diff --git a/website/static/security/advisories/FreeBSD-EN-24:15.calendar.asc b/website/static/security/advisories/FreeBSD-EN-24:15.calendar.asc
new file mode 100644
index 0000000000..2b4ff86788
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-24:15.calendar.asc
@@ -0,0 +1,137 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-24:15.calendar Errata Notice
+ The FreeBSD Project
+
+Topic: cron(8) / periodic(8) session login
+
+Category: core
+Module: periodic
+Announced: 2024-09-04
+Affects: All supported versions of FreeBSD.
+Corrected: 2024-08-08 20:07:04 UTC (stable/14, 14.1-STABLE)
+ 2024-09-04 21:34:23 UTC (releng/14.1, 14.1-RELEASE-p4)
+ 2024-09-04 20:54:10 UTC (releng/14.0, 14.0-RELEASE-p10)
+ 2024-08-08 20:07:07 UTC (stable/13, 13.4-STABLE)
+ 2024-08-14 03:37:16 UTC (releng/13.4, 13.4-BETA3)
+ 2024-09-04 20:29:38 UTC (releng/13.3, 13.3-RELEASE-p6)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+periodic(8) is run via cron(8) as root to perform periodic system functions to
+be executed on a daily, weekly, or monthly basis.
+
+II. Problem Description
+
+periodic(8) jobs are typically run in a context as the `root` user, but an
+erratum in calendar(1) may clobber the login session of both cron(8) and
+periodic(8) to a non-`root` user if the daily calendar job is enabled with
+`daily_calendar_enable=YES`.
+
+III. Impact
+
+Mail sent after calendar(1) has run in the daily periodic run will have a
+non-root sender on the envelope. This includes security jobs as well as other
+cron jobs that may be run after the daily job has concluded.
+
+IV. Workaround
+
+No workaround is available. Systems that have not explicitly enabled the daily
+calendar job are not affected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-24:15/calendar.patch
+# fetch https://security.FreeBSD.org/patches/EN-24:15/calendar.patch.asc
+# gpg --verify calendar.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+
+Restart the applicable daemons, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 33708452aaab stable/14-n268432
+releng/14.1/ 86d01789bf41 releng/14.1-n267709
+releng/14.0/ d94dbaa516e0 releng/14.0-n265431
+stable/13/ 3a9010c98b3d stable/13-n258228
+releng/13.4/ 7088bf662d46 releng/13.4-n258220
+releng/13.3/ eab94c0fbb78 releng/13.3-n257447
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+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+=Z1hr
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-24:09.libnv.asc b/website/static/security/advisories/FreeBSD-SA-24:09.libnv.asc
new file mode 100644
index 0000000000..8fa9aa9e43
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:09.libnv.asc
@@ -0,0 +1,158 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:09.libnv Security Advisory
+ The FreeBSD Project
+
+Topic: Multiple vulnerabilities in libnv
+
+Category: core
+Module: libnv
+Announced: 2024-09-04
+Credits: Taylor R Campbell (NetBSD, CVE-2024-45287)
+ Synacktiv (CVE-2024-45287, CVE-2024-45288)
+Sponsored by: The FreeBSD Foundation, The Alpha-Omega Project
+Affects: All supported versions of FreeBSD.
+Corrected: 2024-09-04 12:24:56 UTC (stable/14, 14.1-STABLE)
+ 2024-09-04 21:07:27 UTC (releng/14.1, 14.1-RELEASE-p4)
+ 2024-09-04 20:54:12 UTC (releng/14.0, 14.0-RELEASE-p10)
+ 2024-09-04 12:24:12 UTC (stable/13, 13.4-STABLE)
+ 2024-09-04 19:13:10 UTC (releng/13.4, 13.4-RC2-p1)
+ 2024-09-04 20:29:40 UTC (releng/13.3, 13.3-RELEASE-p6)
+CVE Name: CVE-2024-45287, CVE-2024-45288
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit .
+
+I. Background
+
+libnv (also called nvlist) is a general-purpose library designed for storing
+name-value pairs. This library can serve as an Inter-Process Communication
+(IPC) framework, enabling processes to exchange data. For example, it is
+used in libcasper to communicate between privileged and unprivileged
+processes. Additionally, libnv can function as an interface for communication
+between userland and kernel.
+
+Originally, libnv was inspired by OpenZFS nvlist. However, the
+implementations are separate. This advisory is only about base system
+implementation of libnv, not a OpenZFS one.
+
+II. Problem Description
+
+CVE-2024-45287 is a vulnerability that affects both the kernel and userland.
+A malicious value of size in a structure of packed libnv can cause an integer
+overflow, leading to the allocation of a smaller buffer than required for the
+parsed data.
+
+CVE-2024-45288 is a vulnerability that affects both the kernel and userland.
+A missing null-termination character in the last element of an nvlist array
+string can lead to writing outside the allocated buffer.
+
+III. Impact
+
+It is possible for an attacker to overwrite portions of memory (in userland
+or the kernel) as the allocated buffer might be smaller than the data
+received from a malicious process. This vulnerability could result in
+privilege escalation or cause a system panic.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-24:09/libnv.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:09/libnv.patch.asc
+# gpg --verify libnv.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+
+d) Recompile your kernel as described in
+ and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 9c2ef102166e stable/14-n268655
+releng/14.1/ d87f821959fb releng/14.1-n267696
+releng/14.0/ b219ce1c5a93 releng/14.0-n265433
+stable/13/ 03bef9971d73 stable/13-n258309
+releng/13.4/ 3aa9be7e3334 releng/13.4-n258240
+releng/13.3/ 33b4e2361c82 releng/13.3-n257449
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+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+=yX5r
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-24:10.bhyve.asc b/website/static/security/advisories/FreeBSD-SA-24:10.bhyve.asc
new file mode 100644
index 0000000000..3c14fec494
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:10.bhyve.asc
@@ -0,0 +1,146 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:10.bhyve Security Advisory
+ The FreeBSD Project
+
+Topic: bhyve(8) privileged guest escape via TPM device passthrough
+
+Category: core
+Module: bhyve
+Announced: 2024-09-04
+Credits: Synacktiv
+Sponsored by: The FreeBSD Foundation, The Alpha-Omega Project
+Affects: FreeBSD 14.x
+Corrected: 2024-09-04 15:42:29 UTC (stable/14, 14.1-STABLE)
+ 2024-09-04 21:07:28 UTC (releng/14.1, 14.1-RELEASE-p4)
+ 2024-09-04 20:54:13 UTC (releng/14.0, 14.0-RELEASE-p10)
+CVE Name: CVE-2024-41928
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit .
+
+I. Background
+
+bhyve(8) is a hypervisor that runs guest operating systems inside a virtual
+machine.
+
+II. Problem Description
+
+bhyve can be configured to provide access to the host's TPM device, where it
+passes the communication through an emulated device provided to the guest. This
+may be performed on the command-line by starting bhyve with the
+`-l tpm,passthru,/dev/tpmX` parameters.
+
+The MMIO handler for the emulated device did not validate the offset and size
+of the memory access correctly, allowing guests to read and write memory
+contents outside of the memory area effectively allocated.
+
+III. Impact
+
+Malicious software running in a guest VM can exploit the buffer overflow to
+achieve code execution on the host in the bhyve userspace process, which
+typically runs as root. Note that bhyve runs in a Capsicum sandbox, so
+malicious code is constrained by the capabilities available to the bhyve
+process.
+
+IV. Workaround
+
+No workaround is available, but guests that do not use TPM passthrough are
+not impacted.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Guest operating systems exposing the TPM device need to be restarted for the
+correction to be applied. (i.e., their corresponding bhyve process needs to be
+terminated and started again)
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-24:10/bhyve.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:10/bhyve.patch.asc
+# gpg --verify bhyve.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+
+Restart the corresponding bhyve processes, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 6ce4821f0859 stable/14-n268656
+releng/14.1/ eab723be7542 releng/14.1-n267697
+releng/14.0/ 429f200688ca releng/14.0-n265434
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+The corresponding part of the security audit report as provided by Synacktiv
+will be published in due course.
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+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+=VI0d
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-24:11.ctl.asc b/website/static/security/advisories/FreeBSD-SA-24:11.ctl.asc
new file mode 100644
index 0000000000..019935a17e
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:11.ctl.asc
@@ -0,0 +1,178 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:11.ctl Security Advisory
+ The FreeBSD Project
+
+Topic: Multiple issues in ctl(4) CAM Target Layer
+
+Category: core
+Module: ctl
+Announced: 2024-09-04
+Credits: Synacktiv
+Sponsored by: The FreeBSD Foundation, The Alpha-Omega Project
+Affects: All supported versions of FreeBSD.
+Corrected: 2024-09-04 15:51:07 UTC (stable/14, 14.1-STABLE)
+ 2024-09-04 21:07:33 UTC (releng/14.1, 14.1-RELEASE-p4)
+ 2024-09-04 20:54:18 UTC (releng/14.0, 14.0-RELEASE-p10)
+ 2024-09-04 15:53:53 UTC (stable/13, 13.4-STABLE)
+ 2024-09-04 19:58:25 UTC (releng/13.4, 13.4-RC2-p1)
+ 2024-09-04 20:29:45 UTC (releng/13.3, 13.3-RELEASE-p6)
+CVE Name: CVE-2024-8178, CVE-2024-42416, CVE-2024-43110,
+ CVE-2024-45063
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit .
+
+I. Background
+
+The ctl subsystem provides SCSI target devices emulation. The bhyve(8)
+hypervisor and ctld(8) iSCSI target daemon make use of ctl.
+
+II. Problem Description
+
+Several vulnerabilities were found in the ctl subsystem.
+
+The function ctl_write_buffer incorrectly set a flag which resulted in a
+kernel Use-After-Free when a command finished processing (CVE-2024-45063).
+The ctl_write_buffer and ctl_read_buffer functions allocated memory to be
+returned to userspace, without initializing it (CVE-2024-8178).
+The ctl_report_supported_opcodes function did not sufficiently validate a
+field provided by userspace, allowing an arbitrary write to a limited amount
+of kernel help memory (CVE-2024-42416).
+The ctl_request_sense function could expose up to three bytes of the kernel
+heap to userspace (CVE-2024-43110).
+
+Guest virtual machines in the bhyve hypervisor can send SCSI commands to the
+corresponding kernel driver via the virtio_scsi interface. This provides
+guests with direct access to the vulnerabilities covered by this advisory.
+
+The CAM Target Layer iSCSI target daemon ctld(8) accepts incoming iSCSI
+connections, performs authentication and passes connections to the kernel
+ctl(4) target layer.
+
+III. Impact
+
+Malicious software running in a guest VM that exposes virtio_scsi can exploit
+the vulnerabilities to achieve code execution on the host in the bhyve
+userspace process, which typically runs as root. Note that bhyve runs in a
+Capsicum sandbox, so malicious code is constrained by the capabilities
+available to the bhyve process.
+
+A malicious iSCSI initiator could achieve remote code execution on the iSCSI
+target host.
+
+IV. Workaround
+
+No workaround is available.
+
+bhyve VMs that do not make use of virtio_scsi (for instance, via
+`bhyve -s NN,virtio-scsi,...`), and hosts that do not export iSCSI targets,
+are not affected.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+The system should be rebooted in order to effectively mitigate the issue with
+certainty.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.3, 14.0, 14.1]
+# fetch https://security.FreeBSD.org/patches/SA-24:11/ctl.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:11/ctl.patch.asc
+# gpg --verify ctl.patch.asc
+
+[FreeBSD 13.4]
+# fetch https://security.FreeBSD.org/patches/SA-24:11/ctl-13.4.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:11/ctl-13.4.patch.asc
+# gpg --verify ctl-13.4.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+ and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 803e0c2ab29b stable/14-n268660
+releng/14.1/ d30ffde0806e releng/14.1-n267701
+releng/14.0/ 4c60b8289d0e releng/14.0-n265438
+stable/13/ c8afc072690f stable/13-n258314
+releng/13.4/ 004298792002 releng/13.4-n258243
+releng/13.3/ 639494a3c1e6 releng/13.3-n257453
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+The corresponding part of the security audit report as provided by Synacktiv
+will be published in due course.
+
+
+
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+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+=eocJ
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-24:12.bhyve.asc b/website/static/security/advisories/FreeBSD-SA-24:12.bhyve.asc
new file mode 100644
index 0000000000..8306450694
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:12.bhyve.asc
@@ -0,0 +1,148 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:12.bhyve Security Advisory
+ The FreeBSD Project
+
+Topic: bhyve(8) privileged guest escape via USB controller
+
+Category: core
+Module: bhyve
+Announced: 2024-09-04
+Credits: Synacktiv
+Sponsored by: The FreeBSD Foundation, The Alpha-Omega Project
+Affects: All supported versions of FreeBSD.
+Corrected: 2024-09-04 15:42:30 UTC (stable/14, 14.1-STABLE)
+ 2024-09-04 21:07:34 UTC (releng/14.1, 14.1-RELEASE-p4)
+ 2024-09-04 20:54:19 UTC (releng/14.0, 14.0-RELEASE-p10)
+ 2024-09-04 15:45:38 UTC (stable/13, 13.4-STABLE)
+ 2024-09-04 19:58:26 UTC (releng/13.4, 13.4-RC2-p1)
+ 2024-09-04 20:29:46 UTC (releng/13.3, 13.3-RELEASE-p6)
+CVE Name: CVE-2024-32668
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit .
+
+I. Background
+
+bhyve(8) is a hypervisor that runs guest operating systems inside a virtual
+machine.
+
+II. Problem Description
+
+bhyve can be configured to emulate devices on a virtual USB controller (XHCI),
+such as USB tablet devices. An insufficient boundary validation in the USB code
+could lead to an out-of-bounds write on the heap, with data controlled by the
+caller.
+
+III. Impact
+
+A malicious, privileged software running in a guest VM can exploit the
+vulnerability to achieve code execution on the host in the bhyve userspace
+process, which typically runs as root. Note that bhyve runs in a Capsicum
+sandbox, so malicious code is constrained by the capabilities available to the
+bhyve process.
+
+IV. Workaround
+
+No workaround is available, but VMs that do not make the XHCI device
+available to the guest (via `bhyve -s xhci,...`) are not impacted.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Guest operating systems emulating USB devices with XHCI need to be restarted for
+the correction to be applied. (i.e., their corresponding bhyve process needs to
+be terminated and started again)
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-24:12/bhyve.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:12/bhyve.patch.asc
+# gpg --verify bhyve.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+
+Restart the corresponding bhyve processes, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 90af1336ed5e stable/14-n268657
+releng/14.1/ bb245c142075 releng/14.1-n267702
+releng/14.0/ 1d01a6c11210 releng/14.0-n265439
+stable/13/ 5920b7e6eea1 stable/13-n258311
+releng/13.4/ b3f0e555781c releng/13.4-n258244
+releng/13.3/ 5d6576f4f000 releng/13.3-n257454
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+The corresponding part of the security audit report as provided by Synacktiv
+will be published in due course.
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+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+=nYwM
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-24:13.openssl.asc b/website/static/security/advisories/FreeBSD-SA-24:13.openssl.asc
new file mode 100644
index 0000000000..7b3a152879
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:13.openssl.asc
@@ -0,0 +1,136 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:13.openssl Security Advisory
+ The FreeBSD Project
+
+Topic: Possible DoS in X.509 name checks in OpenSSL
+
+Category: contrib
+Module: openssl
+Announced: 2024-09-03
+Credits: David Benjamin (Google)
+Affects: FreeBSD 14.x
+Corrected: 2024-09-03 17:09:21 UTC (stable/14, 14.1-STABLE)
+ 2024-09-04 21:07:35 UTC (releng/14.1, 14.1-RELEASE-p4)
+ 2024-09-04 20:54:20 UTC (releng/14.0, 14.0-RELEASE-p10)
+CVE Name: CVE-2024-6119
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit .
+
+I. Background
+
+FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a
+collaborative effort to develop a robust, commercial-grade, full-featured
+Open Source toolkit for the Transport Layer Security (TLS) protocol. It is
+also a general-purpose cryptography library.
+
+II. Problem Description
+
+Applications performing certificate name checks (e.g., TLS clients checking
+server certificates) may attempt to read an invalid memory address when
+comparing the expected name with an otherName subject alternative name of an
+X.509 certificate.
+
+Basic certificate chain validation is not affected. The issue only occurs
+when an application also specifies an expected DNS name, Email address or IP
+address.
+
+III. Impact
+
+Applications affected by the problem may result in a termination, leading to
+a denial of service.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-24:13/openssl.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:13/openssl.patch.asc
+# gpg --verify openssl.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+
+Restart all daemons that use the library, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 5946b0c6cbc7 stable/14-n268645
+releng/14.1/ 9a5a7c90d5e5 releng/14.1-n267703
+releng/14.0/ abd3a7939117 releng/14.0-n265440
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+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+=JDHd
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-24:14.umtx.asc b/website/static/security/advisories/FreeBSD-SA-24:14.umtx.asc
new file mode 100644
index 0000000000..7f5c4ee555
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:14.umtx.asc
@@ -0,0 +1,143 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:14.umtx Security Advisory
+ The FreeBSD Project
+
+Topic: umtx Kernel panic or Use-After-Free
+
+Category: core
+Module: kern
+Announced: 2024-09-04
+Credits: Synacktiv
+Sponsored by: The FreeBSD Foundation, The Alpha-Omega Project
+Affects: All supported versions of FreeBSD.
+Corrected: 2024-09-04 16:00:58 UTC (stable/14, 14.1-STABLE)
+ 2024-09-04 21:07:40 UTC (releng/14.1, 14.1-RELEASE-p4)
+ 2024-09-04 20:54:24 UTC (releng/14.0, 14.0-RELEASE-p10)
+ 2024-09-04 16:05:17 UTC (stable/13, 13.4-STABLE)
+ 2024-09-04 19:58:30 UTC (releng/13.4, 13.4-RC2-p1)
+ 2024-09-04 20:29:50 UTC (releng/13.3, 13.3-RELEASE-p6)
+CVE Name: CVE-2024-43102
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit .
+
+I. Background
+
+The _umtx_op(2) system call provides support for the implementation of
+synchronization primitives between threads, and is used by the 1:1 Threading
+Library (libthr, -lthr) to implement IEEE Std 1003.1-2001 (“POSIX.1”) pthread
+locks, like mutexes, condition variables and so on.
+
+In particular, its UMTX_OP_SHM operation provides support for anonymous shared
+memory associated to a particular physical address, which is used to implement
+process-shared mutexes (PTHREAD_PROCESS_SHARED).
+
+II. Problem Description
+
+Concurrent removals of such a mapping by using the UMTX_SHM_DESTROY sub-request
+of UMTX_OP_SHM can lead to decreasing the reference count of the object
+representing the mapping too many times, causing it to be freed too early.
+
+III. Impact
+
+A malicious code exercizing the UMTX_SHM_DESTROY sub-request in parallel can
+panic the kernel or enable further Use-After-Free attacks, potentially
+including code execution or Capsicum sandbox escape.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-24:14/umtx.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:14/umtx.patch.asc
+# gpg --verify umtx.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+ and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 4938f554469b stable/14-n268665
+releng/14.1/ f4a2dbb81603 releng/14.1-n267707
+releng/14.0/ 37823ca38148 releng/14.0-n265444
+stable/13/ a73a70472c47 stable/13-n258319
+releng/13.4/ 7739dab97433 releng/13.4-n258248
+releng/13.3/ 8fd0fa88b5a6 releng/13.3-n257458
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+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+=/sml
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-24:15/calendar.patch b/website/static/security/patches/EN-24:15/calendar.patch
new file mode 100644
index 0000000000..94dfc9b03e
--- /dev/null
+++ b/website/static/security/patches/EN-24:15/calendar.patch
@@ -0,0 +1,11 @@
+--- usr.bin/calendar/calendar.c.orig
++++ usr.bin/calendar/calendar.c
+@@ -211,7 +211,7 @@
+
+ lc = login_getpwclass(pw);
+ if (setusercontext(lc, pw, pw->pw_uid,
+- LOGIN_SETALL) != 0)
++ LOGIN_SETALL & ~LOGIN_SETLOGIN) != 0)
+ errx(1, "setusercontext");
+ setenv("HOME", pw->pw_dir, 1);
+ cal();
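Review bot: The one line that matters, `LOGIN_SETALL & ~LOGIN_SETLOGIN`, carries no comment explaining why the login name is excluded, so a later cleanup is likely to "simplify" it back to LOGIN_SETALL and reintroduce the erratum. I would add above the call: `/* Do not pass LOGIN_SETLOGIN: setlogin(2) presumably renames the whole session, which this child shares with the cron job that spawned it. */` — the session-wide effect is my reading of why the flag is dropped rather than anything visible in the hunk, so confirm the wording. The enclosing function, including the per-user fork that reaches this setusercontext call, starts outside the hunk.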
diff --git a/website/static/security/patches/EN-24:15/calendar.patch.asc b/website/static/security/patches/EN-24:15/calendar.patch.asc
new file mode 100644
index 0000000000..53a1170809
--- /dev/null
+++ b/website/static/security/patches/EN-24:15/calendar.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=adbK
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-24:09/libnv.patch b/website/static/security/patches/SA-24:09/libnv.patch
new file mode 100644
index 0000000000..c9fdf18726
--- /dev/null
+++ b/website/static/security/patches/SA-24:09/libnv.patch
@@ -0,0 +1,115 @@
+--- sys/contrib/libnv/bsd_nvpair.c.orig
++++ sys/contrib/libnv/bsd_nvpair.c
+@@ -988,6 +988,10 @@ nvpair_unpack_string_array(bool isbe __unused, nvpair_t *nvp,
+ for (ii = 0; ii < nvp->nvp_nitems; ii++) {
+ len = strnlen(tmp, size - 1) + 1;
+ size -= len;
++ if (tmp[len - 1] != '\0') {
++ ERRNO_SET(EINVAL);
++ return (NULL);
++ }
+ if (size < 0) {
+ ERRNO_SET(EINVAL);
+ return (NULL);
+@@ -999,7 +1003,7 @@ nvpair_unpack_string_array(bool isbe __unused, nvpair_t *nvp,
+ return (NULL);
+ }
+
+- value = nv_malloc(sizeof(*value) * nvp->nvp_nitems);
++ value = nv_calloc(nvp->nvp_nitems, sizeof(*value));
+ if (value == NULL)
+ return (NULL);
+
+@@ -1092,7 +1096,7 @@ nvpair_unpack_nvlist_array(bool isbe __unused, nvpair_t *nvp,
+ return (NULL);
+ }
+
+- value = nv_malloc(nvp->nvp_nitems * sizeof(*value));
++ value = nv_calloc(nvp->nvp_nitems, sizeof(*value));
+ if (value == NULL)
+ return (NULL);
+
+@@ -1330,10 +1334,10 @@ nvpair_create_bool_array(const char *name, const bool *value, size_t nitems)
+ return (NULL);
+ }
+
+- size = sizeof(value[0]) * nitems;
+- data = nv_malloc(size);
++ data = nv_calloc(nitems, sizeof(value[0]));
+ if (data == NULL)
+ return (NULL);
++ size = sizeof(value[0]) * nitems;
+
+ memcpy(data, value, size);
+ nvp = nvpair_allocv(name, NV_TYPE_BOOL_ARRAY, (uint64_t)(uintptr_t)data,
+@@ -1360,10 +1364,10 @@ nvpair_create_number_array(const char *name, const uint64_t *value,
+ return (NULL);
+ }
+
+- size = sizeof(value[0]) * nitems;
+- data = nv_malloc(size);
++ data = nv_calloc(nitems, sizeof(value[0]));
+ if (data == NULL)
+ return (NULL);
++ size = sizeof(value[0]) * nitems;
+
+ memcpy(data, value, size);
+ nvp = nvpair_allocv(name, NV_TYPE_NUMBER_ARRAY,
+@@ -1393,7 +1397,7 @@ nvpair_create_string_array(const char *name, const char * const *value,
+
+ nvp = NULL;
+ datasize = 0;
+- data = nv_malloc(sizeof(value[0]) * nitems);
++ data = nv_calloc(nitems, sizeof(value[0]));
+ if (data == NULL)
+ return (NULL);
+
+@@ -1440,7 +1444,7 @@ nvpair_create_nvlist_array(const char *name, const nvlist_t * const *value,
+ return (NULL);
+ }
+
+- nvls = nv_malloc(sizeof(value[0]) * nitems);
++ nvls = nv_calloc(nitems, sizeof(value[0]));
+ if (nvls == NULL)
+ return (NULL);
+
+@@ -1507,7 +1511,7 @@ nvpair_create_descriptor_array(const char *name, const int *value,
+
+ nvp = NULL;
+
+- fds = nv_malloc(sizeof(value[0]) * nitems);
++ fds = nv_calloc(nitems, sizeof(value[0]));
+ if (fds == NULL)
+ return (NULL);
+ for (ii = 0; ii < nitems; ii++) {
+--- sys/contrib/libnv/nvlist.c.orig
++++ sys/contrib/libnv/nvlist.c
+@@ -758,7 +758,7 @@ nvlist_descriptors(const nvlist_t *nvl, size_t *nitemsp)
+ int *fds;
+
+ nitems = nvlist_ndescriptors(nvl);
+- fds = nv_malloc(sizeof(fds[0]) * (nitems + 1));
++ fds = nv_calloc(nitems + 1, sizeof(fds[0]));
+ if (fds == NULL)
+ return (NULL);
+ if (nitems > 0)
+@@ -1029,6 +1029,10 @@ static bool
+ nvlist_check_header(struct nvlist_header *nvlhdrp)
+ {
+
++ if (nvlhdrp->nvlh_size > SIZE_MAX - sizeof(nvlhdrp)) {
++ ERRNO_SET(EINVAL);
++ return (false);
++ }
+ if (nvlhdrp->nvlh_magic != NVLIST_HEADER_MAGIC) {
+ ERRNO_SET(EINVAL);
+ return (false);
+@@ -1313,7 +1317,7 @@ nvlist_recv(int sock, int flags)
+ goto out;
+
+ if (nfds > 0) {
+- fds = nv_malloc(nfds * sizeof(fds[0]));
++ fds = nv_calloc(nfds, sizeof(fds[0]));
+ if (fds == NULL)
+ goto out;
+ if (fd_recv(sock, fds, nfds) == -1)
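Review bot: In nvpair_unpack_string_array the new check `if (tmp[len - 1] != '\0')` still lets the next iteration call `strnlen(tmp, size - 1)` with `size == 0`: when a string consumes exactly the remaining bytes `size` drops to 0, the terminator check passes, `size < 0` is false, and the following iteration hands `size - 1` (wrapping to SIZE_MAX whether `size` is ssize_t, as the `size < 0` test suggests, or size_t) to strnlen, an over-read of the packed buffer whenever `nvp_nitems` exceeds the number of strings present. A guard at the top of the loop body, `if (size <= 0) { ERRNO_SET(EINVAL); return (NULL); }`, closes it, and with it the `size < 0` test after the subtraction becomes unreachable since `len` never exceeds `size`. Separately, in nvlist_check_header `SIZE_MAX - sizeof(nvlhdrp)` subtracts the size of the pointer, not of the header; `sizeof(*nvlhdrp)` looks intended. The declaration of `size` and the checks preceding the loop are outside the hunk.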
diff --git a/website/static/security/patches/SA-24:09/libnv.patch.asc b/website/static/security/patches/SA-24:09/libnv.patch.asc
new file mode 100644
index 0000000000..d9b6ba66b1
--- /dev/null
+++ b/website/static/security/patches/SA-24:09/libnv.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=r0zi
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-24:10/bhyve.patch b/website/static/security/patches/SA-24:10/bhyve.patch
new file mode 100644
index 0000000000..37c515852c
--- /dev/null
+++ b/website/static/security/patches/SA-24:10/bhyve.patch
@@ -0,0 +1,20 @@
+--- usr.sbin/bhyve/tpm_ppi_qemu.c.orig
++++ usr.sbin/bhyve/tpm_ppi_qemu.c
+@@ -25,7 +25,7 @@
+ #include "tpm_ppi.h"
+
+ #define TPM_PPI_ADDRESS 0xFED45000
+-#define TPM_PPI_SIZE 0x1000
++#define TPM_PPI_SIZE 0x400
+
+ #define TPM_PPI_FWCFG_FILE "etc/tpm/config"
+
+@@ -100,7 +100,7 @@
+ struct tpm_ppi_fwcfg *fwcfg = NULL;
+ int error;
+
+- ppi = calloc(1, sizeof(*ppi));
++ ppi = calloc(1, TPM_PPI_SIZE);
+ if (ppi == NULL) {
+ warnx("%s: failed to allocate acpi region for ppi", __func__);
+ error = ENOMEM;
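Review bot: `ppi = calloc(1, TPM_PPI_SIZE)` now sizes the allocation by the region constant instead of the struct, but nothing asserts that the struct still fits in 0x400 bytes, so if the two drift apart again the same class of bug returns silently. I would add `_Static_assert(sizeof(*ppi) <= TPM_PPI_SIZE, "PPI struct larger than PPI region");` right after the declarations (sizeof of a pointed-to object is a constant expression, so it can sit in the function body). Whether 0x400 matches the size the guest-visible region is registered with is decided outside the hunk. The enclosing function starts outside the hunk.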
diff --git a/website/static/security/patches/SA-24:10/bhyve.patch.asc b/website/static/security/patches/SA-24:10/bhyve.patch.asc
new file mode 100644
index 0000000000..5cb1988d25
--- /dev/null
+++ b/website/static/security/patches/SA-24:10/bhyve.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=38ew
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-24:11/ctl-13.4.patch b/website/static/security/patches/SA-24:11/ctl-13.4.patch
new file mode 100644
index 0000000000..5bc737332e
--- /dev/null
+++ b/website/static/security/patches/SA-24:11/ctl-13.4.patch
@@ -0,0 +1,90 @@
+--- sys/cam/ctl/ctl.c.orig
++++ sys/cam/ctl/ctl.c
+@@ -5586,7 +5586,7 @@
+ } else {
+ if (lun->write_buffer == NULL) {
+ lun->write_buffer = malloc(CTL_WRITE_BUFFER_SIZE,
+- M_CTL, M_WAITOK);
++ M_CTL, M_WAITOK | M_ZERO);
+ }
+ ctsio->kern_data_ptr = lun->write_buffer + buffer_offset;
+ }
+@@ -5625,21 +5625,24 @@
+ return (CTL_RETVAL_COMPLETE);
+ }
+
++ if (lun->write_buffer == NULL) {
++ lun->write_buffer = malloc(CTL_WRITE_BUFFER_SIZE,
++ M_CTL, M_WAITOK | M_ZERO);
++ }
++
+ /*
+- * If we've got a kernel request that hasn't been malloced yet,
+- * malloc it and tell the caller the data buffer is here.
++ * If this kernel request hasn't started yet, initialize the data
++ * buffer to the correct region of the LUN's write buffer. Note that
++ * this doesn't set CTL_FLAG_ALLOCATED since this points into a
++ * persistent buffer belonging to the LUN rather than a buffer
++ * dedicated to this request.
+ */
+- if ((ctsio->io_hdr.flags & CTL_FLAG_ALLOCATED) == 0) {
+- if (lun->write_buffer == NULL) {
+- lun->write_buffer = malloc(CTL_WRITE_BUFFER_SIZE,
+- M_CTL, M_WAITOK);
+- }
++ if (ctsio->kern_data_ptr == NULL) {
+ ctsio->kern_data_ptr = lun->write_buffer + buffer_offset;
+ ctsio->kern_data_len = len;
+ ctsio->kern_total_len = len;
+ ctsio->kern_rel_offset = 0;
+ ctsio->kern_sg_entries = 0;
+- ctsio->io_hdr.flags |= CTL_FLAG_ALLOCATED;
+ ctsio->be_move_done = ctl_config_move_done;
+ ctl_datamove((union ctl_io *)ctsio);
+
+@@ -7467,20 +7470,19 @@
+ case RSO_OPTIONS_OC_SA:
+ if ((ctl_cmd_table[opcode].flags & CTL_CMD_FLAG_SA5) == 0 ||
+ service_action >= 32) {
+- ctl_set_invalid_field(/*ctsio*/ ctsio,
+- /*sks_valid*/ 1,
+- /*command*/ 1,
+- /*field*/ 2,
+- /*bit_valid*/ 1,
+- /*bit*/ 2);
+- ctl_done((union ctl_io *)ctsio);
+- return (CTL_RETVAL_COMPLETE);
++ goto invalid;
+ }
+- /* FALLTHROUGH */
++ total_len = sizeof(struct scsi_report_supported_opcodes_one) + 32;
++ break;
+ case RSO_OPTIONS_OC_ASA:
++ if ((ctl_cmd_table[opcode].flags & CTL_CMD_FLAG_SA5) != 0 &&
++ service_action >= 32) {
++ goto invalid;
++ }
+ total_len = sizeof(struct scsi_report_supported_opcodes_one) + 32;
+ break;
+ default:
++invalid:
+ ctl_set_invalid_field(/*ctsio*/ ctsio,
+ /*sks_valid*/ 1,
+ /*command*/ 1,
+--- sys/cam/ctl/ctl_private.h.orig
++++ sys/cam/ctl/ctl_private.h
+@@ -355,6 +355,14 @@
+ uint8_t pr_res_type;
+ int prevent_count;
+ uint32_t *prevent;
++
++ /*
++ * The READ_BUFFER and WRITE_BUFFER commands permit access to a logical
++ * data buffer associated with a LUN. Accesses to the data buffer do
++ * not affect data stored on the storage medium. To support this,
++ * allocate a buffer on first use that persists until the LUN is
++ * destroyed.
++ */
+ uint8_t *write_buffer;
+ struct ctl_devid *lun_devid;
+ TAILQ_HEAD(tpc_lists, tpc_list) tpc_lists;
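Review bot: This 13.4 variant omits the REQUEST SENSE clamp (`ctsio->kern_data_len = ctsio->kern_total_len = MIN(cdb->length, sizeof(*sense_ptr));`) that ctl.patch applies to ctl_request_sense, and nothing in this file says whether the 13.x code already bounds `cdb->length` there; if it does not, the 13.3/13.4 build keeps an initiator-controlled length for that transfer. I would confirm the 13.x ctl_request_sense before publishing and, if the clamp applies, carry the same two lines over. The remaining hunks match ctl.patch line for line, including the unlocked first-use allocation of `lun->write_buffer`, which deserves the same scrutiny on this branch. All modified functions start outside the hunk.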
diff --git a/website/static/security/patches/SA-24:11/ctl-13.4.patch.asc b/website/static/security/patches/SA-24:11/ctl-13.4.patch.asc
new file mode 100644
index 0000000000..71d14c6134
--- /dev/null
+++ b/website/static/security/patches/SA-24:11/ctl-13.4.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=51hZ
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-24:11/ctl.patch b/website/static/security/patches/SA-24:11/ctl.patch
new file mode 100644
index 0000000000..f06c839a31
--- /dev/null
+++ b/website/static/security/patches/SA-24:11/ctl.patch
@@ -0,0 +1,107 @@
+--- sys/cam/ctl/ctl.c.orig
++++ sys/cam/ctl/ctl.c
+@@ -5634,7 +5634,7 @@
+ } else {
+ if (lun->write_buffer == NULL) {
+ lun->write_buffer = malloc(CTL_WRITE_BUFFER_SIZE,
+- M_CTL, M_WAITOK);
++ M_CTL, M_WAITOK | M_ZERO);
+ }
+ ctsio->kern_data_ptr = lun->write_buffer + buffer_offset;
+ }
+@@ -5673,21 +5673,24 @@
+ return (CTL_RETVAL_COMPLETE);
+ }
+
++ if (lun->write_buffer == NULL) {
++ lun->write_buffer = malloc(CTL_WRITE_BUFFER_SIZE,
++ M_CTL, M_WAITOK | M_ZERO);
++ }
++
+ /*
+- * If we've got a kernel request that hasn't been malloced yet,
+- * malloc it and tell the caller the data buffer is here.
++ * If this kernel request hasn't started yet, initialize the data
++ * buffer to the correct region of the LUN's write buffer. Note that
++ * this doesn't set CTL_FLAG_ALLOCATED since this points into a
++ * persistent buffer belonging to the LUN rather than a buffer
++ * dedicated to this request.
+ */
+- if ((ctsio->io_hdr.flags & CTL_FLAG_ALLOCATED) == 0) {
+- if (lun->write_buffer == NULL) {
+- lun->write_buffer = malloc(CTL_WRITE_BUFFER_SIZE,
+- M_CTL, M_WAITOK);
+- }
++ if (ctsio->kern_data_ptr == NULL) {
+ ctsio->kern_data_ptr = lun->write_buffer + buffer_offset;
+ ctsio->kern_data_len = len;
+ ctsio->kern_total_len = len;
+ ctsio->kern_rel_offset = 0;
+ ctsio->kern_sg_entries = 0;
+- ctsio->io_hdr.flags |= CTL_FLAG_ALLOCATED;
+ ctsio->be_move_done = ctl_config_move_done;
+ ctl_datamove((union ctl_io *)ctsio);
+
+@@ -7511,20 +7514,19 @@
+ case RSO_OPTIONS_OC_SA:
+ if ((ctl_cmd_table[opcode].flags & CTL_CMD_FLAG_SA5) == 0 ||
+ service_action >= 32) {
+- ctl_set_invalid_field(/*ctsio*/ ctsio,
+- /*sks_valid*/ 1,
+- /*command*/ 1,
+- /*field*/ 2,
+- /*bit_valid*/ 1,
+- /*bit*/ 2);
+- ctl_done((union ctl_io *)ctsio);
+- return (CTL_RETVAL_COMPLETE);
++ goto invalid;
+ }
+- /* FALLTHROUGH */
++ total_len = sizeof(struct scsi_report_supported_opcodes_one) + 32;
++ break;
+ case RSO_OPTIONS_OC_ASA:
++ if ((ctl_cmd_table[opcode].flags & CTL_CMD_FLAG_SA5) != 0 &&
++ service_action >= 32) {
++ goto invalid;
++ }
+ total_len = sizeof(struct scsi_report_supported_opcodes_one) + 32;
+ break;
+ default:
++invalid:
+ ctl_set_invalid_field(/*ctsio*/ ctsio,
+ /*sks_valid*/ 1,
+ /*command*/ 1,
+@@ -9340,14 +9342,8 @@
+ sense_ptr = (struct scsi_sense_data *)ctsio->kern_data_ptr;
+ ctsio->kern_sg_entries = 0;
+ ctsio->kern_rel_offset = 0;
+-
+- /*
+- * struct scsi_sense_data, which is currently set to 256 bytes, is
+- * larger than the largest allowed value for the length field in the
+- * REQUEST SENSE CDB, which is 252 bytes as of SPC-4.
+- */
+- ctsio->kern_data_len = cdb->length;
+- ctsio->kern_total_len = cdb->length;
++ ctsio->kern_data_len = ctsio->kern_total_len =
++ MIN(cdb->length, sizeof(*sense_ptr));
+
+ /*
+ * If we don't have a LUN, we don't have any pending sense.
+--- sys/cam/ctl/ctl_private.h.orig
++++ sys/cam/ctl/ctl_private.h
+@@ -411,6 +411,14 @@
+ uint8_t pr_res_type;
+ int prevent_count;
+ uint32_t *prevent;
++
++ /*
++ * The READ_BUFFER and WRITE_BUFFER commands permit access to a logical
++ * data buffer associated with a LUN. Accesses to the data buffer do
++ * not affect data stored on the storage medium. To support this,
++ * allocate a buffer on first use that persists until the LUN is
++ * destroyed.
++ */
+ uint8_t *write_buffer;
+ struct ctl_devid *lun_devid;
+ TAILQ_HEAD(tpc_lists, tpc_list) tpc_lists;
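Review bot: Both `if (lun->write_buffer == NULL) { lun->write_buffer = malloc(CTL_WRITE_BUFFER_SIZE, M_CTL, M_WAITOK | M_ZERO); }` sites allocate on first use with no lock visible in the hunk, so two READ/WRITE BUFFER commands for the same LUN arriving together could both observe NULL and both allocate, leaking one buffer and leaving the two requests pointing at different memory. If CTL's per-LUN serialization already covers these paths, a one-line comment at the allocation saying so would settle it; otherwise the buffer should be allocated once at LUN creation, since malloc(M_WAITOK) may sleep and cannot simply be wrapped in `lun->lun_lock`. The `MIN(cdb->length, sizeof(*sense_ptr))` clamp in ctl_request_sense replaces a comment with no replacement rationale; a short note that `cdb->length` is initiator-controlled and must not exceed the sense buffer would preserve the intent. All three functions start outside the hunk.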
diff --git a/website/static/security/patches/SA-24:11/ctl.patch.asc b/website/static/security/patches/SA-24:11/ctl.patch.asc
new file mode 100644
index 0000000000..e53c403e74
--- /dev/null
+++ b/website/static/security/patches/SA-24:11/ctl.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=3U90
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-24:12/bhyve.patch b/website/static/security/patches/SA-24:12/bhyve.patch
new file mode 100644
index 0000000000..8e1904ec45
--- /dev/null
+++ b/website/static/security/patches/SA-24:12/bhyve.patch
@@ -0,0 +1,20 @@
+--- usr.sbin/bhyve/pci_xhci.c.orig
++++ usr.sbin/bhyve/pci_xhci.c
+@@ -660,7 +660,7 @@
+ devep = &dev->eps[epid];
+ pstreams = XHCI_EPCTX_0_MAXP_STREAMS_GET(ep_ctx->dwEpCtx0);
+ if (pstreams > 0) {
+- DPRINTF(("init_ep %d with pstreams %d", epid, pstreams));
++ DPRINTF(("init_ep %d with pstreams %u", epid, pstreams));
+ assert(devep->ep_sctx_trbs == NULL);
+
+ devep->ep_sctx = XHCI_GADDR(dev->xsc, ep_ctx->qwEpCtx2 &
+@@ -1202,7 +1202,7 @@
+ }
+
+ /* only support primary stream */
+- if (streamid > devep->ep_MaxPStreams)
++ if (streamid >= devep->ep_MaxPStreams)
+ return (XHCI_TRB_ERROR_STREAM_TYPE);
+
+ sctx = (struct xhci_stream_ctx *)XHCI_GADDR(sc, ep->qwEpCtx2 & ~0xFUL) +
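Review bot: The corrected bound `streamid >= devep->ep_MaxPStreams` treats `ep_MaxPStreams` as the element count of the per-endpoint stream arrays, but the field's name mirrors the xHCI MaxPStreams context field, which (if I read the spec right) encodes 2^(n+1) stream contexts, and stream ID 0 is reserved — the name invites the next reader to apply the spec meaning and reintroduce the off-by-one. A comment at the check, `/* ep_MaxPStreams is the entry count bhyve allocated for ep_sctx_trbs, not the raw context field; streamid is guest-controlled. */`, would pin that down, assuming ep_sctx_trbs really is sized from the same value as the `pstreams` read in init_ep (the allocation is outside this hunk). Whether `streamid == 0` should be rejected as well depends on how bhyve handles the reserved stream, which is worth checking at the same time. Both functions start outside the hunk.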
diff --git a/website/static/security/patches/SA-24:12/bhyve.patch.asc b/website/static/security/patches/SA-24:12/bhyve.patch.asc
new file mode 100644
index 0000000000..8e8085a1d4
--- /dev/null
+++ b/website/static/security/patches/SA-24:12/bhyve.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=Xlvu
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-24:13/openssl.patch b/website/static/security/patches/SA-24:13/openssl.patch
new file mode 100644
index 0000000000..929a258603
--- /dev/null
+++ b/website/static/security/patches/SA-24:13/openssl.patch
@@ -0,0 +1,92 @@
+--- crypto/openssl/crypto/x509/v3_utl.c.orig
++++ crypto/openssl/crypto/x509/v3_utl.c
+@@ -916,36 +916,64 @@
+ ASN1_STRING *cstr;
+
+ gen = sk_GENERAL_NAME_value(gens, i);
+- if ((gen->type == GEN_OTHERNAME) && (check_type == GEN_EMAIL)) {
+- if (OBJ_obj2nid(gen->d.otherName->type_id) ==
+- NID_id_on_SmtpUTF8Mailbox) {
+- san_present = 1;
+-
+- /*
+- * If it is not a UTF8String then that is unexpected and we
+- * treat it as no match
+- */
+- if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) {
+- cstr = gen->d.otherName->value->value.utf8string;
+-
+- /* Positive on success, negative on error! */
+- if ((rv = do_check_string(cstr, 0, equal, flags,
+- chk, chklen, peername)) != 0)
+- break;
+- }
+- } else
++ switch (gen->type) {
++ default:
++ continue;
++ case GEN_OTHERNAME:
++ switch (OBJ_obj2nid(gen->d.otherName->type_id)) {
++ default:
+ continue;
+- } else {
+- if ((gen->type != check_type) && (gen->type != GEN_OTHERNAME))
++ case NID_id_on_SmtpUTF8Mailbox:
++ /*-
++ * https://datatracker.ietf.org/doc/html/rfc8398#section-3
++ *
++ * Due to name constraint compatibility reasons described
++ * in Section 6, SmtpUTF8Mailbox subjectAltName MUST NOT
++ * be used unless the local-part of the email address
++ * contains non-ASCII characters. When the local-part is
++ * ASCII, rfc822Name subjectAltName MUST be used instead
++ * of SmtpUTF8Mailbox. This is compatible with legacy
++ * software that supports only rfc822Name (and not
++ * SmtpUTF8Mailbox). [...]
++ *
++ * SmtpUTF8Mailbox is encoded as UTF8String.
++ *
++ * If it is not a UTF8String then that is unexpected, and
++ * we ignore the invalid SAN (neither set san_present nor
++ * consider it a candidate for equality). This does mean
++ * that the subject CN may be considered, as would be the
++ * case when the malformed SmtpUtf8Mailbox SAN is instead
++ * simply absent.
++ *
++ * When CN-ID matching is not desirable, applications can
++ * choose to turn it off, doing so is at this time a best
++ * practice.
++ */
++ if (check_type != GEN_EMAIL
++ || gen->d.otherName->value->type != V_ASN1_UTF8STRING)
++ continue;
++ alt_type = 0;
++ cstr = gen->d.otherName->value->value.utf8string;
++ break;
++ }
++ break;
++ case GEN_EMAIL:
++ if (check_type != GEN_EMAIL)
+ continue;
+- }
+- san_present = 1;
+- if (check_type == GEN_EMAIL)
+ cstr = gen->d.rfc822Name;
+- else if (check_type == GEN_DNS)
++ break;
++ case GEN_DNS:
++ if (check_type != GEN_DNS)
++ continue;
+ cstr = gen->d.dNSName;
+- else
++ break;
++ case GEN_IPADD:
++ if (check_type != GEN_IPADD)
++ continue;
+ cstr = gen->d.iPAddress;
++ break;
++ }
++ san_present = 1;
+ /* Positive on success, negative on error! */
+ if ((rv = do_check_string(cstr, alt_type, equal, flags,
+ chk, chklen, peername)) != 0)
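Review bot: `alt_type = 0;` in the SmtpUTF8Mailbox case writes the variable shared by the whole loop and never restores it, so once one such SAN has been seen every later rfc822Name entry in the same certificate reaches `do_check_string(cstr, alt_type, ...)` with 0 instead of the value set before the loop (presumably V_ASN1_IA5STRING, declared outside the hunk); if do_check_string keys its string-type check on that argument, the outcome now depends on SAN order. A per-entry value avoids it: leave `alt_type` alone and pass `gen->type == GEN_OTHERNAME ? 0 : alt_type` at the call, or declare `int this_type = alt_type;` at the top of the loop body and assign/use that instead. The function and the declaration of alt_type start outside the hunk.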
diff --git a/website/static/security/patches/SA-24:13/openssl.patch.asc b/website/static/security/patches/SA-24:13/openssl.patch.asc
new file mode 100644
index 0000000000..e988d7f69f
--- /dev/null
+++ b/website/static/security/patches/SA-24:13/openssl.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=FSL5
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-24:14/umtx.patch b/website/static/security/patches/SA-24:14/umtx.patch
new file mode 100644
index 0000000000..a59572bc0c
--- /dev/null
+++ b/website/static/security/patches/SA-24:14/umtx.patch
@@ -0,0 +1,232 @@
+--- sys/kern/kern_umtx.c.orig
++++ sys/kern/kern_umtx.c
+@@ -4293,8 +4293,7 @@
+ #define USHM_OBJ_UMTX(o) \
+ ((struct umtx_shm_obj_list *)(&(o)->umtx_data))
+
+-#define USHMF_REG_LINKED 0x0001
+-#define USHMF_OBJ_LINKED 0x0002
++#define USHMF_LINKED 0x0001
+ struct umtx_shm_reg {
+ TAILQ_ENTRY(umtx_shm_reg) ushm_reg_link;
+ LIST_ENTRY(umtx_shm_reg) ushm_obj_link;
+@@ -4335,8 +4334,17 @@
+ static struct task umtx_shm_reg_delfree_task =
+ TASK_INITIALIZER(0, umtx_shm_reg_delfree_tq, NULL);
+
+-static struct umtx_shm_reg *
+-umtx_shm_find_reg_locked(const struct umtx_key *key)
++/*
++ * Returns 0 if a SHM with the passed key is found in the registry, in which
++ * case it is returned through 'oreg'. Otherwise, returns an error among ESRCH
++ * (no corresponding SHM; ESRCH was chosen for compatibility, ENOENT would have
++ * been preferable) or EOVERFLOW (there is a corresponding SHM, but reference
++ * count would overflow, so can't return it), in which case '*oreg' is left
++ * unchanged.
++ */
++static int
++umtx_shm_find_reg_locked(const struct umtx_key *key,
++ struct umtx_shm_reg **const oreg)
+ {
+ struct umtx_shm_reg *reg;
+ struct umtx_shm_reg_head *reg_head;
+@@ -4352,26 +4360,38 @@
+ reg->ushm_key.info.shared.offset ==
+ key->info.shared.offset) {
+ KASSERT(reg->ushm_key.type == TYPE_SHM, ("TYPE_USHM"));
+- KASSERT(reg->ushm_refcnt > 0,
++ KASSERT(reg->ushm_refcnt != 0,
+ ("reg %p refcnt 0 onlist", reg));
+- KASSERT((reg->ushm_flags & USHMF_REG_LINKED) != 0,
++ KASSERT((reg->ushm_flags & USHMF_LINKED) != 0,
+ ("reg %p not linked", reg));
++ /*
++ * Don't let overflow happen, just deny a new reference
++ * (this is additional protection against some reference
++ * count leak, which is known not to be the case at the
++ * time of this writing).
++ */
++ if (__predict_false(reg->ushm_refcnt == UINT_MAX))
++ return (EOVERFLOW);
+ reg->ushm_refcnt++;
+- return (reg);
++ *oreg = reg;
++ return (0);
+ }
+ }
+- return (NULL);
++ return (ESRCH);
+ }
+
+-static struct umtx_shm_reg *
+-umtx_shm_find_reg(const struct umtx_key *key)
++/*
++ * Calls umtx_shm_find_reg_unlocked() under the 'umtx_shm_lock'.
++ */
++static int
++umtx_shm_find_reg(const struct umtx_key *key, struct umtx_shm_reg **const oreg)
+ {
+- struct umtx_shm_reg *reg;
++ int error;
+
+ mtx_lock(&umtx_shm_lock);
+- reg = umtx_shm_find_reg_locked(key);
++ error = umtx_shm_find_reg_locked(key, oreg);
+ mtx_unlock(&umtx_shm_lock);
+- return (reg);
++ return (error);
+ }
+
+ static void
+@@ -4385,42 +4405,49 @@
+ }
+
+ static bool
+-umtx_shm_unref_reg_locked(struct umtx_shm_reg *reg, bool force)
++umtx_shm_unref_reg_locked(struct umtx_shm_reg *reg, bool linked_ref)
+ {
+- bool res;
+-
+ mtx_assert(&umtx_shm_lock, MA_OWNED);
+- KASSERT(reg->ushm_refcnt > 0, ("ushm_reg %p refcnt 0", reg));
+- reg->ushm_refcnt--;
+- res = reg->ushm_refcnt == 0;
+- if (res || force) {
+- if ((reg->ushm_flags & USHMF_REG_LINKED) != 0) {
+- TAILQ_REMOVE(&umtx_shm_registry[reg->ushm_key.hash],
+- reg, ushm_reg_link);
+- reg->ushm_flags &= ~USHMF_REG_LINKED;
+- }
+- if ((reg->ushm_flags & USHMF_OBJ_LINKED) != 0) {
+- LIST_REMOVE(reg, ushm_obj_link);
+- reg->ushm_flags &= ~USHMF_OBJ_LINKED;
+- }
++ KASSERT(reg->ushm_refcnt != 0, ("ushm_reg %p refcnt 0", reg));
++
++ if (linked_ref) {
++ if ((reg->ushm_flags & USHMF_LINKED) == 0)
++ /*
++ * The reference tied to USHMF_LINKED has already been
++ * released concurrently.
++ */
++ return (false);
++
++ TAILQ_REMOVE(&umtx_shm_registry[reg->ushm_key.hash], reg,
++ ushm_reg_link);
++ LIST_REMOVE(reg, ushm_obj_link);
++ reg->ushm_flags &= ~USHMF_LINKED;
+ }
+- return (res);
++
++ reg->ushm_refcnt--;
++ return (reg->ushm_refcnt == 0);
+ }
+
+ static void
+-umtx_shm_unref_reg(struct umtx_shm_reg *reg, bool force)
++umtx_shm_unref_reg(struct umtx_shm_reg *reg, bool linked_ref)
+ {
+ vm_object_t object;
+ bool dofree;
+
+- if (force) {
++ if (linked_ref) {
++ /*
++ * Note: This may be executed multiple times on the same
++ * shared-memory VM object in presence of concurrent callers
++ * because 'umtx_shm_lock' is not held all along in umtx_shm()
++ * and here.
++ */
+ object = reg->ushm_obj->shm_object;
+ VM_OBJECT_WLOCK(object);
+ vm_object_set_flag(object, OBJ_UMTXDEAD);
+ VM_OBJECT_WUNLOCK(object);
+ }
+ mtx_lock(&umtx_shm_lock);
+- dofree = umtx_shm_unref_reg_locked(reg, force);
++ dofree = umtx_shm_unref_reg_locked(reg, linked_ref);
+ mtx_unlock(&umtx_shm_lock);
+ if (dofree)
+ umtx_shm_free_reg(reg);
+@@ -4464,16 +4491,22 @@
+ struct ucred *cred;
+ int error;
+
+- reg = umtx_shm_find_reg(key);
+- if (reg != NULL) {
+- *res = reg;
+- return (0);
++ error = umtx_shm_find_reg(key, res);
++ if (error != ESRCH) {
++ /*
++ * Either no error occured, and '*res' was filled, or EOVERFLOW
++ * was returned, indicating a reference count limit, and we
++ * won't create a duplicate registration. In both cases, we are
++ * done.
++ */
++ return (error);
+ }
++ /* No entry, we will create one. */
++
+ cred = td->td_ucred;
+ if (!chgumtxcnt(cred->cr_ruidinfo, 1, lim_cur(td, RLIMIT_UMTXP)))
+ return (ENOMEM);
+ reg = uma_zalloc(umtx_shm_reg_zone, M_WAITOK | M_ZERO);
+- reg->ushm_refcnt = 1;
+ bcopy(key, ®->ushm_key, sizeof(*key));
+ reg->ushm_obj = shm_alloc(td->td_ucred, O_RDWR, false);
+ reg->ushm_cred = crhold(cred);
+@@ -4483,18 +4516,32 @@
+ return (error);
+ }
+ mtx_lock(&umtx_shm_lock);
+- reg1 = umtx_shm_find_reg_locked(key);
+- if (reg1 != NULL) {
++ /* Re-lookup as 'umtx_shm_lock' has been temporarily released. */
++ error = umtx_shm_find_reg_locked(key, ®1);
++ switch (error) {
++ case 0:
+ mtx_unlock(&umtx_shm_lock);
+ umtx_shm_free_reg(reg);
+ *res = reg1;
+ return (0);
++ case ESRCH:
++ break;
++ default:
++ mtx_unlock(&umtx_shm_lock);
++ umtx_shm_free_reg(reg);
++ return (error);
+ }
+- reg->ushm_refcnt++;
+ TAILQ_INSERT_TAIL(&umtx_shm_registry[key->hash], reg, ushm_reg_link);
+ LIST_INSERT_HEAD(USHM_OBJ_UMTX(key->info.shared.object), reg,
+ ushm_obj_link);
+- reg->ushm_flags = USHMF_REG_LINKED | USHMF_OBJ_LINKED;
++ reg->ushm_flags = USHMF_LINKED;
++ /*
++ * This is one reference for the registry and the list of shared
++ * mutexes referenced by the VM object containing the lock pointer, and
++ * another for the caller, which it will free after use. So, one of
++ * these is tied to the presence of USHMF_LINKED.
++ */
++ reg->ushm_refcnt = 2;
+ mtx_unlock(&umtx_shm_lock);
+ *res = reg;
+ return (0);
+@@ -4553,13 +4600,9 @@
+ if (error != 0)
+ return (error);
+ KASSERT(key.shared == 1, ("non-shared key"));
+- if ((flags & UMTX_SHM_CREAT) != 0) {
+- error = umtx_shm_create_reg(td, &key, ®);
+- } else {
+- reg = umtx_shm_find_reg(&key);
+- if (reg == NULL)
+- error = ESRCH;
+- }
++ error = (flags & UMTX_SHM_CREAT) != 0 ?
++ umtx_shm_create_reg(td, &key, ®) :
++ umtx_shm_find_reg(&key, ®);
+ umtx_key_release(&key);
+ if (error != 0)
+ return (error);
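Review bot: The new block comment on umtx_shm_find_reg says it "Calls umtx_shm_find_reg_unlocked() under the 'umtx_shm_lock'", but the body calls umtx_shm_find_reg_locked() and no _unlocked variant exists in the hunk; change it to `* Calls umtx_shm_find_reg_locked() under the 'umtx_shm_lock'.` and fix `occured` → `occurred` in the umtx_shm_create_reg comment. The refcount rework reads consistently: USHMF_LINKED now owns one of the two initial references and umtx_shm_unref_reg_locked releases it at most once, returning false when a concurrent caller already unlinked. One caveat for anyone applying from this listing rather than the fetched file: the `&reg` tokens appear here as `®` (e.g. `bcopy(key, ®->ushm_key, ...)`), so fetch the patch and verify the detached signature instead of copying from the page. Several of the nested hunks begin inside functions that start outside the view.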
diff --git a/website/static/security/patches/SA-24:14/umtx.patch.asc b/website/static/security/patches/SA-24:14/umtx.patch.asc
new file mode 100644
index 0000000000..231ed349e0
--- /dev/null
+++ b/website/static/security/patches/SA-24:14/umtx.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=N5EI
+-----END PGP SIGNATURE-----