diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index 72324804c6..2d5b3077f7 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -1,2639 +1,2655 @@
# Sort advisories by year, month and day
# $FreeBSD$
+[[advisories]]
+name = "FreeBSD-SA-23:09.pam_krb5"
+date = "2023-08-01"
+
+[[advisories]]
+name = "FreeBSD-SA-23:08.ssh"
+date = "2023-08-01"
+
+[[advisories]]
+name = "FreeBSD-SA-23:07.bhyve"
+date = "2023-08-01"
+
+[[advisories]]
+name = "FreeBSD-SA-23:06.ipv6"
+date = "2023-08-01"
+
[[advisories]]
name = "FreeBSD-SA-23:05.openssh"
date = "2023-06-21"
[[advisories]]
name = "FreeBSD-SA-23:04.pam_krb5"
date = "2023-06-21"
[[advisories]]
name = "FreeBSD-SA-23:03.openssl"
date = "2023-02-16"
[[advisories]]
name = "FreeBSD-SA-23:02.openssh"
date = "2023-02-16"
[[advisories]]
name = "FreeBSD-SA-23:01.geli"
date = "2023-02-08"
[[advisories]]
name = "FreeBSD-SA-22:15.ping"
date = "2022-11-29"
[[advisories]]
name = "FreeBSD-SA-22:14.heimdal"
date = "2022-11-15"
[[advisories]]
name = "FreeBSD-SA-22:13.zlib"
date = "2022-08-30"
[[advisories]]
name = "FreeBSD-SA-22:12.lib9p"
date = "2022-08-09"
[[advisories]]
name = "FreeBSD-SA-22:11.vm"
date = "2022-08-09"
[[advisories]]
name = "FreeBSD-SA-22:10.aio"
date = "2022-08-09"
[[advisories]]
name = "FreeBSD-SA-22:09.elf"
date = "2022-08-09"
[[advisories]]
name = "FreeBSD-SA-22:08.zlib"
date = "2022-04-06"
[[advisories]]
name = "FreeBSD-SA-22:07.wifi_meshid"
date = "2022-04-06"
[[advisories]]
name = "FreeBSD-SA-22:06.ioctl"
date = "2022-04-06"
[[advisories]]
name = "FreeBSD-SA-22:05.bhyve"
date = "2022-04-06"
[[advisories]]
name = "FreeBSD-SA-22:04.netmap"
date = "2022-04-06"
[[advisories]]
name = "FreeBSD-SA-22:03.openssl"
date = "2022-03-15"
[[advisories]]
name = "FreeBSD-SA-22:02.wifi"
date = "2022-03-15"
[[advisories]]
name = "FreeBSD-SA-22:01.vt"
date = "2022-01-11"
[[advisories]]
name = "FreeBSD-SA-21:17.openssl"
date = "2021-08-24"
[[advisories]]
name = "FreeBSD-SA-21:16.openssl"
date = "2021-08-24"
[[advisories]]
name = "FreeBSD-SA-21:15.libfetch"
date = "2021-08-24"
[[advisories]]
name = "FreeBSD-SA-21:14.ggatec"
date = "2021-08-24"
[[advisories]]
name = "FreeBSD-SA-21:13.bhyve"
date = "2021-08-24"
[[advisories]]
name = "FreeBSD-SA-21:12.libradius"
date = "2021-05-26"
[[advisories]]
name = "FreeBSD-SA-21:11.smap"
date = "2021-05-26"
[[advisories]]
name = "FreeBSD-SA-21:10.jail_mount"
date = "2021-04-06"
[[advisories]]
name = "FreeBSD-SA-21:09.accept_filter"
date = "2021-04-06"
[[advisories]]
name = "FreeBSD-SA-21:08.vm"
date = "2021-04-06"
[[advisories]]
name = "FreeBSD-SA-21:07.openssl"
date = "2021-03-25"
[[advisories]]
name = "FreeBSD-SA-21:06.xen"
date = "2021-02-24"
[[advisories]]
name = "FreeBSD-SA-21:05.jail_chdir"
date = "2021-02-24"
[[advisories]]
name = "FreeBSD-SA-21:04.jail_remove"
date = "2021-02-24"
[[advisories]]
name = "FreeBSD-SA-21:03.pam_login_access"
date = "2021-02-24"
[[advisories]]
name = "FreeBSD-SA-21:02.xenoom"
date = "2021-01-29"
[[advisories]]
name = "FreeBSD-SA-21:01.fsdisclosure"
date = "2021-01-29"
[[advisories]]
name = "FreeBSD-SA-20:33.openssl"
date = "2020-12-08"
[[advisories]]
name = "FreeBSD-SA-20:32.rtsold"
date = "2020-12-01"
[[advisories]]
name = "FreeBSD-SA-20:31.icmp6"
date = "2020-12-01"
[[advisories]]
name = "FreeBSD-SA-20:30.ftpd"
date = "2020-09-15"
[[advisories]]
name = "FreeBSD-SA-20:29.bhyve_svm"
date = "2020-09-15"
[[advisories]]
name = "FreeBSD-SA-20:28.bhyve_vmcs"
date = "2020-09-15"
[[advisories]]
name = "FreeBSD-SA-20:27.ure"
date = "2020-09-15"
[[advisories]]
name = "FreeBSD-SA-20:26.dhclient"
date = "2020-09-02"
[[advisories]]
name = "FreeBSD-SA-20:25.sctp"
date = "2020-09-02"
[[advisories]]
name = "FreeBSD-SA-20:24.ipv6"
date = "2020-09-02"
[[advisories]]
name = "FreeBSD-SA-20:23.sendmsg"
date = "2020-08-05"
[[advisories]]
name = "FreeBSD-SA-20:22.sqlite"
date = "2020-08-05"
[[advisories]]
name = "FreeBSD-SA-20:21.usb_net"
date = "2020-08-05"
[[advisories]]
name = "FreeBSD-SA-20:20.ipv6"
date = "2020-07-08"
[[advisories]]
name = "FreeBSD-SA-20:19.unbound"
date = "2020-07-08"
[[advisories]]
name = "FreeBSD-SA-20:18.posix_spawnp"
date = "2020-07-08"
[[advisories]]
name = "FreeBSD-SA-20:17.usb"
date = "2020-06-09"
[[advisories]]
name = "FreeBSD-SA-20:16.cryptodev"
date = "2020-05-12"
[[advisories]]
name = "FreeBSD-SA-20:15.cryptodev"
date = "2020-05-12"
[[advisories]]
name = "FreeBSD-SA-20:14.sctp"
date = "2020-05-12"
[[advisories]]
name = "FreeBSD-SA-20:13.libalias"
date = "2020-05-12"
[[advisories]]
name = "FreeBSD-SA-20:12.libalias"
date = "2020-05-12"
[[advisories]]
name = "FreeBSD-SA-20:11.openssl"
date = "2020-04-21"
[[advisories]]
name = "FreeBSD-SA-20:10.ipfw"
date = "2020-04-21"
[[advisories]]
name = "FreeBSD-SA-20:09.ntp"
date = "2020-03-19"
[[advisories]]
name = "FreeBSD-SA-20:08.jail"
date = "2020-03-19"
[[advisories]]
name = "FreeBSD-SA-20:07.epair"
date = "2020-03-19"
[[advisories]]
name = "FreeBSD-SA-20:06.if_ixl_ioctl"
date = "2020-03-19"
[[advisories]]
name = "FreeBSD-SA-20:05.if_oce_ioctl"
date = "2020-03-19"
[[advisories]]
name = "FreeBSD-SA-20:04.tcp"
date = "2020-03-19"
[[advisories]]
name = "FreeBSD-SA-20:03.thrmisc"
date = "2020-01-28"
[[advisories]]
name = "FreeBSD-SA-20:02.ipsec"
date = "2020-01-28"
[[advisories]]
name = "FreeBSD-SA-20:01.libfetch"
date = "2020-01-28"
[[advisories]]
name = "FreeBSD-SA-19:26.mcu"
date = "2019-11-12"
[[advisories]]
name = "FreeBSD-SA-19:25.mcepsc"
date = "2019-11-12"
[[advisories]]
name = "FreeBSD-SA-19:24.mqueuefs"
date = "2019-08-20"
[[advisories]]
name = "FreeBSD-SA-19:23.midi"
date = "2019-08-20"
[[advisories]]
name = "FreeBSD-SA-19:22.mbuf"
date = "2019-08-20"
[[advisories]]
name = "FreeBSD-SA-19:21.bhyve"
date = "2019-08-06"
[[advisories]]
name = "FreeBSD-SA-19:20.bsnmp"
date = "2019-08-06"
[[advisories]]
name = "FreeBSD-SA-19:19.mldv2"
date = "2019-08-06"
[[advisories]]
name = "FreeBSD-SA-19:18.bzip2"
date = "2019-08-06"
[[advisories]]
name = "FreeBSD-SA-19:17.fd"
date = "2019-07-24"
[[advisories]]
name = "FreeBSD-SA-19:16.bhyve"
date = "2019-07-24"
[[advisories]]
name = "FreeBSD-SA-19:15.mqueuefs"
date = "2019-07-24"
[[advisories]]
name = "FreeBSD-SA-19:14.freebsd32"
date = "2019-07-24"
[[advisories]]
name = "FreeBSD-SA-19:13.pts"
date = "2019-07-24"
[[advisories]]
name = "FreeBSD-SA-19:12.telnet"
date = "2019-07-24"
[[advisories]]
name = "FreeBSD-SA-19:11.cd_ioctl"
date = "2019-07-02"
[[advisories]]
name = "FreeBSD-SA-19:10.ufs"
date = "2019-07-02"
[[advisories]]
name = "FreeBSD-SA-19:09.iconv"
date = "2019-07-02"
[[advisories]]
name = "FreeBSD-SA-19:08.rack"
date = "2019-06-19"
[[advisories]]
name = "FreeBSD-SA-19:07.mds"
date = "2019-05-14"
[[advisories]]
name = "FreeBSD-SA-19:06.pf"
date = "2019-05-14"
[[advisories]]
name = "FreeBSD-SA-19:05.pf"
date = "2019-05-14"
[[advisories]]
name = "FreeBSD-SA-19:04.ntp"
date = "2019-05-14"
[[advisories]]
name = "FreeBSD-SA-19:03.wpa"
date = "2019-05-14"
[[advisories]]
name = "FreeBSD-SA-19:02.fd"
date = "2019-02-05"
[[advisories]]
name = "FreeBSD-SA-19:01.syscall"
date = "2019-02-05"
[[advisories]]
name = "FreeBSD-SA-18:15.bootpd"
date = "2018-12-19"
[[advisories]]
name = "FreeBSD-SA-18:14.bhyve"
date = "2018-12-04"
[[advisories]]
name = "FreeBSD-SA-18:13.nfs"
date = "2018-11-27"
[[advisories]]
name = "FreeBSD-SA-18:12.elf"
date = "2018-09-12"
[[advisories]]
name = "FreeBSD-SA-18:11.hostapd"
date = "2018-08-14"
[[advisories]]
name = "FreeBSD-SA-18:10.ip"
date = "2018-08-14"
[[advisories]]
name = "FreeBSD-SA-18:09.l1tf"
date = "2018-08-14"
[[advisories]]
name = "FreeBSD-SA-18:08.tcp"
date = "2018-08-06"
[[advisories]]
name = "FreeBSD-SA-18:07.lazyfpu"
date = "2018-06-21"
[[advisories]]
name = "FreeBSD-SA-18:06.debugreg"
date = "2018-05-08"
[[advisories]]
name = "FreeBSD-SA-18:05.ipsec"
date = "2018-04-04"
[[advisories]]
name = "FreeBSD-SA-18:04.vt"
date = "2018-04-04"
[[advisories]]
name = "FreeBSD-SA-18:03.speculative_execution"
date = "2018-03-14"
[[advisories]]
name = "FreeBSD-SA-18:02.ntp"
date = "2018-03-07"
[[advisories]]
name = "FreeBSD-SA-18:01.ipsec"
date = "2018-03-07"
[[advisories]]
name = "FreeBSD-SA-17:12.openssl"
date = "2017-12-09"
[[advisories]]
name = "FreeBSD-SA-17:11.openssl"
date = "2017-11-29"
[[advisories]]
name = "FreeBSD-SA-17:10.kldstat"
date = "2017-11-15"
[[advisories]]
name = "FreeBSD-SA-17:09.shm"
date = "2017-11-15"
[[advisories]]
name = "FreeBSD-SA-17:08.ptrace"
date = "2017-11-15"
[[advisories]]
name = "FreeBSD-SA-17:07.wpa"
date = "2017-10-17"
[[advisories]]
name = "FreeBSD-SA-17:06.openssh"
date = "2017-08-10"
[[advisories]]
name = "FreeBSD-SA-17:05.heimdal"
date = "2017-07-12"
[[advisories]]
name = "FreeBSD-SA-17:04.ipfilter"
date = "2017-04-27"
[[advisories]]
name = "FreeBSD-SA-17:03.ntp"
date = "2017-04-12"
[[advisories]]
name = "FreeBSD-SA-17:02.openssl"
date = "2017-02-23"
[[advisories]]
name = "FreeBSD-SA-17:01.openssh"
date = "2017-01-11"
[[advisories]]
name = "FreeBSD-SA-16:39.ntp"
date = "2016-12-22"
[[advisories]]
name = "FreeBSD-SA-16:38.bhyve"
date = "2016-12-06"
[[advisories]]
name = "FreeBSD-SA-16:37.libc"
date = "2016-12-06"
[[advisories]]
name = "FreeBSD-SA-16:36.telnetd"
date = "2016-12-06"
[[advisories]]
name = "FreeBSD-SA-16:35.openssl"
date = "2016-11-02"
[[advisories]]
name = "FreeBSD-SA-16:34.bind"
date = "2016-11-02"
[[advisories]]
name = "FreeBSD-SA-16:33.openssh"
date = "2016-11-02"
[[advisories]]
name = "FreeBSD-SA-16:32.bhyve"
date = "2016-10-25"
[[advisories]]
name = "FreeBSD-SA-16:31.libarchive"
date = "2016-10-10"
[[advisories]]
name = "FreeBSD-SA-16:30.portsnap"
date = "2016-10-10"
[[advisories]]
name = "FreeBSD-SA-16:29.bspatch"
date = "2016-10-10"
[[advisories]]
name = "FreeBSD-SA-16:28.bind"
date = "2016-10-10"
[[advisories]]
name = "FreeBSD-SA-16:27.openssl"
date = "2016-10-10"
[[advisories]]
name = "FreeBSD-SA-16:26.openssl"
date = "2016-09-23"
[[advisories]]
name = "FreeBSD-SA-16:25.bspatch"
date = "2016-07-25"
[[advisories]]
name = "FreeBSD-SA-16:24.ntp"
date = "2016-06-04"
[[advisories]]
name = "FreeBSD-SA-16:23.libarchive"
date = "2016-05-31"
[[advisories]]
name = "FreeBSD-SA-16:22.libarchive"
date = "2016-05-31"
[[advisories]]
name = "FreeBSD-SA-16:21.43bsd"
date = "2016-05-31"
[[advisories]]
name = "FreeBSD-SA-16:20.linux"
date = "2016-05-31"
[[advisories]]
name = "FreeBSD-SA-16:19.sendmsg"
date = "2016-05-17"
[[advisories]]
name = "FreeBSD-SA-16:18.atkbd"
date = "2016-05-17"
[[advisories]]
name = "FreeBSD-SA-16:17.openssl"
date = "2016-05-04"
[[advisories]]
name = "FreeBSD-SA-16:16.ntp"
date = "2016-04-29"
[[advisories]]
name = "FreeBSD-SA-16:15.sysarch"
date = "2016-03-16"
[[advisories]]
name = "FreeBSD-SA-16:14.openssh"
date = "2016-03-16"
[[advisories]]
name = "FreeBSD-SA-16:13.bind"
date = "2016-03-10"
[[advisories]]
name = "FreeBSD-SA-16:12.openssl"
date = "2016-03-10"
[[advisories]]
name = "FreeBSD-SA-16:11.openssl"
date = "2016-01-30"
[[advisories]]
name = "FreeBSD-SA-16:10.linux"
date = "2016-01-27"
[[advisories]]
name = "FreeBSD-SA-16:09.ntp"
date = "2016-01-27"
[[advisories]]
name = "FreeBSD-SA-16:08.bind"
date = "2016-01-27"
[[advisories]]
name = "FreeBSD-SA-16:07.openssh"
date = "2016-01-14"
[[advisories]]
name = "FreeBSD-SA-16:06.bsnmpd"
date = "2016-01-14"
[[advisories]]
name = "FreeBSD-SA-16:05.tcp"
date = "2016-01-14"
[[advisories]]
name = "FreeBSD-SA-16:04.linux"
date = "2016-01-14"
[[advisories]]
name = "FreeBSD-SA-16:03.linux"
date = "2016-01-14"
[[advisories]]
name = "FreeBSD-SA-16:02.ntp"
date = "2016-01-14"
[[advisories]]
name = "FreeBSD-SA-16:01.sctp"
date = "2016-01-14"
[[advisories]]
name = "FreeBSD-SA-15:27.bind"
date = "2015-12-16"
[[advisories]]
name = "FreeBSD-SA-15:26.openssl"
date = "2015-12-06"
[[advisories]]
name = "FreeBSD-SA-15:25.ntp"
date = "2015-10-26"
[[advisories]]
name = "FreeBSD-SA-15:24.rpcbind"
date = "2015-09-29"
[[advisories]]
name = "FreeBSD-SA-15:23.bind"
date = "2015-09-02"
[[advisories]]
name = "FreeBSD-SA-15:22.openssh"
date = "2015-08-25"
[[advisories]]
name = "FreeBSD-SA-15:21.amd64"
date = "2015-08-25"
[[advisories]]
name = "FreeBSD-SA-15:20.expat"
date = "2015-08-18"
[[advisories]]
name = "FreeBSD-SA-15:19.routed"
date = "2015-08-05"
[[advisories]]
name = "FreeBSD-SA-15:18.bsdpatch"
date = "2015-08-05"
[[advisories]]
name = "FreeBSD-SA-15:17.bind"
date = "2015-07-28"
[[advisories]]
name = "FreeBSD-SA-15:16.openssh"
date = "2015-07-28"
[[advisories]]
name = "FreeBSD-SA-15:15.tcp"
date = "2015-07-28"
[[advisories]]
name = "FreeBSD-SA-15:14.bsdpatch"
date = "2015-07-28"
[[advisories]]
name = "FreeBSD-SA-15:13.tcp"
date = "2015-07-21"
[[advisories]]
name = "FreeBSD-SA-15:12.openssl"
date = "2015-07-09"
[[advisories]]
name = "FreeBSD-SA-15:11.bind"
date = "2015-07-07"
[[advisories]]
name = "FreeBSD-SA-15:10.openssl"
date = "2015-06-12"
[[advisories]]
name = "FreeBSD-SA-15:09.ipv6"
date = "2015-04-07"
[[advisories]]
name = "FreeBSD-SA-15:08.bsdinstall"
date = "2015-04-07"
[[advisories]]
name = "FreeBSD-SA-15:07.ntp"
date = "2015-04-07"
[[advisories]]
name = "FreeBSD-SA-15:06.openssl"
date = "2015-03-19"
[[advisories]]
name = "FreeBSD-SA-15:05.bind"
date = "2015-02-25"
[[advisories]]
name = "FreeBSD-SA-15:04.igmp"
date = "2015-02-25"
[[advisories]]
name = "FreeBSD-SA-15:03.sctp"
date = "2015-01-27"
[[advisories]]
name = "FreeBSD-SA-15:02.kmem"
date = "2015-01-27"
[[advisories]]
name = "FreeBSD-SA-15:01.openssl"
date = "2015-01-14"
[[advisories]]
name = "FreeBSD-SA-14:31.ntp"
date = "2014-12-23"
[[advisories]]
name = "FreeBSD-SA-14:30.unbound"
date = "2014-12-17"
[[advisories]]
name = "FreeBSD-SA-14:29.bind"
date = "2014-12-10"
[[advisories]]
name = "FreeBSD-SA-14:28.file"
date = "2014-12-10"
[[advisories]]
name = "FreeBSD-SA-14:27.stdio"
date = "2014-12-10"
[[advisories]]
name = "FreeBSD-SA-14:26.ftp"
date = "2014-11-04"
[[advisories]]
name = "FreeBSD-SA-14:25.setlogin"
date = "2014-11-04"
[[advisories]]
name = "FreeBSD-SA-14:24.sshd"
date = "2014-11-04"
[[advisories]]
name = "FreeBSD-SA-14:23.openssl"
date = "2014-10-21"
[[advisories]]
name = "FreeBSD-SA-14:22.namei"
date = "2014-10-21"
[[advisories]]
name = "FreeBSD-SA-14:21.routed"
date = "2014-10-21"
[[advisories]]
name = "FreeBSD-SA-14:20.rtsold"
date = "2014-10-21"
[[advisories]]
name = "FreeBSD-SA-14:19.tcp"
date = "2014-09-16"
[[advisories]]
name = "FreeBSD-SA-14:18.openssl"
date = "2014-09-09"
[[advisories]]
name = "FreeBSD-SA-14:17.kmem"
date = "2014-07-08"
[[advisories]]
name = "FreeBSD-SA-14:16.file"
date = "2014-06-24"
[[advisories]]
name = "FreeBSD-SA-14:15.iconv"
date = "2014-06-24"
[[advisories]]
name = "FreeBSD-SA-14:14.openssl"
date = "2014-06-05"
[[advisories]]
name = "FreeBSD-SA-14:13.pam"
date = "2014-06-03"
[[advisories]]
name = "FreeBSD-SA-14:12.ktrace"
date = "2014-06-03"
[[advisories]]
name = "FreeBSD-SA-14:11.sendmail"
date = "2014-06-03"
[[advisories]]
name = "FreeBSD-SA-14:10.openssl"
date = "2014-05-13"
[[advisories]]
name = "FreeBSD-SA-14:09.openssl"
date = "2014-04-30"
[[advisories]]
name = "FreeBSD-SA-14:08.tcp"
date = "2014-04-30"
[[advisories]]
name = "FreeBSD-SA-14:07.devfs"
date = "2014-04-30"
[[advisories]]
name = "FreeBSD-SA-14:06.openssl"
date = "2014-04-08"
[[advisories]]
name = "FreeBSD-SA-14:05.nfsserver"
date = "2014-04-08"
[[advisories]]
name = "FreeBSD-SA-14:04.bind"
date = "2014-01-14"
[[advisories]]
name = "FreeBSD-SA-14:03.openssl"
date = "2014-01-14"
[[advisories]]
name = "FreeBSD-SA-14:02.ntpd"
date = "2014-01-14"
[[advisories]]
name = "FreeBSD-SA-14:01.bsnmpd"
date = "2014-01-14"
[[advisories]]
name = "FreeBSD-SA-13:14.openssh"
date = "2013-11-19"
[[advisories]]
name = "FreeBSD-SA-13:13.nullfs"
date = "2013-09-10"
[[advisories]]
name = "FreeBSD-SA-13:12.ifioctl"
date = "2013-09-10"
[[advisories]]
name = "FreeBSD-SA-13:11.sendfile"
date = "2013-09-10"
[[advisories]]
name = "FreeBSD-SA-13:10.sctp"
date = "2013-08-22"
[[advisories]]
name = "FreeBSD-SA-13:09.ip_multicast"
date = "2013-08-22"
[[advisories]]
name = "FreeBSD-SA-13:08.nfsserver"
date = "2013-07-26"
[[advisories]]
name = "FreeBSD-SA-13:07.bind"
date = "2013-07-26"
[[advisories]]
name = "FreeBSD-SA-13:06.mmap"
date = "2013-06-18"
[[advisories]]
name = "FreeBSD-SA-13:05.nfsserver"
date = "2013-04-29"
[[advisories]]
name = "FreeBSD-SA-13:04.bind"
date = "2013-04-02"
[[advisories]]
name = "FreeBSD-SA-13:03.openssl"
date = "2013-04-02"
[[advisories]]
name = "FreeBSD-SA-13:02.libc"
date = "2013-02-19"
[[advisories]]
name = "FreeBSD-SA-13:01.bind"
date = "2013-02-19"
[[advisories]]
name = "FreeBSD-SA-12:08.linux"
date = "2012-11-22"
[[advisories]]
name = "FreeBSD-SA-12:07.hostapd"
date = "2012-11-22"
[[advisories]]
name = "FreeBSD-SA-12:06.bind"
date = "2012-11-22"
[[advisories]]
name = "FreeBSD-SA-12:05.bind"
date = "2012-08-06"
[[advisories]]
name = "FreeBSD-SA-12:04.sysret"
date = "2012-06-12"
[[advisories]]
name = "FreeBSD-SA-12:03.bind"
date = "2012-06-12"
[[advisories]]
name = "FreeBSD-SA-12:02.crypt"
date = "2012-05-30"
[[advisories]]
name = "FreeBSD-SA-12:01.openssl"
date = "2012-05-30"
[[advisories]]
name = "FreeBSD-SA-11:10.pam"
date = "2011-12-23"
[[advisories]]
name = "FreeBSD-SA-11:09.pam_ssh"
date = "2011-12-23"
[[advisories]]
name = "FreeBSD-SA-11:08.telnetd"
date = "2011-12-23"
[[advisories]]
name = "FreeBSD-SA-11:07.chroot"
date = "2011-12-23"
[[advisories]]
name = "FreeBSD-SA-11:06.bind"
date = "2011-12-23"
[[advisories]]
name = "FreeBSD-SA-11:05.unix"
date = "2011-09-28"
[[advisories]]
name = "FreeBSD-SA-11:04.compress"
date = "2011-09-28"
[[advisories]]
name = "FreeBSD-SA-11:03.bind"
date = "2011-09-28"
[[advisories]]
name = "FreeBSD-SA-11:02.bind"
date = "2011-05-28"
[[advisories]]
name = "FreeBSD-SA-11:01.mountd"
date = "2011-04-20"
[[advisories]]
name = "FreeBSD-SA-10:10.openssl"
date = "2010-11-29"
[[advisories]]
name = "FreeBSD-SA-10:09.pseudofs"
date = "2010-11-10"
[[advisories]]
name = "FreeBSD-SA-10:08.bzip2"
date = "2010-09-20"
[[advisories]]
name = "FreeBSD-SA-10:07.mbuf"
date = "2010-07-13"
[[advisories]]
name = "FreeBSD-SA-10:06.nfsclient"
date = "2010-05-27"
[[advisories]]
name = "FreeBSD-SA-10:05.opie"
date = "2010-05-27"
[[advisories]]
name = "FreeBSD-SA-10:04.jail"
date = "2010-05-27"
[[advisories]]
name = "FreeBSD-SA-10:03.zfs"
date = "2010-01-06"
[[advisories]]
name = "FreeBSD-SA-10:02.ntpd"
date = "2010-01-06"
[[advisories]]
name = "FreeBSD-SA-10:01.bind"
date = "2010-01-06"
[[advisories]]
name = "FreeBSD-SA-09:17.freebsd-update"
date = "2009-12-03"
[[advisories]]
name = "FreeBSD-SA-09:16.rtld"
date = "2009-12-03"
[[advisories]]
name = "FreeBSD-SA-09:15.ssl"
date = "2009-12-03"
[[advisories]]
name = "FreeBSD-SA-09:14.devfs"
date = "2009-10-02"
[[advisories]]
name = "FreeBSD-SA-09:13.pipe"
date = "2009-10-02"
[[advisories]]
name = "FreeBSD-SA-09:12.bind"
date = "2009-07-29"
[[advisories]]
name = "FreeBSD-SA-09:11.ntpd"
date = "2009-06-10"
[[advisories]]
name = "FreeBSD-SA-09:10.ipv6"
date = "2009-06-10"
[[advisories]]
name = "FreeBSD-SA-09:09.pipe"
date = "2009-06-10"
[[advisories]]
name = "FreeBSD-SA-09:08.openssl"
date = "2009-04-22"
[[advisories]]
name = "FreeBSD-SA-09:07.libc"
date = "2009-04-22"
[[advisories]]
name = "FreeBSD-SA-09:06.ktimer"
date = "2009-03-23"
[[advisories]]
name = "FreeBSD-SA-09:05.telnetd"
date = "2009-02-16"
[[advisories]]
name = "FreeBSD-SA-09:04.bind"
date = "2009-01-13"
[[advisories]]
name = "FreeBSD-SA-09:03.ntpd"
date = "2009-01-13"
[[advisories]]
name = "FreeBSD-SA-09:02.openssl"
date = "2009-01-07"
[[advisories]]
name = "FreeBSD-SA-09:01.lukemftpd"
date = "2009-01-07"
[[advisories]]
name = "FreeBSD-SA-08:13.protosw"
date = "2008-12-23"
[[advisories]]
name = "FreeBSD-SA-08:12.ftpd"
date = "2008-12-23"
[[advisories]]
name = "FreeBSD-SA-08:11.arc4random"
date = "2008-11-24"
[[advisories]]
name = "FreeBSD-SA-08:10.nd6"
date = "2008-10-02"
[[advisories]]
name = "FreeBSD-SA-08:09.icmp6"
date = "2008-09-03"
[[advisories]]
name = "FreeBSD-SA-08:08.nmount"
date = "2008-09-03"
[[advisories]]
name = "FreeBSD-SA-08:07.amd64"
date = "2008-09-03"
[[advisories]]
name = "FreeBSD-SA-08:06.bind"
date = "2008-07-13"
[[advisories]]
name = "FreeBSD-SA-08:05.openssh"
date = "2008-04-17"
[[advisories]]
name = "FreeBSD-SA-08:04.ipsec"
date = "2008-02-14"
[[advisories]]
name = "FreeBSD-SA-08:03.sendfile"
date = "2008-02-14"
[[advisories]]
name = "FreeBSD-SA-08:02.libc"
date = "2008-01-14"
[[advisories]]
name = "FreeBSD-SA-08:01.pty"
date = "2008-01-14"
[[advisories]]
name = "FreeBSD-SA-07:10.gtar"
date = "2007-11-29"
[[advisories]]
name = "FreeBSD-SA-07:09.random"
date = "2007-11-29"
[[advisories]]
name = "FreeBSD-SA-07:08.openssl"
date = "2007-10-03"
[[advisories]]
name = "FreeBSD-SA-07:07.bind"
date = "2007-08-01"
[[advisories]]
name = "FreeBSD-SA-07:06.tcpdump"
date = "2007-08-01"
[[advisories]]
name = "FreeBSD-SA-07:05.libarchive"
date = "2007-07-12"
[[advisories]]
name = "FreeBSD-SA-07:04.file"
date = "2007-05-23"
[[advisories]]
name = "FreeBSD-SA-07:03.ipv6"
date = "2007-04-26"
[[advisories]]
name = "FreeBSD-SA-07:02.bind"
date = "2007-02-09"
[[advisories]]
name = "FreeBSD-SA-07:01.jail"
date = "2007-01-11"
[[advisories]]
name = "FreeBSD-SA-06:26.gtar"
date = "2006-12-06"
[[advisories]]
name = "FreeBSD-SA-06:25.kmem"
date = "2006-12-06"
[[advisories]]
name = "FreeBSD-SA-06:24.libarchive"
date = "2006-11-08"
[[advisories]]
name = "FreeBSD-SA-06:22.openssh"
date = "2006-09-30"
[[advisories]]
name = "FreeBSD-SA-06:23.openssl"
date = "2006-09-28"
[[advisories]]
name = "FreeBSD-SA-06:21.gzip"
date = "2006-09-19"
[[advisories]]
name = "FreeBSD-SA-06:20.bind"
date = "2006-09-06"
[[advisories]]
name = "FreeBSD-SA-06:19.openssl"
date = "2006-09-06"
[[advisories]]
name = "FreeBSD-SA-06:18.ppp"
date = "2006-08-23"
[[advisories]]
name = "FreeBSD-SA-06:17.sendmail"
date = "2006-06-14"
[[advisories]]
name = "FreeBSD-SA-06:16.smbfs"
date = "2006-05-31"
[[advisories]]
name = "FreeBSD-SA-06:15.ypserv"
date = "2006-05-31"
[[advisories]]
name = "FreeBSD-SA-06:14.fpu"
date = "2006-04-19"
[[advisories]]
name = "FreeBSD-SA-06:13.sendmail"
date = "2006-03-22"
[[advisories]]
name = "FreeBSD-SA-06:12.opie"
date = "2006-03-22"
[[advisories]]
name = "FreeBSD-SA-06:11.ipsec"
date = "2006-03-22"
[[advisories]]
name = "FreeBSD-SA-06:10.nfs"
date = "2006-03-01"
[[advisories]]
name = "FreeBSD-SA-06:09.openssh"
date = "2006-03-01"
[[advisories]]
name = "FreeBSD-SA-06:08.sack"
date = "2006-02-01"
[[advisories]]
name = "FreeBSD-SA-06:07.pf"
date = "2006-01-25"
[[advisories]]
name = "FreeBSD-SA-06:06.kmem"
date = "2006-01-25"
[[advisories]]
name = "FreeBSD-SA-06:05.80211"
date = "2006-01-18"
[[advisories]]
name = "FreeBSD-SA-06:04.ipfw"
date = "2006-01-11"
[[advisories]]
name = "FreeBSD-SA-06:03.cpio"
date = "2006-01-11"
[[advisories]]
name = "FreeBSD-SA-06:02.ee"
date = "2006-01-11"
[[advisories]]
name = "FreeBSD-SA-06:01.texindex"
date = "2006-01-11"
[[advisories]]
name = "FreeBSD-SA-05:21.openssl"
date = "2005-10-11"
[[advisories]]
name = "FreeBSD-SA-05:20.cvsbug"
date = "2005-09-07"
[[advisories]]
name = "FreeBSD-SA-05:19.ipsec"
date = "2005-07-27"
[[advisories]]
name = "FreeBSD-SA-05:18.zlib"
date = "2005-07-27"
[[advisories]]
name = "FreeBSD-SA-05:17.devfs"
date = "2005-07-20"
[[advisories]]
name = "FreeBSD-SA-05:16.zlib"
date = "2005-07-06"
[[advisories]]
name = "FreeBSD-SA-05:15.tcp"
date = "2005-06-29"
[[advisories]]
name = "FreeBSD-SA-05:14.bzip2"
date = "2005-06-29"
[[advisories]]
name = "FreeBSD-SA-05:13.ipfw"
date = "2005-06-29"
[[advisories]]
name = "FreeBSD-SA-05:12.bind9"
date = "2005-06-09"
[[advisories]]
name = "FreeBSD-SA-05:11.gzip"
date = "2005-06-09"
[[advisories]]
name = "FreeBSD-SA-05:10.tcpdump"
date = "2005-06-09"
[[advisories]]
name = "FreeBSD-SA-05:09.htt"
date = "2005-05-13"
[[advisories]]
name = "FreeBSD-SA-05:08.kmem"
date = "2005-05-06"
[[advisories]]
name = "FreeBSD-SA-05:07.ldt"
date = "2005-05-06"
[[advisories]]
name = "FreeBSD-SA-05:06.iir"
date = "2005-05-06"
[[advisories]]
name = "FreeBSD-SA-05:05.cvs"
date = "2005-04-22"
[[advisories]]
name = "FreeBSD-SA-05:04.ifconf"
date = "2005-04-15"
[[advisories]]
name = "FreeBSD-SA-05:03.amd64"
date = "2005-04-06"
[[advisories]]
name = "FreeBSD-SA-05:02.sendfile"
date = "2005-04-04"
[[advisories]]
name = "FreeBSD-SA-05:01.telnet"
date = "2005-03-28"
[[advisories]]
name = "FreeBSD-SA-04:17.procfs"
date = "2004-12-01"
[[advisories]]
name = "FreeBSD-SA-04:16.fetch"
date = "2004-11-18"
[[advisories]]
name = "FreeBSD-SA-04:15.syscons"
date = "2004-10-04"
[[advisories]]
name = "FreeBSD-SA-04:14.cvs"
date = "2004-09-19"
[[advisories]]
name = "FreeBSD-SA-04:13.linux"
date = "2004-06-30"
[[advisories]]
name = "FreeBSD-SA-04:12.jailroute"
date = "2004-06-07"
[[advisories]]
name = "FreeBSD-SA-04:11.msync"
date = "2004-05-19"
[[advisories]]
name = "FreeBSD-SA-04:10.cvs"
date = "2004-05-19"
[[advisories]]
name = "FreeBSD-SA-04:09.kadmind"
date = "2004-05-05"
[[advisories]]
name = "FreeBSD-SA-04:08.heimdal"
date = "2004-05-05"
[[advisories]]
name = "FreeBSD-SA-04:07.cvs"
date = "2004-04-15"
[[advisories]]
name = "FreeBSD-SA-04:06.ipv6"
date = "2004-03-29"
[[advisories]]
name = "FreeBSD-SA-04:05.openssl"
date = "2004-03-17"
[[advisories]]
name = "FreeBSD-SA-04:04.tcp"
date = "2004-03-02"
[[advisories]]
name = "FreeBSD-SA-04:03.jail"
date = "2004-02-25"
[[advisories]]
name = "FreeBSD-SA-04:02.shmat"
date = "2004-02-05"
[[advisories]]
name = "FreeBSD-SA-04:01.mksnap_ffs"
date = "2004-01-30"
[[advisories]]
name = "FreeBSD-SA-03:19.bind"
date = "2003-11-28"
[[advisories]]
name = "FreeBSD-SA-03:15.openssh"
date = "2003-10-05"
[[advisories]]
name = "FreeBSD-SA-03:18.openssl"
date = "2003-10-03"
[[advisories]]
name = "FreeBSD-SA-03:17.procfs"
date = "2003-10-03"
[[advisories]]
name = "FreeBSD-SA-03:16.filedesc"
date = "2003-10-02"
[[advisories]]
name = "FreeBSD-SA-03:14.arp"
date = "2003-09-23"
[[advisories]]
name = "FreeBSD-SA-03:13.sendmail"
date = "2003-09-17"
[[advisories]]
name = "FreeBSD-SA-03:12.openssh"
date = "2003-09-16"
[[advisories]]
name = "FreeBSD-SA-03:11.sendmail"
date = "2003-08-26"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1170"
[[advisories]]
name = "FreeBSD-SA-03:10.ibcs2"
date = "2003-08-10"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1164"
[[advisories]]
name = "FreeBSD-SA-03:09.signal"
date = "2003-08-10"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1163"
[[advisories]]
name = "FreeBSD-SA-03:08.realpath"
date = "2003-08-03"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1158"
[[advisories]]
name = "FreeBSD-SN-03:02"
date = "2003-04-08"
[[advisories]]
name = "FreeBSD-SN-03:01"
date = "2003-04-07"
[[advisories]]
name = "FreeBSD-SA-03:07.sendmail"
date = "2003-03-30"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1122"
[[advisories]]
name = "FreeBSD-SA-03:06.openssl"
date = "2003-03-21"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1118"
[[advisories]]
name = "FreeBSD-SA-03:05.xdr"
date = "2003-03-20"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1117"
[[advisories]]
name = "FreeBSD-SA-03:04.sendmail"
date = "2003-03-03"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1112"
[[advisories]]
name = "FreeBSD-SA-03:03.syncookies"
date = "2003-02-24"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1106"
[[advisories]]
name = "FreeBSD-SA-03:02.openssl"
date = "2003-02-24"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1105"
[[advisories]]
name = "FreeBSD-SA-03:01.cvs"
date = "2003-02-04"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1100"
[[advisories]]
name = "FreeBSD-SA-02:44.filedesc"
date = "2003-01-07"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1090"
[[advisories]]
name = "FreeBSD-SA-02:43.bind"
date = "2002-11-15"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1084"
[[advisories]]
name = "FreeBSD-SA-02:41.smrsh"
date = "2002-11-15"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1082"
[[advisories]]
name = "FreeBSD-SA-02:42.resolv"
date = "2002-11-12"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1083"
[[advisories]]
name = "FreeBSD-SA-02:40.kadmind"
date = "2002-11-12"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1081"
[[advisories]]
name = "FreeBSD-SN-02:06"
date = "2002-10-10"
[[advisories]]
name = "FreeBSD-SA-02:39.libkvm"
date = "2002-09-16"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1051"
[[advisories]]
name = "FreeBSD-SN-02:05"
date = "2002-08-28"
[[advisories]]
name = "FreeBSD-SA-02:38.signed-error"
date = "2002-08-19"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1041"
[[advisories]]
name = "FreeBSD-SA-02:37.kqueue"
date = "2002-08-05"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1033"
[[advisories]]
name = "FreeBSD-SA-02:36.nfs"
date = "2002-08-05"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1032"
[[advisories]]
name = "FreeBSD-SA-02:35.ffs"
date = "2002-08-05"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1031"
[[advisories]]
name = "FreeBSD-SA-02:33.openssl"
date = "2002-08-05"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1023"
[[advisories]]
name = "FreeBSD-SA-02:34.rpc"
date = "2002-08-01"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1024"
[[advisories]]
name = "FreeBSD-SA-02:32.pppd"
date = "2002-07-31"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1022"
[[advisories]]
name = "FreeBSD-SA-02:31.openssh"
date = "2002-07-15"
[[advisories]]
name = "FreeBSD-SA-02:30.ktrace"
date = "2002-07-12"
[[advisories]]
name = "FreeBSD-SA-02:29.tcpdump"
date = "2002-07-12"
[[advisories]]
name = "FreeBSD-SA-02:28.resolv"
date = "2002-06-26"
[[advisories]]
name = "FreeBSD-SN-02:04"
date = "2002-06-19"
[[advisories]]
name = "FreeBSD-SA-02:27.rc"
date = "2002-05-29"
[[advisories]]
name = "FreeBSD-SA-02:26.accept"
date = "2002-05-29"
[[advisories]]
name = "FreeBSD-SN-02:03"
date = "2002-05-28"
[[advisories]]
name = "FreeBSD-SA-02:25.bzip2"
date = "2002-05-20"
[[advisories]]
name = "FreeBSD-SA-02:24.k5su"
date = "2002-05-20"
[[advisories]]
name = "FreeBSD-SN-02:02"
date = "2002-05-13"
[[advisories]]
name = "FreeBSD-SA-02:23.stdio"
date = "2002-04-22"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1021"
[[advisories]]
name = "FreeBSD-SA-02:22.mmap"
date = "2002-04-18"
[[advisories]]
name = "FreeBSD-SA-02:21.tcpip"
date = "2002-04-17"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/980"
[[advisories]]
name = "FreeBSD-SA-02:20.syncache"
date = "2002-04-16"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/979"
[[advisories]]
name = "FreeBSD-SN-02:01"
date = "2002-03-30"
[[advisories]]
name = "FreeBSD-SA-02:19.squid"
date = "2002-03-26"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/960"
[[advisories]]
name = "FreeBSD-SA-02:18.zlib"
date = "2002-03-18"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/978"
[[advisories]]
name = "FreeBSD-SA-02:17.mod_frontpage"
date = "2002-03-12"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/954"
[[advisories]]
name = "FreeBSD-SA-02:16.netscape"
date = "2002-03-12"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/953"
[[advisories]]
name = "FreeBSD-SA-02:15.cyrus-sasl"
date = "2002-03-12"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/952"
[[advisories]]
name = "FreeBSD-SA-02:14.pam-pgsql"
date = "2002-03-12"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/951"
[[advisories]]
name = "FreeBSD-SA-02:13.openssh"
date = "2002-03-07"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/945"
[[advisories]]
name = "FreeBSD-SA-02:12.squid"
date = "2002-02-21"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/938"
[[advisories]]
name = "FreeBSD-SA-02:11.snmp"
date = "2002-02-12"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/936"
[[advisories]]
name = "FreeBSD-SA-02:10.rsync"
date = "2002-02-06"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/928"
[[advisories]]
name = "FreeBSD-SA-02:09.fstatfs"
date = "2002-02-06"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/927"
[[advisories]]
name = "FreeBSD-SA-02:08.exec"
date = "2002-01-24"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/923"
[[advisories]]
name = "FreeBSD-SA-02:07.k5su"
date = "2002-01-18"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/912"
[[advisories]]
name = "FreeBSD-SA-02:06.sudo"
date = "2002-01-16"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/909"
[[advisories]]
name = "FreeBSD-SA-02:05.pine"
date = "2002-01-04"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/894"
[[advisories]]
name = "FreeBSD-SA-02:04.mutt"
date = "2002-01-04"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/893"
[[advisories]]
name = "FreeBSD-SA-02:03.mod_auth_pgsql"
date = "2002-01-04"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/892"
[[advisories]]
name = "FreeBSD-SA-02:02.pw"
date = "2002-01-04"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/891"
[[advisories]]
name = "FreeBSD-SA-02:01.pkg_add"
date = "2002-01-04"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/898"
[[advisories]]
name = "FreeBSD-SA-01:64.wu-ftpd"
date = "2001-12-04"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/870"
[[advisories]]
name = "FreeBSD-SA-01:63.openssh"
date = "2001-12-02"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/871"
[[advisories]]
name = "FreeBSD-SA-01:62.uucp"
date = "2001-10-08"
[[advisories]]
name = "FreeBSD-SA-01:61.squid"
date = "2001-10-08"
[[advisories]]
name = "FreeBSD-SA-01:60.procmail"
date = "2001-09-24"
[[advisories]]
name = "FreeBSD-SA-01:59.rmuser"
date = "2001-09-04"
[[advisories]]
name = "FreeBSD-SA-01:58.lpd"
date = "2001-08-30"
[[advisories]]
name = "FreeBSD-SA-01:57.sendmail"
date = "2001-08-27"
[[advisories]]
name = "FreeBSD-SA-01:56.tcp_wrappers"
date = "2001-08-23"
[[advisories]]
name = "FreeBSD-SA-01:55.procfs"
date = "2001-08-21"
[[advisories]]
name = "FreeBSD-SA-01:54.ports-telnetd"
date = "2001-08-20"
[[advisories]]
name = "FreeBSD-SA-01:53.ipfw"
date = "2001-08-17"
[[advisories]]
name = "FreeBSD-SA-01:52.fragment"
date = "2001-08-06"
[[advisories]]
name = "FreeBSD-SA-01:51.openssl"
date = "2001-07-30"
[[advisories]]
name = "FreeBSD-SA-01:50.windowmaker"
date = "2001-07-27"
[[advisories]]
name = "FreeBSD-SA-01:49.telnetd"
date = "2001-07-23"
[[advisories]]
name = "FreeBSD-SA-01:48.tcpdump"
date = "2001-07-17"
[[advisories]]
name = "FreeBSD-SA-01:47.xinetd"
date = "2001-07-10"
[[advisories]]
name = "FreeBSD-SA-01:46.w3m"
date = "2001-07-10"
[[advisories]]
name = "FreeBSD-SA-01:45.samba"
date = "2001-07-10"
[[advisories]]
name = "FreeBSD-SA-01:44.gnupg"
date = "2001-07-10"
[[advisories]]
name = "FreeBSD-SA-01:43.fetchmail"
date = "2001-07-10"
[[advisories]]
name = "FreeBSD-SA-01:42.signal"
date = "2001-07-10"
[[advisories]]
name = "FreeBSD-SA-01:41.hanterm"
date = "2001-07-09"
[[advisories]]
name = "FreeBSD-SA-01:40.fts"
date = "2001-06-04"
[[advisories]]
name = "FreeBSD-SA-01:39.tcp-isn"
date = "2001-05-02"
[[advisories]]
name = "FreeBSD-SA-01:38.sudo"
date = "2001-04-23"
[[advisories]]
name = "FreeBSD-SA-01:37.slrn"
date = "2001-04-23"
[[advisories]]
name = "FreeBSD-SA-01:36.samba"
date = "2001-04-23"
[[advisories]]
name = "FreeBSD-SA-01:35.licq"
date = "2001-04-23"
[[advisories]]
name = "FreeBSD-SA-01:34.hylafax"
date = "2001-04-23"
[[advisories]]
name = "FreeBSD-SA-01:33.ftpd-glob"
date = "2001-04-17"
[[advisories]]
name = "FreeBSD-SA-01:32.ipfilter"
date = "2001-04-16"
[[advisories]]
name = "FreeBSD-SA-01:31.ntpd"
date = "2001-04-06"
[[advisories]]
name = "FreeBSD-SA-01:30.ufs-ext2fs"
date = "2001-03-22"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/738"
[[advisories]]
name = "FreeBSD-SA-01:29.rwhod"
date = "2001-03-12"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/732"
[[advisories]]
name = "FreeBSD-SA-01:28.timed"
date = "2001-03-12"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/731"
[[advisories]]
name = "FreeBSD-SA-01:27.cfengine"
date = "2001-03-12"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/730"
[[advisories]]
name = "FreeBSD-SA-01:26.interbase"
date = "2001-03-12"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/729"
[[advisories]]
name = "FreeBSD-SA-01:23.icecast"
date = "2001-03-12"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/728"
[[advisories]]
name = "FreeBSD-SA-01:25.kerberosIV"
date = "2001-02-14"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/716"
[[advisories]]
name = "FreeBSD-SA-01:24.ssh"
date = "2001-02-12"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/715"
[[advisories]]
name = "FreeBSD-SA-01:22.dc20ctrl"
date = "2001-02-07"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/714"
[[advisories]]
name = "FreeBSD-SA-01:21.ja-elvis"
date = "2001-02-07"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/713"
[[advisories]]
name = "FreeBSD-SA-01:20.mars_nwe"
date = "2001-02-07"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/712"
[[advisories]]
name = "FreeBSD-SA-01:19.ja-klock"
date = "2001-02-07"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/707"
[[advisories]]
name = "FreeBSD-SA-01:18.bind"
date = "2001-01-31"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/706"
[[advisories]]
name = "FreeBSD-SA-01:17.exmh"
date = "2001-01-29"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/705"
[[advisories]]
name = "FreeBSD-SA-01:16.mysql"
date = "2001-01-29"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/704"
[[advisories]]
name = "FreeBSD-SA-01:15.tinyproxy"
date = "2001-01-29"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/703"
[[advisories]]
name = "FreeBSD-SA-01:14.micq"
date = "2001-01-29"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/702"
[[advisories]]
name = "FreeBSD-SA-01:13.sort"
date = "2001-01-29"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/701"
[[advisories]]
name = "FreeBSD-SA-01:12.periodic"
date = "2001-01-29"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/700"
[[advisories]]
name = "FreeBSD-SA-01:11.inetd"
date = "2001-01-29"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/699"
[[advisories]]
name = "FreeBSD-SA-01:10.bind"
date = "2001-01-23"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/698"
[[advisories]]
name = "FreeBSD-SA-01:09.crontab"
date = "2001-01-23"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/697"
[[advisories]]
name = "FreeBSD-SA-01:08.ipfw"
date = "2001-01-23"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/696"
[[advisories]]
name = "FreeBSD-SA-01:07.xfree86"
date = "2001-01-23"
[[advisories]]
name = "FreeBSD-SA-01:06.zope"
date = "2001-01-15"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/669"
[[advisories]]
name = "FreeBSD-SA-01:05.stunnel"
date = "2001-01-15"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/668"
[[advisories]]
name = "FreeBSD-SA-01:04.joe"
date = "2001-01-15"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/667"
[[advisories]]
name = "FreeBSD-SA-01:03.bash1"
date = "2001-01-15"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/666"
[[advisories]]
name = "FreeBSD-SA-01:02.syslog-ng"
date = "2001-01-15"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/665"
[[advisories]]
name = "FreeBSD-SA-01:01.openssh"
date = "2001-01-15"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/664"
[[advisories]]
name = "FreeBSD-SA-00:81.ethereal"
date = "2000-12-20"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/651"
[[advisories]]
name = "FreeBSD-SA-00:80.halflifeserver"
date = "2000-12-20"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/650"
[[advisories]]
name = "FreeBSD-SA-00:79.oops"
date = "2000-12-20"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/649"
[[advisories]]
name = "FreeBSD-SA-00:78.bitchx"
date = "2000-12-20"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/648"
[[advisories]]
name = "FreeBSD-SA-00:77.procfs"
date = "2000-12-18"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/647"
[[advisories]]
name = "FreeBSD-SA-00:76.tcsh-csh"
date = "2000-11-20"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/628"
[[advisories]]
name = "FreeBSD-SA-00:75.php"
date = "2000-11-20"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/627"
[[advisories]]
name = "FreeBSD-SA-00:74.gaim"
date = "2000-11-20"
[[advisories]]
name = "FreeBSD-SA-00:73.thttpd"
date = "2000-11-20"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/626"
[[advisories]]
name = "FreeBSD-SA-00:72.curl"
date = "2000-11-20"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/625"
[[advisories]]
name = "FreeBSD-SA-00:71.mgetty"
date = "2000-11-20"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/624"
[[advisories]]
name = "FreeBSD-SA-00:70.ppp-nat"
date = "2000-11-14"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/623"
[[advisories]]
name = "FreeBSD-SA-00:69.telnetd"
date = "2000-11-14"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/622"
[[advisories]]
name = "FreeBSD-SA-00:68.ncurses"
date = "2000-11-13"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/621"
[[advisories]]
name = "FreeBSD-SA-00:67.gnupg"
date = "2000-11-10"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/620"
[[advisories]]
name = "FreeBSD-SA-00:66.netscape"
date = "2000-11-06"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/619"
[[advisories]]
name = "FreeBSD-SA-00:65.xfce"
date = "2000-11-06"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/618"
[[advisories]]
name = "FreeBSD-SA-00:64.global"
date = "2000-11-06"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/617"
[[advisories]]
name = "FreeBSD-SA-00:63.getnameinfo"
date = "2000-11-01"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/589"
[[advisories]]
name = "FreeBSD-SA-00:62.top"
date = "2000-11-01"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/616"
[[advisories]]
name = "FreeBSD-SA-00:61.tcpdump"
date = "2000-10-31"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/615"
[[advisories]]
name = "FreeBSD-SA-00:60.boa"
date = "2000-10-30"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/586"
[[advisories]]
name = "FreeBSD-SA-00:59.pine"
date = "2000-10-30"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/585"
[[advisories]]
name = "FreeBSD-SA-00:58.chpass"
date = "2000-10-30"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/584"
[[advisories]]
name = "FreeBSD-SA-00:57.muh"
date = "2000-10-13"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/570"
[[advisories]]
name = "FreeBSD-SA-00:56.lprng"
date = "2000-10-13"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/569"
[[advisories]]
name = "FreeBSD-SA-00:55.xpdf"
date = "2000-10-13"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/568"
[[advisories]]
name = "FreeBSD-SA-00:54.fingerd"
date = "2000-10-13"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/567"
[[advisories]]
name = "FreeBSD-SA-00:52.tcp-iss"
date = "2000-10-06"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/561"
[[advisories]]
name = "FreeBSD-SA-00:53.catopen"
date = "2000-09-27"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/562"
[[advisories]]
name = "FreeBSD-SA-00:51.mailman"
date = "2000-09-13"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/550"
[[advisories]]
name = "FreeBSD-SA-00:50.listmanager"
date = "2000-09-13"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/549"
[[advisories]]
name = "FreeBSD-SA-00:49.eject"
date = "2000-09-13"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/548"
[[advisories]]
name = "FreeBSD-SA-00:48.xchat"
date = "2000-09-13"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/547"
[[advisories]]
name = "FreeBSD-SA-00:47.pine"
date = "2000-09-13"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/546"
[[advisories]]
name = "FreeBSD-SA-00:46.screen"
date = "2000-09-13"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/545"
[[advisories]]
name = "FreeBSD-SA-00:45.esound"
date = "2000-08-31"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/526"
[[advisories]]
name = "FreeBSD-SA-00:44.xlock"
date = "2000-08-28"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/523"
[[advisories]]
name = "FreeBSD-SA-00:43.brouted"
date = "2000-08-28"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/520"
[[advisories]]
name = "FreeBSD-SA-00:42.linux"
date = "2000-08-28"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/530"
[[advisories]]
name = "FreeBSD-SA-00:41.elf"
date = "2000-08-28"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/527"
[[advisories]]
name = "FreeBSD-SA-00:40.mopd"
date = "2000-08-28"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/521"
[[advisories]]
name = "FreeBSD-SA-00:39.netscape"
date = "2000-08-28"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/528"
[[advisories]]
name = "FreeBSD-SA-00:38.zope"
date = "2000-08-14"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/525"
[[advisories]]
name = "FreeBSD-SA-00:37.cvsweb"
date = "2000-08-14"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/524"
[[advisories]]
name = "FreeBSD-SA-00:36.ntop"
date = "2000-08-14"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/531"
[[advisories]]
name = "FreeBSD-SA-00:35.proftpd"
date = "2000-08-14"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/522"
[[advisories]]
name = "FreeBSD-SA-00:34.dhclient"
date = "2000-08-14"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/529"
[[advisories]]
name = "FreeBSD-SA-00:33.kerberosIV"
date = "2000-07-12"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/488"
[[advisories]]
name = "FreeBSD-SA-00:32.bitchx"
date = "2000-07-05"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/487"
[[advisories]]
name = "FreeBSD-SA-00:31.canna"
date = "2000-07-05"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/486"
[[advisories]]
name = "FreeBSD-SA-00:30.openssh"
date = "2000-07-05"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/485"
[[advisories]]
name = "FreeBSD-SA-00:29.wu-ftpd"
date = "2000-07-05"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/489"
[[advisories]]
name = "FreeBSD-SA-00:28.majordomo"
date = "2000-07-05"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/484"
[[advisories]]
name = "FreeBSD-SA-00:27.XFree86-4"
date = "2000-07-05"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/483"
[[advisories]]
name = "FreeBSD-SA-00:26.popper"
date = "2000-07-05"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/482"
[[advisories]]
name = "FreeBSD-SA-00:24.libedit"
date = "2000-07-05"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/481"
[[advisories]]
name = "FreeBSD-SA-00:23.ip-options"
date = "2000-06-19"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/480"
[[advisories]]
name = "FreeBSD-SA-00:25.alpha-random"
date = "2000-06-12"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/473"
[[advisories]]
name = "FreeBSD-SA-00:22.apsfilter"
date = "2000-06-07"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/461"
[[advisories]]
name = "FreeBSD-SA-00:21.ssh"
date = "2000-06-07"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/459"
[[advisories]]
name = "FreeBSD-SA-00:20.krb5"
date = "2000-05-26"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/452"
[[advisories]]
name = "FreeBSD-SA-00:19.semconfig"
date = "2000-05-23"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/451"
[[advisories]]
name = "FreeBSD-SA-00:18.gnapster.knapster"
date = "2000-05-09"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/429"
[[advisories]]
name = "FreeBSD-SA-00:17.libmytinfo"
date = "2000-05-09"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/442"
[[advisories]]
name = "FreeBSD-SA-00:16.golddig"
date = "2000-05-09"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/439"
[[advisories]]
name = "FreeBSD-SA-00:15.imap-uw"
date = "2000-04-24"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/438"
[[advisories]]
name = "FreeBSD-SA-00:14.imap-uw"
date = "2000-04-24"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/441"
[[advisories]]
name = "FreeBSD-SA-00:13.generic-nqs"
date = "2000-04-19"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/437"
[[advisories]]
name = "FreeBSD-SA-00:12.healthd"
date = "2000-04-10"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/436"
[[advisories]]
name = "FreeBSD-SA-00:11.ircii"
date = "2000-04-10"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/440"
[[advisories]]
name = "FreeBSD-SA-00:10.orville-write"
date = "2000-03-15"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/408"
[[advisories]]
name = "FreeBSD-SA-00:09.mtr"
date = "2000-03-15"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/408"
[[advisories]]
name = "FreeBSD-SA-00:08.lynx"
date = "2000-03-15"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/407"
[[advisories]]
name = "FreeBSD-SA-00:07.mh"
date = "2000-03-15"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/411"
[[advisories]]
name = "FreeBSD-SA-00:06.htdig"
date = "2000-03-01"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/403"
[[advisories]]
name = "FreeBSD-SA-00:05.mysql"
date = "2000-02-28"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/402"
[[advisories]]
name = "FreeBSD-SA-00:04.delegate"
date = "2000-02-19"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/392"
[[advisories]]
name = "FreeBSD-SA-00:03.asmon"
date = "2000-02-19"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/391"
[[advisories]]
name = "FreeBSD-SA-00:02.procfs"
date = "2000-01-24"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/380"
[[advisories]]
name = "FreeBSD-SA-00:01.make"
date = "2000-01-19"
[[advisories]]
name = "FreeBSD-SA-99:06.amd"
date = "1999-09-16"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/318"
[[advisories]]
name = "FreeBSD-SA-99:05.fts"
date = "1999-09-15"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/313"
[[advisories]]
name = "FreeBSD-SA-99:04.core"
date = "1999-09-15"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/312"
[[advisories]]
name = "FreeBSD-SA-99:03.ftpd"
date = "1999-09-05"
link = "http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/311"
[[advisories]]
name = "FreeBSD-SA-99:02.profil"
date = "1999-09-04"
[[advisories]]
name = "FreeBSD-SA-99:01.chflags"
date = "1999-09-04"
[[advisories]]
name = "FreeBSD-SA-98:08.fragment"
date = "1998-11-04"
[[advisories]]
name = "FreeBSD-SA-98:07.rst"
date = "1998-10-13"
[[advisories]]
name = "FreeBSD-SA-98:06.icmp"
date = "1998-06-10"
[[advisories]]
name = "FreeBSD-SA-98:05.nfs"
date = "1998-06-04"
[[advisories]]
name = "FreeBSD-SA-98:04.mmap"
date = "1998-06-02"
[[advisories]]
name = "FreeBSD-SA-98:03.ttcp"
date = "1998-05-14"
[[advisories]]
name = "FreeBSD-SA-98:02.mmap"
date = "1998-03-12"
[[advisories]]
name = "FreeBSD-SA-97:06.f00f"
date = "1997-12-09"
[[advisories]]
name = "FreeBSD-SA-98:01.land"
date = "1997-12-01"
[[advisories]]
name = "FreeBSD-SA-97:05.open"
date = "1997-10-29"
[[advisories]]
name = "FreeBSD-SA-97:04.procfs"
date = "1997-08-19"
[[advisories]]
name = "FreeBSD-SA-97:03.sysinstall"
date = "1997-04-07"
[[advisories]]
name = "FreeBSD-SA-97:02.lpd"
date = "1997-03-26"
[[advisories]]
name = "FreeBSD-SA-97:01.setlocale"
date = "1997-02-05"
[[advisories]]
name = "FreeBSD-SA-96:21.talkd"
date = "1997-01-18"
[[advisories]]
name = "FreeBSD-SA-96:20.stack-overflow"
date = "1996-12-16"
[[advisories]]
name = "FreeBSD-SA-96:19.modstat"
date = "1996-12-10"
[[advisories]]
name = "FreeBSD-SA-96:18.lpr"
date = "1996-11-25"
[[advisories]]
name = "FreeBSD-SA-96:17.rzsz"
date = "1996-07-16"
[[advisories]]
name = "FreeBSD-SA-96:16.rdist"
date = "1996-07-12"
[[advisories]]
name = "FreeBSD-SA-96:15.ppp"
date = "1996-07-04"
[[advisories]]
name = "FreeBSD-SA-96:12.perl"
date = "1996-06-28"
[[advisories]]
name = "FreeBSD-SA-96:14.ipfw"
date = "1996-06-24"
[[advisories]]
name = "FreeBSD-SA-96:13.comsat"
date = "1996-06-05"
[[advisories]]
name = "FreeBSD-SA-96:11.man"
date = "1996-05-21"
[[advisories]]
name = "FreeBSD-SA-96:10.mount_union"
date = "1996-05-17"
[[advisories]]
name = "FreeBSD-SA-96:09.vfsload"
date = "1996-05-17"
[[advisories]]
name = "FreeBSD-SA-96:02.apache"
date = "1996-04-22"
[[advisories]]
name = "FreeBSD-SA-96:08.syslog"
date = "1996-04-21"
[[advisories]]
name = "FreeBSD-SA-96:01.sliplogin"
date = "1996-04-21"
[[advisories]]
name = "FreeBSD-SA-96:03.sendmail-suggestion"
date = "1996-04-20"
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index 15ae740438..0fccd5baf3 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,859 +1,863 @@
# Sort errata notices by year, month and day
# $FreeBSD$
+[[notices]]
+name = "FreeBSD-EN-23:08.vnet"
+date = "2023-08-01"
+
[[notices]]
name = "FreeBSD-EN-23:07.mpr"
date = "2023-06-21"
[[notices]]
name = "FreeBSD-EN-23:06.loader"
date = "2023-06-21"
[[notices]]
name = "FreeBSD-EN-23:05.tzdata"
date = "2023-06-21"
[[notices]]
name = "FreeBSD-EN-23:04.ixgbe"
date = "2023-02-08"
[[notices]]
name = "FreeBSD-EN-23:03.ena"
date = "2023-02-08"
[[notices]]
name = "FreeBSD-EN-23:02.sdhci"
date = "2023-02-08"
[[notices]]
name = "FreeBSD-EN-23:01.tzdata"
date = "2023-02-08"
[[notices]]
name = "FreeBSD-EN-22:28.heimdal"
date = "2022-11-29"
[[notices]]
name = "FreeBSD-EN-22:27.loader"
date = "2022-11-01"
[[notices]]
name = "FreeBSD-EN-22:26.cam"
date = "2022-11-01"
[[notices]]
name = "FreeBSD-EN-22:25.tcp"
date = "2022-11-01"
[[notices]]
name = "FreeBSD-EN-22:24.zfs"
date = "2022-11-01"
[[notices]]
name = "FreeBSD-EN-22:23.vm"
date = "2022-11-01"
[[notices]]
name = "FreeBSD-EN-22:22.tzdata"
date = "2022-11-01"
[[notices]]
name = "FreeBSD-EN-22:21.zfs"
date = "2022-11-01"
[[notices]]
name = "FreeBSD-EN-22:20.tzdata"
date = "2022-08-30"
[[notices]]
name = "FreeBSD-EN-22:19.pam_exec"
date = "2022-08-09"
[[notices]]
name = "FreeBSD-EN-22:18.wifi"
date = "2022-08-09"
[[notices]]
name = "FreeBSD-EN-22:17.cam"
date = "2022-08-09"
[[notices]]
name = "FreeBSD-EN-22:16.kqueue"
date = "2022-08-09"
[[notices]]
name = "FreeBSD-EN-22:15.pf"
date = "2022-04-06"
[[notices]]
name = "FreeBSD-EN-22:14.tzdata"
date = "2022-03-22"
[[notices]]
name = "FreeBSD-EN-22:13.zfs"
date = "2022-03-21"
[[notices]]
name = "FreeBSD-EN-22:12.zfs"
date = "2022-03-15"
[[notices]]
name = "FreeBSD-EN-22:11.zfs"
date = "2022-03-15"
[[notices]]
name = "FreeBSD-EN-22:10.zfs"
date = "2022-03-15"
[[notices]]
name = "FreeBSD-EN-22:09.freebsd-update"
date = "2022-03-15"
[[notices]]
name = "FreeBSD-EN-22:08.i386"
date = "2022-02-01"
[[notices]]
name = "FreeBSD-EN-22:07.la57"
date = "2022-02-01"
[[notices]]
name = "FreeBSD-EN-22:06.libalias"
date = "2022-01-11"
[[notices]]
name = "FreeBSD-EN-22:05.tail"
date = "2022-01-11"
[[notices]]
name = "FreeBSD-EN-22:04.pcid"
date = "2022-01-11"
[[notices]]
name = "FreeBSD-EN-22:03.hyperv"
date = "2022-01-11"
[[notices]]
name = "FreeBSD-EN-22:02.xsave"
date = "2022-01-11"
[[notices]]
name = "FreeBSD-EN-22:01.fsck_ffs"
date = "2022-01-11"
[[notices]]
name = "FreeBSD-EN-21:29.tzdata"
date = "2021-11-03"
[[notices]]
name = "FreeBSD-EN-21:28.vmci"
date = "2021-11-03"
[[notices]]
name = "FreeBSD-EN-21:27.caroot"
date = "2021-11-03"
[[notices]]
name = "FreeBSD-EN-21:26.libevent"
date = "2021-11-03"
[[notices]]
name = "FreeBSD-EN-21:25.bhyve"
date = "2021-08-24"
[[notices]]
name = "FreeBSD-EN-21:24.libcrypto"
date = "2021-08-24"
[[notices]]
name = "FreeBSD-EN-21:23.virtio_blk"
date = "2021-08-24"
[[notices]]
name = "FreeBSD-EN-21:22.linux_futex"
date = "2021-06-29"
[[notices]]
name = "FreeBSD-EN-21:21.ipfw"
date = "2021-06-29"
[[notices]]
name = "FreeBSD-EN-21:20.vlan"
date = "2021-06-29"
[[notices]]
name = "FreeBSD-EN-21:19.libcasper"
date = "2021-06-29"
[[notices]]
name = "FreeBSD-EN-21:18.libc++"
date = "2021-06-29"
[[notices]]
name = "FreeBSD-EN-21:17.libradius"
date = "2021-06-01"
[[notices]]
name = "FreeBSD-EN-21:16.bc"
date = "2021-05-26"
[[notices]]
name = "FreeBSD-EN-21:15.virtio"
date = "2021-05-26"
[[notices]]
name = "FreeBSD-EN-21:14.pms"
date = "2021-05-26"
[[notices]]
name = "FreeBSD-EN-21:13.mpt"
date = "2021-05-26"
[[notices]]
name = "FreeBSD-EN-21:12.divert"
date = "2021-05-26"
[[notices]]
name = "FreeBSD-EN-21:11.aesni"
date = "2021-05-26"
[[notices]]
name = "FreeBSD-EN-21:10.lldb"
date = "2021-04-06"
[[notices]]
name = "FreeBSD-EN-21:09.pf"
date = "2021-04-06"
[[notices]]
name = "FreeBSD-EN-21:08.freebsd-update"
date = "2021-02-24"
[[notices]]
name = "FreeBSD-EN-21:07.caroot"
date = "2021-02-24"
[[notices]]
name = "FreeBSD-EN-21:06.microcode"
date = "2021-02-24"
[[notices]]
name = "FreeBSD-EN-21:05.libatomic"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-21:04.zfs"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-21:03.vnet"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-21:02.extattr"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-21:01.tzdata"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-20:22.callout"
date = "2020-12-01"
[[notices]]
name = "FreeBSD-EN-20:21.ipfw"
date = "2020-12-01"
[[notices]]
name = "FreeBSD-EN-20:20.tzdata"
date = "2020-12-01"
[[notices]]
name = "FreeBSD-EN-20:19.audit"
date = "2020-12-01"
[[notices]]
name = "FreeBSD-EN-20:18.getfsstat"
date = "2020-09-02"
[[notices]]
name = "FreeBSD-EN-20:17.linuxthread"
date = "2020-09-02"
[[notices]]
name = "FreeBSD-EN-20:16.vmx"
date = "2020-08-05"
[[notices]]
name = "FreeBSD-EN-20:15.mps"
date = "2020-07-08"
[[notices]]
name = "FreeBSD-EN-20:14.linuxkpi"
date = "2020-07-08"
[[notices]]
name = "FreeBSD-EN-20:13.bhyve"
date = "2020-07-08"
[[notices]]
name = "FreeBSD-EN-20:12.iflib"
date = "2020-06-09"
[[notices]]
name = "FreeBSD-EN-20:11.ena"
date = "2020-06-09"
[[notices]]
name = "FreeBSD-EN-20:10.build"
date = "2020-05-12"
[[notices]]
name = "FreeBSD-EN-20:09.igb"
date = "2020-05-12"
[[notices]]
name = "FreeBSD-EN-20:08.tzdata"
date = "2020-05-12"
[[notices]]
name = "FreeBSD-EN-20:07.quotad"
date = "2020-04-21"
[[notices]]
name = "FreeBSD-EN-20:06.ipv6"
date = "2020-03-19"
[[notices]]
name = "FreeBSD-EN-20:05.mlx5en"
date = "2020-03-19"
[[notices]]
name = "FreeBSD-EN-20:04.pfctl"
date = "2020-03-19"
[[notices]]
name = "FreeBSD-EN-20:03.sshd"
date = "2020-03-19"
[[notices]]
name = "FreeBSD-EN-20:02.nmount"
date = "2020-01-28"
[[notices]]
name = "FreeBSD-EN-20:01.ssp"
date = "2020-01-28"
[[notices]]
name = "FreeBSD-EN-19:19.loader"
date = "2019-11-12"
[[notices]]
name = "FreeBSD-EN-19:18.tzdata"
date = "2019-10-23"
[[notices]]
name = "FreeBSD-EN-19:17.ipfw"
date = "2019-08-20"
[[notices]]
name = "FreeBSD-EN-19:16.bhyve"
date = "2019-08-20"
[[notices]]
name = "FreeBSD-EN-19:15.libunwind"
date = "2019-08-06"
[[notices]]
name = "FreeBSD-EN-19:14.epoch"
date = "2019-08-06"
[[notices]]
name = "FreeBSD-EN-19:13.mds"
date = "2019-07-24"
[[notices]]
name = "FreeBSD-EN-19:12.tzdata"
date = "2019-07-02"
[[notices]]
name = "FreeBSD-EN-19:11.net"
date = "2019-06-19"
[[notices]]
name = "FreeBSD-EN-19:10.scp"
date = "2019-05-14"
[[notices]]
name = "FreeBSD-EN-19:09.xinstall"
date = "2019-05-14"
[[notices]]
name = "FreeBSD-EN-19:08.tzdata"
date = "2019-05-14"
[[notices]]
name = "FreeBSD-EN-19:07.lle"
date = "2019-02-05"
[[notices]]
name = "FreeBSD-EN-19:06.dtrace"
date = "2019-02-05"
[[notices]]
name = "FreeBSD-EN-19:05.kqueue"
date = "2019-01-09"
[[notices]]
name = "FreeBSD-EN-19:04.tzdata"
date = "2019-01-09"
[[notices]]
name = "FreeBSD-EN-19:03.sqlite"
date = "2019-01-09"
[[notices]]
name = "FreeBSD-EN-19:02.tcp"
date = "2019-01-09"
[[notices]]
name = "FreeBSD-EN-19:01.cc_cubic"
date = "2019-01-09"
[[notices]]
name = "FreeBSD-EN-18:18.zfs"
date = "2018-12-19"
[[notices]]
name = "FreeBSD-EN-18:17.vm"
date = "2018-12-19"
[[notices]]
name = "FreeBSD-EN-18:16.ptrace"
date = "2018-12-19"
[[notices]]
name = "FreeBSD-EN-18:15.loader"
date = "2018-11-27"
[[notices]]
name = "FreeBSD-EN-18:14.tzdata"
date = "2018-11-27"
[[notices]]
name = "FreeBSD-EN-18:13.icmp"
date = "2018-11-27"
[[notices]]
name = "FreeBSD-EN-18:12.mem"
date = "2018-09-27"
[[notices]]
name = "FreeBSD-EN-18:11.listen"
date = "2018-09-27"
[[notices]]
name = "FreeBSD-EN-18:10.syscall"
date = "2018-09-27"
[[notices]]
name = "FreeBSD-EN-18:09.ip"
date = "2018-09-27"
[[notices]]
name = "FreeBSD-EN-18:08.lazyfpu"
date = "2018-09-12"
[[notices]]
name = "FreeBSD-EN-18:07.pmap"
date = "2018-06-21"
[[notices]]
name = "FreeBSD-EN-18:06.tzdata"
date = "2018-05-08"
[[notices]]
name = "FreeBSD-EN-18:05.mem"
date = "2018-05-08"
[[notices]]
name = "FreeBSD-EN-18:04.mem"
date = "2018-04-04"
[[notices]]
name = "FreeBSD-EN-18:03.tzdata"
date = "2018-04-04"
[[notices]]
name = "FreeBSD-EN-18:02.file"
date = "2018-03-07"
[[notices]]
name = "FreeBSD-EN-18:01.tzdata"
date = "2018-03-07"
[[notices]]
name = "FreeBSD-EN-17:09.tzdata"
date = "2017-11-02"
[[notices]]
name = "FreeBSD-EN-17:08.pf"
date = "2017-08-10"
[[notices]]
name = "FreeBSD-EN-17:07.vnet"
date = "2017-08-10"
[[notices]]
name = "FreeBSD-EN-17:06.hyperv"
date = "2017-07-12"
[[notices]]
name = "FreeBSD-EN-17:05.xen"
date = "2017-04-12"
[[notices]]
name = "FreeBSD-EN-17:04.mandoc"
date = "2017-02-23"
[[notices]]
name = "FreeBSD-EN-17:03.hyperv"
date = "2017-02-23"
[[notices]]
name = "FreeBSD-EN-17:02.yp"
date = "2017-02-23"
[[notices]]
name = "FreeBSD-EN-17:01.pcie"
date = "2017-02-23"
[[notices]]
name = "FreeBSD-EN-16:21.localedef"
date = "2016-12-06"
[[notices]]
name = "FreeBSD-EN-16:20.tzdata"
date = "2016-12-06"
[[notices]]
name = "FreeBSD-EN-16:19.tzcode"
date = "2016-12-06"
[[notices]]
name = "FreeBSD-EN-16:18.loader"
date = "2016-10-25"
[[notices]]
name = "FreeBSD-EN-16:17.vm"
date = "2016-10-25"
[[notices]]
name = "FreeBSD-EN-16:16.hv_storvsc"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:15.vmbus"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:14.hv_storvsc"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:13.vmbus"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:12.hv_storvsc"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:11.vmbus"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:10.dhclient"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:09.freebsd-update"
date = "2016-07-25"
[[notices]]
name = "FreeBSD-EN-16:08.zfs"
date = "2016-05-04"
[[notices]]
name = "FreeBSD-EN-16:07.ipi"
date = "2016-05-04"
[[notices]]
name = "FreeBSD-EN-16:06.libc"
date = "2016-05-04"
[[notices]]
name = "FreeBSD-EN-16:05.hv_netvsc"
date = "2016-03-16"
[[notices]]
name = "FreeBSD-EN-16:04.hyperv"
date = "2016-03-16"
[[notices]]
name = "FreeBSD-EN-16:03.yplib"
date = "2016-01-14"
[[notices]]
name = "FreeBSD-EN-16:02.pf"
date = "2016-01-14"
[[notices]]
name = "FreeBSD-EN-16:01.filemon"
date = "2016-01-14"
[[notices]]
name = "FreeBSD-EN-15:20.vm"
date = "2015-11-04"
[[notices]]
name = "FreeBSD-EN-15:19.kqueue"
date = "2015-11-04"
[[notices]]
name = "FreeBSD-EN-15:18.pkg"
date = "2015-09-16"
[[notices]]
name = "FreeBSD-EN-15:17.libc"
date = "2015-09-16"
[[notices]]
name = "FreeBSD-EN-15:16.pw"
date = "2015-09-16"
[[notices]]
name = "FreeBSD-EN-15:15.pkg"
date = "2015-08-25"
[[notices]]
name = "FreeBSD-EN-15:14.ixgbe"
date = "2015-08-25"
[[notices]]
name = "FreeBSD-EN-15:13.vidcontrol"
date = "2015-08-18"
[[notices]]
name = "FreeBSD-EN-15:12.netstat"
date = "2015-08-18"
[[notices]]
name = "FreeBSD-EN-15:11.toolchain"
date = "2015-08-18"
[[notices]]
name = "FreeBSD-EN-15:10.iconv"
date = "2015-06-30"
[[notices]]
name = "FreeBSD-EN-15:09.xlocale"
date = "2015-06-30"
[[notices]]
name = "FreeBSD-EN-15:08.sendmail"
date = "2015-06-18"
[[notices]]
name = "FreeBSD-EN-15:07.zfs"
date = "2015-06-09"
[[notices]]
name = "FreeBSD-EN-15:06.file"
date = "2015-06-09"
[[notices]]
name = "FreeBSD-EN-15:05.ufs"
date = "2015-05-13"
[[notices]]
name = "FreeBSD-EN-15:04.freebsd-update"
date = "2015-05-13"
[[notices]]
name = "FreeBSD-EN-15:03.freebsd-update"
date = "2015-02-25"
[[notices]]
name = "FreeBSD-EN-15:02.openssl"
date = "2015-02-25"
[[notices]]
name = "FreeBSD-EN-15:01.vt"
date = "2015-02-25"
[[notices]]
name = "FreeBSD-EN-14:13.freebsd-update"
date = "2014-12-23"
[[notices]]
name = "FreeBSD-EN-14:12.zfs"
date = "2014-11-04"
[[notices]]
name = "FreeBSD-EN-14:11.crypt"
date = "2014-10-22"
[[notices]]
name = "FreeBSD-EN-14:10.tzdata"
date = "2014-10-22"
[[notices]]
name = "FreeBSD-EN-14:09.jail"
date = "2014-07-08"
[[notices]]
name = "FreeBSD-EN-14:08.heimdal"
date = "2014-06-24"
[[notices]]
name = "FreeBSD-EN-14:07.pmap"
date = "2014-06-24"
[[notices]]
name = "FreeBSD-EN-14:06.exec"
date = "2014-06-03"
[[notices]]
name = "FreeBSD-EN-14:05.ciss"
date = "2014-05-13"
[[notices]]
name = "FreeBSD-EN-14:04.kldxref"
date = "2014-05-13"
[[notices]]
name = "FreeBSD-EN-14:03.pkg"
date = "2014-05-13"
[[notices]]
name = "FreeBSD-EN-14:02.mmap"
date = "2014-01-14"
[[notices]]
name = "FreeBSD-EN-14:01.random"
date = "2014-01-14"
[[notices]]
name = "FreeBSD-EN-13:05.freebsd-update"
date = "2013-11-28"
[[notices]]
name = "FreeBSD-EN-13:04.freebsd-update"
date = "2013-10-26"
[[notices]]
name = "FreeBSD-EN-13:03.mfi"
date = "2013-08-22"
[[notices]]
name = "FreeBSD-EN-13:01.fxp"
date = "2013-06-28"
[[notices]]
name = "FreeBSD-EN-13:02.vtnet"
date = "2013-06-28"
[[notices]]
name = "FreeBSD-EN-12:02.ipv6refcount"
date = "2012-06-12"
[[notices]]
name = "FreeBSD-EN-12:01.freebsd-update"
date = "2012-01-04"
[[notices]]
name = "FreeBSD-EN-10:02.sched_ule"
date = "2010-02-27"
[[notices]]
name = "FreeBSD-EN-10:01.freebsd"
date = "2010-01-06"
[[notices]]
name = "FreeBSD-EN-09:05.null"
date = "2009-10-02"
[[notices]]
name = "FreeBSD-EN-09:04.fork"
date = "2009-06-24"
[[notices]]
name = "FreeBSD-EN-09:03.fxp"
date = "2009-06-24"
[[notices]]
name = "FreeBSD-EN-09:02.bce"
date = "2009-06-24"
[[notices]]
name = "FreeBSD-EN-09:01.kenv"
date = "2009-03-23"
[[notices]]
name = "FreeBSD-EN-08:02.tcp"
date = "2008-06-19"
[[notices]]
name = "FreeBSD-EN-08:01.libpthread"
date = "2008-04-17"
[[notices]]
name = "FreeBSD-EN-07:05.freebsd-update"
date = "2007-03-15"
[[notices]]
name = "FreeBSD-EN-07:04.zoneinfo"
date = "2007-02-28"
[[notices]]
name = "FreeBSD-EN-07:03.rc.d_jail"
date = "2007-02-28"
[[notices]]
name = "FreeBSD-EN-07:02.net"
date = "2007-02-28"
[[notices]]
name = "FreeBSD-EN-07:01.nfs"
date = "2007-02-14"
[[notices]]
name = "FreeBSD-EN-06:02.net"
date = "2006-08-28"
[[notices]]
name = "FreeBSD-EN-06:01.jail"
date = "2006-07-07"
[[notices]]
name = "FreeBSD-EN-05:04.nfs"
date = "2005-12-19"
[[notices]]
name = "FreeBSD-EN-05:03.ipi"
date = "2005-01-16"
[[notices]]
name = "FreeBSD-EN-05:02.sk"
date = "2005-01-06"
[[notices]]
name = "FreeBSD-EN-05:01.nfs"
date = "2005-01-05"
[[notices]]
name = "FreeBSD-EN-04:01.twe"
date = "2004-06-28"
diff --git a/website/static/security/advisories/FreeBSD-EN-23:08.vnet.asc b/website/static/security/advisories/FreeBSD-EN-23:08.vnet.asc
new file mode 100644
index 0000000000..fc722d9cff
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-23:08.vnet.asc
@@ -0,0 +1,147 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-23:08.vnet Errata Notice
+ The FreeBSD Project
+
+Topic: VNET and DPCPU module panic on arm64
+
+Category: core
+Module: kernel
+Announced: 2023-08-01
+Affects: FreeBSD 13.2
+Corrected: 2023-07-26 18:03:46 UTC (stable/13, 13.2-STABLE)
+ 2023-08-01 19:50:47 UTC (releng/13.2, 13.2-RELEASE-p2)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+VNET is the name of a technique to virtualize the network stack. It changes
+global resources, most notably variables, into per network stack resources
+and handles them in the context of the correct instance. VNET is enabled by
+default in GENERIC kernels on all architectures except 32-bit ARM.
+
+DPCPU is a dynamic per-CPU memory allocator which can instantiate one
+instance of a global variable with each CPU in the system. Dynamically
+allocated per-CPU variables can be defined with custom names and types.
+DPCPU is always enabled.
+
+II. Problem Description
+
+After FreeBSD 13.1 was released, the contributed LLVM components (LLVM,
+clang, compiler-rt, libc++, libunwind, lld, lldb and openmp) were
+upgraded to upstream version 14.0.5. The new version of lld, the llvm
+linker, got additional optimizations for arm64 in the form of so-called
+relocation relaxations.
+
+These relaxations are fine for regular userland applications, as the
+dynamic linker can handle the optimized relocations. However, due to the
+way the VNET and DPCPU features are implemented, the optimized
+relocations can cause panics if they are used in kernel modules.
+
+III. Impact
+
+On arm64 systems, loading kernel modules that use VNET or DPCPU features can
+cause panics. A known example is the WireGuard kernel module, if_wg(4).
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+A reboot is required, because the kernel and several kernel modules are
+updated.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+A reboot is required, because the kernel and several kernel modules are updated.
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-23:08/vnet.patch
+# fetch https://security.FreeBSD.org/patches/EN-23:08/vnet.patch.asc
+# gpg --verify vnet.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+ and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ 98e7f836e65e stable/13-n255888
+releng/13.2/ e3e6fc371322 releng/13.2-n254623
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+
+
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJd+EACgkQbljekB8A
+Gu+2XRAAnIRnEfyWHe8XQa3ElzCx3gwyldIkZJqjqEX1hWm1uhASJGV3Zk/xj6gv
+6yyr8P5nij6rbblpo/YpUzwFeRVUX3foMU+R4blTB0nriJuW6P1vMiHpD1w52oS5
+OWpsyAouJ4/IsDh73jCqrJk3M7ZKOkfQ5tHn/E+bLl20ASQy/5S/t3G9QU8o8TeH
+Ak+zakq8Gf13BA6vMyq0beA34A0zT0niznKhbTqAc3czdsd18Rkeg/9txXU2iOkV
+8VBqnN2kJQ/gBfM79PtUOfz8uK/7tIWMpNoept4Kp0XlDPpJUhqBwjjmTBsuxB8w
+fpYpfNF5ADX50L1nzm24oxBjFsbA+YUNXzO1VHCQZeWNxI2cubZWFtzu7WoxT7QQ
+trdhUWlSI28jtRJSg5eBwfSI/iT/iESIH9f5wFdVo3iORPXe28CrW6EtEHXhVk37
+JQaQdIPr48n2IfsEzuogQyEMAWuD6hSUDksfZsArkPcS9QJFBzv1xkiTXmInn1CL
+JQK4XaVXSELKh0JWgnGTA3/Xsi/DRXcPbN+1saKi8Dp5LzwaMN26UmvWzMFYpQuY
+hrfFDpk3IP9iacvnnObuMretppd1LdwFx3O2Pq4Fs0nRYIKSU3OVpIVzu75otiwE
+GtArfSeRWgwy9moWd8W4wSWNFosTkFMFbZONS0n9SfEYzabpCzM=
+=0mU9
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-23:06.ipv6.asc b/website/static/security/advisories/FreeBSD-SA-23:06.ipv6.asc
new file mode 100644
index 0000000000..77b3701de3
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-23:06.ipv6.asc
@@ -0,0 +1,171 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-23:06.ipv6 Security Advisory
+ The FreeBSD Project
+
+Topic: Remote denial of service in IPv6 fragment reassembly
+
+Category: core
+Module: ipv6
+Announced: 2023-08-01
+Credits: Zweig of Kunlun Lab
+Affects: All supported versions of FreeBSD
+Corrected: 2023-08-01 19:49:07 UTC (stable/13, 13.2-STABLE)
+ 2023-08-01 19:51:27 UTC (releng/13.2, 13.2-RELEASE-p2)
+ 2023-08-01 19:49:52 UTC (releng/13.1, 13.1-RELEASE-p9)
+ 2023-08-01 20:05:08 UTC (stable/12, 12.4-STABLE)
+ 2023-08-01 20:05:42 UTC (releng/12.4, 12.4-RELEASE-p4)
+CVE Name: CVE-2023-3107
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit .
+
+I. Background
+
+IPv6 packets may be fragmented in order to accommodate the maximum
+transmission unit (MTU) of the network path between the source and
+destination hosts. The FreeBSD kernel keeps track of received packet
+fragments and will reassemble the original packet once all fragments
+have been received, at which point the packet is processed normally.
+
+II. Problem Description
+
+Each fragment of an IPv6 packet contains a fragment header which
+specifies the offset of the fragment relative to the original packet,
+and each fragment specifies its length in the IPv6 header. When
+reassembling the packet, the kernel calculates the complete IPv6 payload
+length. The payload length must fit into a 16-bit field in the IPv6
+header.
+
+Due to a bug in the kernel, a set of carefully crafted packets can
+trigger an integer overflow in the calculation of the reassembled
+packet's payload length field.
+
+III. Impact
+
+Once an IPv6 packet has been reassembled, the kernel continues
+processing its contents. It does so assuming that the fragmentation
+layer has validated all fields of the constructed IPv6 header. This bug
+violates such assumptions and can be exploited to trigger a remote
+kernel panic, resulting in a denial of service.
+
+IV. Workaround
+
+Users with IPv6 disabled on untrusted network interfaces are not
+affected. Such interfaces will have the IFDISABLED nd6 flag set in
+ifconfig(8).
+
+The kernel may be configured to drop all IPv6 fragments by setting the
+net.inet6.ip6.maxfrags sysctl to 0. Doing so will prevent the bug from
+being triggered, with the caveat that legitimate IPv6 fragments will
+be dropped.
+
+If the pf(4) firewall is enabled, and scrubbing and fragment reassembly
+is enabled on untrusted interfaces, the bug cannot be triggered. This
+is the default if pf(4) is enabled.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date and
+reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-23:06/ipv6.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:06/ipv6.patch.asc
+# gpg --verify ipv6.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+ and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ 9515f04fe3b1 stable/13-n255919
+releng/13.2/ da38eaca4a22 releng/13.2-n254626
+releng/13.1/ 4e548c72914a releng/13.1-n250191
+stable/12/ r373149
+releng/12.4/ r373152
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII. References
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsAACgkQbljekB8A
+Gu8rERAA2iGzA4ydDrYsKnNGXMtQEXRIkGOPOkCSB1fC6CGIWLD//XuPw7sISPNu
+vvt0DVlkOC/ZKjgUQVWDLHd/DWcEv6prhhCUEPEQ57nwvgfa9/oZNqF0ZvVgdyst
+OUc7wO3Pt9lAp6fPkay0LGmsHLlgRJR1VqUQ6fnWvJ7jRllsvIdjxr8krIwYyyVn
+E7U8+lBYoBmQLMql0jgiQ3S4FZ5kYX6MN9r2I1/nSQdE6IUOiqL0oux9H2PDTz3r
+mx9nYSrsd0WPNVO7n7GRnk48STwJryJNdY7tCZOUGsmOOtQAnXvF/ZYDQOMK1L66
+4d5XFVXTwYdHDwDbXMPCCqa+MsZyjrgz8NmNzcto1l0mClz1SGNW9MKmxTKU7op/
+dNTjziffvwxZefpFPv+r9ZEyJpPe1rcNgOskJFW4DVq0uNSaujPkHE77hkE93ozF
+ScDErtexPV+OEQyqGTgO4MxTjlk2l9DZGFVrLl+8Js1sFfLXlReGHLA2xtDtxJL0
+mLo1WtKq8Oq3XPBdU0UoAw3Wlp+BOZ7cY5AVk7IY5zU0T2jQP636QgzX33ZTynkD
+oLtFufJBOWMSPNx9bTFautEoNsivtKcOl3XWEKKgEqt4b+9h6VGU0tFjfRuozjxJ
+QAaYf0qXk9kfHp4EdHj4CeSoeZKgHCExJxpfX54qBGH/TY3Dd4c=
+=V/jE
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-23:07.bhyve.asc b/website/static/security/advisories/FreeBSD-SA-23:07.bhyve.asc
new file mode 100644
index 0000000000..770be95081
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-23:07.bhyve.asc
@@ -0,0 +1,148 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-23:07.bhyve Security Advisory
+ The FreeBSD Project
+
+Topic: bhyve privileged guest escape via fwctl
+
+Category: core
+Module: bhyve
+Announced: 2023-08-01
+Credits: Omri Ben Bassat and Vladimir Eli Tokarev from Microsoft
+Affects: FreeBSD 13.1 and 13.2
+Corrected: 2023-08-01 19:48:53 UTC (stable/13, 13.2-STABLE)
+ 2023-08-01 19:50:47 UTC (releng/13.2, 13.2-RELEASE-p2)
+ 2023-08-01 19:48:26 UTC (releng/13.1, 13.1-RELEASE-p9)
+CVE Name: CVE-2023-3494
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit .
+
+I. Background
+
+bhyve(8)'s fwctl interface provides a mechanism through which guest
+firmware can query the hypervisor for information about the virtual
+machine. The fwctl interface is available to guests when bhyve is run
+with the "-l bootrom" option, used for example when booting guests in
+UEFI mode.
+
+bhyve is currently only supported on the amd64 platform.
+
+II. Problem Description
+
+The fwctl driver implements a state machine which is executed when the
+guest accesses certain x86 I/O ports. The interface lets the guest copy
+a string into a buffer resident in the bhyve process' memory. A bug in
+the state machine implementation can result in a buffer overflowing when
+copying this string.
+
+III. Impact
+
+A malicious, privileged software running in a guest VM can exploit the
+buffer overflow to achieve code execution on the host in the bhyve
+userspace process, which typically runs as root. Note that bhyve runs
+in a Capsicum sandbox, so malicious code is constrained by the
+capabilities available to the bhyve process.
+
+IV. Workaround
+
+No workaround is available. bhyve guests that are executed without the
+"-l bootrom" option are unaffected.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart all affected virtual machines.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.2]
+# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.2.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.2.patch.asc
+# gpg --verify bhyve.13.2.patch.asc
+
+[FreeBSD 13.1]
+# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.1.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.1.patch.asc
+# gpg --verify bhyve.13.1.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+
+Restart all affected virtual machines.
+
+VI. Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ 9fe302d78109 stable/13-n255918
+releng/13.2/ 2bae613e0da3 releng/13.2-n254625
+releng/13.1/ 87702e38a4b4 releng/13.1-n250190
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsIACgkQbljekB8A
+Gu8Q1Q/7BFw5Aa0cFxBzbdz+O5NAImj58MvKS6xw61bXcYr12jchyT6ENC7yiR+K
+qCqbe5TssRbtZ1gg/94gSGEXccz5OcJGxW+qozhcdPUh2L2nzBPkMCrclrYJfTtM
+cnmQKjg/wFZLUVr71GEM95ZFaktlZdXyXx9Z8eBzow5rXexpl1TTHQQ2kZZ41K4K
+KFhup91dzGCIj02cqbl+1h5BrXJe3s/oNJt5JKIh/GBh5THQu9n6AywQYl18HtjV
+fMb1qRTAS9WbiEP5QV2eEuOG86ucuhytqnEN5MnXJ2rLSjfb9izs9HzLo3ggy7yb
+hN3tlbfIPjMEwYexieuoyP3rzKkLeYfLXqJU4zKCRnIbBIkMRy4mcFkfcYmI+MhF
+NPh2R9kccemppKXeDhKJurH0vsetr8ti+AwOZ3pgO21+9w+mjE+EfaedIi+JWhip
+hwqeFv03bAQHJdacNYGV47NsJ91CY4ZgWC3ZOzBZ2Y5SDtKFjyc0bf83WTfU9A/0
+drC0z3xaJribah9e6k5d7lmZ7L6aHCbQ70+aayuAEZQLr/N1doB0smNi0IHdrtY0
+JdIqmVX+d1ihVhJ05prC460AS/Kolqiaysun1igxR+ZnctE9Xdo1BlLEbYu2KjT4
+LpWvSuhRMSQaYkJU72SodQc0FM5mqqNN42Vx+X4EutOfvQuRGlI=
+=MlAY
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-23:08.ssh.asc b/website/static/security/advisories/FreeBSD-SA-23:08.ssh.asc
new file mode 100644
index 0000000000..37d9c0df7f
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-23:08.ssh.asc
@@ -0,0 +1,167 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-23:08.ssh Security Advisory
+ The FreeBSD Project
+
+Topic: Potential remote code execution via ssh-agent forwarding
+
+Category: contrib
+Module: OpenSSH
+Announced: 2023-08-01
+Credits: Qualys
+Affects: All supported versions of FreeBSD.
+Corrected: 2023-07-21 14:41:41 UTC (stable/13, 13.2-STABLE)
+ 2023-08-01 19:50:47 UTC (releng/13.2, 13.2-RELEASE-p2)
+ 2023-08-01 19:48:26 UTC (releng/13.1, 13.1-RELEASE-p9)
+ 2023-07-21 16:25:51 UTC (stable/12, 12.4-STABLE)
+ 2023-08-01 19:47:00 UTC (releng/12.4, 12.4-RELEASE-p4)
+CVE Name: CVE-2023-38408
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit .
+
+I. Background
+
+ssh-agent is a program to hold private keys used for OpenSSH public key
+authentication. Connections to ssh-agent may be forwarded from further
+remote hosts using the -A option to ssh. The server to which the ssh-agent
+connection is forwarded may cause the ssh-agent process to load (and unload)
+operating system-provided shared libraries to support the addition and
+deletion of PKCS#11 keys.
+
+II. Problem Description
+
+The server may cause ssh-agent to load shared libraries other than those
+required for PKCS#11 support. These shared libraries may have side effects
+that occur on load and unload (dlopen and dlclose).
+
+III. Impact
+
+An attacker with access to a server that accepts a forwarded ssh-agent
+connection may be able to execute code on the machine running ssh-agent.
+Note that the attack relies on properties of operating system-provided
+libraries. This has been demonstrated on other operating systems; it is
+unknown whether this attack is possible using the libraries provided by
+a FreeBSD installation.
+
+IV. Workaround
+
+Avoid using ssh-agent forwarding, or start ssh-agent with an empty
+PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that
+contains only specific provider libraries.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date and
+restart any ssh sessions using ssh-agent forwarding.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.2]
+# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.2.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.2.patch.asc
+# gpg --verify ssh.13.2.patch.asc
+
+[FreeBSD 13.1]
+# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.1.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.1.patch.asc
+# gpg --verify ssh.13.1.patch.asc
+
+[FreeBSD 12.4]
+# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.12.4.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.12.4.patch.asc
+# gpg --verify ssh.12.4.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+Restart all ssh sessions that use ssh-agent forwarding, or reboot.
+
+VI. Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ d578a19e2cd3 stable/13-n255848
+releng/13.2/ 20bcfc33d3f2 releng/13.2-n254624
+releng/13.1/ 3d3a1cbfd7a2 releng/13.1-n250189
+stable/12/ r373142
+releng/12.4/ r373151
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII. References
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsUACgkQbljekB8A
+Gu9M3A//ftE38dmRBx//0dm0sY6Pb++OprS7SKkm/dPlv2ywFMrUOZJl47pcfEuJ
+h+jeHOMWzQJYwSQBxPii/PbJRbxd4w4c0pjLDKXO3fc74anmuLQh7b8DLip6jQ/S
+C4LM11e0lGfxwJmrQl49r8eKkm4ta+TOn+IoSzGzsYUYkpqX3jpBuP/yhFvueXO7
+9ZaXCIsg99/tZvXU34b4ZA5t3vVjkAhtbV9HSAza0RnM4ZFJnXJoZbheVMgp63qp
+yg2pieDnA5U/c1exC8joRQoiyXtSZjmq2+8e4HYXc9+LZvWr+/fyfBXO6BXn4hmU
+KSB6t2aldvB0ywWEbge+mM9I+h0jPKHNo/HsAwwF4gKfLqzZ1XNLnHC+LVTTe0cD
+lNHw6kBgH9qx4oLBXg8fZwxtPGv5qvSjC4qisDWi/BMDeVsTfr8wa+LoKHIp0KOH
+AnhuNKs1/TYpyHZfa2l7OfvSc70jSGYyG6Flcr5lYrhfDnXEFR6En4qbRLjIS6GA
++8otM6AyuLLiwfaLdha2G9scuA/RUfyixB7AAhrFrxJPBQypC/kIi+lF0TKmEx69
+Q2TlWktN/zzHzPJLafor5g9W9dft2Kt4T8hHsmQVwwwN58l3Q49FSrKAib5Agv66
+1QuQDP5hhsq7VISG81ZzMZbgvhNgCM5EPjggZ65Qrk9/NCyWhOw=
+=scNH
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-23:09.pam_krb5.asc b/website/static/security/advisories/FreeBSD-SA-23:09.pam_krb5.asc
new file mode 100644
index 0000000000..9d40ed76db
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-23:09.pam_krb5.asc
@@ -0,0 +1,166 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-23:09.pam_krb5 Security Advisory
+ The FreeBSD Project
+
+Topic: Network authentication attack via pam_krb5
+
+Category: core
+Module: pam_krb5
+Announced: 2023-08-01
+Affects: All supported versions of FreeBSD
+Corrected: 2023-07-08 05:44:29 UTC (stable/13, 13.2-STABLE)
+ 2023-08-01 19:50:30 UTC (releng/13.2, 13.2-RELEASE-p2)
+ 2023-08-01 19:48:09 UTC (releng/13.1, 13.1-RELEASE-p9)
+ 2023-07-08 05:44:51 UTC (stable/12, 12.4-STABLE)
+ 2023-08-01 19:46:53 UTC (releng/12.4, 12.4-RELEASE-p4)
+CVE Name: CVE-2023-3326
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit .
+
+I. Background
+
+Kerberos 5 (krb5) is a computer-network authentication protocol that works on
+the basis of tickets to allow nodes communicating over a non-secure network
+to prove their identity to one another in a secure manner.
+
+The PAM (Pluggable Authentication Modules) library provides a flexible
+framework for user authentication and session setup / teardown.
+
+pam_krb5 is a PAM module that allows using a Kerberos password to
+authenticate the user. pam_krb5 is disabled in the default FreeBSD
+installation.
+
+pam_krb5 uses passwords for authentication, which is distinct from
+Kerberos native protocols like GSSAPI, which allows for login without the
+exchange of passwords. GSSAPI is not affected by this issue.
+
+II. Problem Description
+
+The problem detailed in FreeBSD-SA-23:04.pam_krb5 persisted following
+the patch for that advisory.
+
+III. Impact
+
+The impact described in FreeBSD-SA-23:04.pam_krb5 persists.
+
+IV. Workaround
+
+If you are not using Kerberos at all, ensure /etc/krb5.conf is missing from
+your system. Additionally, ensure pam_krb5 is commented out of your PAM
+configuration located as documented in pam.conf(5), generally /etc/pam.d.
+Note, the default FreeBSD PAM configuration has pam_krb5 commented out.
+
+If you are using Kerberos, but not using pam_krb5, ensure pam_krb5 is
+commented out of your PAM configuration located as documented in pam.conf(5),
+generally /etc/pam.d. Note, the default FreeBSD PAM configuration has
+pam_krb5 commented out.
+
+If you are using pam_krb5, ensure you have a keytab on your system as
+provided by your Kerberos administrator.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-23:09/pam_krb5.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:09/pam_krb5.patch.asc
+# gpg --verify pam_krb5.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+
+Restart all daemons that use the PAM module, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ d295e418ae7e stable/13-n255792
+releng/13.2/ 9b45d8eddfac releng/13.2-n254622
+releng/13.1/ 140f65a20533 releng/13.1-n250188
+stable/12/ r373127
+releng/12.4/ r373150
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII. References
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdskACgkQbljekB8A
+Gu9QjQ/7BlRQJGHtf/tljjCbzVKAOTcknk/d2VncZ4dDidsHWgO4umaYIrQzYxX0
+1mBtLEPZ7vHt2t4IC4NZ1FP7wrdLNDWCfHcKlP9p9tCzhh2zQXgv6NHbruUTMtJX
+/LN+fxdOcRo++23ae0ohaBUwFVo69/nel0KnSq3QOeSwzJdvaW9cggimOK96pvB1
+QXsqJvb9uBZGdv0yufZ4xJ174xDVnchBY/wvLx2qSdAsXGPO6ihvoeJHFJ7JAYLP
+JYtEAKkgHnkDtG9cw9DQigskwr8VC0x8J+9JG5H4zTXtzofng4pFD7+LBDhozoPy
+FRGi5IfWA4VkeQYDaMB9mE37R333PpKFfJZWF8cwOyeLXNTTUvtPEu2k0DRvljqs
+6lmKcqNLJMbbHa7jIDwdYs5wrSqXJuKOD0Fsj/QScfqWphK86oz6VBdft71A+g55
+D9QFVoXZ2kYTdJ3mMvcKPCdsnixVdtIaaTQ+Embeu2dnMUemc9xsRiPNp18a5y1a
+EgLJ5WHIVJoCjte7HROnPKN6IeB7G/laPeewpoO8AJqL46Z+Ch0PMJacYLhNp5fn
+9rDnJkurJBa4hqii05MztQvhvaoJyy1WFQbObrzfNQI7Hl+EtMb8dlP09qsiWeGq
+27gca8AB1KaMbG+Wwc92n1cn8ZSiF6WT0cV/+Cx3lYuIbmMgnBU=
+=eKnj
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-23:08/vnet.patch b/website/static/security/patches/EN-23:08/vnet.patch
new file mode 100644
index 0000000000..e3ae10b6a5
--- /dev/null
+++ b/website/static/security/patches/EN-23:08/vnet.patch
@@ -0,0 +1,16 @@
+--- sys/conf/kmod.mk.orig
++++ sys/conf/kmod.mk
+@@ -168,6 +168,13 @@
+ CFLAGS+= -fPIC
+ .endif
+
++.if ${MACHINE_CPUARCH} == "aarch64"
++# https://bugs.freebsd.org/264094
++# lld >= 14 and recent GNU ld can relax adrp+add and adrp+ldr instructions,
++# which breaks VNET.
++LDFLAGS+= --no-relax
++.endif
++
+ # Temporary workaround for PR 196407, which contains the fascinating details.
+ # Don't allow clang to use fpu instructions or registers in kernel modules.
+ .if ${MACHINE_CPUARCH} == arm
diff --git a/website/static/security/patches/EN-23:08/vnet.patch.asc b/website/static/security/patches/EN-23:08/vnet.patch.asc
new file mode 100644
index 0000000000..deba5b5d36
--- /dev/null
+++ b/website/static/security/patches/EN-23:08/vnet.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdr8ACgkQbljekB8A
+Gu+HgBAApQv1OSL3BdPCm44GOO4JE8cyWetpTxlM/wblnQS2WHv+cvWiDitgthgX
+Enek4lTFjz3SlgyeSGEwgDz0NucHSOGixS4SIqLKGHXEEqwcZFdICOhb56tcT5Mg
+GLndgCKaNjCM4vLQ7U/TRHZl03m0NyxXt9c9ga6cad4fZkFDAWpiIWAmzVF766vY
+7KIXlZ97y1IpqmHtuv3nTwcfBlw1ThiWj23JdoJyj9CEA8Qd5I3vAdHkX8JDirkJ
+qzS1hMExQAWQfY7cNH7fa56Z418ZdDRPoZeub7VYBaC4YG79D3s/FBcu9tADyb07
+aW6k6CnAGDOGPCxzKCCWgGB+GeYyd+zT0pEstwin43m9yNCgiXtI4UBIEZCJrbo4
+wKR5QF22R3uSBfU5T6JrLvl1muyGvcEsCWja0+O3CR6vrFKZEqm0nkzmTrNsB7e+
+9V5ZtgSEH3NmBejwLUjjDAoLz9EFf6Asji3obkdSbzEaZV5OSF20w4XDnvc8hXze
+psDcgspUjdiFoS3ci8LO/xl0jf6rguj56JA4FG9nB8fHe3lxuxwbJuJsm4dsHtNr
+Hxh7RQRGvTdvZ1bHwbIVc6Y9+Nnwozl7+q1+7a2yws2ZuxtLYE86+dvA/l2dl8iH
+IkZSKycsArwnnmkxfcqUGbbzKOF+x3nBruC0z8cYlSo0KWr193Q=
+=mU3Y
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-23:06/ipv6.patch b/website/static/security/patches/SA-23:06/ipv6.patch
new file mode 100644
index 0000000000..9735c134d9
--- /dev/null
+++ b/website/static/security/patches/SA-23:06/ipv6.patch
@@ -0,0 +1,14 @@
+--- sys/netinet6/frag6.c.orig
++++ sys/netinet6/frag6.c
+@@ -807,6 +807,11 @@
+ /* Adjust offset to point where the original next header starts. */
+ offset = ip6af->ip6af_offset - sizeof(struct ip6_frag);
+ free(ip6af, M_FRAG6);
++ if ((u_int)plen + (u_int)offset - sizeof(struct ip6_hdr) >
++ IPV6_MAXPACKET) {
++ frag6_freef(q6, bucket);
++ goto dropfrag;
++ }
+ ip6 = mtod(m, struct ip6_hdr *);
+ ip6->ip6_plen = htons((u_short)plen + offset - sizeof(struct ip6_hdr));
+ if (q6->ip6q_ecn == IPTOS_ECN_CE)
diff --git a/website/static/security/patches/SA-23:06/ipv6.patch.asc b/website/static/security/patches/SA-23:06/ipv6.patch.asc
new file mode 100644
index 0000000000..1bbe4f57cc
--- /dev/null
+++ b/website/static/security/patches/SA-23:06/ipv6.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsEACgkQbljekB8A
+Gu8RkA/+Kt5g7V4+D2GAttjm73kuDZpYpiD0evC7i1SMEJqm9SuLrUhAY0glKHLC
+wvXGOLQxKLupPv4XVtimtAPY9sSaTqnWtvit/upLLw5N+fIhEXWSX7JXnsmsALEv
+ky+mTt4RL8kB6XnzVJGA6kEpn6DF0tuR8kooxWvoxTAdSGQsS5P2PIcDP026JWWk
++4VgHe1iB4sAtIUlCp55HYWw+GaUMhXf74pJjGNG0GihW1m4XCrEYMas/f4PqMID
+2IbBrAT4WNSPM7hggPtp7KU7kdZtIH2GnR+Ib7JoythyndmPnbDK4z6AArVTBoEy
+n9t7GLtyTQaQWxkmQM0DzVSj22oEkb/MG5gfCV41oi+b+g4w3TZFI3axyegmYlS+
+tbeGol84Xwxi5UhgF29xcTtbKisuotCCmyN7ake8+XQhFlWsLuNjPA1MGLyifD+g
+GP/HjIvzTc/zKOFxVsj4KNa2dD+QgktBA+QKOEZA0Jz1WiJQA4r9ltZzeTIokJNj
+KQ7arPEwpSuTr5/6KVTaESwehO8afdkwXhyr3fFdWmQOpyWyZuAZbynm0tnPZkZb
+UhQCzdMcdjhSM7UCInsDxfOLEN3WyfYRQ9igeIDrNYYCx2bj+J6kkoZMUhlRR5hZ
+FRvlNmT4q7nPjPJ9ZtoAM/E2lG0bSEi9zdwty2QiPD4M/97QPtU=
+=cbY7
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-23:07/bhyve.13.1.patch b/website/static/security/patches/SA-23:07/bhyve.13.1.patch
new file mode 100644
index 0000000000..acf4750adf
--- /dev/null
+++ b/website/static/security/patches/SA-23:07/bhyve.13.1.patch
@@ -0,0 +1,87 @@
+--- usr.sbin/bhyve/fwctl.c.orig
++++ usr.sbin/bhyve/fwctl.c
+@@ -66,13 +66,12 @@
+ /*
+ * Back-end state-machine
+ */
+-enum state {
+- DORMANT,
++static enum state {
+ IDENT_WAIT,
+ IDENT_SEND,
+ REQ,
+ RESP
+-} be_state = DORMANT;
++} be_state;
+
+ static uint8_t sig[] = { 'B', 'H', 'Y', 'V' };
+ static u_int ident_idx;
+@@ -203,7 +202,8 @@
+ fget_data(uint32_t data, uint32_t len)
+ {
+
+- *((uint32_t *) &fget_str[fget_cnt]) = data;
++ assert(fget_cnt + sizeof(uint32_t) <= sizeof(fget_str));
++ memcpy(&fget_str[fget_cnt], &data, sizeof(data));
+ fget_cnt += sizeof(uint32_t);
+ }
+
+@@ -347,7 +347,8 @@
+ fwctl_request_data(uint32_t value)
+ {
+
+- /* Make sure remaining size is >= 0 */
++ /* Make sure remaining size is > 0 */
++ assert(rinfo.req_size > 0);
+ if (rinfo.req_size <= sizeof(uint32_t))
+ rinfo.req_size = 0;
+ else
+@@ -445,6 +446,28 @@
+ return (0);
+ }
+
++static void
++fwctl_reset(void)
++{
++
++ switch (be_state) {
++ case RESP:
++ /* If a response was generated but not fully read, discard it. */
++ fwctl_response_done();
++ break;
++ case REQ:
++ /* Discard partially-received request. */
++ memset(&rinfo, 0, sizeof(rinfo));
++ break;
++ case IDENT_WAIT:
++ case IDENT_SEND:
++ break;
++ }
++
++ be_state = IDENT_SEND;
++ ident_idx = 0;
++}
++
+
+ /*
+ * i/o port handling.
+@@ -472,18 +495,13 @@
+ static void
+ fwctl_outw(uint16_t val)
+ {
+- if (be_state == DORMANT) {
+- return;
+- }
+-
+ if (val == 0) {
+ /*
+ * The guest wants to read the signature. It's possible that the
+ * guest is unaware of the fwctl state at this moment. For that
+ * reason, reset the state machine unconditionally.
+ */
+- be_state = IDENT_SEND;
+- ident_idx = 0;
++ fwctl_reset();
+ }
+ }
+
diff --git a/website/static/security/patches/SA-23:07/bhyve.13.1.patch.asc b/website/static/security/patches/SA-23:07/bhyve.13.1.patch.asc
new file mode 100644
index 0000000000..3016b0e81a
--- /dev/null
+++ b/website/static/security/patches/SA-23:07/bhyve.13.1.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsMACgkQbljekB8A
+Gu9LqhAAwNbs3vtGeS8+eQ7ycbNRsGSol8rEM2iEHNeoWYEn5WgWswH80pCWDzIA
+GfuqX7Vju058XcDuqHSz1XU+cvyRPgZNGiKfvNzDFXEukRs2NCdUiFkNmy7r9pLu
+TUtQKzDv+JjwrYO/HzdABcxNYfwU696WW3RPXj11exKUXA0f3nmwAg3qihY0F09d
+gjhrfUzXkpRDX8AzmOZEkIWWON9bIYWtMNBrJ61NBu+P9tBfy27zUGF6hVQ6ZhMW
+iv6Gljgq0JuVJ/9zk95rwnQ1vuO1PQvhSaGPTjCzW8emU5RuPQoKt5qeBP/lLG+n
+lB8M/3K2peiQ0y53v8BlPU0+8JObHCamvN1jhfLuXb4LeO4TZmIb8FTpI9F3aUb5
+7RS0zLPs/Vgm7cx7dQtiCXCtVDvWeGesoQRgLLPf9LUXb3uBsxmZZzHc2FnPFipm
+Txz7zSl0dCteIW5CirOhOagH0F8Sai63gExoE6Rgxmk7K0IAnPSNrwFBmukRJOe2
+0/Yzl6fzwamGZ/2C8SSezFVFD1olauis/fBHPfOl1HGtsNAFrwTAd4hiqsj/NtAw
+otzJiq8fmheDX9nTXzf9eavubTmDLbj90OhL2jepdGIbcq3CJtVQ/leZASy4Ljsj
+goDMlxKrnlYuHxzPEXXAbSZamO3cbur/qpYRVkhhH5jsmxg1rpc=
+=51Jy
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-23:07/bhyve.13.2.patch b/website/static/security/patches/SA-23:07/bhyve.13.2.patch
new file mode 100644
index 0000000000..9de5e7cb78
--- /dev/null
+++ b/website/static/security/patches/SA-23:07/bhyve.13.2.patch
@@ -0,0 +1,84 @@
+--- usr.sbin/bhyve/fwctl.c.orig
++++ usr.sbin/bhyve/fwctl.c
+@@ -67,12 +67,11 @@
+ * Back-end state-machine
+ */
+ static enum state {
+- DORMANT,
+ IDENT_WAIT,
+ IDENT_SEND,
+ REQ,
+ RESP
+-} be_state = DORMANT;
++} be_state;
+
+ static uint8_t sig[] = { 'B', 'H', 'Y', 'V' };
+ static u_int ident_idx;
+@@ -200,6 +199,7 @@
+ fget_data(uint32_t data, uint32_t len __unused)
+ {
+
++ assert(fget_cnt + sizeof(uint32_t) <= sizeof(fget_str));
+ memcpy(&fget_str[fget_cnt], &data, sizeof(data));
+ fget_cnt += sizeof(uint32_t);
+ }
+@@ -344,7 +344,8 @@
+ fwctl_request_data(uint32_t value)
+ {
+
+- /* Make sure remaining size is >= 0 */
++ /* Make sure remaining size is > 0 */
++ assert(rinfo.req_size > 0);
+ if (rinfo.req_size <= sizeof(uint32_t))
+ rinfo.req_size = 0;
+ else
+@@ -441,6 +442,28 @@
+ return (0);
+ }
+
++static void
++fwctl_reset(void)
++{
++
++ switch (be_state) {
++ case RESP:
++ /* If a response was generated but not fully read, discard it. */
++ fwctl_response_done();
++ break;
++ case REQ:
++ /* Discard partially-received request. */
++ memset(&rinfo, 0, sizeof(rinfo));
++ break;
++ case IDENT_WAIT:
++ case IDENT_SEND:
++ break;
++ }
++
++ be_state = IDENT_SEND;
++ ident_idx = 0;
++}
++
+
+ /*
+ * i/o port handling.
+@@ -468,18 +491,13 @@
+ static void
+ fwctl_outw(uint16_t val)
+ {
+- if (be_state == DORMANT) {
+- return;
+- }
+-
+ if (val == 0) {
+ /*
+ * The guest wants to read the signature. It's possible that the
+ * guest is unaware of the fwctl state at this moment. For that
+ * reason, reset the state machine unconditionally.
+ */
+- be_state = IDENT_SEND;
+- ident_idx = 0;
++ fwctl_reset();
+ }
+ }
+
+--
diff --git a/website/static/security/patches/SA-23:07/bhyve.13.2.patch.asc b/website/static/security/patches/SA-23:07/bhyve.13.2.patch.asc
new file mode 100644
index 0000000000..6bfba08413
--- /dev/null
+++ b/website/static/security/patches/SA-23:07/bhyve.13.2.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsQACgkQbljekB8A
+Gu8OdA//bCCfcpSehl4gFNVhuRnSrs3vlDeCAUdm3vLA+h3/kSM2JDKX+1cx4n82
+PzGmGqGkBBBeYuF7dL6FkdpbYdWxbFZdtnqCm9y6XfNzONTZK5TJKoNXT0kXW7R1
+WSpfsTjeSunALie0C7QukzcCReQ1fy8wLWtksqiDBaXoEfNsvs/7d2RdDBepj4wW
+DHShXPp0117UQVXyz59Fgm3lb60OU02U7T+Plxb7//quAWtg/thAAcAzG7S/K4zg
+nBElOfLXo8zNMvrhxi6TYCY5Yqf6x+UQ1pjE8Ke4fsRN/kx19NVN1RoXjZvBt79A
+JrBi0r1wvFuamLQH/CIhAw9q34+Wcf2/300pLQrk7Cp/quD8fG6VdGw6CQrgslNh
+bzUBG28bjOEJnKZ1N5THANbr6mGKCAZTTpAbabl5tY51jgjWTyvhVaAiLXg+wv+V
+ochmwndfpt2bwSig/hbJtQ7j+N95pHVuU6NGMTssv4pXYtNPmU/vwwcx4IE5ByIn
+41FhUbdz6Vi4To7R72707+a4GAeqp+30bMTl6gbcgMFqf2rAjNfoq4eo3NpxcEcw
+diV7kwoLsLtvl7k1O88oIH44T/Uw5hOsaZhe2J7bhUx+va83trXQkq4uEEEQzC8C
+WBQ5inLsofQ2DnYbJjf/kGTUC7pZzO1zxYNlOGDKcyV9Jqp+m/s=
+=1R5i
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-23:08/ssh.12.4.patch b/website/static/security/patches/SA-23:08/ssh.12.4.patch
new file mode 100644
index 0000000000..7631beb7e2
--- /dev/null
+++ b/website/static/security/patches/SA-23:08/ssh.12.4.patch
@@ -0,0 +1,189 @@
+--- crypto/openssh/ssh-agent.1.orig
++++ crypto/openssh/ssh-agent.1
+@@ -1,1 +1,1 @@
+-.\" $OpenBSD: ssh-agent.1,v 1.73 2022/03/31 17:27:27 naddy Exp $
++.\" $OpenBSD: ssh-agent.1,v 1.75 2022/10/07 06:00:58 jmc Exp $
+@@ -35,7 +35,7 @@
+ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ .\"
+-.Dd $Mdocdate: March 31 2022 $
++.Dd $Mdocdate: October 7 2022 $
+ .Dt SSH-AGENT 1
+ .Os
+ .Sh NAME
+@@ -47,11 +47,13 @@
+ .Op Fl \&Ddx
+ .Op Fl a Ar bind_address
+ .Op Fl E Ar fingerprint_hash
++.Op Fl O Ar option
+ .Op Fl P Ar allowed_providers
+ .Op Fl t Ar life
+ .Nm ssh-agent
+ .Op Fl a Ar bind_address
+ .Op Fl E Ar fingerprint_hash
++.Op Fl O Ar option
+ .Op Fl P Ar allowed_providers
+ .Op Fl t Ar life
+ .Ar command Op Ar arg ...
+@@ -103,6 +105,45 @@
+ Kill the current agent (given by the
+ .Ev SSH_AGENT_PID
+ environment variable).
++.It Fl O Ar option
++Specify an option when starting
++.Nm .
++Currently two options are supported:
++.Cm allow-remote-pkcs11
++and
++.Cm no-restrict-websafe .
++.Pp
++The
++.Cm allow-remote-pkcs11
++option allows clients of a forwarded
++.Nm
++to load PKCS#11 or FIDO provider libraries.
++By default only local clients may perform this operation.
++Note that signalling that a
++.Nm
++client remote is performed by
++.Xr ssh 1 ,
++and use of other tools to forward access to the agent socket may circumvent
++this restriction.
++.Pp
++The
++.Cm no-restrict-websafe ,
++instructs
++.Nm
++to permit signatures using FIDO keys that might be web authentication
++requests.
++By default,
++.Nm
++refuses signature requests for FIDO keys where the key application string
++does not start with
++.Dq ssh:
++and when the data to be signed does not appear to be a
++.Xr ssh 1
++user authentication request or a
++.Xr ssh-keygen 1
++signature.
++The default behaviour prevents forwarded access to a FIDO key from also
++implicitly forwarding the ability to authenticate to websites.
+ .It Fl P Ar allowed_providers
+ Specify a pattern-list of acceptable paths for PKCS#11 provider and FIDO
+ authenticator middleware shared libraries that may be used with the
+--- crypto/openssh/ssh-agent.c.orig
++++ crypto/openssh/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.292 2022/09/17 10:11:29 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.293 2022/10/07 06:00:58 jmc Exp $ */
+ /*
+ * Author: Tatu Ylonen
+ * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
+@@ -172,6 +172,12 @@
+ /* Pattern-list of allowed PKCS#11/Security key paths */
+ static char *allowed_providers;
+
++/*
++ * Allows PKCS11 providers or SK keys that use non-internal providers to
++ * be added over a remote connection (identified by session-bind@openssh.com).
++ */
++static int remote_add_provider;
++
+ /* locking */
+ #define LOCK_SIZE 32
+ #define LOCK_SALT_SIZE 16
+@@ -1249,6 +1255,12 @@
+ if (strcasecmp(sk_provider, "internal") == 0) {
+ debug_f("internal provider");
+ } else {
++ if (e->nsession_ids != 0 && !remote_add_provider) {
++ verbose("failed add of SK provider \"%.100s\": "
++ "remote addition of providers is disabled",
++ sk_provider);
++ goto out;
++ }
+ if (realpath(sk_provider, canonical_provider) == NULL) {
+ verbose("failed provider \"%.100s\": "
+ "realpath: %s", sk_provider,
+@@ -1412,6 +1424,11 @@
+ error_f("failed to parse constraints");
+ goto send;
+ }
++ if (e->nsession_ids != 0 && !remote_add_provider) {
++ verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
++ "providers is disabled", provider);
++ goto send;
++ }
+ if (realpath(provider, canonical_provider) == NULL) {
+ verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
+ provider, strerror(errno));
+@@ -2015,9 +2032,9 @@
+ {
+ fprintf(stderr,
+ "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
+- " [-P allowed_providers] [-t life]\n"
+- " ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
+- " [-t life] command [arg ...]\n"
++ " [-O option] [-P allowed_providers] [-t life]\n"
++ " ssh-agent [-a bind_address] [-E fingerprint_hash] [-O option]\n"
++ " [-P allowed_providers] [-t life] command [arg ...]\n"
+ " ssh-agent [-c | -s] -k\n");
+ exit(1);
+ }
+@@ -2077,7 +2094,9 @@
+ break;
+ case 'O':
+ if (strcmp(optarg, "no-restrict-websafe") == 0)
+- restrict_websafe = 0;
++ restrict_websafe = 0;
++ else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
++ remote_add_provider = 1;
+ else
+ fatal("Unknown -O option");
+ break;
+--- crypto/openssh/ssh-pkcs11.c.orig
++++ crypto/openssh/ssh-pkcs11.c
+@@ -1537,10 +1537,8 @@
+ error("dlopen %s failed: %s", provider_id, dlerror());
+ goto fail;
+ }
+- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
+- error("dlsym(C_GetFunctionList) failed: %s", dlerror());
+- goto fail;
+- }
++ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
++ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
+ p = xcalloc(1, sizeof(*p));
+ p->name = xstrdup(provider_id);
+ p->handle = handle;
+--- crypto/openssh/sshd_config.orig
++++ crypto/openssh/sshd_config
+@@ -106,7 +106,7 @@
+ #PermitTunnel no
+ #ChrootDirectory none
+ #UseBlacklist no
+-#VersionAddendum FreeBSD-20221019
++#VersionAddendum FreeBSD-20230719
+
+ # no default banner path
+ #Banner none
+--- crypto/openssh/sshd_config.5.orig
++++ crypto/openssh/sshd_config.5
+@@ -1822,7 +1822,7 @@
+ Optionally specifies additional text to append to the SSH protocol banner
+ sent by the server upon connection.
+ The default is
+-.Qq FreeBSD-20221019 .
++.Qq FreeBSD-20230719 .
+ The value
+ .Cm none
+ may be used to disable this.
+--- crypto/openssh/version.h.orig
++++ crypto/openssh/version.h
+@@ -6,4 +6,4 @@
+ #define SSH_PORTABLE "p1"
+ #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+
+-#define SSH_VERSION_FREEBSD "FreeBSD-20221019"
++#define SSH_VERSION_FREEBSD "FreeBSD-20230719"
diff --git a/website/static/security/patches/SA-23:08/ssh.12.4.patch.asc b/website/static/security/patches/SA-23:08/ssh.12.4.patch.asc
new file mode 100644
index 0000000000..7111a87f1e
--- /dev/null
+++ b/website/static/security/patches/SA-23:08/ssh.12.4.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsYACgkQbljekB8A
+Gu+TnBAAwe8IpFB7Zs4qEpuhggpUq19sodKOlu3pbEyUKPpnyKYbPf1PwjvozVTQ
+z2tYlgOeFM4hKQfXNSYgAKmsSwqpq4O1p8gvop7GBa0SsRTqYXN9p/86JmMEWbkz
+tXi/hvwD2u92REaQ0Gh/ObLaNTWgAr+xo11DU790oN6TpitX6atmeKOLc50kTN5v
+yVGWp3Au0fMdvRxbd19CXtTWNHBSF5U/P/4h/f2jApfdUDZl1PU9zlqFRfhR7/Nk
+GCr8YkNE6etc6PAd98ifURxqXyMzMOwInFMWdtbK3QgErBdHvSlIgckA+vyiE9dq
+/j/shohi5N5SfYY+/nxtZAe6PWaGBu4T61P3mnpK+GNT9k25wSxARcu5x6/NdSVw
+2fP5NFVjnqmbP9KxO2HMQRTVdm6Zwe/g35WVA9W+WgkqUPL1p4itZWMknlpYgqva
+nTzZv+UVz7vJ08zH3jCRyHVD8+MDHqzh4vBjLZYl9CTLzZW+fKVIKlvXdV9hH3AZ
++RpidyvdZZ8OlecGkx/vui961Ship6hOWZQ+uwwbqSFJj5siQMiUsU6gvAC2VOW9
+crwqBnX3surUkPjAAuNTCc9kKRQMTc3oX9NSNz+MPE5D4tCcaR2YtN1nsSdZ1uf6
+KpOUucyTwHtltD0ICUJ6pnS1PT8fp2OMBODeAYGLcuUKwz5+ujw=
+=UtKu
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-23:08/ssh.13.1.patch b/website/static/security/patches/SA-23:08/ssh.13.1.patch
new file mode 100644
index 0000000000..9b336e388b
--- /dev/null
+++ b/website/static/security/patches/SA-23:08/ssh.13.1.patch
@@ -0,0 +1,48 @@
+--- crypto/openssh/ssh-pkcs11.c.orig
++++ crypto/openssh/ssh-pkcs11.c
+@@ -1536,10 +1536,8 @@
+ error("dlopen %s failed: %s", provider_id, dlerror());
+ goto fail;
+ }
+- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
+- error("dlsym(C_GetFunctionList) failed: %s", dlerror());
+- goto fail;
+- }
++ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
++ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
+ p = xcalloc(1, sizeof(*p));
+ p->name = xstrdup(provider_id);
+ p->handle = handle;
+--- crypto/openssh/sshd_config.orig
++++ crypto/openssh/sshd_config
+@@ -105,7 +105,7 @@
+ #PermitTunnel no
+ #ChrootDirectory none
+ #UseBlacklist no
+-#VersionAddendum FreeBSD-20211221
++#VersionAddendum FreeBSD-20230719
+
+ # no default banner path
+ #Banner none
+--- crypto/openssh/sshd_config.5.orig
++++ crypto/openssh/sshd_config.5
+@@ -1805,7 +1805,7 @@
+ Optionally specifies additional text to append to the SSH protocol banner
+ sent by the server upon connection.
+ The default is
+-.Qq FreeBSD-20211221 .
++.Qq FreeBSD-20230719 .
+ The value
+ .Cm none
+ may be used to disable this.
+--- crypto/openssh/version.h.orig
++++ crypto/openssh/version.h
+@@ -6,7 +6,7 @@
+ #define SSH_PORTABLE "p1"
+ #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+
+-#define SSH_VERSION_FREEBSD "FreeBSD-20211221"
++#define SSH_VERSION_FREEBSD "FreeBSD-20230719"
+
+ #ifdef WITH_OPENSSL
+ #define OPENSSL_VERSION_STRING OpenSSL_version(OPENSSL_VERSION)
diff --git a/website/static/security/patches/SA-23:08/ssh.13.1.patch.asc b/website/static/security/patches/SA-23:08/ssh.13.1.patch.asc
new file mode 100644
index 0000000000..ef29c56362
--- /dev/null
+++ b/website/static/security/patches/SA-23:08/ssh.13.1.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdscACgkQbljekB8A
+Gu8wwA//RJR6pkCCKfNiqJYnji1cl5U0p9lq7phbKdg+5KcVaUevxoPLM+rMSVPZ
+Oq5+E2pu4PKio7VYyHi1cxaKBvcS5XZ1UbjbmCYkvea0UDhP4WS54S0Xcs4kcaeb
+o16UswdUTGyxhOnE9MXiOeX1V1AeZ3tULR1zD+7NDW+szEmA3MD1WlARHrfohDie
+x0kRDWsV3nMWBi23zKlmSFmk2acAn5s1wpHgG96TAWbwd6pVWaMX8hL12KytBS3r
+w8XElffL/8HLwjm/pA1JwuRxYlGZy3G2FhWJy87Q0CJp0c65AQ/cn+etcAsMyWEW
+MRKmGY7GGJyQAAIIFFBpSZ+qihk+B6aAyqO4YHqMEIY1oQ0+PGCBP4q6+l6OwD6U
+OsTUFHcqUIobkPcFKRJFmazsDRyeJxhZJqCYkzP7SIETsfnZ2acKMOBp1bVlvi97
+Qn9RaxFWS09omsh0qMqcrLOLC7Se4uw8Y9SKfLATozF6hPyLR2RM2omKAGikrwbT
+K2A6DJcDdI0vIp8YkpNzdEGU25nFiCvG2tW8GCwS8SmYYXTX2PwTAtDfznhLk452
+RvGNpI+Hr/agLclxm6tA/vjoZLryuA7W1r7EaQUYCfE5fv0mYkqwf1tHtStmy/Mb
+KS2b2T7/kMYx/OBrE6et3Kavwpy0bZK8uvON9rs/Rk9kLaKnskE=
+=H9vw
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-23:08/ssh.13.2.patch b/website/static/security/patches/SA-23:08/ssh.13.2.patch
new file mode 100644
index 0000000000..29f203741e
--- /dev/null
+++ b/website/static/security/patches/SA-23:08/ssh.13.2.patch
@@ -0,0 +1,2036 @@
+--- crypto/openssh/ChangeLog.orig
++++ crypto/openssh/ChangeLog
+@@ -1,3 +1,36 @@
++commit 9795c4016ae35162072144df032c8b262433b462
++Author: Damien Miller
++Date: Wed Jul 19 16:27:12 2023 +1000
++
++ OpenSSH 9.3p2
++
++commit bde3635f3c9324bad132cf9ed917813d6abb599e
++Author: Damien Miller
++Date: Wed Jul 19 16:31:09 2023 +1000
++
++ update version in README
++
++commit f673f2f3e5f67099018fc281a6b5fb918142472e
++Author: Damien Miller
++Date: Wed Jul 19 16:31:00 2023 +1000
++
++ update RPM spec versions
++
++commit d7790cdce72a1b6982795baa2b4d6f0bdbb0100d
++Author: Damien Miller
++Date: Fri Jul 7 13:30:15 2023 +1000
++
++ disallow remote addition of FIDO/PKCS11 keys
++
++ Depends on the local client performing the session-bind@openssh.com
++ operation, so non-OpenSSH local client may circumvent this.
++
++commit b23fe83f06ee7e721033769cfa03ae840476d280
++Author: Damien Miller
++Date: Thu Jul 13 12:09:34 2023 +1000
++
++ terminate pkcs11 process for bad libraries
++
+ commit cb30fbdbee869f1ce11f06aa97e1cb8717a0b645
+ Author: Damien Miller
+ Date: Thu Mar 16 08:28:19 2023 +1100
+@@ -9402,1837 +9435,3 @@
+ reliability on very heavily loaded hosts.
+
+ OpenBSD-Regress-ID: 4c28a0fce3ea89ebde441d7091464176e9730533
+-
+-commit 7953e1bfce9e76bec41c1331a29bc6cff9d416b8
+-Author: Darren Tucker
+-Date: Mon Jul 19 13:47:51 2021 +1000
+-
+- Add sshfp-connect.sh file missed in previous.
+-
+-commit b75a80fa8369864916d4c93a50576155cad4df03
+-Author: dtucker@openbsd.org
+-Date: Mon Jul 19 03:13:28 2021 +0000
+-
+- upstream: Ensure that all returned SSHFP records for the specified host
+-
+- name and hostkey type match instead of only one. While there, simplify the
+- code somewhat and add some debugging. Based on discussion in bz#3322, ok
+- djm@.
+-
+- OpenBSD-Commit-ID: 0a6a0a476eb7f9dfe8fe2c05a1a395e3e9b22ee4
+-
+-commit 1cc1fd095393663cd72ddac927d82c6384c622ba
+-Author: dtucker@openbsd.org
+-Date: Mon Jul 19 02:21:50 2021 +0000
+-
+- upstream: Id sync only, -portable already has this.
+-
+- Put dh_set_moduli_file call inside ifdef WITH_OPENSSL. Fixes
+- build with OPENSSL=no.
+-
+- OpenBSD-Commit-ID: af54abbebfb12bcde6219a44d544e18204defb15
+-
+-commit 33abbe2f4153f5ca5c874582f6a7cc91ae167485
+-Author: dtucker@openbsd.org
+-Date: Mon Jul 19 02:46:34 2021 +0000
+-
+- upstream: Add test for host key verification via SSHFP records. This
+-
+- requires some external setup to operate so is disabled by default (see
+- comments in sshfp-connect.sh).
+-
+- OpenBSD-Regress-ID: c52c461bd1df3a803d17498917d156ef64512fd9
+-
+-commit f0cd000d8e3afeb0416dce1c711c3d7c28d89bdd
+-Author: dtucker@openbsd.org
+-Date: Mon Jul 19 02:29:28 2021 +0000
+-
+- upstream: Add ed25519 key and test SSHFP export of it. Only test
+-
+- RSA SSHFP export if we have RSA functionality compiled in.
+-
+- OpenBSD-Regress-ID: b4ff5181b8c9a5862e7f0ecdd96108622333a9af
+-
+-commit 0075511e27e5394faa28edca02bfbf13b9a6693e
+-Author: dtucker@openbsd.org
+-Date: Mon Jul 19 00:16:26 2021 +0000
+-
+- upstream: Group keygen tests together.
+-
+- OpenBSD-Regress-ID: 07e2d25c527bb44f03b7c329d893a1f2d6c5c40c
+-
+-commit 034828820c7e62652e7c48f9ee6b67fb7ba6fa26
+-Author: dtucker@openbsd.org
+-Date: Sun Jul 18 23:10:10 2021 +0000
+-
+- upstream: Add test for ssh-keygen printing of SSHFP records.
+-
+- OpenBSD-Regress-ID: fde9566b56eeb980e149bbe157a884838507c46b
+-
+-commit 52c3b6985ef1d5dadb4c4fe212f8b3a78ca96812
+-Author: djm@openbsd.org
+-Date: Sat Jul 17 00:38:11 2021 +0000
+-
+- upstream: wrap some long lines
+-
+- OpenBSD-Commit-ID: 4f5186b1466656762dae37d3e569438d900c350d
+-
+-commit 43ec991a782791d0b3f42898cd789f99a07bfaa4
+-Author: djm@openbsd.org
+-Date: Sat Jul 17 00:36:53 2021 +0000
+-
+- upstream: fix sftp on ControlPersist connections, broken by recent
+-
+- SessionType change; spotted by sthen@
+-
+- OpenBSD-Commit-ID: 4c5ddc5698790ae6ff50d2a4f8f832f0eeeaa234
+-
+-commit 073f45c236550f158c9a94003e4611c07dea5279
+-Author: djm@openbsd.org
+-Date: Fri Jul 16 09:00:23 2021 +0000
+-
+- upstream: Explicitly check for and start time-based rekeying in the
+-
+- client and server mainloops.
+-
+- Previously the rekey timeout could expire but rekeying would not start
+- until a packet was sent or received. This could cause us to spin in
+- select() on the rekey timeout if the connection was quiet.
+-
+- ok markus@
+-
+- OpenBSD-Commit-ID: 4356cf50d7900f3df0a8f2117d9e07c91b9ff987
+-
+-commit ef7c4e52d5d840607f9ca3a302a4cbb81053eccf
+-Author: jmc@openbsd.org
+-Date: Wed Jul 14 06:46:38 2021 +0000
+-
+- upstream: reorder SessionType; ok djm
+-
+- OpenBSD-Commit-ID: c7dd0b39e942b1caf4976a0b1cf0fed33d05418c
+-
+-commit 8aa2f9aeb56506dca996d68ab90ab9c0bebd7ec3
+-Author: Darren Tucker
+-Date: Wed Jul 14 11:26:50 2021 +1000
+-
+- Make whitespace consistent.
+-
+-commit 4f4297ee9b8a39f4dfd243a74c5f51f9e7a05723
+-Author: Darren Tucker
+-Date: Wed Jul 14 11:26:12 2021 +1000
+-
+- Add ARM64 Linux self-hosted runner.
+-
+-commit eda8909d1b0a85b9c3804a04d03ec6738fd9dc7f
+-Author: djm@openbsd.org
+-Date: Tue Jul 13 23:48:36 2021 +0000
+-
+- upstream: add a SessionType directive to ssh_config, allowing the
+-
+- configuration file to offer equivalent control to the -N (no session) and -s
+- (subsystem) command-line flags.
+-
+- Part of GHPR#231 by Volker Diels-Grabsch with some minor tweaks;
+- feedback and ok dtucker@
+-
+- OpenBSD-Commit-ID: 726ee931dd4c5cc7f1d7a187b26f41257f9a2d12
+-
+-commit 7ae69f2628e338ba6e0eae7ee8a63bcf8fea7538
+-Author: djm@openbsd.org
+-Date: Mon Jul 12 02:12:22 2021 +0000
+-
+- upstream: fix some broken tests; clean up output
+-
+- OpenBSD-Regress-ID: 1d5038edb511dc4ce1622344c1e724626a253566
+-
+-commit f5fc6a4c3404bbf65c21ca6361853b33d78aa87e
+-Author: Darren Tucker
+-Date: Mon Jul 12 18:00:05 2021 +1000
+-
+- Add configure-time detection for SSH_TIME_T_MAX.
+-
+- Should fix printing cert times exceeding INT_MAX (bz#3329) on platforms
+- were time_t is a long long. The limit used is for the signed type, so if
+- some system has a 32bit unsigned time_t then the lower limit will still
+- be imposed and we would need to add some way to detect this. Anyone using
+- an unsigned 64bit can let us know when it starts being a problem.
+-
+-commit fd2d06ae4442820429d634c0a8bae11c8e40c174
+-Author: dtucker@openbsd.org
+-Date: Mon Jul 12 06:22:57 2021 +0000
+-
+- upstream: Make limit for time_t test unconditional in the
+-
+- format_absolute_time fix for bz#3329 that allows printing of timestamps past
+- INT_MAX. This was incorrectly included with the previous commit. Based on
+- discussion with djm@.
+-
+- OpenBSD-Commit-ID: 835936f6837c86504b07cabb596b613600cf0f6e
+-
+-commit 6c29b387cd64a57b0ec8ae7d2c8d02789d88fcc3
+-Author: dtucker@openbsd.org
+-Date: Mon Jul 12 06:08:57 2021 +0000
+-
+- upstream: Use existing format_absolute_time() function when
+-
+- printing cert validity instead of doing it inline. Part of bz#3329.
+-
+- OpenBSD-Commit-ID: a13d4e3c4f59644c23745eb02a09b2a4e717c00c
+-
+-commit 99981d5f8bfa383791afea03f6bce8454e96e323
+-Author: djm@openbsd.org
+-Date: Fri Jul 9 09:55:56 2021 +0000
+-
+- upstream: silence redundant error message; reported by Fabian Stelzer
+-
+- OpenBSD-Commit-ID: 9349a703016579a60557dafd03af2fe1d44e6aa2
+-
+-commit e86097813419b49d5bff5c4b51d1c3a5d4d2d804
+-Author: John Ericson
+-Date: Sat Dec 26 11:40:49 2020 -0500
+-
+- Re-indent krb5 section after pkg-config addition.
+-
+-commit 32dd2daa56c294e40ff7efea482c9eac536d8cbb
+-Author: John Ericson
+-Date: Sat Dec 26 11:40:49 2020 -0500
+-
+- Support finding Kerberos via pkg-config
+-
+- This makes cross compilation easier.
+-
+-commit def7a72234d7e4f684d72d33a0f7229f9eee0aa4
+-Author: Darren Tucker
+-Date: Fri Jul 9 14:34:06 2021 +1000
+-
+- Update comments about EGD to include prngd.
+-
+-commit b5d23150b4e3368f4983fd169d432c07afeee45a
+-Author: dtucker@openbsd.org
+-Date: Mon Jul 5 01:21:07 2021 +0000
+-
+- upstream: Fix a couple of whitespace things. Portable already has
+-
+- these so this removes two diffs between the two.
+-
+- OpenBSD-Commit-ID: 769f017ebafd8e741e337b3e9e89eb5ac73c9c56
+-
+-commit 8f57be9f279b8e905f9883066aa633c7e67b31cf
+-Author: dtucker@openbsd.org
+-Date: Mon Jul 5 01:16:46 2021 +0000
+-
+- upstream: Order includes as per style(9). Portable already has
+-
+- these so this removes a handful of diffs between the two.
+-
+- OpenBSD-Commit-ID: 8bd7452d809b199c19bfc49511a798f414eb4a77
+-
+-commit b75624f8733b3ed9e240f86cac5d4a39dae11848
+-Author: dtucker@openbsd.org
+-Date: Mon Jul 5 00:50:25 2021 +0000
+-
+- upstream: Remove comment referencing now-removed
+-
+- RhostsRSAAuthentication. ok djm@
+-
+- OpenBSD-Commit-ID: 3d864bfbd99a1d4429a58e301688f3be464827a9
+-
+-commit b67eb12f013c5441bb4f0893a97533582ad4eb13
+-Author: djm@openbsd.org
+-Date: Mon Jul 5 00:25:42 2021 +0000
+-
+- upstream: allow spaces to appear in usernames for local to remote,
+-
+- and scp -3 remote to remote copies. with & ok dtucker bz#1164
+-
+- OpenBSD-Commit-ID: e9b550f3a85ffbb079b6720833da31317901d6dd
+-
+-commit 8c4ef0943e574f614fc7c6c7e427fd81ee64ab87
+-Author: dtucker@openbsd.org
+-Date: Fri Jul 2 07:20:44 2021 +0000
+-
+- upstream: Remove obsolete comments about SSHv1 auth methods. ok
+-
+- djm@
+-
+- OpenBSD-Commit-ID: 6060f70966f362d8eb4bec3da2f6c4712fbfb98f
+-
+-commit 88908c9b61bcb99f16e8d398fc41e2b3b4be2003
+-Author: Darren Tucker
+-Date: Sat Jul 3 23:00:19 2021 +1000
+-
+- Remove reference to ChallengeResponse.
+-
+- challenge_response_authentication was removed from the struct, keeping
+- kbd_interactive_authentication.
+-
+-commit 321874416d610ad2158ce6112f094a4862c2e37f
+-Author: Darren Tucker
+-Date: Sat Jul 3 20:38:09 2021 +1000
+-
+- Move signal.h up include order to match upstream.
+-
+-commit 4fa83e2d0e32c2dd758653e0359984bbf1334f32
+-Author: Darren Tucker
+-Date: Sat Jul 3 20:36:06 2021 +1000
+-
+- Remove old OpenBSD version marker.
+-
+- Looks like an accidental leftover from a sync.
+-
+-commit 9d5e31f55d5f3899b72645bac41a932d298ad73b
+-Author: Darren Tucker
+-Date: Sat Jul 3 20:34:19 2021 +1000
+-
+- Remove duplicate error on error path.
+-
+- There's an extra error() call on the listen error path, it looks like
+- its removal was missed during an upstream sync.
+-
+-commit 888c459925c7478ce22ff206c9ac1fb812a40caf
+-Author: Darren Tucker
+-Date: Sat Jul 3 20:32:46 2021 +1000
+-
+- Remove some whitespace not in upstream.
+-
+- Reduces diff vs OpenBSD by a small amount.
+-
+-commit 4d2d4d47a18d93f3e0a91a241a6fdb545bbf7dc2
+-Author: Darren Tucker
+-Date: Sat Jul 3 19:27:43 2021 +1000
+-
+- Replace remaining references to ChallengeResponse.
+-
+- Portable had a few additional references to ChallengeResponse related to
+- UsePAM, replaces these with equivalent keyboard-interactive ones.
+-
+-commit 53237ac789183946dac6dcb8838bc3b6b9b43be1
+-Author: Darren Tucker
+-Date: Sat Jul 3 19:23:28 2021 +1000
+-
+- Sync remaining ChallengeResponse removal.
+-
+- These were omitted from commit 88868fd131.
+-
+-commit 2c9e4b319f7e98744b188b0f58859d431def343b
+-Author: Darren Tucker
+-Date: Sat Jul 3 19:17:31 2021 +1000
+-
+- Disable rocky84 to figure out why agent test fails
+-
+-commit bfe19197a92b7916f64a121fbd3c179abf15e218
+-Author: Darren Tucker
+-Date: Fri Jul 2 15:43:28 2021 +1000
+-
+- Remove now-unused SSHv1 enums.
+-
+- sRhostsRSAAuthentication and sRSAAuthentication are protocol 1 options
+- and are no longer used.
+-
+-commit c73b02d92d72458a5312bd098f32ce88868fd131
+-Author: dtucker@openbsd.org
+-Date: Fri Jul 2 05:11:20 2021 +0000
+-
+- upstream: Remove references to ChallengeResponseAuthentication in
+-
+- favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the
+- latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but
+- not entirely equivalent. We retain the old name as deprecated alias so
+- config files continue to work and a reference in the man page for people
+- looking for it.
+-
+- Prompted by bz#3303 which pointed out the discrepancy between the two
+- when used with Match. Man page help & ok jmc@, with & ok djm@
+-
+- OpenBSD-Commit-ID: 2c1bff8e5c9852cfcdab1f3ea94dfef5a22f3b7e
+-
+-commit f841fc9c8c7568a3b5d84a4cc0cefacb7dbc16b9
+-Author: Darren Tucker
+-Date: Fri Jul 2 15:20:32 2021 +1000
+-
+- Fix ifdefs around get_random_bytes_prngd.
+-
+- get_random_bytes_prngd() is used if either of PRNGD_PORT or PRNGD_SOCKET
+- are defined, so adjust ifdef accordingly.
+-
+-commit 0767627cf66574484b9c0834500b42ea04fe528a
+-Author: Damien Miller
+-Date: Fri Jul 2 14:30:23 2021 +1000
+-
+- wrap get_random_bytes_prngd() in ifdef
+-
+- avoid unused static function warning
+-
+-commit f93fdc4de158386efe1116bd44c5b3f4a7a82c25
+-Author: Darren Tucker
+-Date: Mon Jun 28 13:06:37 2021 +1000
+-
+- Add rocky84 test target.
+-
+-commit d443006c0ddfa7f6a5bd9c0ae92036f3d5f2fa3b
+-Author: djm@openbsd.org
+-Date: Fri Jun 25 06:30:22 2021 +0000
+-
+- upstream: fix decoding of X.509 subject name; from Leif Thuresson
+-
+- via bz3327 ok markus@
+-
+- OpenBSD-Commit-ID: 0ea2e28f39750dd388b7e317bc43dd997a217ae8
+-
+-commit 2a5704ec142202d387fda2d6872fd4715ab81347
+-Author: dtucker@openbsd.org
+-Date: Fri Jun 25 06:20:39 2021 +0000
+-
+- upstream: Use better language to refer to the user. From l1ving
+-
+- via github PR#250, ok jmc@
+-
+- OpenBSD-Commit-ID: 07ca3526626996613e128aeddf7748c93c4d6bbf
+-
+-commit 4bdf7a04797a0ea1c431a9d54588417c29177d19
+-Author: dtucker@openbsd.org
+-Date: Fri Jun 25 03:38:17 2021 +0000
+-
+- upstream: Replace SIGCHLD/notify_pipe kludge with pselect.
+-
+- Previously sshd's SIGCHLD handler would wake up select() by writing a
+- byte to notify_pipe. We can remove this by blocking SIGCHLD, checking
+- for child terminations then passing the original signal mask through
+- to pselect. This ensures that the pselect will immediately wake up if
+- a child terminates between wait()ing on them and the pselect.
+-
+- In -portable, for platforms that do not have pselect the kludge is still
+- there but is hidden behind a pselect interface.
+-
+- Based on other changes for bz#2158, ok djm@
+-
+- OpenBSD-Commit-ID: 202c85de0b3bdf1744fe53529a05404c5480d813
+-
+-commit c9f7bba2e6f70b7ac1f5ea190d890cb5162ce127
+-Author: Darren Tucker
+-Date: Fri Jun 25 15:08:18 2021 +1000
+-
+- Move closefrom() to before first malloc.
+-
+- When built against tcmalloc, tcmalloc allocates a descriptor for its
+- internal use, so calling closefrom() afterward causes the descriptor
+- number to be reused resulting in a corrupted connection. Moving the
+- closefrom a little earlier should resolve this. From kircherlike at
+- outlook.com via bz#3321, ok djm@
+-
+-commit 7ebfe4e439853b88997c9cfc2ff703408a1cca92
+-Author: Darren Tucker
+-Date: Fri Jun 18 20:41:45 2021 +1000
+-
+- Put second -lssh in link line for sftp-server.
+-
+- When building --without-openssl the recent port-prngd.c change adds
+- a dependency on atomicio, but since nothing else in sftp-server uses
+- it, the linker may not find it. Add a second -lssh similar to other
+- binaries.
+-
+-commit e409d7966785cfd9f5970e66a820685c42169717
+-Author: Darren Tucker
+-Date: Fri Jun 18 18:34:08 2021 +1000
+-
+- Try EGD/PRNGD if random device fails.
+-
+- When built --without-openssl, try EGD/PRGGD (if configured) as a last
+- resort before failing.
+-
+-commit e43a898043faa3a965dbaa1193cc60e0b479033d
+-Author: Darren Tucker
+-Date: Fri Jun 18 18:32:51 2021 +1000
+-
+- Split EGD/PRNGD interface into its own file.
+-
+- This will allow us to use it when building --without-openssl.
+-
+-commit acb2887a769a1b1912cfd7067f3ce04fad240260
+-Author: Darren Tucker
+-Date: Thu Jun 17 21:03:19 2021 +1000
+-
+- Handle GIDs > 2^31 in getgrouplist.
+-
+- When compiled in 32bit mode, the getgrouplist implementation may fail
+- for GIDs greater than LONG_MAX. Analysis and change from ralf.winkel
+- at tui.com.
+-
+-commit 31fac20c941126281b527605b73bff30a8f02edd
+-Author: dtucker@openbsd.org
+-Date: Thu Jun 10 09:46:28 2021 +0000
+-
+- upstream: Use $SUDO when reading sshd's pidfile here too.
+-
+- OpenBSD-Regress-ID: 6bfb0d455d493f24839034a629c5306f84dbd409
+-
+-commit a3a58acffc8cc527f8fc6729486d34e4c3d27643
+-Author: dtucker@openbsd.org
+-Date: Thu Jun 10 09:43:51 2021 +0000
+-
+- upstream: Use $SUDO when reading sshd's pidfile in case it was
+-
+- created with a very restrictive umask. This resyncs with -portable.
+-
+- OpenBSD-Regress-ID: 07fd2af06df759d4f64b82c59094accca1076a5d
+-
+-commit 249ad4ae51cd3bc235e75a4846eccdf8b1416611
+-Author: dtucker@openbsd.org
+-Date: Thu Jun 10 09:37:59 2021 +0000
+-
+- upstream: Set umask when creating hostkeys to prevent excessive
+-
+- permissions warning.
+-
+- OpenBSD-Regress-ID: 382841db0ee28dfef7f7bffbd511803e1b8ab0ef
+-
+-commit 9d0892153c005cc65897e9372b01fa66fcbe2842
+-Author: dtucker@openbsd.org
+-Date: Thu Jun 10 03:45:31 2021 +0000
+-
+- upstream: Add regress test for SIGHUP restart
+-
+- while handling active and unauthenticated clients. Should catch anything
+- similar to the pselect bug just fixed in sshd.c.
+-
+- OpenBSD-Regress-ID: 3b3c19b5e75e43af1ebcb9586875b3ae3a4cac73
+-
+-commit 73f6f191f44440ca3049b9d3c8e5401d10b55097
+-Author: dtucker@openbsd.org
+-Date: Thu Jun 10 03:14:14 2021 +0000
+-
+- upstream: Continue accept loop when pselect
+-
+- returns -1, eg if it was interrupted by a signal. This should prevent
+- the hang discovered by sthen@ wherein sshd receives a SIGHUP while it has
+- an unauthenticated child and goes on to a blocking read on a notify_pipe.
+- feedback deraadt@, ok djm@
+-
+- OpenBSD-Commit-ID: 0243c1c5544fca0974dae92cd4079543a3fceaa0
+-
+-commit c785c0ae134a8e8b5c82b2193f64c632a98159e4
+-Author: djm@openbsd.org
+-Date: Tue Jun 8 22:30:27 2021 +0000
+-
+- upstream: test that UserKnownHostsFile correctly accepts multiple
+-
+- arguments; would have caught readconf.c r1.356 regression
+-
+- OpenBSD-Regress-ID: 71ca54e66c2a0211b04999263e56390b1f323a6a
+-
+-commit 1a6f6b08e62c78906a3032e8d9a83e721c84574e
+-Author: djm@openbsd.org
+-Date: Tue Jun 8 22:06:12 2021 +0000
+-
+- upstream: fix regression in r1.356: for ssh_config options that
+-
+- accepted multiple string arguments, ssh was only recording the first.
+- Reported by Lucas via bugs@
+-
+- OpenBSD-Commit-ID: 7cbf182f7449bf1cb7c5b4452667dc2b41170d6d
+-
+-commit 78e30af3e2b2dd540a341cc827c6b98dd8b0a6de
+-Author: djm@openbsd.org
+-Date: Tue Jun 8 07:40:12 2021 +0000
+-
+- upstream: test argv_split() optional termination on comments
+-
+- OpenBSD-Regress-ID: 9fd1c4a27a409897437c010cfd79c54b639a059c
+-
+-commit a023138957ea2becf1c7f93fcc42b0aaac6f2b03
+-Author: dtucker@openbsd.org
+-Date: Tue Jun 8 07:05:27 2021 +0000
+-
+- upstream: Add testcases from bz#3319 for IPQoS and TunnelDevice
+-
+- being overridden on the command line.
+-
+- OpenBSD-Regress-ID: 801674d5d2d02abd58274a78cab2711f11de14a8
+-
+-commit 660cea10b2cdc11f13ba99c89b1bbb368a4d9ff2
+-Author: djm@openbsd.org
+-Date: Tue Jun 8 06:52:43 2021 +0000
+-
+- upstream: sprinkle some "# comment" at end of configuration lines
+-
+- to test comment handling
+-
+- OpenBSD-Regress-ID: cb82fbf40bda5c257a9f742c63b1798e5a8fdda7
+-
+-commit acc9c32dcb6def6c7d3688bceb4c0e59bd26b411
+-Author: djm@openbsd.org
+-Date: Tue Jun 8 06:51:47 2021 +0000
+-
+- upstream: more descriptive failure message
+-
+- OpenBSD-Regress-ID: 5300f6faf1d9e99c0cd10827b51756c5510e3509
+-
+-commit ce04dd4eae23d1c9cf7c424a702f48ee78573bc1
+-Author: djm@openbsd.org
+-Date: Mon Jun 7 01:16:34 2021 +0000
+-
+- upstream: test AuthenticationMethods inside a Match block as well
+-
+- as in the main config section
+-
+- OpenBSD-Regress-ID: ebe0a686621b7cb8bb003ac520975279c28747f7
+-
+-commit 9018bd821fca17e26e92f7a7e51d9b24cd62f2db
+-Author: djm@openbsd.org
+-Date: Mon Jun 7 00:00:50 2021 +0000
+-
+- upstream: prepare for stricter sshd_config parsing that will refuse
+-
+- a config that has {Allow,Deny}{Users,Groups} on a line with no subsequent
+- arguments. Such lines are permitted but are nonsensical noops ATM
+-
+- OpenBSD-Regress-ID: ef65463fcbc0bd044e27f3fe400ea56eb4b8f650
+-
+-commit a10f929d1ce80640129fc5b6bc1acd9bf689169e
+-Author: djm@openbsd.org
+-Date: Tue Jun 8 07:09:42 2021 +0000
+-
+- upstream: switch sshd_config parsing to argv_split()
+-
+- similar to the previous commit, this switches sshd_config parsing to
+- the newer tokeniser. Config parsing will be a little stricter wrt
+- quote correctness and directives appearing without arguments.
+-
+- feedback and ok markus@
+-
+- tested in snaps for the last five or so days - thanks Theo and those who
+- caught bugs
+-
+- OpenBSD-Commit-ID: 9c4305631d20c2d194661504ce11e1f68b20d93e
+-
+-commit ea9e45c89a4822d74a9d97fef8480707d584da4d
+-Author: djm@openbsd.org
+-Date: Tue Jun 8 07:07:15 2021 +0000
+-
+- upstream: Switch ssh_config parsing to use argv_split()
+-
+- This fixes a couple of problems with the previous tokeniser,
+- strdelim()
+-
+- 1. strdelim() is permissive wrt accepting '=' characters. This is
+- intended to allow it to tokenise "Option=value" but because it
+- cannot keep state, it will incorrectly split "Opt=val=val2".
+- 2. strdelim() has rudimentry handling of quoted strings, but it
+- is incomplete and inconsistent. E.g. it doesn't handle escaped
+- quotes inside a quoted string.
+- 3. It has no support for stopping on a (unquoted) comment. Because
+- of this readconf.c r1.343 added chopping of lines at '#', but
+- this caused a regression because these characters may legitimately
+- appear inside quoted strings.
+-
+- The new tokeniser is stricter is a number of cases, including #1 above
+- but previously it was also possible for some directives to appear
+- without arguments. AFAIK these were nonsensical in all cases, and the
+- new tokeniser refuses to accept them.
+-
+- The new code handles quotes much better, permitting quoted space as
+- well as escaped closing quotes. Finally, comment handling should be
+- fixed - the tokeniser will terminate only on unquoted # characters.
+-
+- feedback & ok markus@
+-
+- tested in snaps for the last five or so days - thanks Theo and those who
+- caught bugs
+-
+- OpenBSD-Commit-ID: dc72fd12af9d5398f4d9e159d671f9269c5b14d5
+-
+-commit d786424986c04d1d375f231fda177c8408e05c3e
+-Author: dtucker@openbsd.org
+-Date: Tue Jun 8 07:02:46 2021 +0000
+-
+- upstream: Check if IPQoS or TunnelDevice are already set before
+-
+- overriding. Prevents values in config files from overriding values supplied
+- on the command line. bz#3319, ok markus.
+-
+- OpenBSD-Commit-ID: f3b08b898c324debb9195e6865d8999406938f74
+-
+-commit aae4b4d3585b9f944d7dbd3c9e5ba0006c55e457
+-Author: djm@openbsd.org
+-Date: Tue Jun 8 06:54:40 2021 +0000
+-
+- upstream: Allow argv_split() to optionally terminate tokenisation
+-
+- when it encounters an unquoted comment.
+-
+- Add some additional utility function for working with argument
+- vectors, since we'll be switching to using them to parse
+- ssh/sshd_config shortly.
+-
+- ok markus@ as part of a larger diff; tested in snaps
+-
+- OpenBSD-Commit-ID: fd9c108cef2f713f24e3bc5848861d221bb3a1ac
+-
+-commit da9f9acaac5bab95dca642b48e0c8182b246ab69
+-Author: Darren Tucker
+-Date: Mon Jun 7 19:19:23 2021 +1000
+-
+- Save logs on failure for upstream test
+-
+-commit 76883c60161e5f3808787085a27a8c37f8cc4e08
+-Author: Darren Tucker
+-Date: Mon Jun 7 14:36:32 2021 +1000
+-
+- Add obsdsnap-i386 upstream test target.
+-
+-commit d45b9c63f947ec5ec314696e70281f6afddc0ac3
+-Author: djm@openbsd.org
+-Date: Mon Jun 7 03:38:38 2021 +0000
+-
+- upstream: fix debug message when finding a private key to match a
+-
+- certificate being attempted for user authentication. Previously it would
+- print the certificate's path, whereas it was supposed to be showing the
+- private key's path. Patch from Alex Sherwin via GHPR247
+-
+- OpenBSD-Commit-ID: d5af3be66d0f22c371dc1fe6195e774a18b2327b
+-
+-commit 530739d42f6102668aecd699be0ce59815c1eceb
+-Author: djm@openbsd.org
+-Date: Sun Jun 6 11:34:16 2021 +0000
+-
+- upstream: Match host certificates against host public keys, not private
+-
+- keys. Allows use of certificates with private keys held in a ssh-agent.
+- Reported by Miles Zhou in bz3524; ok dtucker@
+-
+- OpenBSD-Commit-ID: 25f5bf70003126d19162862d9eb380bf34bac22a
+-
+-commit 4265215d7300901fd7097061c7517688ade82f8e
+-Author: djm@openbsd.org
+-Date: Sun Jun 6 03:40:39 2021 +0000
+-
+- upstream: Client-side workaround for a bug in OpenSSH 7.4: this release
+-
+- allows RSA/SHA2 signatures for public key authentication but fails to
+- advertise this correctly via SSH2_MSG_EXT_INFO. This causes clients of these
+- server to incorrectly match PubkeyAcceptedAlgorithms and potentially refuse
+- to offer valid keys.
+-
+- Reported by and based on patch from Gordon Messmer via bz3213, thanks
+- also for additional analysis by Jakub Jelen. ok dtucker
+-
+- OpenBSD-Commit-ID: d6d0b7351d5d44c45f3daaa26efac65847a564f7
+-
+-commit bda270d7fb8522d43c21a79a4b02a052d7c64de8
+-Author: djm@openbsd.org
+-Date: Sun Jun 6 03:17:02 2021 +0000
+-
+- upstream: degrade gracefully if a sftp-server offers the
+-
+- limits@openssh.com extension but fails when the client tries to invoke it.
+- Reported by Hector Martin via bz3318
+-
+- OpenBSD-Commit-ID: bd9d1839c41811616ede4da467e25746fcd9b967
+-
+-commit d345d5811afdc2d6923019b653cdd93c4cc95f76
+-Author: djm@openbsd.org
+-Date: Sun Jun 6 03:15:39 2021 +0000
+-
+- upstream: the limits@openssh.com extension was incorrectly marked
+-
+- as an operation that writes to the filesystem, which made it unavailable in
+- sftp-server read-only mode. Spotted by Hector Martin via bz3318
+-
+- OpenBSD-Commit-ID: f054465230787e37516c4b57098fc7975e00f067
+-
+-commit 2b71010d9b43d7b8c9ec1bf010beb00d98fa765a
+-Author: naddy@openbsd.org
+-Date: Sat Jun 5 13:47:00 2021 +0000
+-
+- upstream: PROTOCOL.certkeys: update reference from IETF draft to
+-
+- RFC
+-
+- Also fix some typos.
+- ok djm@
+-
+- OpenBSD-Commit-ID: 5e855b6c5a22b5b13f8ffa3897a868e40d349b44
+-
+-commit aa99b2d9a3e45b943196914e8d8bf086646fdb54
+-Author: Darren Tucker
+-Date: Fri Jun 4 23:41:29 2021 +1000
+-
+- Clear notify_pipe from readset if present.
+-
+- Prevents leaking an implementation detail to the caller.
+-
+-commit 6de8dadf6b4d0627d35bca0667ca44b1d61c2c6b
+-Author: Darren Tucker
+-Date: Fri Jun 4 23:24:25 2021 +1000
+-
+- space->tabs.
+-
+-commit c8677065070ee34c05c7582a9c2f58d8642e552d
+-Author: Darren Tucker
+-Date: Fri Jun 4 18:39:48 2021 +1000
+-
+- Add pselect implementation for platforms without.
+-
+- This is basically the existing notify_pipe kludge from serverloop.c
+- moved behind a pselect interface. It works by installing a signal
+- handler that writes to a pipe that the select is watching, then calls
+- the original handler.
+-
+- The select call in serverloop will become pselect soon, at which point the
+- kludge will be removed from thereand will only exist in the compat layer.
+- Original code by markus, help from djm.
+-
+-commit 7cd7f302d3a072748299f362f9e241d81fcecd26
+-Author: Vincent Brillault
+-Date: Sun May 24 09:15:06 2020 +0200
+-
+- auth_log: dont log partial successes as failures
+-
+- By design, 'partial' logins are successful logins, so initially with
+- authenticated set to 1, for which another authentication is required. As
+- a result, authenticated is always reset to 0 when partial is set to 1.
+- However, even if authenticated is 0, those are not failed login
+- attempts, similarly to attempts with authctxt->postponed set to 1.
+-
+-commit e7606919180661edc7f698e6a1b4ef2cfb363ebf
+-Author: djm@openbsd.org
+-Date: Fri Jun 4 06:19:07 2021 +0000
+-
+- upstream: The RB_GENERATE_STATIC(3) macro expands to a series of
+-
+- function definitions and not a statement, so there should be no semicolon
+- following them. Patch from Michael Forney
+-
+- OpenBSD-Commit-ID: c975dd180580f0bdc0a4d5b7d41ab1f5e9b7bedd
+-
+-commit c298c4da574ab92df2f051561aeb3e106b0ec954
+-Author: djm@openbsd.org
+-Date: Fri Jun 4 05:59:18 2021 +0000
+-
+- upstream: rework authorized_keys example section, removing irrelevant
+-
+- stuff, de-wrapping the example lines and better aligning the examples with
+- common usage and FAQs; ok jmc
+-
+- OpenBSD-Commit-ID: d59f1c9281f828148e2a2e49eb9629266803b75c
+-
+-commit d9cb35bbec5f623589d7c58fc094817b33030f35
+-Author: djm@openbsd.org
+-Date: Fri Jun 4 05:10:03 2021 +0000
+-
+- upstream: adjust SetEnv description to clarify $TERM handling
+-
+- OpenBSD-Commit-ID: 8b8cc0124856bc1094949d55615e5c44390bcb22
+-
+-commit 771f57a8626709f2ad207058efd68fbf30d31553
+-Author: dtucker@openbsd.org
+-Date: Fri Jun 4 05:09:08 2021 +0000
+-
+- upstream: Switch the listening select loop from select() to
+-
+- pselect() and mask signals while checking signal flags, umasking for pselect
+- and restoring afterwards. Also restore signals before sighup_restart so they
+- don't remain blocked after restart.
+-
+- This prevents a race where a SIGTERM or SIGHUP can arrive between
+- checking the flag and calling select (eg if sshd is processing a
+- new connection) resulting in sshd not shutting down until the next
+- time it receives a new connection. bz#2158, with & ok djm@
+-
+- OpenBSD-Commit-ID: bf85bf880fd78e00d7478657644fcda97b9a936f
+-
+-commit f64f8c00d158acc1359b8a096835849b23aa2e86
+-Author: djm@openbsd.org
+-Date: Fri Jun 4 05:02:40 2021 +0000
+-
+- upstream: allow ssh_config SetEnv to override $TERM, which is otherwise
+-
+- handled specially by the protocol. Useful in ~/.ssh/config to set TERM to
+- something generic (e.g. "xterm" instead of "xterm-256color") for destinations
+- that lack terminfo entries. feedback and ok dtucker@
+-
+- OpenBSD-Commit-ID: 38b1ef4d5bc159c7d9d589d05e3017433e2d5758
+-
+-commit 60107677dc0ce1e93c61f23c433ad54687fcd9f5
+-Author: djm@openbsd.org
+-Date: Fri Jun 4 04:02:21 2021 +0000
+-
+- upstream: correct extension name "no-presence-required" =>
+-
+- "no-touch-required"
+-
+- document "verify-required" option
+-
+- OpenBSD-Commit-ID: 1879ff4062cf61d79b515e433aff0bf49a6c55c5
+-
+-commit ecc186e46e3e30f27539b4311366dfda502f0a08
+-Author: Darren Tucker
+-Date: Wed Jun 2 13:54:11 2021 +1000
+-
+- Retire fbsd7 test target.
+-
+- It's the slowest of the selfhosted targets (since it's 32bit but has
+- most of the crypto algos). We still have coverage for 32bit i386.
+-
+-commit 5de0867b822ec48b5eec9abde0f5f95d1d646546
+-Author: Darren Tucker
+-Date: Wed Jun 2 11:21:40 2021 +1000
+-
+- Check for $OPENSSL in md5 fallback too.
+-
+-commit 1db69d1b6542f8419c04cee7fd523a4a11004be2
+-Author: Darren Tucker
+-Date: Wed Jun 2 11:17:54 2021 +1000
+-
+- Add dfly60 target.
+-
+-commit a3f2dd955f1c19cad387a139f0e719af346ca6ef
+-Author: dtucker@openbsd.org
+-Date: Wed Jun 2 00:17:45 2021 +0000
+-
+- upstream: Merge back shell portability changes
+-
+- bringing it back in sync with -portable.
+-
+- OpenBSD-Regress-ID: c07905ba931e66ad7d849b87b7d19648007175d1
+-
+-commit 9d482295c9f073e84d75af46b720a1c0f7ec2867
+-Author: dtucker@openbsd.org
+-Date: Tue Jun 1 23:56:20 2021 +0000
+-
+- upstream: Use a default value for $OPENSSL,
+-
+- allowing it to be overridden. Do the same in the PuTTY tests since it's
+- needed there and not exported by test-exec.sh.
+-
+- OpenBSD-Regress-ID: c49dcd6aa7602a8606b7afa192196ca1fa65de16
+-
+-commit 07660b3c99f8ea74ddf4a440e55c16c9f7fb3dd1
+-Author: dtucker@openbsd.org
+-Date: Mon May 24 10:25:18 2021 +0000
+-
+- upstream: Find openssl binary via environment variable. This
+-
+- allows overriding if necessary (eg in -portable where we're testing against a
+- specific version of OpenSSL).
+-
+- OpenBSD-Regress-ID: 491f39cae9e762c71aa4bf045803d077139815c5
+-
+-commit 1a4d1da9188d7c88f646b61f0d6a3b34f47c5439
+-Author: djm@openbsd.org
+-Date: Fri May 21 04:03:47 2021 +0000
+-
+- upstream: fix memleak in test
+-
+- OpenBSD-Regress-ID: 5e529d0982aa04666604936df43242e97a7a6f81
+-
+-commit 60455a5d98065a73ec9a1f303345856bbd49aecc
+-Author: djm@openbsd.org
+-Date: Fri May 21 03:59:01 2021 +0000
+-
+- upstream: also check contents of remaining string
+-
+- OpenBSD-Regress-ID: d526fa07253f4eebbc7d6205a0ab3d491ec71a28
+-
+-commit 39f6cd207851d7b67ca46903bfce4a9f615b5b1c
+-Author: djm@openbsd.org
+-Date: Fri May 21 03:48:07 2021 +0000
+-
+- upstream: unit test for misc.c:strdelim() that mostly servces to
+-
+- highlight its inconsistencies
+-
+- OpenBSD-Regress-ID: 8d2bf970fcc01ccc6e36a5065f89b9c7fa934195
+-
+-commit 7a3a1dd2c7d4461962acbcc0ebee9445ba892be0
+-Author: Darren Tucker
+-Date: Thu May 27 21:23:15 2021 +1000
+-
+- Put minix3 config in the host-specific block.
+-
+-commit 59a194825f12fff8a7f75d91bf751ea17645711b
+-Author: djm@openbsd.org
+-Date: Mon May 31 06:48:42 2021 +0000
+-
+- upstream: Hash challenge supplied by client during FIDO key enrollment
+-
+- prior to passing it to libfido2, which does expect a hash.
+-
+- There is no effect for users who are simply generating FIDO keys using
+- ssh-keygen - by default we generate a random 256 bit challenge, but
+- people building attestation workflows around our tools should now have
+- a more consistent experience (esp. fewer failures when they fail to
+- guess the magic 32-byte challenge length requirement).
+-
+- ok markus@
+-
+- OpenBSD-Commit-ID: b8d5363a6a7ca3b23dc28f3ca69470472959f2b5
+-
+-commit eb68e669bc8ab968d4cca5bf1357baca7136a826
+-Author: Darren Tucker
+-Date: Thu May 27 21:14:15 2021 +1000
+-
+- Include login_cap.h for login_getpwclass override.
+-
+- On minix3, login_getpwclass is __RENAME'ed to __login_getpwclass50 so
+- without this the include overriding login_getpwclass causes a compile
+- error.
+-
+-commit 2063af71422501b65c7a92a5e14c0e6a3799ed89
+-Author: Darren Tucker
+-Date: Thu May 27 21:13:38 2021 +1000
+-
+- Add minix3 test target.
+-
+-commit 2e1efcfd9f94352ca5f4b6958af8a454f8cf48cd
+-Author: djm@openbsd.org
+-Date: Wed May 26 01:47:24 2021 +0000
+-
+- upstream: fix SEGV in UpdateHostkeys debug() message, triggered
+-
+- when the update removed more host keys than remain present. Fix tested by
+- reporter James Cook, via bugs@
+-
+- OpenBSD-Commit-ID: 44f641f6ee02bb957f0c1d150495b60cf7b869d3
+-
+-commit 9acd76e6e4d2b519773e7119c33cf77f09534909
+-Author: naddy@openbsd.org
+-Date: Sun May 23 18:22:57 2021 +0000
+-
+- upstream: ssh: The client configuration keyword is
+-
+- "hostbasedacceptedalgorithms"
+-
+- This fixes a mistake that slipped in when "HostbasedKeyTypes" was
+- renamed to "HostbasedAcceptedAlgorithms".
+-
+- Bug report by zack@philomathiclife.com
+-
+- OpenBSD-Commit-ID: d745a7e8e50b2589fc56877f322ea204bc784f38
+-
+-commit 078a0e60c92700da4c536c93c007257828ccd05b
+-Author: Darren Tucker
+-Date: Tue May 25 11:40:47 2021 +1000
+-
+- Rename README.md to ci-status.md.
+-
+- The original intent was to provide a status page for the CIs configured
+- in that directory, but it had the side effect of replacing the top-level
+- README.md.
+-
+-commit 7be4ac813662f68e89f23c50de058a49aa32f7e4
+-Author: djm@openbsd.org
+-Date: Wed May 19 01:24:05 2021 +0000
+-
+- upstream: restore blocking status on stdio fds before close
+-
+- ssh(1) needs to set file descriptors to non-blocking mode to operate
+- but it was not restoring the original state on exit. This could cause
+- problems with fds shared with other programs via the shell, e.g.
+-
+- > $ cat > test.sh << _EOF
+- > #!/bin/sh
+- > {
+- > ssh -Fnone -oLogLevel=verbose ::1 hostname
+- > cat /usr/share/dict/words
+- > } | sleep 10
+- > _EOF
+- > $ ./test.sh
+- > Authenticated to ::1 ([::1]:22).
+- > Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
+- > Bytes per second: sent 44338.9, received 55197.4
+- > cat: stdout: Resource temporarily unavailable
+-
+- This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
+- abandons/closes them.
+-
+- This was reported as bz3280 and GHPR246; ok dtucker@
+-
+- OpenBSD-Commit-ID: 8cc67346f05aa85a598bddf2383fcfcc3aae61ce
+-
+-commit c4902e1a653c67fea850ec99c7537f358904c0af
+-Author: djm@openbsd.org
+-Date: Mon May 17 11:43:16 2021 +0000
+-
+- upstream: fix breakage of -W forwaring introduced in 1.554; reported by
+-
+- naddy@ and sthen@, ok sthen@
+-
+- OpenBSD-Commit-ID: f72558e643a26dc4150cff6e5097b5502f6c85fd
+-
+-commit afea01381ad1fcea1543b133040f75f7542257e6
+-Author: dtucker@openbsd.org
+-Date: Mon May 17 07:22:45 2021 +0000
+-
+- upstream: Regenerate moduli.
+-
+- OpenBSD-Commit-ID: 83c93a2a07c584c347ac6114d6329b18ce515557
+-
+-commit be2866d6207b090615ff083c9ef212b603816a56
+-Author: Damien Miller
+-Date: Mon May 17 09:40:23 2021 +1000
+-
+- Handle Android libc returning NULL pw->pw_passwd
+-
+- Reported by Luke Dashjr
+-
+-commit 5953c143008259d87342fb5155bd0b8835ba88e5
+-Author: djm@openbsd.org
+-Date: Fri May 14 05:20:32 2021 +0000
+-
+- upstream: fix previous: test saved no_shell_flag, not the one that just
+-
+- got clobbered
+-
+- OpenBSD-Commit-ID: b8deace085d9d941b2d02f810243b9c302e5355d
+-
+-commit 1e9fa55f4dc4b334651d569d3448aaa3841f736f
+-Author: djm@openbsd.org
+-Date: Fri May 14 03:09:48 2021 +0000
+-
+- upstream: Fix ssh started with ControlPersist incorrectly executing a
+-
+- shell when the -N (no shell) option was specified. bz3290 reported by Richard
+- Schwab; patch from markus@ ok me
+-
+- OpenBSD-Commit-ID: ea1ea4af16a95687302f7690bdbe36a6aabf87e1
+-
+-commit d1320c492f655d8f5baef8c93899d79dded217a5
+-Author: dtucker@openbsd.org
+-Date: Wed May 12 11:34:30 2021 +0000
+-
+- upstream: Clarify language about moduli. While both ends of the
+-
+- connection do need to use the same parameters (ie groups), the DH-GEX
+- protocol takes care of that and both ends do not need the same contents in
+- the moduli file, which is what the previous text suggested. ok djm@ jmc@
+-
+- OpenBSD-Commit-ID: f0c18cc8e79c2fbf537a432a9070ed94e96a622a
+-
+-commit d3cc4d650ce3e59f3e370b101778b0e8f1c02c4d
+-Author: djm@openbsd.org
+-Date: Fri May 7 04:11:51 2021 +0000
+-
+- upstream: include pid in LogVerbose spam
+-
+- OpenBSD-Commit-ID: aacb86f96ee90c7cb84ec27452374285f89a7f00
+-
+-commit e3c032333be5fdbbaf2751f6f478e044922b4ec4
+-Author: djm@openbsd.org
+-Date: Fri May 7 03:09:38 2021 +0000
+-
+- upstream: don't sigdie() in signal handler in privsep child process;
+-
+- this can end up causing sandbox violations per bz3286; ok dtucker@
+-
+- OpenBSD-Commit-ID: a7f40b2141dca4287920da68ede812bff7ccfdda
+-
+-commit a4039724a3f2abac810735fc95cf9114a3856049
+-Author: dtucker@openbsd.org
+-Date: Fri May 7 09:23:40 2021 +0000
+-
+- upstream: Increase ConnectionAttempts from 4 to 10 as the tests
+-
+- occasionally time out on heavily loaded hosts.
+-
+- OpenBSD-Regress-ID: 29a8cdef354fc9da471a301f7f65184770434f3a
+-
+-commit c0d7e36e979fa3cdb60f5dcb6ac9ad3fd018543b
+-Author: djm@openbsd.org
+-Date: Fri May 7 02:26:55 2021 +0000
+-
+- upstream: dump out a usable private key string too; inspired by Tyson
+-
+- Whitehead
+-
+- OpenBSD-Regress-ID: 65572d5333801cb2f650ebc778cbdc955e372058
+-
+-commit 24fee8973abdf1c521cd2c0047d89e86d9c3fc38
+-Author: djm@openbsd.org
+-Date: Fri May 7 02:29:40 2021 +0000
+-
+- upstream: correct mistake in spec - the private key blobs are encoded
+-
+- verbatim and not as strings (i.e. no 4-byte length header)
+-
+- OpenBSD-Commit-ID: 3606b5d443d72118c5b76c4af6dd87a5d5a4f837
+-
+-commit f43859159cc62396ad5d080f0b1f2635a67dac02
+-Author: dtucker@openbsd.org
+-Date: Tue May 4 22:53:52 2021 +0000
+-
+- upstream: Don't pass NULL as a string in debugging as it does not work
+-
+- on some platforms in -portable. ok djm@
+-
+- OpenBSD-Commit-ID: 937c892c99aa3c9c272a8ed78fa7c2aba3a44fc9
+-
+-commit ac31aa3c6341905935e75f0539cf4a61bbe99779
+-Author: djm@openbsd.org
+-Date: Mon May 3 00:16:45 2021 +0000
+-
+- upstream: more debugging for UpdateHostKeys signature failures
+-
+- OpenBSD-Commit-ID: 1ee95f03875e1725df15d5e4bea3e73493d57d36
+-
+-commit 8e32e97e788e0676ce83018a742203614df6a2b3
+-Author: Darren Tucker
+-Date: Sat May 1 20:07:47 2021 +1000
+-
+- Add obsd69 test target.
+-
+-commit f06893063597c5bb9d9e93f851c4070e77d2fba9
+-Author: djm@openbsd.org
+-Date: Fri Apr 30 04:29:53 2021 +0000
+-
+- upstream: a little debugging in the main mux process for status
+-
+- confirmation failures in multiplexed sessions
+-
+- OpenBSD-Commit-ID: 6e27b87c95176107597035424e1439c3232bcb49
+-
+-commit e65cf00da6bc31e5f54603b7feb7252dc018c033
+-Author: dtucker@openbsd.org
+-Date: Fri Apr 30 04:02:52 2021 +0000
+-
+- upstream: Remove now-unused skey function prototypes leftover from
+-
+- skey removal.
+-
+- OpenBSD-Commit-ID: 2fc36d519fd37c6f10ce74854c628561555a94c3
+-
+-commit ae5f9b0d5c8126214244ee6b35aae29c21028133
+-Author: Darren Tucker
+-Date: Thu Apr 29 13:01:50 2021 +1000
+-
+- Wrap sntrup761x25519 inside ifdef.
+-
+- From balu.gajjala at gmail.com via bz#3306.
+-
+-commit 70a8dc138a6480f85065cdb239915ad4b7f928cf
+-Author: Darren Tucker
+-Date: Wed Apr 28 14:44:07 2021 +1000
+-
+- Add status badges for Actions-based tests.
+-
+-commit 40b59024cc3365815381474cdf4fe423102e391b
+-Author: Darren Tucker
+-Date: Wed Apr 28 12:22:11 2021 +1000
+-
+- Add obsdsnap (OpenBSD snapshot) test target.
+-
+-commit e627067ec8ef9ae8e7a638f4dbac91d52dee3e6d
+-Author: Darren Tucker
+-Date: Wed Apr 28 11:35:28 2021 +1000
+-
+- Add test building upstream OpenBSD source.
+-
+-commit 1b8108ebd12fc4ed0fb39ef94c5ba122558ac373
+-Author: Darren Tucker
+-Date: Tue Apr 27 14:22:20 2021 +1000
+-
+- Test against OpenSSL 1.1.0h instead of 1.1.0g.
+-
+- 1.1.0g requires a perl glob module that's not installed by default.
+-
+-commit 9bc20efd39ce8525be33df3ee009f5a4564224f1
+-Author: Darren Tucker
+-Date: Tue Apr 27 12:37:59 2021 +1000
+-
+- Use the default VM type for libcrypto ver tests.
+-
+-commit 9f79e80dc40965c2e73164531250b83b176c1eea
+-Author: Darren Tucker
+-Date: Tue Apr 27 12:24:10 2021 +1000
+-
+- Always build OpenSSL shared.
+-
+- This is the default for current versions but we need it to test against
+- earlier versions.
+-
+-commit b3cc9fbdff2782eca79e33e02ac22450dc63bce9
+-Author: Darren Tucker
+-Date: Tue Apr 27 09:18:02 2021 +1000
+-
+- Fix custom OpenSSL tests.
+-
+- Check out specified OpenSSL version. Install custom libcrypto where
+- configure expects to find it. Remove unneeded OpenSSL config time
+- options. Older OpenSSL versions were not make -j safe so remove it.
+-
+-commit 77532609874a99a19e3e2eb2d1b7fa93aef963bb
+-Author: Darren Tucker
+-Date: Mon Apr 26 17:18:25 2021 +1000
+-
+- Export CC and CFLAGS for c89 test.
+-
+-commit 33f62dfbe865f4de77980ab88774bf1eb5e4e040
+-Author: Darren Tucker
+-Date: Mon Apr 26 17:13:44 2021 +1000
+-
+- Add c89 here too.
+-
+-commit da9d59f526fce58e11cba49cd8eb011dc0bf5677
+-Author: Darren Tucker
+-Date: Mon Apr 26 15:34:23 2021 +1000
+-
+- Add test against OpenSSL w/out ECC.
+-
+-commit 29e194a752359ebf85bf7fce100f23a0477fc4de
+-Author: Darren Tucker
+-Date: Mon Apr 26 14:49:59 2021 +1000
+-
+- Ensure we can still build with C89.
+-
+-commit a38016d369d21df5d35f761f2b67e175e132ba22
+-Author: Darren Tucker
+-Date: Mon Apr 26 14:29:03 2021 +1000
+-
+- Interop test agains PuTTY.
+-
+-commit 095b0307a77be8803768857cc6c0963fa52ed85b
+-Author: Darren Tucker
+-Date: Mon Apr 26 14:02:03 2021 +1000
+-
+- Support testing against arbitary libcrytpo vers.
+-
+- Add tests against various LibreSSL and OpenSSL versions.
+-
+-commit b16082aa110fa7128ece2a9037ff420c4a285317
+-Author: Darren Tucker
+-Date: Mon Apr 26 13:35:44 2021 +1000
+-
+- Add fbsd10 test target.
+-
+-commit 2c805f16b24ea37cc051c6018fcb05defab6e57a
+-Author: Darren Tucker
+-Date: Sun Apr 25 14:15:02 2021 +1000
+-
+- Disable compiler hardening on nbsd4.
+-
+- The system compiler supports -fstack-protector-all, but using it will
+- result in an internal compiler error on some files.
+-
+-commit 6a5d39305649da5dff1934ee54292ee0cebd579d
+-Author: Darren Tucker
+-Date: Sun Apr 25 13:01:34 2021 +1000
+-
+- Add nbsd3, nbsd4 and nbsd9 test targets.
+-
+-commit d1aed05bd2e4ae70f359a394dc60a2d96b88f78c
+-Author: Darren Tucker
+-Date: Sat Apr 24 22:03:46 2021 +1000
+-
+- Comment out nbsd2 test target for now.
+-
+-commit a6b4ec94e5bd5a8a18cd2c9942d829d2e5698837
+-Author: Darren Tucker
+-Date: Sat Apr 24 17:52:24 2021 +1000
+-
+- Add OPENBSD ORIGINAL marker.
+-
+-commit 3737c9f66ee590255546c4b637b6d2be669a11eb
+-Author: Darren Tucker
+-Date: Fri Apr 23 19:49:46 2021 +1000
+-
+- Replace "==" (a bashism) with "=".
+-
+-commit a116b6f5be17a1dd345b7d54bf8aa3779a28a0df
+-Author: Darren Tucker
+-Date: Fri Apr 23 16:34:48 2021 +1000
+-
+- Add nbsd2 test target.
+-
+-commit 196bf2a9bb771f45d9b0429cee7d325962233c44
+-Author: Darren Tucker
+-Date: Fri Apr 23 14:54:10 2021 +1000
+-
+- Add obsd68 test target.
+-
+-commit e3ba6574ed69e8b7af725cf5e8a9edaac04ff077
+-Author: Darren Tucker
+-Date: Fri Apr 23 14:53:32 2021 +1000
+-
+- Remove dependency on bash.
+-
+-commit db1f9ab8feb838aee9f5b99c6fd3f211355dfdcf
+-Author: Darren Tucker
+-Date: Fri Apr 23 14:41:13 2021 +1000
+-
+- Add obsd67 test target.
+-
+-commit c039a6bf79192fe1daa9ddcc7c87dd98e258ae7c
+-Author: Darren Tucker
+-Date: Fri Apr 23 11:08:23 2021 +1000
+-
+- Re-add macos-11.0 test target.
+-
+-commit a6db3a47b56adb76870d59225ffb90a65bc4daf2
+-Author: Darren Tucker
+-Date: Fri Apr 23 10:28:28 2021 +1000
+-
+- Add openindiana test target.
+-
+-commit 3fe7e73b025c07eda46d78049f1da8ed7dfc0c69
+-Author: Darren Tucker
+-Date: Fri Apr 23 10:26:35 2021 +1000
+-
+- Test krb5 on Solaris 11 too.
+-
+-commit f57fbfe5eb02df1a91f1a237c4d27165afd87c13
+-Author: Darren Tucker
+-Date: Thu Apr 22 22:27:26 2021 +1000
+-
+- Don't always set SUDO.
+-
+- Rely on sourcing configs to set as appropriate.
+-
+-commit e428f29402fb6ac140b52f8f12e06ece7bb104a0
+-Author: Darren Tucker
+-Date: Thu Apr 22 22:26:08 2021 +1000
+-
+- Remove now-unused 2nd arg to configs.
+-
+-commit cb4ff640d79b3c736879582139778f016bbb2cd7
+-Author: Darren Tucker
+-Date: Wed Apr 21 01:08:04 2021 +1000
+-
+- Add win10 test target.
+-
+-commit 4457837238072836b2fa3107d603aac809624983
+-Author: Darren Tucker
+-Date: Tue Apr 20 23:31:29 2021 +1000
+-
+- Add nbsd8 test target.
+-
+-commit bd4fba22e14da2fa196009010aabec5a8ba9dd42
+-Author: Darren Tucker
+-Date: Sat Apr 17 09:55:47 2021 +1000
+-
+- Add obsd51 target.
+-
+-commit 9403d0e805c77a5741ea8c3281bbe92558c2f125
+-Author: Darren Tucker
+-Date: Fri Apr 16 18:14:25 2021 +1000
+-
+- Add fbsd13 target.
+-
+-commit e86968280e358e62649d268d41f698d64d0dc9fa
+-Author: Damien Miller
+-Date: Fri Apr 16 13:55:25 2021 +1000
+-
+- depend
+-
+-commit 2fb25ca11e8b281363a2a2a4dec4c497a1475d9a
+-Author: Damien Miller
+-Date: Fri Apr 16 13:53:02 2021 +1000
+-
+- crank version in README and RPM spec files
+-
+-commit b2b60ebab0cb77b5bc02d364d72e13db882f33ae
+-Author: djm@openbsd.org
+-Date: Fri Apr 16 03:42:00 2021 +0000
+-
+- upstream: openssh-8.6
+-
+- OpenBSD-Commit-ID: b5f3e133c846127ec114812248bc17eff07c3e19
+-
+-commit faf2b86a46c9281d237bcdec18c99e94a4eb820a
+-Author: markus@openbsd.org
+-Date: Thu Apr 15 16:24:31 2021 +0000
+-
+- upstream: do not pass file/func to monitor; noted by Ilja van Sprundel;
+-
+- ok djm@
+-
+- OpenBSD-Commit-ID: 85ae5c063845c410283cbdce685515dcd19479fa
+-
+-commit 2dc328023f60212cd29504fc05d849133ae47355
+-Author: Damien Miller
+-Date: Wed Apr 14 11:42:55 2021 +1000
+-
+- sshd don't exit on transient read errors
+-
+- openssh-8.5 introduced a regression that would cause sshd to exit
+- because of transient read errors on the network socket (e.g. EINTR,
+- EAGAIN). Reported by balu.gajjala AT gmail.com via bz3297
+-
+-commit d5d6b7d76d171a2e6861609dcd92e714ee62ad88
+-Author: Damien Miller
+-Date: Sat Apr 10 18:45:00 2021 +1000
+-
+- perform report_failed_grab() inline
+-
+-commit ea996ce2d023aa3c6d31125e2c3ebda1cb42db8c
+-Author: Damien Miller
+-Date: Sat Apr 10 18:22:57 2021 +1000
+-
+- dedicated gnome-ssk-askpass3 source
+-
+- Compatibility with Wayland requires that we use the gdk_seat_grab()
+- API for grabbing mouse/keyboard, however these API don't exist in
+- Gtk+2.
+-
+- This branches gnome-ssk-askpass2.c => gnome-ssk-askpass3.c and
+- makes the changes to use the gdk_seat_grab() instead of grabbing
+- mouse/focus separately via GDK.
+-
+- In the future, we can also use the branched file to avoid some
+- API that has been soft-deprecated in GTK+3, e.g. gtk_widget_modify_fg
+-
+-commit bfa5405da05d906ffd58216eb77c4375b62d64c2
+-Author: Darren Tucker
+-Date: Thu Apr 8 15:18:15 2021 +1000
+-
+- Ensure valgrind-out exists.
+-
+- Normally the regress tests would create it, but running the unit tests
+- on their own would fail because the directory did not exist.
+-
+-commit 1f189181f3ea09a9b08aa866f78843fec800874f
+-Author: Darren Tucker
+-Date: Thu Apr 8 15:17:19 2021 +1000
+-
+- Pass OBJ to unit test make invocation.
+-
+- At least the Valgrind unit tests uses $OBJ.
+-
+-commit f42b550c281d28bd19e9dd6ce65069164f3482b0
+-Author: Darren Tucker
+-Date: Thu Apr 8 14:20:12 2021 +1000
+-
+- Add pattern for valgrind-unit.
+-
+-commit 19e534462710e98737478fd9c44768b50c27c4c6
+-Author: Darren Tucker
+-Date: Thu Apr 8 13:31:08 2021 +1000
+-
+- Run unit tests under valgrind.
+-
+- Run a separate build for the unit tests under Valgrind. They take long
+- enough that running in parallel with the other Valgrind tests helps.
+-
+-commit 80032102d05e866dc2a48a5caf760cf42c2e090e
+-Author: Darren Tucker
+-Date: Thu Apr 8 13:25:57 2021 +1000
+-
+- ifdef out MIN and MAX.
+-
+- In -portable, defines.h ensures that these are defined, so redefining
+- potentially causes a warning. We don't just delete it to make any
+- future code syncs a little but easier. bz#3293.
+-
+-commit d1bd184046bc310c405f45da3614a1dc5b3e521a
+-Author: Darren Tucker
+-Date: Wed Apr 7 10:23:51 2021 +1000
+-
+- Remove only use of warn().
+-
+- The warn() function is only used in one place in portable and does not
+- exist upstream. Upgrade the only instance it's used to fail()
+- (the privsep/sandbox+proxyconnect, from back when that was new) and
+- remove the now-unused function.
+-
+-commit fea8f4b1aa85026ad5aee5ad8e1599a8d5141fe0
+-Author: Darren Tucker
+-Date: Wed Apr 7 10:18:32 2021 +1000
+-
+- Move make_tmpdir() into portable-specific area.
+-
+- Reduces diff vs OpenBSD and makes it more likely diffs will apply
+- cleanly.
+-
+-commit 13e5fa2acffd26e754c6ee1d070d0afd035d4cb7
+-Author: dtucker@openbsd.org
+-Date: Tue Apr 6 23:57:56 2021 +0000
+-
+- upstream: Add TEST_SSH_ELAPSED_TIMES environment variable to print the
+-
+- elapsed time in seconds of each test. This depends on "date +%s" which is
+- not specified by POSIX but is commonly implemented.
+-
+- OpenBSD-Regress-ID: ec3c8c19ff49b2192116a0a646ee7c9b944e8a9c
+-
+-commit ef4f46ab4387bb863b471bad124d46e8d911a79a
+-Author: Darren Tucker
+-Date: Wed Apr 7 09:59:15 2021 +1000
+-
+- Move the TEST_SSH_PORT section down a bit.
+-
+- This groups the portable-specific changes together and makes it a
+- little more likely that patches will apply cleanly.
+-
+-commit 3674e33fa70dfa1fe69b345bf576113af7b7be11
+-Author: Darren Tucker
+-Date: Wed Apr 7 10:05:10 2021 +1000
+-
+- Further split Valgrind tests.
+-
+- Even split in two, the Valgrind tests take by far the longest to run,
+- so split them four ways to further increase parallelism.
+-
+-commit 961af266b861e30fce1e26170ee0dbb5bf591f29
+-Author: djm@openbsd.org
+-Date: Tue Apr 6 23:24:30 2021 +0000
+-
+- upstream: include "ssherr.h" not ; from Balu Gajjala via
+-
+- bz#3292
+-
+- OpenBSD-Commit-ID: e9535cd9966eb2e69e73d1ede1f44905c30310bd
+-
+-commit e7d0a285dbdd65d8df16123ad90f15e91862f959
+-Author: Damien Miller
+-Date: Wed Apr 7 08:50:38 2021 +1000
+-
+- wrap struct rlimit in HAVE_GETRLIMIT too
+-
+-commit f283a6c2e0a9bd9369e18462acd00be56fbe5b0d
+-Author: Damien Miller
+-Date: Wed Apr 7 08:20:35 2021 +1000
+-
+- wrap getrlimit call in HAVE_GETRLIMIT; bz3291
+-
+-commit 679bdc4a5c9244f427a7aee9c14b0a0ed086da1f
+-Author: dtucker@openbsd.org
+-Date: Tue Apr 6 09:07:33 2021 +0000
+-
+- upstream: Don't check return value of unsetenv(). It's part of the
+-
+- environment setup and not part of the actual test, and some platforms
+- -portable runs on declare it as returning void, which prevents the test from
+- compiling.
+-
+- OpenBSD-Regress-ID: 24f08543ee3cdebc404f2951f3e388cc82b844a1
+-
+-commit 320af2f3de6333aa123f1b088eca146a245e968a
+-Author: jmc@openbsd.org
+-Date: Sun Apr 4 11:36:56 2021 +0000
+-
+- upstream: remove stray inserts; from matthias schmidt
+-
+- OpenBSD-Commit-ID: 2c36ebdc54e14bbf1daad70c6a05479a073d5c63
+-
+-commit 801f710953b24dd2f21939171c622eac77c7484d
+-Author: jmc@openbsd.org
+-Date: Sun Apr 4 06:11:24 2021 +0000
+-
+- upstream: missing comma; from kawashima james
+-
+- OpenBSD-Commit-ID: 31cec6bf26c6db4ffefc8a070715ebef274e68ea
+-
+-commit b3ca08cb174266884d44ec710a84cd64c12414ea
+-Author: Darren Tucker
+-Date: Mon Apr 5 23:46:42 2021 +1000
+-
+- Install libcbor with libfido2.
+-
+-commit f3ca8af87a4c32ada660da12ae95cf03d190c083
+-Author: Damien Miller
+-Date: Sat Apr 3 18:21:08 2021 +1100
+-
+- enable authopt and misc unit tests
+-
+- Neither were wired into the build, both required some build
+- adaptations for -portable
+-
+-commit dc1b45841fb97e3d7f655ddbcfef3839735cae5f
+-Author: djm@openbsd.org
+-Date: Sat Apr 3 06:58:30 2021 +0000
+-
+- upstream: typos in comments; GHPR#180 from Vill
+-
+- =?UTF-8?q?e=20Skytt=C3=A4?=
+- MIME-Version: 1.0
+- Content-Type: text/plain; charset=UTF-8
+- Content-Transfer-Encoding: 8bit
+-
+- OpenBSD-Commit-ID: 93c732381ae0e2b680c79e67c40c1814b7ceed2c
+-
+-commit 53ea05e09b04fd7b6dea66b42b34d65fe61b9636
+-Author: djm@openbsd.org
+-Date: Sat Apr 3 06:55:52 2021 +0000
+-
+- upstream: sync CASignatureAlgorithms lists with reality. GHPR#174 from
+-
+- Matt Hazinski
+-
+- OpenBSD-Commit-ID: f05e4ca54d7e67b90fe58fe1bdb1d2a37e0e2696
+-
+-commit 57ed647ee07bb883a2f2264231bcd1df6a5b9392
+-Author: Damien Miller
+-Date: Sat Apr 3 17:47:37 2021 +1100
+-
+- polish whitespace for portable files
+-
+-commit 31d8d231eb9377df474746a822d380c5d68d7ad6
+-Author: djm@openbsd.org
+-Date: Sat Apr 3 06:18:40 2021 +0000
+-
+- upstream: highly polished whitespace, mostly fixing spaces-for-tab
+-
+- and bad indentation on continuation lines. Prompted by GHPR#185
+-
+- OpenBSD-Commit-ID: e5c81f0cbdcc6144df1ce468ec1bac366d8ad6e9
+-
+-commit 34afde5c73b5570d6f8cce9b49993b23b77bfb86
+-Author: djm@openbsd.org
+-Date: Sat Apr 3 05:54:14 2021 +0000
+-
+- upstream: whitespace (tab after space)
+-
+- OpenBSD-Commit-ID: 0e2b3f7674e985d3f7c27ff5028e690ba1c2efd4
+-
+-commit 7cd262c1c5a08cc7f4f30e3cab108ef089d0a57b
+-Author: Darren Tucker
+-Date: Sat Apr 3 16:59:10 2021 +1100
+-
+- Save config.h and config.log on failure too.
+-
+-commit 460aee9298f365357e9fd26851c22e0dca51fd6a
+-Author: djm@openbsd.org
+-Date: Sat Apr 3 05:46:41 2021 +0000
+-
+- upstream: fix incorrect plural; from Ville Skyt
+-
+- =?UTF-8?q?t=C3=A4=20via=20GHPR#181?=
+- MIME-Version: 1.0
+- Content-Type: text/plain; charset=UTF-8
+- Content-Transfer-Encoding: 8bit
+-
+- OpenBSD-Commit-ID: 92f31754c6296d8f403d7c293e09dc27292d22c9
+-
+-commit 082804c14e548cada75c81003a3c68ee098138ee
+-Author: djm@openbsd.org
+-Date: Sat Apr 3 05:40:39 2021 +0000
+-
+- upstream: ensure that pkcs11_del_provider() is called before exit -
+-
+- some PKCS#11 providers get upset if C_Initialize is not matched with
+- C_Finalize.
+-
+- From Adithya Baglody via GHPR#234; ok markus
+-
+- OpenBSD-Commit-ID: f8e770e03b416ee9a58f9762e162add900f832b6
+-
+-commit 464ebc82aa926dd132ec75a0b064574ef375675e
+-Author: djm@openbsd.org
+-Date: Sat Apr 3 05:28:43 2021 +0000
+-
+- upstream: unused variable
+-
+- OpenBSD-Commit-ID: 85f6a394c8e0f60d15ecddda75176f112007b205
+-
+-commit dc3c0be8208c488e64a8bcb7d9efad98514e0ffb
+-Author: djm@openbsd.org
+-Date: Sat Apr 3 05:21:46 2021 +0000
+-
+- upstream: Fix two problems in string->argv conversion: 1) multiple
+-
+- backslashes were not being dequoted correctly and 2) quoted space in the
+- middle of a string was being incorrectly split.
+- MIME-Version: 1.0
+- Content-Type: text/plain; charset=UTF-8
+- Content-Transfer-Encoding: 8bit
+-
+- A unit test for these cases has already been committed
+-
+- prompted by and based on GHPR#223 by Eero Häkkinen; ok markus@
+-
+- OpenBSD-Commit-ID: d7ef27abb4eeeaf6e167e9312e4abe9e89faf1e4
+-
+-commit f75bcbba58a08c670727ece5e3f8812125969799
+-Author: Damien Miller
+-Date: Sat Apr 3 16:22:48 2021 +1100
+-
+- missing bits from 259d648e
+-
+-commit 4cbc4a722873d9b68cb5496304dc050d7168df78
+-Author: djm@openbsd.org
+-Date: Wed Mar 31 21:59:26 2021 +0000
+-
+- upstream: cannot effectively test posix-rename extension after
+-
+- changes in feature advertisment.
+-
+- OpenBSD-Regress-ID: 5e390bf88d379162aaa81b60ed86b34cb0c54d29
+-
+-commit 259d648e63e82ade4fe2c2c73c8b67fe57d9d049
+-Author: djm@openbsd.org
+-Date: Fri Mar 19 04:23:50 2021 +0000
+-
+- upstream: add a test for misc.c:argv_split(), currently fails
+-
+- OpenBSD-Regress-ID: ad6b96d6ebeb9643b698b3575bdd6f78bb144200
+-
+-commit 473ddfc2d6b602cb2d1d897e0e5c204de145cd9a
+-Author: djm@openbsd.org
+-Date: Fri Mar 19 03:25:01 2021 +0000
+-
+- upstream: split
+-
+- OpenBSD-Regress-ID: f6c03c0e4c58b3b9e04b161757b8c10dc8378c34
+-
+-commit 1339800fef8d0dfbfeabff71b34670105bcfddd2
+-Author: djm@openbsd.org
+-Date: Wed Mar 31 22:16:34 2021 +0000
+-
+- upstream: Use new limits@openssh.com protocol extension to let the
+-
+- client select good limits based on what the server supports. Split the
+- download and upload buffer sizes to allow them to be chosen independently.
+-
+- In practice (and assuming upgraded sftp/sftp-server at each end), this
+- increases the download buffer 32->64KiB and the upload buffer
+- 32->255KiB.
+-
+- Patches from Mike Frysinger; ok dtucker@
+-
+- OpenBSD-Commit-ID: ebd61c80d85b951b794164acc4b2f2fd8e88606c
+-
+-commit 6653c61202d104e59c8e741329fcc567f7bc36b8
+-Author: djm@openbsd.org
+-Date: Wed Mar 31 21:58:07 2021 +0000
+-
+- upstream: do not advertise protocol extensions that have been
+-
+- disallowed by the command-line options (e.g. -p/-P/-R); ok dtucker@
+-
+- OpenBSD-Commit-ID: 3a8a76b3f5131741aca4b41bfab8d101c9926205
+-
+-commit 71241fc05db4bbb11bb29340b44b92e2575373d8
+-Author: Damien Miller
+-Date: Mon Mar 29 15:14:25 2021 +1100
+-
+- gnome-ssh-askpass3 is a valid target here
+-
+-commit 8a9520836e71830f4fccca066dba73fea3d16bda
+-Author: djm@openbsd.org
+-Date: Fri Mar 19 02:22:34 2021 +0000
+-
+- upstream: return non-zero exit status when killed by signal; bz#3281 ok
+-
+- dtucker@
+-
+- OpenBSD-Commit-ID: 117b31cf3c807993077b596bd730c24da9e9b816
+-
+-commit 1269b8a686bf1254b03cd38af78167a04aa6ec88
+-Author: djm@openbsd.org
+-Date: Fri Mar 19 02:18:28 2021 +0000
+-
+- upstream: increase maximum SSH2_FXP_READ to match the maximum
+-
+- packet size. Also handle zero-length reads that are borderline nonsensical
+- but not explicitly banned by the spec. Based on patch from Mike Frysinger,
+- feedback deraadt@ ok dtucker@
+-
+- OpenBSD-Commit-ID: 4e67d60d81bde7b84a742b4ee5a34001bdf80d9c
+-
+-commit 860b67604416640e8db14f365adc3f840aebcb1f
+-Author: djm@openbsd.org
+-Date: Tue Mar 16 06:15:43 2021 +0000
+-
+- upstream: don't let logging clobber errno before use
+-
+- OpenBSD-Commit-ID: ce6cca370005c270c277c51c111bb6911e1680ec
+--- crypto/openssh/README.orig
++++ crypto/openssh/README
+@@ -1,4 +1,4 @@
+-See https://www.openssh.com/releasenotes.html#9.3p1 for the release
++See https://www.openssh.com/releasenotes.html#9.3p2 for the release
+ notes.
+
+ Please read https://www.openssh.com/report.html for bug reporting
+--- crypto/openssh/contrib/redhat/openssh.spec.orig
++++ crypto/openssh/contrib/redhat/openssh.spec
+@@ -1,4 +1,4 @@
+-%global ver 9.3p1
++%global ver 9.3p2
+ %global rel 1%{?dist}
+
+ # OpenSSH privilege separation requires a user & group ID
+--- crypto/openssh/contrib/suse/openssh.spec.orig
++++ crypto/openssh/contrib/suse/openssh.spec
+@@ -13,7 +13,7 @@
+
+ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
+ Name: openssh
+-Version: 9.3p1
++Version: 9.3p2
+ URL: https://www.openssh.com/
+ Release: 1
+ Source0: openssh-%{version}.tar.gz
+--- crypto/openssh/ssh-agent.1.orig
++++ crypto/openssh/ssh-agent.1
+@@ -107,9 +107,27 @@
+ .It Fl O Ar option
+ Specify an option when starting
+ .Nm .
+-Currently only one option is supported:
++Currently two options are supported:
++.Cm allow-remote-pkcs11
++and
+ .Cm no-restrict-websafe .
+-This instructs
++.Pp
++The
++.Cm allow-remote-pkcs11
++option allows clients of a forwarded
++.Nm
++to load PKCS#11 or FIDO provider libraries.
++By default only local clients may perform this operation.
++Note that signalling that a
++.Nm
++client remote is performed by
++.Xr ssh 1 ,
++and use of other tools to forward access to the agent socket may circumvent
++this restriction.
++.Pp
++The
++.Cm no-restrict-websafe ,
++instructs
+ .Nm
+ to permit signatures using FIDO keys that might be web authentication
+ requests.
+--- crypto/openssh/ssh-agent.c.orig
++++ crypto/openssh/ssh-agent.c
+@@ -169,6 +169,12 @@
+ /* Pattern-list of allowed PKCS#11/Security key paths */
+ static char *allowed_providers;
+
++/*
++ * Allows PKCS11 providers or SK keys that use non-internal providers to
++ * be added over a remote connection (identified by session-bind@openssh.com).
++ */
++static int remote_add_provider;
++
+ /* locking */
+ #define LOCK_SIZE 32
+ #define LOCK_SALT_SIZE 16
+@@ -1246,6 +1252,12 @@
+ if (strcasecmp(sk_provider, "internal") == 0) {
+ debug_f("internal provider");
+ } else {
++ if (e->nsession_ids != 0 && !remote_add_provider) {
++ verbose("failed add of SK provider \"%.100s\": "
++ "remote addition of providers is disabled",
++ sk_provider);
++ goto out;
++ }
+ if (realpath(sk_provider, canonical_provider) == NULL) {
+ verbose("failed provider \"%.100s\": "
+ "realpath: %s", sk_provider,
+@@ -1409,6 +1421,11 @@
+ error_f("failed to parse constraints");
+ goto send;
+ }
++ if (e->nsession_ids != 0 && !remote_add_provider) {
++ verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
++ "providers is disabled", provider);
++ goto send;
++ }
+ if (realpath(provider, canonical_provider) == NULL) {
+ verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
+ provider, strerror(errno));
+@@ -2073,7 +2090,9 @@
+ break;
+ case 'O':
+ if (strcmp(optarg, "no-restrict-websafe") == 0)
+- restrict_websafe = 0;
++ restrict_websafe = 0;
++ else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
++ remote_add_provider = 1;
+ else
+ fatal("Unknown -O option");
+ break;
+--- crypto/openssh/ssh-pkcs11.c.orig
++++ crypto/openssh/ssh-pkcs11.c
+@@ -1537,10 +1537,8 @@
+ error("dlopen %s failed: %s", provider_id, dlerror());
+ goto fail;
+ }
+- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
+- error("dlsym(C_GetFunctionList) failed: %s", dlerror());
+- goto fail;
+- }
++ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
++ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
+ p = xcalloc(1, sizeof(*p));
+ p->name = xstrdup(provider_id);
+ p->handle = handle;
+--- crypto/openssh/sshd_config.orig
++++ crypto/openssh/sshd_config
+@@ -105,7 +105,7 @@
+ #PermitTunnel no
+ #ChrootDirectory none
+ #UseBlacklist no
+-#VersionAddendum FreeBSD-20230316
++#VersionAddendum FreeBSD-20230719
+
+ # no default banner path
+ #Banner none
+--- crypto/openssh/sshd_config.5.orig
++++ crypto/openssh/sshd_config.5
+@@ -1930,7 +1930,7 @@
+ Optionally specifies additional text to append to the SSH protocol banner
+ sent by the server upon connection.
+ The default is
+-.Qq FreeBSD-20230316 .
++.Qq FreeBSD-20230719 .
+ The value
+ .Cm none
+ may be used to disable this.
+--- crypto/openssh/version.h.orig
++++ crypto/openssh/version.h
+@@ -2,7 +2,7 @@
+
+ #define SSH_VERSION "OpenSSH_9.3"
+
+-#define SSH_PORTABLE "p1"
++#define SSH_PORTABLE "p2"
+ #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+
+-#define SSH_VERSION_FREEBSD "FreeBSD-20230316"
++#define SSH_VERSION_FREEBSD "FreeBSD-20230719"
diff --git a/website/static/security/patches/SA-23:08/ssh.13.2.patch.asc b/website/static/security/patches/SA-23:08/ssh.13.2.patch.asc
new file mode 100644
index 0000000000..d3d66a9b60
--- /dev/null
+++ b/website/static/security/patches/SA-23:08/ssh.13.2.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsgACgkQbljekB8A
+Gu+h0A//aPVLcAKGXb2v5XyQ58DNidLLXj2xZ7bAA8aQlJZJu3EogCh2t1xfK0o9
+OAEDN+1tMjOsFJ7792Ex7EoS96k3dvXz7uiBCsl4RwxOt14G/BPtaKORDtKr6jUF
+RJS6Tb6zzeyERKoWB1sNubtJJiLHg+fIu76eHKSkmMPSC0PeSfy0Oj/N3RuAY74Y
+TmMhje5j+uLMgqaxkE0aZftPu8lTpfsENg39YwMl7a3ee0SEUxna/lF4rRm40/gA
+F21HQcVRV8i9dxk26uCxGJBkgEebmMYPk37ejeoOS9Ff48dDP3yRpKSotUp0WOXl
+Ez/lTA7kNw1CyX3uSQguXQhBkFhFZ32gU/42UvC+cCYyqFasumOLmVtHzc2fmzjG
+j/ld0TN2urzRLQ7YQrDJzHfPNoZWFx2XPUCiyhKK9V+d9fBZAkxAH2IQomCrYUgY
+hJ4spytspyZpKwsMzkVpcLcvkJjOcIZnbVaLx+fmqC7Zs8vvhDakuCMkHNxADPZf
+1cmZAU4lbvx0++ugGD+tspIiN9ZchI1Sf+sP3weNnRu2trKp2l0Okt7yhyAmsjCO
+dl0iLK2ffLl6S8Jye2CC+cpGsOoD6e+yuBRQbfIGFYZnfxrIffs64bZ0ZoeXpdzf
+Im9myONVlHVq2JpWqWyl9ejl9JGgL7z1knTurJb0FYrCpn8oF3k=
+=H+a9
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-23:09/pam_krb5.patch b/website/static/security/patches/SA-23:09/pam_krb5.patch
new file mode 100644
index 0000000000..ca4a6c781f
--- /dev/null
+++ b/website/static/security/patches/SA-23:09/pam_krb5.patch
@@ -0,0 +1,21 @@
+--- lib/libpam/modules/pam_krb5/pam_krb5.c.orig
++++ lib/libpam/modules/pam_krb5/pam_krb5.c
+@@ -938,18 +938,6 @@
+ continue;
+ break;
+ }
+- if (retval != 0) { /* failed to find key */
+- /* Keytab or service key does not exist */
+- if (debug) {
+- const char *msg = krb5_get_error_message(context,
+- retval);
+- syslog(LOG_DEBUG,
+- "pam_krb5: verify_krb_v5_tgt(): %s: %s",
+- "krb5_kt_read_service_key()", msg);
+- krb5_free_error_message(context, msg);
+- }
+- retval = 0;
+- }
+ if (keyblock)
+ krb5_free_keyblock(context, keyblock);
+
diff --git a/website/static/security/patches/SA-23:09/pam_krb5.patch.asc b/website/static/security/patches/SA-23:09/pam_krb5.patch.asc
new file mode 100644
index 0000000000..6769314884
--- /dev/null
+++ b/website/static/security/patches/SA-23:09/pam_krb5.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsoACgkQbljekB8A
+Gu8TGw/+I4LISJ7xuPPSVVZ8sms9KCtIfPCKtCLa8vEyajDXB/W3mV3gLcM3pUq9
+AzTHwvcqvBzStev/yvuPJpWA+gfHB9OiTfFa5Q1Vw4VJePaXjDih2xTLtsEH6Mzj
+FubSyGGk4rh/Gv6K2ktMII3yJPQdB5LpfJZBH9VbhnCIdLsMTkpc2+LwSKJ6HxgO
+d33iNSNj/ToOY5K098yPHGSKkWRsU0rs2iGOXhocy1JHvnYfmfkFJ6D6m/xC3c01
+OLCagAv8gtdhV9bc7fleaL4aHnYmdvtjZfLjRAotEPvy0AFCI0EVVO1ZAURymNUL
+khnrjFIFt5HCD1pKAzB+A72tRaoH5ppJa4XA16Q3sM8up5jhEz8/iYOEoMa2L0PY
+beo4rcxXXNWZ2Nuo8HlmvJ53a4cCGXzSf42Xqqf6wcDq6rEW1H3OX/bWFBWVAGsk
+TFC9VUSq3GgYlz8ZKTLnhwZO4cviT/IzlhKJpEAo+PRUqY3vSn7ETUQM8oT2GMvV
+he6W5mUOkLAKM2m6UQdaRZAmrWhcmRvH3tBHhU2yJDidSvc/Tvr8w6ngKa7Rxuf+
+KbOqJqwHBEamEgus6fDMO2lwFC1BWTKUFNUXT55oitje7XD4eLJlQURASut0pcfs
+p5b+X8qr+wV5ay6OgErzmjtn4bCQ7Wgr5EDrOxRBFRDmfKlXTpw=
+=QEp/
+-----END PGP SIGNATURE-----