also by
+many C++ programs in the ports collection.
+
+II. Problem Description
+
+The LLVM project components in the base system, including libc++, were
+(2020-07-31) upgraded to upstream version 11.0.0. Among other features,
+improvements were made to libc++ to better support the C++20 standard. This
+also included a number of new Standard Library headers, but these were
+missed during the upgrade and not installed into the base system, in
+particular:
+
+*
+*
+*
+*
+*
+*
+
+III. Impact
+
+Even though clang and libc++ 11.0.0 have much improved support for the
+C++20 standard, it is not possible to build programs using the standard
+headers listed above, because they are not available in the base system.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:18/libc++.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:18/libc++.patch.asc
+# gpg --verify libc++.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+
+VI. Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ 70e13c4cffd5 stable/13-n245875
+releng/13.0/ dac086497e50 releng/13.0-n244747
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+
+
+
+
+
+
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmDcD0QACgkQ05eS9J6n
+5cKVZg//Ro5nAZ7q23Uf4LlZchlADS8BlH6rHxJ2sk2784CJl4q0Lrh1UMcttfg6
+JA8xfbNV2YXLIzUaXemCfzJAOwCfuNSZkU4hJ568eqo5/itpRf5uQ6hXIwlmmYKw
+9Sk8ciUAxO4HuxLxKRDEPsHWSSQE04SnGyQk82AXCpxn/0nTeQoeKj1wyPHBf8F+
+Kj0kl30l9JKpnoXgHfvyTvK2akJAXbH1v+pc72kyjVBhy8HWKAtsbyC7vYbELylB
+XuH2IwxAVf1iR3VG7slUlr/L/XcGniICRzmYoY1A/SW6QalEfLDPtZLujl33HMOE
+xyni4+oi7JsbgwVc/ISNfqwtyZePSD8RCczLNrZb+femGz/iyGwq1fPn8w0H5snp
+NYrQ22HnjIR5E6Tqlx4IdVFC0M9JQjmEp9cTjG+9CM6L0qZLStdzYbGlJsG2qz0o
+hBc3gvMGZzP2uBG8VxaIH3FBZGgMllsN0/uaOvqipZyqA8t4OR56bF5/AEGxLuJY
+MPdMBMKNDvIpLKe9CEJ9A6BpAO3aPWnRKgAGKlV69t1wub0GWeAAFHz70JQC0Kgv
+6q5xuCjzzGydIeZdv34uSkVThB+vv4OgpdH806ZZLjSr90kfzYJsRYDTNxRBdKpR
+etU1E7FFJAxl9Qc2gXadEvDhi4IhKslBdtlQFIZvkoO8Wd4VhHM=
+=vLEs
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-21:19.libcasper.asc b/website/static/security/advisories/FreeBSD-EN-21:19.libcasper.asc
new file mode 100644
index 0000000000..603e5fc9bf
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-21:19.libcasper.asc
@@ -0,0 +1,166 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:19.libcasper Errata Notice
+ The FreeBSD Project
+
+Topic: libcasper assertion failure
+
+Category: core
+Module: libcasper
+Announced: 2021-06-29
+Credits: Borja Marcos, Jung-uk Kim
+Affects: All supported versions of FreeBSD.
+Corrected: 2021-06-15 18:14:43 UTC (stable/13, 13.0-STABLE)
+ 2021-06-29 17:09:02 UTC (releng/13.0, 13.0-RELEASE-p3)
+ 2021-06-16 20:25:22 UTC (stable/12, 12.2-STABLE)
+ 2021-06-29 20:26:12 UTC (releng/12.2, 12.2-RELEASE-p9)
+ 2021-06-16 20:30:46 UTC (stable/11, 11.4-STABLE)
+ 2021-06-29 20:25:32 UTC (releng/11.4, 11.4-RELEASE-p12)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+libcasper(3) allows Capsicum-sandboxed applications to define and use
+system interfaces which are ordinarily disallowed. It is used by
+multiple programs in the base system, such as logger(1).
+
+II. Problem Description
+
+libcasper(3) creates service processes by forking the calling process,
+so they initially inherit the calling process' file descriptor table.
+Casper services expect the lowest 3 file descriptors, traditionally
+corresponding to standard input, output, and error, are redirected to
+/dev/null. libcasper(3) ensures this is the case. However, it did not
+handle the possibility that one of them is closed, and this scenario
+would trigger an assertion failure during service creation, resulting in
+a crash.
+
+III. Impact
+
+Some applications, such as logger(1), may crash if one of the standard
+descriptors is closed when Casper services are started, typically during
+program initialization.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.0]
+# fetch https://security.FreeBSD.org/patches/EN-21:19/libcasper.13.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:19/libcasper.13.patch.asc
+# gpg --verify libcasper.13.patch.asc
+
+[FreeBSD 12.2]
+# fetch https://security.FreeBSD.org/patches/EN-21:19/libcasper.12.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:19/libcasper.12.patch.asc
+# gpg --verify libcasper.12.patch.asc
+
+[FreeBSD 11.4]
+# fetch https://security.FreeBSD.org/patches/EN-21:19/libcasper.11.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:19/libcasper.11.patch.asc
+# gpg --verify libcasper.11.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+
+Restart all daemons that use the library, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ 934e10b4a388 stable/13-n246041
+releng/13.0/ ba5ed8109cc9 releng/13.0-n244748
+stable/12/ r369994
+releng/12.2/ r370063
+stable/11/ r370004
+releng/11.4/ r370059
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII. References
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmDcD0QACgkQ05eS9J6n
+5cJ3oRAAhTR7w6yCDjLSExq+/mizNNPy/EHyTxnoexUV6vGnPL3wEno6IVhqTPS3
+Vuq9m7noXOgwHGO0Mbbuc9vkZJWjfoXoeEqylfkSxH3mDb+hkBKPGyZNZWup6XCd
+ykm2FB+c65t/neF9n/6OesT7mIUp+k4UIwTOXuO5rRolWkGrSawHLYWucww3LAF1
+p2bD7Gdc8m/Ymj5FDJBPMWAtFW7QNmocyQI4vGAgqoW2DXokoy/BVTYE6pU3RQ3G
+ZTkXMa5Vb6LlbnP3ho14Jap/6gXcUAnB96bXuWG3JIsNvslZzSLe1jRKD0QXNJvw
+PFRLe8LBOA/VZ02xyoHdlAkAnTMk+vv7LU6K6Z7UIr8YzwkS0UYvvVvEr03E1Psm
+qvzhs+qml2ATn4/C4sjzUEAq5YRqBPQOSmKFmGDAOzy179L1YM8IFIdm11hpGlu5
+8T+n/egH5IVQ7U35MiXUkomvO7F2PWBP7oGI0GDIvKa7UuR+gsMwkVyE68W2442i
+3JaBCqntchJjS2P+ixnXR2qCI81zCRlG+/m/1gBgztA8+K85l0P0gt8VAhcakbES
+WXh4rX6BSvMqDI1Ex3wS00zjZOSM/HoNz+HGmpUiQ7RYVinrt4Av3vdbv2hLm96l
+Iu28g8UCf4HNUAVAbgtiHmU74TBKGSyDPVcQVvegMG/YEhof9Fw=
+=LQ0r
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-21:20.vlan.asc b/website/static/security/advisories/FreeBSD-EN-21:20.vlan.asc
new file mode 100644
index 0000000000..3f2cf35791
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-21:20.vlan.asc
@@ -0,0 +1,129 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:20.vlan Errata Notice
+ The FreeBSD Project
+
+Topic: Missing backwards compatibility in vlan(4)
+
+Category: core
+Module: vlan
+Announced: 2021-06-29
+Affects: FreeBSD 13.0
+Corrected: 2021-04-12 22:18:33 UTC (stable/13, 13.0-STABLE)
+ 2021-06-29 17:09:25 UTC (releng/13.0, 13.0-RELEASE-p3)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+FreeBSD 13.0 introduced support for stacked VLANs (802.1ad, Q-in-Q).
+
+II. Problem Description
+
+Due to missing backwards compatibility, VLAN interfaces created by
+the ifconfig binaries from prior versions of FreeBSD result in a
+VLAN Protocol of 0, instead of 802.1Q (normal VLAN).
+
+III. Impact
+
+During the upgrade process from a prior version of FreeBSD to FreeBSD
+13.0, when the system is rebooted with the new kernel, but still the old
+userland, VLANs are not configured properly, and the system may not be
+accessible over the network.
+
+Some network interface drivers may crash when they encounter the invalid
+ethernet protocol type 0.
+
+IV. Workaround
+
+Use the FreeBSD 13.0 ifconfig binary to configure network interfaces
+until the rest of the userland is updated as the upgrade process completes.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for an erratum update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:20/vlan.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:20/vlan.patch.asc
+# gpg --verify vlan.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+ and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ 9abc85d17d05 stable/13-n245206
+releng/13.0/ 78f91c1fbf02 releng/13.0-n244749
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmDcD0UACgkQ05eS9J6n
+5cIe+g/9Hbf0RjRHr4PDK9CMdl8qH2mUzJw48vZ7A/+/ZP2DI9uahAvwUzXs4LJd
+RvO9RHAQ4zU4xq4PrJg/H1N6oyx3s4RlPMvVi7EFEv0hKcoc21PzWfrrlIlrjuEx
+TZTighUmmfOy95Mx0R+zaqW5uO31hx5JrBeeIORMiTQFStSidoB5blj5+RXPhWdp
+xGmvRN/0YUvpDzSuwDt1UsjmbcGDcQn0KyIU3cnm7Dbc7M97WAngF3qB4zblP/Eu
+tCbC9SFe/Gp4aSydDupNLL45PM/WvcbDaULH1cu/03vkSu5jHOILdx9q+h8CKOfs
+GzCn2TY4iL/idfC3OxcZ1IYz2aRKG92fc1vtucT80BZ4vd6xUnQgAbYgDn16H59L
+QQjnddeohb7HcYoTsESaFUnjoHpcr9r756wPOIcP59/gENS3Q/3jhvUFt81hmXTC
+9ybR9KcrpD9WMLeFrI241TDqhUn7WeAnWmp+NJbAOJFBWQeDqHDqw6/pq923g8b+
+8yesNwXPXBPIw9OoqyG4X4ltfGJ2B2TcNvcr+3ILxwKNwFK5NA0xy6q7LXGNA64V
+fAnHYnLLvdrErFeDgYzTbn/stnFl7lQ1WDGc/KKcFNW6EfP0ZARljDXtNkj9RTKP
+jcxJ2s1pQfbXC1SzoieDb4CaNKQ9tzs0caGhLUWpEI2BKjgz5cU=
+=7me6
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-21:21.ipfw.asc b/website/static/security/advisories/FreeBSD-EN-21:21.ipfw.asc
new file mode 100644
index 0000000000..d0e5e81d67
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-21:21.ipfw.asc
@@ -0,0 +1,145 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:21.ipfw Errata Notice
+ The FreeBSD Project
+
+Topic: Kernel panic with ipfw link-layer filtering enabled
+
+Category: core
+Module: ipfw
+Announced: 2021-06-29
+Affects: FreeBSD 13.0
+Corrected: 2021-06-19 14:08:49 UTC (stable/13, 13.0-STABLE)
+ 2021-06-29 17:09:43 UTC (releng/13.0, 13.0-RELEASE-p3)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+ipfw(4) is a IP packet filter implementation in the kernel. It uses the
+pfil(9) interface to hook into several
+
+II. Problem Description
+
+When link-layer filtering is enabled by setting the net.link.ether.ipfw
+sysctl to 1, packets received by the filter may be reallocated to ensure
+that protocol headers are contiguous in memory. In this case, the old
+copy of the packet is freed. However, the filter failed to update the
+pointer returned to the pfil(9) caller, resulting in the use of a
+pointer to freed memory.
+
+III. Impact
+
+Systems which use ipfw(4)'s link-layer filtering capabilities may panic.
+
+IV. Workaround
+
+No workaround is available. Systems not using ipfw(4), or systems that
+do not explicitly enable link-layer filtering by setting the
+net.link.ether.ipfw sysctl to 1, are not affected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for an erratum update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:21/ipfw.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:21/ipfw.patch.asc
+# gpg --verify ipfw.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+ and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ ed1acef3fe30 stable/13-n246063
+releng/13.0/ 4647d115ff84 releng/13.0-n244750
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII. References
+
+
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmDcD0UACgkQ05eS9J6n
+5cKBew//V3FOP0ctdnzu2Y+EDOPkOt8SwVANBSY/Yde5NLATx6tpYf8ob2a98rYP
+6raKpxrn1LtMWwuhXfUGl86mZYInTKvG1SFAZx8H3y1NLc+oesXXF6kmObQz6yfN
+U8Gud4axcviV0dP2QW/JAbOAH7zwXpzCTYFYZvtdbFALGJdo2KqNYiFuJ6eVv4EK
+Gm35CJvTiugKoXG6JKzJpqHhonHMeKcRDTYcg9xLneTRkKoCldXNtFY6G21+sFDN
+OJgI+D6HilxPC1ujyGGKOx1EvQeUh42Hv8KoIQlbXzFq4j/ql1UlITaoPyOEGJYW
+G7qEH5WnIrQoauq5v3DZydwTsF6Bi/k9Xw3vZkpIkHjq/mEGBquMW3y660thuDFD
+K33dZWAtvzf4oupWNtGmAGZJ59MBSoSyj4TKUKChC5FC6MtKh1xaDi5AstqBZTkD
+VPo/DJXS3jR/gF/1jDt7lxTKVNFGsp60Ru9Y7Pd0P3PqAEbLuVQJxF4VSfGx814P
+PW7xOQmhi8Y3c0Cgcox/16hxAxo2tvv0XzNvvPikKn1HTMQ+9rc2V0rXG3bcr++a
+7Ug+ToEEYOjln03S5Xu7LWfkHYJdrPVV2qnbCMgRYxBWezrK76Q420dNtbx47ScZ
+eDg1vOOfiWpRQVUJbCzeUyLaZBUZ9WvgmemeO6bgeHlS9NE81Ys=
+=pdU2
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-21:22.linux_futex.asc b/website/static/security/advisories/FreeBSD-EN-21:22.linux_futex.asc
new file mode 100644
index 0000000000..750ce7f9de
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-21:22.linux_futex.asc
@@ -0,0 +1,157 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-21:22.linux_futex Errata Notice
+ The FreeBSD Project
+
+Topic: Linux compatibility layer futex(2) system call vulnerability
+
+Category: core
+Module: kernel
+Announced: 2021-06-29
+Credits: Dmitry Chagin
+Affects: All supported versions of FreeBSD.
+Corrected: 2021-06-29 19:58:32 UTC (stable/13, 13.0-STABLE)
+ 2021-06-29 20:06:09 UTC (releng/13.0, 13.0-RELEASE-p3)
+ 2021-06-29 20:01:48 UTC (stable/12, 12.2-STABLE)
+ 2021-06-29 20:26:15 UTC (releng/12.2, 12.2-RELEASE-p9)
+ 2021-06-29 20:01:14 UTC (stable/11, 11.4-STABLE)
+ 2021-06-29 20:25:38 UTC (releng/11.4, 11.4-RELEASE-p12)
+CVE Name: CVE-2018-6927
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+The Linux ABI layer (Linuxulator) allows Linux binaries to be executed on a
+FreeBSD kernel. This compatibility layer is supported on the amd64, aarch64
+and i386 architecture.
+
+II. Problem Description
+
+A programming error in the Linux compatibility layer futex(2) system
+call might allow attackers to cause a denial of service.
+
+III. Impact
+
+It is possible for an unprivileged local attacker to specify negative
+wake or requeue value for futex_requeue, which may result in a signed
+integer overflow.
+
+IV. Workaround
+
+No workaround is available. Systems not using the Linux binary compatibility
+layer are not affected.
+
+The following command can be used to test if the Linux binary compatibility
+layer is loaded:
+
+# kldstat -m linuxelf && kldstat -m linux64elf
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for an erratum update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-21:22/linux_futex.patch
+# fetch https://security.FreeBSD.org/patches/EN-21:22/linux_futex.patch.asc
+# gpg --verify linux_futex.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+ and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ 7a37d13b6cfa stable/13-n246121
+releng/13.0/ d1fffaed2309 releng/13.0-n244751
+stable/12/ r370058
+releng/12.2/ r370064
+stable/11/ r370057
+releng/11.4/ r370061
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII. References
+
+The fix was modeled after Linux, where a similar error has been fixed:
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmDcD0YACgkQ05eS9J6n
+5cJeohAAkhSmsTOpyNfWe2nhRmtH/686fEIaRyNBdPkPtCE/bszgMNLbGLPaCKEt
+EHV9HgtDWJF/U/V9odh4QJChkbBEIngh5A45IZcWgv3359Sv1xSCDhPNxuJvUgHZ
+R4VZ9zKFcY/ur6e/AJCkp9ofkWVDLBoLI/yYXTiIJqKWTtnOJ9ObphV08t6hNCSY
+vWK5wLs39Gd/fo7VhPSjSOP9JuCNCrrX57pd6PQzmhDuewl3jQAp6oot3nQSmTNM
+l8JlpegC8SnbUIv5vOxRdtuE22WbMjiGXN3V/ejxl40q9SeY+uDQjollMSf+xJwf
+6tTStPJMMv7zu10BJTja/27a+TTL7tTYzseTAtYSsCu51ZfN45AONaSgNDy8Tb1N
+zDiEi2E74bM1raO5TPHp+cPWAcYT/QV35DNt7BkKEDOGBrqAM1nyTsoe1qWolm9R
+PEkdOpRDOS1bpss6vcyI4yjD/wFPf82A7Ji27A0+fpmUedaqNpE4EXxlSAd/2vp2
+pORz+EhFj3D9iOSHvZJM9FS8cOncXlnq33rcSF0nY8prZ7pJfbaWZjLYIIBSrMZB
+w8PsmWBYjP01zHK+IReI/JVyJHbau+qdUsTND15TxVXAJPK5qbMKEeRak8RA9m5f
+v7CU2ahZfXhvLgxysBWP1txf4s/7+hiynftxAL2TGg0YH4Dqkts=
+=BHgS
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-21:18/libc++.patch b/website/static/security/patches/EN-21:18/libc++.patch
new file mode 100644
index 0000000000..7052684db3
--- /dev/null
+++ b/website/static/security/patches/EN-21:18/libc++.patch
@@ -0,0 +1,275 @@
+ Add C++ headers
+
+ I missed adding these to the libc++ Makefile, when importing
+ llvm-project 11.0.0-rc1, even though they were supplied by upstream.
+
+ While here, update OptionalObsoleteFiles.inc to add these new headers,
+ and cleanup old cruft.
+
+ Reported by: yuri
+ Submitted by: jkim (Makefile diff)
+ PR: 255374
+ MFC after: 3 days
+
+ (cherry picked from commit 95aa617e4bf09fcc813b1bab3d0dbf4b606807b1)
+ (cherry picked from commit 70e13c4cffd5ff7a70296bc5c4c3b7525c278b1d)
+--- lib/libc++/Makefile.orig
++++ lib/libc++/Makefile
+@@ -112,6 +112,7 @@
+ STD_HEADERS+= any
+ STD_HEADERS+= array
+ STD_HEADERS+= atomic
++STD_HEADERS+= barrier
+ STD_HEADERS+= bit
+ STD_HEADERS+= bitset
+ STD_HEADERS+= cassert
+@@ -131,6 +132,7 @@
+ STD_HEADERS+= compare
+ STD_HEADERS+= complex
+ STD_HEADERS+= complex.h
++STD_HEADERS+= concepts
+ STD_HEADERS+= condition_variable
+ STD_HEADERS+= csetjmp
+ STD_HEADERS+= csignal
+@@ -149,6 +151,7 @@
+ STD_HEADERS+= deque
+ STD_HEADERS+= errno.h
+ STD_HEADERS+= exception
++STD_HEADERS+= execution
+ STD_HEADERS+= fenv.h
+ STD_HEADERS+= filesystem
+ STD_HEADERS+= float.h
+@@ -164,6 +167,7 @@
+ STD_HEADERS+= iostream
+ STD_HEADERS+= istream
+ STD_HEADERS+= iterator
++STD_HEADERS+= latch
+ STD_HEADERS+= limits
+ STD_HEADERS+= limits.h
+ STD_HEADERS+= list
+@@ -174,6 +178,7 @@
+ STD_HEADERS+= memory
+ STD_HEADERS+= mutex
+ STD_HEADERS+= new
++STD_HEADERS+= numbers
+ STD_HEADERS+= numeric
+ STD_HEADERS+= optional
+ STD_HEADERS+= ostream
+@@ -182,6 +187,7 @@
+ STD_HEADERS+= ratio
+ STD_HEADERS+= regex
+ STD_HEADERS+= scoped_allocator
++STD_HEADERS+= semaphore
+ STD_HEADERS+= set
+ STD_HEADERS+= setjmp.h
+ STD_HEADERS+= shared_mutex
+--- tools/build/mk/OptionalObsoleteFiles.inc.orig
++++ tools/build/mk/OptionalObsoleteFiles.inc
+@@ -3831,6 +3831,7 @@
+ OLD_FILES+=usr/include/c++/v1/any
+ OLD_FILES+=usr/include/c++/v1/array
+ OLD_FILES+=usr/include/c++/v1/atomic
++OLD_FILES+=usr/include/c++/v1/barrier
+ OLD_FILES+=usr/include/c++/v1/bit
+ OLD_FILES+=usr/include/c++/v1/bitset
+ OLD_FILES+=usr/include/c++/v1/cassert
+@@ -3850,6 +3851,7 @@
+ OLD_FILES+=usr/include/c++/v1/compare
+ OLD_FILES+=usr/include/c++/v1/complex
+ OLD_FILES+=usr/include/c++/v1/complex.h
++OLD_FILES+=usr/include/c++/v1/concepts
+ OLD_FILES+=usr/include/c++/v1/condition_variable
+ OLD_FILES+=usr/include/c++/v1/csetjmp
+ OLD_FILES+=usr/include/c++/v1/csignal
+@@ -3869,14 +3871,12 @@
+ OLD_FILES+=usr/include/c++/v1/deque
+ OLD_FILES+=usr/include/c++/v1/errno.h
+ OLD_FILES+=usr/include/c++/v1/exception
++OLD_FILES+=usr/include/c++/v1/execution
+ OLD_FILES+=usr/include/c++/v1/experimental/__config
+ OLD_FILES+=usr/include/c++/v1/experimental/__memory
+ OLD_FILES+=usr/include/c++/v1/experimental/algorithm
+-OLD_FILES+=usr/include/c++/v1/experimental/any
+-OLD_FILES+=usr/include/c++/v1/experimental/chrono
+ OLD_FILES+=usr/include/c++/v1/experimental/coroutine
+ OLD_FILES+=usr/include/c++/v1/experimental/deque
+-OLD_FILES+=usr/include/c++/v1/experimental/dynarray
+ OLD_FILES+=usr/include/c++/v1/experimental/filesystem
+ OLD_FILES+=usr/include/c++/v1/experimental/forward_list
+ OLD_FILES+=usr/include/c++/v1/experimental/functional
+@@ -3884,25 +3884,22 @@
+ OLD_FILES+=usr/include/c++/v1/experimental/list
+ OLD_FILES+=usr/include/c++/v1/experimental/map
+ OLD_FILES+=usr/include/c++/v1/experimental/memory_resource
+-OLD_FILES+=usr/include/c++/v1/experimental/numeric
+-OLD_FILES+=usr/include/c++/v1/experimental/optional
+ OLD_FILES+=usr/include/c++/v1/experimental/propagate_const
+-OLD_FILES+=usr/include/c++/v1/experimental/ratio
+ OLD_FILES+=usr/include/c++/v1/experimental/regex
+ OLD_FILES+=usr/include/c++/v1/experimental/set
+ OLD_FILES+=usr/include/c++/v1/experimental/simd
+ OLD_FILES+=usr/include/c++/v1/experimental/string
+-OLD_FILES+=usr/include/c++/v1/experimental/string_view
+-OLD_FILES+=usr/include/c++/v1/experimental/system_error
+-OLD_FILES+=usr/include/c++/v1/experimental/tuple
+ OLD_FILES+=usr/include/c++/v1/experimental/type_traits
+ OLD_FILES+=usr/include/c++/v1/experimental/unordered_map
+ OLD_FILES+=usr/include/c++/v1/experimental/unordered_set
+ OLD_FILES+=usr/include/c++/v1/experimental/utility
+ OLD_FILES+=usr/include/c++/v1/experimental/vector
++OLD_DIRS+=usr/include/c++/v1/experimental
+ OLD_FILES+=usr/include/c++/v1/ext/__hash
+ OLD_FILES+=usr/include/c++/v1/ext/hash_map
+ OLD_FILES+=usr/include/c++/v1/ext/hash_set
++OLD_DIRS+=usr/include/c++/v1/ext
++OLD_FILES+=usr/include/c++/v1/fenv.h
+ OLD_FILES+=usr/include/c++/v1/filesystem
+ OLD_FILES+=usr/include/c++/v1/float.h
+ OLD_FILES+=usr/include/c++/v1/forward_list
+@@ -3917,6 +3914,7 @@
+ OLD_FILES+=usr/include/c++/v1/iostream
+ OLD_FILES+=usr/include/c++/v1/istream
+ OLD_FILES+=usr/include/c++/v1/iterator
++OLD_FILES+=usr/include/c++/v1/latch
+ OLD_FILES+=usr/include/c++/v1/limits
+ OLD_FILES+=usr/include/c++/v1/limits.h
+ OLD_FILES+=usr/include/c++/v1/list
+@@ -3927,7 +3925,7 @@
+ OLD_FILES+=usr/include/c++/v1/memory
+ OLD_FILES+=usr/include/c++/v1/mutex
+ OLD_FILES+=usr/include/c++/v1/new
+-OLD_FILES+=usr/include/c++/v1/numeric
++OLD_FILES+=usr/include/c++/v1/numbers
+ OLD_FILES+=usr/include/c++/v1/numeric
+ OLD_FILES+=usr/include/c++/v1/optional
+ OLD_FILES+=usr/include/c++/v1/ostream
+@@ -3936,6 +3934,7 @@
+ OLD_FILES+=usr/include/c++/v1/ratio
+ OLD_FILES+=usr/include/c++/v1/regex
+ OLD_FILES+=usr/include/c++/v1/scoped_allocator
++OLD_FILES+=usr/include/c++/v1/semaphore
+ OLD_FILES+=usr/include/c++/v1/set
+ OLD_FILES+=usr/include/c++/v1/setjmp.h
+ OLD_FILES+=usr/include/c++/v1/shared_mutex
+@@ -3956,12 +3955,12 @@
+ OLD_FILES+=usr/include/c++/v1/system_error
+ OLD_FILES+=usr/include/c++/v1/tgmath.h
+ OLD_FILES+=usr/include/c++/v1/thread
+-OLD_FILES+=usr/include/c++/v1/version
+ OLD_FILES+=usr/include/c++/v1/tr1/__bit_reference
+ OLD_FILES+=usr/include/c++/v1/tr1/__bsd_locale_defaults.h
+ OLD_FILES+=usr/include/c++/v1/tr1/__bsd_locale_fallbacks.h
+ OLD_FILES+=usr/include/c++/v1/tr1/__config
+ OLD_FILES+=usr/include/c++/v1/tr1/__debug
++OLD_FILES+=usr/include/c++/v1/tr1/__errc
+ OLD_FILES+=usr/include/c++/v1/tr1/__functional_03
+ OLD_FILES+=usr/include/c++/v1/tr1/__functional_base
+ OLD_FILES+=usr/include/c++/v1/tr1/__functional_base_03
+@@ -3969,6 +3968,7 @@
+ OLD_FILES+=usr/include/c++/v1/tr1/__libcpp_version
+ OLD_FILES+=usr/include/c++/v1/tr1/__locale
+ OLD_FILES+=usr/include/c++/v1/tr1/__mutex_base
++OLD_FILES+=usr/include/c++/v1/tr1/__node_handle
+ OLD_FILES+=usr/include/c++/v1/tr1/__nullptr
+ OLD_FILES+=usr/include/c++/v1/tr1/__split_buffer
+ OLD_FILES+=usr/include/c++/v1/tr1/__sso_allocator
+@@ -3982,6 +3982,8 @@
+ OLD_FILES+=usr/include/c++/v1/tr1/any
+ OLD_FILES+=usr/include/c++/v1/tr1/array
+ OLD_FILES+=usr/include/c++/v1/tr1/atomic
++OLD_FILES+=usr/include/c++/v1/tr1/barrier
++OLD_FILES+=usr/include/c++/v1/tr1/bit
+ OLD_FILES+=usr/include/c++/v1/tr1/bitset
+ OLD_FILES+=usr/include/c++/v1/tr1/cassert
+ OLD_FILES+=usr/include/c++/v1/tr1/ccomplex
+@@ -3989,6 +3991,7 @@
+ OLD_FILES+=usr/include/c++/v1/tr1/cerrno
+ OLD_FILES+=usr/include/c++/v1/tr1/cfenv
+ OLD_FILES+=usr/include/c++/v1/tr1/cfloat
++OLD_FILES+=usr/include/c++/v1/tr1/charconv
+ OLD_FILES+=usr/include/c++/v1/tr1/chrono
+ OLD_FILES+=usr/include/c++/v1/tr1/cinttypes
+ OLD_FILES+=usr/include/c++/v1/tr1/ciso646
+@@ -3996,8 +3999,10 @@
+ OLD_FILES+=usr/include/c++/v1/tr1/clocale
+ OLD_FILES+=usr/include/c++/v1/tr1/cmath
+ OLD_FILES+=usr/include/c++/v1/tr1/codecvt
++OLD_FILES+=usr/include/c++/v1/tr1/compare
+ OLD_FILES+=usr/include/c++/v1/tr1/complex
+ OLD_FILES+=usr/include/c++/v1/tr1/complex.h
++OLD_FILES+=usr/include/c++/v1/tr1/concepts
+ OLD_FILES+=usr/include/c++/v1/tr1/condition_variable
+ OLD_FILES+=usr/include/c++/v1/tr1/csetjmp
+ OLD_FILES+=usr/include/c++/v1/tr1/csignal
+@@ -4016,6 +4021,9 @@
+ OLD_FILES+=usr/include/c++/v1/tr1/deque
+ OLD_FILES+=usr/include/c++/v1/tr1/errno.h
+ OLD_FILES+=usr/include/c++/v1/tr1/exception
++OLD_FILES+=usr/include/c++/v1/tr1/execution
++OLD_FILES+=usr/include/c++/v1/tr1/fenv.h
++OLD_FILES+=usr/include/c++/v1/tr1/filesystem
+ OLD_FILES+=usr/include/c++/v1/tr1/float.h
+ OLD_FILES+=usr/include/c++/v1/tr1/forward_list
+ OLD_FILES+=usr/include/c++/v1/tr1/fstream
+@@ -4029,6 +4037,7 @@
+ OLD_FILES+=usr/include/c++/v1/tr1/iostream
+ OLD_FILES+=usr/include/c++/v1/tr1/istream
+ OLD_FILES+=usr/include/c++/v1/tr1/iterator
++OLD_FILES+=usr/include/c++/v1/tr1/latch
+ OLD_FILES+=usr/include/c++/v1/tr1/limits
+ OLD_FILES+=usr/include/c++/v1/tr1/limits.h
+ OLD_FILES+=usr/include/c++/v1/tr1/list
+@@ -4039,7 +4048,7 @@
+ OLD_FILES+=usr/include/c++/v1/tr1/memory
+ OLD_FILES+=usr/include/c++/v1/tr1/mutex
+ OLD_FILES+=usr/include/c++/v1/tr1/new
+-OLD_FILES+=usr/include/c++/v1/tr1/numeric
++OLD_FILES+=usr/include/c++/v1/tr1/numbers
+ OLD_FILES+=usr/include/c++/v1/tr1/numeric
+ OLD_FILES+=usr/include/c++/v1/tr1/optional
+ OLD_FILES+=usr/include/c++/v1/tr1/ostream
+@@ -4048,9 +4057,11 @@
+ OLD_FILES+=usr/include/c++/v1/tr1/ratio
+ OLD_FILES+=usr/include/c++/v1/tr1/regex
+ OLD_FILES+=usr/include/c++/v1/tr1/scoped_allocator
++OLD_FILES+=usr/include/c++/v1/tr1/semaphore
+ OLD_FILES+=usr/include/c++/v1/tr1/set
+ OLD_FILES+=usr/include/c++/v1/tr1/setjmp.h
+ OLD_FILES+=usr/include/c++/v1/tr1/shared_mutex
++OLD_FILES+=usr/include/c++/v1/tr1/span
+ OLD_FILES+=usr/include/c++/v1/tr1/sstream
+ OLD_FILES+=usr/include/c++/v1/tr1/stack
+ OLD_FILES+=usr/include/c++/v1/tr1/stdbool.h
+@@ -4077,8 +4088,10 @@
+ OLD_FILES+=usr/include/c++/v1/tr1/valarray
+ OLD_FILES+=usr/include/c++/v1/tr1/variant
+ OLD_FILES+=usr/include/c++/v1/tr1/vector
++OLD_FILES+=usr/include/c++/v1/tr1/version
+ OLD_FILES+=usr/include/c++/v1/tr1/wchar.h
+ OLD_FILES+=usr/include/c++/v1/tr1/wctype.h
++OLD_DIRS+=usr/include/c++/v1/tr1
+ OLD_FILES+=usr/include/c++/v1/tuple
+ OLD_FILES+=usr/include/c++/v1/type_traits
+ OLD_FILES+=usr/include/c++/v1/typeindex
+@@ -4092,8 +4105,10 @@
+ OLD_FILES+=usr/include/c++/v1/valarray
+ OLD_FILES+=usr/include/c++/v1/variant
+ OLD_FILES+=usr/include/c++/v1/vector
++OLD_FILES+=usr/include/c++/v1/version
+ OLD_FILES+=usr/include/c++/v1/wchar.h
+ OLD_FILES+=usr/include/c++/v1/wctype.h
++OLD_DIRS+=usr/include/c++/v1
+ OLD_FILES+=usr/lib32/libc++.a
+ OLD_FILES+=usr/lib32/libc++.so
+ OLD_LIBS+=usr/lib32/libc++.so.1
+@@ -4104,10 +4119,6 @@
+ OLD_FILES+=usr/lib32/libcxxrt.so
+ OLD_LIBS+=usr/lib32/libcxxrt.so.1
+ OLD_FILES+=usr/lib32/libcxxrt_p.a
+-OLD_DIRS+=usr/include/c++/v1/tr1
+-OLD_DIRS+=usr/include/c++/v1/experimental
+-OLD_DIRS+=usr/include/c++/v1/ext
+-OLD_DIRS+=usr/include/c++/v1
+ .endif
+
+ .if ${MK_LLD} == no
diff --git a/website/static/security/patches/EN-21:18/libc++.patch.asc b/website/static/security/patches/EN-21:18/libc++.patch.asc
new file mode 100644
index 0000000000..8efe37e24c
--- /dev/null
+++ b/website/static/security/patches/EN-21:18/libc++.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmDcD0QACgkQ05eS9J6n
+5cJo/w/9FRlaT0R8qOsIrN9JuHVx9pWA964W6RgXze6m/Wdeisxm8TYwdgiSpPyl
+iohJVoFJ/HvLmEZbYUJre/CXP3d68uxd+YPI19mb6dAB+qsOGP2QIGCLeFlFQ2AM
+0zg+63ZXVBnqe30zErMYVt1KoMoUHpy2W9p748tNnkbBTjR6/nszPvgnkm9TvcvP
+8+jhwlvSSoRfGzSrj9XGesx99ojUJ/+uUiTz+fHg5w9KOJxiCfPj8BJ41eDB6Hc2
+oIN+keWQyFOHQSkDPtDLtonoBv/PAAnlBvNaLVqk88RptaMPfMVDZ//eaCKaXrTn
+Qgq+PoeaOiE/nEnoeJ4rEOCsQs2H2YKQ2vMxUeZwUs68ItFvFiWJBFDcf74Z8gnA
+tYCHdEMTww6yBzHImKqtddQKsTsPnE7UnckIgkYezGBrRPL/PKGk6EOmDEOamtEw
+eoMTdeBDj7ISRiBQWoRNyOjXwDiBuCmrpCA1hXV72m2QJTVeYnMkqRHZsifUqtjg
+qyf7rYfxS6YwJ3yn6KQQJ1uuMMG8s7LikfcmlL5yanLkRM9T3Bud+C44AL09Tqj8
+xLhR0K7yk88QqLypNGqtMT5WlLP1jocCpeb2sru8ivTdhUfjRdPXQAf/6FR1+/za
+mJsne3jTKnVfJIeRZz1Dfr14bDQZ3V93QQ0I4ANdMHzQjajlvfE=
+=csw8
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-21:19/libcasper.11.patch b/website/static/security/patches/EN-21:19/libcasper.11.patch
new file mode 100644
index 0000000000..7b84afb7ec
--- /dev/null
+++ b/website/static/security/patches/EN-21:19/libcasper.11.patch
@@ -0,0 +1,165 @@
+--- lib/libcasper/libcasper/libcasper_impl.c.orig
++++ lib/libcasper/libcasper/libcasper_impl.c
+@@ -30,9 +30,12 @@
+ * $FreeBSD$
+ */
+
++#include
+ #include
+ #include
++#include
+ #include
++#include
+
+ #include "libcasper_impl.h"
+
+@@ -42,3 +45,28 @@
+
+ return (fcntl(fd, F_GETFL) != -1 || errno != EBADF);
+ }
++
++void
++fd_fix_environment(int *fdp)
++{
++ int nullfd, nfd;
++
++ if (*fdp > STDERR_FILENO)
++ return;
++
++ nullfd = open(_PATH_DEVNULL, O_RDWR);
++ if (nullfd == -1)
++ errx(1, "Unable to open %s", _PATH_DEVNULL);
++
++ while (*fdp <= STDERR_FILENO) {
++ nfd = dup(*fdp);
++ if (nfd == -1)
++ errx(1, "Unable to secure fd");
++ if (dup2(nullfd, *fdp) == -1)
++ errx(1, "Unable to secure fd");
++ *fdp = nfd;
++ }
++
++ close(nullfd);
++}
++
+--- lib/libcasper/libcasper/libcasper_impl.h.orig
++++ lib/libcasper/libcasper/libcasper_impl.h
+@@ -42,6 +42,7 @@
+ struct service_connection;
+
+ bool fd_is_valid(int fd);
++void fd_fix_environment(int *fdp);
+
+ /* Private service functions. */
+ struct service *service_alloc(const char *name,
+--- lib/libcasper/libcasper/service.c.orig
++++ lib/libcasper/libcasper/service.c
+@@ -365,24 +365,27 @@
+ }
+
+ static void
+-service_clean(int sock, int procfd, uint64_t flags)
++service_clean(int *sockp, int *procfdp, uint64_t flags)
+ {
+ int fd, maxfd, minfd;
+
+- assert(sock > STDERR_FILENO);
+- assert(procfd > STDERR_FILENO);
+- assert(sock != procfd);
++ fd_fix_environment(sockp);
++ fd_fix_environment(procfdp);
++
++ assert(*sockp > STDERR_FILENO);
++ assert(*procfdp > STDERR_FILENO);
++ assert(*sockp != *procfdp);
+
+ if ((flags & CASPER_SERVICE_STDIO) == 0)
+ stdnull();
+
+ if ((flags & CASPER_SERVICE_FD) == 0) {
+- if (procfd > sock) {
+- maxfd = procfd;
+- minfd = sock;
++ if (*procfdp > *sockp) {
++ maxfd = *procfdp;
++ minfd = *sockp;
+ } else {
+- maxfd = sock;
+- minfd = procfd;
++ maxfd = *sockp;
++ minfd = *procfdp;
+ }
+
+ for (fd = STDERR_FILENO + 1; fd < maxfd; fd++) {
+@@ -403,7 +406,7 @@
+ assert(service != NULL);
+ assert(service->s_magic == SERVICE_MAGIC);
+ setproctitle("%s", service->s_name);
+- service_clean(sock, procfd, service->s_flags);
++ service_clean(&sock, &procfd, service->s_flags);
+
+ if (service_connection_add(service, sock, NULL) == NULL)
+ exit(1);
+--- lib/libcasper/libcasper/zygote.c.orig
++++ lib/libcasper/libcasper/zygote.c
+@@ -45,6 +45,7 @@
+ #include
+ #include
+
++#include "libcasper_impl.h"
+ #include "zygote.h"
+
+ /* Zygote info. */
+@@ -88,7 +89,7 @@
+ * between sandbox and its owner.
+ */
+ static void
+-zygote_main(int sock)
++zygote_main(int *sockp)
+ {
+ int error, procfd;
+ int chanfd[2];
+@@ -96,12 +97,14 @@
+ zygote_func_t *func;
+ pid_t pid;
+
+- assert(sock > STDERR_FILENO);
++ fd_fix_environment(sockp);
++
++ assert(*sockp > STDERR_FILENO);
+
+ setproctitle("zygote");
+
+ for (;;) {
+- nvlin = nvlist_recv(sock, 0);
++ nvlin = nvlist_recv(*sockp, 0);
+ if (nvlin == NULL) {
+ if (errno == ENOTCONN) {
+ /* Casper exited. */
+@@ -133,7 +136,7 @@
+ break;
+ case 0:
+ /* Child. */
+- close(sock);
++ close(*sockp);
+ close(chanfd[0]);
+ func(chanfd[1]);
+ /* NOTREACHED */
+@@ -155,7 +158,7 @@
+ nvlist_move_descriptor(nvlout, "chanfd", chanfd[0]);
+ nvlist_move_descriptor(nvlout, "procfd", procfd);
+ }
+- (void)nvlist_send(sock, nvlout);
++ (void)nvlist_send(*sockp, nvlout);
+ nvlist_destroy(nvlout);
+ }
+ /* NOTREACHED */
+@@ -182,7 +185,7 @@
+ case 0:
+ /* Child. */
+ close(sp[0]);
+- zygote_main(sp[1]);
++ zygote_main(&sp[1]);
+ /* NOTREACHED */
+ abort();
+ default:
diff --git a/website/static/security/patches/EN-21:19/libcasper.11.patch.asc b/website/static/security/patches/EN-21:19/libcasper.11.patch.asc
new file mode 100644
index 0000000000..c245424a31
--- /dev/null
+++ b/website/static/security/patches/EN-21:19/libcasper.11.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmDcD0UACgkQ05eS9J6n
+5cKGmg//csL7mXyab+RajpC5Odd74rzTVmBjkgKBqR08UFzoV37e0Ymek6Jps0y6
+BJ7EX9DY1jA3CeBFnZWoC9kiKI5u/v1WvcumORxOOYo/cNoR2UAva/XYP1xSZk8x
+REmkQACd6wHSMkytQwa5IhWUIVy3jOMVkiA023lyHUI2CJi4UveMvAZDxfQ1U62H
+f2fWFc0YH9KIUBWMNyJhQjzV2IMOcBqdOcoA7mCPZIsbRuTEbtYLDz6b3IwyGvZa
+is+ntGGrmjPhcFaHKiKGpT9+3IRExRGuptnNFB82KovPM27QbzU0P3RyFXTge73+
+DiGzJhi0P7uIWPIL+1v0f7/FIgMOEqwJw48bwuUVCknM8MnK16evroIa8pVFtxQX
+aK6jTGuO4YHZaaBaeTuOQGQC4WK6Y60avDSg2uJB4jkEyDPwpSYo3nMkSqozjAxO
+aqpX4yU/b7aNZrBAeAVe/lKy+TzOTGdaFww5Zc6Pa78P8/cez0hqqFN+lkE86TXW
+27V4keI1Z/g74z1BtG0fQKUq0wBdZdeCBm1YjBr1iLbX4yRA42XTGuMw9ppJZESY
++mcNjuhGVDQsbVRzNWKijfD85YkbEQMEPLGuvaUhP73PNMvQJWAhA3gOf5akHCi5
+STXHAxl5zC5fZMGVHK/RNrvrPgXcY6EagfZ+WgGab/ZFsFOS8Yc=
+=Dr35
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-21:19/libcasper.12.patch b/website/static/security/patches/EN-21:19/libcasper.12.patch
new file mode 100644
index 0000000000..711afd3e7f
--- /dev/null
+++ b/website/static/security/patches/EN-21:19/libcasper.12.patch
@@ -0,0 +1,181 @@
+ libcasper: fix descriptors numbers
+
+ Casper services expect that the first 3 descriptors (stdin/stdout/stderr)
+ will point to /dev/null. Which Casper will ensure later. The Casper
+ services are forked from the original process. If the initial process
+ closes one of those descriptors, Casper may reuse one of them for it on
+ purpose. If this is the case, then renumarate the descriptors used by
+ Casper to higher numbers. This is done already after the fork, so it
+ doesn't break the parent process.
+
+ Approved by: so
+ Security: EN-21:12.libcasper
+ PR: 255339
+ Reported by: Borja Marcos
+ Tested by: jkim@
+
+ (cherry picked from commit aa310ebfba3d49a0b6b03a103b969731a8136a73)
+ (cherry picked from commit 4e2ae05c3ae8c470829b4c3a78aa8c34a7f0b617)
+--- lib/libcasper/libcasper/libcasper_impl.c.orig
++++ lib/libcasper/libcasper/libcasper_impl.c
+@@ -32,8 +32,10 @@
+ * $FreeBSD$
+ */
+
++#include
+ #include
+ #include
++#include
+ #include
+
+ #include "libcasper_impl.h"
+@@ -44,3 +46,28 @@
+
+ return (fcntl(fd, F_GETFL) != -1 || errno != EBADF);
+ }
++
++void
++fd_fix_environment(int *fdp)
++{
++ int nullfd, nfd;
++
++ if (*fdp > STDERR_FILENO)
++ return;
++
++ nullfd = open(_PATH_DEVNULL, O_RDWR);
++ if (nullfd == -1)
++ errx(1, "Unable to open %s", _PATH_DEVNULL);
++
++ while (*fdp <= STDERR_FILENO) {
++ nfd = dup(*fdp);
++ if (nfd == -1)
++ errx(1, "Unable to secure fd");
++ if (dup2(nullfd, *fdp) == -1)
++ errx(1, "Unable to secure fd");
++ *fdp = nfd;
++ }
++
++ close(nullfd);
++}
++
+--- lib/libcasper/libcasper/libcasper_impl.h.orig
++++ lib/libcasper/libcasper/libcasper_impl.h
+@@ -44,6 +44,7 @@
+ struct service_connection;
+
+ bool fd_is_valid(int fd);
++void fd_fix_environment(int *fdp);
+
+ /* Private service functions. */
+ struct service *service_alloc(const char *name,
+--- lib/libcasper/libcasper/service.c.orig
++++ lib/libcasper/libcasper/service.c
+@@ -386,24 +386,27 @@
+ }
+
+ static void
+-service_clean(int sock, int procfd, uint64_t flags)
++service_clean(int *sockp, int *procfdp, uint64_t flags)
+ {
+ int fd, maxfd, minfd;
+
+- assert(sock > STDERR_FILENO);
+- assert(procfd > STDERR_FILENO);
+- assert(sock != procfd);
++ fd_fix_environment(sockp);
++ fd_fix_environment(procfdp);
++
++ assert(*sockp > STDERR_FILENO);
++ assert(*procfdp > STDERR_FILENO);
++ assert(*sockp != *procfdp);
+
+ if ((flags & CASPER_SERVICE_STDIO) == 0)
+ stdnull();
+
+ if ((flags & CASPER_SERVICE_FD) == 0) {
+- if (procfd > sock) {
+- maxfd = procfd;
+- minfd = sock;
++ if (*procfdp > *sockp) {
++ maxfd = *procfdp;
++ minfd = *sockp;
+ } else {
+- maxfd = sock;
+- minfd = procfd;
++ maxfd = *sockp;
++ minfd = *procfdp;
+ }
+
+ for (fd = STDERR_FILENO + 1; fd < maxfd; fd++) {
+@@ -424,7 +427,7 @@
+ assert(service != NULL);
+ assert(service->s_magic == SERVICE_MAGIC);
+ setproctitle("%s", service->s_name);
+- service_clean(sock, procfd, service->s_flags);
++ service_clean(&sock, &procfd, service->s_flags);
+
+ if (service_connection_add(service, sock, NULL) == NULL)
+ _exit(1);
+--- lib/libcasper/libcasper/zygote.c.orig
++++ lib/libcasper/libcasper/zygote.c
+@@ -52,6 +52,7 @@
+ #include
+ #include
+
++#include "libcasper_impl.h"
+ #include "zygote.h"
+
+ /* Zygote info. */
+@@ -104,7 +105,7 @@
+ * between sandbox and its owner.
+ */
+ static void
+-zygote_main(int sock)
++zygote_main(int *sockp)
+ {
+ int error, procfd;
+ int chanfd[2];
+@@ -113,12 +114,14 @@
+ zygote_func_t *func;
+ pid_t pid;
+
+- assert(sock > STDERR_FILENO);
++ fd_fix_environment(sockp);
++
++ assert(*sockp > STDERR_FILENO);
+
+ setproctitle("zygote");
+
+ for (;;) {
+- nvlin = nvlist_recv(sock, 0);
++ nvlin = nvlist_recv(*sockp, 0);
+ if (nvlin == NULL) {
+ if (errno == ENOTCONN) {
+ /* Casper exited. */
+@@ -157,7 +160,7 @@
+ break;
+ case 0:
+ /* Child. */
+- close(sock);
++ close(*sockp);
+ close(chanfd[0]);
+ func(chanfd[1]);
+ /* NOTREACHED */
+@@ -179,7 +182,7 @@
+ nvlist_move_descriptor(nvlout, "chanfd", chanfd[0]);
+ nvlist_move_descriptor(nvlout, "procfd", procfd);
+ }
+- (void)nvlist_send(sock, nvlout);
++ (void)nvlist_send(*sockp, nvlout);
+ nvlist_destroy(nvlout);
+ }
+ /* NOTREACHED */
+@@ -206,7 +209,7 @@
+ case 0:
+ /* Child. */
+ close(sp[0]);
+- zygote_main(sp[1]);
++ zygote_main(&sp[1]);
+ /* NOTREACHED */
+ abort();
+ default:
diff --git a/website/static/security/patches/EN-21:19/libcasper.12.patch.asc b/website/static/security/patches/EN-21:19/libcasper.12.patch.asc
new file mode 100644
index 0000000000..b5eaf61973
--- /dev/null
+++ b/website/static/security/patches/EN-21:19/libcasper.12.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmDcD0UACgkQ05eS9J6n
+5cK6Lg/8DkrPQTPupkdEhiQZLo4V9MVUpvzD8PuZmcQrKODlJodqFQSG1a6aXrIo
+GqZNKjdhcbhn2YtGiSyS4yeeEevzD4Dp9C6IjNIp0A7C+lXAavksBdExWjIB1czB
+J6btjd0tki0+vHmztlUmfZjfkQ7JIMfR7BIiYNormpRv1fG61k7AmB7vg9lXygiJ
+tNk/hPK+3AD9GF4HHGNgvSoHcW0Q1KL4ChvUf+PafpronbOiiezQvIySYHdT7UYx
+AcWiNdRhZMVTdoRq/sFgYT1uXbHRiMi1zMQYDprEOAXWa8PIEnWcsVBGM9jSO4Ks
+pjN6Ex4/UJyaQBXWXEFJC41Cm1R6EfyppsCVoPfQGE8t1npo0QNfCnvinRipkm5V
+vkDjQgaloH05Dfl7UCA0yyPRt5tiphpmXaGSN8NYTELKGR8a67aBnPiY3AM7Mgg5
+o+kHKBqCtPtWZYDuMj73at0ULvO49gJa8W7lprg0ep0rH+vkW7bk6okBNGFC9cpG
+lilC1/vV3tZCpQhhHuk8xjCbY6ZEgzvuGTVc9bSJwuxI9HeCX2wc+CJrmWQk9Jtj
+0VOIQEHyWHn5ccAStGtEKinO7OhHA5/0aUWUIyQJADDbrDV1c9TMMoFwjaZp4swY
+XyQBpNIq8ZHA8bfduuiofUXnQW4KUriWvqbmop8N06xpshgXJZM=
+=Wx54
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-21:19/libcasper.13.patch b/website/static/security/patches/EN-21:19/libcasper.13.patch
new file mode 100644
index 0000000000..1457a06ae5
--- /dev/null
+++ b/website/static/security/patches/EN-21:19/libcasper.13.patch
@@ -0,0 +1,176 @@
+ libcasper: fix descriptors numbers
+
+ Casper services expect that the first 3 descriptors (stdin/stdout/stderr)
+ will point to /dev/null. Which Casper will ensure later. The Casper
+ services are forked from the original process. If the initial process
+ closes one of those descriptors, Casper may reuse one of them for it on
+ purpose. If this is the case, then renumarate the descriptors used by
+ Casper to higher numbers. This is done already after the fork, so it
+ doesn't break the parent process.
+
+ PR: 225343
+ Reported by: Borja Marcos
+ Tested by: jkim@
+--- lib/libcasper/libcasper/libcasper_impl.c.orig
++++ lib/libcasper/libcasper/libcasper_impl.c
+@@ -32,8 +32,10 @@
+ * $FreeBSD$
+ */
+
++#include
+ #include
+ #include
++#include
+ #include
+
+ #include "libcasper_impl.h"
+@@ -44,3 +46,28 @@
+
+ return (fcntl(fd, F_GETFL) != -1 || errno != EBADF);
+ }
++
++void
++fd_fix_environment(int *fdp)
++{
++ int nullfd, nfd;
++
++ if (*fdp > STDERR_FILENO)
++ return;
++
++ nullfd = open(_PATH_DEVNULL, O_RDWR);
++ if (nullfd == -1)
++ errx(1, "Unable to open %s", _PATH_DEVNULL);
++
++ while (*fdp <= STDERR_FILENO) {
++ nfd = dup(*fdp);
++ if (nfd == -1)
++ errx(1, "Unable to secure fd");
++ if (dup2(nullfd, *fdp) == -1)
++ errx(1, "Unable to secure fd");
++ *fdp = nfd;
++ }
++
++ close(nullfd);
++}
++
+--- lib/libcasper/libcasper/libcasper_impl.h.orig
++++ lib/libcasper/libcasper/libcasper_impl.h
+@@ -44,6 +44,7 @@
+ struct service_connection;
+
+ bool fd_is_valid(int fd);
++void fd_fix_environment(int *fdp);
+
+ /* Private service functions. */
+ struct service *service_alloc(const char *name,
+--- lib/libcasper/libcasper/service.c.orig
++++ lib/libcasper/libcasper/service.c
+@@ -386,24 +386,27 @@
+ }
+
+ static void
+-service_clean(int sock, int procfd, uint64_t flags)
++service_clean(int *sockp, int *procfdp, uint64_t flags)
+ {
+ int fd, maxfd, minfd;
+
+- assert(sock > STDERR_FILENO);
+- assert(procfd > STDERR_FILENO);
+- assert(sock != procfd);
++ fd_fix_environment(sockp);
++ fd_fix_environment(procfdp);
++
++ assert(*sockp > STDERR_FILENO);
++ assert(*procfdp > STDERR_FILENO);
++ assert(*sockp != *procfdp);
+
+ if ((flags & CASPER_SERVICE_STDIO) == 0)
+ stdnull();
+
+ if ((flags & CASPER_SERVICE_FD) == 0) {
+- if (procfd > sock) {
+- maxfd = procfd;
+- minfd = sock;
++ if (*procfdp > *sockp) {
++ maxfd = *procfdp;
++ minfd = *sockp;
+ } else {
+- maxfd = sock;
+- minfd = procfd;
++ maxfd = *sockp;
++ minfd = *procfdp;
+ }
+
+ for (fd = STDERR_FILENO + 1; fd < maxfd; fd++) {
+@@ -424,7 +427,7 @@
+ assert(service != NULL);
+ assert(service->s_magic == SERVICE_MAGIC);
+ setproctitle("%s", service->s_name);
+- service_clean(sock, procfd, service->s_flags);
++ service_clean(&sock, &procfd, service->s_flags);
+
+ if (service_connection_add(service, sock, NULL) == NULL)
+ _exit(1);
+--- lib/libcasper/libcasper/zygote.c.orig
++++ lib/libcasper/libcasper/zygote.c
+@@ -52,6 +52,7 @@
+ #include
+ #include
+
++#include "libcasper_impl.h"
+ #include "zygote.h"
+
+ /* Zygote info. */
+@@ -104,7 +105,7 @@
+ * between sandbox and its owner.
+ */
+ static void
+-zygote_main(int sock)
++zygote_main(int *sockp)
+ {
+ int error, procfd;
+ int chanfd[2];
+@@ -113,12 +114,14 @@
+ zygote_func_t *func;
+ pid_t pid;
+
+- assert(sock > STDERR_FILENO);
++ fd_fix_environment(sockp);
++
++ assert(*sockp > STDERR_FILENO);
+
+ setproctitle("zygote");
+
+ for (;;) {
+- nvlin = nvlist_recv(sock, 0);
++ nvlin = nvlist_recv(*sockp, 0);
+ if (nvlin == NULL) {
+ if (errno == ENOTCONN) {
+ /* Casper exited. */
+@@ -157,7 +160,7 @@
+ break;
+ case 0:
+ /* Child. */
+- close(sock);
++ close(*sockp);
+ close(chanfd[0]);
+ func(chanfd[1]);
+ /* NOTREACHED */
+@@ -179,7 +182,7 @@
+ nvlist_move_descriptor(nvlout, "chanfd", chanfd[0]);
+ nvlist_move_descriptor(nvlout, "procfd", procfd);
+ }
+- (void)nvlist_send(sock, nvlout);
++ (void)nvlist_send(*sockp, nvlout);
+ nvlist_destroy(nvlout);
+ }
+ /* NOTREACHED */
+@@ -206,7 +209,7 @@
+ case 0:
+ /* Child. */
+ close(sp[0]);
+- zygote_main(sp[1]);
++ zygote_main(&sp[1]);
+ /* NOTREACHED */
+ abort();
+ default:
diff --git a/website/static/security/patches/EN-21:19/libcasper.13.patch.asc b/website/static/security/patches/EN-21:19/libcasper.13.patch.asc
new file mode 100644
index 0000000000..da4108855a
--- /dev/null
+++ b/website/static/security/patches/EN-21:19/libcasper.13.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmDcD0UACgkQ05eS9J6n
+5cICyg//Ti1feoto9nzN0AwncmGvysSh399KnloOozqytbuCzP9NR0bKNUPqT2rS
+FdS42LwvmWyrtMWRRX5uQkNPt4aJz+oZ9FAbH03BJif6ViyTtQYFPszcPxySqyQC
+LrMyuMhtp9S+237KAM6vhbjSPgJedqTca9w57UN/YsYlXza6tPxvZ21s/JFQHF7n
+y3C23th5K6/LNPPB20HKPM0LwV7QjYYwASM6QEVmtg5pchCrIwSW1Sxzdgd6Zljg
+zk0nIcTg5MPNXXihnHcI6e6sl8cyZE3XkqzbiMYOoTulvjJt4MSv4OEpJYB+vLZD
+O61dgsKn4cX8uis/XNyusFuvCmd90IfU9aR2Vu+TSQsWeif6JEYyET/kwE/HeRGF
+UedkIqskBaNMC8bBkm1Z3BwpT4CkIl4OhsRv8/MyUwMUIzLuYOrUCP5jn+SI3MMS
+1kS/sUb82kNt//lBXovLuwocwcLSRjs/beTM1V6LvhedWEvJxq2wDr187XJ83tuW
+XJkFvYjDBLxHgU1VouM7YrNQ9XRUTIQ0Lc6U4Z57vh4JpkdfiDVRCCrEUg8kRr+K
+Bsl9pe1N9weJ/3egEjSY+0axo5JvO8SfHkY0cUsSOzq4IY+bWKJT2MIHXXkWBgk6
+PXgc/H0H0G6YuhDDqFrvd5j+nJ/dQUP9sEJfWQqI3XN0zUYi33w=
+=Od25
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-21:20/vlan.patch b/website/static/security/patches/EN-21:20/vlan.patch
new file mode 100644
index 0000000000..559b571a78
--- /dev/null
+++ b/website/static/security/patches/EN-21:20/vlan.patch
@@ -0,0 +1,30 @@
+ Fix vlan creation for the older ifconfig(8) binaries.
+
+ Reported by: allanjude
+ MFC after: immediately
+
+ (cherry picked from commit afbb64f1d85b7d8c2938031c3567946b5d10da4f)
+--- sys/net/if_vlan.c.orig
++++ sys/net/if_vlan.c
+@@ -1012,6 +1012,10 @@
+ vid = vlr.vlr_tag;
+ proto = vlr.vlr_proto;
+
++#ifdef COMPAT_FREEBSD12
++ if (proto == 0)
++ proto = ETHERTYPE_VLAN;
++#endif
+ p = ifunit_ref(vlr.vlr_parent);
+ if (p == NULL)
+ return (ENXIO);
+@@ -1942,6 +1946,10 @@
+ error = ENOENT;
+ break;
+ }
++#ifdef COMPAT_FREEBSD12
++ if (vlr.vlr_proto == 0)
++ vlr.vlr_proto = ETHERTYPE_VLAN;
++#endif
+ oldmtu = ifp->if_mtu;
+ error = vlan_config(ifv, p, vlr.vlr_tag, vlr.vlr_proto);
+ if_rele(p);
diff --git a/website/static/security/patches/EN-21:20/vlan.patch.asc b/website/static/security/patches/EN-21:20/vlan.patch.asc
new file mode 100644
index 0000000000..28de6a5d89
--- /dev/null
+++ b/website/static/security/patches/EN-21:20/vlan.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmDcD0UACgkQ05eS9J6n
+5cLNrw/8CtapQdVlxJDh0KU8YBXHlF+qPOQ8Ps+Rxi+uNXAmbGswKUYugMpG0LS+
+K/aKFX5UaghlSLXRh9d7QhxG9Xlf1LQLyh0g5GwovORnFIH2r/21YvhsmoAvzKn0
+4Zyg2rDXcdEp1/6XOPiBJ3yw5z/li7vjaAk97y2fAGe27rSQPQgMiuW9EQ6YzGnf
+0bP3ooYzEixkEuqgnfHcWlikDl6pEYUIUSy9pRVQhfGkOi/uWUKaP/pBXn+/lklY
+l4bKroUvWSnD9g00K76f9gMm+Dj3ozktN8vS5O/AbKe3xJ3/uvz4+ydc/+Dj0/Qb
+vd8pBNAzRoAfYXNIO6KzYkdqATch2QmF6qg10yx5PgHlztiMXCoLqlkO8VL1EJCv
+XEOPgXylhKzwvQC/nUypHzogfSHDkV/6n6zAHtY+ZmrFiGnmLPei7unev9pIQ9YN
+Xs6ztF/+VRkg6BZc4lRf6p2yEfFDHb8m2bZYUQQ9P5yK5RwYdofXrsTzdiV0J41t
+/jPKSxhvJFKLxgIutoQkboQGM/9DftTKMD5A/h+KD2wc9U811F/HeybbMxXkCmHP
+rb/r/nLj77jb8/LOc/+HgWE5Ehp9VK74vPDaPOhxYXKvlquMs2T4fkCvfQoo3e2y
+ML+SlK3kEluP28X8z0bY1THyCY33dnS8MwU7ctmMERehnNedoEg=
+=bHO3
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-21:21/ipfw.patch b/website/static/security/patches/EN-21:21/ipfw.patch
new file mode 100644
index 0000000000..4b292a9311
--- /dev/null
+++ b/website/static/security/patches/EN-21:21/ipfw.patch
@@ -0,0 +1,27 @@
+ ipfw: Update the pfil mbuf pointer in ipfw_check_frame()
+
+ ipfw_chk() might call m_pullup() and thus can change the mbuf chain
+ head. In this case, the new chain head has to be returned to the pfil
+ hook caller, otherwise the pfil hook caller is left with a dangling
+ pointer.
+
+ Note that this affects only the link-layer hooks installed when the
+ net.link.ether.ipfw sysctl is set to 1.
+
+ PR: 256439, 254015, 255069, 255104
+ Fixes: f355cb3e6
+ Reviewed by: ae
+ MFC after: 3 days
+ Sponsored by: The FreeBSD Foundation
+ Differential Revision: https://reviews.freebsd.org/D30764
+--- sys/netpfil/ipfw/ip_fw_pfil.c.orig
++++ sys/netpfil/ipfw/ip_fw_pfil.c
+@@ -371,6 +371,8 @@
+ }
+
+ ipfw = ipfw_chk(&args);
++ if (!mem)
++ *p.m = args.m;
+
+ ret = PFIL_PASS;
+ switch (ipfw) {
diff --git a/website/static/security/patches/EN-21:21/ipfw.patch.asc b/website/static/security/patches/EN-21:21/ipfw.patch.asc
new file mode 100644
index 0000000000..dd5139fc9c
--- /dev/null
+++ b/website/static/security/patches/EN-21:21/ipfw.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmDcD0YACgkQ05eS9J6n
+5cKfTxAAqxb4m2lbUVSCA1sT+Nv2EgDGkTNx6nQA1pmUkTHw5Md8+iylmsTuEa10
+fltVb95QI/qZVVVpGE44+BEI27l5JRpzxHtZSf1TMgRQxKhpwMYNqUbJ6aoYPgbu
+v4ZsHn414a0gEdAebxm+AjLLzw3/9au71TA3MS9GOfjn90gqjJgr4uYOPpuO+3ti
+M8aj+XpuIxRPnFwViUy3D3Vy3GbU4o5rN9FNc3N9O7vvTGBjLj/D7izV8yFPjqId
+3EjDXvzmHLmOeo+O78IWArHvcVI9yHSzykdz9b0jGLw7PeVSZYFRisjgwB6JoJuP
+GropEqoXySJD+IVBfIcZD3kYazENFkQvJ7biVrKoQVrKN9G39oan+zAEGSqJsHIW
+5ejZoNG2jHnlJfh3Q77mUkI0aC3jrwFyMcRGxVICku/tlORbr9Lb8aWUlZnVw3y5
+OiAx7XEsSXMwlt0ck+WBuO88AKuEhnuspH9zF8sJiPQfVoXzrYKAmrRkM+xOp+R3
+KWaH0FCn0aiFH0sPL8L3tk1a0KV9in0iY9mfSo2hMSwyVolfjwf71r9y9qjwBupZ
+RhHCxkwxWrvKV1uaurnpFp612qmlcl3pjNWGqfY6QV9PGCVKNW7Rv52xylNbkosv
+0USMZM6t3zCopiiVZoAvjMMv3+fwQls4qOUMzPoj/O/nbZrEfPQ=
+=5rvI
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-21:22/linux_futex.patch b/website/static/security/patches/EN-21:22/linux_futex.patch
new file mode 100644
index 0000000000..2136959ca2
--- /dev/null
+++ b/website/static/security/patches/EN-21:22/linux_futex.patch
@@ -0,0 +1,69 @@
+--- sys/compat/linux/linux_futex.c.orig
++++ sys/compat/linux/linux_futex.c
+@@ -587,18 +587,19 @@
+ }
+
+ static int
+-futex_requeue(struct futex *f, int n, struct futex *f2, int n2)
++futex_requeue(struct futex *f, int nrwake, struct futex *f2,
++ int nrrequeue)
+ {
+ struct waiting_proc *wp, *wpt;
+ int count = 0;
+
+- LIN_SDT_PROBE4(futex, futex_requeue, entry, f, n, f2, n2);
++ LIN_SDT_PROBE4(futex, futex_requeue, entry, f, nrwake, f2, nrrequeue);
+
+ FUTEX_ASSERT_LOCKED(f);
+ FUTEX_ASSERT_LOCKED(f2);
+
+ TAILQ_FOREACH_SAFE(wp, &f->f_waiting_proc, wp_list, wpt) {
+- if (++count <= n) {
++ if (++count <= nrwake) {
+ LINUX_CTR2(sys_futex, "futex_req_wake uaddr %p wp %p",
+ f->f_uaddr, wp);
+ wp->wp_flags |= FUTEX_WP_REMOVED;
+@@ -624,7 +625,7 @@
+ FUTEXES_LOCK;
+ ++f2->f_refcount;
+ FUTEXES_UNLOCK;
+- if (count - n >= n2)
++ if (count - nrwake >= nrrequeue)
+ break;
+ }
+ }
+@@ -736,7 +737,7 @@
+ int
+ linux_sys_futex(struct thread *td, struct linux_sys_futex_args *args)
+ {
+- int clockrt, nrwake, op_ret, ret;
++ int clockrt, nrwake, nrrequeue, op_ret, ret;
+ struct linux_pemuldata *pem;
+ struct waiting_proc *wp;
+ struct futex *f, *f2;
+@@ -880,6 +881,15 @@
+ return (EINVAL);
+ }
+
++ nrrequeue = (int)(unsigned long)args->timeout;
++ nrwake = args->val;
++ /*
++ * Sanity check to prevent signed integer overflow,
++ * see Linux CVE-2018-6927
++ */
++ if (nrwake < 0 || nrrequeue < 0)
++ return (EINVAL);
++
+ retry1:
+ error = futex_get(args->uaddr, NULL, &f, flags | FUTEX_DONTLOCK);
+ if (error) {
+@@ -930,8 +940,7 @@
+ return (EAGAIN);
+ }
+
+- nrwake = (int)(unsigned long)args->timeout;
+- td->td_retval[0] = futex_requeue(f, args->val, f2, nrwake);
++ td->td_retval[0] = futex_requeue(f, nrwake, f2, nrrequeue);
+ futex_put(f2, NULL);
+ futex_put(f, NULL);
+ break;
diff --git a/website/static/security/patches/EN-21:22/linux_futex.patch.asc b/website/static/security/patches/EN-21:22/linux_futex.patch.asc
new file mode 100644
index 0000000000..41d3be2b42
--- /dev/null
+++ b/website/static/security/patches/EN-21:22/linux_futex.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmDcD0YACgkQ05eS9J6n
+5cKl3A/9EhFS/AnBnyIaXc6lv+iCJ7TXzeZ5OOIWO3vJW8u7dkyqwl2Ha/smJn5S
+J6GmgQZ0g+/An5QruIyFscsGtO8IKxjAYrTbK6CFyCY+eFlj0kgooZ6fCXcwXz3D
+aDxNcIam5eFsXwo2k+nhdsIp6Knj3ivpW/5ouEOrItZDb7IRoW3TLaKL+qY/6vGU
+Ecp0xmy9d72Lxm0vg6mxbQ9epC7xhSuNfZIudhU+mWtWViWpYv5KhQG3uFr/u1zO
+wwWL07gvJ+kWEar7YX9dvgZREmCCU2IG+5tgl+FxSbZdDQeVaM+CUf9xX65zDIip
+1QFsLP2ve55t9+eD1sPsmjfgB7lpKZdEYdX5d7hZi395B89ayerk1HGjzQBFmSeJ
+GB2ZaPD1Jk7AdqAvQvqyQi5apbWsv9cgcfxXQF8s+6EmLx6nbbS/c4UKh3Nmtia/
+FVjbrdc1HotlY6w1JaXpP80onNT+RYZ/XFNZHqbs6HaB6z9GbC8zbcxgfKj6ECgB
+LmO2jdXJaAzCStA5HkTLbxxADoDrftCYH7S9SvkPePf9wTgkLOrMgFmN4EJIJnyD
+CXm+r9Tj/yf43HQT5GzlRQPx6WNJQUt4tHDyDDAAsl7Dh5dhT2ocCLJlNEeE9Khp
+T//17Cu0fCHIClZaRY/pSGNq6vGUjIPOLAeKlTGNLbuZbN66MAM=
+=aURx
+-----END PGP SIGNATURE-----