diff --git a/FreeBSD-EN-23:17.ossl b/FreeBSD-EN-23:17.ossl
--- /dev/null
+++ b/FreeBSD-EN-23:17.ossl
@@ -0,0 +1,128 @@
+=============================================================================
+FreeBSD-EN-23:17.ossl Errata Notice
+ The FreeBSD Project
+
+Topic: ossl(4)'s AES-GCM implementation may give incorrect results
+
+Category: core
+Module: ossl
+Announced: 2023-XX-XX
+Affects: FreeBSD 14.0
+Corrected: 2023-XX-XX XX:XX:XX UTC (stable/14, 14.0-STABLE)
+ 2023-XX-XX XX:XX:XX UTC (releng/14.0, 14.0-RELEASE-pXX)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+ossl(4) is a kernel module which implements some cryptographic
+operations using implementations derived from OpenSSL and integrated
+into the FreeBSD kernel's OpenCrypto Framework (OCF).
+
+II. Problem Description
+
+ossl(4) contains an implementation of AES-GCM for amd64. This
+implementation does not properly implement some aspects of the OCF
+interface. In particular, ossl(4) AES-GCM sessions are not thread-safe,
+and do not handle an AAD buffer outside of the main plaintext/ciphertext
+buffer. The former bug affects consumers which dispatch multiple
+requests in parallel on a single session, such as ZFS when encrypted
+datasets are configured. External AAD buffers are used by some network
+features such as ktls(4).
+
+III. Impact
+
+On amd64 systems, ossl(4) could give incorrect output for AES-GCM
+operations if consumers trigger either of the bugs described above.
+This could, for example, result in packet loss, if ossl is used to
+encrypt/decrypt tunnelled traffic, or data corruption if ossl is used to
+encrypt/decrypt filesystem data.
+
+Users are not affected by default, as ossl.ko is not loaded by default.
+To be affected, a system must either be running a custom kernel which
+contains ossl(4), or be configured to load ossl.ko via loader.conf(5).
+
+IV. Workaround
+
+Disable the use of ossl(4), either by removing it from loader.conf or
+the kernel configuration, and reboot the system. The built-in aesni(4)
+module implements all of the same operations as ossl.
+
+V. Solution
+
+
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+[XX Needs reboot? Mention please]
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platfrom on FreeBSD 13 and earlier, can be updated via
+the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+[XX Needs reboot? Mention please]
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 12.4]
+# fetch https://security.FreeBSD.org/patches/EN-XX:XX/XXXX.patch
+# fetch https://security.FreeBSD.org/patches/EN-XX:XX/XXXX.patch.asc
+# gpg --verify XXXX.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+ and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path Hash Revision
+-------------------------------------------------------------------------
+stable/14/ 118b866d9c39 stable/14-n265898
+releng/14.0/ XXXXXXXXXXXX releng/14.0-nXXXXXX
+-------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+
+
+
+
+The latest revision of this advisory is available at
+